A Simple Explanation of Group Policy Inheritance in Active Directory

WARNING:  This post involves playing around with Active Directory, so don’t do this in a production environment.  You use this information at your own risk.  For other warnings, please see the disclaimer.

Group Policy is an incredibly powerful feature in Active Directory that allows one to implement specific configurations for users and computers. By creating Group Policy objects (GPOs), administrators can apply thousands of different settings to objects within Active Directory by linking the GPO to sites, domains, or organizational units (OUs).

Unfortunately, Group Policy’s flexibility can also increase its complexity.  It’s one thing to specify a single setting, such as a password complexity rule, to the entire domain.  It’s an entirely different thing to specify unique configurations for thousands of users or computers spread across different geographic areas.  One area where there can be confusion is in determining which settings are applied to a particular user or computer when multiple policies exist.

Inheritance in Group Policy works very similarly to inheritance when it comes to NTFS permissions.  The basic rule is “settings on parent objects are inherited by child objects”.

For example, let’s say you have an Organizational Unit (OU) hierarchy as follows:

AD-1.PNG

Every Active Directory domain has a “Default Domain Policy”, a Group Policy Object (GPO) that contains the default settings for the domain (including the domain-wide account policy: password, lockout and Kerberos settings, which Windows reads only from GPOs linked at the domain level).  That GPO is linked to the domain:


Because it is linked to the domain, every OU under the domain, and every user and computer in those OUs, inherits the settings of the Default Domain Policy GPO.

Let’s say the Default Domain Policy configures users to get a green desktop background.  Regardless of where your user account is in the domain, you end up with a green desktop because the settings in the Default Domain Policy are inherited by all child objects (everything in the domain).

ddp-green.png

Nobody has to enforce this; it’s just how Group Policy works.

Now, let’s say that you need to create some settings for your sales department.  So you create a GPO called “Sales Stuff” and you link it to the Sales OU:

ssgpo.png

Once you do that, the settings in Sales Stuff are applied to everything in the Sales OU, including Managers, Sales Reps and Sales Admin and everything they contain.  Again, this is just how Group Policy works.

When multiple GPOs apply to a user or computer, they are processed from the top of the hierarchy down: the local GPO first, then GPOs linked to the site, then those linked to the domain, then those linked to each OU from the top of the OU tree down to the one containing the object (the “LSDOU” order).  In our example the Default Domain Policy is applied first and Sales Stuff second.  Where several GPOs are linked to the same container, the link order decides: link order 1 has the highest precedence and is applied last.

As each policy is applied, it will overwrite conflicting settings that previous policies applied.  In our example, the Default Domain Policy GPO changes the desktop color to green.  But, let’s say the Sales Stuff policy has the desktop color set to yellow.

Well, the first policy applied when you log on is the topmost policy.  That’s the Default Domain Policy.  So, it changes the setting on your computer to make the desktop background green.  However, the Sales Stuff policy is applied next and it changes the setting to make the desktop background yellow.

The end result is your desktop is yellow.

Keep in mind that this only matters for settings that are configured in both GPOs and conflict with each other; in this case, the desktop color.  A setting configured in only one of them, such as a mouse pointer dictated by the Default Domain Policy but left “Not Configured” in Sales Stuff, is never overwritten, so it simply applies.

Well, the CEO will have none of that!  By God, those desktops are going to be green, or some heads are going to roll!

No problem.  In the Group Policy Management console, right-click the Default Domain Policy link under the domain and select “Enforced”.

Now the Sales Stuff policy cannot override the Default Domain Policy settings, and neither can any other GPO linked lower in the hierarchy: an enforced link wins conflicts against every link below it and is applied even to child OUs that have “Block Inheritance” turned on.  (If two enforced links conflict, the one linked higher in the hierarchy wins.)  So, when you log on, every setting the Sales Stuff policy would have overwritten, including the desktop color, is kept intact.  This is also how you keep a security baseline, such as audit or password-policy settings, from being loosened by a GPO someone links to an OU later.

ssp-green.png

So, regardless of the Sales Stuff settings, your desktop is green.
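The same inspection and the same Enforced switch from PowerShell, as an added example that is not part of the original post.  It uses the GroupPolicy and ActiveDirectory modules (RSAT or a domain controller); the domain corp.example.com, the Sales OU, the user corp\jdoe and the computer SALES-PC01 are assumed names.

```powershell
# Added example, not from the original post. Shows the precedence rules above
# with the GroupPolicy and ActiveDirectory modules (RSAT / Windows Server).
# Assumed names: domain corp.example.com, OU "Sales", user corp\jdoe, computer SALES-PC01.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = 'DC=corp,DC=example,DC=com'     # assumption
$salesOU  = "OU=Sales,$domainDN"            # assumption

# 1. Which GPOs reach the Sales OU, and in what order? InheritedGpoLinks is
#    sorted by precedence: entry 1 is applied last and wins any conflict.
function Show-Precedence([string]$Target) {
    $inh = Get-GPInheritance -Target $Target
    "{0}: Block Inheritance = {1}" -f $inh.Name, $inh.GpoInheritanceBlocked
    $i = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $i++
        "  {0}. {1}  (enforced={2}, enabled={3}, linked at {4})" -f `
            $i, $link.DisplayName, $link.Enforced, $link.Enabled, $link.Target
    }
}
Show-Precedence $salesOU
# Before enforcing: Sales Stuff (linked at the OU) is at 1, Default Domain Policy at 2.

# 2. Enforce the Default Domain Policy link so nothing linked lower in the
#    hierarchy (Sales Stuff, or a GPO an OU admin links next year) can override it.
Set-GPLink -Name 'Default Domain Policy' -Target $domainDN -Enforced Yes | Out-Null

# 3. Re-read: the enforced domain link now sits at precedence 1 for Sales.
Show-Precedence $salesOU

# 4. Audit: every OU that blocks inheritance is a place where a non-enforced
#    baseline silently stops applying. Enforced links still get through.
Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName } |
    Where-Object { $_.GpoInheritanceBlocked } |
    Select-Object Name, Path

# 5. Confirm what a real user on a real computer actually receives (RSoP report).
Get-GPResultantSetOfPolicy -User 'corp\jdoe' -Computer 'SALES-PC01' `
    -ReportType Html -Path "$env:TEMP\rsop-jdoe.html"
```

Run it from an elevated prompt as a user allowed to edit GPO links.  Step 4 is the check worth scheduling: a “Block Inheritance” flag on an OU is invisible from the domain level, and it silently detaches every non-enforced baseline from the objects underneath it.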

This is a very simplified explanation, but I hope it might clear up some fog on how this works.


Exporting an SSL Certificate in Windows

Sometimes it’s useful to take a certificate being used on one server and move it to another server without going through the whole enrollment process again.  In Windows, an SSL certificate can be exported together with its private key to a PKCS#12 (.pfx) file, which you can then import somewhere else.  There are a lot of considerations and restrictions on how you would use this exported certificate (once the key leaves the server, every copy of the file is a copy of the site’s identity); here I’m simply going to look at how to perform the export.

1. Open Internet Information Services (IIS) Manager and select the server

IIS - Select Server

2. Double-click on the “Server Certificates” icon in the Features View of the server

IIS - Select Server Certificates

3. In the “Server Certificates” pane, select the certificate you wish to export and click on “Export…” in the “Actions” pane

Select Cert and Export2

4. In the “Export Certificates” window, fill in the required information and click “OK”

Export Certificate

You must assign a password in order to export the certificate.  Make sure you record this somewhere because there is no way to recover the password if you lose it.  Choose a strong, unique one: the .pfx contains the private key, so anyone holding the file and the password can impersonate the site.  Move the file over a trusted channel and delete every copy once it has been imported on the other server.  (The export only succeeds if the private key was marked exportable when it was created or imported.)
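The same export from PowerShell, as an added example that is not part of the original post, with the checks the IIS dialog does not do for you: it includes the chain, locks the file down while it sits on disk, and shows what is inside before you ship it.  The certificate subject www.example.com and the output location are assumptions.

```powershell
# Added example, not from the original post: export the site certificate and its
# private key to a .pfx from PowerShell. Assumed values: a certificate whose
# subject is www.example.com, output under $env:TEMP.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*CN=www.example.com*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate with a private key matched.' }
"Exporting {0} (thumbprint {1}, expires {2})" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

$pfxPath  = Join-Path $env:TEMP 'www.example.com.pfx'
$password = Read-Host -Prompt 'Password for the .pfx' -AsSecureString   # never hard-code it

# BuildChain adds the intermediate(s) from this machine's stores, so the target
# server gets the whole chain in one file. Fails if the key is not exportable.
try {
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password `
        -ChainOption BuildChain -ErrorAction Stop | Out-Null
} catch {
    throw "Export failed: $($_.Exception.Message) (private key not marked exportable?)"
}

# The file now holds the private key: restrict it to Administrators while it sits on disk.
$acl = Get-Acl $pfxPath
$acl.SetAccessRuleProtection($true, $false)          # drop inherited ACEs
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'BUILTIN\Administrators', 'FullControl', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $pfxPath -AclObject $acl

# Verify what is inside before you ship it: one end-entity cert, plus the chain.
$pfx = Get-PfxData -FilePath $pfxPath -Password $password
$pfx.EndEntityCertificates | Select-Object Subject, Thumbprint, NotAfter
$pfx.OtherCertificates     | Select-Object Subject, Thumbprint

# Record the hash so the receiving side can confirm it got the same bytes,
# then delete the file once it has been imported there.
Get-FileHash -Algorithm SHA256 $pfxPath
```

Run it elevated; reading the private key out of the machine store requires it.  On the receiving server, Import-PfxCertificate with the same password puts the certificate back into Cert:\LocalMachine\My.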

Exporting an SSL certificate from Windows is a pretty easy task.  I hope this has been useful information.  Please let me know what you think!

Installing an Intermediate CA Certificate in Windows

When you download an SSL certificate from a Certificate Authority (CA), the CA will generally include a separate Intermediate CA certificate which also needs to be installed on the server.  Clients only trust the CA’s root; the intermediate is what links your certificate to that root, and Windows (Schannel) builds the chain it sends to clients from the certificates in the machine’s Intermediate Certification Authorities store.  If the intermediate is missing, some clients will report the site as untrusted even though the certificate itself is fine.

Installing the certificate is pretty straightforward, except that Windows does not include a Certificates console in the Administrative Tools folder.  So, you’ll have to create that one yourself.  (On Windows 8.1 / Server 2012 R2 and later, running certlm.msc opens the computer’s certificate store directly and you can skip ahead to the Import step.)

1. Right-click on the Windows icon and select “Run”

    Start Menu

2. In the “Run” box, type “mmc” and hit <ENTER>


3. When the MMC console is up, hit <CTRL>+M and the Add Snap-Ins window appears


4. In the left pane of the “Add or Remove Snap-ins” Window, select “Certificates”, and click on “Add”

Add or Remove Snap-ins 1


5. In the “Certificates Snap-In” window, select “Computer Account” and then click “Next”

Select Computer Account

6. In the “Select Computer” window, accept the default “Local computer: (the computer this console is running on)” and click “Finish”.

Select Computer

7. Back in the “Add or Remove Snap-ins” window, click “OK”.

Add or Remove Snap-ins 2

8. Expand the “Certificates” node, right-click on the “Intermediate Certification Authorities” node, hover on “All Tasks” in the context menu and then select “Import…”

All Tasks and Import

9. Click on “Next” on the welcome screen for the Certificate Import Wizard

Welcome Cert Imp Wiz

10. Browse to the file provided by your CA and click “Next”

File to Import

11. In the “Certificate Store” window, select “Place all certificates in the following store”, browse to the “Intermediate Certification Authorities” store and click “Next”

Certificate Store

12. The “Completing the Certificate Import Wizard” window appears giving you a summary of the operation

Completing the Cert Imp Wiz

13. You should see a window saying the import was successful

Import Successful

That’s it!  The certificate is now installed on your Windows server.  This is the procedure for installing any CA certificate in Windows, regardless of where you get it; the only thing that changes is the store you choose in the “Certificate Store” window: an intermediate goes into “Intermediate Certification Authorities”, a root into “Trusted Root Certification Authorities”, and a server certificate that comes with its private key (a .pfx) into “Personal”.  Don’t put an intermediate in the root store: Windows would then trust it unconditionally instead of only through its root.
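The same import from PowerShell, as an added example that is not part of the original post, followed by a chain build that proves the server certificate now links to a trusted root.  The file path C:\certs\intermediate.cer and the site name www.example.com are assumptions.

```powershell
# Added example, not from the original post: import an intermediate CA certificate
# into the machine-wide "Intermediate Certification Authorities" store and verify
# the server certificate chains. Assumed: C:\certs\intermediate.cer, www.example.com.
$file = 'C:\certs\intermediate.cer'

# Look before you import: an intermediate is issued by someone else (Subject != Issuer)
# and carries the CA flag. A self-signed file is a root and belongs in Cert:\LocalMachine\Root.
$candidate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file)
$isCA = $candidate.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
    ForEach-Object { $_.CertificateAuthority }
if (-not $isCA) { throw "$file is not a CA certificate" }
if ($candidate.Subject -eq $candidate.Issuer) { throw "$file is self-signed: import it as a root, not an intermediate" }

# The "Intermediate Certification Authorities" store is Cert:\LocalMachine\CA.
$imported = Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\CA
"Imported {0} (thumbprint {1})" -f $imported.Subject, $imported.Thumbprint

# Build the chain for the server certificate the way Schannel will when a client connects.
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*CN=www.example.com*' -and $_.HasPrivateKey } |
    Select-Object -First 1
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # shape of the chain only; no network needed
$ok = $chain.Build($leaf)

"Chain ({0} elements, valid={1}):" -f $chain.ChainElements.Count, $ok
$chain.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }
if (-not $ok) {
    # PartialChain means an intermediate is still missing; UntrustedRoot means the
    # root is not in Cert:\LocalMachine\Root.
    $chain.ChainStatus | ForEach-Object { Write-Warning ("{0}: {1}" -f $_.Status, $_.StatusInformation) }
}
```

A three-element chain (site, intermediate, root) with valid=True is what you want to see before you move on to the IIS binding.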

I hope this has helped someone out there!  As always, your feedback is welcome.



Installing an SSL Certificate in Windows

SSL is the protocol used to secure connections to web servers by encrypting the session so prying eyes can’t see what’s going on between the client and the server.  (Strictly, today’s versions are called TLS; SSL 2.0 and 3.0 are obsolete and should be disabled in Schannel, but the certificate steps are identical, so I’ll keep using the familiar name.)  I need to install an SSL certificate for a web site on one of my servers, so I’m going to document the process here in case someone else could use the information.

Generally speaking, installing an SSL certificate is a pretty straightforward procedure:

1. Generate a certificate request from the device on which you wish to use SSL
2. Submit the request to a Certificate Authority
3. Retrieve the completed certificate from the CA
4. Install the certificate on the device along with CA certificates
5. Configure the device to use the certificate for SSL

I will be doing this on a Windows Server 2012 R2 server using the Default Web Site as an example.

Generating the Certificate Request:

1. Open Internet Information Services (IIS) Manager and select the server

IIS - Select Server

2. Double-click on the “Server Certificates” icon in the Features View of the server

IIS - Select Server Certificates

3. In the “Actions” pane, click the “Create Certificate Request…” link

Server Certificates

4. In the “Distinguished Name Properties” window, fill in the required information and click “Next”.

Distinguished Name Properties

The fields here need to be filled out accordingly:

Common name: This is the fully-qualified domain name (FQDN) for the website.  For example, if your website is testcert.yourdomain.com, this is what you put in this field.  Do not include the “http://” or “https://” prefixes in your common name.  Note that browsers validate the host name against the certificate’s Subject Alternative Name (SAN) extension, not the common name; the IIS wizard has no SAN field, so public CAs either copy the common name into the SAN or ask for the host names on their order form.  Make sure every name the site answers to ends up there.

Organization: This is the legally registered name of your organization.  The organization must be the legal registrant of the domain name in the certificate request. If you’re a sole proprietor, put your name in this field.

Organizational Unit: This is the internal department within the organization that is responsible for the maintenance of the certificate and/or site.   If you’re a sole proprietor, enter your DBA (doing business as) name in this field.

City/Locality: This is the city in which your organization is located.  This needs to be spelled out; do not abbreviate.

State/Province: This is the state/province/region/territory in which your organization is registered.  This needs to be spelled out; do not abbreviate.

Country Code: This is the country in which your organization is registered.  Unlike the City/Locality and State/Province fields, you will abbreviate the country using the two-letter International Organization for Standardization (ISO) country code.

5. In the “Cryptographic Service Provider Properties” window, select the appropriate bit length and select “Next”

Cryptographic Service Provider Properties

The bit length requirement is set by the Certificate Authority from which you are requesting the certificate.  For RSA keys, 2,048 bits is the minimum that public CAs accept; 1,024-bit requests are rejected, and 4,096 is fine if you don’t mind the extra handshake cost.  Leave the provider on “Microsoft RSA SChannel Cryptographic Provider” unless your CA says otherwise.

6. In the “File Name” window, browse to where you’d like to store the request file and give it a name.  Click “Finish”.

File Name

The file you save here is what you’ll submit to the CA when you submit your request.

Submitting the Request to a Certificate Authority:

Each Certificate Authority will have its own procedure for submitting the certificate request.  You’ll either upload the file or submit it by opening it in a text editor and copying/pasting the contents into a form on the CA’s site.

The contents of the file will look something like this:

-----BEGIN NEW CERTIFICATE REQUEST-----
<A whole lot of random-looking characters>
-----END NEW CERTIFICATE REQUEST-----

When cutting and pasting this information into the CA’s website form, make sure you copy everything including the “-----BEGIN NEW CERTIFICATE REQUEST-----” and “-----END NEW CERTIFICATE REQUEST-----” lines.  The file holds only your public key and the subject details (the private key stays in the machine’s key store), so it is safe to send in the clear; it is worth checking with certutil -dump that the names and key size are what you expect before you submit it.
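The request generation and inspection above, done from the command line instead of the wizard, as an added example that is not part of the original post.  certreq takes the same subject fields in an .inf file, which makes the key size, hash and (unlike the IIS wizard) the Subject Alternative Names explicit and repeatable.  The host names www.example.com and example.com, the organization details and the file locations are assumptions.

```powershell
# Added example, not from the original post: build the CSR with certreq from an
# .inf file, then inspect it before sending it to the CA.
# Assumed values: www.example.com / example.com, Example Corp in Austin, Texas.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=www.example.com, O=Example Corp, OU=IT, L=Austin, S=Texas, C=US"
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10
Silent = TRUE

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name: browsers ignore the CN, so every host name the
; site answers to has to be listed here.
2.5.29.17 = "{text}"
_continue_ = "dns=www.example.com&"
_continue_ = "dns=example.com"
'@

$infPath = Join-Path $env:TEMP 'www.example.com.inf'
$csrPath = Join-Path $env:TEMP 'www.example.com.csr'
Set-Content -Path $infPath -Value $inf -Encoding ASCII
Remove-Item $csrPath -ErrorAction SilentlyContinue

# MachineKeySet=TRUE creates the private key in the machine store, so run elevated.
certreq -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Inspect what you are about to send: subject, SANs and key size are all visible here.
certutil -dump $csrPath

# This whole file, header and footer lines included, is what you upload or paste.
Get-Content $csrPath | Select-Object -First 1
Get-Content $csrPath | Select-Object -Last 1
```

The request shows up under “Certificate Enrollment Requests” in the machine store until the CA’s response is accepted; the private key never leaves the machine.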

Retrieving the Certificate from the Certificate Authority:

The CA will process your request and issue your certificate after completing a few administrative procedures.  The CA will keep you informed of what’s going on and will let you know when the process is complete.

Once the certificate is ready, you’ll download a file from your CA which will contain your certificate along with one or more other certificates that identify the CA and establishes the identity chain required to validate your certificate when others connect to your web site.

Installing the Certificate:

There are two steps in installing the certificate from the CA.  The first step is to install the Intermediate CA Certificate on the server.

Once that’s completed, you’ll install the SSL certificate on the web server.

1. Open Internet Information Services (IIS) Manager and select the server

IIS - Select Server

2. Double-click on the “Server Certificates” icon in the Features View of the server

IIS - Select Server Certificates

3. In the “Actions” pane, click the “Complete Certificate Request…” link

Select Complete Req

4. In the “Specify Certificate Authority Response” window, browse to the file you downloaded from the CA, assign the certificate a Friendly Name and click “OK”

Specify Certificate Authority Response

The friendly name is not actually part of the certificate; it’s simply a way for you to give the certificate a name so that it is easily identifiable when you attempt to use it later.

Keep the certificate store set to “Personal”.

You should now see the certificate listed in your IIS Manager.

Configuring the Web Site for SSL

Now that the certificates are installed, it’s time to finally get SSL running on the web site.

1. In your IIS Manager, select the web site which will use SSL

IIS - Default Web Site

In my example, I’m just using the Default Web Site.

2. In the “Actions” pane, select “Bindings…”

Select Bindings...

3. In the “Site Bindings” window, click on “Add…”

Site Bindings

4. In the “Add Site Binding” window, complete the fields and click “OK”

Add Site Binding

Type: This must be set to “https”
IP address: Select the IP address to use for the site
Host name:  Leave this blank if this is the only HTTPS site on the address.  If several HTTPS sites share the IP address, enter the site’s host name and check “Require Server Name Indication” so that each host name gets its own certificate
SSL certificate:  Use the drop-down to select the certificate

5. Double-click on “SSL Settings” in your web site’s Features View pane

SSL Settings Select

6. In the “SSL Settings” pane, put a check in the “Require SSL” box and then click on “Apply” in the “Actions” pane

Require SSL and Apply

You’ll see a message that says “The changes have been successfully saved”.

Your site now uses SSL!  Note that “Require SSL” does not redirect: a plain http:// request to the site now gets a “403.4 – SSL required” error, so if you want browsers sent to https:// automatically you need to add a redirect (for example with the URL Rewrite module) on top of this.
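The “Installing the Certificate” and “Configuring the Web Site for SSL” steps above from PowerShell, as an added example that is not part of the original post.  It completes the request with certreq, creates the HTTPS binding, turns on Require SSL, and then opens a TLS connection to confirm the server really presents the new certificate.  The response file C:\certs\www.example.com.cer, the site name “Default Web Site” and the host name www.example.com are assumptions.

```powershell
# Added example, not from the original post: finish the request, bind the
# certificate and require HTTPS. Assumed values: C:\certs\www.example.com.cer
# from the CA, site "Default Web Site", host name www.example.com.
Import-Module WebAdministration

# 1. Complete the request: certreq -accept pairs the issued certificate with the
#    private key created at request time and places it in Cert:\LocalMachine\My.
certreq -accept 'C:\certs\www.example.com.cer'
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*CN=www.example.com*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Issued certificate has no private key: was the request made on this machine?' }

# 2. HTTPS binding on 443 for all addresses, then attach the certificate to it.
$site = 'Default Web Site'
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
}
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }   # replace an old certificate cleanly
New-Item $sslBinding -Value $cert | Out-Null

# 3. The "Require SSL" checkbox: plain HTTP now gets 403.4 instead of content.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# 4. Verify: the binding lists the thumbprint, and a real TLS handshake returns
#    the same certificate (validation callback returns $true: inspection only).
Get-ChildItem IIS:\SslBindings | Select-Object IPAddress, Port, Thumbprint
$tcp = New-Object System.Net.Sockets.TcpClient('localhost', 443)
$tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$tls.AuthenticateAsClient('www.example.com')
$served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
"Served {0} (thumbprint {1}) over {2}" -f $served.Subject, $served.Thumbprint, $tls.SslProtocol
if ($served.Thumbprint -ne $cert.Thumbprint) { Write-Warning 'Server is presenting a different certificate' }
$tls.Dispose(); $tcp.Dispose()
```

The SslProtocol value in the last line is worth a look: it is governed by the Schannel settings of the server and client, not by the certificate, so an old protocol showing up here means the server hardening is a separate job.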

I hope this has been useful for you.  Your feedback is always welcome!

Installing OpenSSL in Windows 8.1

Windows’ built-in tools (certutil and the Certificates console) cover importing and exporting, but they are poor at converting between certificate and key formats.  So, if you want to do anything serious with SSL, you need to grab yourself a copy of OpenSSL.  I’m installing the Windows x64 version of OpenSSL provided by Shining Light Productions.

First, you’ll need to download and install the Microsoft Visual C++ 2008 Redistributable Package (x64) from Microsoft.  Just accept all of the defaults for the installation.  (If you’re running a 32-bit version of Windows, you’ll need to install 32-bit versions of everything.  This example is for 64-bit.)

Once you have that installed, download the latest “Light” version of OpenSSL.  If you’re not developing software, you don’t need the full versions; the “Light” version is intended for end-users.

Accept the defaults for the installation until you come to the “Select Destination Location” window.  Figure out where you want OpenSSL to be installed.  I like to keep everything in my Program Files directory, so that’s where I’m putting mine:


I don’t worry too much about Start Menu locations, but the “Select Additional Tasks” window is important:

DLL Location

Wherever you put the DLLs is up to you, but I put them in their own directory rather than the System directory.  It just makes more sense to me.

Once you complete the installation wizard, you’ll end up at the following window:


Whether you donate or not is up to you, of course.  You can simply clear the check box and hit “Finish” and the software will work fine.  I’d like to encourage you to make a donation, though.  Everyone thinks open source software is “free”.  In actuality, it’s extremely expensive in time and resources and if you benefit from its use, please support the developers by donating when you can.

The last thing to do is to modify the Path system variable so you can launch OpenSSL from anywhere at a command prompt:

1. Right-click the Windows icon and select “System”

Start Menu

2. Select “Advanced System Settings”


3. On the “Advanced” tab, click the “Environment Variables…” button


4. Find the “Path” variable in the “System variables” selection window and click on “Edit…”

Find Path

You’ll get an “Edit System Variable” dialog box.  Append “;C:\Program Files\OpenSSL-Win64\bin” to the end of the path information and click “OK”.  Notice there is a semi-colon at the start of the string.  This is the delimiter that tells Windows this location is a separate entry and not part of the path immediately before it.  Appending (rather than prepending) also means OpenSSL’s bin directory cannot shadow a Windows program of the same name.

Edit System Variable

Click “OK” a few times and you’re done.

Once you’ve completed the installation and path configuration, you can launch OpenSSL from a command prompt window:


For more information about how to use OpenSSL’s commands and syntax, refer to the official documentation.
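The download check and the Path change above done from PowerShell, as an added example that is not part of the original post: it verifies the installer’s Authenticode signature before you run it, records its hash, then appends the bin directory to the system Path without creating a duplicate entry and confirms openssl is found.  The installer file name in the Downloads folder and the install directory are assumptions.

```powershell
# Added example, not from the original post: check the installer before running it,
# then add OpenSSL's bin directory to the machine-wide Path. Assumed paths:
# the installer in Downloads, OpenSSL installed under C:\Program Files\OpenSSL-Win64.
$installer = Join-Path $env:USERPROFILE 'Downloads\Win64OpenSSL_Light.exe'   # assumed file name

# Only run an installer whose publisher signature verifies; anything else
# ("NotSigned", "HashMismatch") means the download is not what it claims to be.
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid') { throw "Installer signature status is $($sig.Status); do not run it." }
"Signed by: {0}" -f $sig.SignerCertificate.Subject
# Keep the hash so a later re-download can be compared against what you vetted.
Get-FileHash -Algorithm SHA256 $installer

# --- after the installer has finished ---
$binDir = 'C:\Program Files\OpenSSL-Win64\bin'
if (-not (Test-Path (Join-Path $binDir 'openssl.exe'))) { throw "openssl.exe not found in $binDir" }

# Append once (the dialog lets you add the same entry twice; this does not).
# Writing the Machine scope needs an elevated prompt.
$entries = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_ -ne '' }
if ($entries -notcontains $binDir) {
    [Environment]::SetEnvironmentVariable('Path', (($entries + $binDir) -join ';'), 'Machine')
}

# Make it visible in this session too; new windows pick it up on their own.
if (($env:Path -split ';') -notcontains $binDir) { $env:Path = "$env:Path;$binDir" }
Get-Command openssl | Select-Object Source
& openssl version
```

The Source line from Get-Command is the real test of the Path edit: it should point into the directory you just added, not to some other openssl.exe that was already on the machine.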

I hope this helps someone and saves some time.  If you see anything wrong, please let me know.

Installing and Configuring an SSL Certificate on Cisco 3000 Series VPN Concentrator

Some of the equipment on our network is a bit dated as we have some customers who still rely on those services for their day-to-day operations.  One of the oldest pieces of equipment we have is a Cisco 3030 VPN Concentrator.

Generally speaking, installing an SSL certificate is a pretty straightforward procedure.  Unfortunately, this is a bit of a challenge on the Cisco VPN Concentrator due to its age and lack of support for more current certificate file formats.  When following the normal enrollment procedure within the concentrator’s UI, one receives the following error:

Error

So, in order to keep the concentrator’s SSL certificate current, a workaround has to be performed.  To do this, you’ll need access to a computer with Internet Information Services (IIS) and OpenSSL.

The certificate itself is going to be created and installed on a Windows server via IIS using the VPN concentrator’s information.

Next, export the certificate, ensuring you’ve recorded the password assigned to the exported certificate.  At this point you have the certificate and private key in a PKCS#12 (.pfx) file, which the VPN concentrator does not accept; it wants the private key in PKCS#8 format and the certificate as PEM text.

To convert the certificate from one format to the other, we’ll use OpenSSL.  What’s interesting here is that you can’t just convert from PKCS#12 to PKCS#8.  Instead, you have to convert from PKCS#12 to PEM and then from PEM to PKCS#8.

NOTE: Make sure you launch the command prompt as Administrator or you might get “unable to write ‘random state'” errors.

So, converting the file to PEM:

Convert 12 to PEM2

pkcs12 is the OpenSSL command that indicates we’re working with a PKCS#12 format file
-in is the parameter that indicates the next input is the name of the file to be reformatted
D:\Temp\ExportCert.pfx is the path and filename of the file to be reformatted
-out is the parameter that indicates the next input is the name of the reformatted file
D:\Temp\ExportCert.pem is the path and filename of the reformatted file

You can see that I was prompted for the password of the exported certificate file.  Once that was supplied and verified, OpenSSL prompted me for a passphrase for the reformatted file.  I just used the same password I had used before to keep things simple.

Now, we’re going to convert from PEM to PKCS#8.  The commands are almost identical as the ones we used for converting to PEM from PKCS#12:

Convert PEM to 8

The syntax here is nearly the same, the differences being the use of “pkcs8” rather than “pkcs12” as the OpenSSL command and the -topk8 switch, which tells OpenSSL that the incoming traditional-format private key is to be converted to PKCS#8.  The output is encrypted by default, which is why you are prompted for a passphrase again.

If you look at the contents of the .pk8 file, you’ll see something like this:

<A whole lot of random-looking characters>

Create a new text document in your favorite text editor and copy and paste the contents of the .pk8 file into it.

Once you’ve done that, open the .pem file you created when converting from .pfx and you should see a section that has the certificate you were issued by the CA:

<A whole lot of random-looking characters>

Cut and paste this section into your new text document immediately following the private key contents from the .pk8 file.  It should look like this:

<A whole lot of random-looking characters>
<A whole lot of random-looking characters>

Save this file so you don’t lose what you’ve accomplished so far.  Remember that this text file, the .pem and the .pk8 each contain your private key; keep them off shared drives and delete them once the concentrator has accepted the import.
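The PKCS#12 to PEM to PKCS#8 conversion and the assembly of the paste-in file above as one script, as an added example that is not part of the original post.  It differs from the screenshots in three ways: the .pfx password is read once and handed to OpenSSL through an environment variable (not typed three times, and not on the command line where other processes can read it); the certificate is pulled out with -clcerts -nokeys instead of by hand; and the PKCS#8 output is pinned to the PBE-SHA1-3DES encryption that OpenSSL 1.0 used by default, because the OpenSSL 3 default (PBES2 with AES) is newer than this device.  That the concentrator accepts PBE-SHA1-3DES is an assumption, as are the paths under D:\Temp.

```powershell
# Added example, not from the original post: .pfx -> PEM key -> PKCS#8 key, plus the
# certificate block, assembled into one file for the concentrator's "Cut & Paste Text"
# import. Assumed paths: D:\Temp\ExportCert.pfx and a working directory of D:\Temp.
$work    = 'D:\Temp'
$pfx     = Join-Path $work 'ExportCert.pfx'
$keyPem  = Join-Path $work 'ExportCert.key.pem'
$certPem = Join-Path $work 'ExportCert.crt.pem'
$pk8     = Join-Path $work 'ExportCert.pk8'
$bundle  = Join-Path $work 'ExportCert.concentrator.txt'

# Prompt once; openssl reads the password via -passin/-passout env:PFXPASS, so it never
# appears on a command line. (The same passphrase is reused for the PKCS#8 output.)
$secure = Read-Host -Prompt 'Password of the exported .pfx' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$env:PFXPASS = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

function Invoke-OpenSsl([string[]]$Arguments) {
    & openssl @Arguments
    if ($LASTEXITCODE -ne 0) { throw "openssl $($Arguments[0]) failed ($LASTEXITCODE)" }
}

# 1. PKCS#12 -> PEM private key (still encrypted). On OpenSSL 3.x, add '-legacy' if it
#    reports 'unsupported' because the .pfx uses RC2/40-bit encryption.
Invoke-OpenSsl -Arguments @('pkcs12', '-in', $pfx, '-nocerts', '-out', $keyPem,
                            '-passin', 'env:PFXPASS', '-passout', 'env:PFXPASS')

# 2. PEM private key -> PKCS#8. -v1 PBE-SHA1-3DES reproduces the OpenSSL 1.0-era
#    default; assumption: the concentrator parses this (it does not know PBES2/AES).
Invoke-OpenSsl -Arguments @('pkcs8', '-topk8', '-v1', 'PBE-SHA1-3DES', '-in', $keyPem,
                            '-passin', 'env:PFXPASS', '-out', $pk8, '-passout', 'env:PFXPASS')

# 3. The server certificate only (no key). Bag Attributes are filtered out below.
Invoke-OpenSsl -Arguments @('pkcs12', '-in', $pfx, '-clcerts', '-nokeys', '-out', $certPem,
                            '-passin', 'env:PFXPASS')

# 4. Assemble the paste-in file: PKCS#8 key first, then just the CERTIFICATE block.
$certBlock = [regex]::Match((Get-Content $certPem -Raw),
    '-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----', 'Singleline').Value
if (-not $certBlock) { throw 'No certificate block found in the PEM output.' }
$keyBlock = (Get-Content $pk8 -Raw).TrimEnd()
Set-Content -Path $bundle -Value ($keyBlock + "`r`n" + $certBlock) -Encoding ASCII

# 5. Clean up the intermediates and the password; every one of them holds the key.
Remove-Item $keyPem, $certPem
Remove-Item Env:\PFXPASS
"Wrote {0}:" -f $bundle
Get-Content $bundle | Where-Object { $_ -like '-----*' }
```

The last line prints only the BEGIN/END markers; you should see an ENCRYPTED PRIVATE KEY pair followed by a CERTIFICATE pair, which is exactly the order the concentrator expects when you paste the file in and supply the private key password.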

The next step is to install the certificate bundle you received from the CA which contains the Intermediate and Root CA certificates.  This should be okay to install straight into the concentrator via the UI.

Go to Administration > Certificate Management > Installation and choose “Install CA Certificate” and upload the file from the CA.  I’ve been able to do this without any problems.

Next, go to Administration > Certificate Management and look for the “SSL Certificates” section.  You should have three interfaces listed there:  Private, Public and External.  You’ll want to perform this operation on each of the interfaces:

1. Click on “Import”
2. Select “Cut & Paste Text”
3. Copy and paste the contents of the text file which contains the private key and certificate
4. Type in the password for the private key
5. Click on “Install”

That’s it!  Hopefully, this will save you a bunch of time and some heartache.  I know this problem has frustrated me for quite some time.

Let me know what you think!