Limit group policy only to client OS

Sometimes you want to apply your policy to every client PC in many OUs. To do such you can use WMI filter. This is especially useful in messy AD structures, where is no dedicated OU for client computer objects.

Namespace: root\CIMv2
Query: select * from Win32_OperatingSystem where ProductType="1"

I use here following WMI Class and property:

Data type: uint32
Access type: Read-only
Additional system information.
Work Station (1)
Domain Controller (2)
Server (3)

Can’t access any Outlook tabs on ribbon except Enterprise Vault

Recently one of our customers installed Microsoft Dynamics CRM Outlook add-in and discovered that after this action Microsoft Outlook became absolutely useless, because after start of the program there are no other tabs except Enterprise Vault, which is also used by this customer. Little research showed that the root of the problem is in some components of earlier version of Microsoft Office. To fix problem you need to delete following registry key:


To automate this across organization you can use group policy preferences:

Computer Configuration -> Preferences -> Windows settings ->Registry -> New -> Registry Item:

Action: Delete
Key Path: TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4

Find all active AD users not expiring in a month

Sometimes your AD has a lots of temporary users, with accounts expiring in near future, and to ensure that only legitimate users have never expiring or long expiring accounts you want to audit your accounts. To do so, perform next:
1. Create test account expiring today
2. With ADSI edit get the value of accountExpires property
3. Add to this value Number_of_days*864000000000, write down this value (actually you can create test account expiring on required date, but it is not so fun)
4. Run the following command:
dsquery * -filter “(&(objectCategory=person)(objectClass=user)(accountExpires>=130344624000000000)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))”
where 130344624000000000 is the number from step 3
and !(userAccountControl:1.2.840.113556.1.4.803:=2) means that we only want to find enabled users.


In some cases users with expire date “Never” have accountExpires=9223372036854775807 but in some cases it is equal to 0. So, correct search query will be:

dsquery * -filter “(&(objectCategory=person)(objectClass=user)(|(accountExpires>=130720500000000000)(accountExpires=0))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))” -limit 1000