Active Directory 2016 Security Group Scopes

Hi All,

I was studying (now passed) for the Microsoft Identity with Windows Server 2016 (70-742) exam. When I got to studying Group Scopes, I found the group scope table within the Active Directory Security Groups article from Microsoft unclear and very hard to memorise.

I am a visual learner and tried to find a diagram to depict the scopes of each group. Unfortunately I was unable to find one so had to create my own. This has been ready helpful to me for memorising Active Directory Security Group Scopes and thought it might help others.

NOTE: There is a difference between the Scope conversion from Universal to Domain Local in my diagram versus the Microsoft Documentation. The Microsoft documentation for Universal Group conversion says “Can be converted to Domain Local scope” (i.e. no restrictions), however another user pointed out (see feedback at bottom of article) that this is wrong. I have tested this in my own lab and a Universal group can ONLY be converted to Domain Local scope if the Universal group is not a member of any other Universal groups.

Group Scope Diagram

The diagram below shows the membership a group can contain, where it can be used to assign permissions and possible scope conversions.

Group Scope Descriptions

Below I have listed the scope of Global, Universal and Domain Local groups. I have included a screenshot of what you see when you select the Location to search when adding members to the respective group type. Again, this helped me visualise where you can add members from.

Global Group Scope

Can Include As Members:

  • Accounts from the same domain
  • Global Groups from the same domain

Can Be Assigned Permissions In:

  • Any domain in the same forest, or trusting domains or forests

Group Scope Can Be Converted To:

  • Can be converted to Universal scope if the group is not a member of any other Global groups

Universal Group Scope

Can Include As Members:

  • Accounts from any domain in the same forest
  • Global groups from any domain in the same forest
  • Universal groups from any domain in the same forest

Can Be Assigned Permissions In:

  • Any domain in the same forest or trusting forests

Group Scope Can Be Converted To:

  • Can be converted to Domain Local scope if the group is not a member of any other Universal groups
  • Can be converted to Global scope if the group does not contain any other Universal groups

Domain Local Group Scope

Can Include As Members:

  • Accounts from any domain or any trusted domain/forest
  • Global groups from any domain or any trusted domain/forest
  • Universal groups from any domain or any trusted domain/forest
  • Domain Local groups from the same domain (as itself)

Can Be Assigned Permissions In:

  • The same domain (as itself)

Group Scope Can Be Converted To:

  • Can be converted to Universal scope if the group does not contain any other Domain Local groups

Disclaimer: The table provided by Microsoft is somewhat confusing in some of the terminology used, especially around group membership from different domains. I have used the Microsoft site, other blogs along with testing in my own lab to confirm where possible the information in this post and diagram is correct.

I hope this is of help to others,


Use Group Policy Preferences to deploy the NotPetya\GoldenEye vaccine – Updated instructions

Please note instructions updated to include perfc.dat and perfc.dll files.

The advise on the files needed to prevent the encryption now included creating perfc.dat and perfc.dll files in the Windows directory in addition to the one without an extension.

Please note: this does not prevent the spread of NotPetya, at this time until the software is updated to prevent this from working, this just stops it encrypting your computer.

Following today’s(27th June 2017) manor cyber-attack outbreak for the NotPetya/GoldenEye bleepingcomputer have published an article on Vaccine, not Killswitch, Found for Petya (NotPetya) Ransomware Outbreak

They have supplied a bat script or instructions to apply this manually but if you want to apply it so the computers will receive it without a reboot you could use Group Policy Preferences.

  • On a file share, the targeted computers have access to (e.g. read access by domain computers and domain controllers)
    • Create a directory
    • Create a file named perfc (no file extension)
    • Add some content to the file explaining what its for (example in the sctript linked above is “This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya.”)
    • Set the file to read only
    • copy this file twice
    • rename one to be perfc.dat
    • rename the other to be perfc.dll
    • Check all three files are readonly
    • you should now have three files in that directory perfc, perfc.dat and perfc.dll
  • Create a new group policy or edit an existing one targeted to all the computers you want to deploy the vaccine file to
  • Edit the group policy
  • Under Computer Configuration -> Preferences -> Windows Settings – Files
  • Right click and select new -> file
  • In the source file location enter the path to the directory you created earlier and append \*.* to the end of the path – e.g. \\server\share\nopetya Vaccine\*.*
  • In the destination file enter c:\windows\
  • Select Read-only
  • Action should be create (note this will only create the files if they does not already exist in the destination) this is preferred as you would not want the files on the server if compromised to be copied again to the clients. Please note – any file in this directory will be copied to the c:\windows\ directory. If your not happy with this, you could create three ‘new -> file’ entries in the GPO, each explicitly naming the files you want to copy
  • Click OK
  • run GPupdate /force on some computers to check
    • the file “c:\Windows\perfc” is created and is read only
    • the file “c:\Windows\perfc.dll” is created and is read only
    • the file “c:\Windows\perfc.dat” is created and is read only

I accept no liability following this instructions of those found on third party websites I have linked to.

When using explorer view or try to map a drive to SharePoint you are prompted for credentials when you don’t use a proxy

We have recently changed from using a proxy to not needing one. Once we unchecked use a proxy server from IE our drive mappings to SharePoint sites mapped via GPO stopped appearing. Also users who had mapped drives them selves were prompted to authenticate.

I had already assigned the SharePoint URLs to the Intranet Zone using a GPO. In order to get the WebClient service (this is the services that allows you to access WebDAV folders using explorer) passing the authenticated credentials on transparently(SSO) you need to create a registry entry to allow it.

1.Open Regedit
2. Brows to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters
3.Create a new Multi-String Value
4.Name it AuthForwardServerList
5.Modify it, type the URL of the server that hosts the Web share including the protocol e.g. http:// or https://

You will need to apply this to all computers you want SSO to the share point document libraries using explorer. This can be achieved using GPO preferences under; Computer Configuration – Preferences – Windows Settings – Registry


If you are using a shortcut and the path looks like \\\DavWWWRoot\… and your SharePoint site is using SSL you need to update the shortcut to use @SSL after the server name – e.g. \\\DavWWWRoot\…

DFSR does not replicating files because they have been marked as temporary files

If you get the following error when running a DFS Replication validation report

DFS Replication does not replicate certain files in the replicated folders listed above because they have temporary attribute set, or they are symbolic links . This problem is affecting at least 3 files in 1 replicated folders (up to 100 occurences per replicated folder are reported). Event ID: 11004



You might need to change the flag on the files if in fact they are NOT temporary using the command below

Get-childitem “<PATH TO THE DATA>” -recurse | ForEach-Object -process {if (($_.attributes -band 0x100) -eq 0x100) {$_.attributes = ($_.attributes -band 0xFEFF)}}

More information can be found at

Some Useful SCCM OSD log file locations

  • Windows PE before HDD format: x:\windows\temp\smstslog\smsts.log
  • Windows PE after HDD format: x:\smstslog\smsts.log and copied to c:\_SMSTaskSequence\Logs\Smstslog\smsts.log
  • Full version Windows before SCCM agent installed: c:\_SMSTaskSequence\Logs\Smstslog\smsts.log
  • Full version Windows after SCCM agent installed: c:\windows\ccm\logs\Smstslog\smsts.log
  • Full version Windows (x64) after SCCM agent installed: c:\windows\sysWOW64\ccm\logs\Smstslog\smsts.log
  • After Task Sequence has finished running: c:\windows\ccm\logs\smsts.log
  • After Task Sequence has finished running (x64): c:\windows\sysWOW64\ccm\logs\smsts.log

Post SCCM 1511 upgrade problems

After our SCCM upgrade from 2012 R2 SP1 to SCCM 1511 applications, OSs etc would not deploy.  The client would sit at 0% downloading.

If you clicked “update content” on the installer within the SCCM console it would then install on the client. Investigating further I found the following error in the DataTransferService.log on the client

 <![LOG[[CCMHTTP] ERROR: URL=http://<DP SERVER NAME>:80/SMS_DP_SMSPKG$/Content_53b51003-972a-41a7-bc75-0a22b18ceaef.1, Port=80, Options=480, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE]LOG]!><time=”09:13:45.837+00″ date=”02-10-2016″ component=”DataTransferService” context=”” type=”1″ thread=”5284″ file=”ccmhttperror.cpp:291″>

This highlighted that the file could not be found on the web server. I checked the file location in IIS on the DP, it was pointing to E:\SMSPKGSIG – as expected the file it was trying to download did not exist. 

To find the application that went with this Content ID I sued the following PowerShell script on the DP/Site server (I cannot remember what website I found this script on so apologies to the author)

$SiteCode = ‘Site Code’

$ContentID = ‘Content_53b51003-972a-41a7-bc75-0a22b18ceaef.1’

#Get-WmiObject -Namespace root\sms\site_$SiteCode -ComputerName $Server -Class SMS_Deploymenttype

Get-WmiObject -Namespace root\sms\site_$SiteCode -Class SMS_Deploymenttype -Filter “ContentID = ‘$($ContentID.Split(“.”)[0])'” | Select LocalizedDisplayName -Unique

I validated the application on this DP and it failed and suggested redistributing. This did not resolve the problem but in the distmgr.log file on the site server hosting the DP role I found this error

 RDC:Failed to copy package content signature file \\?\C:\SMSPKGSIG\Content_53b51003-972a-41a7-bc75-0a22b18ceaef.1.tar to \\<SERVER NAME>\SMSSIG$\Content_53b51003-972a-41a7-bc75-0a22b18ceaef.1.tar. Error 2

The strange thing was, the SMSPKGSIG directory should be on the E drive for our server(as set in IIS). When I check the c:\SMSPKGSIG directory I found the Content_53b51003-972a-41a7-bc75-0a22b18ceaef.1.tar file.

 It would appear after upgrading the DP has changed its location for the SMSPKGSIG & SCCMContentLib directories and is now looking for them on the C drive & E Drive.

I used the ContentLibraryTransfer.exe tool from the ConfigMgr 2012 Toolkit R2 with the following command to transfer the library back to the E drive.

ContentLibraryTransfer.exe -SourceDrive C -TargetDrive E

I then revalidated the content of the failing package on the DP and it passed.

I scheduled a validation on all content – this should have already been on as it is on our other DPs

All Applications and OSs are now deploying again.

Hope this helps someone else as this caused massive head scratching!

Active sync issue when published via MS Web Application Proxy

Exchange 2013 CU7

If you are getting this error on the CAS servers

[Eas] The number of outstanding requests for guard TargetBackend(“servername”) has exceeded the max limit 150. Current request will be rejected.

And this error on the Microsoft Web Application Proxy

The HTTP response from the back end server was not received within the expected interval. Expected interval: 300 seconds.


Reference here 

  • On all CAS servers:

    In \Exchange Server\V15\FrontEnd\HttpProxy\sync\web.config, add this key in the <appSettings> node.

    <add key=”HttpProxy.ConcurrencyGuards.TargetBackendLimit” value=”5000″ />

    In \Exchange Server\V15\FrontEnd\HttpProxy\rpc\web.config, add this key in the <appSettings> node.

    <add key=”HttpProxy.ConcurrencyGuards.TargetBackendLimit” value=”5000″ />

    After this change recycle the MSExchangeSyncAppPool and MSExchangeRPCProxyAppPool in IIS manager.

    After this, we stopped getting Event ID 2002, and all Connection_Dropped_Event_List_Full stopped appearing in Httperror logs.


Access Denied Error when using Operations Manager Web Console

If you get “The Operations Manager web console was not configured successfully on this computer. Some views in the web console will not function correctly. Unable to import code signing certificate. System Error -2147024891 (0x80070005): Access is Denied” Check your group policy settings.

OpsMgr Error

The users need to be able to mage there own Trusted Publishers. As screenshot below

GPO Setting


This GPO Setting is under Computer Configeration\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Path Validation Settings


This same setting caused the following error in Configuration Manager 2012 (and 2012 R2) when trying to install software from the users application catalogue

Hope this helps someone else

“This setting cannot be configured because of a network communication or configuration problem.”

WARNING! Windows 8.1 Logon Scripts not working – Delay

So you upgrade to Windows 8.1 and think your logon scripts ‘don’t work’ or take ages to run. Hopefully this will save you many hours of head scratching!

Microsoft have now introduced a delay of 5 minutes by default before running any logon scripts after logon! You can change this via a GPO setting “Configure Logon Script Delay” under Computer configuration – Administrative Templates – System – Group Policy