Deselect “automatically detect settings” in IE using GPP


Lately I struggled with finding a way to deselect “automatically detect settings” in IE for all users of a customer.


There are no GPO settings for this and the GPP IE settings doesn’t allow to set this for any IE versions before IE10 and the customer needs IE9 for compatibility issues with their SharePoint sites.

After much searching I found a way to set this  using GPP to set a registry setting.

  1. Create a new GPO or edit an existing one
  2. Navigate to User configuration – Preferences – Windows Settings – Registry
  3. Create a new registry item with the following values
    1. Name: DefaultConnectionSettings
    2. Action: Update
    4. Path: SoftwareMicrosoftWindowsCurrentVersionInternet SettingsConnections
    5. Value Name: DefaultConnectionSettings
    6. Type: REG_BINARY
    7. Data: (make sure you copy the entire line below, it’s several hundred digits)


It should look like this then


This will always clear the “Automatically detect settings” on next logon or gpupdate

View original post

CAWeb Enrollment error 403.14

A short blogpost about my PKI/IIS challenge today


The Certification Authority Web Enrollment is the webpage where you can logon to request certificated or download crls from your CA. One of my challenges today was that a newly installed issuing CA was unable to configure the Web enrollment webpage correctly. No matter what I did I always got the “403.14 – Forbidden” error.

After quite a bit of troubleshooting, including removing and re-adding roles using both Server Manager and powershell and reboots between the steps I was no closer to a solution. One of my Google-searches lead me to where he suggests to check that default.asp is located in the path C:WindowsSystem32CertSrven-US.

I had the file and everything there was correct, but that lead the to check the path of the website itself. For some reason IIS kept linking the /certsrv site to C:WindowsSystem32CertSrv which is the parent folder, so as soon as I changed the path from C:WindowsSystem32CertSrv to C:WindowsSystem32CertSrven-US in IIS…

View original post 3 more words

Display disabled and inactive users and computers

This little script will query your AD and display disabled computers, inactive computers, disabled users and inactive users. Inactive in this examples is 365 days since last logon.

$LastYear = (Get-Date).AddDays(-365)
$AllDisabledComputers = Get-ADComputer -Filter 'Enabled -eq $False'
$AllDisabledUsers = Get-ADUser -Filter 'Enabled -eq $False'
$AllEnabledUnusedComputers = Get-ADComputer -Filter 'Enabled -eq $True' -Properties LastLogonDate | Where-Object {$_.LastLogonDate -lt $LastYear}
$AllEnabledInactiveUsers = Get-ADuser -Filter 'Enabled -eq $True' -Properties LastLogonDate | Where-Object {$_.LastLogonDate -lt $LastYear}
Write-Host "Total disabled computers:"$
Write-Host "Total enabled computers, logon more than one year old:"$
Write-Host "Total disabled users:"$
Write-Host "Total enabled inactive users:" $

This script does not require any admin permissions, by default. Honorable mention for this script to Bjørn Wang