
07: Use PolicyPak cloud + Azure AAD Group Membership for User or Computers

If you have PolicyPak Cloud *AND* Azure AD, then use this technique to query the User or Computer groups. Then use Item Level Targeting to trigger when GPPrefs or PolicyPak items will apply.

Hi. This is Jeremy Moskowitz. In a previous video, you saw me use PolicyPak Scripts to enumerate the computer side of Azure Active Directory and figure out what computer groups you’re in and also enumerate the user side and figure out what groups the user is in. In this video, we’re going to take what we learned in the first video and get it to work with PolicyPak Cloud, and it’s pretty easy. You’re actually going to take all the stuff you’ve already done, get it into Notepad land, and then get it into PolicyPak Cloud.
The first thing you’re going to do is for your first policy, “Install AAD module,” you’re going to “View as XML in Notepad.” Copy that and then go over to PolicyPak Cloud over here. I’m going to put it right here into this “Azure AD Group Demo.” I’m going to “Upload and link a new XML here” and just paste it in. I’m going to give this a good name like “PPSCRIPTS: Azure Getting Started.” Okay, so that’s that first script.
Then the second script is already done too. We’ll go back over there. There we go. That’s the “Get Computer Groups” one. We’ll once again “View as XML in Notepad.” Copy it. We’ve already done all the work, which is to say we’ve already encoded our user for the lookup and also our credentials, and it’s already in PolicyPak scripts XML format.
So like I said we’re just taking all this stuff. We’re going to go over to PolicyPak Cloud. We’re going to “Upload and link a new XML here.” I’ll paste that in, and then I’ll call this “PPSCRIPTS: Azure AD Computer Side.” Then we will save that.
Then we’ve got one more to go. You can see it’s in order how I want to do it. Then we’ll do the last one which is over here. We’ll just grab the user side guy right here, “Get User Creds,” right click and “View as XML in Notepad.” Copy that and go back over here. We’re going to “Upload and link a new XML here.” Paste that. Now this is on the user side, so “PPSCRIPTS: User side.”
Let’s just stop right there and see if it works. I’ve got my computer hanging out here in this “Azure AD Group Demo” computer group. If I were to go over to this computer, this computer is just Azure joined. So it has PolicyPak Cloud and Azure and not Group Policy. So what does that mean? Well, if I were to go to do a “ppcloud /sync” here, what are we going to do? We’re going to go over to the cloud and we’re going to download these scripts.
Look how it actually does it in the order that we had it lined up. It has to do the “Azure Getting Started” first, then it has to do the “Azure AD Computer Side” second, and then lastly the Azure “User side.” Just to show you that order in here you can see if you select “Show Policies” here, that’s the order. You can change the order by moving things up and down: “Change Policy Link Order.” But you don’t have to. In this case, if you do it in this exact order, you’re ready to go.
Also, as a troubleshooting step which I didn’t show in the last video so it’s good that I’m going to show it here, what you may need to know is did the script run or not. How do you know that? Well, there are two places. The first place is in “AppData,” “local,” “PolicyPak,” “PolicyPak Scripts Manager.” If we take a look at “ppUser_onPolicyChanged,” what we’re going to see here is did the script actually fire off.
There we go. We can see that our script is “SUCCESSFUL” “Connecting.” These errors are actually totally fine. There are a couple of different methods that we can use to try to figure out what your group membership is. Those fail, and then finally, “Writing user groups to AzureADUserGroups environment variable in User Profile…SUCCESSFUL.”
Now on the computer side this is in a slightly different location. This is in “ProgramData,” “PolicyPak,” “PolicyPak Scripts Manager.” Then if we take a look at “ppComputer_onPolicyChanged,” there we go. We can see some output is there, and we can see that it did the work. We can see, “Writing user groups to AzureADComputerGroups environment variable in Machine Profile…SUCCESSFUL.” So we did the work.
Let’s see if we actually see them. Now this first time you may not see them. The first thing you actually have to do is close all the DOS boxes. But if I take a look and type “set,” if I don’t see them right away, which I don’t here, don’t panic. What I’m going to do is simply “Sign out” here and log back on. Then the second time around it should kick in.
Let’s go ahead and check it out. Log back on as “EastSalesUser1” Azure-only guy here. So we type “set” at a Command Prompt here, there we go. We can see. It went by a little fast. I’ll close all that. If we were to go back to the top, there we go. We can see “AzureADComputerGroups” and “AzureADUserGroups.” So there we go. We’re querying Azure and getting those items just like we said.
So then how do we take that last thing? How do we take a Group Policy Preferences item? What we’ll do is we’ll find that Group Policy Preferences item, that “” guy. Remember, in my previous video I had an “Item-level targeting” that would use the “WMI Query” item type. The way I did it was I used the example “Query” that I supplied in the download. Remember, you have to nuke that “Namespace” area.
I’m just going to take this item, drag and drop it to the Desktop, and then get it into Notepad. I’m just going to get rid of all this stuff. I’m going to drag and drop it. I already have it here because I did it earlier today. I’m just going to go ahead and “Open with” “Notepad.” So I’ve got this guy. Again, I’m going to take him.
Then I’m going to go back to PolicyPak Cloud and I’m going to, lastly, “Upload and link a new XML here.” I just paste that whole thing in and call this “GPPrefs: Shortcuts ONLY for SALES Azure Guys.” Something like that. If we were to look at the thing if we were to go to edit it after we’re done by copying it in, if we were to take a look at the “Shortcuts ONLY” one, once again, notice how it’s Number 4. This is in alphabetical order, but the link policy order, that matters and that has to go fourth.
So if we were going to click on the item and click on “Edit Policy” here, there is the graphical editor here so you can click “Edit” on this guy. You’ll see everything is in here. When you go into the item-level targeting (“ILT”) you can see that it has actually performed the work. And, look, it looks exactly like it does in Group Policy land. It’s doing the “Query,” so it’s looking for my “EastSalesUsers” or whatever.
And remember how “Namespace” has to be nuked. So you’re welcome to do the creation of the policy inside the PolicyPak Cloud editor. But just remember that you have to get it exactly right or this next thing is not going to work. Once I go ahead and click “OK” here, we’re off to the races. Click “OK” and now we’ve got our policy.
If we were to go back to our Azure joined machine here and do “ppcloud /sync,” we’re going to go ahead and sync with the cloud. What we’re looking for is this “GPPrefs: Shortcuts ONLY for SALES Azure Guys.” If we just wait a couple of seconds, there it is: “” It has evaluated it, and you’re off to the races.
With this in mind, basically this is a good rule to live by with regards to using PolicyPak Cloud. Remember, the first video started with doing some small scale testing here in Group Policy land with domain joined machines. Testing it out on a machine and making sure it actually worked the first time. Then you can take your efforts that you just did and then get it into PolicyPak Cloud cutting out the middleman. Then you’ve got it on the target machine.
That wraps it up. That’s it. With this in mind, I hope this helps you out and you’re ready to get started figuring out where your groups are in Azure.
Just so I can say it out loud one more time, remember, the scripts that we’re using are not considered technically secure because if you look inside the scripts, you can see the user name and you can see the encrypted credentials. But the “key” is right here, so a savvy user who knew what they were doing could technically reverse engineer it and actually get the password of this “lookup” guy. He can’t do a whole lot because he doesn’t have Office or have any other kind of access. But it is a risk and you should be aware of it, and I just wanted to say it out loud just so there was no mystery there.
Hope this helps you out. Looking forward to helping you get started real soon.
Thank you. Bye.
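A check for the troubleshooting steps described in the video, written as an added PowerShell example that is not PolicyPak’s own code: it reads the newest ppUser_onPolicyChanged / ppComputer_onPolicyChanged log in the two “PolicyPak Scripts Manager” folders the video shows, treats only the final “Writing … SUCCESSFUL” line as proof the lookup script ran (the earlier method failures are expected), and then reads AzureADUserGroups and AzureADComputerGroups from the user and machine scopes rather than the current console. The log file name pattern, the comma delimiter inside the variables, and the “EastSalesUsers” group name are assumptions.

```powershell
# Added example, not PolicyPak code. Assumes the log files are named
# ppUser_onPolicyChanged* / ppComputer_onPolicyChanged* and that the
# variables hold a comma-separated list of group names.
function Test-PpScriptsGroupLookup {
    [CmdletBinding()]
    param(
        [string]$ExpectedGroup = 'EastSalesUsers',   # group the ILT query tests for (assumed)
        [string]$Delimiter     = ','                 # assumed separator inside the variable
    )
    $checks = @(
        @{ Scope = 'User';    Dir = Join-Path $env:LOCALAPPDATA 'PolicyPak\PolicyPak Scripts Manager'
           Log = 'ppUser_onPolicyChanged*';     Var = 'AzureADUserGroups';     Target = 'User' }
        @{ Scope = 'Machine'; Dir = Join-Path $env:ProgramData  'PolicyPak\PolicyPak Scripts Manager'
           Log = 'ppComputer_onPolicyChanged*'; Var = 'AzureADComputerGroups'; Target = 'Machine' }
    )
    foreach ($c in $checks) {
        $log = Get-ChildItem -Path $c.Dir -Filter $c.Log -File -ErrorAction SilentlyContinue |
               Sort-Object LastWriteTime -Descending | Select-Object -First 1
        # The lookup script tries several methods and the first ones may fail; only the
        # final "Writing ... groups to <Var> environment variable ... SUCCESSFUL" line
        # tells you the variable was actually written.
        $wrote = $false
        if ($log) {
            $pattern = "Writing .*groups to $($c.Var) environment variable.*SUCCESSFUL"
            $wrote   = [bool](Select-String -Path $log.FullName -Pattern $pattern -Quiet)
        }
        # Read the persisted scope, not this process: a freshly written value is only
        # visible to consoles started afterwards (sign out/in for the user side).
        $value  = [Environment]::GetEnvironmentVariable($c.Var, $c.Target)
        $groups = @()
        if ($value) {
            $groups = @($value -split [regex]::Escape($Delimiter) | ForEach-Object { $_.Trim() })
        }
        [pscustomobject]@{
            Scope       = $c.Scope
            LogFound    = [bool]$log
            ScriptWrote = $wrote
            VariableSet = [bool]$value
            GroupCount  = $groups.Count
            HasExpected = ($groups -contains $ExpectedGroup)
            Hint        = $(if ($wrote -and -not $value) { 'Script succeeded but variable not visible yet: close consoles or sign out and back in' }
                            elseif (-not $log) { 'No log found: run ppcloud /sync and confirm the PPSCRIPTS link order' }
                            else { '' })
        }
    }
}

Test-PpScriptsGroupLookup | Format-Table -AutoSize
```

Run it once as the signed-in user after “ppcloud /sync”; a row with ScriptWrote true and VariableSet false is the first-logon case the video describes, not a failure.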

  • 801
  • 24-Apr-2020