Disable Short Filename Creation

Widows Best Practises Analyser sometimes says that a host needs to "disable short file name creation". To do this type this at an elevated command prompt.


fsutil.exe behavior set disable8dot3 1

Configure Trusted Time Source

Type the following command to display the time difference between the local computer and a target computer, and then press ENTER:


w32tm /config /manualpeerlist: /syncfromflags:MANUAL
Stop-Service w32time
Start-Service w32time = Liverpool UK Stratum 1 time source.

DNS: Valid network interfaces should precede invalid interfaces in the binding order

To move all disabled and invalid interfaces to the bottom of the binding order list
  1. Click Start, click Network, click Network and Sharing Center, and then click Manage Network Connections.
  2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.
  4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.

Modify MaxNegPhaseCorrection and MaxPosPhaseCorrection

  1. Open the Group Policy Management snap-in. To open Group Policy Management, click Start, click Administrative Tools, and then click Group Policy Management.
  2. In the console tree, select the Group Policy object (GPO) for the Windows Time service that is linked to this domain controller and then open the Group Policy Management Editor snap-in. To open the Group Policy Management Editor, right-click the selected GPO, and then click Edit.


It is not recommended to link your Windows Time Service GPO to the entire domain (in other words, linking it to all domain controllers and member servers in this domain). If you want to configure Windows Time Service for a selected domain controller through Group Policy, we recommend that you create a GPO for Windows Time Service and link it to that specific domain controller.

  1. In the console tree, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then expand Windows Time Service.
  2. In the details pane, double-click Global Configuration Settings.
  3. In Global Configuration Settings, under Options, navigate to MaxNegPhaseCorrection, set the value to 172800 (a decimal value for 48 hours), and then click OK.

If the Windows Time service Group Policy settings have not been applied to this domain controller, you can use the following procedure to update the value of MaxNegPhaseCorrection through the registry.

To update the value of the MaxNegPhaseCorrection registry key

  1. Open the Registry Editor. To open the Registry Editor, click Start, click Run, and then type regedit.
  2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection.
  3. Set the value of MaxNegPhaseCorrection to 172800 (a decimal value for 48 hours).


Protect all OUs from accidental deletion

To protect all existing OUs in your domain from accidental deletion by using the Get-ADOrganizationalUnit and Set-ADOrganizationalUnit cmdlets

  1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
  2. At the Active Directory module command prompt, type the following command to check with OUs are not protected, and then press ENTER:
    Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | ft
  3. At the Active Directory module command prompt, type the following command to protect the OUs that you identified in Step 2, and then press ENTER:
    Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
  4. Run the command in Step 2 again to verify the OUs are protected.
    For more information about the 
    Get-ADOrganizationalUnit and Set-ADOrganizationalUnit cmdlets, at the Active Directory module command prompt, type Get-Help Get-ADOrganizationalUnit or Get-Help Set-ADOrganizationalUnit, and then press ENTER.