Channel: Group Policy forum

Group Policy over Microsoft VPN


Hi,

I am trying to apply a GPO setting for a scheduled task: Computer Configuration\Control Panel Settings\Scheduled Tasks for remote users who use laptops and connect to our network via the internet and Microsoft VPN (Windows 7). When I run gpresult on a test laptop connected to the internet/VPN I can see that the GPO is applied to Computer Configuration, but I cannot see the scheduled task under Task Scheduler. I tested this GPO on office-based machines and the GPO works fine. I'm aware of the following:

"Network Location Awareness running on the Windows server ensures Group Policy application can work with VPN connection and allows us to make changes to policy settings and make sure they are applied efficiently to mobile users.

 

When mobile users connect to the corporate network, the Group Policy client will detect the availability of a domain controller. If the Group Policy refresh cycle has elapsed or the previous policy application has failed, Group Policy will initiate a background refresh over the VPN connection, updating both the computer and user policy. There is no need to reboot or log off before connecting to the corporate network over a VPN."

This does not seem to happen and the GPO is not applied unless I run a gpupdate. I do not want to have to tell all our remote users to run a gpupdate. Is there a way around this? 



Group Policy being applied except on domain controller


Hello,

We are running a simple Windows 2003 domain with 1 domain controller (w2k3 x64).  A recent attempt to upgrade the domain to a 2008 server failed, mainly due to a lack of delegation permissions.  That pointed us to the group policies.

Looking at the DC after this, we started to get a lot of Event log errors 1030 and 1097 (see below).  We are able to run the group policy MMC from an XP x32, and make changes to the group policy.  I can make changes and see those reflected on client PCs (Win7 and XP) by looking at the gpresult output.  We have the 3 basic policies that came with the domain:  Default DC Policy, Default Domain Policy, Default Password Policy.   To help with troubleshooting, I've renamed these slightly by adding a 1 to the end (i.e. "Default Domain Policy1") and added an empty test policy.  Again, I see the changes on my client machines, but on the DC, gpresult reports that only the USER SETTINGS are coming from the new policies.  The COMPUTER settings are still listed from the old/non-existent policies.  (See example below).

We've run a DCDIAG, netdiag which come back fine.  We've been through a lot of the other suggestions for the Event 1030 error with no luck.

Any thoughts? Thanks

COMPUTER SETTINGS
------------------
    CN=SHIRLEY,OU=Domain Controllers,DC=han***,DC=com
    Last time Group Policy was applied: 5/17/2013 at 1:17:37 PM
    Group Policy was applied from:      SHIRLEY.han***.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        han***
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        DomainPasswordPolicy
        Default Domain Controllers Policy
        Default Domain Policy
        Local Group Policy

...

USER SETTINGS
--------------
    CN=m***,CN=Users,DC=han****,DC=com
    Last time Group Policy was applied: 5/17/2013 at 11:57:46 AM
    Group Policy was applied from:      SHIRLEY.han***.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        HAN***
    Domain Type:                        Windows 2000
    
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy1
        Default Domain Policy1
        Local Group Policy

-------------------------------------------------------------------------

Event Type:Error
Event Source:Userenv
Event Category:None
Event ID:1097
Date:5/17/2013
Time:12:32:35 PM
User:NT AUTHORITY\SYSTEM
Computer:SHIRLEY
Description:
Windows cannot find the machine account, The logon attempt failed .

-------------------------------------------------------------------------

Event Type:Error
Event Source:Userenv
Event Category:None
Event ID:1030
Date:5/17/2013
Time:12:32:35 PM
User:NT AUTHORITY\SYSTEM
Computer:SHIRLEY
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.




Error when creating task in Task Scheduler


I am trying to create a task in my Windows 2003 server Task Scheduler,

but this error keeps popping up:

"0x80070005: Error encountered while creating scheduled task."

I cannot proceed to create a new task in the scheduler.

GPO and local policy did not show any restrictions on creating a new task.

I also find that creating one on an old Windows 2000 server gives the same error.

I saw a KB (841873) about Windows XP giving the same error, but this does not apply to servers.

I have found one policy that disables creating tasks for my domain controller, but there is no such policy for member servers.

I have since disabled that policy for the domain controller.

GPO is not created on 1 Domain Controller


Hello,

I have 2 domain controllers.

When I create a new GPO, it is only created on 1 of the DCs.

On the problem DC there is no new GPO in c:\windows\sysvol.

Running gpupdate on this DC results in:

Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.

C:\Users\user_admin.domain>gpupdate /force
Updating policy...

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\domain.local\SysVol\domain.local\Policies\{FA9EDD88-AE25-477B-90CF-6D6D87C87EA4}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\domain.local\SysVol\domain.local\Policies\{FA9EDD88-AE25-477B-90CF-6D6D87C87EA4}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

C:\Users\user_admin.domain>

I have checked the NTFS-rights on c:\windows\sysvol, but these are correct now.

In GPMC this will result in the following:

How do I fix this issue?
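
An added example, not part of the original post: cause (b) in the gpupdate output can be checked by comparing, per domain controller, the GPO's directory object with the gpt.ini in that controller's own SYSVOL share. The PowerShell below assumes the ActiveDirectory module is installed and reuses the domain name and GPO GUID shown in the post; the variable names are illustrative.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$domain   = 'domain.local'                              # domain name as shown in the post
$gpoGuid  = '{FA9EDD88-AE25-477B-90CF-6D6D87C87EA4}'    # GUID from the gpupdate error
$policies = "CN=Policies,CN=System,$((Get-ADDomain -Identity $domain).DistinguishedName)"

$report = foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
    $name = $dc.HostName

    # File side: gpt.ini in this DC's own SYSVOL share (not the domain-based path
    # \\domain.local\SysVol, which may be answered by either DC).
    $gptPath   = "\\$name\SYSVOL\$domain\Policies\$gpoGuid\gpt.ini"
    $gptExists = Test-Path -LiteralPath $gptPath
    $sysvolVer = $null
    if ($gptExists) {
        $m = Select-String -LiteralPath $gptPath -Pattern '^\s*Version\s*=\s*(\d+)' |
             Select-Object -First 1
        if ($m) { $sysvolVer = [long]$m.Matches[0].Groups[1].Value }
    }

    # Directory side: the groupPolicyContainer object as this DC sees it.
    $gpc = Get-ADObject -Server $name -SearchBase $policies -LDAPFilter "(cn=$gpoGuid)" `
                        -Properties versionNumber, displayName

    [pscustomobject]@{
        DC            = $name
        InDirectory   = [bool]$gpc
        ADVersion     = $gpc.versionNumber
        GptIniPresent = $gptExists
        SysvolVersion = $sysvolVer
    }
}

$report | Format-Table -AutoSize

# A DC that holds the directory object but has no gpt.ini, or a different version in
# gpt.ini, has not received the file-side copy of the GPO.
$report | Where-Object {
    $_.InDirectory -and (-not $_.GptIniPresent -or $_.SysvolVersion -ne $_.ADVersion)
}
```

A controller listed by the last statement has replicated the GPO through Active Directory but not through SYSVOL, which points at file replication between the two DCs rather than at NTFS rights.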

Unable to put a manual script address on LAN settings

I saw you can change the settings via the DefaultConnectionSettings regkey. How can I change the address under "Use automatic configuration script" if it's grey?

How do I edit new DC "Allow Log on Locally" policy setting without having to add all existing groups via gpmc.msc?


Hi,

I am currently self-studying for the 70-640, and have not sat MS exams before, although I have basic experience.  One of the practise tests in an early chapter asks me to log on to my newly created DC with a standard user account, and I get the message "You cannot log on because the logon method you are using is not allowed on this computer".  Little bit of googling, and I stumbled across http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/0f750de8-d56e-4951-a2b1-839e55934745/, which advises looking at the group policy settings for "Allow Log On Locally" and "Deny Log On Locally".

I found with the above that standard users are not listed in "Allow Log On Locally", but I cannot edit via gpedit.msc as the 'Add User or Group' button under this setting is greyed out (I am currently logged in as domain admin).  Numerous searches have pointed me in the direction of gpmc.msc, many similar to the post on May 02, 2009 12:07AM @ http://social.technet.microsoft.com/Forums/en-US/winservermanager/thread/059465f4-a35b-4172-820c-f0c1e0a44d08/.  When I follow this through for my domain, however, I browse all the way through to "Allow Log On Locally" and it is set as 'not defined'.  If I double-click and select 'Define these policy settings' it looks like I have to add all the required groups from scratch.

Is this meant to be by design?  Essentially, "Allow Log On Locally" is currently set to Account Operators, Administrators, Backup Operators, Print Operators, Server Operators - and all I want to do is add Domain Users to this list, without having to manually add what is already there.

Any comment on this is greatly appreciated :-)

Server is vanilla build win2k8 R2 Standard, all updates installed as of 03/01/12, and .net framework 4.0 installed.

cheers,

 

Inaccurate result from netsh command


Dears,

We have a vague issue in a domain environment!

The Windows Firewall has been disabled on all workstations by Group Policy, and when we check the firewall settings through the command line using the netsh command as follows:

netsh advfirewall show allprofiles

it shows that the firewall is turned on for all local profiles, including the domain profile.

But when I go to the Control Panel and click the Windows Firewall icon, it shows that the firewall is turned off for all profiles.

Could you tell us why Windows behaves in that way, and how I can really confirm my results when two ways of checking Windows Firewall settings lead to different statuses?

Thank you,

ksa-maestro


Automatic Home Drive Mapping - Using GPP in Windows 2008 R2 & Windows 7


Hi,

I had posted this question in the Windows Server General Forum, however I have been advised to post it here.

I would like to set up a home drive for users that will get mapped automatically when a user is made a member of a group. Currently, when each new user joins the company, we have to manually create a home folder, assign the appropriate permissions and then have the drive mapped for the user. I understand that this can be automated by using GPP and item-level targeting with group membership. Basically the user's home folder should get created automatically with appropriate permissions for the user, and the drive should get mapped as well.

Also, we do not want to use ADUC for this, as this means we still have to go into user properties in AD to enter the path.

I have read this post http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/0363bd69-4559-47a3-b236-82f281d5c874 however it mentions that the user's home folder has to be manually created. Again, a tedious procedure to do each time new users join.

One of the answers posted by Adam Way in the general forum was to use folder redirection - this works, but I am not sure how the redirection settings will affect the user if the user is moved to another OU.

Is there a way where we just use \\Server\Home$\%username% and then have this mapped by adding the user to a group (e.g. HomeDriveUsers)?

Thanks,


Can't edit Default Domain Controllers Policy on Windows 8 and Server 2012


During our migration process from Windows Server 2008 R2 to Windows Server 2012 for all of our DC's, I've noticed a problem with the Default Domain Controller Policy.  I can edit this policy from any domain-joined computer running Windows 7 or Windows Server 2008 R2 (and probably earlier versions).  However, I can't edit it via Windows 8 or Windows Server 2012.


Here's the error message I receive:

Failed to open the Group Policy Object.  You might not have the appropriate rights.

Details: The volume for a file has been externally altered so that the opened file is no longer valid.

  • This AD domain has been gradually upgraded since its original introduction on Windows 2000 Server.
  • I'm a Domain Admin and Enterprise Admin.
  • I've triple-checked the ACL for this GPO, even going through every property of each entry, and it is exactly as it should be.
  • I've verified that all the standard files and folders for the GPO are in the correct location.
  • DFS-R is being used for sysvol replication.
  • The policy applies correctly, even to Windows Server 2012 domain controllers.
  • As mentioned, I can edit the policy without a problem from earlier versions of Windows.
  • This problem does not apply to the Default Domain Policy.  Both of these default policies have the proper UUID.
  • This problem occurs regardless of which DC I'm connected to via the GPO editor.
  • dcdiag /c passes all tests.


I'm stumped!  Any suggestions?

Problem with Mapped Drive Shortcuts GPO on Windows 7 client.


I created a GPO to map a drive on the local server (2008 R2).  This is pushed out to all users (Windows 7 clients).  I created a shortcut GPO to push out to all users' desktops.  The mapped drive works but the shortcuts only appear on the server, not on any of the clients.  I tried URLs also with the same outcome: the shortcuts appear on the server desktop but not on any of the clients.   I'm a little out of date with my knowledge. I took Network+ and MCSE back when Windows 2000 Server was fresh and have not kept up, so take it easy on me...

Regards...

Which Policy is being applied? and from which server?


Hi all,

I have a Windows Server 2008 as DC and Windows Server 2003 as second DC.

On each one of them, there is a different "Domain Group Policy" with different settings.

How can I know which one of them is being applied? And shouldn't they be the same?

Note that Windows 2003 was the main one before I transferred the 5 FSMO roles to Windows 2008.


How to exclude a user from loopback policy


We created a loopback policy for our Windows 2008 R2 RDS. It works fine. However, we also want to deny this policy to some users. So I checked deny in Apply this group, as shown in the screenshot.

However, the Computer policy still applies to the user (User policy is denied). I also post the gpresult here.

COMPUTER SETTINGS
------------------

    Last time Group Policy was applied: 5/20/2013 at 4:11:00 PM
    Group Policy was applied from:     2008DC
    Group Policy slow link threshold:  500 kbps
    Domain Name:                       DOMAIN
    Domain Type:                       Windows 2000

    Applied Group Policy Objects
    -----------------------------
        RDS Client Policy
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        WebHawk AD
            Filtering:  Disabled (GPO)

        Local Group Policy
            Filtering:  Not Applied (Empty)

USER SETTINGS
--------------

    Last time Group Policy was applied: 5/20/2013 at 4:11:36 PM
    Group Policy was applied from:     2008DC
    Group Policy slow link threshold:  500 kbps
    Domain Name:                       DOMAIN
    Domain Type:                       Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        WebHawk AD
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Vircom Addin Client
            Filtering:  Denied (Security)

        RDS Client Policy
            Filtering:  Denied (Security)


Bob Lin, MVP, MCSE & CNE Networking, Internet, Routing, VPN Troubleshooting on

http://www.ChicagoTech.net

How to Setup Windows, Network, VPN & Remote Access on

http://www.howtonetworking.com

Software Installation GPO: software isn't being deployed to Add/Remove.


Hello,

I've recently modified our TS server policy to see about having a version of the Javascript, Flash and our Teamviewer programs available for my users to add to their TS sessions when they need files. I have over 300 users so while applying the web-browser plugins via the computer is ideal, when I add the Adobe Acrobat reader 11 to the user part of the GPO for the software installation nothing appears in the add/remove section on the user's profile.

I've done a gpupdate /force and nothing has changed. The UNC of the provisioned applications folder is accessible perfectly fine. I've chosen Publish over Assign since I want users to have the option to install it on their own if need be. The files were .exe files that were converted to .msi files and they do execute perfectly fine so I doubt it's this as the issue. Currently I have the GPO that is assigned to our TS server farm affected and it's still not showing up in the list on all 6 of the TS servers.

I'm just baffled as to what setting could be preventing the programs from propagating in the add/remove list. We do have a multi-location domain, so I waited 2 times the length of a normal AD replication and it still doesn't show up.

Any help would be appreciated or some insight.

Event ID's 4624 Not Logged


We have a primary and secondary domain controller that are not logging user logins or logoffs. There are a few occasional event ID 4624's but they appear to be all for service accounts and not actual end users.

The local security policies on both controllers list no auditing so I thought for sure that was my issue, but come to find out (with a bit of research on this site) local security policy will say that even if it is being overridden by a group policy on a domain controller.

Local Security Policy:

Policy                          Security Setting
Audit account logon events      No auditing
Audit account management        No auditing
Audit directory service access  No auditing
Audit logon events              No auditing
Audit object access             No auditing
Audit policy change             No auditing
Audit privilege use             No auditing
Audit process tracking          No auditing
Audit system events             No auditing

With this in mind I ran rsop.msc to verify GPO is overriding local audit policies.

RSOP Results:

Policy                          Computer Setting  Source GPO
Audit account logon events      Success, Failure  Default Domain Controllers Policy
Audit account management        Success, Failure  Default Domain Controllers Policy
Audit directory service access  Success, Failure  Default Domain Controllers Policy
Audit logon events              Success, Failure  Default Domain Controllers Policy
Audit object access             No auditing       Default Domain Controllers Policy
Audit policy change             Success, Failure  Default Domain Controllers Policy
Audit privilege use             Success, Failure  Default Domain Controllers Policy
Audit process tracking          Success, Failure  Default Domain Controllers Policy
Audit system events             Success, Failure  Default Domain Controllers Policy

So I am not quite sure where to go from here, even though RSOP says it should be auditing, both controllers are not logging 4624's for end users. Does anybody have any further troubleshooting they could offer for me to get 4624's logging the way they should be?
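
An added example, not part of the original post: the local policy and RSOP listings above show the nine audit categories, while the policy a controller enforces is held per subcategory and can be read with auditpol. The PowerShell below, run elevated on each domain controller, lists the effective subcategory settings behind logon events, reports whether subcategory settings are forced to override the categories, and summarises which accounts and logon types the existing 4624 events belong to. It assumes an English-language OS, because auditpol subcategory names are localized.

```powershell
# Added example (not from the original post). Run elevated on each domain controller.
# Assumes an English-language OS: auditpol subcategory names are localized.

# 1. Effective per-subcategory audit policy. "auditpol /r" emits CSV with the columns
#    Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting,
#    Exclusion Setting.
$effective = auditpol /get /category:* /r |
    Where-Object { $_.Trim() } |
    ConvertFrom-Csv

$wanted = 'Logon', 'Logoff', 'Credential Validation',
          'Kerberos Authentication Service', 'Kerberos Service Ticket Operations'

$effective |
    Where-Object { $wanted -contains $_.Subcategory } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize

# 2. "Audit: Force audit policy subcategory settings (Windows Vista or later) to
#    override audit policy category settings" is stored as SCENoApplyLegacyAuditPolicy.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name 'SCENoApplyLegacyAuditPolicy' -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -eq 1) {
    'SCENoApplyLegacyAuditPolicy = 1: subcategory settings override the category settings.'
} else {
    'SCENoApplyLegacyAuditPolicy is not set to 1.'
}

# 3. What the Security log actually holds: recent 4624 events grouped by logon type
#    and account, so service-account entries can be told apart from user logons.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
    ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            LogonType = $data['LogonType']
            Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        }
    } |
    Group-Object LogonType, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

If the Logon subcategory reports "No Auditing" while RSOP shows Success, Failure for the category, the subcategory setting is the one in effect.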

Application Locker by Publisher or Product Name


Hi all,

I am using an application locker GPO for blocking Google Chrome and this is working fine with the default setup (Chrome.exe).

But the issue is, if I copy and paste this Chrome folder to any other location and rename Chrome.exe to anyname.exe, the GPO allows Chrome to run.

I have checked with conditions like “Product Name” and “Publisher” but no luck.

Please check and advise.

Thank you

Shilambuselvan A


| Chennai - 600 008 | India


A processing error occurred collecting data using this base domain controller. Please change the base domain controller and try again.


I added a Windows Server 2012 domain controller to an existing Windows 2003 domain. Now whenever I run Group Policy Management, it gives me the error "A processing error occurred collecting data using this base domain controller. Please change the base domain controller and try again.". I tried to change the Baseline DC, but nothing is listed in Add Navigation Nodes.

Baseline DC seems a new term to me.

So what's the issue now? Any hint or solution is welcome. Thanks.


CliffZ

Default group policy edit error


Hi

I have a problem with editing the default group policy in Windows Server 2008 in Active Directory 2008.

I go to Administrative Tools > Group Policy Management > Group Policy Objects > default group policy > right click > Edit and see this error:

Group policy edit error failed to open group policy object. you may not have appropriate rights

In the Event Viewer:

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          5/21/2013 11:20:08 AM
Event ID:      1096
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      MIREMADACTIVE.Tabm.ir
Description:
The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=Tabm,DC=ir. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1096</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2013-05-21T06:50:08.658847000Z" />
    <EventRecordID>22849</EventRecordID>
    <Correlation ActivityID="{323585D9-ED47-4871-A25E-0D786601913F}" />
    <Execution ProcessID="428" ThreadID="3420" />
    <Channel>System</Channel>
    <Computer>MIREMADACTIVE.Tabm.ir</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">2</Data>
    <Data Name="SupportInfo2">1232</Data>
    <Data Name="ProcessingMode">0</Data>
    <Data Name="ProcessingTimeInMilliseconds">1390</Data>
    <Data Name="ErrorCode">13</Data>
    <Data Name="ErrorDescription">The data is invalid. </Data>
    <Data Name="DCName">\\MIREMADACTIVE.Tabm.ir</Data>
    <Data Name="GPOCNName">LDAP://CN=Machine,CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=Tabm,DC=ir</Data>
    <Data Name="FilePath">\\Tabm.ir\sysvol\Tabm.ir\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\registry.pol</Data>
  </EventData>
</Event>

How can I fix this?

Thanks for helping.


alfONso

GPP runs in System account even if specified that it should run in user context


The user 'xlsx' preference item in the 'USER-Microsoft-Office  Group Policy object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.

I have a problem with a GPP that should make a program (LibreOffice or Microsoft Office) the default opening option for certain file types (.doc, .xls, .ppt etc.).

But the GPP runs in the System account even though I have set the policy to "Run in user's security context".

Group Policy Migration Table Not Working For UNC Paths in Scripts/SRP


I am attempting to use the Group Policy Migration Table.  I created a table and when I copied the policy, it did not convert the paths as I expected when I did this via PowerShell.  I then attempted to use the GPMC GUI and when manually copying the policy, GPMC did not detect any UNC paths either and hence did not offer to let me use a Migration Table. 

I have checked two policies - one has a computer Startup Script and another policy has Software Restriction Policy Path Rules. 

Is the Migration Table not supported under these scenarios?  Or have I missed something? 

Thanks!

Getting 404 errors when trying to load a web page on our 2008 web server after applying a gpo.


We apply a general purpose GPO to our servers. This GPO has over 150 entries. Someone made a change to the GPO and now when we try to load a web page we get a 404 error. We remove the GPO and everything works fine.

We want to narrow our search for the cause without having to remove 10 GPO settings at a time.

What kinds of things cause 404 errors when trying to load a web page?
