We have Group policies set up on a server (2008 R2) that contain settings for IE such as proxy configuration. This is managed by the Internet Explorer Maintenance section in the GP.  We have taken delivery of a new PC from Dell which has come with IE 10 pre-installed and this is the first IE 10 installation we have.  Have just discovered that our GP will not now work (eg. will not set the proxy on the PC) because the IEM section is deprecated for IE10.  Although I've read loads of posts I can't figure out what to do.  I've looked at GP preferences and there's nothing there, it's all blank, I don't see any tabs which people are referring to in their posts.  Can someone explain in simple terms how to use GP Preferences (ie. how do I get anything to show up in it other than a blank screen), or any other method that will allow us to set the IE settings for all users (about 130 in all so we don't want to manually edit every machine locally).

I am trying to install printers on xp workstations and I'm having a hit and miss with my success. Just a bit of info about our environment. We are running a 2008 r2 domain with a 2008 r2 print server. All xp workstations have been patched with everything including the GP preferences patch and yes I'm using the pushprinterconnection.exe.

So here is what I'm trying to do. I need to apply printers to just a group of workstations (a PC LAB) and NOT all the users. In other words I don't want the printers to follow the users around. I also need to set the default printer.

The only way I know to set the default printer is in User configuration > control Panel settings > Printers and then connect to a shared printer and check the default box. The problem is that printers will only show up in XP if I ALSO put the printers in User configuration > Policies > Windows Settings > Deployed printers. Normally that wouldn't be a problem but as I pointed out above I'm also trying to limit what PCs get these printers and I would like to use the "Item-level targeting" which would be pointed to the security group that has all the PCs in the lab in it.

Now something that I didn't do is setup individual OUs for the labs, instead I created security groups. Does that make a difference?

Clear as mud?

Thanks in advance. :)

What in the GPO would specifically block ABE from running properly? I have 1 GP that is blocking it, and when I remove it from the scope, ABE works great as it should. If I add that policy back in, it doesn't work. Any ideas?

I recently discovered in my AD domain data, when viewed with ADSIEdit, that the CN=System/Policies section contains GPOs that have software assignments in them, but many of the packages listed in the GPOs seem to reference packages that I long-ago removed/replaced in my policies.

I have also been seeing some errors with certain computers refusing to accept an MSI that I deployed with GPO, and I"m wondering if these old/obsolete packages are interfering with things. Is there any reason that some of these policies or packages should be cleaned up?

thanks!

I'm pretty new to all this so I'm not too sure what the important details are or how exactly to get them but here is what I know

The purpose of my rule is to allow me to connect SQL Management studio from computer A to computer B's Database Engine

-My OU is linked to the GPO
-I created the inbound rule in the Computer Configuration in the Group Policy Management Editor
-I'm using HyperV to host all these machines  (Domain Controller, Computer A, computer B)
-I'm using Differencing Disks
-I ran sysprep on all of them so they have unique SID's
-I checked and they all have Unique MAC addresses

The part that confuses me is that if I go to computer B and open up the Windows Firewall with Advanced Security. I can see the Inbound Firewall rule that I created for the Group on the Domain Controller.... If I create the IDENTICAL rule on computer B then I'm able to connect to the SQL Database Engine just fine.. But if all I have in place is the rule created for the domain it doesn't work.... But the two rules are identical :-(  I'm guessing it has something to do with how firewall rules are applied on the local store vs the domain store and for some reason the domain store set of firewall rules on computer B isn't providing a conduit of connection.

Thoughts?

Hello,

I am trying to implement a GPO that will disable users from being able to plug in USB flash drives into designated workstations. I have looked at a majority of the other popular articles to no avail.

I have created a test environment. I have created an OU that has blocked inheritance. Inside that OU there is a folder labeled Computer and one labeled User. I created a new user account and dropped it into the User folder and I migrated a test machine into the Computer folder. I then linked both the Computer and User to the test GPO and enabled.

The GPO itself has everything configured under Computer Configuration > Windows Settings > Security Settings > File System to deny full access to usbstor.inf and usbstor.PNF for the SYSTEM and COMPUTER NAME\USER accounts. As far as I can tell this works fine...

The real problem is with the registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Start. The GPO is set under User Configuration > Preferences > Windows Settings > Registry with the following entry:

Action: Replace

Hive: HKEY_LOCAL_MACHINE

Key Path: SYSTEM\CurrentControlSet\Services\USBSTOR

Value name: Start

Value type: REG_DWORD

Value data: 4

Base: Hexadecimal

When I log into the test PC with the test user account I can go into the registry and see that the value is still set for 3!

I have tried to change the Action: Replace to Action: Update. I have also tried to implement the .adm file listed here: Support page for:

HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers

This did not work either.

I am able to manually change the value to a 4 and then it properly disables the ability to use a flash drive.

It seems to be an issue with permissions or something. Any ideas?

Firstly 'Hello' everyone, hope someone can give me a pointer in the right direction........

About 6 weeks ago I migrated our DCs from 2008 R2 to 2012, all well swimmingly well, couple of minor issues which were easily resolved.

Today however it was bought to my attention that accounts were locking out after 6 failed password attempts. Now I did have this configured under 2008 R2, so naturally I assumed I could go into the GPO and change that.

I work at a school, this time of year we have the Year 5's coming in for a 'taster' day so rather then create 60 individual accounts, I provide a single generic student account which they can use in the suites.

Unfortunately a couple of the little chaps got the password wrong which locked the account, so to make life easier for the staff I wanted to turn off the account lockout......this is where the fun started.

When I examined the GPOs, even though settings for password complexity etc were present , all the setting for account lockout were not configured. Historically by default these GPO were set at the domain level. I then checked the nested OUs to see if the account lockout had been configured there.......it hadn't.

When I run secpol on the client machine it clearly shows there is no account lockout policy set, same result if I run a RSOP logging.

To ensure it wasn't an account issue I used a couple of the other accounts - same result.

So I setup logging, here is an extract from the 'winlogon' log, any help would be greatly appreciated.

Make a local copy of \\xxx.somerset.gov.uk\sysvol\xxx.somerset.gov.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

Make a local copy of \\xxx.somerset.gov.uk\SysVol\xxx.somerset.gov.uk\Policies\{F7E96668-4F42-48C6-9653-9FB153E7E4EA}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

Make a local copy of \\xxx.somerset.gov.uk\SysVol\xxx.somerset.gov.uk\Policies\{ED3526CE-497E-41D4-9954-CDA202D7CB48}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

Process GP template gpt00000.dom.

This is not the last GPO.
-------------------------------------------
Thursday, July 11, 2013 2:24:15 PM
 Administrative privileged user logged on.
 Parsing template C:\Windows\security\templates\policies\gpt00000.dom.
 Copy undo values to the merged policy.

----Un-initialize configuration engine...

Process GP template gpt00001.inf.

This is not the last GPO.
-------------------------------------------
Thursday, July 11, 2013 2:24:15 PM
 Administrative privileged user logged on.
 Parsing template C:\Windows\security\templates\policies\gpt00001.inf.

----Un-initialize configuration engine...

Process GP template gpt00002.inf.
-------------------------------------------
Thursday, July 11, 2013 2:24:15 PM
 Administrative privileged user logged on.
 Parsing template C:\Windows\security\templates\policies\gpt00002.inf.
----Configuration engine was initialized successfully.----

----Reading Configuration Template info...

----Configure User Rights...
  Error assigning SeSystemtimePrivilege to Administrators account. This setting may block administrators from logging on interactively.
  There is already an undo value for group policy setting <SeMachineAccountPrivilege>.
  There is already an undo value for group policy setting <SeBackupPrivilege>.
  There is already an undo value for group policy setting <SeSystemtimePrivilege>.
  There is already an undo value for group policy setting <SeCreatePagefilePrivilege>.
  There is already an undo value for group policy setting <SeCreatePermanentPrivilege>.
  There is already an undo value for group policy setting <SeDebugPrivilege>.
  There is already an undo value for group policy setting <SeRemoteShutdownPrivilege>.
  There is already an undo value for group policy setting <SeAuditPrivilege>.
  There is already an undo value for group policy setting <SeIncreaseBasePriorityPrivilege>.
  There is already an undo value for group policy setting <SeServiceLogonRight>.
  There is already an undo value for group policy setting <SeInteractiveLogonRight>.
  There is already an undo value for group policy setting <SeSecurityPrivilege>.
  There is already an undo value for group policy setting <SeSystemEnvironmentPrivilege>.
  There is already an undo value for group policy setting <SeProfileSingleProcessPrivilege>.
  There is already an undo value for group policy setting <SeSystemProfilePrivilege>.
  There is already an undo value for group policy setting <SeRestorePrivilege>.
  There is already an undo value for group policy setting <SeTakeOwnershipPrivilege>.
  There is already an undo value for group policy setting <SeDenyInteractiveLogonRight>.
  There is already an undo value for group policy setting <SeRemoteInteractiveLogonRight>.
 Configure S-1-5-20.
  remove SeAuditPrivilege.
Error 50: The request is not supported.
 Configuring some user rights for this account is not supported. Re-attempting configuration by ignoring unsupported operation errors.
  remove SeAuditPrivilege.
Configuring SeAuditPrivilege for this account is not supported.
 Configure S-1-5-21-3674901190-3434711979-3236415797-1002.
  remove SeServiceLogonRight.
 Configure S-1-5-32-544.
 Configure S-1-5-32-549.
 Configure S-1-5-32-551.
 Configure S-1-5-21-2305780114-2822244767-3400383141-1109.
 Configure S-1-5-21-2305780114-2822244767-3400383141-1126.
 Configure S-1-5-21-2305780114-2822244767-3400383141-512.
 Configure S-1-5-21-2305780114-2822244767-3400383141-13139.
 Configure S-1-5-32-548.
 Configure S-1-5-21-2305780114-2822244767-3400383141-5651.
 Configure S-1-5-21-2305780114-2822244767-3400383141-13616.
 Configure S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420.
 Configure S-1-5-19.
  remove SeAuditPrivilege.
Error 50: The request is not supported.
 Configuring some user rights for this account is not supported. Re-attempting configuration by ignoring unsupported operation errors.
  remove SeAuditPrivilege.
Configuring SeAuditPrivilege for this account is not supported.

 User Rights configuration was completed successfully.

----Configure Group Membership...
 Configure xxx\Domain Admins.
  old memberof tattoo list: *S-1-5-32-544,
  object already member of Administrators.
  new memberof tattoo list: *S-1-5-32-544,
 Configure xxx\gsglocaladmins.
  old memberof tattoo list: *S-1-5-32-544,
  object already member of Administrators.
  new memberof tattoo list: *S-1-5-32-544,

 Group Membership configuration was completed successfully.

----Configure Security Policy...
  Start processing undo values for 6 settings.
  There is already an undo value for group policy setting <MinimumPasswordLength>.
  There is already an undo value for group policy setting <PasswordHistorySize>.
  There is already an undo value for group policy setting <MaximumPasswordAge>.
  There is already an undo value for group policy setting <MinimumPasswordAge>.
  There is already an undo value for group policy setting <PasswordComplexity>.
  There is already an undo value for group policy setting <ClearTextPassword>.
 Configure password information.
  Start processing undo values for 3 settings.
  There is already an undo value for group policy setting <LockoutBadCount>.
  There is already an undo value for group policy setting <NewAdministratorName>.
 Rename the Administrator account to xxxxxxxx.
  There is already an undo value for group policy setting <NewGuestName>.
 Rename the Guest account to xxxxxxxxx.
  There is already an undo value for group policy setting <EnableGuestAccount>.
 Guest account is disabled.

 System Access configuration was completed successfully.
 Configure machine\software\microsoft\driver signing\policy.
  There is already an undo value for group policy setting <machine\software\microsoft\driver signing\policy>.
 Configure machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd.
  There is already an undo value for group policy setting <machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd>.
 Configure machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount.
  There is already an undo value for group policy setting <machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount>.
 Configure machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning.
  There is already an undo value for group policy setting <machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning>.
 Configure machine\software\microsoft\windows\currentversion\policies\system\disablecad.
  There is already an undo value for group policy setting <machine\software\microsoft\windows\currentversion\policies\system\disablecad>.
 Configure machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername.
  There is already an undo value for group policy setting <machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername>.
 Configure machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption.
  There is already an undo value for group policy setting <machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption>.
 Configure machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext.
  There is already an undo value for group policy setting <machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext>.
 Configure machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous.
  There is already an undo value for group policy setting <machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous>.
 Configure machine\system\currentcontrolset\control\lsa\submitcontrol.
  There is already an undo value for group policy setting <machine\system\currentcontrolset\control\lsa\submitcontrol>.
 Configure machine\system\currentcontrolset\control\session manager\protectionmode.
  There is already an undo value for group policy setting <machine\system\currentcontrolset\control\session manager\protectionmode>.
 Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature.
  There is already an undo value for group policy setting <machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature>.
 Configure machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature.
  There is already an undo value for group policy setting <machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature>.

 Configuration of Registry Values was completed successfully.

 Audit/Log configuration was completed successfully.

----Configure available attachment engines...

 Configuration of attachment engines was completed successfully.

----Un-initialize configuration engine...

Hi,

there is any option to apply a GPO to the entire forest?

I mean to all domains in the forest.

Thanks in advance

Thanks & Regards Amit Kumar | EDP Dept.| Indus Weir Industries Limited | FF-42 | 3rd Floor | Mangal Bazar Road | Near V3S Mall | Laxmi Nagar | Delhi-92 | M +91 8010477243 E-Mail singhamit1993@hotmail.com

I have an SBS 2008 in my home office with folder redirection working perfectly.  I have two remote offices connected via sonicwall gateway to gateway tunnels.  The servers in both remote locations are server 2003 standard.  All three servers are on same domain, with sbs2008 as the pdc and both 2003 servers as secondaries.

I have issues with a few users that work out of the main sbs2008 office that travel to both remote locations.  When they login it can take hours for the login to complete.  It is random but does happen often.  I have setup gpo's that redirect with sbs2008 to redirected folders, and under documents and settings for server 2003.  Most of the time it works but the owner is one of the users who seems to never be able to login correctly or doesn't receive his desktop and documents.

I need to know if there is known issues with this and how to resolve.  Please help.

Thank you.

someone help me about how group policy filtering works in GPMC scope there are 2 tabs links & security filtering how exactly differs it's mandatory to enable link & add security group in case policy needs only on either few users/computers

why unale to add OU in security filter tab

sccmghost@hotmail.com

I have 4 Windows 7 Professional Computers in a domain on Windows Server 2012 Essentials. Computer-2 and Computer-3 are identical hardware.

Computer-1 - oldest of the bunch, everything works fine

Computer-2 - Group Policy for users applies just fine, folder redirection and anything else I attempt to do with GPO for users works flawlessly. The problem is that it fails to apply anything from the policies that apply to the computer.

Computer-3 - Identical problems to Computer-2. I cloned the hdd from this computer and put the clone in Computer-2 before I joined either of them to the server.

Computer-4 - Newest rig, everything works fine.

I used gpupdate /force on both computer-2 and computer-3, and on both I get event in the event log. I used gpresult /h and both computers give me a report likethis

Group Policy Infrastructure failed due to the error listed below.

Access is denied. 

Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.

Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 2/24/2013 9:22:32 PM and 2/24/2013 9:22:33 PM.

I found some instructions for testing name resolution for the server in nslookup

C:\Windows\system32>nslookup
Default Server:  UnKnown
Address:  fe80::a4a4:ca5c:25ac:4b93> set q=srv> _ldap._tcp.dc._msdcs.COMPTONIRR.local
Server:  UnKnown
Address:  fe80::a4a4:ca5c:25ac:4b93

_ldap._tcp.dc._msdcs.COMPTONIRR.local   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = office-server.comptonirr.local
office-server.comptonirr.local  internet address = 10.0.1.8
office-server.comptonirr.local  internet address = 10.0.1.200

and everything seems to check out.

If it helps, both computer-2 and computer-3 show "Not Applicable" under the Group Policy column in the Devices tab in the Dashboard and periodically pop up with a computer monitoring error:

Can only partially assess the health of this computer. The failing components are: DevicePeoviderReporting!DomainJoinStatusInfo

I then removed Computer-3 from the domain, changed its name to Computer-5, and rejoined it with the server 2012 connector software. The same problems occurred.

More details - these 3 messages appear frequently on both computer-2 and the newly designated Computer-5

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          2/25/2013 6:12:21 PM
Event ID:      1055
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      COMPUTER-5.COMPTONIRR.local
Description:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: 
a) Name Resolution failure on the current domain controller. 
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" /><EventID>1055</EventID><Version>0</Version><Level>2</Level><Task>0</Task><Opcode>1</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2013-02-26T00:12:21.664926800Z" /><EventRecordID>8689</EventRecordID><Correlation ActivityID="{A6B3851A-1280-42F1-A35B-A5A6DD3ABACE}" /><Execution ProcessID="124" ThreadID="1152" /><Channel>System</Channel><Computer>COMPUTER-5.COMPTONIRR.local</Computer><Security UserID="S-1-5-18" /></System><EventData><Data Name="SupportInfo1">1</Data><Data Name="SupportInfo2">1632</Data><Data Name="ProcessingMode">2</Data><Data Name="ProcessingTimeInMilliseconds">1529</Data><Data Name="ErrorCode">5</Data><Data Name="ErrorDescription">Access is denied. </Data></EventData></Event>

Log Name:      System
Source:        LsaSrv
Date:          2/25/2013 6:12:21 PM
Event ID:      40961
Task Category: None
Level:         Warning
Keywords:      
User:          SYSTEM
Computer:      COMPUTER-5.COMPTONIRR.local
Description:
The Security System could not establish a secured connection with the server ldap/OFFICE-SERVER.COMPTONIRR.local/COMPTONIRR.local@COMPTONIRR.LOCAL. No authentication protocol was available.
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" /><EventID>40961</EventID><Version>0</Version><Level>3</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2013-02-26T00:12:21.591922600Z" /><EventRecordID>8688</EventRecordID><Correlation /><Execution ProcessID="492" ThreadID="600" /><Channel>System</Channel><Computer>COMPUTER-5.COMPTONIRR.local</Computer><Security UserID="S-1-5-18" /></System><EventData><Data Name="Target">ldap/OFFICE-SERVER.COMPTONIRR.local/COMPTONIRR.local@COMPTONIRR.LOCAL</Data></EventData></Event>

Log Name:      System
Source:        NETLOGON
Date:          2/25/2013 6:12:10 PM
Event ID:      5719
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      COMPUTER-5.COMPTONIRR.local
Description:
This computer was not able to set up a secure session with a domain controller in domain COMPTONIRR due to the following: 
There are currently no logon servers available to service the logon request. 
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

ADDITIONAL INFO 
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="NETLOGON" /><EventID Qualifiers="0">5719</EventID><Level>2</Level><Task>0</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2013-02-26T00:12:10.000000000Z" /><EventRecordID>8601</EventRecordID><Channel>System</Channel><Computer>COMPUTER-5.COMPTONIRR.local</Computer><Security /></System><EventData><Data>COMPTONIRR</Data><Data>%%1311</Data><Binary>5E0000C0</Binary></EventData></Event>

Looking at the User GPPs under Windows Settings there is an item called APPLICATIONS, but I can't seem to do anything with it.

R-Clicking then clicking on New, extends the menu to Appplication, but stops there.

What is this for?  I'm having difficulty in finding information on this preference.  I was wondering if its possible to govern an applications behavior, such as disallowing for specified users or allowing during specified times or if there might be more options.  It'd be nice to be able to set things like that and also attach Client-Side-Targeting.

sccmghost@hotmail.com

sccmghost@hotmail.com

sccmghost@hotmail.com

sccmghost@hotmail.com

sccmghost@hotmail.com

sccmghost@hotmail.com

Hi ,

We have deployed Wallpaper via Group Policy (Windows Server 2008 R2)

Our clients includes Windows XP,Windows 7 and Windows 8 (Both desktops and Laptops).

The policy is applying to all the systems. We have selected 'fit' in group policy.

But For XP machines the wallpaper is applied entire screen but in laptops not showing entire screen. I have tested with all the available options like fit,fill,center and Stretch.

How to resolve this issue?