Channel: Group Policy forum
Viewing all 19997 articles

GPO not applying to individual users

Hi All,
I have approx. 1200 users over four AD sites. Each site has its own proxy server. Over the weekend we upgraded to our new proxy servers and I changed the GPOs to reflect the new servers. My problem is that approx. 40 users are still using the old proxy servers (we left them on for just this situation). When I run RSOP or gpresult the results come back with the new IP address of the new Proxy Servers. However, when I look at the users' settings in IE they have the old IP addresses listed.
The users are in many different OUs and their peers have picked up the new addresses. I have done gpupdate /force and a complete reboot of the problem users' PCs to no avail. I have also Enforced the relevant GPO.
I can manually change the settings and they will stick but I would really like to find out why this is happening and solve it en masse.
The AD servers are 2003, all clients are Win7 (a mix of x32 and x64), and the Proxy Servers are running Win 2008 R2

Recycle Bin - Windows 7 Mandatory Profile - Server 2012


Have just set up a test lab and have configured folder redirect for My Documents and so on, but on client A I delete a file and can see on the server that it is in the recycle bin. But back on client A if I open the Recycle Bin it shows no file... But if I right click the recycle bin on the user's home folder on the server it shows 2 items inside.

How can I fix it so that Client A can see the deleted files at the logged in computer i.e. Client A station?

This is for Windows 7 64 bit clients with Server 2012 Standard. If the fix is GPO / registry, happy to edit the hive.

Geoff

Changing default picture viewer via GPO without changing image type and icon (Windows 7)


Hello,

I am trying to change the default picture viewer for some file extensions (.bmp, .jpeg, .png and .tiff). Actually Windows Photo Viewer is the default viewer and we need to replace it with Microsoft Office Picture Manager.

I managed to do that change via GPO using the 'open with' preference under User Configuration\Preferences\Control Panel Settings\Folder Options. So now the files are opened with Microsoft Office Picture Manager (Office 2010). The problem is that the image type became 'OIS.EXE' for all the specified file extensions. Moreover the icon is now the same (Microsoft Office 2010).

When I manually change the associated program for a file extension, the icon changes but not the image type... this is different using GPO.

Is there a solution in order to change the default program but keeping the image type and associated icon?

I tried to do that modification using the 'new file type' preference under Computer Configuration\Preferences\Control Panel Settings\Folder Options. I specified the 'open' action for OIS.exe, selected file extension BMP with associated class 'Bitmap Image'. It solves the problem for image type, Microsoft Office Picture Manager opens the files ... but I have to specify the icon file path and icon index and I don't know where I can find the default icons for the file extensions ...

What is the best solution? Am I right? Am I doing something wrong?

Thank you in advance!

GPP Printer: error code '0x80070006 The handle is invalid.'


Hello,

We're using two 2008 R2 domain controllers, one 2008 R2 print server and six 2008 R2 XenApp terminal servers.

A problem has occurred with one of the terminal servers. It has completely stopped mapping printers for the users during logon.

The error event in event log says: "Group Policy object did not apply because it failed with error code '0x80070006 The handle is invalid.' This error was suppressed."

The printers are configured in Group Policy Preferences using FQDN.

I installed a printer on a secondary print server, for testing purposes, and that printer was mapped just fine, but when deploying printers residing on the main print server, nothing gets mapped.

File shares and all other settings work fine.

Users are able to browse to \\printserver or \\printserver.fqdn.com and add the printers without problem. They can also browse the directory and add them.

gpupdate ends up with the same error in the eventlog.

I have tried (on the terminal server) to leave the domain and rejoin, but that didn't solve this.

I would need some help solving this. I cannot tell if the problem is in the print server or the terminal server.

Any ideas?

Exporting GPO's for different forests


Hi all,

I'm looking for ways to work smarter with server builds for our smaller clients when we move them to new versions of SBS or from SBS to full server. I often find myself recreating the same GPO's from other clients before customizing them, i.e. workstation settings, terminal server lock down settings etc. 

I am hoping I can speed up the process by exporting GPO's from a model client, importing GPO's and applying them to the new client I am working on, adjusting settings, links as appropriate for the client and build up a repository of GPO's as I work forward. This would save a bit of time building and configuring the domains doing it right once and implementing it at multiple sites. At the moment, the quickest way to achieve the same goal is a RDP session of an existing client and working my way through GPM copying the settings.

I've had a brief play with exporting a GPO from one forest and importing it into another completely separate domain but this did not work as expected and did not import.

Any suggestions or work flows to achieve this goal? Is it even possible?

Regards,


Michael

GPO: unable to configure a scheduled task to run under system account


Domain/Forest functional level: Windows Server 2003

Issue description:

I have a computer configuration policy where I'm trying to create a scheduled task (Windows Vista or Later).

I want the task to run under system account, but when I try to select it - it does not seem to resolve properly (BUILTIN\SYSTEM instead of NT AUTHORITY\SYSTEM):

https://skydrive.live.com/redir?resid=CDFFB208AB5845E8!133&authkey=!AIktNBxvU_dukyY
https://skydrive.live.com/redir?resid=CDFFB208AB5845E8!132&authkey=!ADZ7tz4aqHUIHlU
https://skydrive.live.com/redir?resid=CDFFB208AB5845E8!134&authkey=!APAn-Mdv_bF6TfY

I get the following error message in the event viewer of the target Windows 7 PC after the GPO is applied (+ scheduled task is not there):

The computer '******' preference item in the '********' Group Policy object did not apply because it failed with error code '0x80070534 No mapping between account names and security IDs was done.' This error was suppressed.

When I go to the setting again at any later time I get the following screen displayed:

https://skydrive.live.com/redir?resid=CDFFB208AB5845E8!135&authkey=!AHl8LAjPUgFJSjc

The setting for "Run whether user is logged on or not" is just reset.

If I click "Change User or Group" and select the domain "From this location", then the system resolves to this:

NT AUTHORITY\Well-Known-Security-Id-System

The scheduled task still fails - it's just not there.





Hide Notification Area on Specific Computer

All of my users are local admins of their machines. This just makes life easy. I ran into a problem, though, when users started clicking around stuff in the system tray (Windows Update, specifically). I'd like to hide the notification area JUST on the remote server. But the GPOs I'm making seem to follow the login, not the computer. I have to set the GPO on a container with users, and then it applies to all computers. Help!

GPP - Delete Printers not getting applied


Hi,

I don't seem to be able to find the right setting or hotfix to get this GPP Working.

At several installations shared printers are mapped via GPP, everything works fine.

Usually the mapped printers are removed from the user/session via a logoff script, this works fine.

The GPP though also has the option of deleting specific printers e.g. when you decommit them. This GPP is not getting applied unless a /gpupdate /force is applied in the session. The GPP is not applied on logon. GPP Refresh (after 90 minutes) is not thoroughly tested yet, but still this should be applied at logon.

Tracing and EventLog don't show any error and it's not driver related as we've broken down the example to a simple Generic Text only printer.

So for any insight / link to a KB I'd be thankful.

M.Reimer


Group Policy Client service does not start


Hi,

As soon as I (administrator on my PC) log on to Windows 7, I get a message saying that the Group Policy Client service failed to start. I'm not sure why I'm getting this error even though the dependencies are very much up and running.

Below is the error message I get in the notification area as soon as I log on:

Failed to connect to a windows service
Windows could not connect to the Group Policy Client service. This problem prevents standard users from logging on to the system.
As an administrative user, you can review the System Event Log for details about why the service didn't respond.

"This program is blocked by group policy"


Hi all.

I have searched Google a fair bit on this but shockingly I just can't find an actual answer.  The Group Policy forum is where I should have started rather than finally come to :)

I am no genius with GP, I use it in the most basic ways in very small orgs.  My users appear to all have the same problem, when they insert a removable media device that has software on it that might run or autorun, I get the "This program is blocked by group policy, contact your admin" message.  I don't believe this occurs with removable media just as just plain USB storage sticks.  So far the two examples I know of are for an Internet provider's USB broadband mobility stick, and another user that is using some Kodak products (SD card, camera, and even the Kodak CD I think).

Environment is 2008 R2, Win7 Pro workstations, all users are local admin on their machine.  All users are in the default Users container, and all computers are in the Computer container.  To my recollection I have never set a GPO that would directly or indirectly cause all users problems like this.  The only thing that has had indirect consequences that I know of in the past, was because we use many of the options available under Folder Redirection, including redirecting the Desktop.  In some cases, when a user has tried to launch an exe or what not that was on the desktop, it failed because it's trying to launch in truth on their user folder on the server, not really on the Windows Desktop.  I'm not sure if that might impact my current problem. 

To start, where can I go to actually check GPOs for this?  Is this the Software Restriction Policy?  If so, which one governs, the one in User Configuration or Computer Configuration?  In both cases I went to GPMC and under both, it would say I had to go to the Actions menu to create a New Software Restriction policy.  I did so (just picking the item in the Actions menu), and the result was some choices under the actual GPO now, none of which I've yet configured.

So, I need to troubleshoot this but also to know where such a thing causing this error message would be set under normal circumstances.  Also, could antivirus cause this?  I can't see the error saying "group policy" if it did though.

Thank you very much. 

windows 7 windows server 2003 domain controller screen saver


Hello all,

For some reason, sometimes the screen saver on some Windows 7 client computers doesn't kick in after 20 minutes according to the setting in the AD. All other GPOs seem to be working fine. Windows XP clients work fine.

After googling for several hours I noticed this is not a new problem. A lot of people are experiencing some sort of problem with the screen saver in Windows 7 if you run Windows Server 2003 AD, but no one seems to have a solution.

Any idea why the screen saver sometimes doesn't work (Lock) in Windows 7?

2 GPOs with firewall exceptions: one applies, one does not


I've run across what appears to be a strange issue in our Group Policy setup.

We have 2 GPOs set up to add firewall exceptions within our domain.  One has a firewall exception defined for program A; the other has a firewall exception for program B.  Both are linked to the parent OU where all our Windows 7 workstations reside within our Group Policy tree.

The exception for program A applies to these computers; the exception for program B does not.  If I move the firewall exception from the firewall exception GPO for program B into the firewall exception GPO for program A (so exceptions for both A and B are in the same GPO), the exception is distributed to all our workstations.  Keeping them in separate GPOs results in the exception for program B (but not all) not being applied to some of our computers.

"gpresult /H" shows both firewall exception GPOs being included, but the settings from the second GPO do not show up.

Any thoughts on why I would see such behavior?

John

GPO:Windows Event Log Service


I have a GPO that is stopping the Windows Event Log service from starting. I need to know what GPO setting causes this problem. The Windows Event Log service cannot be started and the reason is "Error 5: Access is denied". Every computer on the network gets this error. As soon as I add a computer to the domain and run gpupdate /force, all of a sudden you get this error.

Group Policy processing has been aborted because the file gpt.ini cannot be accessed


Hi Everyone,

We have 20 Windows Server 2008 R2 SP1 DC's with only ONE of the DC's reporting this problem:

The processing of Group Policy failed. Windows attempted to read the file \\server\sysvol\domain\Policies\Default Domain Policy\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

This is being reported by Ops Manager 2012

I've restarted ntfrs, performed a purge, checked the IP config, DNS nslookup's all work and sourced the web all to no avail. gpt.ini exists and has the same permissions as on other DC's. Only thing I haven't performed is a reboot of the DC in question.

Any assistance most welcome.

GPO to deploy a shortcut to all users in a domain.


Hi.

I have a shortcut that I need deployed to all users in my domain. I cba going to each individual computer to add it =)

I have the shortcut on P:\XXXX\YYYY.ink or computername: MYSERVERDC01, P: drive.

This is how I did it:

GPO management -> Create GPO in this domain, and Link it here... -> Named it XYZ -> Right click on XYZ, edit -> Preferences (on both user AND computer, since I don't know which is right) -> Windows settings -> Shortcut -> New shortcut.

So far so good?

These are the settings I put on the new shortcut.

Action: Create -- Name: XZY -- Target type: File System Object -- Location: Desktop -- Target path: p:\xxxx/yyyy.ink -- Start in: %commondesktopdir% -- Icon file path: p:/xxxx/yyy1.ico

--------------------------------------

It creates a shortcut on my test user's desktop, with the correct icon. But when I double click it, it sends me to c:\users\all desktop (something like that).

How can I modify so it opens the shortcut that is located on p:/xxxx/yyyy.ink?

Should I add the new shortcut to Computer config or User config?

Is there an easier way to add a shortcut to all domain users?

Very thankful for all help.

Regards

Jesper


Scheduled Task (run as, At Logon) from GPO


Hi, I configured a Scheduled Task in a GPO for the 8D\Test user. This user is non-admin on the PC or domain. This task must be run as user 8D\Alex when 8D\Test logs on, but it is not working. What is wrong?

If user 8D\Test manually runs cmd.exe with highest privileges as 8D\Alex and then runs \\SERV-2008R2\script$\classid.cmd, the script applies to the system.

Thank you!



Report: Computer in AD but not in WSUS?


Hello,

Does a report showing the server existing in Active Directory and not showing in WSUS exist?

Thanks,

Dom


System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager

GPO not deploying access is denied


Hi guys,

Having a problem with GPO. I created a shortcut GPO and it seems to be working fine. I created another GPO software install package but it says it's inaccessible. Permissions on the first shortcut GPO are the same as the second. Anyone have any idea? Tried numerous things and can't seem to get it correct.

Here's a sample of a working and non working:

Link Location: rrserver.com/RR Users
Extensions Configured:
Enforced: No
Disabled: None
Security Filters:
    NT AUTHORITY\Authenticated Users
    RRSERVER\Domain Admins
    RRSERVER\Domain Users
    RRSERVER\Domain Computers
    RRSERVER\administrator
    RRSERVER\Enterprise Admins
Revision: AD (0), SYSVOL (0)
WMI Filter:
Reason Denied: Inaccessible


deploy printers via GPO from server with only local admin credentials logged in


I've got Print Manager role installed and working on a domain server.  Run>\\ServerPrint\MySharedPrinter double-click and it installs. I've even got the security configured using AD DL groups on the printers and that is working as intended.

The server (ServerPrint) C:\Users\Administrator is logged in with the local (machine) admin, but it is on the domain.

I've got my GPO added in GPMC (ServerDC01), GPO_PrinterDeploy

When I try to right-click on the Printer (ServerPrint), Deploy with Group Policy>Browse...  Everything is greyed out.

My question, is there a way to force that dialog to prompt for domain admin credentials, so I can access GPO on ServerDC01?

Or is the only way to do this to be logged into ServerPrint with a domain account?

GPSI Software remains cached on AD


Hi. I've got one GPO where a software installation remains cached. It does *not* appear in the actual GPO (when opening GPM and modifying the GPO) but when a computer retrieves the GPO it still sees the software (i.e rsop.msc) after gpupdate /force and restart.

This is not a PC problem as it happens on any PC that the GPO was applied to. So it's something with the DC/AD itself. How can I go about purging this particular package from the GPO so that clients don't pick it up any more?

I am also unable to copy the GPO to recreate it. I get the following error during the paste process:

GPO: IT Computers...Failed
The system cannot find the file specified.
Event Viewer on the server shows the following error when trying to paste the GPO (eventid 2008)
Copy of GPO failed. Error [The system cannot find the file specified.
]
 Details:
     Source GPO:
         DisplayName: IT Computers
         ID: {BE52B3B6-FEC8-48A5-AA18-CB59D0AC8CE5}
         Domain: xxx
     Destination GPO:
         DisplayName: IT Computers
         ID: {97B8D411-986F-45FE-94B0-B3BA96A35225}
         Domain: xxx
