Channel: Group Policy forum
Viewing all 19997 articles
Browse latest View live

GPO Software Deployment Question

Hello All,

I recently added a simple flash installer for IE and Firefox into GPO for deployment and both deployed successfully, which was great, but my question is: how can I remove the actual Software line item from the GPO I placed it in? I'm not looking to uninstall, I know how to do that, but now that I have tested this and it works, I think I want to make a new GPO and dedicate it solely to Software installations (I don't want to load up my primary GPO with a million Software packages, so I figure I'll keep it separate). I can't seem to find a way to remove an install job from the policy itself. Is this possible?

Thanks!


GPO not applying using computer group as filter

I have a GPO that disables screen saver and I am linking it to a specific OU with a lot of workstations in it.  I created a group, ExemptFromScreenSaver and added the computers I wanted exempt from getting the screen saver to this group so, no matter who logged in, these computers would not have screen saver enabled.

Problem is, the GPO will not apply.  It says the GPO not applied due to filter.  Any ideas why this may occur?  No other filters applied and it is linked directly to the OU where the systems reside.

Dave



Prevent execution of a shell command

I would like to prevent a domain user from executing a specific shell command like netsh.  Is it possible to do through group policy?  If so, how?

Thanks in advance

Configuring VPN Group Policy Access for Groups

I have a question, I was tasked with configuring user authentication through our firewall. What management wants to do is configure our Fortigate firewall to allow users to access the internal network using their LDAP user name and password.

What should happen is that a user should be able to use the Fortigate client and connect to the firewall using SSL and access the network. Access should be based on a user's membership of a particular group.

As an example: User uses VPN client to connect, if the user is not a member of a group that has access he gets denied access to the internal network, then based on membership the user receives access to resources linked to their group.

What I need to do is configure user groups to first be either approved or denied access based on group membership. Second, I need users to have access to only certain resources based on their membership.

I need to try to do this through group policies. I don't think I could do this through policies on the firewall, as there are a hundred or so groups that will need to be configured this way, and there are several hundred firewalls that will need to be configured.

GPO system.adm not there

Could anyone please help me out with the following.
I am trying to change the system.adm so I can hide specified drives for Windows 7 users.

They are in a domain and the DC is Windows Server 2008 R2.

When I follow Microsoft guides, they state that it should be in the following location:

c:\windows\sysvol\sysvol\domain\policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\adm and then system.adm

However this folder is empty.....

Can anyone point me in the right direction?

I think I know how to change the file I just need to know the correct location or if someone can tell me that I need to create or import or something else...


Andre

How to check Gpo synchro (GPT and GPC) on all 2008 R2 DCs ?

Hi,

I used to work with gpotool.exe when I was on Server 2003. It displayed the result of synchronisation between AD and Sysvol for all my DCs. The result was "Policies OK" or "Errors found" and I checked this result with Nagios.

Now I work with only Server 2008 R2 DCs and I would like to do the same.

The gpotool is not for this version, and I can't find anything with the Group Policy cmdlets, so I need help.

Regards,

Guillaume

"Internet Explorer Branding failed..." even after the GPO was deleted

Our environment is Server 2008 R2 on all servers and Windows 7 Pro 64bit on workstations. Both servers and workstations are on IE10. When running RSOP on the servers we get the following message under the User section:

"Internet Explorer Branding failed due to the error listed below. The specified procedure could not be found."

I found that a GPO still applied IE settings through Internet Explorer Maintenance. I've since created a new GPO using GPP and deleted the old GPO. The problem is that the error still appears when running RSOP.

How can I remove these old GPO settings?

Sharing folder

Dear all,

I created a shared folder, created a file in it, and gave permission to everyone, read access only. But a user who does not have access to modify the file is able to modify it, and while saving the file he gets a SAVE AS option. He is able to save to another drive. I didn't give any access to save, modify or save as. I gave only READ ONLY permission but the user is getting the save as option. Can anyone help me solve this? I created the folder on a workgroup system.

regards,

rajesh.


Error by click on "edit Default Domain Policy"

Hi

I upgraded the Domain Controllers from Windows Server 2008 R2 to Windows Server 2012. If I want to edit the Default Domain Policy after the upgrade I get the following Error:

any ideas?

thanks for replies,

Phil

Item-level targeting in GPP stop show OS "Windows 7" like target ?

Hello,

I have a server with Windows 2008 x86.

I also have a lot (around 20) of GPP policies for different goals. I love to use Item-level targeting because it's easier and faster than a WMI filter.

Suddenly last week, I copied some of the used GPOs to make new ones, and when I want to change OU or Site parameters in item-level, the GPMC gives me an error:

"

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at Microsoft.GroupPolicy.Targeting.Filters.OperatingSystemFilterControl.get_OperatingSystemEdition()
   at Microsoft.GroupPolicy.Targeting.Filters.OperatingSystemFilterControl.GetSummaryText()
   at Microsoft.GroupPolicy.Targeting.Common.GetSummaryText(BaseFilterControl filterControl, Boolean firstInCollection)
   at Microsoft.GroupPolicy.Targeting.FilterDesignerForm.Filter_FilterChanged(Object sender, EventArgs e)
   at Microsoft.GroupPolicy.Targeting.Filters.BaseFilterControl.FireFilterChanged()
   at Microsoft.GroupPolicy.Targeting.Filters.BaseFilterControl.set_OperatorIsAnd(Boolean value)
   at Microsoft.GroupPolicy.Targeting.FilterDesignerForm.SetOperatorIsAnd(Boolean operatorIsAnd, Boolean firstInCollection)
   at Microsoft.GroupPolicy.Targeting.FilterDesignerForm.RefreshPreviewPane()
   at Microsoft.GroupPolicy.Targeting.FilterDesignerForm.filtersTree_AfterSelect(Object sender, TreeViewEventArgs e)
   at System.Windows.Forms.TreeView.OnAfterSelect(TreeViewEventArgs e)
   at System.Windows.Forms.TreeView.TvnSelected(NMTREEVIEW* nmtv)
   at System.Windows.Forms.TreeView.WmNotify(Message& m)
   at System.Windows.Forms.TreeView.WndProc(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

************** Loaded Assemblies **************
mscorlib
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4241 (VistaSP2GDR.050727-4200)
    CodeBase: file:///C:/Windows/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll
----------------------------------------
Microsoft.GroupPolicy.Targeting
    Assembly Version: 2.0.0.0
    Win32 Version: 6.0.6001.18000
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.GroupPolicy.Targeting/2.0.0.0__31bf3856ad364e35/Microsoft.GroupPolicy.Targeting.dll
----------------------------------------
System.Windows.Forms
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4236 (VistaSP2GDR.050727-4200)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4235 (VistaSP2GDR.050727-4200)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Drawing
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4235 (VistaSP2GDR.050727-4200)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Xml
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4246 (VistaSP2GDR.050727-4200)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------

"

If I click Continue the form loads, but all items where "OS Windows 7" exists are blank, with no name; only the Windows flag stands in the row. If I add an "Operating system" item, there is no "Windows 7" in the drop-down list?

What happened? Is it possible that it is from some updates (.NET Framework?)

I've tested editing the GPOs with my second RODC under Windows 2008 R2 and the policies are read properly, with all item-level rules?

Please give some advice, thanks to anyone in advance!


just Topper

The configuration file Seczones.inf is not in a valid format.

Win7 and XP on the client side, Server 2k8 and 2k3 on the DC side.   Folder Redirection is working, but when using the GPMC on a 2k8 server to view GP on the clients, we get the "The configuration file Seczones.inf is not in a valid format. Use Group Policy Object Editor to reconfigure the settings in this extension" error.   Any ideas would be appreciated.

seczones.inf - invalid file format


We have  Windows 7, XP and have Windows 2008 running on our file servers and domain controllers.  We made a change to our group policy internet explorer maintenance/import URLS/ homepage.  Changes were not being applied so we ran the Group Policy Modeling Wizard and after clicking on that portion of the policy it states The configuration file Seczones.inf  is not in invalid file format. Use Group Policy Object Editor to reconfigure the settings in this extension.  We went back into the policy, changed the homepage, but no luck.  This is the only setting that is in there.  Any help would be appreciated.  Thanks.

Changing password complexity on AD

Hi,

We are on Windows 2003 AD and at the moment we need to up the complexity of the passwords. We have around 400 users and the issue I have is I am worried that once I change this, all users including service accounts will be informed all at the same time that their passwords are not complex enough.

Will this come into effect the next time they are due to change passwords or from the moment I put the policy in place forcing password changes?

Thanks Tim

Screen Lockout Policy

I setup a screen lockout policy in Server 2012 as follows:

User Configuration\Policies\Administrative Templates\Control Panel\Personalization\

Enable screen saver = Enabled

Password protect the screen saver = Enabled

Screen saver timeout = Enabled

Number of seconds to wait to enable the screen saver = 300 Seconds

Force specific screen saver = Enabled

Screen saver executable name = X:\Screensaver\scrnsave

The problem is, some computers, including mine, which already had a screen saver set for a time, are still going by the original time.

So I originally had mine set for 60 seconds.  After the group policy, I can't change my screen saver settings, it even says 5 minutes.  But it turns on after 60 seconds.  

Any ideas on how to resolve this?

Thanks

Windows 2003 Server Std SP2 losing OU identity

So this is pretty random...

I have several 2003 servers located in an OU (servers) that I made just for them that is located right off the domain. I have Block Inheritance checked. They have their own GPO linked to that OU which works fine except when the servers randomly decide that the OU and GPO I created for them isn't good enough. They are still in the OU I created but a gpresult shows that the Applied Group Policy Object (under Computer Settings) is no longer the one I created. It's the domain/site. I then move them out of the OU I created to some other random OU, then move them back to the OU I created for the servers. Gpresult shows they are in the correct OU and the applied policy is the correct one, until the process repeats itself some other day. I have made sure that there are no GPOs with enforced checked above the policy on my trouble OU which has Block Inheritance checked. This doesn't happen with a reboot. There's no set schedule as to when this happens. Sometimes it will happen in 4 hours. Sometimes it takes a month. Event Viewer is not sending up any red flags. The only thing I'm not sure of is Local Domain Policy (which I don't need to tweak in this instance) is also listed as an applied policy. Could that be the issue?



My Documents folder redirection to a UNC causes issues with files if the UNC needs to change.

Greetings.

My IT shop redirects the My Documents, My Pictures, My Videos, and My Music to our users' home directories. In the past we did this through the %HOMESHARE%%HOMEPATH% variable, where the GPO created a My Documents folder in the root of the home directory, and we configured the GPO to store the other three folders inside the My Documents folder.

The problem we ran into recently was when we wanted to move the user home directories to a new server and share, all of the recent documents on the user workstations referenced those files through the UNC path of the %HOMESHARE%%HOMEPATH% folders, which caused us to have to write scripts to go into the registry and modify the path of the recent documents and other files to reflect the new home directory path UNC. This seemed to apply to any file stored in the "My Documents" feature of Windows, including Outlook Archive.PST files which Outlook thinks are stored in a UNC path.

We experimented with the GPO setting "Redirect to the user's home directory" hoping it would start referencing the H: drive as this is their defined home directory drive, but instead the GPO still references the UNC path, and this time user workstations switched to using the root of the home directory as the My Documents folder versus using the pre-existing My Documents folder in the home directory. I.E. The My Documents folder became the UNC version of H:\ versus the former UNC version of H:\My Documents.

We looked at trying to specify in the GPO the "H:\My Documents" folder as the redirection point, but the GPO editor warns against not using a UNC path, so we didn't try to force it.

So the question is - how can we get the folder redirection to use the user's home directory drive letter and not a UNC path, so we can later on move the home directory without breaking all of the user workstation recent documents and other files stored in the My Documents path because they reference a UNC and not a drive letter?

As a side note, the folder redirection shows the user the UNC path when they open the My Documents folder, and we would really prefer it just say H:\My Documents to avoid confusion.

Windows Firewall - Turn on "Use recommended settings" from GPO

Hopefully there is GPO config already built for this :

I want to turn on "Use recommended settings" in Firewall Settings and deploy it through GPO.

Can anyone help??

Thank you in advance...

Here is a picture http://wonrhee.wordpress.com/2013/08/14/capture-png/  

(sorry, can't embed links or pictures until verifying account but outlook.com is down)

GPP Drive Map Policy - Problem (Win8 RP/Server 2012)

Hi everyone,

I've got a little problem with GPP drive mapping and Win8 / 2012.

On Windows7 / Server 2008 R2 everything is working for every user. On Win8 / 2012 RC the drive mapping is only (visibly) working for non-administrative users.

So I enabled GPP Logging and reviewed the logfiles and the eventlog, which is the same for every OS and User:

Windows 2008 R2
2012-06-04 11:20:05.924 [pid=0x368,tid=0xb0c] EVENT : The user 'N:' preference item in the 'Global_UserLogon {C1C638C5-8E14-4DD4-96BF-B35013009E9B}' Group Policy object applied successfully.

Windows 8
2012-06-04 10:48:47.760 [pid=0x37c,tid=0xef0] EVENT : The user 'N:' preference item in the 'Global_UserLogon {C1C638C5-8E14-4DD4-96BF-B35013009E9B}' Group Policy Object applied successfully.

  • I tried to enable EnableLinkedConnections for the machines (just to make sure, even if it does not really apply to my current problem).
  • "Always wait for the network at computer startup and logon" is enabled

Long story short:
Windows7/2008 : GPP drive mapping is working for everyone
Windows8 RP/2012 RC: GPP drive mapping is working for every user (according to the logs) but the drives only show for non-admin users.

Any ideas? Known Problem for Win8/2012?

cheers Flip

group policy help!

Hi all,

windows 2008 DCs
 
We have users which have roaming profiles configured in AD
user profile path
We have specific GPOs which apply to terminal servers OU
with restrict settings and enabled loopback processing
with replace mode.

Will users with roaming profiles experience slow logon time
when they access terminal servers?

Thank you.

 

 

Group Policy - Running batch script with an administrative command line

Hi All

I am trying to run a batch script via Group Policy that does the following

  1. net stop wuauserv
  2. rename c:\windows\SoftwareDistribution softwaredistribution.xxx
  3. net start wuauserv

Steps 1 and 3 work fine but on Step 2 I get an Access Denied message when the policy is executed. The same happens when I run the batch file manually.

When I manually run the batch file, with an elevated command line, it works.

Is there a way I could execute an elevated command line through the GPO?

Thanks

Ivan

