Channel: Group Policy forum

Office 2010 Default File location manual override


Hi,

I've set the "Default File Location" setting in Administrative templates for Word 2010 in order to change the default Save/Open location for all users. The setting is found here:

User Config/Policies/Administrative Templates/Microsoft Word 2010/Word Options/Advanced/File Locations

Everything works fine until a user tries to override this setting manually in the options of Word. The issue is that the manual setting that the user sets does not stick. The path set in the group policy setting above overrides the user's setting.

My question is, can the Default File Location setting be set initially via GPO but be then overwritten if the user wishes?

Thanks in advance. 


GPO Folder redirection issue


Hi,

I have delegated administrator rights in an OU of an Active Directory, and I am experiencing a very rare issue.

We apply some GPOs to the OU, which has some servers inside. The users are in another OU, so in all GPOs applied to the OU where those servers are, we have activated loopback processing in Substitute mode, so the user part of those policies applies to every user who logs into one of those servers.

In the user part of one of those GPOs, we define a user environment variable, Homeshare2, with the path to a server share, like this: Homeshare2 = "\\server1\share$\%username%"

In the shared folder of server1, the share has read/write control permissions for the group Domain Users, and the NTFS permissions have the full control permissions for Domain Users too.

Finally, the GPO user part has a folder redirection policy, which has the following configuration for documents folder:

Basic: redirect everyone's folder to the same location

Redirect to the following location: %HOMESHARE2%\Documents

With this config, when a user logs into one server, the documents are not redirected. An event is logged in Event Viewer saying 'Windows cannot apply folder redirection config'. If I run a gpresult command locally, it says Folder redirection n/a, and if I try to execute a result group policy for the user from the GPMC console, I get a 'Not valid pointer' error.

This folder redirection worked perfectly last week. We have been making some tests to achieve mandatory profiles, and it has stopped working. Now, we have no mandatory profiles configured, and it still doesn't work. I don't have more ideas to investigate why this is happening and how to solve it.

Need help.

Just a test that I have done a minute ago.

I go to server1\share$

I delete the folder User1 and everything inside.

I log into server with user1.

In the server1\share$, a folder named user1 is created. The local path to share$ is D:\share. The NTFS permissions of that folder are:

user1: full control, just this folder, inherited from D:\Share

Domain users: full control, this folder, subfolders and files, inherited from D:\Share

Administrators: full control, this folder, subfolders and files, inherited from D:\Share

Inside \\server1\share$\user1, no Documents folder is created, as it should be as configured in GPO. But from the server, the user1 connects to the folder and he can create folders inside.

So I guess it is a permission problem, but I can't imagine which: apparently, the permissions are correctly configured.

How can I make IE the default browser so that nobody can change it to another browser


Hi

I need to make IE the default browser on Windows 7 machines in my domain. Also, no user should be able to change the default browser to another browser like Firefox and Chrome.

How can I achieve it? Please suggest.

Allow anonymous SID/Name translation - Setting via registry instead of the Local Security Policy (or GPO)


I have a Windows 2008 R2 server and I am building a script to set a bunch of security settings via the registry.

I am stuck on one.

I am trying to set: Network Access - Allow anonymous SID/Name translation to 'Disabled' via the registry, I know this can be done through the local security policy or via a GPO but that is not what I am interested in. I want to do it making changes to the registry.

I found some people saying this can be done at:

HKLM\System\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock

However, when I browse to the registry this TurnOffAnonymousBlock registry key does not exist. Even if I set the policy to enabled or disabled manually in the local security policy. The key doesn't exist. This leads me to believe this is not the correct registry key that controls this setting.

Can anyone shed light on what the appropriate key is in the registry?

How to move PC to specific OU when joining domain


Hi,

We are setting up a VMware View installation. All I want is a way to automatically move VMs that have been newly joined to the domain to a particular OU. I heard from someone that you can use Group Policy, but I can't figure out how.

My thinking is you would create a GPO with a WMI filter based on the machine's hostname. You then configure the GPO to do something to all machines that are found by the filter.

What do you get it to do?  Do you tell it to run a startup script that will execute redircmp?  The thing I don't like about that is it will do it each time the machine restarts.  Is there a "runonce" GPO setting?

Please help,

Thanks,

Charles

Applocker: Get-AppLockerFileInformation for saved event log


Hi

How do I run this for a saved/archived eventlog?

Command:

Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited

PSRemoting not enabled for this environment.

Thanks

Andrew

User unable to change password - Active Directory Group Policy


Hi all,

I've seen this issue come up, but no answers seem to be applicable.

When a user tries to change their password using control-alt-delete -> change password, they're getting a "Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain." We've even tried extremely long complex strings as tests, which also generates the error message.

In AD U&C, I can force the account password to be changed on next logon, which works successfully. 

The applicable security setting is applied at the domain level in the Default Domain Policy GPO.  When I view the RSOP on one of the workstations, I can see the settings below (which are consistent with the GPO):

Enforce Password History: 2 passwords remembered

Maximum Age: 120 days

Minimum password age: 0 days

Minimum Length: 6 characters

Password must meet complexity requirements: disabled

Store passwords using reversible encryption: disabled

I've run a dcdiag against our DCs. They pass all tests. Any suggestions on why this problem might be occurring, or how to remedy it?

Thanks!

"There is no software installation data object in the Active Directory" when creating software installation GPO

I'm on a 2008 R2 domain. I've done many successful software rollouts using GPO in the past. Currently, when I create a GPO, add a package and choose Assign, it comes back with the error "There is no software installation data object in the active directory." Software Installation event IDs 103 and 104 are logged in the application log. I can't find much information about this error anywhere. I've double and triple-checked my permissions on the network share containing the installation package. Any ideas would be appreciated.

Help with Removable Storage Access limits


Hi Crowd,

I'm having a problem with group policy that's been driving me nuts for about a month now.

I need to limit write access to removable media. 

Due to the layout of our network, I have multiple sites. Site A has computers that are connected to the internet, site B has computers that are not connected to the internet. Each site has a DC. I'm focusing on Site A for now.

I created two group policies:

"Removable Read Only" has all "Deny write access" group policy objects ENABLED.

"Removable Read and Write" has all "Deny write access" group policy objects DISABLED.

I have created an OU (let's call it "A Computers"), and added Site A's computers to it. I linked the two group policies I created to the "A Computers" OU. I set the scope on "Removable Read" to "Authenticated Users". I set the scope on "Removable Read and Write" to the "Transfer Agents" group.

Now when I log in to a workstation and run GPresult /v as one of the transfer agent users, it is reporting that the policies were applied, but it is not letting me write to media. (I'm testing with USB flash drives.)

Upon further investigation, gpresult reports that the "Removable Read and Write" policy has Deny_Write ENABLED!

What am I missing? I honestly could have sworn this was working one day, and not the next. I tested so many different combinations of group policies, and this one seemed to work, then stop.

Someone please help me before I lose the rest of my hair!

Thanks!!

Group Policy


I want to apply the group policy for a specific time duration only: between 10:00 AM and 6:30 AM.

Windows 7 Input Languages


Hello,

I am deploying Windows 7 SP1 for the company and noticed that we have several staff (non-admin) who use multiple languages (Japanese, Chinese (Traditional, Simplified), Czech, French, Italian and so on).

I have downloaded IME packages for the languages (Japanese, Chinese, Korean), which is fine, and I was planning to use "reg ADD" in the logon script for the rest of the languages. I tested the script with the staff permissions, though it didn't allow me to do it; I was using /S switches (I hear the error sound while logging onto the computer; please see Event ID 1530 below). I tested with admin privileges and it works OK, though since I am updating the registry, the settings take effect on the next logon (I need to log out and log back in to see those input languages appear in the bar).

Event ID: 1530 Warning

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.  

For the company's security reasons, I can't even assign them to the local Administrators group, and the workplace is quite busy and the users use computers at many locations.

I have been searching for this over the internet, though all I could find is to create/update the registry via regedit (HKCU\Keyboard Layout\Preload), which requires 'admin privilege' and a log out to take effect, which is not feasible at all.

Is there any better way (no user action required, no log out/back in required, no admin rights required)? 

Thanks in advance,

EXE to MSI for use with GPO deploy


Hi guys, just a quick one. I'm having some issues finding a converter for EXE to MSI files, a free one anyway, as I don't plan on doing this too often. The program in question is a LIVE PERSON chat application so our agents can talk to customers on the website regarding issues with policies or whatever without them having to phone up.

What would be the best way to go about doing this across 150 PCs in our domain?

Any help would be greatly appreciated.

Thanks

Greg.

Configuring Server Updates Question


Our WS 2008 systems are required to be patched manually.  However, to save time, we would like to schedule a particular time for them to be automatically downloaded - ideally, a time when traffic is low.  

  • The option Auto download and notify for install would work if it had an option to schedule when updates were downloaded.
  • The option Auto download and schedule the install will automatically install the updates at the selected time, which would not work either since they have to be patched manually.

Is there perhaps a PowerShell script or another method that can be used to accomplish these tasks?

On a side note, for the second option, what might cause the time selection to be faded out and unavailable to alter (set to 3:00AM by default)?

-NuxCase

Group policy preferences - Registry.


Hello guys! Short question. Should I reboot my server to apply Registry settings?

I've set some but I don't want to reboot servers to apply these settings.

Thank you!

How to create policy that allow a single user to have multiple proxy settings


Here is the scenario:

We have 3 sites (data centers) in the parent domain. The members (developers and engineers) of this domain need to access the machines in each data center and they need to get out to the Internet (for the meantime) so they can download the things they need.

Problem: As we know, the proxy configuration is under "User Configuration" of the Group Policy. Having the same instance of the user object in a different OU is not allowed. How can I configure AD so that when a user accesses Site A, he/she will use the proxy on Site A, and when he/she goes to a machine in Site B, he/she will use the proxy on Site B?

AD structure:

 

Parentdomain.com

---- Site A OU

--------Site A Machine OU

---- Site B

--------Site B Machine OU

---- Site C

--------Site C Machine OU

Note: I already have in mind using a script to run on the "Computer Configuration"; is there any other way besides using this method?

Thank you in advance.

 

 


What is the disadvantage and advantage of store password using reversible encryption for all users in the Domain policy?

What is the disadvantage and advantage of store password using reversible encryption for all users in the Domain policy?

Enforce IE to be the default browser & Disable all browsers except IE


Hi,

I have the following requirements, please suggest.


1 - enforce IE to be the default browser 
2 - Disable all browsers except IE
3 - Set recommended IE security settings through group policy 

Regards,

Maqsood


Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified


Mapped network drive available offline even after restarting PC without network connection From group policy server 2008 R2


Can anyone tell me how to make a network (mapped) drive available offline even after restarting the PC without a network connection, from Group Policy? I have Microsoft Server 2008 R2 installed on my server.

Please let me know the solution.

Server 2003 Group Policy Object question


Based on server 2003 group policy objects, can I make more than one folder at a time available offline? And if so, what GPO settings do I need to make to do that. The client machine is Win 7, and I need to make 4 different folders available offline, if that's possible. If my question sounds funny, it's because I'm just beginning to learn server 2003, and 2008.

Thanks


Item-level targeting in GPP stop show OS "Windows 7" like target ?


Hello,

I have a server with Windows 2008 x86.

I also have a lot (around 20) of GPP policies for different goals. I love to use item-level targeting because it's easier and faster than a WMI filter.

Suddenly last week I copied some of the used GPOs to make new ones, and when I want to change OU or Site parameters in item-level targeting, the GPMC gives me an error:

"

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at Microsoft.GroupPolicy.Targeting.Filters.OperatingSystemFilterControl.get_OperatingSystemEdition()
   at Microsoft.GroupPolicy.Targeting.Filters.OperatingSystemFilterControl.GetSummaryText()
   at Microsoft.GroupPolicy.Targeting.Common.GetSummaryText(BaseFilterControl filterControl, Boolean firstInCollection)
   at Microsoft.GroupPolicy.Targeting.FilterDesignerForm.Filter_FilterChanged(Object sender, EventArgs e)
   at Microsoft.GroupPolicy.Targeting.Filters.BaseFilterControl.FireFilterChanged()
   at Microsoft.GroupPolicy.Targeting.Filters.BaseFilterControl.set_OperatorIsAnd(Boolean value)
   at Microsoft.GroupPolicy.Targeting.FilterDesignerForm.SetOperatorIsAnd(Boolean operatorIsAnd, Boolean firstInCollection)
   at Microsoft.GroupPolicy.Targeting.FilterDesignerForm.RefreshPreviewPane()
   at Microsoft.GroupPolicy.Targeting.FilterDesignerForm.filtersTree_AfterSelect(Object sender, TreeViewEventArgs e)
   at System.Windows.Forms.TreeView.OnAfterSelect(TreeViewEventArgs e)
   at System.Windows.Forms.TreeView.TvnSelected(NMTREEVIEW* nmtv)
   at System.Windows.Forms.TreeView.WmNotify(Message& m)
   at System.Windows.Forms.TreeView.WndProc(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

************** Loaded Assemblies **************
mscorlib
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4241 (VistaSP2GDR.050727-4200)
    CodeBase: file:///C:/Windows/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll
----------------------------------------
Microsoft.GroupPolicy.Targeting
    Assembly Version: 2.0.0.0
    Win32 Version: 6.0.6001.18000
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.GroupPolicy.Targeting/2.0.0.0__31bf3856ad364e35/Microsoft.GroupPolicy.Targeting.dll
----------------------------------------
System.Windows.Forms
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4236 (VistaSP2GDR.050727-4200)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4235 (VistaSP2GDR.050727-4200)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Drawing
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4235 (VistaSP2GDR.050727-4200)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Xml
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4246 (VistaSP2GDR.050727-4200)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------

"

If I click Continue, the form loads, but all items where "OS Windows 7" exists are blank, with no name; only the Windows flag stands in the row. If I add an "Operating system" item, there is no "Windows 7" in the drop-down list.

What happened? Is it possible that it is from some updates (.NET Framework)?

I've tested editing the GPOs with my second RODC under Windows 2008 R2, and the policies are read properly, with all item-level rules.

Please give some advice; thanks to anyone in advance!


just Topper
