Channel: Group Policy forum

Server 2012 Applocker Script blocking not working correctly

I'm currently experiencing issues trying to apply an AppLocker script blocking policy.

I am using a Windows 2012 domain controller and trying to apply this to a Windows 7 Hyper-V VM to test before applying to our live environment.

My goal is to block *.bat files running on the users' desktops and home drives.

I have done the following:

Made sure the Application Identity service is running on server and client.

Configured the policy - to test I've set a deny policy on my test account and directed it to block the folder I want it to block, and I have tried leaving the * at the end to block scripts in the whole folder as well as adding .bat to the start to set a wildcard.

I've then enforced the policy.

When I apply this to a test folder it's appearing to block all .bat files from running outside of the folder without the usual AppLocker message stating it's been blocked by the system administrator.

When I attempt to run a .bat file, cmd will pop up briefly and then go again.

Any thoughts as to what I'm doing wrong to not generate the usual AppLocker message? Has anyone used AppLocker to block scripts before, as there's a real dearth of information on the net for blocking bat files using AppLocker.
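
One way to check, on the Windows 7 test client, which rule decides the outcome for a given .bat file and whether the Script rule collection is logging blocks. This is an added example, not part of the original post; the file path and account name are placeholders.

```powershell
# Added diagnostic example. $TestFile and $TestUser are placeholders, not values from the post.
Import-Module AppLocker          # required on PowerShell 2.0 (Windows 7)

$TestFile = 'C:\Users\testuser\Desktop\test.bat'
$TestUser = 'EXAMPLE\testuser'

# 1. AppLocker only evaluates rules while the Application Identity service is running.
Get-Service -Name AppIDSvc | Select-Object Name, Status

# 2. Dump the Script rule collection from the effective (local + GPO merged) policy.
[xml]$xml = Get-AppLockerPolicy -Effective -Xml
$scriptRules = $xml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Script' }
"Script collection enforcement mode: $($scriptRules.EnforcementMode)"
$scriptRules.FilePathRule | Where-Object { $_ } | ForEach-Object {
    '{0,-6} {1}  [{2}]' -f $_.Action, $_.Conditions.FilePathCondition.Path, $_.Name
}

# 3. Ask AppLocker what it would decide for this file and user, and which rule matched.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $TestFile -User $TestUser |
    Format-List FilePath, PolicyDecision, MatchingRule

# 4. Read the script-rule events: 8005 = allowed, 8006 = would be blocked (audit only),
#    8007 = blocked.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/MSI and Script' -MaxEvents 50 |
    Where-Object { 8005, 8006, 8007 -contains $_.Id } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

A `PolicyDecision` of `DeniedByDefault` means no allow rule matched the file, which is a different outcome from `Denied`, where an explicit deny rule matched.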


Adding site to Local Intranet sites zone via GPO

Hello,

We need to add a URL to our Local Intranet sites zone for all users. Where can I do this in a GPO?

Thanks

Unable to Configure Automatic Certificate Request for Domain Controllers

Hi guys, 

I want to set up the LDAPS connection for a Windows Domain Controller.

To configure Automatic Certificate Request for Domain Controllers, below is the location I need to set up for the auto-enrolment of Domain Controllers:

Group Policy > Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Automatic Certificate Request Settings

But I couldn't find the "Automatic Certificate Request Settings" option in my group policy. Can anyone guide me to set up the automatic certificate request for domain controllers?

I'm using Windows Server 2008 R2.

Hope someone can help me on this.

Thanks.


Group policy does not apply correctly on Win XP PC on a 2008R2 Domain

Hi,

I have a user for whom the policy does not apply correctly when logging in to a specific PC from another child domain.

When the user tried to log in to another XP PC from the same domain, the policy works fine. Both PCs are in the same OU. In the event log we get Event ID: 1202, Source: SceCli, Security policies were propagated with warning, 0x4b8.

On the DC the policy results show correctly; more precisely, we want to remove Run from the Start menu.

Tried to delete registry entries, removed the PC from the domain, deleted the user settings, but still same error.

Thanks in advance



Default behaviour when shutdown button is pressed

Hi,

I have several Windows 2003 servers in a 2003 Active Directory. I need that when a user is logged in through Remote Desktop to any server, and he presses Start, ShutDown, the default action will be log off instead of ShutDown.

I have found that this can be achieved by changing the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown Setting from 0 (default - Shutdown) to 1 (Log Off). But the GPO policy setting to do this is not available in Windows 2003, only 2008 and above. So I need to write an adm template to set this value as I need.

But I don't know how. I have tried this code, but the only thing that appears is the folder ShutDown Action at the left of the screen, but no value to change:

CLASS USER
CATEGORY "ShutDown Action"
    POLICY "Default Action"
        PART "defaultaction" DROPDOWNLIST
            KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\"
            VALUENAME "ShutDown Setting"
            ITEMLIST
                NAME "Shutdown" VALUE NUMERIC 0
                NAME "Logoff" VALUE NUMERIC 1
            END ITEMLIST
        END PART
    END POLICY
END CATEGORY

Could you help me to write a valid adm template able to achieve what I need?

Thanks

Printer remove and re-map GPO scenario (currently not working)

Hi world,

My company is re-locating to a new building and therefore we are renaming our printers. I am also taking the opportunity to name them more correctly and have all the Group Policies running properly.

The issue is that the current Group Policies won't automatically remove themselves because we are keeping the same IP ranges and so I am having to run a script to remove all currently mapped printers before mapping the new ones, however only the removal script is running, the new printers are not mapping. Details:

The removal of printers is via a logon script (VBS) and this GPO is ENFORCED to ensure it runs first. This GPO/script is running and printer mappings are removed. THEN, the new printers are supposed to be mapped using user preference GPOs and filtered using IP range Item Level Targeting to ensure only printers on the user's floor are mapped. This GPO is currently applied last and has about 15 other GPOs applied before it.

This GPO to map the new printers IS NOT working. Group Policy results wizard shows that both of these policies are the winning GPOs for their respective categories and are applied, however printers do not appear mapped.

If after logon, I do a manual gpupdate command, the printers map as you would expect so the group policy does work, it just refuses to map printers in the same process as removing printers.

Can anyone help here? I MUST remove old printer mappings then map the new printers on day 1 after our office move.

Thanks.

Windows 7 and Windows Server 2012 Essentials Group Policy Problem

Greetings everyone,

I'm in the process of deploying a Windows 2012 Essentials server and all my clients are Windows 7 machines. I've got them all connected to the domain no problem, but for some reason which I cannot find out, when I'm trying to deploy apps, say 7-Zip for example or the Firefox.msi edition, on the computer level to the authenticated users (there will be 7, but I'm only working on one machine right now), nothing goes through. I've tried everything I can think of, including double-checking everything against the following pages:

http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part1.html

and

http://technet.microsoft.com/en-us/library/cc732979.aspx

I thought it might have been because when I looked up the users in AD they were listed as Domain Users so I added them to the Security Filtering in the Scope of the GPO.

I cannot for the life of me get it to take. I've been working with a 2003 Server and have never had this much trouble. I even checked YouTube for videos; all of them mirror what I'm doing successfully. This is a brand new machine, literally out of the box, with a clean install of Windows 7 Pro on it.

Can anyone offer some insight?

Cannot import backed up GPO in a new domain

Hey Guys,

For a specific project we had to create a brand new domain, completely isolated from our main corporate domain.
Due to security requirements, I have to apply to this 2nd domain the same domain policy as in the 1st domain.

This domain policy is defined in a GPO and I'd like to transfer this GPO to the new domain.
There's no relation between these domains as they are completely separated.

I used GPMC to backup the GPO from the 1st domain.
Copied the backed up folder to the DC in my 2nd domain.
Used GPMC in my 2nd domain and tried to import the GPO from the backup folder.

Whatever I do I always get a "No backup found" error message.
Even when I try to go via "Manage Backup" and pointing to the backup folder, I still get the same message.

The 1st domain is in functional level Win Server 2003 and the new one is 2012.

Any idea how I can transfer the GPO to this new domain?

I've already read the TechNet and MSDN articles about it, but it doesn't work for me.

Thanks in advance


desktop wallpaper and default home page for internet explorer

Dear mates,

I have Windows Server 2008 R2 Active Directory in my organization.

Now I need to apply a desktop wallpaper for all the users who log in to AD.

I also want to set a default home page in Internet Explorer, which is my organization's internal webpage.

So kindly help me with how I can do that through Group Policy.

I have only the default group policy.

Thanks in advance


istiaq

GPO Wallpaper and Local Script

Dear All,

I have a question about the below.

All my clients are using the same wallpaper by way of a local logon script. Nowadays I have to change the wallpaper, and I found that I can do it from Group Policy, so please correct me:

- Create a GPO named wallper

- Enable Desktop Wallpaper from "User Setting-> Policy -> Administrative Temp -> Desktop"

- Also enable Prevent Changing Desktop Background from "User Setting-> Policy -> Administrative Temp -> Control Panel -> Personalization"


My question:

Does Group Policy have more power than local logon scripts, so there is no need to remove the local scripts?

Note:

If there is another way, please advise.


Omar A. G. Dweik Senior System Engineer Qatar - Doha


Server 2012 Essentials - Implement Group Policy Wizard fails

Hey all,

I would like to implement Group Policy on my Server 2012 Essentials server.

When I select the wizard in the dashboard I get the following:

Group Policy Configuration Did Not Succeed

Group policy configuration encountered an error. Restart the wizard and try again.

* Folder Redirection

* Security setting that impact the following:

Windows Update

Windows Defender

Network Firewall

Not sure where to begin to troubleshoot this issue.  Any help is greatly appreciated!

Thanks,

James

How do I configure a user account to have ‘logon as a service’ permissions?

How do I configure a user account to have ‘logon as a service’ permissions?

This is for CRM application use and I need to enable the permission via GPO.


Microsoft TechNet Forum Bandara

Powershell command help

Hi, I have a PowerShell startup script in a GPO for Computers that reads like this:

Start-Process "\\myfileserver\sys02\SoftwareDeployedbyGPO\Office2013LyncClient\setup.exe" -ArgumentList "/adminfile", "Updates/Lync2013.MSP"

This script works when I ran it manually. My question is: if I have this in a GPO for computer startup, won't Lync 2013 try to install at every startup? What can I add to the script so it looks to see if it is installed and, if it is, to end and do nothing? I am not a PowerShell guru so I hope this is a really easy one for you :-) Please note most PCs still run either Office 2007 or 2010, so my msp is to just install Lync 2013, and as I said it does work when executed manually.

Thanks in advance!
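
One way to make such a startup script install only when the product is absent, by checking the Uninstall registry keys before launching setup. This is an added example, not part of the original post; the `DisplayName` pattern is an assumption, and the hypothetical helper `Test-ProductInstalled` is defined here.

```powershell
# Added example: computer startup script that skips the install when the product is present.
# $DisplayNamePattern is an ASSUMPTION; confirm the exact DisplayName on a machine where
# the manual install has already been run.
$DisplayNamePattern = 'Microsoft Lync*2013*'

# Installer path and arguments as given in the post.
$Setup     = '\\myfileserver\sys02\SoftwareDeployedbyGPO\Office2013LyncClient\setup.exe'
$SetupArgs = '/adminfile', 'Updates/Lync2013.MSP'

# Installed products register here; 32-bit products on 64-bit Windows use Wow6432Node.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-ProductInstalled([string]$Pattern) {
    # Returns $true when any Uninstall entry has a DisplayName matching the pattern.
    $hit = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $Pattern } |
        Select-Object -First 1
    return [bool]$hit
}

if (Test-ProductInstalled $DisplayNamePattern) {
    exit 0      # already installed: do nothing on this boot
}

if (-not (Test-Path -LiteralPath $Setup)) {
    Write-Error "Installer not reachable: $Setup"
    exit 1
}

# -Wait keeps the startup script alive until setup finishes; the exit code is passed on.
$proc = Start-Process -FilePath $Setup -ArgumentList $SetupArgs -Wait -PassThru
exit $proc.ExitCode
```

Computer startup scripts run as the local SYSTEM account and reach the share as the computer account, so the installer share should be readable by the domain computers and writable only by administrators.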

BUG: Group Policy Preferences - Scheduled Tasks

Hi,

Given this is reproducible in our environment, I'm going to go out on a limb and say the following is a bug. I'll include the steps below, but in a nutshell, we are finding policy objects populated with more than one Vista or later scheduled task are corrupting the policy file through the addition of duplicate entries.

I'll keep the following detail section short, because, well, it's just past 6pm on Friday, and I just want to get out of here.

Steps:

1. Open GPMC on either a Windows 7 machine or R2 domain controller (tried both just to rule the other out),
2. Create a new policy,
3. Disable the user settings,
4. Edit the policy object,
5. Expand Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks
6. Select New > Scheduled Tasks (Windows Vista or later),
7. General tab: Fill in the Name, Action = Replace, account name, password, "run whether user is logged on or not" option selected, "run with the highest privileges",
8. Triggers tab: Enter any "One time" time schedule that takes your fancy,
9. Actions tab: Enter any action you feel is appropriate - it makes no difference,
10. Conditions tab: Check the Wake the computer to run this task option,
11. Settings tab: Just skip it,
12. Common tab: Check the "Remove this item when no longer used" option, check the "Item-level targeting" option,
13. Common tab: Select the Targeting button, New Item: Computer, Computer Name = whatever you have handy to test on, Netbios radio button selected,
14. Ok button, and Ok button again to get back out to the main editing window,
15. Repeat steps 6 through to 14 to add a second scheduled task,
16. Close the policy editor so that you're now back out at the main GPMC screen.

You should end up with something resembling the following: http://public.bay.livefilestore.com/y1pOnr0-qf0ihv2gX4xiFowTC4hbxQY0y1LakHuPVRDd_DQ6WSKg7vuk_kOTJt_RliD7Kjc31p2oUJMh5B3H4G4Dw/gpmc_EditorScheduledTasks.PNG

Okay, so, what I'm seeing from this point on is as follows:
1. If you immediately inspect the Settings of this policy, instead of seeing correct ordering, you will see a duplicate of the first entry,
(http://public.bay.livefilestore.com/y1pRnNyvWKAZUeGihhBhJzaWlscin-L4gcQnCXHA-vEp5amlR1wgbJevvYpl7Mkomj1uVLAYqMO87RhOWkHuDIq-A/gpmc_SettingsDuplicates.png)
2. If you check the target computer, the correct number of entries appear in Task Scheduler,
(http://7mgp6a.bay.livefilestore.com/y1peSCvQExf6JhdDVW-pcq89zMYrrpVPhY-9r37vUD-94i42zV4w9p-O9KkMyPS8oQbTGM3jlvZYhRT9c_nMiRLO9h5xrVwTIey/gpmc_ClientTaskScheduler.PNG)
3. If you use GPMC to generate a resultant set of policy (under the Group Policy Results node) for that computer minus the user settings, you will get the following error:

An error occurred while generating report:
Index was out of range. Must be non-negative and less than the size of the collection. Parameter name: index
(http://7mgp6a.bay.livefilestore.com/y1pvjanolUi28OGoOTbY_58hpyi3_8k6Nvpu8CzBod0-3P3ATaGpwEU_ISuxE9l91YwAiUvxVGDr4McQlkydYu7YbdGFySJYjeb/gpmc_GPMCError.PNG)

Is this significant? I don't know, but I do know it sure as nuts shouldn't be happening. The nett result is you can't audit that machine if required, and that's just not very useful.

Cheers,
Lain

removable storages Blocking

Hi,
In my organization we are blocking USB storage drives (pen drives, external HDDs, memory cards) through antivirus, but safe mode is not blocked: users log in to safe mode and copy data.

I am trying to block USB through Group Policy but it is not working.

Please advise how to control pen drive blocking. I need to block some users not enter domain. Computers policy are Users policy.

Server: Windows 2008; user systems are running Windows 7 OS.



Some questions about "how to deploy the msp package via GPO"

I can successfully deploy the msp package via GPO on Win7 OS, but it fails on Vista OS. Please give me some suggestions. Thanks a lot.

Disable USB Storage

We're running SBS 2011 and I'd like to create a GPO that disables USB storage on all of our workstations (all but two are Windows 7, the other two are XP). Is the easiest way to do this with a script or disabling it under Group Policy Management? Along with that, how easy is it to temporarily disable it for a user that may need to copy things to a flash drive? Our users are not local admins, so if they need to copy to a flash drive can it just require an admin username/password to allow it?

Thanks.

Issue deploying software using GPO

Hi,

In our environment, while we are deploying software (a 22 MB MSI package) using the GPO method, we are getting two issues:

1. The software is getting installed to the desktop (specifically Win 7 64-bit) but the settings are not getting registered in the system registry.

2. It is showing in the list of applied policies when viewing gpresult, but the actual software is not found on the system.

Also, can anyone please help: is there any time duration for a GPO to be applied on a client?

Desktop folder will not redirect

I have a Windows 7 user who I added to the OU for folder redirection. The GPO is set to redirect the Desktop, My Documents, and Favorites.

Favorites and My Documents redirected just fine. The folders were created on the server and the files copied to them and they no longer exist on the laptop.

The Desktop is another story. A folder was created in the server share and the desktop files copied to it. But on his laptop the Desktop folder still exists. I have tried everything I can think of to get it to work right but to no avail. If I create a test folder or document on his laptop desktop it does not appear in the server folder....until he logs off and back in. Then any changes are copied to the server.

I even looked in the registry and found the location where it shows the folders are pointed to. Favorites and Documents (actually Personal in the registry) are pointed to the UNC path on the server. Desktop is still pointed to %USERPROFILE%\Desktop. I tried changing that one entry but that didn't help.

Anyone ever see this or know what to do? I have spent hours trying to get this to work. I've done several folder redirections before and never ran into anything like this.

Any help would be appreciated.


Jonathan

Group Policy to allow users to resolve conflicts on offline files

Hi,
for our highly managed users we have disabled configuration of offline files. However, we want them to be able to solve conflicts. Currently this is not possible.

These group policies are applied as user policies:
- Prohibit user configuration of Offline Files
- Remove ‘Make Available Offline’
- Prevent use of Offline Files folder

It seems that one of these or maybe some other policy also prohibits opening the synchronisation center by double clicking the synchronisation symbol. I could figure out which one it is. Could anyone help me on this? I'd like to restrict users ability to configure offline files as much as possible. However, it would be good if they could resolve conflicts if needed. AFAIK, no one can do it for them.

Regards,
Oliver
