Channel: Group Policy forum

Problem Windows 8 logon script not working from windows server 2008 R2


Hi there, this is my third post regarding this problem. Here is how my problem goes:

It is a very simple logon script for mapping drives. Please take note: domain users using Windows XP / Windows Vista / Windows 7 can access and run this script; only for Windows 8.1 users does it NOT run at all. I put the script in the logon script setting in Windows Server 2008 R2 Group Policy.

@jrv (http://social.technet.microsoft.com/profile/jrv/?ws=usercard-mini) insisted that it is my Group Policy setup problem, so I am posting here again.

Manually running the script on Windows 8.1 works 100% perfectly, so it is definitely not a logon script issue. Please share any guidance you have. Thanks.

Below is my script:

@echo off
REM Login.bat Version 1.0
REM Exit if user has logged on to the Server
IF %COMPUTERNAME%.==SL2011. GOTO END
REM Delete pre-existing drive mappings
REM
REM Map M: to SL2011 on sl2011
NET USE M: /DELETE >nul
NET USE M: \\SL2011\sl2011 /YES >nul
REM
REM Map Y: to AccScan on rss2
NET USE Y: /DELETE >nul
NET USE Y: \\rss2\Public\AccScan /YES >nul
REM
REM Target of the GOTO END above
:END


Windows 7 GPO - Disable All Removable Media then Re-enable, now CD/DVD drive is inaccessible


Ok, this might be better placed in the Windows 7 forum, but we're having some issues with limiting access to removable media via GPO.

We've set up a GPO for Computer Policy, Admin Templates, System, Removable Storage Access, All Removable Storage classes: Deny all access - Enabled

After finding that this was a bit too restrictive we reset it back to Not Configured (and later Disabled to try and force it), but it seems to break our DVD drives on all Win7 x64 machines (the GPO is limited to apply only to these machines). Instead of the usual icon in My Computer it shows a description of the CD/DVD in the drive and the usual "unknown file type" icon. If you take the CD out it shows the usual CD-ROM icon, but still gives "access denied".

There is one workaround, and that is to set the GPO back to not configured and manually remove the CD/DVD device via device manager, restart, and allow windows to re-install the device drivers.

This is 100% repeatable by applying the same local computer policy ("All Removable Storage classes: Deny all access - Enabled") and restarting the machine.

Has anyone else run into this problem before?  And how can we fix it without having to go to every machine to remove the DVD drive from device manager? 

Thanks,

-Nick

Invoke-IpamGpoProvisioning : Failed to import GPO. The data is invalid. (Exception from HRESULT: 0x8007000D) Event ID 2002

Hi,

At the moment I am testing the new IPAM feature of Server 2012. I followed this guide: http://technet.microsoft.com/de-de/library/hh831622.aspx

In the configuration task, the PowerShell command Invoke-IpamGpoProvisioning should be run, but it fails with the following error:

Invoke-IpamGpoProvisioning : Failed to import GPO. The data is invalid. (Exception from HRESULT: 0x8007000D)
At line:1 char:1
+ Invoke-IpamGpoProvisioning -Domain domainname.tld -GpoPrefixName ipam -Ip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Invoke-IpamGpoProvisioning], Exception
    + FullyQualifiedErrorId : InvalidOperation,Invoke-IpamGpoProvisioning



The following event is logged in the event viewer:


  <System>
  <Provider Name="Group Policy Management" />
  <EventID Qualifiers="49152">2002</EventID>
  <Level>2</Level>
  <Task>0</Task>
  <Keywords>0x80000000000000</Keywords>
  <TimeCreated SystemTime="2013-04-03T08:50:29.000000000Z" />
  <EventRecordID>272</EventRecordID>
  <Channel>Application</Channel>
  <Computer>hostname.tld</Computer>
  <Security UserID="S-1-5-21-2155411338-4212752665-2881386377-1108" />
  </System>
  <EventData>
  <Data>The data is invalid.</Data>
  <Data>C:\Users\username\AppData\Local\Temp\ipamprov</Data>
  <Data>{09673450-4573-42E8-85D0-104144DF0BA3}</Data>
  <Data>IPAMGPO_DNS</Data>
  <Data>IPAMGPO_DNS</Data>
  <Data>{7F345996-1D92-4194-85BF-72BFB5298EDA}</Data>
  <Data>ipamtestsetup.com</Data>
  <Data>ipam_DNS</Data>
  <Data>{F53ABEDA-B34B-4486-8E8F-D8537CCACC96}</Data>
  <Data>hostname.tld</Data>
  </EventData>

    


Can someone give me a hint to resolve this error?

Kind regards,

Missing settings available in a regular GPO, when creating a Starter GPO - such as Rename Administrator/Guest account, Restricted Groups


Y'all,

I'm looking at automating GPO creation and trying to utilize Starter GPOs for common settings done on most OUs and customize afterwards as necessary.

I'm probably not getting the concepts right and I apologize for that.

What I specifically try to achieve is to rename the Administrator and Guest Accounts and set Restricted Groups. While starting with a common set of configuration, I could set on a higher level OU by a standard GPO, I want to configure these or enable people to reconfigure these based on their OU requirements.

So I'm missing the Computer Configuration : Policies : Windows Settings : Security Settings : Local Policies/Security Options branch when trying to edit the Starter GPO.

Can anyone point me in the right direction?

Thanks,

HH

Windows 8.1 and MessageLogonText


Having installed Windows 8.1 Enterprise to trial in our environment there is an issue which stands out straight away.

When using the Group Policy 'MessageLogonText:' option, the message text is displayed at start up, even before pressing CTRL, ALT, DELETE.

The same applies when logging off a user; the user logs off, you receive the MessageLogonText, and then when you click OK it goes back to the main startup screen ready to press CTRL, ALT, DELETE.

In Windows 7 the message text is displayed AFTER pressing CTRL, ALT, DELETE, which seems more logical.

Is this a fault or another Microsoft whim?

Martin

MS Office Building Blocks


Hi

I need to copy a "building block template" from a servers location to the user that is logged onto the machine at the time.

So I am trying to use GPO -> Computer Configuration -> Preferences -> Windows Settings -> Files so that this one single file is sent to certain people who are a part of the OU.

My setting that I am using is \\ServerName\MSOffice Building Blocks\Building Blocks.dotx OR F:\MSOffice Building Blocks\Building Blocks.dotx as the source and the destination that I am using is %Userprofile%\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\

Where am I going wrong or must I use logon scripts for that particular OU? 

We are looking for the simplest way to have this up and running.

Please can someone help as I am not that clued up on Group Policies?

Group Policy to map Remote Desktop Home Folder to share caused it to map to a local share


While testing a Group Policy setting I had something unexpected happen:

I was attempting to set users' Remote Desktop home folder to a network share through a GPO. Testing it with one user showed it was working, but after adding more users it began mapping the home folder to the local share of the terminal server. Even after editing the users' Remote Desktop Services Profile through ADUC and disabling the GPO, the share was still being mapped locally. Only by deleting the local profile folder (C:\Documents and Settings\<User Folder>), disabling the GPO policy and having the user log back in did the problem get fixed.

The domain functional level is 2008 R2, and the Terminal Servers are Windows 2000 (long story!). After a little more research I realized that the Group Policy I was attempting to use will only affect 2003 and up. So why did implementing this Group Policy cause the home folder to map locally?

Ex. of file share I was trying to map to:

\\Fileserver\UserFiles\%username%

GPO Policy:

Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles > Set Remote Desktop Services User Home Directory

Any insight is greatly appreciated.

GPO Wallpaper and Local Script


BGinfo and Wallpaper in same GPO Policy

Remote Desktop Services Roaming User Profiles do not get created when you activate this policy: Windows Server 2008 and Windows Server 2012


Remote Desktop Services Roaming User Profiles do not get created when you activate this policy.

I have found this in both 2k8 and 2k12 servers so I know it is not an anomaly.

Open Group Policy Management Console -> Navigate to: 

Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Profiles/Set path for Remote Desktop Services Roaming User Profile

You should see the box below:

Set Path for Remote Desktop Services Roaming User Profiles

As the box above indicates, do not follow the instructions. Add the %USERNAME% variable to the end of the path.

The final path should look like this: \\server\terminalprofiles\%username%

On each terminal server, run "GPUPDATE /FORCE" then try to log on as a user. Assuming the rights on the share and security tabs on the folder \\server\terminalprofiles are correct, you should see a new folder being created in the form USER.V2.

Thanks,

Robert



Disable Hibernate with a startup script

I am trying to remove the ability for users to hibernate their computers by removing it from the start menu. I tried the different power settings and policies but none worked. Then I found that "powercfg -h off" did exactly what I needed. So I have a script that does only that in the computer policy > startup script. The problem is this doesn't work. I know the command has to be run with admin privileges but I have read elsewhere that startup scripts run with permission to make changes to the system. Please let me know if you have any suggestions or questions. Thanks in advance.

USB blocking policy creating local security database locking and GPO issues on windows XP


Hi,

I have a Windows 2008 R2 based domain controller AD infrastructure with Windows XP and Windows 7 clients. I have applied a USB blocking GPO with the Microsoft recommended custom ADM (http://support.microsoft.com/kb/555324). Besides the ADM, I have restricted access to the 3 USB files (1. usbstor.inf, 2. usbstor.pnf, 3. Usbstor.sys) and also the USBSTOR registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR. Only domain admins have Full Allow access on these files and registry; others, including local system admin accounts, have full deny access on these files and registry.

This policy is working perfectly fine for Windows 7 systems, but is causing issues on Windows XP systems now. It's getting applied on Windows XP systems, but somehow locking the local security policy container. As a result, the XP systems are unable to release/update the GPOs when there is a change in existing GPOs or a new GPO comes in. When I observed the RSOP data on these XP machines, I observed a memory error in applying the restricted USB registry settings (refer to the attached RSOP screenshot). It shows the old applied GPOs like WSUS and other GPOs even if I remove those GPOs in AD.

The most interesting part is, if I remove this USB GPO or move the computer to another OU and run gpupdate /force, everything works fine and all new/changed GPOs are applied perfectly. But again, if I apply the USB GPO, I am unable to release the deleted GPOs or apply new GPOs on the XP systems. I have already tried this with a new, freshly configured GPO as well, with no luck.

Request if anyone can help on this issue.

Regards,

Jnana R Dash 

unable to download apps because home group system administrator

When trying to redownload an app (which I lost after Windows 8.1 erased everything), the details state: "This app couldn't be installed because of the Group Policy set by your system administrator. Please contact your system administrator for more information."  Please instead of referring me to an article or giving me the technical jargon, please just simply state what I can do to re-download my apps, with this message.

Mapping printers via Group Policy Preferences create a direct mapping to printer, how to change it to use a print server?


Hi

When I try and map printers in our organisation using GPP, the printers map correctly, but the print queue is local - rather than via the designated local server. Therefore printers deployed via GPP have all their jobs queued locally rather than centrally.

I would like to map the printers via GPP, but set the local server to be the main print queue (preferred solution) - or be able to change all the existing deployed printers to use the local server as the main print queue using a hack/fix/etc.

As you can see below, the highlighted printer is the one deployed via GPP, but I would prefer it to be deployed like the one below.

Thanks

Exchange / Outlook 2010 Message Format


Hi,

It is possible to set the Outlook 2010 email message format with the following policy:

User Configuration - Policies - Administrative Templates - Microsoft Outlook 2010 - Outlook Options - Mail Format - Internet Formatting - Message Format - Set Message Format

Is it possible to set the message format depending on, let's say, the email address (*@company.com)?

Example 1: employee sends/receives an internal email, message format HTML

Example 2: employee sends/receives email from customer, message format Text

Thanks.


Limited Printer Deployment


Hello,

I've been struggling with this for a bit and thought I should ask for help... Our AD environment has an OU for Workstations and an OU for Servers/Management. We have a security group called DefaultPrinters.

I'm trying to deploy a printer to all users in the DefaultPrinters group but only on the computers within the Workstations OU. The problem I seem to be running into is that the GPO is a user policy but filtered by BOTH the user and computer in question.

I have enabled the loopback policy with Replace.

This is what I have so far:

Policy applied at the domain level and security filtering is set to DefaultPrinters and LaptopGroup. - This applies to all computers (does not filter right)

If I move the GPO to the Workstations OU it doesn't apply the user portion of the policy, being that the user object isn't within the scope of the policy (not beneath the Workstations OU).

Any help would be great...

Ernst

Migrating from 2008 to 2012 Folder Redirection


Basics, hopefully will explain it fully:

2008 GPO for Folder Redirection: Storage location \\server_old\store$\%username%\my documents

2012 GPO for Folder Redirection: Storage location \\server_new\store$\%username%\documents

Is there a way to get 2012 to utilize "my documents" so we don't have the network moving the docs to a new folder called "documents"?

I want to use robocopy to copy the share over, but it does me no good if then the new gpo copies all the user data back across the network to a new folder that it creates.

Thanks

Cannot deploy printer with Group Policy Preferences'- Event IDs 600, 601 and 4098


First, I want to state that I was able to deploy printers to users and computers (per user, per machine) just fine using "basic Group Policy".

I wanted to take a look at printer deployment with Group Policy Preferences and discovered... that this just does not work.

Yet it should.

The printer is a HP LaserJet 4200, a common model for which Windows Server 2012 has built-in, type 4 drivers.

The computers, all 64 bit, are as follows:

- Domain controller: Windows Server 2012 (DNS and DHCP also)

- Print Server: Windows Server 2012

- Client machine: Windows 7, SP1

Having looked at TechNet documentation, forum discussions and other blogs, I thought this would be easy to do. Yet it does not work. These are the error messages:

EventID 600

The print spooler failed to import the printer driver that was downloaded from \\SVR-004\print$\x64\PCC\ntprint.inf_amd64_33076fad6e030706.cab into the driver store for driver Microsoft enhanced Point and Print compatibility driver. Error code= 800f0247. This can occur if there is a problem with the driver or the digital signature of the driver.

EventID 601

The print spooler failed to download and import the printer driver from \\SVR-004 into the driver store for driver Microsoft enhanced Point and Print compatibility driver. Error code= 800f0247.

EventID 4098

The computer '10.0.0.18' preference item in the 'GPP-PRINT {32F99E49-5138-4A32-9956-50E8FDA2E402}' Group Policy object did not apply because it failed with error code '0x800703eb Cannot complete this function.' This error was suppressed.

For details on how I set up the printer, you can refer to my blog (on Google Blogger). There are also posts where, using "traditional" Group Policy, I was able to deploy printers without a problem.

http://davidmtechblog.blogspot.com/2013/11/windows-server-2012-print-management_21.html

Can anyone see what is wrong, if indeed something is wrong?


Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.


RPC SERVER IS UNAVAILABLE WHEN ADDING DOMAIN USERS


Dear Expert,

We are facing a problem.

We have 2 servers and 1 DC.

Server 1: the application server

Server 2: the database server

Server 1, Server 2 and some clients have already joined the domain. Those clients were added to the User Group on Server 1, and everything works well,

but recently, when I add some clients to the domain, it is OK, but I could not add those clients to the User Group. The error is:

RPC SERVER IS UNAVAILABLE.

Server 1 can see all computers joined to the domain, but Server 2 and all clients cannot see Server 1.

IE9 settings do not apply before I delete the user profile


Hello,

I have a situation where I have some users that are not getting the GPO settings applied that are specific to IE9.

The .admx file for IE in my central store is for IE8, so they have not been upgraded to IE9.

No errors are in the eventlog.

Deleting the users local profile solves the problem. When the user is logging on after this the GPO applies fine.
