I have created a new OU and I wanted to restrict some users from installing programs off the internet. Any ideas on how to get this done?
restrict users from installing programs
New Server 2012 R2 Getting AD / SYSVOL Mismatch
I just loaded up a fresh copy of Server 2012 R2 in VMware and made it a Domain Controller, to get a feeling for it before I deploy it.
All the Windows updates have been done.
Ran the Group Policy Results Wizard and got these alerts.
Default Domain Controller Policy Alert: AD / SYSVOL Version Mismatch
Default Domain Policy Alert: AD / SYSVOL Version Mismatch
I found that there is a hot fix for this for Server 2012.
http://support.microsoft.com/kb/2866345
But when I run the hot fix it tells me that "The update is not applicable to your computer"
So how do I fix this issue? Don't want to deploy Server 2012 R2 to my live environment only to have issues.
Disabling start menu Items via group policy
Hi All,
We want to disable the following items from appearing under the Start menu for all users. We only want Log Off to appear under the Start menu. Can you please confirm the GPO\GPP settings which can be configured for this to be disabled for all WinXP machines?
- Start > Programs>Accessories
- Start > Programs> Startup
- Start > Programs>Internet Explorer
- Start > Programs>Windows Media Player
Too long to open My Computer folder
Programmatically query / set local group policy settings
Hi
I want to programmatically (script / command line) access (get value, set value and enable/disable) some settings that are contained within a Windows 7 local group policy.
I can access and modify these via gpedit.msc, in particular the setting is
Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client > DNS Suffix Search List
The machine is not on a domain. The reason that I need to change this programmatically is because I change corporate networks frequently and need to be able to change these options and turn them on and off.
Thanks in anticipation.
Cheers
Paul
Windows 8.1 and MessageLogonText
Having installed Windows 8.1 Enterprise to trial in our environment there is an issue which stands out straight away.
When using the Group Policy 'MessageLogonText:' option, the message text is displayed at start up, even before pressing CTRL, ALT, DELETE.
The same applies when logging off a user; the user logs off, you receive the MessageLogonText, and then when you click OK it goes back to the main startup screen ready to press CTRL, ALT, DELETE.
In Windows 7 the message text is displayed AFTER pressing CTRL, ALT, DELETE, which seems more logical.
Is this a fault or another Microsoft whim?
Martin
How to apply two different GPOs on a single OU
Guys,
Advise me on the below scenario,
I need to apply two group policies on one OU, is this possible?
Ranjith
ranjith
Configuring network sharing
Locally Disable all Domain GPOs
I have an urgent need to locally disable all GPOs from being pushed to a group of about 400 PCs and Servers.
Background:
I am in a rather large medical facility. IT manages daily work PCs (email, office, internet access), Biomed IT manages all Medical Systems (segregated through VLANs and ACLs). I am Biomed IT, our medical systems, though in an OU that isn't supposed to receive updates, still receive updates about once a week. When this happens, the device is no longer certified for medical use (last week we had to spend $45k to get a vendor back out to re-image). The latest IT stunt pushed from region was to remove all admin rights from both local IT and Biomed IT. While we are trying to restore access...
I need to find a way to block any and all policies being pushed to these devices without having domain admin rights. Most of these machines are set up with local admin accounts or with a Biomed Admin group given local admin rights.
To make things worse, this is a government facility in which IT will not make any domain side changes for us. Even though the FDA says these machines must be excluded, IT has simply said NO. The only option we have been able to come up with is to force the IT policies out of the medical systems so situations like this do not affect patient care. We have been denied (by the director's office) a request to put in place our own domain to manage these systems. All I would need is a trust to allow the users to continue to use their existing domain logins, but that was also shot down by IT not allowing trusts. We have requested delegation to manage this OU and been denied.
My thoughts were to:
a) block required ports for updating on the Cisco ACLs or
b) to find a way to block domain policies through some local settings.
So far, all my searches have come up short on providing enough information to move forward with any certainty.
Any suggestions or recommendations are greatly appreciated.
Disable Access to Windows Explorer or at least to the "network" list in it
Hi,
I recently got a job: A library (with books and stuff, not a dll) wants a special user which library visitors (aka anybody) can use for two and only these two things:
- Access to a library software
- Access to Internet (with IE 10)
They have a thin client and this public user will login on a terminal server with 2008 R2.
So I began to completely lock down the (mandatory, by the way) user profile. By now everything is disabled; the user can do absolutely nothing except using a strongly locked down Internet Explorer and the mentioned library software. Everything is great, except for one single problem:
The user still has access to Windows Explorer when he tries to change the downloads directory through the IE download manager. In the administrative group policy templates for IE, there is no appropriate option for that.
As a result, all servers are visible under "network" and in some cases, the user even has read permissions to their shares.
Is there any possibility to disable this explorer frame or at least the "network" list in it? For the latter, I've found some registry tweaks, but unfortunately they're system level.
Can anyone help me?
Multiple Home Page settings not working in Server 2008 R2
I have Windows Server 2008 R2 as a DC & ADC is same 2008 R2 server both with SP1 with IE 11 installed
other Group policies are there & running well.
I had set up two home pages but on user machines it's showing and running only one Primary home page.
One is my intranet site and the other home page is our website.
I have enabled "Disable changing Primary Home page" and kept my intranet page there.
I have enabled "Disable changing Secondary Home page" and kept my website page there.
After gpupdate I can see only one page in the users' Internet settings. My website page is not loading at all!
Scenario 2:
I have selected the Not Configured option for "Disable changing Primary Home page" and applied.
I have enabled "Disable changing Secondary Home page" and kept both the intranet and my website page addresses there.
After gpupdate it's loading 3 pages: the same intranet page twice and the website page once.
In group policy only two are configured, and it's loading 3 pages?
I need it to show only two pages. Tried all the ways and it seems frustrating with Windows Server 2008 R2 Group Policy.
Has anyone succeeded with multiple home pages, i.e. it must load only TWO pages in the IE browser via Group Policy?
All users have 64-bit Windows 7 OS with IE 10 and IE 11 browsers installed and updated. Servers have IE 11.
IE10 ADMX
Hi All,
I am deploying IE10 to my multi domain environment. My domain controllers are 2008 R2. All clients are Windows 7 Ent with SP1 with IE 9 (they have GPO settings applied to them for IE).
I would like to add the ADMX template downloaded from the MS site (http://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=1&ved=0CC0QFjAA&url=http%3A%2F%2Fwww.microsoft.com%2Fen-gb%2Fdownload%2Fdetails.aspx%3Fid%3D37009&ei=pJygUvzpFsKl0AXXkoHgBA&usg=AFQjCNGhFHiCh_xSQpOj_7TH9M_22iEZWA&sig2=PJM024L50dQAPz9I67sHzA&bvm=bv.57155469,d.d2k)
to my central store. I have the central store set up and currently use it. There is already an inetres.admx in there (presuming this is for IE9). If I copy the IE10 inetres.admx into the repository it will overwrite the current one. What will happen to my GPO settings regarding IE9? Will it break them?
The inetres.admx for IE 9 is over 3 MB and the one for IE10 is 1.5 GB. I will be rolling out deployment of IE10 very gradually so I can't have my IE 9 users breaking.
Any help would be appreciated.
Thanks
Changing My documents, Pictures and music folder locations.
I know you can use folder redirection GPO to redirect users' My Documents etc. to a network share but I am tasked with redirecting them to a local partition on the system "D:\Data". So that I have "D:\Data\my documents D:\My pictures" and so on.
I am looking for info or suggestions on doing this in a GPO. Or any other ideas you may have.
tconners
GPO Preference "Folder Options" issues
I have created folder options under "User configuration\Preferences\control panel settings\Folder options" for showing hidden files and folders by choosing "Folder Options (At least Windows Vista)", assuming that means minimum it's Vista or newer. We are using Win7. I have a separate OU for testing and when creating this preference I right clicked the OU and chose "Create a GPO in this domain and link it here...". Right clicked the new GPO and chose edit. Changed to folder options and done.
When I run gpresult on a client in that OU the setting is not applied. Under "Computer Configuration Summary\Group Policy Objects" it shows up in "Denied GPOs" with a reason of "Empty" and I don't see it at all under "User Configuration Summary\Group Policy Objects" either in applied or denied. Can someone shed some light on what I may be doing wrong? Also it's been a good hour so any replication should be done.
tconners
TCP/IP Printer installs - How do I get the proper driver settings?
Windows failed to apply IP Security settings
Hi,
Our server/client environment is a mix of Windows Server 2012, 2008 R2, 2008 and Windows 7. We have nothing below Windows Server 2008. Both the forest and domain functional levels are at Windows 2008 R2.
Every 15 minutes, the following event is generated on all machines joined to the domain:
"Windows could not record the Resultant Set of Policy (RSoP) information for the Group Policy extension <IP Security>. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately."
Below is the detailed view:
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 12/5/2013 2:24:17 PM
Event ID: 1091
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: book.wolfson.fiu.edu
Description:
Windows could not record the Resultant Set of Policy (RSoP) information for the Group Policy extension <IP Security>. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
<EventID>1091</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2013-12-05T19:24:17.011Z" />
<EventRecordID>439591</EventRecordID>
<Correlation ActivityID="{211DE0BB-42E9-4D61-A1D3-0D3F09A24477}" />
<Execution ProcessID="1076" ThreadID="3300" />
<Channel>System</Channel>
<Computer>book.wolfson.fiu.edu</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="SupportInfo1">1</Data>
<Data Name="SupportInfo2">3934</Data>
<Data Name="ProcessingMode">0</Data>
<Data Name="ProcessingTimeInMilliseconds">6817</Data>
<Data Name="ErrorCode">2</Data>
<Data Name="ErrorDescription">The system cannot find the file specified. </Data>
<Data Name="DCName">\\drexel.wolfson.fiu.edu</Data>
<Data Name="ExtensionName">IP Security</Data>
<Data Name="ExtensionId">{e437bc1c-aa7d-11d2-a382-00c04f991e27}</Data>
</EventData>
</Event>
Based on the ErrorDescription field above, there seems to be some sort of file missing but that's a little vague and I cannot figure out how to fix. Another clue is that when I search on the internet for the ExtensionID string {e437bc1c-aa7d-11d2-a382-00c04f991e27}, it seems to be related to the IP Security policy setting, however, that setting is not even configured in group policy within our domain or on any machine.
Any suggestion?
Thanks!
-sul.
Extremely Slow Login on Windows 7 when using Group Policy Preferences to Map Shared Network Printers, 5 Minutes from Welcome to Desktop....
Hi all,
We have got a big problem using GPP to deploy 2 Network Shared Printers to well over 400 Windows 7 Clients.
When we had Windows XP, we used to use a VBS script to map the printers, and it was fast and worked great every time.
So after moving to Windows 7 clients, using the same VBS script, the printers sometimes appear, sometimes one will appear, and it is very random. The login time is around 2 minutes from welcome screen to desktop, but the printers appear slowly (maybe another 30-40 seconds after the desktop has loaded).
I then opted to use GPP to deploy the printers. The good news is that the printers appear every time a user logs in on a Windows 7 Client. Bad news is the login time has increased massively. The time is now 4-5 mins from welcome to desktop.
I've checked in the Event Viewer on the Windows 7 Clients and found these appearing every time a user logs in, in the Application Log:
The winlogon notification subscriber <GPClient> is taking long time to handle the notification event (Logon). EVENTID 6005
The winlogon notification subscriber <GPClient> took 167 second(s) to handle the notification event (Logon). EVENTID 6006
These two events appear every time a user logs in when I use GPP to deploy the printers. If I remove the printers from GPP and go back to using VBScript, the above events do not appear in the Event Viewer and login time is down to 2 minutes.
So what can I do to fix this? I've looked everywhere on TechNet and other forums, and there never seems to be an answer, so please can someone help.
Thanks in advance
New users not able to connect to mapped drive (Errors 8007052E + 80070056)
I have been creating users on my domain for several years now and was able to map a network drive just fine, until a month ago.
I created a user using the same method I have done for 3 years, assigned the correct permissions and groups, and when I tried mapping the network (using a script) it gives me various errors. Mainly 8007052E and 80070056. It seems to have a problem with the user names and passwords, but the scripts do not include anything of the sort. When I try to manually map the drive it will not accept the newly created account credentials. This happens no matter what computer or OS they log into.
Even stranger, all of the accounts created prior to this are working just fine, with the script and everything. I have even tried copying one of the accounts that work fine and rename it and the problem affects this account as well.
Just so you know, I have created many accounts thinking there was a problem with the first one or copies but nothing works.
Any thoughts on this issue would be GREATLY appreciated.
Location of ADMX Files
Hi
I put some default ADMX files in the Sysvol\Domain\Policies, and after restarting the GPME I see those templates in the editor.
I did the same for the Office 2010 ADMX files, but after restarting I don't see any template for the Office Suite. What am I doing wrong?
GPO Tuning
Hi guys,
I'm working in a very "old" Active Directory infrastructure and one problem is the very long time which the user needs to sign in.
To find a solution I can look at a lot of places; I wanted to set the focus at first on my GPOs and scripts which are processed during the login.
I found a script to measure the time which a GPO needs to be processed:
I ran the script on my Win 8.1 client and one Win 7 client with the following results:
win 8.1
Laufzeit = runtime
Win7
Does anybody have some statistics on how much time is normal for a GPO?
I think 117,8 is a little bit too long :), but 3,33 seems to be OK, or maybe not?
I haven't found any statistics in my Google research.
Best regards
David