Quantcast
Channel: Group Policy forum
Viewing all 19997 articles
Browse latest View live

Windows 8 and IE10 not accepting Proxy Settings via Group Policy

December 20, 2012, 10:45 am
$
0
0

We have recently introduced a couple of Windows 8 computers in our network, and we are having issues applying the Internet Explorer Proxy Server settings.

We use a Microsoft TMG 2010 server as our proxy server for accessing the internet. We have been using a GPO with the following settings to automatically configure our Windows 7 computers running IE9 with the appropriate Proxy settings:

User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Connection/Proxy Settings

  • “Enable Proxy Settings” : Checked
  • “Address of proxy” : server.domain.local
  • “Port” : 8080
  • “Use the same proxy server for all addresses” : Checked
  • “Exceptions” : Here we have a list of several internal or partner sites that should not be proxied.

This GPO has worked beautifully for our Windows XP and Windows 7 users with IE 7, 8 and 9. Now with Windows 8 and IE10, this no longer works. I’ve therefore added a Windows Server 2012 Domain Controller to the network, and using GPMC on that new DC, I created a new GPO with the following settings:

User Configuration\Preferences\Control Panel Settings\Internet Settings\Internet Explorer 10

Now, seeing as these are preferences, it’s a little different.  But, I’ve “checked off” the option “Use a proxy server for your LAN” as well as “Bypass proxy server for local addresses”. Then I click on “Advanced” and setup all my proxy settings the way I would like them, including the proxy server name, port and exceptions list.

When this new group policy gets applied to my Windows 8 PC, the only setting that gets applied is the “Use a proxy server for your LAN”. It does not configure the name or port of the proxy server nor does it configure the exceptions list. If I go back to the GPMC, and edit the new GPO, the settings are all there. However, if I just view the settings from the main GPMC screen (without opening the GPO itself), I don’t see all of those settings (again, only the one “Use a proxy server…”)

What am I missing???

Search

Deploy an Internal CA Certificate

December 4, 2013, 6:20 am
$
0
0

Been reading a lot of the previous questions and the option to deploy sounds easy by creating a GPO and going in to the following:

Computers Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities and Right Click -> Import -> Point this to your root CA certificate.

My question is will this Root CA that I import and deploy via GPO be appended to those currently on the PCs provided in the Root Certificate Update or will it overlay those and start fresh?  Not certain if I need to extract a copy of what currently exists to populate the GPO and then add on the one Internal CA Certificate or if I only need the one I want to append?  Also going forward would the Root Update work hand and hand so that the PCs I want to deploy to keep up to date on those as well as the Internally Created CA Certificate.

  Thanks,
     Evan Cardanha

Printer Mapping Performance GPP

December 3, 2013, 6:28 am
$
0
0

Hello,

we´ve 60 Printers and want to map them through GPP. Mapping should be handled in one GPO with a Filter based on IP-Adress through Item Level Targeting.

I would build two items per Printer: one for create the Printer and one for delete the Printer, additionally item Level targeting will look for the ip-address, like here: http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-dynamically-map-printers-with-roaming-profiles/.

So in total ~ 120 Printer in one GPO. Creating several GPOs with Printer mappings is notdesired. Additionally the OU structure is very flat, there is only one Client OU with all Client Computers and it must remain so.

I am unsure how about the performance at logon process. Has anyone experiences with such Printer mappings? May be better to use a logon-script?

Set IE 10 as default browser (in Win 7)

December 6, 2013, 4:12 am
$
0
0

Hello,

I need to define the Inernet Explorer 10 as the default web browser of our Windows systems (most of them are Windows 7). Unfortunately, I haven't found an appropriate solution until now, because all internet linnks I found don't fit into my situation:

- solution for Windows server 2012: http://blogs.technet.com/b/mrmlcgn/archive/2013/02/26/windows-8-associate-a-file-type-or-protocol-with-a-specific-app-using-a-gpo-e-g-default-mail-client-for-mailto-protocol.aspx (we don't have windows server 2012)

- solution for all browser version till IE9: http://www.ehow.com/how_6356764_make-ie-default-browser-gpo.html

Does anyone know the solution?

Thank you very much.

Regards Alex

Office 2013 Trusted Locations increase

December 3, 2013, 1:31 am
$
0
0

Hi,

Creating a Office 2013 policy and one of the requirements is to use Trusted Locations BUT we require more than the 20 available in the template.  Can any advise how we address this?  The requirement is to have 40 (ish) Trusted Locations.

Thanks for your time

Server 2012 & Windows 8.1: Group policy loopback processing mode not working ?

December 6, 2013, 2:11 am
$
0
0

Hello everyone,

I have a question about working with server 2012 & 8.1 and group policy loopback processing mode.



The thing is I have a test environment with server 2012 and windows 8.0 for group policy management.

I created a OU with a windows 8.0 machine and linked a new GPO.

In this GPO I configured a few settings configured under computer configuration and some user configuration settings.

- In user configuration I configured drive maps, desktop shortcuts and location for default library files.

- In computer configuration I configured group policy loopback processing mode (replace).


All went well on the server 2012 - 8.0 environment, but when I updated my client from 8.0 to 8.1 the user configuration policies are not aplied.

We are going to upgrade our servers to 2012R2 but untill that time I would like this to work.

So now I simplified my testing to rule out probable causes. I created a server 2012R2-windows 8.1 test environment as well as server 2012-windows 8.1:

In both environments I put the 8.1 machine in a OU with a GPO that has group policy loopback processing mode to enabled (replace) and under user configuration I defined 1 drive map.

This worked fine in the server 2012R2-windows 8.1 environment, but did not in the server2012 - windows 8.1 environment.

I can't find much support on Windows server 2012 with Windows 8.1 issue's. My question, is it possible or is server 2012 just not compatible with windows 8.1? And (if I'm not doing something terribly wrong), is there a way to get this working without upgrading the server to R2?

Extreme slow login on Server 2008 R2 TS at Group Policy Preferences - Printers

December 6, 2013, 6:53 am
$
0
0

I see references to this problem everywhere, going back to 2010.  However I'm not finding any real answers.

I have Group Policy Preferences installing printers to Terminal Server Users.  I have one policy that applies to 4 terminal servers.  One of them is a 2008 R2, the others are 2003 x64.  Only for the 2008 R2 server, after all of the printers show (in event viewer) as successfully loaded, there is a long hang.  I have many printers applied to me, and that results in my load time being the longest of all at about 3 minutes.  I am an administrator on the machine.  Others have the exact same problem, just a bit less pronounced depending on the number of printers. 

The policy preference is set to UPDATE, so it's not loading the driver... again, the printer is already successfully applied.

I've tried setting UAC to "Never" on the server.  No effect.  I've played with the Point and Print policy at both computer and user level, finally just setting both to disabled, but prior to that setting them to Enabled with the "do not show warning" on both settings.  No effect (which makes sense since that is for non-admins and I am having this problem as an admin).

My logging pasted below shows this same thing in all cases.

Is there an answer to this that I am just not finding?

2013-12-06 09:11:44.133 [pid=0x388,tid=0xca0] Filters passed.
2013-12-06 09:11:44.133 [pid=0x388,tid=0xca0] Adding child elements to RSOP.
2013-12-06 09:11:44.133 [pid=0x388,tid=0xca0] Set user security context.
2013-12-06 09:11:44.289 [pid=0x388,tid=0xca0] Set system security context.
2013-12-06 09:14:13.873 [pid=0x388,tid=0xca0] Set user security context.
2013-12-06 09:14:13.909 [pid=0x388,tid=0xca0] Set system security context.
2013-12-06 09:14:13.909 [pid=0x388,tid=0xca0] Properties handled.
2013-12-06 09:14:13.909 [pid=0x388,tid=0xca0] RunOnce value created [SUCCEEDED(S_FALSE)]

Administrative Template Win8.1

December 4, 2013, 9:27 am
$
0
0
I'm planning on installing a few Win8.1 machines for testing, but need the administrative templates for 8.1 gpo installed on our SBS2008 server. Are these officially available? If not, is there something I can do in the meantime?
Search

App Locker Help

December 4, 2013, 10:54 am
$
0
0

With Crypto Virus costing issue on some machine I'm looking to lock down the %AppData% folder using App-Locker. My issue is that when I apply the policy below it doesn't apply to all subfolders in AppData folder. What's the correct way to get it to apply to all folders in AppData folder.

Path: %USERPROFILE%\AppData\*.exe

Security Level: Disallowed

This only apply to two subfolders and stops after that.

Path: %USERPROFILE%\AppData\*\*.exe

Security Level: Disallowed

Cannot Remove Internet Explorer Branding

December 6, 2013, 7:40 am
$
0
0

We had a custom titlebar a while ago, applied in the "Default Domain Policy" (which is problematic, since I cannot just delete the GPO and recreate it).  I only discovered this policy after upgrading all clients to IE 10 and our DCs to 2008.

I've used RSTAT from a computer with IE 8 and removed the branding from the GPO (so it no longer shows in the "Settings"), but we're still getting the "Internet Explorer Branding" Failed "The specified procedure cannot be found" message on the clients.

I want to completely remove Internet Explorer Branding from group policy as it's not wanted.  I have located two GPOs in the SYSVOL directory with IEAK directories, one with a "BRANDING" directory.

How can I get rid of IE Branding once and for all?  Thank you kindly!

IE9 Settings does not apply before i delete the user profile

November 22, 2013, 12:56 am
$
0
0

Hello,

I have a situation were i have some users that are not getting the GPO seetings applied that are specific to IE9

The .admx file for IE in the my centralstore is for IE8 so they have not been upgraded to IE9.

No errors are in the eventlog.

Deleting the users local profile solves the problem. When the user is logging on after this the GPO applies fine.

Group Policy not completely inheriting

December 6, 2013, 8:53 am
$
0
0

Good Morning,

Quick back story before I go into full details.  I recently added a 2008 R2 server to my 2003 domain and made it a DC.  I did all the following prep to the domain to prepare for this DC, adprep, forestprep, and domainprep.  I also decommissioned one the 2003 servers and promoted the 2008 R2 as a DC.  It all appears to have worked seamlessly, no complaints on the network so far.  I did this because we have started to introduce some Wind 7 system to the domain so we wanted to add a 2008 R2 server.  I have created by win 7 group policy and have the win 7 systems in a separate OU where that policy is only applied to those systems.  The problem is the win 7 system are only receiving part of the policy.  Under computer configuration\windows settings\security settings,  they are receiving the account policies, local policies and even the firewall policy I specified, however there are not pulling the advanced audit policy configuration or anything that I specified under the administrative templates which contains the control panel, network, printers, system, and windows components.  I copied the admx files from the 2008 R2 server to the sysvol folder and it states that's where it is getting the templates from.  However when I do a gpupdate /force on a local windows 7 systems it is only pulling part of the policy.  Can someone give me some ideas on what I may be missing or if I have something turned on or off that may be preventing this from applying properly? 

Thank you.

Certificate enrollment web servce GPO enablement failure

November 21, 2013, 10:23 am
$
0
0

2012 Std R2

Added certificate authority role with web services

configuring via library hh831625

I have verified that IIS has the default site ADPolicyProvider_CEP_Kerbos and I copied the URI <a href="https:///ADPolicyProvider_CEP_Kerbos/service.svc/CEP">https://<server>/ADPolicyProvider_CEP_Kerbos/service.svc/CEP

I added a domain GPO per directions Certificate Enrollment Policy Web Services. I am editing the GPO for Computer->Policies->Windows Settings-> Security Settings->Public Key Policies. I double click Certificate Services Client - Certificate Enrollment Policy. I enable the policy and ADD certificate enrollment policy list. I paste the above URI, Authentication type is "Windows Integrated". When I validate server I get the following error:

An error occurred while obtaining certificate enrollment policy

URI:https://<server>/ADPolicyProvider_CEP_Kerbos/services.svc/CEP

Error: The remote endpoint does not exist or could not be located. 0x803d00d (-21434855939 WS_E_ENDPOINT_NOT_FOUND)

Help with this final validation is appreciated. Logged on as administrator with domain admin rights and enterprise Admins rights

John Lenz

Windows failed to apply IP Security settings

December 5, 2013, 12:51 pm
$
0
0

Hi,

Our server/client environment is a mix of Windows Server 2012, 2008 R2, 2008 and Windows 7.  We have nothing below Windows Server 2008.  Both the forest and domain functional levels are at Windows 2008 R2.

Every 15 minutes, the following event is generated on all machines joined to the domain:

"Windows could not record  the Resultant Set of Policy (RSoP) information for the Group Policy extension <IP Security>. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately."

Below is the detailed view:

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          12/5/2013 2:24:17 PM
Event ID:      1091
Task Category: None
Level:         Warning
Keywords:      
User:          SYSTEM
Computer:      book.wolfson.fiu.edu
Description:
Windows could not record  the Resultant Set of Policy (RSoP) information for the Group Policy extension <IP Security>. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
    <EventID>1091</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2013-12-05T19:24:17.011Z" />
    <EventRecordID>439591</EventRecordID>
    <Correlation ActivityID="{211DE0BB-42E9-4D61-A1D3-0D3F09A24477}" />
    <Execution ProcessID="1076" ThreadID="3300" />
    <Channel>System</Channel>
    <Computer>book.wolfson.fiu.edu</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">1</Data>
    <Data Name="SupportInfo2">3934</Data>
    <Data Name="ProcessingMode">0</Data>
    <Data Name="ProcessingTimeInMilliseconds">6817</Data>
    <Data Name="ErrorCode">2</Data>
    <Data Name="ErrorDescription">The system cannot find the file specified. </Data>
    <Data Name="DCName">\\drexel.wolfson.fiu.edu</Data>
    <Data Name="ExtensionName">IP Security</Data>
    <Data Name="ExtensionId">{e437bc1c-aa7d-11d2-a382-00c04f991e27}</Data>
  </EventData>
</Event>

Based on the ErrorDescription field above, there seems to be some sort of file missing but that's a little vague and I cannot figure out how to fix.  Another clue is that when I search on the internet for the ExtensionID string {e437bc1c-aa7d-11d2-a382-00c04f991e27}, it seems to be related to the IP Security policy setting, however, that setting is not even configured in group policy within our domain or on any machine.

Any suggestion?

Thanks!

-sul.

Internet Explorer 9 and GPO

March 24, 2011, 3:13 am
$
0
0

Normally when changing Internet Explorer settings with the GPMC we move to: User configuration -> Preferences -> Control Panel Settings -> Internet Settings. If we select new task we can see we are missing Internet Explorer 9 ? Is there a fix for this or can i use ie8 with no hassle at all ? I have placed the new inetres.admx in our central store but it seems that the control panel admx must be updated as well

regards

Richard

Search

Backing Up GPOs with Server 2012

March 14, 2013, 1:40 pm
$
0
0

I have added a member server as Windows 2012 Standard to our domain.  I try to backup all the GPOs in the domain using GPMC from the 2012 server but I get an error stating "The specified server cannot perform the requested operation". 

The domain and forest are still at 2008 R2 level and I figured that should not make a difference since I am just trying to use GPMC to backup the GPOs. 

Thanks

GPO to change Share Permissions

February 18, 2009, 11:12 am
$
0
0
After auditing our servers I found that there were many with shares which had 'Everyone' with full control. 

I want to get rid of the 'Everyone' and replace it with 'Authneticated Users'. Is there any way to do this using GPO? 

If not how else can I do this without having to do it manually on each server?

Yurij 

USB is disabled from GPO but in few machine USB is still enabled

December 7, 2013, 8:19 am
$
0
0

Hi,

There are few machine on which USB is disabled by group policy but still if i plug in a USB pen drive then its gets connected and gets displayed on desktop. Many times i have updated the the gpo on the machines by gpresult /force cmd and restarted the machine but still it doesn't work. USB disbaled policy are applied on the this machine and this is confirmed by generating the RSoP and gpresult /h report.html or gpresult /r /scope computer. The usbstr.inf and usbstr.pnf (something like this) permission are only for system and no privileged permission are given for any user.

Is any thing remaining to check. What else is need to do to block the USB ports.

Thanks for helping.

Set A Group Policy For OU

December 6, 2013, 11:29 pm
$
0
0

Hi,
I have a domain named TECH.com with 2 OU (client_computer,servermeber). I want to set group policy for OU client_computer. How..?
I did following steps.
start->administrative tools->Group policy Management
Then right clicked OU client_computer->create a GPO in this domain and link it here
the named as "client desktop policy".
Then I right click client desktop policy->click edit->User Configuration->Policies->Administrative Templates->Desktop->desktop
Then I Enabled active desktop and desktop wallpapers and set path also.
And run gpupdate..

But this is not working... How can i set a default wallpaper to my client_computer OU..??
With Regards 

Xavi seban

Need help with group policy object (GPO) to control Internet Explorer with preferences

December 7, 2013, 9:04 pm
$
0
0

Hi there,

I have created group policy object (GPO) to control Internet Explorer option and settings with preferences. Could someone please explain why “automatically detect settings” are greyed out (please see picture) for Internet Explorer 8 and 9 but ok for IE10?!

Thanks in advance

IE Settings

Viewing all 19997 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>