Quantcast
Channel: Group Policy forum
Viewing all 19997 articles
Browse latest View live

How to use GroupPolicy SDK to configure the software installation?

December 3, 2013, 6:48 pm
$
0
0

Hello,

I find that GroupPolicyObject::Save() can take a pair of GUIDs for the extension. Now I need to configure the software installation in the group policy to deploy my own msi.

The pair of GUIDs may be C6DC5466-785A-11D2-84D0-00C04FB169F7 and 7E45546F-6D52-4D10-B702-9C2E67232E62.

I did a search on MSDN but seems find nothing about this. I'm able to programmatically create a GPO using C# but donot know how to use the extension for software installation.

Would you please give a help on this problem? Any sample code to config the software deployment will be highly appreciated.

Thanks,

Evan

Search

Deploy an Internal CA Certificate

December 4, 2013, 6:20 am
$
0
0

Been reading a lot of the previous questions and the option to deploy sounds easy by creating a GPO and going in to the following:

Computers Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities and Right Click -> Import -> Point this to your root CA certificate.

My question is will this Root CA that I import and deploy via GPO be appended to those currently on the PCs provided in the Root Certificate Update or will it overlay those and start fresh?  Not certain if I need to extract a copy of what currently exists to populate the GPO and then add on the one Internal CA Certificate or if I only need the one I want to append?  Also going forward would the Root Update work hand and hand so that the PCs I want to deploy to keep up to date on those as well as the Internally Created CA Certificate.

  Thanks,
     Evan Cardanha

Set IE 10 as default browser (in Win 7)

December 6, 2013, 4:12 am
$
0
0

Hello,

I need to define the Inernet Explorer 10 as the default web browser of our Windows systems (most of them are Windows 7). Unfortunately, I haven't found an appropriate solution until now, because all internet linnks I found don't fit into my situation:

- solution for Windows server 2012: http://blogs.technet.com/b/mrmlcgn/archive/2013/02/26/windows-8-associate-a-file-type-or-protocol-with-a-specific-app-using-a-gpo-e-g-default-mail-client-for-mailto-protocol.aspx (we don't have windows server 2012)

- solution for all browser version till IE9: http://www.ehow.com/how_6356764_make-ie-default-browser-gpo.html

Does anyone know the solution?

Thank you very much.

Regards Alex

Windows could not apply the registry-based policy settings for the Group Policy object

December 8, 2013, 9:23 pm
$
0
0

Dear All,

i am facing issue while running Gpupdate /force in client machine as well as in DC "The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object" also i am trying to create a policy to the specific OU (Which contains computer alone) for refresh policy intervel. Please advice me how to do that..


Thanks, Venkatesh. "Hardwork Never Fails"

How to create Password reset GPO that applies on an ou

December 9, 2013, 3:21 am
$
0
0

Hi,

I have many users in different ou's we different policies applied on the same.
Now I want to create a gpo and bind with an ou that, if I move objects in that ou users password gets automatically reset

Thanks in advance.

Local Password and host file

December 9, 2013, 1:50 am
$
0
0

I have created a GP in Computer configuration to update the local administrator password and copy a version of host file to all machines under a OU.

Both these settings are not working on client machine.

For password - Under computer configuration -> control panel settings -> local users and groups -> Admin -> update password

For Host -> computer configuration -> Windows settings -> files -> source path - unc path for my share folder which has the host file & TArget path : c:\windows\sytem32\drivers\etc and given action as replace.

what's wrong iam doing in this?

regards Sundaresan.C

Group Policy Event Error 1085 after adding 1 entry

December 9, 2013, 6:00 am
$
0
0

 

Hi everybody,

We are getting Event ID 1085 errors after adding "http://*.gob.es" in Group Policy Internet Zonemapping


We have enabled Userenv logging and followed the steps provided in  http://blogs.technet.com/b/askds/archive/2008/08/21/a-test-case-for-troubleshooting-group-policy-application-event-id-1085-and-7016.aspx

After adding the entry "http://*.gob.es", the log looks like this:
USERENV(2c8.1c0) 14:49:11:600 LogExtSessionStatus: Successfully logged Extension Session data
USERENV(2c8.1c0) 14:49:11:615 ProcessGPOList: Extension Internet Explorer Zonemapping returned 0x57.
USERENV(2c8.1c0) 14:49:11:615 ProcessGPOList: Extension Internet Explorer Zonemapping doesn't support rsop logging
USERENV(2c8.1c0) 14:49:11:615 ProcessGPOs: Extension Internet Explorer Zonemapping ProcessGroupPolicy failed, status 0x57.



We have tested several valid formats 

http://*.gob.es
https://*.gob.es
*://*.gob.es

But the error keeps appearing in event viewer

We have tried with another domains and it works.

And even more tricky, in the registry of an affected user we can see these registry entries:


HKEY_CURRENT_USER\software\policies\microsoft\windows\currentversion\internet settings\zonemapkey
    *://*.contoso.com   REG_SZ  2
    *://*.gob.es        REG_SZ  2


This entry (*.gob.es) references all the ministerial and government pages in Spain
We are very interested into adding this entry instead of adding each subdomain of gob.es

Thank you very much in advanced.

Sincerely yours.

Ramiro Cascallana


Ramiro Cascallana MCDST MCSA

GPO stops applying, some settings in user configuration do not display in gpmc. Upon edit of policy everything starts applying and displaying correctly in GPMC.

December 9, 2013, 9:55 am
$
0
0

Hi,

I had a problem recently with a Group Policy that stopped applying and sections of the policy stopped displaying in GPMC but when editing the gpo the settings were there.  In particular the settings were user configuration settings for the site to zone assignment for IE 10.  These are user settings applied via loopback processing.  I got the policy to start working again and displaying correctly in GPMC by editing the policy (adding a new test site to the trusted zone in the site to zone assignment list).  After making this one edit the policy started applying and it also started displaying in GPMC.  Strangely enough other sections of the policy were displaying correctly in gpmc when this section was not displaying\applying.  I ran gpresult on a few of the servers affected and don't recall if it showed the policy applying or not.

Can anyone help explain this behavior?  A few days after it was resolved I was thinking I should have checked which Domain controller I was attached to in GPMC and which Domain controller the servers were connecting to to see if only one domain controller was causing the problem, but I did not do this at the time.  We have 3 DCs.

Thanks!

Search

Location of ADMX Files

October 3, 2011, 1:21 pm
$
0
0

Hi 

I put some default ADMX files in the Sysvol\Domain\Policies, and after restarting the GPME I see those templates in the editor . . 

I did the same for the Office 2010 ADMX files, but after restarting I dont see any template for the Office Suite, what I'm doing wrong . . 

 

 

Can't add network printers as normal users - Point and Print disabled.

December 9, 2013, 4:32 pm
$
0
0

Disabled Point and Print restrictions. This should be all that is required right? Because that's what Microsoft say and yet again I'm having my time wasted and my stress levels risen because of their BS.

So, restrictions are disabled. I can 100% confirm this via gpresult export. There's nothing that should be conflicting with this.

But on a server 2008 client/TS when I attempt to install a network printer I get a prompt saying "To use the shared printer ..... you need to install the printer driver on your computer...."

With a button to "Install Driver" showing UAC symbol or cancel.

Clicking the "Install Driver" UAC button locks up the explorer windows. No UAC window ever appears or any other prompt, but clicking anywhere in the now broken window gives a "error beep".

Microsoft... Stop THIS FUCKING BULLSHIT AND JUST MAKE NETWORK PRINTERS WORK. I followed your instructions. There are no "restrictions"... Why isn't it "just working" like it apparantly should? Are your staff liars? Are MS liars? Who is at fault here?

Software Restrictions Policy Gone Rogue on me!

December 9, 2013, 4:12 pm
$
0
0

In the wake of CryptoLocker I created a software restrictions policy GPO to protect against infection. After deploying this, I learned that there was a number of programs, installations, MS hot-fixes, etc, that needed to use this folder in order to install or run. Because of that, I disabled the GPO. Now I have one single Windows 8.1 Pro computer that the policy is still taking affect on, even though the GPO policy has been disabled. It's driving me crazy. I'd appreciate any help!

When trying to install and open certain apps (ie. Dropbox) , I get the message:

"Your system administrator has blocked this program. For more information, contact your system administrator."

When trying to install vcredist_x86.exe (Microsoft Visual C++ 2010 Redistributable Package (x86)) I get the following message:

"The system administrator has set policies to prevent this installation"

Updating file to network share (at logoff)

December 10, 2013, 8:55 am
$
0
0

We have multiple, load-balanced Citrix servers. Using group policy, I push an .xml file to the users' profile (c:\users\userName\appdata\local). We cannot use roaming profiles or folder redirection. 

When the user logs off, I'd like the .xml file to be copied up to a network share. Is there a way to do this without relying on folder redirection or roaming profiles? I tried a logoff script, that should copy the file, but the script doesn't seem to be running at all. I can tell, because the script also writes a text file to the user's profile, but the text file isn't being created.

Thanks.

Limit Profile Size GPO

December 10, 2013, 3:16 am
$
0
0

Hello,

I've got Windows Server 2012, I've set the GPO limit user profile but one notebook client has a problem: I know the appdata folder which is synchronized doesn't include appdata\local and appdata\localLow, but in this client these folder are included and then it's impossibile to synchronized the user profile.

In another client in the same domain works well.

Please help me.

Thanks

Deploying batch via Group Policy to RunOnce per user per machine

December 11, 2013, 2:34 am
$
0
0

Hello,

What I have: A script that installs network printers with regard to group membership of the current user.

The Problem: Some employees work on many different workstations. Everytime they access a new machine with their user for the first time, they have to run the script (even if another user already ran the script). Otherwise they see no printers. Since the installation requires administrator rights, everytime this happens, someone from the IT department has to type in his credentials.

The intented solution: Deploy the script to this particular group via Group Policy and let it execute exactly one time, when they log into a machine where they did not already run the script.

Perhaps the script itself could be modified, so that GPO deploying wouldnt be necessary.

Here is the Script:

@echo off 

@ping -n 2 -w 1000 localhost >nul 2>&1

echo Loesche alte Druckereintraege...
rundll32 printui.dll,PrintUIEntry /q /dn /n \\data\HP2300 >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n \\data\HP3010 >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n \\data\HP3800 >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n \\file\HP3010 >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n \\file\HP3800 >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n \\file\Kopierer >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n "\\data\HP 2300" >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n "\\data\HP 3010" >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n "\\data\HP 3800" >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n \\data\KONICA_MI >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n \\file\HP4540 >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n \\file\Kyocera >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n "\\ws-sek08\DYMO LabelWriter 450 DUO Label" >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n "\\ws-sek08\DYMO LabelWriter 450 DUO Tape" >nul 2>&1
echo Alte Eintraege geloescht!

REM Syntax "rundll32 printui.dll,PrintUIEntry": /dn = deletes a network printer connection , /in = Connects to a network printer , /y = sets printer as the default printer

echo Neue Drucker einbinden...
@ping -n 2 -w 1000 localhost >nul 2>&1
rundll32 printui.dll,PrintUIEntry /q /in /n \\file\Kyocera /u /w >nul 2>&1
echo [Kyocera      ] eingebunden

@ping -n 2 -w 1000 localhost >nul 2>&1
rundll32 printui.dll,PrintUIEntry /q /in /n \\file\HP3010 >nul 2>&1
echo [HP 3010      ] eingebunden

@ping -n 2 -w 1000 localhost >nul 2>&1
rundll32 printui.dll,PrintUIEntry /q /in /n \\file\Kopierer >nul 2>&1
echo [Kopierer C203] eingebunden
rundll32 printui.dll,PrintUIEntry /y /n \\file\Kyocera >nul 2>&1

call net group /domain sek | findstr /i %USERNAME% >nul 2>&1
if %errorlevel% == 0 (
@ping -n 2 -w 1000 localhost >nul 2>&1
rundll32 printui.dll,PrintUIEntry /q /in /n "\\ws-sek08\DYMO LabelWriter 450 DUO Label" /u /w >nul 2>&1
rundll32 printui.dll,PrintUIEntry /q /in /n "\\ws-sek08\DYMO LabelWriter 450 DUO Tape" /u /w >nul 2>&1
echo [Sekretariat  ] Label Writer
)
call cmd /c "exit 99"

REM Und Standarddrucker setzen!

call net group /domain sek | findstr /i %USERNAME% >nul 2>&1
if %errorlevel% == 0 (
REM Je nach Benutzergruppe (Sekretariat, Artwor, ...) anderen Standarddrucker werwenden.
@ping -n 2 -w 1000 localhost >nul 2>&1
rundll32 printui.dll,PrintUIEntry /y /n \\file\HP3010 >nul 2>&1
echo [Sekretariat  ] Standarddrucker HP3010
)
call cmd /c "exit 99"
call net group /domain artwor | findstr /i %USERNAME% >nul 2>&1
if %errorlevel% == 0 (
@ping -n 2 -w 1000 localhost >nul 2>&1
rundll32 printui.dll,PrintUIEntry /y /n \\file\Kopierer >nul 2>&1
echo [artwor       ] Standarddrucker Kopierer
)
call cmd /c "exit 99"

pause

Best regards,

zuckerthoben

chn


Force a specific Theme not coming down via GPO

December 4, 2009, 4:12 am
$
0
0
Hi all,

I have a quite weird problem on my Windows 2008 + Windows 7 only environment.

I am trying to force a specific theme (aero) and therefore configured the following GPO:

user configuration\policies\administrative templates...(ADMX files)...\Control Panel\Personalization\Load a specific Theme

in the Path to theme field I have tried one at a time without success:

%systemroot%\resources\themes\aero.theme
%windir%\resources\themes\aero.theme
c:\windows\resources\themes\aero.theme
%systemroot%\resources\themes\aero

However I still get the Windows Classic theme upon logging in.

I have run gpresults and the GPO is being applied to the end-user

We are currently using a Mandatory profile for end-users, so I am not sure whether this is to blame.

Has anyone got any ideas or come across such a problem???

Comments are appreciated.
Search

Disable IEAK Setting - "Delete existing favorites and links, if present"

December 11, 2013, 10:05 am
$
0
0

Hi!  We have had a workstation image (Windows 7 x64) deployed to numerous machines (including my own) with the following IEAK setting enabled:

"Delete existing Favorites and Links, if present"

The setting is located in gpedit, under User Configuration/Windows Settings/Internet Explorer Maintenance/URLs/Favorites and Links

The image is being fixed, but customer service is looking to have us fix via GPO.  I have been scouring the net, trying to figure out a way to do this.  I haven't found a registry switch and if I configure a GPO for this, it just sets that particular setting to "not configured" and won't disable it on those that have had it enabled.  The only way I can see to do this is manually on each machine, but that's not my preferred option, obviously.  Does anyone know of a way to disable this setting via GPO?  Batch script, VB, reg fix?

Thanks!

-Brandon


Windows Update policy not applying to servers at all

December 10, 2013, 12:51 pm
$
0
0
I have several OUs with servers in them. Some Server 2003 and some Server 2008 R2. I have a GPO setup for changing several items under Computer Configuration>Policies>Admin Templates>Windows Components>Windows Updates. I am able to get these to apply to workstations, but the servers all fail... but I see no actual failures. I have the security filtering set to domain computers. When I run the results on the servers I get "Inaccessible, Empty or Disabled" under the summary, but under details it shows that it was applied and it shows the correct settings? I'm at a loss.

GPO Multiple Home page settings primary works but unable to see secondary home page. Set 2 pages in secondary home page settings in GPO but when opens IE opens 3 pages? How to remove extra page?

December 10, 2013, 10:38 pm
$
0
0

I have Windows Server 2008 R2 as a DC & ADC is same 2008 R2 server both with SP1 with IE 11 installed other Group policies are there & running well.

I had setup two home pages but on user machines its showing & running only one Primary home page. I have one my intranet site & another home page is our website.

I have enable "Disable changing Primary Home page" & kept my intranet page there.

I have enable "Disable changing Secondary Home page" & kept my website page there.

After gpupdate I can see only one page in users Internet settings. My website page is not at all loading !!!

Scenario 2 :-

I have selected not configured option for "Disable changing Primary Home page" & apply.

I have enable "Disable changing Secondary Home page" and kept Both Intranet & my website page address there.

after Gpupdate its loading 3 pages. Twice same intranet page & one website page.

In group policy configured only two & loading 3 pages?

I need it must show only two pages. Tried all the ways & seems frustrating with Windows Server 2008 R2 Group Policy.

Does anyone succeeded in the multiple home i.e. must load Only TWO pages in the IE browser via Group policy.

All users have 64 bit Windows 7 OS with IE 10 & IE 11 browser installed & updated. Servers has IE 11  



using the correct environment variable

December 11, 2013, 3:59 am
$
0
0

Ok i am trying to replace a file in GPO but i cant seem to get it right for some reason, i am trying to use an environment variable to copy the file to whomever is logged onto the pc at that time.

it goes something like this:

Source files(s) \\xxx-dc1\netlogon\deployment.properties

Destination file: c:\users\%username%\locallow\sun\java\deployment.properties

Any ideas where i got it wrong?  the policy is in: Policy name > Computer Configuration > Preferences > Windows Settings > Files

Mapping drives with item level targeting not working

December 10, 2013, 12:03 pm
$
0
0

 Hi

I created a new gpo with a preference mapping a drive. The drive won't map to my account, but it will map it to the new user in that OU. I'm not in the OU because it's for interns only and I wanted to apply that drive mapping to myself so I decided to use the"Item-Level Targeting" option... and I add the group on there. Any ideas why the policy doesn't create the mapping for my account? I'm in the Intern Group security group as well... I added myself earlier this morning and I see the group when I run a gporesult. 

Client is Windows 7

My login 

Like I said it doesn't map the I: drive to my account

Windows 2008 R2 infrastructure 

mThanks! 

Viewing all 19997 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>