Channel: Group Policy forum

Local Group Policy

Hi,

We have an issue with our laptops where we occasionally get "No Login Servers Available" when trying to log in. We have managed to find out that this is because the laptops are losing the wireless GPO and not picking it up from the DC on boot due to no connection to it. I was wondering if there was a way of applying a Local Group Policy through PowerShell that would make them attempt to connect to our wireless network?

In case I have not explained the issue well enough:

1.) Our laptops do not pick up the GPOs from our domain on boot occasionally - event logs have been checked, and the machines have been left for extended periods before attempting a login. There is an error in our event logs about it not managing to pick up GPOs from our DC. This results in them not connecting to our wireless network and returning "No login servers available to process the login request".

2.) Would Local Group Policy on these machines work as a workaround?

3.) Is it possible to set Local Group Policy through PowerShell? And if so, how?

4.) Is there a deeper rooted issue that causes this?

Many thanks in advance,

Jon Davies


Apply Registry Keys through GPO Preferences

We are applying some registry keys into HKCU when users log in if they are a member of a certain AD group; this works fine. If we remove the user from the AD group, the keys are still in their profile and therefore apply.

Is there a way in GPO Pref to apply the keys every time and not write into the user's profile, so that when they are removed from the group the keys never apply, without having to dig into the user's registry hive and manually remove them?

Or a better way to achieve this?

Windows could not apply the registry-based policy settings for the Group Policy object

Dear All,

I am facing an issue while running Gpupdate /force on a client machine as well as on the DC: "The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object". Also, I am trying to create a policy for a specific OU (which contains computers alone) for the refresh policy interval. Please advise me how to do that.


Thanks, Venkatesh. "Hardwork Never Fails"

MSI Package Software Installations and uninstallations by group policy and sccm

Hi,

I have a domain comprising approx. 30 ADCs, 5000 clients and 50 OUs. Our developers have created a C# program for fetching some information from client machines and displaying it on their screen on bootup (presence of 2 particular pieces of software, antivirus presence and its update date, OS patch updates, etc.). This program (.msi) and .NET Framework 4.0 are required to be pushed to all client machines. We have an SCCM server through which we can push software to be installed on clients. There are a number of ADCs for controlling different sites and OUs. Now I need to push this MSI and .NET Framework to all clients. I pushed the .NET Framework from SCCM and it was successful.

Till today I have pushed this .MSI package using Group Policy software installation settings using a local share path & SYSVOL.

With the local share path, the MSI source is available at only one ADC and all clients contact this ADC only to install the software, and it's taking a very long time to boot.

Using the SYSVOL share path, the MSI source is available at all ADCs and all clients contact their site's ADC to install the software. Only Win 7 and Win 8 machines are getting the install, and the software is not able to install on XP and Vista machines. What might be the problem for XP machines getting it from the SYSVOL path?

The error for XP machines is that the SYSVOL path is not accessible / source is not available.

Now I need to have some other foolproof method to apply it. How do I push this .MSI package to all sites (ADCs) in my child domain from my PDC?

I want to know the steps & methods for installing & uninstalling this .MSI package using Group Policy and SCCM as well.

Thanks for replying...

2 GPOs are not getting applied

We have this strange issue where 2 GPOs are not getting applied:

The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Disclaimer
            Filtering:  Not Applied (Unknown Reason)

        No Firewall
            Filtering:  Not Applied (Unknown Reason)

DFL: 2003

FFL: 2003

30 DCs running Windows Server 2003 SP2

Member Servers: Windows Server 2008 r2 SP1

Clients: Windows 7 and XP

This is happening on all machines.

Allow Remote Assistance Connections - Group Policy

Recently I promoted two servers to be domain controllers in branch offices. Everything was going fine on them initially, but shortly after I promoted the second one, some group policy locked out the ability to turn on remote desktop.

What is the GPO that blocks the ability to check the box that says Allow Remote Assistance connections to this computer? I have tried altering a few GPO objects but nothing is working.

I have also run gpresult /scope /user /v and nothing is really showing what is causing this GPO to be blocked out.

Group Policy Startup Script

Hi,

We have a requirement to delete some of the files from all the desktops in the domain. We have already created a script to achieve this. But when we apply it as a startup script for the PCs, it does not delete the files. If we apply it as a logon script, then it can delete some files, because the user does not have access to delete all the files. For this reason we want to apply it at startup so that it can run with SYSTEM privilege and delete the files, but it is not happening.

Please suggest if there is any reason for which the startup script is not able to delete the files. I have already checked by running RSOP.MSC and GPRESULT and found the script to be present in the startup.

There is no log in the event viewer related to this.


Manually edit the GptTmpl.inf File - Settings not visible in GPMC Settings Report

Hi!

I want to modify the GptTmpl.inf file (\\[DOMAIN]\SYSVOL\[DOMAIN]\Policies\{[GUID]}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf) in PowerShell so I can automatically insert restricted groups in the policy using a script.

OS: Windows Server 2008 R2 SP1 64bit

This is the edited GptTmpl.inf File:

*************************************************

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*SID-of-a-group__Memberof = *S-1-5-32-544
*SID-of-a-group__Members =

******************************************************

Now, when I open GPMC and look at the GPO report (tab "Settings") of the modified policy, the restricted group is not listed in the report.
But when I open the edit panel in GPMC, the restricted group entry is shown. I'm also not sure if the setting will be applied correctly.

What's the reason for this behaviour? Do I have to change the version number in the GPT.INI file?
Or is there another file which I have to modify?

Thanks a lot for your help!



WMI filter causing slow boot up

Hi there,

We currently store Windows XP and Windows 7 desktops in one single OU, and we have multiple GPOs set up specifically for Windows 7; those GPOs are applied to Windows 7 machines only using WMI filters. Please find below the syntax of the WMI query for Windows 7:

Namespace: root\CIMv2
Query: select * from Win32_OperatingSystem where Version like "6.1%"

The issue we are experiencing is discussed here:
http://support.microsoft.com/kb/974524

Please let me know how we can modify the query to fix this issue.

Thanks,
V

Windows failed to apply IP Security settings

Hi,

Our server/client environment is a mix of Windows Server 2012, 2008 R2, 2008 and Windows 7.  We have nothing below Windows Server 2008.  Both the forest and domain functional levels are at Windows 2008 R2.

Every 15 minutes, the following event is generated on all machines joined to the domain:

"Windows could not record  the Resultant Set of Policy (RSoP) information for the Group Policy extension <IP Security>. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately."

Below is the detailed view:

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          12/5/2013 2:24:17 PM
Event ID:      1091
Task Category: None
Level:         Warning
Keywords:      
User:          SYSTEM
Computer:      book.wolfson.fiu.edu
Description:
Windows could not record  the Resultant Set of Policy (RSoP) information for the Group Policy extension <IP Security>. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
    <EventID>1091</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2013-12-05T19:24:17.011Z" />
    <EventRecordID>439591</EventRecordID>
    <Correlation ActivityID="{211DE0BB-42E9-4D61-A1D3-0D3F09A24477}" />
    <Execution ProcessID="1076" ThreadID="3300" />
    <Channel>System</Channel>
    <Computer>book.wolfson.fiu.edu</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">1</Data>
    <Data Name="SupportInfo2">3934</Data>
    <Data Name="ProcessingMode">0</Data>
    <Data Name="ProcessingTimeInMilliseconds">6817</Data>
    <Data Name="ErrorCode">2</Data>
    <Data Name="ErrorDescription">The system cannot find the file specified. </Data>
    <Data Name="DCName">\\drexel.wolfson.fiu.edu</Data>
    <Data Name="ExtensionName">IP Security</Data>
    <Data Name="ExtensionId">{e437bc1c-aa7d-11d2-a382-00c04f991e27}</Data>
  </EventData>
</Event>

Based on the ErrorDescription field above, there seems to be some sort of file missing, but that's a little vague and I cannot figure out how to fix it. Another clue is that when I search on the internet for the ExtensionID string {e437bc1c-aa7d-11d2-a382-00c04f991e27}, it seems to be related to the IP Security policy setting; however, that setting is not even configured in group policy within our domain or on any machine.

Any suggestions?

Thanks!

-sul.

Windows 8, set default application for example adobe reader, customize the start screen

I have two questions. I'm going to deploy Windows 8 to our company, but have 2 big issues.

1) I need to customize the start screen, but can't find it anywhere in the GPOs. How can I do this without sysprepping etc. (deploying with SCCM 2012 SP1)?
2) I need to set the default programs for Adobe Reader, mspaint etc. How can I do this? It doesn't work with the GPP and folder options. Has anyone done this?

Thanks in advance

Change to GPO broke file explorer

I am at the tail end of configuring my GPO and recently made a change to the Explorer.exe shortcut I was pushing to the PC. After I changed it, I didn't like the results, so I changed it back to default, and now every item in Explorer gives me an error: "Accessing the resource 'e:\' has been disallowed." I get this message no matter what drive or location I try to access. I do not have the policies configured that prevent access to drives from My Computer, nor Hide these specified drives in My Computer. I set those to not configured and disabled, but still no luck. I am wondering if I could have broken them another way. If anyone can help I would be grateful; I need to get this done by Monday. Thanks

The only thing I can think of that I changed was the Explorer target through preferences: I changed the target to point to Computer instead of Libraries. I changed it back when I noticed the issue. Thanks

Deploying batch via Group Policy to RunOnce per user per machine

Hello,

What I have: A script that installs network printers with regard to group membership of the current user.

The problem: Some employees work on many different workstations. Every time they access a new machine with their user for the first time, they have to run the script (even if another user already ran the script). Otherwise they see no printers. Since the installation requires administrator rights, every time this happens, someone from the IT department has to type in his credentials.

The intended solution: Deploy the script to this particular group via Group Policy and let it execute exactly one time, when they log into a machine where they did not already run the script.

Perhaps the script itself could be modified, so that GPO deployment wouldn't be necessary.

Here is the Script:

@echo off 

@ping -n 2 -w 1000 localhost >nul 2>&1

echo Loesche alte Druckereintraege...
rundll32 printui.dll,PrintUIEntry /q /dn /n \\data\HP2300 >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n \\data\HP3010 >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n \\data\HP3800 >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n \\file\HP3010 >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n \\file\HP3800 >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n \\file\Kopierer >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n "\\data\HP 2300" >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n "\\data\HP 3010" >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n "\\data\HP 3800" >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n \\data\KONICA_MI >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n \\file\HP4540 >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n \\file\Kyocera >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n "\\ws-sek08\DYMO LabelWriter 450 DUO Label" >nul 2>&1

rundll32 printui.dll,PrintUIEntry /q /dn /n "\\ws-sek08\DYMO LabelWriter 450 DUO Tape" >nul 2>&1
echo Alte Eintraege geloescht!

REM Syntax "rundll32 printui.dll,PrintUIEntry": /dn = deletes a network printer connection , /in = Connects to a network printer , /y = sets printer as the default printer

echo Neue Drucker einbinden...
@ping -n 2 -w 1000 localhost >nul 2>&1
rundll32 printui.dll,PrintUIEntry /q /in /n \\file\Kyocera /u /w >nul 2>&1
echo [Kyocera      ] eingebunden

@ping -n 2 -w 1000 localhost >nul 2>&1
rundll32 printui.dll,PrintUIEntry /q /in /n \\file\HP3010 >nul 2>&1
echo [HP 3010      ] eingebunden

@ping -n 2 -w 1000 localhost >nul 2>&1
rundll32 printui.dll,PrintUIEntry /q /in /n \\file\Kopierer >nul 2>&1
echo [Kopierer C203] eingebunden
rundll32 printui.dll,PrintUIEntry /y /n \\file\Kyocera >nul 2>&1

call net group /domain sek | findstr /i %USERNAME% >nul 2>&1
if %errorlevel% == 0 (
@ping -n 2 -w 1000 localhost >nul 2>&1
rundll32 printui.dll,PrintUIEntry /q /in /n "\\ws-sek08\DYMO LabelWriter 450 DUO Label" /u /w >nul 2>&1
rundll32 printui.dll,PrintUIEntry /q /in /n "\\ws-sek08\DYMO LabelWriter 450 DUO Tape" /u /w >nul 2>&1
echo [Sekretariat  ] Label Writer
)
call cmd /c "exit 99"

REM And set the default printer!

call net group /domain sek | findstr /i %USERNAME% >nul 2>&1
if %errorlevel% == 0 (
REM Use a different default printer depending on the user group (Sekretariat, Artwor, ...).
@ping -n 2 -w 1000 localhost >nul 2>&1
rundll32 printui.dll,PrintUIEntry /y /n \\file\HP3010 >nul 2>&1
echo [Sekretariat  ] Standarddrucker HP3010
)
call cmd /c "exit 99"
call net group /domain artwor | findstr /i %USERNAME% >nul 2>&1
if %errorlevel% == 0 (
@ping -n 2 -w 1000 localhost >nul 2>&1
rundll32 printui.dll,PrintUIEntry /y /n \\file\Kopierer >nul 2>&1
echo [artwor       ] Standarddrucker Kopierer
)
call cmd /c "exit 99"

pause

Best regards,

zuckerthoben



Installation rights to non-admin domain users

I am looking for a GPO which will allow non-admin domain users to install specific software updates... mainly anti-virus, Adobe or Java updates.

Please suggest!! 

controlling 3d flying object screen saver through group policy

Hi

I would like to apply the 3D flying object screen saver, which should show the organization logo as a flying object.

Before capturing the image I had configured it correctly to run with the organization logo as a flying object; however, when the machine build is completed I can see it has changed to the Windows logo.

I am not getting an option in Group Policy to control the image for the screen saver.

Please help.


Start Menu

Is there a way to make the Start menu use small icons?

I tested this:

<?xml version="1.0" encoding="utf-8"?>
<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Start_LargeMFUIcons" status="Start_LargeMFUIcons" image="12" changed="2013-12-13 11:10:16" uid="{C70CD76C-20CA-4C26-B144-0731D477EC91}" userContext="1" bypassErrors="1"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" name="Start_LargeMFUIcons" type="REG_DWORD" value="00000000"/></Registry>

And i know that theres is two way to to but wallpaper with p

New Server 2012 R2 Getting AD / SYSVOL Mismatch

I just loaded up a fresh copy of Server 2012 R2 in VMware and made it a domain controller, to get a feeling for it before I deploy it.

All the Windows updates have been done.

Ran the Group Policy Results Wizard and got these alerts.

Default Domain Controller Policy  Alert: AD / SYSVOL Version Mismatch

Default Domain Policy  Alert: AD / SYSVOL Version Mismatch

I found that there is a hot fix for this for Server 2012.

http://support.microsoft.com/kb/2866345

But when I run the hot fix it tells me that "The update is not applicable to your computer"

So how do I fix this issue? I don't want to deploy Server 2012 R2 to my live environment only to have issues.

IE security trusted site zone settings reset after password change

Hi, I have a problem: when a domain user changes their password, the Internet Explorer security settings -> trusted sites zone settings reset to default. How can I stop these settings from resetting?


How to block android mobile access using GPO in domain server 2008?

I have now blocked pen drives and CD writers using the hardware ID in a GPO successfully.

But now the technology has changed: all users are using smartphones (Android phones), which are not getting blocked, so they are able to copy all the system data onto their mobiles or tablets etc.

Kindly suggest how to block these mobile phones using

Regards,

Mohammed Ali Shaik

09010719933

