Channel: Group Policy forum

Windows Server 2012 Folder Redirection and Roaming Profile get access denied errors.


I get the following errors in the event viewer using Windows 7 Pro.

Failed to apply policy and redirect folder "Documents" to "\\server\Users$\test1\My Documents".
 Redirection options=0x9231.
 The following error occurred: "Can not create folder "\\server\Users$\test1\My Documents"".
 Error details: "Access is denied.

And the following:

Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. This error may be caused by network problems or insufficient security rights.

 DETAIL - Access is denied.

I have gone through the whitepaper permissions and everything everyone links, but it still will not work in Windows 7 Pro, which is on 65 of the 80 computers.


How to block android mobile access using GPO in domain server 2008?


I have now blocked pen drives and CD writers using the hardware ID in a GPO successfully.

But now the technology has changed: all users are using smartphones (Android phones), which are not getting blocked by that, so they are able to copy all the system data onto their mobiles or tablets etc.

Kindly suggest how to block these mobile phones using 

Regards,

Mohammed Ali Shaik

09010719933


GPO to disable Safe mode for XP machines in a domain?


GPO to disable Safe mode for XP machines in a domain?

Please help me: is there any way to disable Safe mode for all XP machines with a GPO?

GPO fails to apply; Gpresult shows: Not Applied (Empty) although they are not empty


Hello,

I've created a GPO to push a printer to computers and change user registry settings to set the default printer.

In one room it works fine and the policy applies.

In another room it is not applied and Gpresult /R shows as "Not Applied (Empty)"

I've logged on to all the DCs and checked the GPMC and none of them showed the GPO to be empty or any part of it disabled.

I do have loop back processing enabled, but must have it on for the user's registry to set the default printer.

I tried recreating a similar GPO and it is still the same.

Many restarts and gpupdate /force didn't help.

We have a few DCs: 2003R2, 2008, 2008R2, 2012

Many thanks


Removing group policies

I was asked an interesting question today that I didn't know the answer to. Hopefully you guys will be able to have an answer. If a computer is in an OU with group policies applied to that OU, when you remove the computer from that OU to elsewhere, do the policies from the old OU still apply? Or, if you remove a policy from an OU, will it still apply to all the PCs in that OU?

GPO to disable Safe boot on all domain XP client machines


GPO to disable Safe boot on all domain XP client machines

Please help, is there any way to manage

Is it possible to fulfill the requirement by editing the boot file below?

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Advanced Server" /fastdetect /SAFEBOOT:MINIMAL(ALTERNATESHELL)

Unable to modify group policy


Hi All,

I have the below error when I try to add trusted sites on site to zone assignment list. (see the capture below). See below what I tried:

  • When I go in to modify the SiteToZoneAssignmentList setting in a group policy, I get the error in this thread. Screenshot is in line. It does seem to go away after a random amount of time, typically longer than five minutes but within an hour.
  • I have re-created this policy from scratch  and that worked for a short time. But the issue is presenting itself again.
  • This issue also presents itself at the same time to other users when they try to make a change to this policy, so it’s not limited to my machine, server or account.

I know there is a similar thread with this one, but I tried what they ask for, but it didn't work.

The below procedure didn't work.

"The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)
Now open up gpedit.msc on the problematic server.
User Configuration > Administrative Templates > System > Group Policy
Change the following policy
"Group Policy domain controller selection"
Enable this and set it to use "Use any available domain controller"
Close gpedit.msc and run gpupdate /force
Try to deploy policy again."

The error is this one:

Getting this error message, same as before:

Text of Details:

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.IO.FileLoadException: The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)
   at Microsoft.GroupPolicy.AdmTmplEditor.IGPMAdmTmplEditorCallback.ApplyChanges()
   at Microsoft.GroupPolicy.AdmTmplEditor.Editor.SaveChanges()
   at Microsoft.GroupPolicy.AdmTmplEditor.Editor.buttonOK_Click(Object sender, EventArgs e)
   at System.Windows.Forms.Control.OnClick(EventArgs e)
   at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
   at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.ButtonBase.WndProc(Message& m)
   at System.Windows.Forms.Button.WndProc(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


Can someone help me please?

Block firefox installation


Hi,

How to restrict Firefox installation from Group Policy Management?


CertificateServicesClient-CredentialRoaming Errors


Hi Guys,

I have Credential Roaming enabled so that users' certs automatically follow them between sessions. Unfortunately this is not the case. Credential Roaming does not work. When I log in to a client PC and check the event log I can see all the policies applying, but I also see the following 2 errors:

Event ID 1005

Certificate Services Client: Credential Roaming failed to write to the Active Directory. Error code 8202 (The specified directory service attribute or value does not exist.)

Event ID 1012

Certificate Services Client: Credential Roaming failed because the attribute for keyring is not updated in AD. Error code 8202 (The specified directory service attribute or value does not exist.)

Additional Information: The Users profiles are in domain A and the client machines exist in domain B.  A Trust exists between these 2 domains.

Thanks in Advance...

EventID 4907 generated by wbengine.exe


Greetings,

All 4907 events come from a service called wbengine.exe, present on our Active Directory servers.

This wbengine.exe service is part of the "Active Directory Backup and Restore" solution (http://technet.microsoft.com/en-us/magazine/2008.05.adbackup.aspx), and it is utilised in our processes.

Are these events a threat? Are they normal events? What configuration is needed to properly configure wbengine.exe?

Account lockout threshold problem


Dear All

I have configured the account lockout threshold policy so that if a user attempts to log in with a wrong password twice, his account is locked until an administrator unlocks it.

The policy works fine up to the point where the user attempts to log in twice with a wrong password and it locks the account, but soon after the PC lock, when the user enters the actual password, it logs in but the user is unable to access all shared resources like printers, forms or shared files.

Now, when the user logs off and logs back in, a pop-up message shows that the account is locked out. I also want the message to appear when the user provides the actual password after two wrong password attempts.

Any help please

screen shot given below.


Zeeshan Ibrahim Network Administrator

GPO Specific to Servers - BGInfo


Hello. I'm looking to create a GPO to run BGInfo specifically on our servers and ONLY our servers. The catch here is that I only want the script to run when the user logs in to those specific servers, and NOT for any other computer objects. 

How would I go about accomplishing this?


I've done a little research and found that using loopback would work but I can't seem to get that to work. I currently have a bginfo.bat set to run at startup under the computer configuration of the GPO. 

Run Folder Redirection in Background


We are noticing huge delays when enabling Documents folder redirection. Is there a way we can have this done in the background instead of at logon? I had one machine that took over 1 hour to finish.


nik kumar

2K8r2 Domain Group Policy Firewall Rule Block


I am having an issue with creating an exception for a client workstation that needs a firewall exception defined.  The 2K8R2 AD is pushing GP down and applying the following rule on the Firewall Domain Profile;

Rule Name: Inbound Rules -> Remote Administration (NP-In)

Port:445

Protocol:TCP

Action:Block

The problem is I don't know where this is specifically in group policy.  I can see in the General tab of the rule properties that "This rule has been applied by the system administrator and cannot be modified".  I've been looking through Computer Configuration->Policies->Administrative Templates->Network->Network Connections->Windows Firewall->Domain Profile.  I have the following enabled with defined exceptions;

Windows Firewall: Allow local program exceptions - Enabled

Windows Firewall: Define inbound program exceptions - Not Configured

Windows Firewall: Protect all network connections - Not Configured

Windows Firewall: Do not allow exceptions - Not Configured

Windows Firewall: Allow inbound file and printer sharing exception - Enabled

Windows Firewall: Allow ICMP exceptions - Not Configured

Windows Firewall: Allow logging - Enabled

Windows Firewall: Prohibit notifications - Not Configured

Windows Firewall: Allow local port exceptions - Enabled

Windows Firewall: Define inbound port exceptions - Enabled

Windows Firewall: Allow inbound remote administration exception - Not Configured

Windows Firewall: Allow inbound Remote Desktop exceptions - Not Configured

Windows Firewall: Prohibit unicast response to multicast or broadcast requests - Not Configured

Windows Firewall: Allow inbound UPnp framework exceptions - Not Configured

Can someone please point me to the correct group policy entry that needs to be modified?  Thank you.

Missing group membership when running gpresult


Hi,

I'm currently testing a group policy that has security filtering to deny AGP on a particular group. I've added a user to that group however, when running gpresult, the group is not listed on the "The user is a part of the following security groups:". Replication seems to be OK - I've tried running gpresult on a different computer and all groups show up there except for this one server. Tried adding to another test group, but it also doesn't show up.

Would really appreciate your help.

Thanks.


Group Policy Preference Power Plan "Blocked By Group Policy"


I noticed this error in the application event log of a Windows 7 PC:

Log Name:      Application
Source:        Group Policy Power Options
Date:          3/21/2013 3:19:42 AM
Event ID:      4098
Task Category: (2)
Level:         Warning
Keywords:      Classic
User:          SYSTEM
Computer:      xxx
Description:
The computer 'Power Plan (Windows Vista and later)' preference item in the 'Windows 7 Desktop Power Plan {A078F08F-45CC-4209-A264-FE0CB5635A99}' Group Policy object did not apply because it failed with error code '0x800704ec This program is blocked by group policy. For more information, contact your system administrator.' This error was suppressed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Group Policy Power Options" />
    <EventID Qualifiers="34305">4098</EventID>
    <Level>3</Level>
    <Task>2</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-03-21T10:19:42.000000000Z" />
    <EventRecordID>7687</EventRecordID>
    <Channel>Application</Channel>
    <Computer>xx</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>computer</Data>
    <Data>Power Plan (Windows Vista and later)</Data>
    <Data>Windows 7 Desktop Power Plan {A078F08F-45CC-4209-A264-FE0CB5635A99}</Data>
    <Data>0x800704ec This program is blocked by group policy. For more information, contact your system administrator.</Data>
  </EventData>
</Event>

How can I find out exactly why it is not working?  "Blocked by group policy" is not specific enough.

GPO Template to secure Computers joined to a 2012 Domain


Hi,

We are looking to implement a "Quarantine OU" for new machines that join our domain. I've found out how to change the behavior of assigning machines to a different OU than the Computers OU using the redircmp command. Does anyone have a good "template" resource of default security policies to assign a new server/desktop machine that gets placed into such a quarantine OU to ensure it's secure before moving it to a different/separate OU? I'm currently looking for knowledge base articles that cover this. Any help would be greatly appreciated.

Thanks,

Kevin C.

Log on as batch job right


I'm simply trying to configure Task Scheduler to run batch files in the middle of the night. So I created a task within the scheduler and have specified "Run whether the user is logged on or not". When I hit OK, it prompts me for my username/password. I'm a domain/enterprise admin logged into a domain account. It tells me:

"This task requires that the user account specified has Log on as batch job rights"

Ok, so after looking this up I find myself editing the default domain policy:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

I find the above user right, enable it and add my username.  I log off, back on again and back into the scheduler.  It still tells me I need this right.  I checked, my username is there in the list beside the right.

Why can't I create a schedule even with the right I'm supposed to have?

Thanks!

 --- Edit:

Ok I found this:

2. Type in secpol.msc /s

3. Select "Local Policies" in MSC snap in

4. Select "User Rights Assignment"

5. Right click on "Log on as batch job" and select Properties

6. Click "Add User or Group", and include the relevant user.

There's a lot of users in here for different things but the Add User or Group button is greyed out.  I'm a domain/enterprise administrator.  Why can't I add anything here?

 

Or put more simply, how do I give myself this right?

Thanks again

 

Manually edit the GptTmpl.inf File - Settings not visible in GPMC Settings Report


Hi!

I want to modify the GptTmpl.inf file (\[DOMAIN]\SYSVOL\[DOMAIN]\Policies\{[GUID]}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf) in PowerShell so I can automatically insert restricted groups in the policy using a script.

OS: Windows Server 2008 R2 SP1 64bit

This is the edited GptTmpl.inf File:

*************************************************

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*SID-of-a-group__Memberof = *S-1-5-32-544
*SID-of-a-group__Members =

******************************************************

Now, when I open GPMC and look at the GPO report (tab "Settings") of the modified policy, the restricted group is not listed in the report.
But when I open the edit panel in GPMC, the restricted group entry is shown. I'm also not sure if the setting will be applied correctly.

What's the reason for this behaviour? Do I have to change the version number in the GPT.INI file?
Or is there another file which I have to modify?

Thanks a lot for your help!


GPO 2012 RDS Desktop Session - Hide All Application Arrow


Does anyone have any ideas how to hide the all apps arrow on the metro interface please?

running a SBS 2011 server with Win 2012 Std RDS for remote workers.

Many thanks
