Quantcast
Channel: Group Policy forum
Viewing all 19997 articles
Browse latest View live

Logon script issue for windows 8

December 20, 2013, 1:14 am
$
0
0

I get following error, The same GPO works well for other computers (Win XP, 7 2008).. Test1.bat is a simple script to copy a file to system32 or SysWOW64 folder based on architecture. It does copy the file when I run the code manually from the win 8 computer but not through GPO.

----------------------------------------------------------------------------------------------------------------------------------------------

Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 12/18/2013 12:53:13 PM
Event ID: 1130
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: LA1008.test.domain.com
Description:
Startup script failed.
GPO Name : GP_WP_Test
GPO File System Path : %7D/Machine">file://test.domain.com/SysVol/test.domain.com/Policies/%<GUID>%7D/Machine)
Script Name: Test1.bat

----------------------------------------------------------------------------------------------------------------------------------------------Test1.bat content is following..

if "%PROCESSOR_ARCHITECTURE%"=="AMD64" goto 64BIT

IF NOT EXIST "%windir%\system32\test.ini" COPY \\Server\test\test.ini"%windir%\system32"

:64BIT
IF NOT EXIST "%windir%\SysWOW64\test.ini" COPY \\Server\test\test.ini"%windir%\SysWOW64"

-Edatha-

Search

Do not apply printers GPO on Some PC

December 20, 2013, 3:26 am
$
0
0

Hi everyone!

Sorry for my English.

I have some GPO objects (5+) that apply to OU with Some Users.

domain
-users1
--GPO1
-users2
--GPO2
--users3
---GPO3
...

On my Print-server I have Printers that assign to thos GPO objects by USER

In this scenario I have that printers automaticly connects to users in the same department on they PCs and on SERVERS

How I can Restrict apply this GPOs on Servers. I have workaroun - add servers to secgroup and Restrict them apply GPO in Delegation tab.

May be you have a better solution?

Directory Permissions for GP Software Installations

December 20, 2013, 8:05 am
$
0
0

I am trying to create a group policy to do a Software Installation to some of my clients. I have created the policy and pointed the software to the UNC path of the distribution point and the policy will fail every time no matter what user or computer tries to install the policy. The software distribution point is a share I created and set permissions on myself. It is not the default permissions set by windows when you initially create a folder and shares. I tried modifying the policy and made the distribution point point to the NETLOGON share and when I do it this way my users are then installing the software no problem. I think this is boiling down to a directory permissions issue but I can't seem to figure out what the differences are. Hopefully someone can tell me what the correct permissions should be so I can resolve this issue.

If I go to the distribution share I created  from the clients machine I can get to the share and see the MSI file and even start the setup no problem. So I am not sure why it won't work if it can get that far for me.

I am not using DFS either.

Thanks!

-Scott


GPO to disable wireless file transfer in Windows 7 and Windows 8?

December 19, 2013, 2:01 pm
$
0
0

How can Bluetooth file transfer and WiFi Direct file transfer be disabled via GPO?

Remove Folder Redirection for one user who logs into multiple PCs

December 20, 2013, 9:46 am
$
0
0

Hi All,

I'm hoping for some insight on the best way to accomplish this. I have a user who logs into multiple computers, and through GPO his user profile is setup for folder redirection. My dilemma is, I want to remove the folder redirection and set it back to be local again. However, I want to retain the user profile on all systems, and I'm not sure what the best approach is to accomplish this. Can any suggest a useful approach.

Thanks



Confused about ADMX files? Missing IE Maintenance GPO

December 17, 2013, 8:10 am
$
0
0

I have not yet had need to worik with adding Aministrative Templates to 2008 R2 domains before - until recently, all the default stuff that comes with 2008 R2 was enough. 

I have a domain-wide GPO set under User Config > Policies > Windows Settings > Internet Explorer Maintenance to provide some company-standard URLs under Favorites.  Today I went to edit them and found that the IE Maintenance option is gone form this GPO.Also we just put IE 10 on these systems maybe a week or so ago and from what I've read, putting IE10 in the mix is what made this IE Maintenance GPO option disappear and there's no way to get it back.   

I'm still reading about how to handle this but so far I gather my best choice is to find some IE10 admx file.  I've never worked with admx files before.  Right now I'm reading through a few documents:

Using Administrative Templates (a subsection of Technet's IE 10 deployment documentation)

http://technet.microsoft.com/en-us/library/jj822355.aspx

Managing Group Policy ADMX Files Step-by-Step Guide

http://technet.microsoft.com/en-us/library/cc709647.aspx

I'm not done reading either of these but already one question comes up.  In the Using Admin Temmplates document it says the following:

You can create a central store that provides all administrators who edit domain-based Group Policy Objects (GPOs) access to the same set of Administrative Template files. The central store is an administrator-created folder on SYSVOL that provides a single centralized storage location for all Administrative Template files (ADMX and ADML) for the domain. Once you create the central store, the Group Policy tools use only the ADMX files in the central store and ignore ADMX versions stored locally. The central store is optional; if you do not create it, the Group Policy tools use the local ADMX files. The root folder for the central store must be namedPolicyDefinitions (that is, %SystemRoot%\SYSVOL\domain\policies\PolicyDefinitions). For more information about creating a central store, seeScenario 1: Editing the Local GPO Using ADMX Files.

First, I would think any organization would prefer to hvae all this stuff centralized so why this is optional is beyond me, but as I said I'm new to this stuff.  But what confuses me is whether or not I should do this central store.  My concern is that if I create it, what if upgrading some future version of IE introduces a new admx file that I don't know about (or any patch or other upgrade other than IE causing need for a new admx) and places it in the local PolicyDefinitions folder of the domain controller.  I don't know how to be notified of when a new admx file is needed so as I see it, the product (IE in this case) will get updated, but since I don't know about a need for an admx file, GPO breaks because I didn't think to put a new admx in the central store.  This method of management doens't sound ideal to me. 

Cna anybody advise on what is the best practice here?  Thank you. 


Deploying Printers using GP Preferences - Network Printer and Local LPTx ports - Why local port for a remote shared printer?

December 20, 2013, 2:49 am
$
0
0
 

I´m trying to create in user´s PCs printers (print queues) and i´m trying to configure using GP Preferences, insted Deploy Printers (old method). All printers are shared in a dedicated print server as \\server\printerX  in the GPP screen, i have to type the printer name and the printer path (\\server\printer$), that´s OK.

But a mandatory parameter is the port (LPT1 for example)

It will be ignored?


IE 11 Group Policy and Windows Server 2008

December 16, 2013, 12:48 pm
$
0
0

We have a Windows 2008 Active Directory (not R2), which is running 2008 forest and domain functional levels. Our clients are running Windows 7 with Internet Explorer 8. We have a need to upgrade the clients to Internet Explorer 11 and use Group Policies to manage IE 11 on them, specifically proxy settings and compatibility modes. We understand that Group Policies have changed for IE 11.

We have two questions:

Can IE 11 be managed by Group Policies on Windows Server 2008?

If so, how?

Thanks, Drew

Search

Unable to modify group policy

December 18, 2013, 4:10 pm
$
0
0

Hi All,

I have the below error when I try to add trusted sites on site to zone assignment list. (see the capture below). See below what I tried:

  • When I go in to modify the SiteToZoneAssignmentList setting in a group policy, I get the error in this thread. Screenshot is in line. It does seem to go away after a random amount of time, typically longer than five minutes but within an hour.
  • I have re-created this policy from scratch  and that worked for a short time. But the issue is presenting itself again.
  • This issue also presents itself at the same time to other users when they try to make a change to this policy, so it’s not limited to my machine, server or account.

I know there is a similar thread with this one, but I tried what they ask for, but it didn't work.

The below procedure didn't work.

"The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)
Now open up gpedit.msc on the problematic server.
User Configuration > Administrative Templates > System > Group Policy
Change the following policy
"Group Policy domain controller selection"
Enable this and set it to use "Use any available domain controller"
Close gpedit.msc and run gpupdate /force
Try to deploy policy again."

The error is this one:

Getting this error message, same as before:

Text of Details:

See the end of this message for details on invoking

just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************

System.IO.FileLoadException: The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)

   at Microsoft.GroupPolicy.AdmTmplEditor.IGPMAdmTmplEditorCallback.ApplyChanges()

   at Microsoft.GroupPolicy.AdmTmplEditor.Editor.SaveChanges()

   at Microsoft.GroupPolicy.AdmTmplEditor.Editor.buttonOK_Click(Object sender, EventArgs e)

   at System.Windows.Forms.Control.OnClick(EventArgs e)

   at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)

   at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)

   at System.Windows.Forms.Control.WndProc(Message& m)

   at System.Windows.Forms.ButtonBase.WndProc(Message& m)

   at System.Windows.Forms.Button.WndProc(Message& m)

   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)

   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

************** Loaded Assemblies **************

mscorlib

    Assembly Version: 2.0.0.0

    Win32 Version: 2.0.50727.5466 (Win7SP1GDR.050727-5400)

    CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v2.0.50727/mscorlib.dll

----------------------------------------

Microsoft.GroupPolicy.AdmTmplEditor

    Assembly Version: 6.1.0.0

    Win32 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

    CodeBase: file:///C:/Windows/assembly/GAC_64/Microsoft.GroupPolicy.AdmTmplEditor/6.1.0.0__31bf3856ad364e35/Microsoft.GroupPolicy.AdmTmplEditor.dll

----------------------------------------

System

    Assembly Version: 2.0.0.0

    Win32 Version: 2.0.50727.5467 (Win7SP1GDR.050727-5400)

    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll

----------------------------------------

System.Windows.Forms

    Assembly Version: 2.0.0.0

    Win32 Version: 2.0.50727.5468 (Win7SP1GDR.050727-5400)

    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll

----------------------------------------

System.Drawing

    Assembly Version: 2.0.0.0

    Win32 Version: 2.0.50727.5467 (Win7SP1GDR.050727-5400)

    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll

----------------------------------------

System.Xml

    Assembly Version: 2.0.0.0

    Win32 Version: 2.0.50727.5420 (Win7SP1.050727-5400)

    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll

----------------------------------------

Accessibility

    Assembly Version: 2.0.0.0

    Win32 Version: 2.0.50727.4927 (NetFXspW7.050727-4900)

    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/Accessibility/2.0.0.0__b03f5f7f11d50a3a/Accessibility.dll

----------------------------------------

************** JIT Debugging **************

To enable just-in-time (JIT) debugging, the .config file for this

application or computer (machine.config) must have the

jitDebugging value set in the system.windows.forms section.

The application must also be compiled with debugging

enabled.

For example:

<configuration>

    <system.windows.forms jitDebugging="true" />

</configuration>

When JIT debugging is enabled, any unhandled exception

will be sent to the JIT debugger registered on the computer

rather than be handled by this dialog box.

Can someone help me please?

Internet Explorer settings using Group Policy Preferences

December 18, 2013, 4:43 am
$
0
0

Hello,

I have a very annoying (and frustrating) problem setting the correct Internet Explorer settings for my users using GPP (as Internet Explorer Maintenance is deprecated and I can't use it anymore).

I want to set the right connection settings (Proxy with Pac and disable automatically detect correct settings), but those are grayed out!!

I see others have reported the same problem already, but I couldn't find a suitable answer...

Thanks for any help!

Regards,

Geoffrey

Block firefox installation

December 19, 2013, 6:49 am
$
0
0

Hi,

How to restrict Firefox installation from Group Policy Management?

restrict user to adding new account in outlook through group policy in server 2008

December 19, 2013, 10:04 pm
$
0
0

Hi,

How to restrict user to adding new account in outlook through group policy in server 2008. Please help..

Run script at user logon/off. User is a non admin

December 16, 2013, 10:47 pm
$
0
0

Hi there,

I am trying to create a script to stop service when a user logs on and start service when a user logs off. In my case, this is done by running a batch script.

The user is a non-admin and I would like to keep it that way.

I am trying to achieve this using Group Policy.

I tried using using (User Configuration\Policies\Windows Settings\Scripts\Logon,Logoff) , but these do not work because the user does not have privileges to run scripts, and I have no idea how to employ "Run as" command in this context.


However, I managed to achieve this by using Scheduler in GPME (Computer Configuration\Preferences\Control Panel Settings\Scheduled Tasks) running it as another user with domain admin rights. That seems to work.(more or less)

I feel that this is really a dirty way of doing this. Could anyone suggest a proper way? It feels like this is a common task an admin would want to perform.

Thank you

Migrating from SBS 2003 to Server 2012 - remove legacy AD group policy objects

December 21, 2013, 4:20 pm
$
0
0

In the instructions for moving Windows SBS 2003 settings and data for Windows Server 2012 Essentials migration, we are instructed to remove legacy Active Directory Group Policy Objects, and to remove WMI filters for PreSP2 and PostSP2. I did not do not so prior to joining the Server 2012 to the domain and replicating Active Directory between the SBS 2003 Server and Server 2012. Are these GPO's colliding with GPO's configured on the Server 2012? Should I go ahead and now remove legacy GPO and WMI filters from the Server 2012?

I am actually running Windows Server 2012 Standard.

EventID 4907 generated by wbengine.exe

December 19, 2013, 9:14 am
$
0
0

Greetings,

All 4907 events comes from a service called wbengine.exe, present in our Active Directory servers.

This wbengine.exe service is part of "Active Directory Backup and Restore" solution (http://technet.microsoft.com/en-us/magazine/2008.05.adbackup.aspx), and it is utilised in our processes.

Are this events a threat? Are normal events? What configurations have to do to configure properly wbengine.exe

Search

GPO Security Zones and Content Ratings "Modify Settings" buttons are disabled

December 19, 2013, 10:59 am
$
0
0
Task: Trying to modify a GPO so that specific users who logon to Remote Desktop Servers will have a lower Internet security level for Internet Explorer.

We have two Windows Server 2008 Domain Controllers, when I access the GPO using the Group Policy Management Console and Editor on either of the two Domain Controllers, then navigate to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Security > Security Zones and Content Ratings, the available "Modify Settings" buttons are both disabled.

I've read through several forum posts relating to this and the closest solution mentioned was to turn off IE ESC for Administrators on both Domain Controllers. I've done this and it nothing has changed as a result. Is there a way enable the "Modify Settings" buttons, or is there another way to achieve the task mentioned at the top of this post?


 

WMI Filtering when namespace does not exisit on GPMC compluter

May 17, 2013, 7:53 am
$
0
0

GPMC WMI filter wizard takes its namespaces from teh machine on which the GPMC console is running.  In a WS2008 or later domain running GPMC on the server makes many target anmespaces for workstations unavailable event though the policies can be created and run. 

Does anyone know how to best handle this issue.

Assume namespace required is: root\cimv2\Applications\MicrosoftIE

This is how MS has filtered for IE in the past.  This namespace was available on WS2003 but is not on WS2008 and later but we need it to filter for IE versions on XP, WS2003 and other workstations.

What is the best or recommended way to handle this situation?

¯\_(ツ)_/¯


Run Folder Redirection in Background

December 19, 2013, 2:26 pm
$
0
0

We are noticing huge delays when enabling Documents folder redirection. Is there a way we can have this done in the background instead of at logon? I had one machine that took over 1 hour to finish.

nik kumar

Net Use in Script Client Side Extension

December 21, 2013, 2:50 pm
$
0
0

Hi,

I just rebuild my home Network. In my old home Network I had my loginscripts added to each user in AD. However - now I want to move my Loginscripts to GPO. So I added a batch to User Configuration\Policies\Windows Settings\Logon

The script is just a simple net use Batch.

But after logon and multiple GPUpdates - drives were not mapped. So I started to troubleshoot.

First I thought the script wasn't started. And yes there were some Problems:

- Sync Processing,

- Local Intranet for \\domain.name\sysvol

- ...

But it still didn't work. Executing the script from \\domain.name\sysvol... mapped the drives.

So I changed the script to vbs and added a msgbox now() - and I got a messagebox during logon. But still no drives mapped.

If I map the drive by Configuration\Preferences\Windows Settings\Drive Maps - the drives will be mapped.

If I add the script to the user object in AD - I also works.

So maybe I am wrong - but is there a Problem to map drives in Script Client Side Extensions?

I searched the web - but didn't find a clear Statement.

thx in advance

Delete temporary Internet files

February 15, 2013, 5:54 am
$
0
0

Windows 2008 R2

Win 7

Win Xp

Under "user config\preferences\windows settings\folder" Created 2 folders to delete Temporary Internet files with with 1 targeting Windows 7 and the other targeting windows xp.

Here the the path for windows 7: C:\Users\%localappdata%\AppData\Local\Microsoft\Windows\Temporary Internet Files

Here is the path for xp: C:\Users\%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files

However, temporary internet files not being deleted. Are my paths correct and are my enviroment variables correct. thanks

Viewing all 19997 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>