Channel: Group Policy forum

Restrict to View AD objects security tab in ADUC (Dsa.msc)

Restrict to View AD objects security tab in ADUC (Dsa.msc) ?


Monitoring Status of the GPOs in Active Directory Environment


Hi,

There are some empty, disabled, linked and orphaned policies. So, using VBScript, the status of the GPOs has to be monitored in the AD environment.

I am new to ADS and wanted to update the Source code of ADS.

Can anyone tell me how to do this or can provide link where I can get all the details to write the script?

Thanks & Regards,

Gopi Krishna


Thakur

Daylight Saving Time in Windows 7 ultimate SP 1


Dear Sir,

I am from India and using Windows 7 Ultimate SP1 on my PC.

My clock in the above Windows does not get changed automatically and a message is displayed:

Daylight Saving time is not being observed in this zone.

I have tried to find answers in the forum of Microsoft, but was not able to solve this problem, not being computer savvy.

May I get the simplest method to solve this problem so that I do not have to change the date and time every day?

Thanking you,

csmidha

USB is disabled from GPO but in few machine USB is still enabled


Hi,

There are a few machines on which USB is disabled by group policy, but if I plug in a USB pen drive it still gets connected and is displayed on the desktop. Many times I have updated the GPO on the machines with the gpresult /force command and restarted the machine, but it still doesn't work. The USB-disabled policies are applied on this machine, and this is confirmed by generating the RSoP and gpresult /h report.html or gpresult /r /scope computer. The permissions on usbstr.inf and usbstr.pnf (something like this) are only for SYSTEM, and no privileged permissions are given to any user.

Is anything remaining to check? What else is needed to block the USB ports?

Thanks for helping.

Missing group membership when running gpresult


Hi,

I'm currently testing a group policy that has security filtering to deny AGP on a particular group. I've added a user to that group however, when running gpresult, the group is not listed on the "The user is a part of the following security groups:". Replication seems to be OK - I've tried running gpresult on a different computer and all groups show up there except for this one server. Tried adding to another test group, but it also doesn't show up.

Would really appreciate your help.

Thanks.

Disable USB Mass Storage through GP across Windows 7 & XP but Usb 3G USB MODEM &Keyboard & Mouse Should work..Possible?


Disable USB Mass Storage through GP across Windows 7 & XP but Usb 3G USB MODEM &Keyboard & Mouse Should work..Possible?

I need the 3G modem to be working, and the mouse and keyboard.

Unattend MSI install by admin user


We have a need to programmatically (powershell) install a vendor signed MSI from within a process running as a user that's part of local administrators group. We used the typical msiexec with /qn option but it always fails with below error.

==
Installation success or error status: 1625.

Info 1625.This installation is forbidden by system policy. Contact your system administrator.

==

The OS is windows server 2008 R2 SP1 and the machine is not part of any domain, just a local workgroup. The powershell process is launched from a windows service configured to logon as the user that's a member of local administrators group.

After playing with lot of security policy settings, I found the solution by marking the policy "User Account Control: Run all administrators in Admin Approval Mode" as disabled. My question is to know if this is the best/recommended way? Or is there a better (more secure) way to achieve what I want.

Any input is highly appreciated.

Thanks Rags


Thanks Rags This posting is provided as is and confers to no rights.

bit locker recover key


Hi,

I have restarted my Windows Surface and it's asking for the recovery key and has told me to go to http://windows.microsoft.com/recoverykey to retrieve it. It also gave me the key ID if I need it. Where do I go to retrieve this recovery key using my key ID?


Internet Explorer Maintenance (IEM) Legacy Settings - IEM Policy Processing Settings


I have migrated away from IEM. I am using Win7SP1, IE9 with AD2008R2 functionality. Do the IEM policy processing settings have any effect?

Computer Configuration > Administrative Templates > System > Group Policy > Internet Explorer Maintenance policy processing contains the following options:

  • IEM Policy Processing - allow processing across a slow network
  • IEM Policy Processing - do not apply during periodic background processing
  • IEM Policy Processing - process even if the group policy objects have not changed

I have migrated away from using IEM. Due to the slow connections of some of my remote sites, these settings still have some value for our environment. If I set this in GP, are the settings ignored since I am not setting anything in IEM?

Many thanks for your time and response...



Charlie Newman

GPO Template to secure Computers joined to a 2012 Domain


Hi,

We are looking to implement a "Quarantine OU" for new machines that join our domain. I've found out how to change the behavior of assigning machines to a different OU than the Computers OU using the redircmp command. Does anyone have a good "template" resource of default security policies to assign to a new server/desktop machine that gets placed into such a quarantine OU, to ensure it's secure before moving it to a different/separate OU? I'm currently looking for knowledge base articles that cover this. Any help would be greatly appreciated.

Thanks,

Kevin C.

Printer Mapping Performance GPP


Hello,

We've 60 printers and want to map them through GPP. Mapping should be handled in one GPO with a filter based on IP address through Item Level Targeting.

I would build two items per printer: one to create the printer and one to delete the printer. Additionally, Item Level Targeting will look for the IP address, like here: http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-dynamically-map-printers-with-roaming-profiles/.

So in total ~120 printers in one GPO. Creating several GPOs with printer mappings is not desired. Additionally, the OU structure is very flat; there is only one client OU with all client computers and it must remain so.

I am unsure about the performance during the logon process. Does anyone have experience with such printer mappings? Might it be better to use a logon script?

Installing Chrome via GPO

New Server 2012 R2 Getting AD / SYSVOL Mismatch


I just loaded up a fresh copy of Server 2012 R2 in VMWare and made it a Domain Controller.  To get a feeling of it before I deploy it.

All the Windows updates have been done.

Ran the Group Policy Results Wizard and got these alerts.

Default Domain Controller Policy  Alert: AD / SYSVOL Version Mismatch

Default Domain Policy  Alert: AD / SYSVOL Version Mismatch

I found that there is a hot fix for this for Server 2012.

http://support.microsoft.com/kb/2866345

But when I run the hot fix it tells me that "The update is not applicable to your computer"

So how do I fix this issue? I don't want to deploy Server 2012 R2 to my live environment only to have issues.

Multiple Home Page settings not working in Server 2008 R2


I have Windows Server 2008 R2 as a DC, and the ADC is the same 2008 R2 server, both with SP1 and with IE 11 installed.

Other group policies are there and running well.

I had set up two home pages, but on user machines it's showing and running only one primary home page.

One is my intranet site and the other home page is our website.

I have enabled "Disable changing Primary Home page" and kept my intranet page there.

I have enabled "Disable changing Secondary Home page" and kept my website page there.

After gpupdate I can see only one page in the users' Internet settings. My website page is not loading at all!

Scenario 2:

I have selected the Not Configured option for "Disable changing Primary Home page" and applied it.

I have enabled "Disable changing Secondary Home page" and kept both the intranet and my website page addresses there.

After gpupdate it's loading 3 pages: the same intranet page twice and the website page once.

Only two are configured in Group Policy, yet 3 pages are loading?

I need it to show only two pages. I have tried every way, and Windows Server 2008 R2 Group Policy seems frustrating.

Has anyone succeeded with multiple home pages, i.e. loading only TWO pages in the IE browser via Group Policy?

All users have 64-bit Windows 7 with the IE 10 and IE 11 browsers installed and updated. The servers have IE 11.

 

Printer policy applied after 2nd logon


Hi,

We have a User group policy which maps printers for our users. This is done at "User configuration -> Preferences -> Control Panel Settings -> Printers" and not by the so-called printer deployment policy.

In this policy we have defined a removal of all shared printer connections as order 1. Order 11 is set to map a certain printer with an Update action and has item-level targeting set. This printer will be mapped to the user as default only when the computer on which the user logged on is located in a certain OU.

What we are trying to achieve is that when a user logs on to a certain set of computers, the printer in that same room is mapped and becomes their default printer. When the same user logs on to any other computer, the printer must be removed and must not be used.

What happens now is as follows:

When a user logs on to a computer in the specific room, the printer is mapped and set as default. When the user logs off, this printer is written as the default printer in the roaming user profile. When the user logs on to a computer in a different room, the printer is still there and set as default. This will remain so until the user logs off and logs on again. So for this to work, the user basically needs to log on twice on a computer in a different room.

What can be causing this and how to solve it?

Kind regards,

Jasper Kimmel


Group Policy not completely inheriting


Good Morning,

Quick back story before I go into full details. I recently added a 2008 R2 server to my 2003 domain and made it a DC. I did all the following prep to the domain to prepare for this DC: adprep, forestprep, and domainprep. I also decommissioned one of the 2003 servers and promoted the 2008 R2 as a DC. It all appears to have worked seamlessly, no complaints on the network so far. I did this because we have started to introduce some Win 7 systems to the domain, so we wanted to add a 2008 R2 server. I have created my Win 7 group policy and have the Win 7 systems in a separate OU where that policy is only applied to those systems. The problem is the Win 7 systems are only receiving part of the policy. Under computer configuration\windows settings\security settings, they are receiving the account policies, local policies and even the firewall policy I specified; however, they are not pulling the advanced audit policy configuration or anything that I specified under the administrative templates, which contain the control panel, network, printers, system, and windows components. I copied the admx files from the 2008 R2 server to the sysvol folder and it states that's where it is getting the templates from. However, when I do a gpupdate /force on a local Windows 7 system, it is only pulling part of the policy. Can someone give me some ideas on what I may be missing, or if I have something turned on or off that may be preventing this from applying properly?

Thank you.

Local Scripts


Hello,

I have a startup login script running locally on the computer. I have around 1000 computers.

My question:

How can I remove that script from the machines via GP?

Thanks


FZ2H

GPO redirection folders


I am currently testing GPO redirection for "My Document" folder. 

I am not able to synchronize towards the network drive if the profile already exists on the workstation.

The tests are done on a Windows 7 machine and the DC is running 2008 R2 (Forest 2008).

These are the steps I executed:

  • If I delete the local profile on the workstation and reconnect, the profile gets created on the network and synchronization works perfectly. (This is not a solution because all my current users are using local profiles.)
  • I activated the GPO to force synchronization at log on and log off

The GPO is configured as follows:

Basic: Redirect everyone's folder to the same location

Create a folder for each user under the following path: \\<SERVERNAME>\<SHARENAME>\Username

I unchecked the options:

  • Grant the user exclusive rights to documents
  • Also apply redirection Policy to Win2000 .... 

Do I need to enable anything else? 



George S.

Confused about ADMX files? Missing IE Maintenance GPO


I have not had a need to work with adding Administrative Templates to 2008 R2 domains before - until recently, all the default stuff that comes with 2008 R2 was enough.

I have a domain-wide GPO set under User Config > Policies > Windows Settings > Internet Explorer Maintenance to provide some company-standard URLs under Favorites. Today I went to edit them and found that the IE Maintenance option is gone from this GPO. Also, we just put IE 10 on these systems maybe a week or so ago, and from what I've read, putting IE10 in the mix is what made this IE Maintenance GPO option disappear and there's no way to get it back.

I'm still reading about how to handle this but so far I gather my best choice is to find some IE10 admx file.  I've never worked with admx files before.  Right now I'm reading through a few documents:

Using Administrative Templates (a subsection of Technet's IE 10 deployment documentation)

http://technet.microsoft.com/en-us/library/jj822355.aspx

Managing Group Policy ADMX Files Step-by-Step Guide

http://technet.microsoft.com/en-us/library/cc709647.aspx

I'm not done reading either of these but already one question comes up. In the Using Admin Templates document it says the following:

You can create a central store that provides all administrators who edit domain-based Group Policy Objects (GPOs) access to the same set of Administrative Template files. The central store is an administrator-created folder on SYSVOL that provides a single centralized storage location for all Administrative Template files (ADMX and ADML) for the domain. Once you create the central store, the Group Policy tools use only the ADMX files in the central store and ignore ADMX versions stored locally. The central store is optional; if you do not create it, the Group Policy tools use the local ADMX files. The root folder for the central store must be named PolicyDefinitions (that is, %SystemRoot%\SYSVOL\domain\policies\PolicyDefinitions). For more information about creating a central store, see Scenario 1: Editing the Local GPO Using ADMX Files.

First, I would think any organization would prefer to have all this stuff centralized, so why this is optional is beyond me, but as I said I'm new to this stuff. But what confuses me is whether or not I should do this central store. My concern is that if I create it, what if upgrading some future version of IE introduces a new admx file that I don't know about (or any patch or other upgrade other than IE causing need for a new admx) and places it in the local PolicyDefinitions folder of the domain controller. I don't know how to be notified of when a new admx file is needed, so as I see it, the product (IE in this case) will get updated, but since I don't know about a need for an admx file, GPO breaks because I didn't think to put a new admx in the central store. This method of management doesn't sound ideal to me.

Can anybody advise on what is the best practice here? Thank you.


How can I deploy EFS using Group Policy and automatically encrypt computers for ALL users who login?


How can I deploy EFS using Group Policy and Active Directory with a goal to automatically encrypt computers for ALL users who login? (NOT an option for me to use BitLocker)

I was asked to deploy EFS to encrypt the user My Documents folder and profile on all of the users' laptops. The laptops are in common areas (board meeting rooms, etc.) and security of files is a must.

I successfully created a recovery certificate in AD. I created an OU and set up an EFS policy, and users can now log in and select to encrypt their own files. The issue is that management would like to automatically encrypt ALL users' My Documents AUTOMATICALLY when a user logs in.

Can this be done?

Please help
