For various reasons we are using W7 but still on IE8. There is an option in IE8 i want to change but i am not able to find out in GPO. The setting is in Internet Explorer > tools > internet options > security tab >
internet zone > custom level > launching applications and unsafe files. i want this setting set to "prompt". as i said, cant seem to find in on Group Policy
↧
change a setting in IE8
↧
EventID 4907 generated by wbengine.exe
Greetings,
All 4907 events comes from a service called wbengine.exe, present in our Active Directory servers.
This wbengine.exe service is part of "Active Directory Backup and Restore" solution (http://technet.microsoft.com/en-us/magazine/2008.05.adbackup.aspx), and it is utilised in our processes.
Are this events a threat? Are normal events? What configurations have to do to configure properly wbengine.exe
↧
↧
Disable IEAK Setting - "Delete existing favorites and links, if present"
Hi! We have had a workstation image (Windows 7 x64) deployed to numerous machines (including my own) with the following IEAK setting enabled:
"Delete existing Favorites and Links, if present"
The setting is located in gpedit, under User Configuration/Windows Settings/Internet Explorer Maintenance/URLs/Favorites and Links
The image is being fixed, but customer service is looking to have us fix via GPO. I have been scouring the net, trying to figure out a way to do this. I haven't found a registry switch and if I configure a GPO for this, it just sets that particular setting to "not configured" and won't disable it on those that have had it enabled. The only way I can see to do this is manually on each machine, but that's not my preferred option, obviously. Does anyone know of a way to disable this setting via GPO? Batch script, VB, reg fix?
Thanks!
-Brandon
↧
Block firefox installation
Hi,
How to restrict Firefox installation from Group Policy Management?
↧
How to enable the WMI entry in the firewall configuration using GPO on Win7
How could I enable the "Windows Management Instrumentation (WMI)" entry in the Windows 7 firewall using a group policy?
I'm able to add custom ports and programs for inbound access but it seems not to be possible to activate the predefined entries using group policies.
Best regards, Nils.
I'm able to add custom ports and programs for inbound access but it seems not to be possible to activate the predefined entries using group policies.
Best regards, Nils.
↧
↧
Netlogon Access Denied
I have 2012 Essential Server. I found so many articles regarding to this issue, but did not understand any of them.
I have 7 users and I want to create automatic mappings when they logon to the server.
Reading articles on the web found that I have to create a GPO. So, I went to the Group Policy Management and created a GPO call “Map Users Folders”.
On that folder I right click and went to EDIT, and Policies, Windows Settings and under that folder a click Scripts (Logon/Logoff). On the right site of the screen I click on LOGON, a Logon Properties Windows Opened.
Then I went to show files button, when the windows open, I did copy and paste my batch file into it.
Getting the ACCESS DENIED ERROR,
The user that I’m using is the Administrator user? Please HELPPPPPPPPPPPPPPPPPP.
↧
IE Added Primary & Secondary Start Pages - Randon 3rd and 4th tabs popping up
I created a GPO that adds a primary and secondary home page tabs in IE. I am using:
User Configuration -> Preferences -> Windows Settings -> Registry
New Registry Item:
Action: Update
Hive: HKCU
Key Path: Software\Microsoft\Internet Explorer\Main\
Value Name: Start Page or Secondary Start Page
Value Type: Reg_SZ
Value Data: http://mysites.com
When I open the browser, I get the two sites I added, but additionally I get another 3rd or 4th tab that opens to urls with random strings such as: http://xn--foa3045d/
The only thing that is common is the http://xn--
Any idea why this may be occurring. I am pretty sure it isn't malware because if I remove the GPO, the random tabs go away.
Thanks!
↧
Software Restriction Policy for IE 64 bit
I created a software restriction policy in a GPO that disables access to 64 bit version of IE. I used a path based policy and pointed it to C:\Program Files\Internet Explorer\iexplore.exe. I created the policy under the Computer Policy section. The GPO applies to OU that contains RDSH (TS) servers running Server 2008 R2.
The policy stops users from running 64 bit IE. They get a popup saying that access to that software is restricted.
The issue is that is also restricts access to 32bit IE. They don't get any popup, the program just doesn't start. This is logged in the Event Viewer:
Access to C:\Program Files\Internet Explorer\IEXPLORE.EXE has been restricted by your Administrator by location with policy rule {02ef9438-7adb-4234-aa75-9ad24e3b19c9} placed on path C:\Program Files\Internet Explorer\iexplore.exe.
I manually navigated to the 32bit version of Internet Explorer though.
↧
Deny 'Apply Group Policy' doesn't work.
Hi guys,
I have an OU in which I put a computer account Server100(running on Windows server 2003) and some domain user accounts inside (including domain admins). Now I create a group policy in which a logoff scripts is added under theuser settings to automatically emply user's %temp% folder when they logoff Server100.
Now the scripts works perfectly fine for all the domain users in the OU including domain admins, but actually I have denied 'apply group policy' for doamin admins group under the 'delegation' tab of the group policy.
I ahave tried to remove the computer account server100 from the OU, unfortunately I found that none of the users in the OU can apply this policy.
All I need is that this policy can apply to all domain users in the OU except domain admins. Why my configuration can't work? I need your advice. Thank you.
↧
↧
GRoup Policy -System Services- Path Not Found !?!!
Hiiii
I have a Windows server 2008 R2 SP1 Ent
But there is no way under the Group Policy
Computer Configuration\Windows Settings\Security Settings\System Services
I use gpedit.msc I got this Policy, My network is not Domain Model .
↧
Printer deployment with GPO not working
I am doing a manual migration from a single label domain to a domain with a proper name. The single label domain is running at a 2008 functional level and the new domain is running at a 2008 R2 level on a server 2012 machine.
In the old domain I had deployed printers through GPOs by accessing Computer Configuration:Preferences: Control Panel Settings:Printers. I would then setup a new TCP/IP printer. This worked pretty well in the old domain so I setup the same thing in the new
domain. ALL printer names are the same in both domains.
On the computers that I moved from the old domain to the new domain the printers are still installed and they still function,which I kind of expected. I found that I could remove the printers that were installed by the old GPO with the new GPO by selecting the "Delete" action in the printer properties of the new GPO. However, when I change the properties to "Create" it does not reinstall the printer.
On brand new computers that I have just added to the new domain the GPO will create the TCP/IP port on the local computer but the printer never shows up in Devices and Printers.
I can however browse to the shared printer on the server from the local computer and connect to it that way just fine no matter if it is one of the old computers or one of the brand new computers.
I have only noticed this on Windows 7 64bit computers so far.
I hope I explained it clearly enough and thank you for any advice.
↧
windows 7 modify explorer taskbar target
Hi all,
for users in a particular OU, I'd like to change the target of the taskbar explorer icon so that it shows "computer" instead of "libraries". I found that I could replace the target with this:
"%SystemRoot%\explorer.exe /e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
and I should use the "replace" feature in the user's GPO shortcut preference.
what would be the correct procedure to achieve this?
thanks
↧
ADM templates for office 2003 on Windows server 2012
Hi Guys,
i am planing to upgrade from server 2003 to server 2012 but we will still be using office 2003.
Can i install office 2003 adm templates on server 2012?
Many thanks for your help
Theo
↧
↧
Group Policy for Win 7 clients on SBS 08 domain
I am using SBS 2008 Server. I recently added a client machine running windows 7 to the domain.
The Windows 7 client does not recieve group policy from the SBS 2008 server.
I checked the group policy on the sbs 08 server and I do not see a setting for Windows 7 machines. I only see policies for windows vista and windows xp.
How do I get the server to apply group policy to Windows 7 machines??
Thanks for your help.
↧
Make new local admin user account a member for the default administrator's group
Hello,
I have followed the steps in the link below to create a GPO with a new local admin user account and have disabled the built-in admin account. I need to be able to make the new local admin user account a member of the built-in administrator's account just like the original "Administrator". What is the best way to do this?
http://www.dannyeckes.com/create-local-admin-group-policy-gpo/comment-page-1/#comment-2829
Thanks,
Roger
↧
Group Policy to deny access to old software version
We frequently update a software application and the old version sometimes causes issues. I am trying to create a group policy that will block old software versions and am looking at the best way to accomplish this. Thoughts and or suggestions appreciated.
Right now the solftware version is store in a registry key which I can look at.
I though about hash rules but this would mean I would need to maintain old versions to grab the hash.
What would be the easiest way to do the following...
Software exe has deny access applied if reg key version does not equal x, y or z? and where would I set this in the GPO. My goal is to only allow stable versions to operate in my environment and if a computer slipped by the upgrade and is an old version then access to the file would be denied, thus prevent users from inadvertently running the software.
Thanks
John
↧
Audit all printers deployed via GPO
I am in the process of cleaning up our old print servers and have run across several issues with multiple objects referencing the same IP. I want to clean up these objects and combine them in to one. The issue is I don't know if these objects are deployed
via GPO. Is there a way to determine if a print server object is deployed via GPO and if so what GPO is deploying it?
↧
↧
MSI Instal on Windows 7 fails on 2008 R2 DC works on 2008 DC with no issues
I search the FAQ's and didn't find a straight answer. I have a GPO policy to install an MSI file. If I attach the Windows 7 to a 2008 DC the program installs with no issues and works fine. However, using the same policy on 2008 R2 DC and the Windows 7
does not install the MSI file. When I run a rsop it shows the path and policy for the MSI package, but on the Win 7 attached to the 2008 R2 DC there is a yellow triangle. I can manually install from the domain share. Any ideas of what I may be looking at?
Thanks
↧
Allow Domain Users to Change Their Time On Workstation
Is there a way to allow authenticated users on the domain to change their time on their workstations? Ive added Domain Users, Domain Computers and Users to the Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment in the Default Domain Policy but nothing seems to change. Ive forced the GP update as well.
Any help would be appreciated.
↧
Drive Map GPO and Item-Level targeting using DNS Computer Name not working as expected
I've run into a snag trying to move from logon script based drive mappings, to a GPO based Drive map solution and I'm hoping somebody can shed some light on the problem that I am seeing. We started down the GPO based drive mappings because we have a handful of Windows 8 client computers which don't run the logon script based drive mappings.
I put together a basic Drive Maps GPO. I'm mapping 3 drives, I've linked the GPO to a computer container OU for testing and everything is working just fine. I have 3 different Windows 8 client PC, all domain joined, and all 3 run the GPO as expected.
The problem is when I attempt to apply Item-level targeting. I've found that if I define item-level targeting to use the NetBIOS name of the computer, I can either apply the GPO at an individual computer level, or I can exclude the GPO for that individual computer by toggling between IS and IS NOT. However, when I choose to define the computer name by choosing the DNS option, the GPO does not apply as expected.
So, if I say "the DNS computer name is example1.mydomain.com" and I apply the GPO, it applies to example1, example2 and example3. And if I instead say, "the DNS computer name is not example1.mydomain.com", then it doesn't apply to example1, example2 or example3. Obviously, I would expect it to apply or not apply only to example1.mydomain.com.
If instead, I say "the NetBIOS computer name is example1", and apply the GPO, then example1 gets it, and example2 and example3 do not. If I say, "the netBIOS name is not example 1", then example1 does NOT get the drive mapping, but example 2 and example3 do. < This is exactly what I want and I can continue to just use NetBIOS names...but I don't understand why DNS isn't working in the same manner.
My clients are all using DHCP and using domain controllers for DNS. All 3 machines are in the mydomain.com namespace. The mydomain.com namespace is an active directory integrated zone. We have reverse zones in place for the dns records. I can ping the machines from the DC's as well as the machines themselves. I can run nslookup and resolve the computer name for each host using the FQDN. I can also run a ping -a IP_ADDY and get the FQDN back. The DC's themselves are running Server 2008 R2. I honestly don't see any issues from a name resolution standpoint on the network itself.
So, any suggestions as to why defining the shortened NetBIOS name works just fine, but using DNS with a FQDN does not? (I've tried the DNS name using just the name, the name., as well as name.mydomain.com and name.mydomain.com.)
↧