Channel: Group Policy forum

Restrict internet access to rdp users


Hi,

We have a single OU with 100 users. We want to restrict internet access on the basis of user ID by using Group Policy, or any other way in which full internet access can be blocked for certain users in AD.


Server 2008 R2 & Windows 8.1/2012R2 ADMX (Group Policy)


Hey guys, thanks in advance for your help with my question.

I have two Domain Controllers. DC1 (2003) & DC2 (2008R2). I have two client machines. CL1 (8.1Ent) & CL2 (2012). I have just now updated the Central Store on my 2008R2 Domain Controller with all of the 8.1 and 2012R2 ADMX/ADML files. 

I have read that I will not be able to apply these new policies until I have a 2012R2 Domain Controller on the network, unless I use an 8.1 or 2012R2 client machine to administer these new policies. Is this true? I ask because I can see the new policies when I open Group Policy Management on my Windows 7 machines. Am I good to go? Is my domain ready to apply these new policies to my 8.1 laptops, even though I do not have a 2012R2 DC yet?

Thanks!

Add Password in IE using GPO


Hello there

We're using a service hosted by another company via https.

I'd like to send users the credentials to access this website via GPO, as if they had set them and used "remember password" (the credentials are remembered on the client, and we only have to click in a field to autocomplete the fields).

This is so that clients do not know the interface credentials and are not able to access the service from outside our company premises, from their home for example.

Is it possible to do this?

Thanks in advance

Nicolas

CONTROL PANEL HAS STOPPED WORKING


OK, so when I open Control Panel it freezes, and I can wait all day long but it still won't do anything. Please help.

PS: I also have a problem with the Windows 8 Store and Music: they open but they freeze just like Control Panel. I also have no sound; in the bottom right corner there is a red X on the icon. Please also help with that.

Sysvol Not Replicated, Gpt.ini File Has a Different Version


Hi,

I have 3 domain controllers

1. Id-dc1 - it's the main DC (Server 2008 R2)

2. id-dc2 (Server 2008 R2)

3. id-dc3 (Server 2003)

On Id-dc1 (Server 2008 R2) and id-dc3 (Server 2003) the sysvol folder is good: the same folders and the same version in the gpt.ini file.

On id-dc2 (Server 2008 R2) the sysvol folder is not the same; I have just 6 of the 14 folders.

How can I sync the Sysvol folder on this server?

Thanks

Gpt.ini mismatch


Hi,

I have 3 domain controllers

1. Id-dc1 - it's the main DC (Server 2008 R2)

2. id-dc2 (Server 2008 R2)

3. id-dc3 (Server 2003)

On Id-dc1 (Server 2008 R2) and id-dc3 (Server 2003) the sysvol folder is good: the same folders and the same version in the gpt.ini file.

On id-dc2 (Server 2008 R2) the sysvol folder is not the same; I have just 6 of the 14 folders.

How can I sync the Sysvol folder on this server?

Thanks

Restrict Local Administrators from Changing Network Property

In my office environment we are using development machines on which every developer has local administrator rights on their system. We are using 2 internet lines, of which one is fast and the other is slow. Due to the slow internet speed on the second line, some people manually change the gateway IP and switch from the slow one to the fast one. To stop this we need to restrict those users from changing the IP on Windows 7. Only the domain administrator should be able to change that setting. We are using Windows Server 2008 R2 as AD DS. Is there any way to stop this using domain Group Policy or local security policy?

GPO preference not applying to map network drive?


Hello,

A Server 2008 R2 GPO preference to map a network drive is not applying to users. When I look at the errors on the client PC, here is the error I found:

Log Name: Application
Source: Group Policy Drive Maps
Date: 1/7/2014 1:47:33 PM
Event ID: 4098
Task Category: (2)
Level: Warning
Keywords: Classic
User: SYSTEM

Description:
The user 'S:' preference item in the 'GPO {C990F58F-E8B2-41BF-B6FD-E1BAC389C4F1}' Group Policy object did not apply because it failed with error code '0x80070037 The specified network resource or device is no longer available.' This error was suppressed.

GPresult shows following message on client pc:

The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.

Winning GPO Name GPO
Result: Failure (Error Code: 0x80070037)

I have also tried using the full server name in the share, and the IP address, but no success. :(

I'm using variable %username% in share location: \\servername\share\%username%

Any idea? Please help. Thanks



Disable Security tab settings in GPO Preferences for Internet Explorer 10 settings.

Hi 

In Group Policy Preferences for Internet Explorer 8 & 9 Settings, I could disable the settings in the Security tab.

So I only set the homepage option and the GPO result page will show only that setting is enabled.





In Group Policy Preferences for Internet Explorer 10 Settings, I cannot disable anything in the Security tab.

So when I try to accomplish the same result as above (only setting the homepage option), the GPO result page shows that Security tab settings are set for zones, and Protected mode.



Is it not possible to disable the security tab settings in GPO Preference for Internet Explorer 10 settings?

Add custom ADM template

I can't add the custom ADM. The task needs to set a registry value on clients, so I created an ADM, but it can't be added in the Group Policy Object Editor. Is there any special work needed before I add it? I use a domain admin account. Thanks.

Confused about ADMX files? Missing IE Maintenance GPO


I have not yet had a need to work with adding Administrative Templates to 2008 R2 domains before; until recently, all the default stuff that comes with 2008 R2 was enough.

I have a domain-wide GPO set under User Config > Policies > Windows Settings > Internet Explorer Maintenance to provide some company-standard URLs under Favorites. Today I went to edit them and found that the IE Maintenance option is gone from this GPO. Also, we just put IE 10 on these systems maybe a week or so ago, and from what I've read, putting IE10 in the mix is what made this IE Maintenance GPO option disappear and there's no way to get it back.

I'm still reading about how to handle this, but so far I gather my best choice is to find some IE10 admx file. I've never worked with admx files before. Right now I'm reading through a few documents:

Using Administrative Templates (a subsection of Technet's IE 10 deployment documentation)

http://technet.microsoft.com/en-us/library/jj822355.aspx

Managing Group Policy ADMX Files Step-by-Step Guide

http://technet.microsoft.com/en-us/library/cc709647.aspx

I'm not done reading either of these, but already one question comes up. In the Using Admin Templates document it says the following:

You can create a central store that provides all administrators who edit domain-based Group Policy Objects (GPOs) access to the same set of Administrative Template files. The central store is an administrator-created folder on SYSVOL that provides a single centralized storage location for all Administrative Template files (ADMX and ADML) for the domain. Once you create the central store, the Group Policy tools use only the ADMX files in the central store and ignore ADMX versions stored locally. The central store is optional; if you do not create it, the Group Policy tools use the local ADMX files. The root folder for the central store must be named PolicyDefinitions (that is, %SystemRoot%\SYSVOL\domain\policies\PolicyDefinitions). For more information about creating a central store, see Scenario 1: Editing the Local GPO Using ADMX Files.

First, I would think any organization would prefer to have all this stuff centralized, so why this is optional is beyond me, but as I said I'm new to this stuff. But what confuses me is whether or not I should do this central store. My concern is that if I create it, what if upgrading to some future version of IE introduces a new admx file that I don't know about (or any patch or other upgrade other than IE causing a need for a new admx) and places it in the local PolicyDefinitions folder of the domain controller? I don't know how to be notified of when a new admx file is needed, so as I see it, the product (IE in this case) will get updated, but since I don't know about a need for an admx file, GPO breaks because I didn't think to put a new admx in the central store. This method of management doesn't sound ideal to me.

Can anybody advise on what is the best practice here? Thank you.


Deploying Lync 2013 Pro Client - created Lync OCT file, cannot find .msi to deploy via GPO!


Hi,

As above, I am deploying Lync 2013 onto 100 machines approx that already have Office 2010 Pro Plus installed. Looks like the only option is to install it via Group Policy. I have created the Lync 2013 OCT file using these instructions as these were the closest to my goals (for lync 2013 basic install):

http://unifiedme.co.uk/2013/04/silent-installation-of-lync-basic-2013-client/

Now, I am trying to find the beloved Lync 2013 msi file, but I am racking my brains now. It is nowhere to be found, and I searched for the folder on my machine where the msi folder is, C:\Program Files (x86)\OCSetup. Nowhere to be found. How am I going to do this without going into writing a script/zap file (using .exe)?

Software - Lync 2013 Pro (Lync 2013 Servers installed) - Windows 7 Enterprise SP1 - Office 2010 Pro Plus SP1

DC - 2008 R2.

Hope you can help.

GP to map drives works except for one


The customer has a relatively new SBS2011 server. I am using GP to map a total of 12 drives depending on the user. I added one today but it is not taking. I limited it to 2 users. Confirmed their permissions, but no. With this one I shared a user's desktop folder in Redirected Folders. I tried testing it with net use n: \\server\desktop but that did not work. Net use n: \\server\Data\Users\FolderRedirections\hrspecial\Desktop did work. However, using that UNC string in the GP still does not work.

What am I missing?

Thanks, John

Unable to access sysvol using path \\domain.local\sysvol


Hi,


We found that our newly configured workstations were unable to read/apply GPOs. Upon checking, we are able to access the path \\domain.local. However, when trying to open sysvol folder (or any other shared folder on the domain controller), we receive the following error:


We also cannot access the folders when using the domain NetBIOS name. Strangely enough, when using the IP address or DC name, we can successfully map the sysvol folder.

Have also tried running DCdiag and the test NCSecDesc fails with error:

Hope anyone can shed some light on what went wrong.

Thank you.





GPO: Network Name cannot be found


Hi

When opening Group Policy Editor on a remote DC I am getting the following error:

The network name cannot be found.

My set up is:

Head Office: 

DC1 - Server 2008 R2 (10.1.*.*/23)

DC2 - Server 2008 R2 (10.1.*.*/23)

MPLS Link to Branch Office

DC3 - Server 2008 R2 (192.168.10.*/24)

DC3 is the one with the issue

I have attempted the Burflags recommendation on TechNet, but with no success.

I can see the SYSVOL folder is not shared on DC3, so I shared it.

I have one DNS error (but I don't think this is related):

DNS: Zone_msdcs.Office.elitetele.com is an Active Directory integrated DNS Zone and must be available

Connectivity between DC1 and DC3 is fine with no issues (15ms Ping round times)

It resolves all server names with no problems

I ran a DCDIAG and got the following:

(I changed the servernames to the above, so you know which is which)


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = DC3

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Elite-Cornhill\DC3

      Starting test: Connectivity

         ......................... DC3 passed test Connectivity



Doing primary tests

   
   Testing server: Elite-Cornhill\DC3

      Starting test: Advertising

         Warning: DsGetDcName returned information for

         \\DC2.DOmain.DOmain.com, when we were trying to reach

         DC3.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... DC3 failed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... DC3 passed test FrsEvent

      Starting test: DFSREvent

         ......................... DC3 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... DC3 passed test SysVolCheck

      Starting test: KccEvent

         ......................... DC3 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... DC3 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... DC3 passed test MachineAccount

      Starting test: NCSecDesc

         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have 

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=ForestDnsZones,DC=office,DC=elitetele,DC=com
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have 

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=DomainDnsZones,DC=office,DC=elitetele,DC=com
         ......................... DC3 failed test NCSecDesc

      Starting test: NetLogons

         Unable to connect to the NETLOGON share! (\\DC3\netlogon)

         [DC3] An net use or LsaPolicy operation failed with error

         67, The network name cannot be found..

         ......................... DC3 failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... DC3 passed test ObjectsReplicated

      Starting test: Replications

         ......................... DC3 passed test Replications

      Starting test: RidManager

         ......................... DC3 passed test RidManager

      Starting test: Services

         ......................... DC3 passed test Services

      Starting test: SystemLog

         An error event occurred.  EventID: 0x00000457

            Time Generated: 01/08/2014   07:56:42

            Event String:

            Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 01/08/2014   07:56:47

            Event String:

            Driver TOSHIBA Universal Printer 2 required for printer !!ELIFNP01!Tosh_2040_Accounts_DawsonHouse_Colour is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 01/08/2014   07:56:48

            Event String:

            Driver SwyxFax Printer Driver required for printer SwyxFax is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 01/08/2014   07:56:49

            Event String:

            Driver WebEx Document Loader required for printer WebEx Document Loader is unknown. Contact the administrator to install the driver before you log in again.

         ......................... DC3 failed test SystemLog

      Starting test: VerifyReferences

         ......................... DC3 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : office

      Starting test: CheckSDRefDom

         ......................... office passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... office passed test CrossRefValidation

   
   Running enterprise tests on : Domain.DOmain.com

      Starting test: LocatorCheck

         ......................... Domain.Domain.com passed test

         LocatorCheck

      Starting test: Intersite

         ......................... Domain.Domain.com passed test Intersite



"Properties" Doesn’t Appear on GPME


I am trying to disable “Allow users to select new root certification authorities (CAs) to trust” on a Windows 2008 R2 domain controller, so I opened the GPO in the editor and right-clicked on “Public Key Policies” to select “Properties” to disable it from there, but the “Properties” option didn’t show up (there are only these options: View, Refresh, Export List, Help). I am a member of the Administrators group on that server. Could you please help me to sort this issue out?

GPO - Write Protection SD Card


Hello Guys,

In the company where I work, there are some Windows XP machines and my manager wants to block SD Card devices.

How can I block them on machines with Windows XP via GPO?

Thanks

2012 R2 - One GPO not being applied


Hello,

I've had a look at other posts of similar issues but I couldn't find a solution.

Quick history:

I have a forest with a single DC. The forest started as a 2012 forest on a single Windows Server 2012 DC. After about a year (a month ago) I joined a 2012 R2 DC, demoted the 2012 DC and raised the functional level to 2012 R2.

Problem I'm having:

I have one user GPO which doesn't get applied anymore (it used to). When running Group Policy Modelling in GPMC I can see the policy being applied in the report, as it should. However when running Group Policy Results in GPMC that policy doesn't exist in the report at all.

Troubleshooting:
I've confirmed the following to be correct and done the following to try and resolve the issue:

-GPO's security filtering

-GPO's delegation permissions

-GPO is assigned to the correct OU and enabled

-Move GPO to a different OU

-No WMI filters are applied

Any help will be greatly appreciated! Thanks 



Share & NTFS permissions on Users folder to map with GPO preference???


Hello,

I need help setting share and NTFS permissions on the Users home folder, because I'm trying to map user home directories through a GPO preference.

Required permissions on home and user directories:

Domain administrators will have full access on all directories.

Users will have full access on their own home directory.

Users will not be able to open/access other users' directories.

I shared the Home folder (\\Server\Home$), which contains the users' directories. I have manually created user directories in the Home folder matching the usernames, because I'm using a GPO preference to map them, so the GPO will only map already created directories.

I have set following permissions on Home folder:

Shared permissions:

  • System - Full Control
  • Domain Admins - Full Control
  • Everyone - Full 

NTFS permissions: Also Removed permission inheritance

  • CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
  • System - Full Control (Apply onto: This Folder, Subfolders and Files)
  • Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
  • Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
  • Everyone - List Folder/Read Data (Apply onto: This Folder Only)
  • Everyone - Read Attributes (Apply onto: This Folder Only)
  • Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)

After setting the above permissions, the GPO is not able to map their drives, because the user is also not able to access its own directory share from the client PC: \\server\home$\user

The user directory is not accessible because I manually created the user directory on the file server with the domain administrator account; that's why the domain administrator is the directory owner and the user cannot access it, and it can't be mapped with the GPO. The Everyone permission is set to "This folder only" and only Creator Owner has full access. Can anyone please help me to achieve this within my scenario?

I want to use a GPO to map drives with the above required permissions set.

Thanks

Group Policy Commands set from either the registry or a run command

Hi, I need to be able to enable two (possibly more) commands that exist in the gpedit.msc from a run command or a reg file. The two commands I'm looking at are "Computer Configuration/Administrative Templates/System/User Profiles" - Only allow local user profiles - needs to be enabled and Prevent Roaming profile changes from propagating to the server - needs enabling. Any help is much appreciated. Thanks 