Channel: Group Policy forum

Disable IE 10 & 11 Security Alert popup w/ Group Policy


We get a Security Alert popup when accessing a https site

"You are about to view pages over a secure connection....."

With previous versions of IE, the user can simply check the box for "In the future, do not show this warning" and it will not pop up again; however, with the new IE 10 and IE 11, it keeps coming back. What is the group policy rule to disable this popup?

Thanks in advance.


Roget Luo


Software Installation through GPO


Good Day all

I have a piece of software called "RoboForm_enterprise.msi" and a VBS Script called "2_RoboForm_Deployment_MSI". I need to get these to deploy through GPO in a 2012 Domain Controller. It is a bit different than 2008 and was wondering if someone could walk me through it


Scott Cummins

2008R2 IE 11 Group Policy Preference Proxy Configuration Issues


I've been mulling this problem over for a while and I finally have to accept I can't use IE Maintenance anymore for managing proxy settings.  I've been reading up on how to make Server 2008 R2 work with GPP settings for IE 9 - 11.  Everything I've read says I need to install the .admx files (link below) or install IE 10+ to get the IE Preferences to show up for 9, 10, and 11.  But when I look at my .admx files in %systemroot%/PolicyDefinitions it has the same exact .admx file that I download from the Admin Templates.  I can not see the policy preferences for IE 9, 10, or 11 and need these options so I can configure a Proxy server.  How do I go about getting these preferences to become available in Server 2008 R2 SP 1? 

#admx link

http://www.microsoft.com/en-us/download/details.aspx?id=36991

Note that I also tried the following to manually add support while testing but it didn't help me:

Open up the policy, and create an IE8 Preference: User Configuration --> Preferences --> Control Panel Settings --> Internet Settings --> New --> Internet Explorer 8 -> Set your proxy settings


Navigate to C:\Windows\SYSVOL\domain\Policies was an easier route, then sort by date for the recently created IE entry.

Navigate to User\Preferences\InternetSettings

Open up the "InternetSettings.xml file, and change the MAX value to something above 10.0.0.0 (I usually put 10.5.0.0). This way, the policy won't trip up later on if IE 11 comes out and doesn't support any of these policies, but at least you'll be safe until 10.5.0, or until a hotfix is available. "

max="10.5.0.0"



How to add Domain user to local administrators group using Group policy?


Hello,

I hope someone can help in my situation. I have Windows 2012 Active Directory and Windows 7 clients.

I need to add a domain user to the local admin group for the computer that they own. Each user should have local admin rights for his machine only, so if a domain user logs in to another machine they should not have admin privileges. It's each user to his computer only.

I thought about creating an OU for each computer and then assigning a group policy (Computer Configuration > Preferences > Control Panel Settings > Local User and Groups), but this would mean if I have 200 computers then I would need to create 200 OUs and 200 policies, which is a bad design. I could be wrong in thinking this scenario.

Any other suggestions to make this simple ? script or group policy setting that I'm not aware of.

Thank you

Asad

 

GP to map drives works except for one


The customer has a relatively new SBS2011 server.  I am using GP to map a total of 12 drives depending on the user.  I added one today but it is not taking.  I limited it to 2 users.  Confirmed their permissions but no.  With this one I shared a user's desktop folder in Redirected Folders.  I tried testing it with net use n:\\server\desktop but that did not work.  Net use n:\\server\Data\Users\FolderRedirections\hrspecial\Desktop did work.  However, using that UNC string in the GP still does not work.

What am I missing?

Thanks, John

Confused about ADMX files? Missing IE Maintenance GPO


I have not yet had need to work with adding Administrative Templates to 2008 R2 domains before - until recently, all the default stuff that comes with 2008 R2 was enough.

I have a domain-wide GPO set under User Config > Policies > Windows Settings > Internet Explorer Maintenance to provide some company-standard URLs under Favorites.  Today I went to edit them and found that the IE Maintenance option is gone from this GPO. Also, we just put IE 10 on these systems maybe a week or so ago and from what I've read, putting IE10 in the mix is what made this IE Maintenance GPO option disappear and there's no way to get it back.

I'm still reading about how to handle this but so far I gather my best choice is to find some IE10 admx file.  I've never worked with admx files before.  Right now I'm reading through a few documents:

Using Administrative Templates (a subsection of Technet's IE 10 deployment documentation)

http://technet.microsoft.com/en-us/library/jj822355.aspx

Managing Group Policy ADMX Files Step-by-Step Guide

http://technet.microsoft.com/en-us/library/cc709647.aspx

I'm not done reading either of these but already one question comes up.  In the Using Admin Templates document it says the following:

You can create a central store that provides all administrators who edit domain-based Group Policy Objects (GPOs) access to the same set of Administrative Template files. The central store is an administrator-created folder on SYSVOL that provides a single centralized storage location for all Administrative Template files (ADMX and ADML) for the domain. Once you create the central store, the Group Policy tools use only the ADMX files in the central store and ignore ADMX versions stored locally. The central store is optional; if you do not create it, the Group Policy tools use the local ADMX files. The root folder for the central store must be named PolicyDefinitions (that is, %SystemRoot%\SYSVOL\domain\policies\PolicyDefinitions). For more information about creating a central store, see Scenario 1: Editing the Local GPO Using ADMX Files.

First, I would think any organization would prefer to have all this stuff centralized so why this is optional is beyond me, but as I said I'm new to this stuff.  But what confuses me is whether or not I should do this central store.  My concern is that if I create it, what if upgrading some future version of IE introduces a new admx file that I don't know about (or any patch or other upgrade other than IE causing need for a new admx) and places it in the local PolicyDefinitions folder of the domain controller.  I don't know how to be notified of when a new admx file is needed so as I see it, the product (IE in this case) will get updated, but since I don't know about a need for an admx file, GPO breaks because I didn't think to put a new admx in the central store.  This method of management doesn't sound ideal to me.

Can anybody advise on what is the best practice here?  Thank you.


Block software installations -GPO


Hello,

I want to prevent a couple of users and computers held in a specific OU from being able to install any .exe files.  What is the best practice/tools/GPO to achieve this?  I wish I could stick to a GPO!

Please note these users are and need local admin privilege for their work culture but I don't want them to install any single piece of an app and when they need, I will strike the 'RUN AS' and pump my domain admin credentials.

I don't think disabling Windows Installer (GPO) is not a good idea, is it? Because it stops me too...

Tips are thanked :)

Group Policy to deny access to old software version


We frequently update a software application and the old version sometimes causes issues.  I am trying to create a group policy that will block old software versions and am looking at the best way to accomplish this.  Thoughts and or suggestions appreciated.

Right now the software version is stored in a registry key which I can look at.

I thought about hash rules but this would mean I would need to maintain old versions to grab the hash.

What would be the easiest way to do the following...

Software exe has deny access applied if reg key version does not equal x, y or z?  and where would I set this in the GPO.  My goal is to only allow stable versions to operate in my environment and if a computer slipped by the upgrade and is an old version then access to the file would be denied, thus prevent users from inadvertently running the software.

Thanks

John



Windows 8.1 Users able to install Windows Store Apps


Hello,

I have a Group Policy object configured to only allow certain apps from the Windows store.  But, I have just discovered today that users are able to install any app on their workstations.

I have run Get-AppLockerPolicy -Effective -Xml on my machine and have pasted the result below.  It appears to me that the policy is "Enforced" and it is my understanding that if you put a single Allow policy in place that anything that is not 'allowed' should be blocked.  I also created a default Deny rule as a test measure today but all apps are still able to install and run.

Any assistance in figuring out how to block Apps will be greatly appreciated,

<AppLockerPolicy Version="1"><RuleCollection Type="Appx" EnforcementMode="Enabled"><FilePublisherRule Id="19b8c144-462c-418a-9855-95310e1ec45d" Name="All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Deny"><Conditions><FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"><BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="1489bc3c-7d6a-4009-803a-c7774cb97c10" Name="The New York Times App" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=2F92D1C2-F1CF-4B70-B356-ED490ADEC791" ProductName="TheNewYorkTimes.TheNewYorkTimes" BinaryName="*"><BinaryVersionRange LowSection="*" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="151b732a-0f73-4d31-b1e5-250d28748f8e" Name="Microsoft ZuneVideo signed by Microsoft Corporation" Description="Microsoft ZuneVideo signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.ZuneVideo" BinaryName="*"><BinaryVersionRange LowSection="2.2.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="37c046b4-afa9-4bd9-aa24-959583c57576" Name="Microsoft SkypeApp signed by Skype" Description="Microsoft SkypeApp signed by Skype" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Skype Software Sarl, O=Microsoft Corporation, L=Luxembourg, S=Luxembourg, C=LU" ProductName="Microsoft.SkypeApp" BinaryName="*"><BinaryVersionRange LowSection="2.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="3f1e6a80-0e7f-443f-bbe7-6fcee9288e7c" 
Name="Microsoft MoCamera signed by Microsoft Corporation" Description="Microsoft MoCamera signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MoCamera" BinaryName="*"><BinaryVersionRange LowSection="6.3.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="446042cd-64c5-4bbd-ad50-c0d69880e1d5" Name="TD Ameritrade" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=71B8AF03-F191-474C-817D-F57BF8D52E5D" ProductName="TDAmeritradeMobileLLC.TDAmeritrade" BinaryName="*"><BinaryVersionRange LowSection="1.1.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="584defc8-4071-46bd-bc47-0d3ee29e2375" Name="The Economist" Description="TheEconomistNewspaper.TheEconomistonWindows, from The Economist Newspaper" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=6F36EE64-F85C-4AFB-8ABB-A3EA7D54FDBC" ProductName="TheEconomistNewspaper.TheEconomistonWindows" BinaryName="*"><BinaryVersionRange LowSection="*" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="5b42e54e-bb5b-44bc-aead-bc8bf5ecf732" Name="Microsoft Winstore signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="winstore" BinaryName="*"><BinaryVersionRange LowSection="1.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="7963bb10-70ec-46d4-92b7-3478463c7237" Name="Citrix GoToMeeting signed by Citrix" Description="" UserOrGroupSid="S-1-1-0" 
Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=AA827FA5-A4F1-46AD-BB20-8A79D9C08518" ProductName="D50536CD.GoToMeeting" BinaryName="*"><BinaryVersionRange LowSection="1.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="84d1fa6b-f45c-46c9-9a49-ce9f22ce5a53" Name="Evernote" Description="Packaged app: Evernote.Evernote signed by Evernote" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=DCD4AC3C-C7E0-46FF-8387-51FDC8CBC467" ProductName="Evernote.Evernote" BinaryName="*"><BinaryVersionRange LowSection="2.1.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="8b836e78-c7e7-423e-a779-23537689a960" Name="Microsoft HelpAndTips signed by Microsoft Corporation" Description="Microsoft.HelpAndTips signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.HelpAndTips" BinaryName="*"><BinaryVersionRange LowSection="6.3.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="a02a399a-c4eb-4f23-a6fe-581c5335a08c" Name="Financial Times" Description="FinancialTimes.FinancialTimes, from Financial Times" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=369E114A-516A-4C8F-A9BB-34AB93BF9A6C" ProductName="FinancialTimes.FinancialTimes" BinaryName="*"><BinaryVersionRange LowSection="*" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="a4604690-70a0-4fd9-ab63-d356815c0690" Name="Microsoft ZuneMusic signed by Microsoft Corporation" Description="Microsoft ZuneMusic signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Corporation, 
O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.ZuneMusic" BinaryName="*"><BinaryVersionRange LowSection="2.2.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="b6d42f3c-5e41-49ce-bb0a-3b10cd97f266" Name="Wall Street Journal" Description="DBA50444.53881C1868EDA, version 2.1.0.0 and above, from Dow Jones &amp; Company, Inc." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=6827DD24-1114-4F7D-8EF4-DB7F587FD8E4" ProductName="DBA50444.53881C1868EDA" BinaryName="*"><BinaryVersionRange LowSection="2.1.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="b87497c5-0212-4ce9-b516-e7f30f15d041" Name="Microsoft Bing Weather" Description="Microsoft.BingWeather signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BingWeather" BinaryName="*"><BinaryVersionRange LowSection="3.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="ba8198f5-b3e1-4a2b-a0da-338421e3c3de" Name="Microsoft Windows SoundRecorder signed by Microsoft Corporation" Description="Microsoft WindowsSoundRecorder signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsSoundRecorder" BinaryName="*"><BinaryVersionRange LowSection="6.3.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="bbad875a-41c9-451c-bf59-42e43db5ecb6" Name="Microsoft Windows immersivecontrolpanel signed by Microsoft Corporation" Description="Microsoft windows.immersivecontrolpanel signed by Microsoft Corporation" 
UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="windows.immersivecontrolpanel" BinaryName="*"><BinaryVersionRange LowSection="6.2.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="cad22c08-788c-43c2-915b-0a18a88626a3" Name="Microsoft Windows Alarms signed by Microsoft Corporation" Description="Microsoft WindowsAlarms signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsAlarms" BinaryName="*"><BinaryVersionRange LowSection="6.3.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="ccf05b01-2c83-414d-b002-f9b08dedad86" Name="Microsoft Windows ReadingList signed by Microsoft Corporation" Description="Microsoft WindowsReadingList signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsReadingList" BinaryName="*"><BinaryVersionRange LowSection="6.3.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="d43e619a-5b1a-418a-983a-8c81bb3e9dd0" Name="Microsoft Windows Calculator signed by Microsoft Corporation" Description="Microsoft WindowsCalculator signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsCalculator" BinaryName="*"><BinaryVersionRange LowSection="6.3.0.0" HighSection="*" 
/></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="e27bc9a4-3503-42df-8468-8acf590f7133" Name="Aljazeera" Description="65224AljazeeraMediaNetwor.AlJazeera, version 1.0.0.0 and above, from Aljazeera Media Network" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=FFE13013-57F2-495F-AA95-33EC1F5CA210" ProductName="65224AljazeeraMediaNetwor.AlJazeera" BinaryName="*"><BinaryVersionRange LowSection="1.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="e2a158c0-344a-465b-b790-07eda53b10fa" Name="Microsoft Bing Finance" Description="Microsoft.BingFinance signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BingFinance" BinaryName="*"><BinaryVersionRange LowSection="3.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="ed42e8c9-dfc1-4c6c-8501-87d6a8ae2a9f" Name="Microsoft Reader signed by Microsoft Corporation" Description="Microsoft.Reader signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Reader" BinaryName="*"><BinaryVersionRange LowSection="6.3.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="f1702d41-6c0d-495f-a965-0e9c9333d60f" Name="Amazon Kindle" Description="AMZNMobileLLC.KindleforWindows8 signed by AMZN Mobile LLC" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=2C9A58C0-E6B3-4889-8D46-5C3C1A2D0836" ProductName="AMZNMobileLLC.KindleforWindows8" BinaryName="*"><BinaryVersionRange LowSection="2.1.0.0" HighSection="*" 
/></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="f1b8aa67-1b82-486a-8f9c-3b4d446487f0" Name="Flipboard" Description="Flipboard.Flipboard, version 2.0.0.0 and above, from Flipboard" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=E7268B71-AD1D-4F1F-BD8B-1F3D76F6C653" ProductName="Flipboard.Flipboard" BinaryName="*"><BinaryVersionRange LowSection="2.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule></RuleCollection><RuleCollection Type="Dll" EnforcementMode="NotConfigured" /><RuleCollection Type="Exe" EnforcementMode="NotConfigured" /><RuleCollection Type="Msi" EnforcementMode="NotConfigured" /><RuleCollection Type="Script" EnforcementMode="NotConfigured" /></AppLockerPolicy>
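
A way to read a policy export like the one above, as an added example that is not part of the original post: it lists every rule per collection with its enforcement mode and marks Allow rules that sit beside a catch-all Deny, since in AppLocker a matching Deny rule takes precedence over any Allow rule. The function name and the sample policy (rule IDs, publisher and product names) are constructed for illustration.

```powershell
# Added example: summarise the XML produced by Get-AppLockerPolicy -Effective -Xml.
function Get-AppLockerRuleSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$PolicyXml
    )

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($PolicyXml)

    foreach ($collection in $doc.SelectNodes('/AppLockerPolicy/RuleCollection')) {
        $type  = $collection.GetAttribute('Type')
        $mode  = $collection.GetAttribute('EnforcementMode')
        $rules = @($collection.SelectNodes('*'))

        if ($rules.Count -eq 0) {
            # A collection without rules places no restriction on that file type.
            [pscustomobject]@{ Collection = $type; Mode = $mode; Action = '-'; Sid = '-'
                               Rule = '(no rules)'; CatchAll = $false; OverriddenByDeny = $false }
            continue
        }

        $parsed = foreach ($rule in $rules) {
            # Catch-all detection covers publisher and path conditions only.
            $pub  = $rule.SelectSingleNode('Conditions/FilePublisherCondition')
            $path = $rule.SelectSingleNode('Conditions/FilePathCondition')
            $catchAll = $false
            if ($null -ne $pub) {
                $catchAll = ($pub.GetAttribute('PublisherName') -eq '*') -and
                            ($pub.GetAttribute('ProductName')   -eq '*') -and
                            ($pub.GetAttribute('BinaryName')    -eq '*')
            } elseif ($null -ne $path) {
                $catchAll = ($path.GetAttribute('Path') -eq '*')
            }
            [pscustomobject]@{
                Collection = $type
                Mode       = $mode
                Action     = $rule.GetAttribute('Action')
                Sid        = $rule.GetAttribute('UserOrGroupSid')
                Rule       = $rule.GetAttribute('Name')
                CatchAll   = $catchAll
            }
        }

        # SIDs that have a Deny rule matching everything in this collection.
        $denyAllSids = @($parsed |
            Where-Object { $_.Action -eq 'Deny' -and $_.CatchAll } |
            ForEach-Object { $_.Sid })

        foreach ($r in $parsed) {
            # S-1-1-0 is Everyone, so a catch-all Deny for it covers every user.
            $overridden = ($r.Action -eq 'Allow') -and
                          (($denyAllSids -contains $r.Sid) -or ($denyAllSids -contains 'S-1-1-0'))
            $r | Add-Member -NotePropertyName OverriddenByDeny -NotePropertyValue $overridden -PassThru
        }
    }
}

# Constructed sample policy (placeholder IDs, publisher and product names).
$samplePolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000001" Name="Deny all packaged apps" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000002" Name="Example allowed app" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=EXAMPLE-PUBLISHER" ProductName="Example.App" BinaryName="*">
          <BinaryVersionRange LowSection="1.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@

Get-AppLockerRuleSummary -PolicyXml $samplePolicy | Format-Table -AutoSize
```

To run it against a live machine, pass the output of Get-AppLockerPolicy -Effective -Xml as -PolicyXml. AppLocker only evaluates rules on a client where the Application Identity service is running.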

Is there a secure way to change the password for the local administrator account on multiple machines?


Is there a secure way to change the password for the local administrator account on multiple machines?

I was thinking to change the password for the local administrator account without scripting.

Then I found this way with GPP, nice.. easy to administrate

http://blogs.technet.com/b/jratsch/archive/2009/03/27/how-to-change-the-password-for-the-local-administrator-account-on-multiple-machines-the-easy-way-without-scripting.aspx

but it has an exploit... so bad

Auto-Gpppassword.ps1
https://github.com/roo7break/PowerShell-Scripts/tree/master/auto-gpppassword/

I would like to not use a script, so what to do?

Third-party add-on

https://synergixdesk.zendesk.com/entries/23775318-Test-Scenario-Managing-Built-In-Administrator-Account-Password

or

We have SCCM 2012; use that to deploy a script that runs on a schedule?


/SaiTech
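
A defensive check for the exposure mentioned in the post above, as an added example that is not part of the original post: Group Policy Preferences keeps a password it sets in a `cpassword` attribute inside XML files on SYSVOL, which domain users can read, so an audit can list where such values still exist. The function name, the sample files and their placeholder values are constructed for illustration, and the list of account attribute names is an assumption.

```powershell
# Added example: list GPP XML files under a SYSVOL Policies tree that contain a
# stored password (a non-empty cpassword attribute). The value is never printed.
function Find-GppStoredPassword {
    [CmdletBinding()]
    param(
        # Root to scan, e.g. \\<domain>\SYSVOL\<domain>\Policies (placeholder).
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # Attributes that name the affected account; which one is present depends
    # on the preference type (assumption, not an exhaustive list).
    $accountAttributes = 'userName', 'accountName', 'runAs'

    Get-ChildItem -LiteralPath $Path -Recurse -File -Filter '*.xml' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $doc  = New-Object System.Xml.XmlDocument
            try {
                $doc.Load($file.FullName)
            } catch {
                Write-Warning "Skipping unparsable XML: $($file.FullName)"
                return   # continue with the next file
            }

            # Any element carrying a non-empty cpassword attribute.
            foreach ($node in $doc.SelectNodes('//*[string-length(@cpassword) > 0]')) {
                $account = $accountAttributes |
                    ForEach-Object { $node.GetAttribute($_) } |
                    Where-Object { $_ } |
                    Select-Object -First 1

                [pscustomobject]@{
                    File        = $file.FullName
                    Preference  = $node.ParentNode.LocalName   # e.g. User, Drive
                    Account     = $account
                    LastWritten = $file.LastWriteTime
                }
            }
        }
}

# --- Constructed sample data: simplified GPP files with placeholder values ---
$root   = Join-Path ([System.IO.Path]::GetTempPath()) ("gpp-audit-" + [guid]::NewGuid())
$groups = Join-Path $root 'Policies\{CONSTRUCTED-GPO-GUID}\Machine\Preferences\Groups'
$drives = Join-Path $root 'Policies\{CONSTRUCTED-GPO-GUID}\User\Preferences\Drives'
New-Item -ItemType Directory -Path $groups, $drives -Force | Out-Null

# Stores a password for the built-in Administrator: should be reported.
Set-Content -LiteralPath (Join-Path $groups 'Groups.xml') -Value @'
<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" userName="Administrator (built-in)" cpassword="CONSTRUCTED-PLACEHOLDER" />
  </User>
</Groups>
'@

# Drive mapping without stored credentials: should not be reported.
Set-Content -LiteralPath (Join-Path $drives 'Drives.xml') -Value @'
<Drives>
  <Drive name="N:">
    <Properties action="U" path="\\server\share" userName="" cpassword="" letter="N" />
  </Drive>
</Drives>
'@

Find-GppStoredPassword -Path $root | Format-List
Remove-Item -LiteralPath $root -Recurse -Force
```

Microsoft's MS14-025 update stops the Group Policy tools from saving new passwords this way but does not remove values already in SYSVOL, so every file this reports needs the preference item removed and the affected password changed.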

Added PolicyDefinitions folder to add admx files, but other policies disappeared


I'm trying to add the admx files for Office 2013 (will try for 2010 later).  I followed the support article on how to create the PolicyDefinitions folder, and then copy the en-us directory and admx files in to that folder.

When I open the editor to make changes, the old policies are gone.  I only list policies for Office2013 (Outlook doesn't even show up).

Am I missing an important step here?

Software installer through GPO- without having user logon or restart the machine


Hello,

Is it possible to have a GPO perform an install of office 2012 while the user is logged in as a local administrator? I am trying to figure out if you can have software installed while not having the machine restart or having the user log in with a domain account.

Is this possible, or is startup\logon the only way to get the installation to kick off?

ADMX: Create DWORD value from Listbox Element


Hi,

I'm trying to create an SNMP ADMX (based off the MS-provided one) to provide me with the ability to distribute read-write communities (the MS-bundled ADMX won't do this).  All looks great, except the listbox is writing REG_SZ values to the registry instead of DWORDs - which means it doesn't work.  Below is the ADMX code.

Is there any way to get an explicitValue listbox to output DWORDS?

Any assistance would be much appreciated!

<?xml version="1.0" encoding="utf-8"?><!--  (c) 2006 Microsoft Corporation  --><policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"><policyNamespaces><target prefix="TEST-snmp" namespace="TEST.Policies.SNMP" /><using prefix="windows" namespace="Microsoft.Policies.Windows" /></policyNamespaces><resources minRequiredRevision="1.0" /><categories><category name="SNMP_TEST" displayName="$(string.SNMP_TEST)"><parentCategory ref="windows:Network" /></category></categories><policies><policy name="SNMP_Communities" class="Machine" displayName="$(string.SNMP_Communities)" explainText="$(string.SNMP_ValidCommunities_Help)" presentation="$(presentation.SNMP_Communities)" key="Software\Policies\SNMP\Parameters"><parentCategory ref="SNMP_TEST" /><supportedOn ref="windows:SUPPORTED_WindowsXP" /><elements><list id="SNMP_CommunitiesListbox" key="Software\Policies\SNMP\Parameters\ValidCommunities" explicitValue="true" /></elements></policy><policy name="SNMP_PermittedManagers" class="Machine" displayName="$(string.SNMP_PermittedManagers)" explainText="$(string.SNMP_PermittedManagers_Help)" presentation="$(presentation.SNMP_PermittedManagers)" key="Software\Policies\SNMP\Parameters"><parentCategory ref="SNMP_TEST" /><supportedOn ref="windows:SUPPORTED_WindowsXP" /><elements><list id="SNMP_PermittedManagersListbox" key="Software\Policies\SNMP\Parameters\PermittedManagers" valuePrefix="" /></elements></policy><policy name="SNMP_Traps_Public" class="Machine" displayName="$(string.SNMP_Traps_Public)" explainText="$(string.SNMP_TrapDestinations_Help)" presentation="$(presentation.SNMP_Traps_Public)" key="Software\Policies\SNMP\Parameters"><parentCategory ref="SNMP_TEST" /><supportedOn ref="windows:SUPPORTED_WindowsXP" /><elements><list id="SNMP_Traps_PublicListbox" 
key="Software\Policies\SNMP\Parameters\TrapConfiguration\public" valuePrefix="" /></elements></policy></policies></policyDefinitions>

Cheers,

Ben.



GPO to disable hibernation on Windows 7 not working


We have set a power plan for Windows 7 with sleep and hibernate after set to "0."

This works to the extent that the machines stay running online all day and never sleep or hibernate automatically.

However, hibernation is not truly disabled because the hibernate file of several gigs remains and even if we run the command powercfg /h off, it deletes the file for a moment, but the file is recreated within seconds.  We cannot remove the file permanently.

The shutdown menu still shows the sleep and hibernation options even though the machines never hibernate based on a time limit.

How can we disable hibernate in a way so the hiberfil.sys file goes away permanently and the workstation cannot hibernate at all?

Everywhere I find in a web search says run the command powercfg -h off or powercfg.exe /h off and that is not the solution for us because the hibernation file comes right back.  That command is not a permanent solution.

GPO to install software Windows Installer Package how does it know the software is already installed?


Hello,

I have an exe that installed Sophos. I will need to convert this to a .msi, a Windows Installer package.

If I use the software installation in GPO, is there a way to have the software installed without a logon\logoff or a restart? Also, how does it know that the software is already installed and doesn't keep installing it every time someone reboots?


Allowing Java Updater to run while using SRP/ The use of wildcards in a UNC path


Recently I have deployed Software Restriction Policies to block certain paths from being able to run *.EXEs . 

I have found this to be extremely successful and easy to manage with one exception: Java

Here is what I have implemented as of now. 

Please disregard Spotify being allowed. It is a client network, so I lost that battle. 

The current rule for Java works like a champ. The only problem with this is that Java changes its updater name with every version pushed out. So here is the question... How do I allow Java in such a way that I don't have to add an exemption for each version? (I know I can do this ahead of time, but with a great number of clients this isn't a practical solution. Neither do I want more than a couple rules for one program)

I have tried using wildcards to no avail. It seems the wildcards don't work as I would think they would. The following is a small sample of what I have tried. 

%userprofile%\appdata\local\Temp\jre-*.exe

%userprofile%\appdata\local\Temp\jre*.exe

%userprofile%\appdata\local\Temp\jre*-windows-i586-iftw.exe

%userprofile%\appdata\local\Temp\jre-?u??-windows-i586-iftw.exe

%userprofile%\appdata\local\Temp\jre???????????????????????.exe 

At this point I understand it may not be possible, but I figured I would bring it to the forum to get some over-sized brains together.

Obviously this is a response to CryptoLocker, Zeus and the others. If I can't find a way to dynamically allow certain programs like this I may just use the zipped folder paths, and scrap the rest. It seems that the main point of infection for my clients is the fraudulent emails (not the compromised sites), which generally encapsulate their EXEs in zipped folders.

Thanks in advance!

Remote GPupdate not working - The remote procedure call was cancelled


Hi everyone!

I'm trying to do a remote gpupdate of my XP clients in our 2012 AD domain, but it's giving me the "The RPC was cancelled" 8007071a error. For some machines I get the error "access denied".

Another problem I'm having is that, when I do a gpupdate on the clients, the correct GPOs are only being applied from my secondary DC. When he "receives" the GPOs from the PDC, it seems that nothing is happening (wrong GPOs, etc.)

I checked the DFS health and created new GPOs to verify the replication (OK)

Can anyone help me with these issues?

Thanks a lot!

Group policy to control IE Compatibility view setting in IE 11 ?


I have a policy enabled for "Display all websites in Compatibility view" in my environment. This policy works up to IE 10, but for IE 11 it is not taking effect. I have read through some blogs and understand that this policy has been removed. Also, there is no option in IE 11 itself for this setting.

So how do I achieve this for IE 11? Please help. Any suggestions?

Also, I have one more policy in place, "Turn on Internet Explorer Standards Mode for Local Intranet", to display intranet websites in compatibility mode; this also only works up to IE 10, I guess. But this option is present in the IE 11 compatibility settings, unlike the first one.

How do I enable compatibility sites for IE 11? Please help.



Create Group Policy - Drive Mappings via Script?

Logon script issue for windows 8


I get the following error. The same GPO works well for other computers (Win XP, 7, 2008). Test1.bat is a simple script to copy a file to the system32 or SysWOW64 folder based on architecture. It does copy the file when I run the code manually from the Win 8 computer but not through GPO.

----------------------------------------------------------------------------------------------------------------------------------------------

Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 12/18/2013 12:53:13 PM
Event ID: 1130
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: LA1008.test.domain.com
Description:
Startup script failed.
GPO Name : GP_WP_Test
GPO File System Path : file://test.domain.com/SysVol/test.domain.com/Policies/%<GUID>%7D/Machine)
Script Name: Test1.bat

----------------------------------------------------------------------------------------------------------------------------------------------

Test1.bat content is following..

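if "%PROCESSOR_ARCHITECTURE%"=="AMD64" goto 64BIT

REM 32-bit OS: copy into system32, then stop so execution does not fall through to :64BIT
IF NOT EXIST "%windir%\system32\test.ini" COPY \\Server\test\test.ini "%windir%\system32"
goto :EOF

:64BIT
REM 64-bit OS: copy into SysWOW64
IF NOT EXIST "%windir%\SysWOW64\test.ini" COPY \\Server\test\test.ini "%windir%\SysWOW64"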


-Edatha-


