Channel: Group Policy forum

Default printer resetting after reboot in Windows 7 x64


I'm managing a domain with roughly 450 clients, all running Windows 7 Ent x64, and about 50 printers. All clients have the same desktop image, with the exception of a few desktops that need special additional software. I push out printers via GPO and it was running fine until recently. The client PC would reset its default printer every time the PC reboots or logs off. At first there were only a handful, and now it has spread so that almost half of the PCs are affected by this problem. I've tried different approaches, even completely rewriting the GPOs, with no success. The PC would reset to either PDFCreator or OneNote or XPS or Fax. I found that if I re-image the client desktop the default printer would remain default, but I'm keeping that as the last option since it involves migrating data and would probably consume a whole lot of time (200+ affected PCs). Any leads or suggestions are much appreciated; my clients are not happy and they are chewing me alive :)

 

I must add that setting the default printer via GPO is not an option for me, since people in different groups or branches are sharing the same building/floor.


Missing group membership when running gpresult


Hi,

I'm currently testing a group policy that has security filtering to deny AGP on a particular group. I've added a user to that group; however, when running gpresult, the group is not listed under "The user is a part of the following security groups:". Replication seems to be OK - I've tried running gpresult on a different computer and all groups show up there, except on this one server. I tried adding the user to another test group, but it also doesn't show up.

Would really appreciate your help.

Thanks.

Add Password in IE using GPO


Hello there

We're using a service hosted by another company via https.

I'd like to push the credentials for this website to users via GPO, as if they had entered them and used "remember password" (the credentials are remembered on the client, and we only have to click in a field to autocomplete the fields).

This is so that clients do not know the interface credentials and are not able to access the service from outside our company premises (their home, for example).

Is it possible to do this?

Thanks in advance

Nicolas

2008R2 IE 11 Group Policy Preference Proxy Configuration Issues


I've been mulling this problem over for a while and I finally have to accept I can't use IE Maintenance anymore for managing proxy settings. I've been reading up on how to make Server 2008 R2 work with GPP settings for IE 9 - 11. Everything I've read says I need to install the .admx files (link below) or install IE 10+ to get the IE Preferences to show up for 9, 10, and 11. But when I look at my .admx files in %systemroot%/PolicyDefinitions, it has the exact same .admx file that I downloaded from the Admin Templates. I cannot see the policy preferences for IE 9, 10, or 11 and need these options so I can configure a proxy server. How do I go about getting these preferences to become available in Server 2008 R2 SP 1?

#admx link

http://www.microsoft.com/en-us/download/details.aspx?id=36991

Note that I also tried the following to manually add support while testing but it didn't help me:

Open up the policy, and create an IE8 Preference: User Configuration --> Preferences --> Control Panel Settings --> Internet Settings --> New --> Internet Explorer 8 -> Set your proxy settings


Navigate to C:\Windows\SYSVOL\domain\Policies was an easier route, then sort by date for the recently created IE entry.

Navigate to User\Preferences\InternetSettings

Open up the "InternetSettings.xml file, and change the MAX value to something above 10.0.0.0 (I usually put 10.5.0.0). This way, the policy won't trip up later on if IE 11 comes out and doesn't support any of these policies, but at least you'll be safe until 10.5.0, or until a hotfix is available. "

max="10.5.0.0"



Turn off Auto Detect Settings in IE using GPO


As a follow-up on some kind of bug in SharePoint ( http://social.technet.microsoft.com/Forums/en/sharepointgeneral/thread/f3dbe651-be99-491b-8c6c-fc4792ae0b22 ) I need to turn off Auto detect settings in IE on all my clients, as this speeds up SharePoint on many clients.

 

"The Internet Explorer Maintenance settings can be set in two modes: policy mode (to enable by Computer Configuration\Administrative Templates\System\Group Policy\Internet Explorer Maintenance policy processing) or preference mode (to enable by right-clicking Internet Explorer Maintenance)." (snipped from http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/57d81da5-de30-4930-8649-197d204b2a6c )


Well, I have a problem configuring Automatically detect settings. I have no trouble changing other parts of the same policy (changes are applied to all my computers), e.g. trusted sites and such. However, I cannot turn off Auto Detect settings. I wonder if unchecking Auto Detect Settings really means "no change"/unconfigured?

Is the only option then to use a hardcoded reg change?
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\ControlPanel\Autoconfig ?

Windows 8 and IE10 not accepting Proxy Settings via Group Policy


We have recently introduced a couple of Windows 8 computers in our network, and we are having issues applying the Internet Explorer Proxy Server settings.

We use a Microsoft TMG 2010 server as our proxy server for accessing the internet. We have been using a GPO with the following settings to automatically configure our Windows 7 computers running IE9 with the appropriate Proxy settings:

User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Connection/Proxy Settings

  • “Enable Proxy Settings” : Checked
  • “Address of proxy” : server.domain.local
  • “Port” : 8080
  • “Use the same proxy server for all addresses” : Checked
  • “Exceptions” : Here we have a list of several internal or partner sites that should not be proxied.

This GPO has worked beautifully for our Windows XP and Windows 7 users with IE 7, 8 and 9. Now with Windows 8 and IE10, this no longer works. I’ve therefore added a Windows Server 2012 Domain Controller to the network, and using GPMC on that new DC, I created a new GPO with the following settings:

User Configuration\Preferences\Control Panel Settings\Internet Settings\Internet Explorer 10

Now, seeing as these are preferences, it’s a little different.  But, I’ve “checked off” the option “Use a proxy server for your LAN” as well as “Bypass proxy server for local addresses”. Then I click on “Advanced” and setup all my proxy settings the way I would like them, including the proxy server name, port and exceptions list.

When this new group policy gets applied to my Windows 8 PC, the only setting that gets applied is the “Use a proxy server for your LAN”. It does not configure the name or port of the proxy server nor does it configure the exceptions list. If I go back to the GPMC, and edit the new GPO, the settings are all there. However, if I just view the settings from the main GPMC screen (without opening the GPO itself), I don’t see all of those settings (again, only the one “Use a proxy server…”)

What am I missing???

GPP Shortcuts using Mapped Drive Paths

I have been using Group Policy Preferences to map drives to a network share. I then have a number of shortcuts created to items on that network share using the fixed drive letter.

So for example Shortcut1 points to L:\program\program.exe.  Mapped drives were used rather than unc paths for a number of reasons.

This works correctly with XP SP3.

On a Win7 client the shortcuts are not created and the event log shows:

'0x80070002 The system cannot find the file specified.'

I'm guessing the order in which the preferences are applied may have changed in Win7?

App Data Folder Redirection Not working


Hi,

 I'm trying to redirect the appdata folder for users due to a performance impact on network file shares. Currently we have AppData redirected to:

\\filerserver\Redirect$\%username%\

 I've modified the GPO User config\Policies\Windows Settings\Folder Redirection\App Data Roaming. I have the following configured:

Target
Basic - Redirect everyone's folder to the same location
Target folder location - redirect to the local userprofile location

Settings
Grant user exclusive rights to AppData(Roaming)
Move the contents of AppData to the new location

Policy Removal
Redirect the folder back to the local profile when policy is removed

The issue I have is that my GPO redirect settings do not work for end users straight away; I have to delete the local user profile first using the computer properties remove profile GUI tool. Once I do that, log in with my test user and then browse %AppData%, the folder redirection has worked.

1. Why is this, and does anyone know how to get around the need to delete the user profile?

2. Not all of the AppData folders are copied from the roaming location on \\fileserver to the local profile (c:\users\), which causes a loss of settings (i.e. Outlook config and printers). I'm not using roaming profiles and I don't know how the GPO would even know where to copy the user's roaming data from.

Thanks in advance


Certificate enrollment web service GPO enablement failure


2012 Std R2

Added certificate authority role with web services

configuring via library hh831625

I have verified that IIS has the default site ADPolicyProvider_CEP_Kerbos and I copied the URI https://<server>/ADPolicyProvider_CEP_Kerbos/service.svc/CEP

I added a domain GPO per directions Certificate Enrollment Policy Web Services. I am editing the GPO for Computer->Policies->Windows Settings-> Security Settings->Public Key Policies. I double click Certificate Services Client - Certificate Enrollment Policy. I enable the policy and ADD certificate enrollment policy list. I paste the above URI, Authentication type is "Windows Integrated". When I validate server I get the following error:

An error occurred while obtaining certificate enrollment policy

URI:https://<server>/ADPolicyProvider_CEP_Kerbos/services.svc/CEP

Error: The remote endpoint does not exist or could not be located. 0x803d00d (-21434855939 WS_E_ENDPOINT_NOT_FOUND)

Help with this final validation is appreciated. Logged on as administrator with domain admin rights and enterprise Admins rights


John Lenz

Stick DNS Setting by GPO


Hi,

I want to restrict users from connecting their laptops directly to (DSL / free) internet via LAN or wireless.

We have to have DHCP enabled on all laptops by company policy.

I think by sticking the DNS setting on all connections we can achieve this, but I could not find any policies related to this.

Please advise.

IE 10 GPO Template


Hello all,

As I understand it, the Internet Explorer Maintenance Package with IE 10 is being discontinued. The issue I am running into is I downloaded the ADM in order to load the latest IE group policy template but I still have the IE 8 ADM loaded up as IE 8 is still in production in this environment with settings that are still in use under the maintenance window so I cannot just go ahead and replace that older template at the current time. I just want to test drive the new one. Is this possible to have both of these ADMs loaded up without any conflicts? Or should I just load up the IE 10 ADM once we have migrated everything over to IE 10? How is it possible to just test the IE 10 template without disrupting current operations?

Removing mapped drives created by GPP when a user is removed from a security group

I created a GPP to map a drive targeted to a specific group. I add my test user to the group and log him in, and the drive map appears. However, when I remove him from the group, the drive map remains but the user does not have permissions to browse the map. I'm used to logon scripts using "net use" and "ifmember" commands to accomplish this with no issue. How can I obtain the same behavior using GPP? I tried unchecking the reconnect option, create/update/replace, etc., to no avail.

GPO to install software Windows Installer Package how does it know the software is already installed?


Hello,

I have an exe that installs Sophos. I will need to convert this to an .msi, a Windows Installer package.

If I use software installation in a GPO, is there a way to have the software installed without a logon\logoff or a restart? Also, how does it know that the software is already installed, so that it doesn't keep installing it every time someone reboots?

GPO to disable hibernation on Windows 7 not working


We have set a power plan for Windows 7 with sleep and hibernate after set to "0."

This works to the extent that the machines stay running online all day and never sleep or hibernate automatically.

However, hibernation is not truly disabled because the hibernate file of several gigs remains and even if we run the command powercfg /h off, it deletes the file for a moment, but the file is recreated within seconds.  We cannot remove the file permanently.

The shutdown menu still shows the sleep and hibernation options even though the machines never hibernate based on a time limit.

How can we disable hibernate in a way so the hiberfil.sys file goes away permanently and the workstation cannot hibernate at all?

Everywhere I find in a web search says to run the command powercfg -h off or powercfg.exe /h off, and that is not the solution for us because the hibernation file comes right back. That command is not a permanent solution.

Blocking USB through GPO & excluding certain users


Hi,

I am looking to block USB devices on our Win 2008R2 SP1 server. I am already aware of the GPO policy "\User Configuration\Policies\Administrative Templates\System\Removable Storage Access" and it's working perfectly here.

There are only a few concerns, as below.

1: I want to exclude certain users/groups from this policy.

2: All other rules/policies in the original "default domain controller policy" should be applied to everyone, like PW policies, WSUS policies etc.


Thanks,

Sandesh



Windows 8.1 Users able to install Windows Store Apps


Hello,

I have a Group Policy object configured to only allow certain apps from the Windows store.  But, I have just discovered today that users are able to install any app on their workstations.

I have run Get-AppLockerPolicy -Effective -Xml on my machine and have pasted the result below. It appears to me that the policy is "Enforced" and it is my understanding that if you put a single Allow policy in place, anything that is not 'allowed' should be blocked. I also created a default Deny rule as a test measure today but all apps are still able to install and run.

Any assistance in figuring out how to block Apps will be greatly appreciated,

<AppLockerPolicy Version="1"><RuleCollection Type="Appx" EnforcementMode="Enabled"><FilePublisherRule Id="19b8c144-462c-418a-9855-95310e1ec45d" Name="All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Deny"><Conditions><FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"><BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="1489bc3c-7d6a-4009-803a-c7774cb97c10" Name="The New York Times App" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=2F92D1C2-F1CF-4B70-B356-ED490ADEC791" ProductName="TheNewYorkTimes.TheNewYorkTimes" BinaryName="*"><BinaryVersionRange LowSection="*" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="151b732a-0f73-4d31-b1e5-250d28748f8e" Name="Microsoft ZuneVideo signed by Microsoft Corporation" Description="Microsoft ZuneVideo signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.ZuneVideo" BinaryName="*"><BinaryVersionRange LowSection="2.2.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="37c046b4-afa9-4bd9-aa24-959583c57576" Name="Microsoft SkypeApp signed by Skype" Description="Microsoft SkypeApp signed by Skype" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Skype Software Sarl, O=Microsoft Corporation, L=Luxembourg, S=Luxembourg, C=LU" ProductName="Microsoft.SkypeApp" BinaryName="*"><BinaryVersionRange LowSection="2.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="3f1e6a80-0e7f-443f-bbe7-6fcee9288e7c" 
Name="Microsoft MoCamera signed by Microsoft Corporation" Description="Microsoft MoCamera signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MoCamera" BinaryName="*"><BinaryVersionRange LowSection="6.3.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="446042cd-64c5-4bbd-ad50-c0d69880e1d5" Name="TD Ameritrade" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=71B8AF03-F191-474C-817D-F57BF8D52E5D" ProductName="TDAmeritradeMobileLLC.TDAmeritrade" BinaryName="*"><BinaryVersionRange LowSection="1.1.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="584defc8-4071-46bd-bc47-0d3ee29e2375" Name="The Economist" Description="TheEconomistNewspaper.TheEconomistonWindows, from The Economist Newspaper" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=6F36EE64-F85C-4AFB-8ABB-A3EA7D54FDBC" ProductName="TheEconomistNewspaper.TheEconomistonWindows" BinaryName="*"><BinaryVersionRange LowSection="*" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="5b42e54e-bb5b-44bc-aead-bc8bf5ecf732" Name="Microsoft Winstore signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="winstore" BinaryName="*"><BinaryVersionRange LowSection="1.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="7963bb10-70ec-46d4-92b7-3478463c7237" Name="Citrix GoToMeeting signed by Citrix" Description="" UserOrGroupSid="S-1-1-0" 
Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=AA827FA5-A4F1-46AD-BB20-8A79D9C08518" ProductName="D50536CD.GoToMeeting" BinaryName="*"><BinaryVersionRange LowSection="1.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="84d1fa6b-f45c-46c9-9a49-ce9f22ce5a53" Name="Evernote" Description="Packaged app: Evernote.Evernote signed by Evernote" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=DCD4AC3C-C7E0-46FF-8387-51FDC8CBC467" ProductName="Evernote.Evernote" BinaryName="*"><BinaryVersionRange LowSection="2.1.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="8b836e78-c7e7-423e-a779-23537689a960" Name="Microsoft HelpAndTips signed by Microsoft Corporation" Description="Microsoft.HelpAndTips signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.HelpAndTips" BinaryName="*"><BinaryVersionRange LowSection="6.3.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="a02a399a-c4eb-4f23-a6fe-581c5335a08c" Name="Financial Times" Description="FinancialTimes.FinancialTimes, from Financial Times" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=369E114A-516A-4C8F-A9BB-34AB93BF9A6C" ProductName="FinancialTimes.FinancialTimes" BinaryName="*"><BinaryVersionRange LowSection="*" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="a4604690-70a0-4fd9-ab63-d356815c0690" Name="Microsoft ZuneMusic signed by Microsoft Corporation" Description="Microsoft ZuneMusic signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Corporation, 
O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.ZuneMusic" BinaryName="*"><BinaryVersionRange LowSection="2.2.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="b6d42f3c-5e41-49ce-bb0a-3b10cd97f266" Name="Wall Street Journal" Description="DBA50444.53881C1868EDA, version 2.1.0.0 and above, from Dow Jones &amp; Company, Inc." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=6827DD24-1114-4F7D-8EF4-DB7F587FD8E4" ProductName="DBA50444.53881C1868EDA" BinaryName="*"><BinaryVersionRange LowSection="2.1.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="b87497c5-0212-4ce9-b516-e7f30f15d041" Name="Microsoft Bing Weather" Description="Microsoft.BingWeather signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BingWeather" BinaryName="*"><BinaryVersionRange LowSection="3.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="ba8198f5-b3e1-4a2b-a0da-338421e3c3de" Name="Microsoft Windows SoundRecorder signed by Microsoft Corporation" Description="Microsoft WindowsSoundRecorder signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsSoundRecorder" BinaryName="*"><BinaryVersionRange LowSection="6.3.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="bbad875a-41c9-451c-bf59-42e43db5ecb6" Name="Microsoft Windows immersivecontrolpanel signed by Microsoft Corporation" Description="Microsoft windows.immersivecontrolpanel signed by Microsoft Corporation" 
UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="windows.immersivecontrolpanel" BinaryName="*"><BinaryVersionRange LowSection="6.2.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="cad22c08-788c-43c2-915b-0a18a88626a3" Name="Microsoft Windows Alarms signed by Microsoft Corporation" Description="Microsoft WindowsAlarms signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsAlarms" BinaryName="*"><BinaryVersionRange LowSection="6.3.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="ccf05b01-2c83-414d-b002-f9b08dedad86" Name="Microsoft Windows ReadingList signed by Microsoft Corporation" Description="Microsoft WindowsReadingList signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsReadingList" BinaryName="*"><BinaryVersionRange LowSection="6.3.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="d43e619a-5b1a-418a-983a-8c81bb3e9dd0" Name="Microsoft Windows Calculator signed by Microsoft Corporation" Description="Microsoft WindowsCalculator signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsCalculator" BinaryName="*"><BinaryVersionRange LowSection="6.3.0.0" HighSection="*" 
/></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="e27bc9a4-3503-42df-8468-8acf590f7133" Name="Aljazeera" Description="65224AljazeeraMediaNetwor.AlJazeera, version 1.0.0.0 and above, from Aljazeera Media Network" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=FFE13013-57F2-495F-AA95-33EC1F5CA210" ProductName="65224AljazeeraMediaNetwor.AlJazeera" BinaryName="*"><BinaryVersionRange LowSection="1.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="e2a158c0-344a-465b-b790-07eda53b10fa" Name="Microsoft Bing Finance" Description="Microsoft.BingFinance signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BingFinance" BinaryName="*"><BinaryVersionRange LowSection="3.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="ed42e8c9-dfc1-4c6c-8501-87d6a8ae2a9f" Name="Microsoft Reader signed by Microsoft Corporation" Description="Microsoft.Reader signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Reader" BinaryName="*"><BinaryVersionRange LowSection="6.3.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="f1702d41-6c0d-495f-a965-0e9c9333d60f" Name="Amazon Kindle" Description="AMZNMobileLLC.KindleforWindows8 signed by AMZN Mobile LLC" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=2C9A58C0-E6B3-4889-8D46-5C3C1A2D0836" ProductName="AMZNMobileLLC.KindleforWindows8" BinaryName="*"><BinaryVersionRange LowSection="2.1.0.0" HighSection="*" 
/></FilePublisherCondition></Conditions></FilePublisherRule><FilePublisherRule Id="f1b8aa67-1b82-486a-8f9c-3b4d446487f0" Name="Flipboard" Description="Flipboard.Flipboard, version 2.0.0.0 and above, from Flipboard" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="CN=E7268B71-AD1D-4F1F-BD8B-1F3D76F6C653" ProductName="Flipboard.Flipboard" BinaryName="*"><BinaryVersionRange LowSection="2.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions></FilePublisherRule></RuleCollection><RuleCollection Type="Dll" EnforcementMode="NotConfigured" /><RuleCollection Type="Exe" EnforcementMode="NotConfigured" /><RuleCollection Type="Msi" EnforcementMode="NotConfigured" /><RuleCollection Type="Script" EnforcementMode="NotConfigured" /></AppLockerPolicy>
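For readers working through an export like the one above, the following added example (not part of the original post, and not Microsoft's code) models how AppLocker resolves Appx publisher rules: a matching Deny rule wins over any Allow rule, and a package that matches no Allow rule is blocked. The policy is a constructed two-rule excerpt shaped like the posted XML; the function names and the "Example.UnlistedApp" package are hypothetical, and rule exceptions are not modelled.

```powershell
# Constructed excerpt: the wildcard Deny rule and one Allow rule, same shape as the post's export.
[xml]$policy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="19b8c144-462c-418a-9855-95310e1ec45d" Name="All signed packaged apps" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="ed42e8c9-dfc1-4c6c-8501-87d6a8ae2a9f" Name="Microsoft Reader signed by Microsoft Corporation" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Reader" BinaryName="*">
          <BinaryVersionRange LowSection="6.3.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# "*" in a version bound means "unbounded"; map it to the supplied extreme.
function ConvertTo-VersionBound {
    param([string]$Text, [version]$IfWildcard)
    if ($Text -eq '*') { return $IfWildcard }
    return [version]$Text
}

# True when publisher, product and version all fall inside one FilePublisherCondition.
function Test-PublisherCondition {
    param([System.Xml.XmlElement]$Condition, [string]$Publisher, [string]$Product, [version]$Version)
    $pub  = $Condition.GetAttribute('PublisherName')
    $prod = $Condition.GetAttribute('ProductName')
    if ($pub  -ne '*' -and $pub  -ne $Publisher) { return $false }
    if ($prod -ne '*' -and $prod -ne $Product)   { return $false }
    $range = $Condition.SelectSingleNode('BinaryVersionRange')
    $low   = ConvertTo-VersionBound -Text $range.GetAttribute('LowSection')  -IfWildcard ([version]'0.0.0.0')
    $high  = ConvertTo-VersionBound -Text $range.GetAttribute('HighSection') -IfWildcard ([version]'65535.65535.65535.65535')
    return (($Version -ge $low) -and ($Version -le $high))
}

# Resolve one package against the Appx collection: Deny first, then Allow, else implicit block.
function Get-AppxDecision {
    param([xml]$Policy, [string]$Publisher, [string]$Product, [version]$Version,
          [string[]]$UserSids = @('S-1-1-0'))   # SIDs the user holds; Everyone by default
    $collection = $Policy.SelectSingleNode("/AppLockerPolicy/RuleCollection[@Type='Appx']")
    $rules = @()
    if ($null -ne $collection) { $rules = @($collection.SelectNodes('FilePublisherRule')) }
    if ($rules.Count -eq 0) {
        return [pscustomobject]@{ Decision = 'NoRules'; Rule = $null; Mode = $null }
    }
    $hits = @(foreach ($rule in $rules) {
        if ($UserSids -notcontains $rule.GetAttribute('UserOrGroupSid')) { continue }
        foreach ($cond in $rule.SelectNodes('Conditions/FilePublisherCondition')) {
            if (Test-PublisherCondition -Condition $cond -Publisher $Publisher -Product $Product -Version $Version) {
                [pscustomobject]@{ Name = $rule.GetAttribute('Name'); Action = $rule.GetAttribute('Action') }
                break
            }
        }
    })
    $deny  = $hits | Where-Object { $_.Action -eq 'Deny' }  | Select-Object -First 1
    $allow = $hits | Where-Object { $_.Action -eq 'Allow' } | Select-Object -First 1
    if ($deny)      { $decision = 'Denied';  $by = $deny.Name }
    elseif ($allow) { $decision = 'Allowed'; $by = $allow.Name }
    else            { $decision = 'Denied';  $by = '(no matching Allow rule)' }
    [pscustomobject]@{ Decision = $decision; Rule = $by; Mode = $collection.GetAttribute('EnforcementMode') }
}

$reader = @{ Publisher = 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
             Product   = 'Microsoft.Reader'; Version = '6.3.0.0' }
$other  = @{ Publisher = 'CN=EXAMPLE-PUBLISHER'; Product = 'Example.UnlistedApp'; Version = '1.0.0.0' }  # hypothetical package

# With the wildcard Deny rule present, both packages resolve to Denied by that rule.
Get-AppxDecision -Policy $policy @reader
Get-AppxDecision -Policy $policy @other

# Remove the wildcard Deny rule and evaluate again: the listed app is allowed, the unlisted one is still blocked.
$denyAll = $policy.SelectSingleNode("//FilePublisherRule[@Action='Deny']")
[void]$denyAll.ParentNode.RemoveChild($denyAll)
Get-AppxDecision -Policy $policy @reader
Get-AppxDecision -Policy $policy @other
```

The model covers rule matching only; it does not tell you whether the policy is actually being enforced on a given machine.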

ADMX: Create DWORD value from Listbox Element


Hi,

I'm trying to create an SNMP ADMX (based on the MS-provided one) to provide me with the ability to distribute read-write communities (the MS-bundled ADMX won't do this). All looks great, except the listbox is writing REG_SZ values to the registry instead of DWORDs - which means it doesn't work. Below is the ADMX code.

Is there any way to get an explicitValue listbox to output DWORDS?

Any assistance would be much appreciated!

<?xml version="1.0" encoding="utf-8"?><!--  (c) 2006 Microsoft Corporation  --><policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"><policyNamespaces><target prefix="TEST-snmp" namespace="TEST.Policies.SNMP" /><using prefix="windows" namespace="Microsoft.Policies.Windows" /></policyNamespaces><resources minRequiredRevision="1.0" /><categories><category name="SNMP_TEST" displayName="$(string.SNMP_TEST)"><parentCategory ref="windows:Network" /></category></categories><policies><policy name="SNMP_Communities" class="Machine" displayName="$(string.SNMP_Communities)" explainText="$(string.SNMP_ValidCommunities_Help)" presentation="$(presentation.SNMP_Communities)" key="Software\Policies\SNMP\Parameters"><parentCategory ref="SNMP_TEST" /><supportedOn ref="windows:SUPPORTED_WindowsXP" /><elements><list id="SNMP_CommunitiesListbox" key="Software\Policies\SNMP\Parameters\ValidCommunities" explicitValue="true" /></elements></policy><policy name="SNMP_PermittedManagers" class="Machine" displayName="$(string.SNMP_PermittedManagers)" explainText="$(string.SNMP_PermittedManagers_Help)" presentation="$(presentation.SNMP_PermittedManagers)" key="Software\Policies\SNMP\Parameters"><parentCategory ref="SNMP_TEST" /><supportedOn ref="windows:SUPPORTED_WindowsXP" /><elements><list id="SNMP_PermittedManagersListbox" key="Software\Policies\SNMP\Parameters\PermittedManagers" valuePrefix="" /></elements></policy><policy name="SNMP_Traps_Public" class="Machine" displayName="$(string.SNMP_Traps_Public)" explainText="$(string.SNMP_TrapDestinations_Help)" presentation="$(presentation.SNMP_Traps_Public)" key="Software\Policies\SNMP\Parameters"><parentCategory ref="SNMP_TEST" /><supportedOn ref="windows:SUPPORTED_WindowsXP" /><elements><list id="SNMP_Traps_PublicListbox" 
key="Software\Policies\SNMP\Parameters\TrapConfiguration\public" valuePrefix="" /></elements></policy></policies></policyDefinitions>

Cheers,

Ben.



password must meet complexity requirements disabled


I've seen this post: when end users try to change their p/w they continue to get the "not meeting complexity" error. I don't think it's because "must meet complexity" is enabled; I think it's because the minimum password age is set to 30. So this means the end user has to wait 30 days to do a password change?

current settings

enforce password history 2 passwords remembered

maximum password age 365 days

minimum password age 30 days

minimum password length 7 characters

password must meet complexity requirements enabled

store passwords using reversible encryption disabled


I read that in "minimum password age 30 days" the number 30 means end users cannot change their password until 30 days have passed? So this seems to be the issue, and complexity being enabled is not the issue. For example, when a user wants to change their password, although they are following the requirements, they still get the "not meeting the complexity" message. This example should be a good password to use: B05ketb011!

[Forum FAQ] Troubleshooting IPSec policy related Event ID 1091 and Event ID 1085


This article describes two possible causes of IPSec policy related event 1091 and event 1085 being generated intermittently in Event Viewer.

The descriptions of IPSec policy related event 1091 and event 1085 are as follows:

Event ID 1091:
Windows could not record the Resultant Set of Policy (RSoP) information for the Group Policy extension <IP Security>. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.

Event ID 1085:
Windows failed to apply the IP Security settings. IP Security settings might have its own log file. Please click on the “More information” link.

Scenario One:

Symptom:
We configure the IPSec policy, assign it in GPOs, and publish the policy to machines. However, this policy can’t be applied and event 1091 and event 1085 keep being logged in Event Viewer on these machines.

Possible Cause:
This can be caused by the fact that the targeted machines do not have enough permissions to access the IPSec policy container. For machines to apply IPSec policies, they need to have Read, Read All Properties, and List Contents permissions on the IPsec container under AD Users and Computers.

Solution:       

Step 1: open Active Directory Users & Computers

Step 2: click View, choose Advanced Features

Step 3: go to <Domain>\System\IP Security

Step 4: select the IP Security container, right click it and choose Properties, go to the Security tab, and check whether the targeted machines are in the list under Group or user names

Step 5: If these machines aren’t in the list, add these machines and allow them appropriate permissions.

For example, for domain computers to apply IPSec policies, they should be allowed permissions as shown in Figure 1:

Figure 1  IP Security Properties

Scenario Two:

Symptom:
In an Active Directory environment, there is no IPSec policy being assigned or we assign a new IPSec policy but this new policy can’t get applied to the targeted machines, and both event 1091 and event 1085 keep being logged in Event Viewer at regular intervals on these machines.

Possible cause:
This can happen if we delete an IPSec policy without un-assigning the IPSec policy. There may be other policies which are linked to the deleted IPSec policy object. We can assign an IPSec policy in different GPOs, for it doesn’t belong to a specific GPO.

Solution:
To verify whether this is the cause of the issue we experience, log on to the problematic machine and go to the following registry path (Figure 2):

HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy


Figure 2   GPTIPSECPolicy

In Figure 2, we find that the Data of DSIPSECPolicyName is New IP Security Policy (1). If we open the IPSec policy editing snap-in (Figure 3) from any GPO on a Domain Controller, however, we don’t see this IPSec Policy.

Computer Configuration\Policies\Windows Settings\Security Settings\IP Security Policies on Active Directory

Figure 3    IP Security Policies snap-in

This proves that there is an old IPSec policy named New IP Security Policy (1) which is still in place. In fact, if we delete the IPSec policy without un-assigning it, computers in the Active Directory container to which the IPSec policy is assigned might treat the IPSec policy as if it cannot be located and continue to use a cached copy.

To fix the issue, we must find all the GPOs in which this deleted IPSec policy was assigned. 

To do this, we can run the following command in CMD (Run as administrator):

ldifde -r "(objectClass=IpsecPolicy)" -f C:\ipsec.txt

This command will list all the objects related to IPSec policy in ipsec.txt (Figure 4). We can search for the name New IP Security Policy (1) in ipsec.txt.


  Figure 4 ipsec.txt

In Figure 4, we find this name is a part of the following two objects:

dn: CN=IPSEC, CN=Windows, CN=Microsoft, CN=Machine, CN= {31B2F340-016D-11D2-945F-00C04FB984F9}, CN=Policies, CN=System, DC=*, DC=com

dn: CN=IPSEC, CN=Windows, CN=Microsoft, CN=Machine, CN= {6AC1786C-016F-11D2-945F-00C04FB984F9}, CN=Policies, CN=System, DC=*, DC=com

From CN=Policies, we can conclude that these two objects are GPOs. Besides, we can see the GUIDs of these two GPOs in the distinguished name (dn). As a result, we can utilize each GUID to identify its corresponding GPO.

An easy way to identify GPOs by their GUIDs is to use a PowerShell command, and we can run the command as follows:

Get-GPO -All | select displayname, id

This command will list the names and GUIDs of all GPOs (Figure 5) in our Active Directory environment.

Figure 5   Displaynames and GUIDs of GPOs

From Figure 5, we can tell that we once configured this IPSec policy in the default domain policy and the default domain controller policy, for {31B2F340-016D-11D2-945F-00C04FB984F9} is the GUID of the default domain policy and {6AC1786C-016F-11D2-945F-00C04FB984F9} is the GUID of the default domain controller policy.

Now, to resolve the issue, we need to assign another IPSec policy in all GPOs in which we assigned the deleted IPSec policy.

Using this case as an example, we perform the following steps:

          1. Find an existing IPSec policy or create a new IPSec policy in any GPO.
          2. Assign this IPSec policy in both the default domain policy object and the default domain controller policy object.
          3. After waiting for Group Policy to be updated on the problematic machines, un-assign this newly assigned IPSec policy in these two GPOs.
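
The search-and-map step from Scenario Two, as an added PowerShell example that is not part of the original article: it unfolds an ldifde export, keeps the entries that carry the policy name, and pulls the GPO GUID out of each dn so it can be passed to Get-GPO. The LDIF sample is constructed, its attribute names and DC=example,DC=com are assumptions, and Get-GpoGuidForIpsecPolicy is a hypothetical helper name.

```powershell
# Added example (not from the article). $sampleLdif is constructed; the attribute
# names in it are assumptions about what the ldifde export contains.
$sampleLdif = @'
dn: CN=IPSEC,CN=Windows,CN=Microsoft,CN=Machine,CN={31B2F340-016D-11D2-945F-00
 C04FB984F9},CN=Policies,CN=System,DC=example,DC=com
changetype: add
objectClass: ipsecPolicy
ipsecName: New IP Security Policy (1)

dn: CN=IPSEC,CN=Windows,CN=Microsoft,CN=Machine,CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com
changetype: add
objectClass: ipsecPolicy
ipsecName: New IP Security Policy (1)

dn: CN=ipsecPolicy{11111111-2222-3333-4444-555555555555},CN=IP Security,CN=System,DC=example,DC=com
changetype: add
objectClass: ipsecPolicy
ipsecName: Server (Request Security)
'@

function Get-GpoGuidForIpsecPolicy {
    param(
        [Parameter(Mandatory)][string]$LdifText,
        [Parameter(Mandatory)][string]$PolicyName
    )
    # LDIF folds long lines; a continuation line starts with a single space.
    $unfolded = $LdifText -replace '\r?\n ', ''
    # Entries are separated by one or more blank lines.
    foreach ($entry in ($unfolded -split '(?:\r?\n){2,}')) {
        # Keep only entries where the policy name is a complete attribute value.
        if ($entry -notmatch ('(?m):\s*' + [regex]::Escape($PolicyName) + '\s*$')) { continue }
        # GPO-side objects sit under CN={GUID},CN=Policies,CN=System.
        if ($entry -match '(?m)^dn:.*?CN=\s*(\{[0-9A-Fa-f-]{36}\}),\s*CN=Policies,\s*CN=System') {
            $Matches[1].ToUpper()
        }
    }
}

$guids = Get-GpoGuidForIpsecPolicy -LdifText $sampleLdif -PolicyName 'New IP Security Policy (1)' |
    Sort-Object -Unique
foreach ($g in $guids) {
    if (Get-Command Get-GPO -ErrorAction SilentlyContinue) {
        Get-GPO -Guid $g | Select-Object DisplayName, Id   # needs the GroupPolicy module
    } else {
        "GPO GUID referencing the policy: $g"
    }
}
```

Against a real export, pass `(Get-Content C:\ipsec.txt -Raw)` as -LdifText. Values that ldifde wrote in base64 (the `attr::` form) are not decoded here, so a policy name containing non-ASCII characters will not match.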

Automatic Login to an Intranet Site


Dear All,

I have been given a task by Management to write a GPO in such a way that the user can log in to the URL without giving the username and password.

I have checked with various parameters but am not able to get the same.

http://kb.kerio.com/product/kerio-control/microsoft-active-directory-apple-open-directory/how-to-use-a-windows-active-directory-group-policy-object-gpo-to-logon-and-logout-automatically-users-from-kerio-control-917.html

Parameters Checked

IEM --- > Security Settings

Windows Configuration ----> Site Zone Alignment

User Configuration ----> Site Zone Alignment

Can someone let me know how to proceed further

Note: Most of the Machines are using IE8 and IE 9

Regards

Naveen Chandra G.V


