Channel: Group Policy forum

Don't have proper privilege to change the date and time. Group Policy does not work


Hello All,

I have configured Group Policy so that only administrators can change the date and time. The problem is that Windows XP machines cannot view the calendar, but Windows 7 can. So I need to be able to view the calendar on Windows XP machines.

Error: you do not have proper privilege to change the date and time.  

Please suggest.

Thanks



Restore Default Domain Controllers Policy in its original state


Hello,

Our domain has 2003 DCs. For some reason, someone has unlinked Default Domain Controllers Policy from Domain Controllers OU and also modified it extensively.

Domain Controllers OU has a GPO with basically same settings as DDCP but it has also been heavily modified.

I'm in the process of upgrading our domain to 2012 level and would like to sort out DDCP before doing so.

What would be the best course of action to restore DDCP in its place? I was planning to match all settings between the custom GPO and the currently unlinked DDCP, and then disable the custom GPO and enable DDCP. But sincerely, I'm not sure what would be the best way to go.

GPO Windows server 2003


Hi All,

We would like to achieve the following by GPO

We could not send Control Alt Del to Windows 7 when we use VNC to remote desktop.

We found a solution as per link

http://kb.realvnc.com/questions/102/How+can+I+enable+the+%22software+Secure+Attention+Sequence%22+policy%3F

  1. Login to the remote computer as the domain administrator.
  2. Click the Start Windows button, select Run, type gpmc.msc and press enter.
  3. In the left section, select the desired domain, then right-click and choose Create a GPO in this domain, and link it here.
  4. Right-click the new GPO and select Edit.
  5. In the left section, please navigate to: Computer Configuration - Administrative Templates - Windows Components - Windows Logon Options
  6. In the right section, please double-click on the Disable or enable software Secure Attention Sequence policy and click on Enabled.
  7. Set the policy option to Services.
  8. Click OK and close the Group Policy Object Editor.

In step 5, I cannot find Windows Logon Options; I can only find the option in Local Group Policy, not in Domain Policy. Is it because of Windows Server 2003? Any help would be appreciated.

Cheers

Domain Controllers do not sync Policies


Hi!

I have 2 domain controllers: DC1 and DC2, both Win 2012 Standard.

The problem is that the policies are not replicated. GPMC says that "1 Domain controller(s) with replication in progress" and "0 Domain controller(s) with replication in sync". The version numbers in \\domaincontroller#\sysvol\mydomain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini are different.

"dcdiag /a" shows that all tests pass. repadmin /syncall and /replsummary show that replication goes fine. Adreplstatus is satisfied.

I can run wbemtest.exe and connect to the namespace \\machinename\root\cimv2 ;Click Query; Query "Select * from Win32_ComputerSystem" shows my DC's hostname.

After changing GP Objects, Event Viewer shows in DC1:

Source:WMI-Activity, Event ID: 5858, User:System
Id = {E60841D0-2CF1-4370-9CBB-0ED864592E53}; ClientMachine = DC1; User = ; ClientProcessId = 988; Component = Unknown; Operation = Start IWbemServices::DeleteInstance - Root\Rsop\Computer : RSOP_ExtensionStatus.extensionGuid="{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}"; ResultCode = 0x80041002; PossibleCause = Unknown

and in DC2 accordingly:

Id = {D51B7C8D-5AA0-4C57-8D3B-9A1C8C8692A5}; ClientMachine = DC2; User = ; ClientProcessId = 1012; Component = Unknown; Operation = Start IWbemServices::DeleteInstance - Root\Rsop\Computer : RSOP_ExtensionStatus.extensionGuid="{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}"; ResultCode = 0x80041002; PossibleCause = Unknown

RSOP_ExtensionStatus.extensionGuid varies in events.

How to repair? What should I test and try?
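
The symptom described in this post (different `Version=` values in gpt.ini on each DC while AD replication tests pass) can be checked per domain controller with the script below. It is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module is installed, that SYSVOL is shared as `\\<DC>\SYSVOL\<domain DNS name>\Policies` as in the path quoted above, and uses the GPO GUID from the post.

```powershell
# Added example (not from the original post): compare the two halves of one GPO
# on every DC. The AD half is the versionNumber attribute of the
# groupPolicyContainer object; the SYSVOL half is Version= in gpt.ini.
Import-Module ActiveDirectory

$gpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'   # GUID quoted in the post
$domain  = Get-ADDomain
$gpoDn   = "CN=$gpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"

function Split-GpoVersion {
    # A GPO version packs two counters: high 16 bits = user, low 16 bits = computer.
    param([int]$Version)
    'user {0} / computer {1}' -f ($Version -shr 16), ($Version -band 0xFFFF)
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    # AD side, read from this specific DC rather than whichever DC answers first.
    $adVersion = $null
    try {
        $obj = Get-ADObject -Identity $gpoDn -Server $name -Properties versionNumber -ErrorAction Stop
        $adVersion = [int]$obj.versionNumber
    } catch {
        Write-Warning "$name : cannot read the GPO object from AD ($($_.Exception.Message))"
    }

    # SYSVOL side, read from this DC's own share (not the DFS domain path).
    $iniPath = "\\$name\SYSVOL\$($domain.DNSRoot)\Policies\$gpoGuid\gpt.ini"
    $sysvolVersion = $null
    if (Test-Path -LiteralPath $iniPath) {
        foreach ($line in Get-Content -LiteralPath $iniPath) {
            if ($line -match '^\s*Version\s*=\s*(\d+)') { $sysvolVersion = [int]$Matches[1]; break }
        }
    } else {
        Write-Warning "$name : $iniPath not found"
    }

    [pscustomobject]@{
        DC            = $name
        AdVersion     = $adVersion
        SysvolVersion = $sysvolVersion
        AdDetail      = if ($null -ne $adVersion)     { Split-GpoVersion $adVersion }     else { 'n/a' }
        SysvolDetail  = if ($null -ne $sysvolVersion) { Split-GpoVersion $sysvolVersion } else { 'n/a' }
        Consistent    = ($null -ne $adVersion) -and ($adVersion -eq $sysvolVersion)
    }
}

$report | Format-Table -AutoSize

# Same AD version everywhere but different gpt.ini versions means the directory
# replicated and the SYSVOL file replication (FRS or DFSR) is what to examine next.
if (@($report | Group-Object AdVersion).Count -eq 1 -and
    @($report | Group-Object SysvolVersion).Count -gt 1) {
    Write-Warning 'AD versions agree across DCs but gpt.ini versions differ: check SYSVOL replication.'
}
```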

GroupPolicy - error id 1058


Hi,

I have 02 domain controllers Windows Server 2012 and another third domain controller that the physical server had problem and was removed from the NTDSUTIL tool. Actually the functional level is "Windows Server 2012".

The following error is present in the event log of my domain controllers and when I execute GPUPDATE /FORCE on my workstations:

The processing of Group Policy failed. Windows attempted to read the file \\lopes.local\SysVol\lopes.local\Policies\{644ABCBC-6F33-4769-BB54-A5D88B5BEF61}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.

b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

c) The Distributed File System (DFS) client has been disabled.

OBS: The GPO GUID in the event log is not present in the sysvol share.

Network communication with the domain controllers and workstation is working.

Best regards,

Paulo Mira.

Deploying printers thru GPP


I have been assigned to create a update a vbs script previously used by the company to update connection and drivers to users.

Part of the requirement was to migrate the script to PowerShell. After encountering problems in retrieving printers configured by computer. The PowerShell script will not retrieve these printers while VBS will, unless I add the connection through PowerShell first. Finally I decided to look for other means of deploying printers. I found that GPP (Client Side Extension) makes this task very easy, and it also provides a way to monitor problems by tracking the Event ID generated when printer problems occur.

Having confirmed this. There is documentation from the previous admin, who tried to use GP to deploy printers and encountered configuration problems when they switched to HP printers. The previous print server resides on a dedicated Windows 2003 server in AD 2008 R2, with Windows 7 workstations. Is there any documentation or article that confirms this abnormality?


michael john ocasio

Force reinstall of applications deployed by software GPO after uninstall


In testing one of our first software deployments using a GPO, a rather glaring issue seems to have appeared.  It appears that if a user uninstalls an application that was deployed by GPO, the application is not reinstalled unless an update for that software is applied to the GPO.  For example:

1.)  Application gets installed to client machine via software group policy (Computer policy, assigned install)

2.)  User of client machine uninstalls application that was installed via GPO

3.)  When restarted, the client machine does NOT reinstall the removed software. 

Is this expected behavior?  Ideally, we'd like to have applications that are deployed by GPO either, a.) automatically reinstalled if they are removed or b.) prohibited from being uninstalled in the first place. 

Any suggestions?

Thanks!

Aaron P.

Added PolicyDefinitions folder to add admx files, but other policies disappeared


I'm trying to add the admx files for Office 2013 (will try for 2010 later).  I followed the support article on how to create the PolicyDefinitions folder, and then copy the en-us directory and admx files in to that folder.

When I open the editor to make changes, the old policies are gone.  I only list policies for Office2013 (Outlook doesn't even show up).

Am I missing an important step here?


Proper way to undo Configure slow-link mode setting for Offline Files


In Computer Config/Admin Templates/Network/Offline Files, I have Configure slow-link mode set to Disabled, but I think this is causing performance issues when users are VPN'd in, as in it's forcing them to be in online mode and if they have a large folder, it could take a minute or two for it to open up due to connection speeds. 

If I want to undo this setting, what is the proper way to do it?  If I set it back to Not Configured does this undo it?  Do I have to set it to Enabled, then after a couple days I can set it back to Not Configured?  I tried looking online but couldn't find an article that says exactly.

Windows failed to apply the Internet Explorer Zonemapping settings - the data was invalid (event ID: 1085)


Hi All,

I have a large domain and a long list of websites that are trusted using the following group policy setting:

Administrative Templates > Windows Components > Internet Explorer> Internet Control Panel > Security Page >Site to Zone Assignment List


On all (XP/vista/win7) workstations across the domain I'm getting the following error:

Log Name:  System
Source:  Microsoft-Windows-GroupPolicy
Event ID: 1085
Task Category: None
Level: Warning
Keywords:
Description: Windows failed to apply the Internet Explorer Zonemapping settings. Internet Explorer Zonemapping settings might have its own log file.


There's nothing either side of this error in the log that shines any more light on the issue.

I know which Group Policy object is applying these settings but can't find which of the entries in the Site to Zone Assignment List is causing this issue. I looked in the Group Policy/Operational log but all I see is the following entry, which says "completed" but is logged as an error:




After some research I'm guessing that the issue is an incorrect wild-card. This is what my trusted sites list looks like (with names removed of course):

http://servername.*  

*.internaldomain.com.au  

*.domain.com.au  

*.domain.*  

*.externaldomain.com  
 
*.domain.inernaldomain.com.au  

*.domain.*  

*.domain/name.*  

*.domain.inernaldomain.au*  

*.domain.com

Is there something obviously incorrect here?
Does anyone know where I could find an article that clearly outlines the acceptable wildcard syntax for the "Security Page\Site to Zone Assignment List" group policy?  I've read every forum post, website and blog I could find on the internet but nothing is clear and I wasn't able to find an MS document that steps it out. I've also changed the existing list a number of times based on blog posts etc. but had no luck.


**Please Note**
I don't want to change to a different method or have an intellectual debate re why I would have these sites/wildcard/policy set. I'm really looking to see what entry is invalid and where the documentation is for this policy setting so I can make sure they are always correct in the future.


thanks in advance for your time and assistance
Simone


PS: I've already read the following posts a number of times:

  • I get no data but have identified the GP that is causing the issue:
    A test case for troubleshooting group policy application – Event ID 1085 and 7016 - http://blogs.technet.com/b/askds/archive/2008/08/21/a-test-case-for-troubleshooting-group-policy-application-event-id-1085-and-7016.aspx 
  • I don't have any 2 letter domain names:
    Problems Adding Top-Level Domains to Zone Sites List - http://support.microsoft.com/kb/259493

  • I tried formatting the list per this article:
    [Solved] The Group Policy client-side extension Internet Explorer Zonemapping failed to execute  - http://daily-it.blogspot.com.au/2008/09/solved-group-policy-client-side.html

  • Has no domain wildcard format info:
    Behavior of Site to Zone Assignment List  - http://blogcastrepository.com/blogs/mattbro/archive/2006/09/07/2183.aspx

  • Great article, no wildcard data:
    Internet Explorer Policy Settings  - http://technet.microsoft.com/en-us/library/bb457144.aspx

  • Internet zonemapping problem: http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/a8756a27-b562-42ad-8782-87d284e6bcfb/
  • Spiceworks Event 1085 (Warning) - http://community.spiceworks.com/windows_event/show/1582-microsoft-windows-grouppolicy-1085
  • Event ID 1085 — Application of Group Policy - http://technet.microsoft.com/en-us/library/cc727303%28v=ws.10%29.aspx
    Application of group policy - http://technet.microsoft.com/en-us/library/cc727312%28v=ws.10%29.aspx
  • Evt ID 1085 GP client-side extension IE ZoneMapping failed to exec  - http://www.winvistatips.com/evt-id-1085-gp-client-side-extension-ie-zonemapping-failed-exec-t706399.html
  • Event 1085 - Internet Explorer Zonemapping - http://www.minasi.com/forum/topic.asp?TOPIC_ID=29206
  • EventID.net - http://www.eventid.net/display.asp?eventid=1085&eventno=1412&source=Userenv&phase=1
  • Event ID 1085 - Internet Explorer Zonemapping failed to execute - http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24897522.html

.

.

.

UPDATE:

I disabled the original policy and created a new one with only one trusted site address in it. Then I logged into a clean test machine and did some testing. What I found after a few hours of testing was, regardless of the site that I have listed in group policy -

  • The HKCU\Software\Policies\Microsoft\Current version\Internet Settings\Zone Map Key registry entry is always updated with that entry on the workstation. So the workstation's registry always updates the key with *.sitename.com per the site that I have set in GP
  • If I run GPUPDATE /FORCE over and over again, on the same machine, under the same user account, using the same DC I get: Failure, Failure, Failure, Success, Success, Success, Failure etc.

I wasn't able to determine any pattern to the failures, I tried stopping some of the processes on that machine but didn't find anything that would make it fail/succeed reliably.
There is no AV or firewalls installed on my test machine

Anyone have any more ideas?  I think I might install filemon and try to capture some more data unless there's a better tool?


Best way to check for duplicate GPO settings with inherited policies

We get some policies pushed down from the top level of our AD domain, but I don't have permission to actually view those GPOs, I can only do that on my subOU's GPOs.  What would be the best way to make sure that my policies aren't applying the same settings as higher GPOs?

Application deployment per site, clients moving between sites


Hi guys,

We are about to do a software deployment through GPO's, same package across multiple sites.  Unfortunately I got turned down for using DFS to make the package available at the local sites so I'll be looking to just create multiple GPO's (one for each site and pointing it to a local UNC at the site).

I was planning on using AD Sites (subnet) to apply the local package to clients as each site is its own subnet, but I had a few questions:

1. I can foresee users moving between sites. If this happens and they change subnets, will the package be uninstalled and installed again when the new GPO is applied?

2.  Once the package is installed, if another GPO applies the same package will it cause issues? (The MSI is identical) Or will the GPO see the package there already and skip it?

I guess it really is kind of one question! If I don't enable the uninstall when moving out of scope, will the GPO just leave the package there even if it is applied by another GPO?

Thanks in advance for any help!


Management of printers


Current infrastructure is AD Windows Server 2008 R2

dedicated server as Print Server Windows Server 2003

workstations Windows 7

a. Task to migrate Print Server settings  to a new dedicated server Print Server Windows 2008 R2.

   To retrieve currents settings from server and move to a new Print Server, it could either be done

   1. Power Shell

      Export the settings to a file from the 2003 Print Server and import them from the file to the 2008 Print Server.

   2. Print Management features from Windows Server 2008 R2 to transfer the settings.

   which method is more reliable or permissible?

b. The second, question is about the deployment of printers in the organization

    Present time, No GP define to control or limit the amount of printers in the organization (65 and Plotter no accessible to any regular users.

c.   Also no present means to schedule a task to monitor event id 4098 or any other event id associate with jam printers

   About the second requirement I just could not persuade management to limit printers by department location.

   So users will get all 65 printers to connect to. (Shared Network). Could this present a security breach?

   In order to monitor printer problems, there should be one GPP at the Domain level and generate the task?

   Can someone clarify the best course of actions for all three bullets?


michael john ocasio






Windows 8 and User Rights - Access store but not install other programs


Hi, I wonder if someone can help,

I am trying to find out if it is possible through Active Directory to set up a group policy so that a user will be able to install apps from the Windows Store but be unable to install any other applications. I have seen that the store can be enabled or disabled from Windows Server 2012, but have yet to find out if this is sufficient to allow store installs but no other external applications.

Thanks

Setting non-Zero DSCP values from application using winsock2 on Windows 2012


Hi,

There are actually several questions:

1.a. Is IP_TOS with IPPROTO_IP for the command setsockopt of the winsock2 interface supported for Windows 2012?

Comment: With setsockopt(ConnectSocket, IPPROTO_IP, IP_TOS, (char*)&tosBits, sizeof(tosBits)) initiated in an application, the DSCP value for a sent IP packet could be set on earlier Windows versions (Windows 2003 Server) and Unix etc. I assume that Windows 2012 is also forced to satisfy the winsock2 interface.

1.b. If yes, what do I have to configure on a Windows 2012 Server so that the above setsockopt command remains working?

1.c. If no, what does the alternative code snippet look like and what do I have to configure on a Windows 2012 Server so that the alternate code runs?

Best Regards


Strange issue while searching GPOs with Search For Group Policy Object dialog box...


Hi all;

Please look at the following figure:

This figure has been captured from a DC with Windows Server 2012 OS.

Any ideas?

Thanks


Please VOTE as HELPFUL if the post helps you and remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

2012 R2 - One GPO not being applied


Hello,

I've had a look at other posts of similar issues but I couldn't find a solution..

Quick history:

I have a forest with a single DC. The forest started as a 2012 forest on a single Windows Server 2012 DC. After about a year  (a month ago) I have joined a 2012 R2 DC, demoted the 2012 DC and raised the functional level to 2012 R2.

Problem I'm having:

I have one user GPO which doesn't get applied anymore (it used to). When running Group Policy Modelling in GPMC I can see the policy being applied in the report, as it should. However when running Group Policy Results in GPMC that policy doesn't exist in the report at all.

Troubleshooting:
I've confirmed the following to be correct and done the following to try and resolve the issue:

-GPO's security filtering

-GPO's delegation permissions

-GPO is assigned to the correct OU and enabled

-Move GPO to a different OU

-No WMI filters are applied

Any help will be greatly appreciated! Thanks 



GPO Settings apply to Server but not Workstation OS


We have a GPO configured primarily for RDP settings.  This GPO is linked and enabled at the top of the domain and uses the default security filtering of "authenticated users".

Specifically in the GP we are trying to configure "Computer Configuration > Admin Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host" settings.  The GPO objects themselves say "at LEAST windows XP & 2003"

All of our server OS (2008R2, 2012) are applying the GPO and its settings correctly.

All of our desktop OS (7, 8) are applying the GPO, but none of the settings apply.

We have tried creating brand new GPOs, enabling/disabling enforcement, changing GPO priorities.  We are at a loss as to why a GPO setting (which exists in windows 7 & 8) is not accepting the configuration settings it is receiving.

Thanks


GPO's to map printers and set default


I've created 2 GPO's for managing printers.  One GPO is used to add all the printers, there are about 40, to all users, I've then made another which adds a particular printer using targets.  My theory is that all the printers are added in the first one, the second one then overrides the individual printer depending on the group assignment.

My problem is that it's intermittent.  If I run a gpupdate /force it works and assigns correctly, but although it adds them on logon, the default isn't set.

I've been getting the odd message as below

Group Policy object did not apply because it failed with error code '0x8007000a The environment is incorrect.' This error was suppressed.

and applied the following fix

"Do not apply during periodic background processing" needs to be enabled in the following policy.

[COMPUTER POLICY\ADMINISTRATIVE TEMPLATES\SYSTEM\GROUP POLICY\Printers preference extension policy processing]

but it's still not happening for me on logon. 

Can someone confirm whether I should be using Create/Replace/Update for both policies and any other settings that I should look out for.

Many thanks

2008R2 IE 11 Group Policy Preference Proxy Configuration Issues


I've been mulling this problem over for a while and I finally have to accept I can't use IE Maintenance anymore for managing proxy settings.  I've been reading up on how to make Server 2008 R2 work with GPP settings for IE 9 - 11.  Everything I've read says I need to install the .admx files (link below) or install IE 10+ to get the IE Preferences to show up for 9, 10, and 11.  But when I look at my .admx files in %systemroot%/PolicyDefinitions it has the same exact .admx file that I download from the Admin Templates.  I can not see the policy preferences for IE 9, 10, or 11 and need these options so I can configure a Proxy server.  How do I go about getting these preferences to become available in Server 2008 R2 SP 1? 

#admx link

http://www.microsoft.com/en-us/download/details.aspx?id=36991

Note that I also tried the following to manually add support while testing but it didn't help me:

Open up the policy, and create an IE8 Preference: User Configuration --> Preferences --> Control Panel Settings --> Internet Settings --> New --> Internet Explorer 8 -> Set your proxy settings


Navigate to C:\Windows\SYSVOL\domain\Policies was an easier route, then sort by date for the recently created IE entry.

Navigate to User\Preferences\InternetSettings

Open up the "InternetSettings.xml file, and change the MAX value to something above 10.0.0.0 (I usually put 10.5.0.0). This way, the policy won't trip up later on if IE 11 comes out and doesn't support any of these policies, but at least you'll be safe until 10.5.0, or until a hotfix is available. "

max="10.5.0.0"


