Removing Printers Deployed with GPP

August 22, 2010, 11:09 pm

≫ Next: GPP Delete policy not working on Windows Server 2008 R2 RDS when deleting shared printers with status access denied.

≪ Previous: Added PolicyDefinitions folder to add admx files, but other policies disappeared

I've been testing out using GPP to deploy printers to two 2008R2 servers in our Remote Desktop farm. We have a 2008R2 print server, which I have set up all of our printers on (18 printers total). I've created a new GPO to deploy the printers and used ILT to specify the specific user groups that have access to each printer in a single GPO policy. This part seems to be working well.

The problem I run into is when I move a user from one security group to another, the printers in their old security group still show up in the Printers window, but they have a yellow "!" and can't be accessed.

I have tried the following methods to clean out these "ghost" printers (none of which have worked):

Check the box in the common tab for "Remove this item when it is no longer applied".
Create a new shared printer with the same name, but set it to delete, and set ILT for anyone not in the specific group for this printer (and modified the order to put this on top)
Create a new local printer with the same name, but set it to delete, and set ILT for anyone not in the specific group for this printer (and modified the order to put this on top)
Create a GPP registry setting to delete the "HKCU\Printers\Connections\,,SERVER,PRINTER" and set ILT for anyone not in the specific group for this printer

So far the only way I have found to remove these ghost printers:

Have the user manually right-click and remove them
Use a logon script of reg del "hkcu\Printers\Connections" /f

The registry script is a way to automate it, but if I delete these every time a user logs on or off, it increases their logon time because GPP has to setup their printers from scratch.

Any ideas? In the past I have just installed the printers locally as TCPIP on each server, but I would like to automate this with GPP for better scalability as we roll out new terminal servers.

↧

GPP Delete policy not working on Windows Server 2008 R2 RDS when deleting shared printers with status access denied.

January 21, 2014, 5:49 am

≫ Next: Server 2012 R2 ADM files for Server 2008

≪ Previous: Removing Printers Deployed with GPP

Hi!
I Have one AD Security group for each shared printer, I have one GPP that map the printer if the user is in the security group that belong to the printer. And one GPP to delete the printer if the user is NOT member of the security group. The security group is also applied in “Security” tab on the printsrv with PRINT rights and “everyone” is removed. This works 100 % on Windows 7 clients and Windows 2003 Terminal Servers. But on Windows 2008 R2 RDS this dont work.The Delete Policy will not delete the shared printer. No warning in any logs, and the gpresult shows that the gpo setting applyed sucessfully. The only way I can make the Delete policy work is if i give the user print rights on the printer on the printsrv. Looks like for the policy to work on 2008 R2 the user must have print rights on the printer object on the printserver. The GPP Delete Policy will not delete printers that have status : access denied. Anyone else had this problem?

↧

Server 2012 R2 ADM files for Server 2008

January 14, 2014, 10:24 am

≫ Next: Proper way to undo Configure slow-link mode setting for Offline Files

≪ Previous: GPP Delete policy not working on Windows Server 2008 R2 RDS when deleting shared printers with status access denied.

I'm trying to load adm files for Server 2012 R2 into a 2008 Domain. I downloaded and "installed" the adm files but they installed as adml files and I'm unable to load the templates into a policy. I'm just curious what I'm doing wrong and how I can get these policies to work properly in a 2008 domain.

Vincent Sprague

↧

Proper way to undo Configure slow-link mode setting for Offline Files

January 16, 2014, 12:51 pm

≫ Next: GPO for computer OU and GPO for user OU, conflict, how to override computer OU GPO over user OU GPO - office 2010

≪ Previous: Server 2012 R2 ADM files for Server 2008

In Computer Config/Admin Templates/Network/Offline Files, I have Configure slow-link mode set to Disabled, but I think this is causing performance issues when users are VPN'd in, as in it's forcing them to be in online mode and if they have a large folder, it could take a minute or two for it to open up due to connection speeds.

If I want to undo this setting, what is the proper way to do it? If I set it back to Not Configured does this undo it? Do I have to set it to Enabled, then after a couple days I can set it back to Not Configured? I tried looking online but couldn't find an article that says exactly.

↧

GPO for computer OU and GPO for user OU, conflict, how to override computer OU GPO over user OU GPO - office 2010

January 21, 2014, 5:05 am

≫ Next: Best way to check for duplicate GPO settings with inherited policies

≪ Previous: Proper way to undo Configure slow-link mode setting for Offline Files

I have an issue with GPO for office 2010 (default save location) and would like some help

I have users in a user OU called 'admin'
these users login to computers which are member of a OU called 'admin desktops'
NEW - some of these users have access to a laptop which are member of an OU called 'admin laptops'

there is a GPO (office h:) linked to the users OU which sets the default save location for office applications to H: drive

this has worked well for 4 years but we are now configuring laptops for some of the admin users and i need to change the default save location for these laptops to:

%USERPROFILE%\DatAnywhere\HOME\%username%\

if i create a new GPO (office DN) and link it to the computer OU the office h: GPO applies (looks like user settings in a GPO take precedence over user GPO linked to an computer OU.

I cannot move these admin users with laptops to a different user gpo which only has the office DN gpo applied as it causes problem with other OU linked services (for instance our MDM solution cannot cope with this) so the users have to remain in the same admin OU (users) and I need to set something up where the GPO 'office DN' is applied if they logon to their laptop and 'office H:' is applied when they logon to their desktop

how can I achieve this?

↧

Best way to check for duplicate GPO settings with inherited policies

January 16, 2014, 11:42 am

≫ Next: Group policy preferences CSE

≪ Previous: GPO for computer OU and GPO for user OU, conflict, how to override computer OU GPO over user OU GPO - office 2010

We get some policies pushed down from the top level of our AD domain, but I don't have permission to actually view those GPOs, I can only do that on my subOU's GPOs. What would be the best way to make sure that my policies aren't applying the same settings as higher GPOs?

↧

Group policy preferences CSE

January 21, 2014, 8:39 am

≫ Next: GPO - Inbound Rules - Machine picks up GPO but does not input settings?

≪ Previous: Best way to check for duplicate GPO settings with inherited policies

Hi,

I'm in a mixed server infra (2008 and 2003) and would like to deploy GPE for rebooting, I've tried to approve KB9433729 but wsus will not approve as its expired, what is the quickest way to get this update out to the 2003 servers.

↧

GPO - Inbound Rules - Machine picks up GPO but does not input settings?

January 21, 2014, 8:50 am

≫ Next: Using GPO to pin a preset list of icons on the taskbar for each user that logs onto their workstation?

≪ Previous: Group policy preferences CSE

Hi, I have created a GPO on a 2008 R2 DC, which adds File+Printer Sharing settings. When i run a gpresult /r command the computer picks up the gpo. When i run the gp wizard on the DC, i get the below. checked event viewer logs, no luck.

DC - 2008 R2, OS- Windows 7 Enterprise SP1.

Inbound Ruleshide

Name

Description

Winning GPO

File and Printer Sharing (NB-Session-In)

Inbound rule for File and Printer Sharing to allow NetBIOS Session Service connections. [TCP 139]

SD_SCCM File Print Install Test_MOC ver 2

This rule may contain some elements that cannot be interpreted by current version of GPMC reporting module
Enabled	True
Program	System
Action	Allow
Security	Require authentication
Authorized computers
Authorized users
Protocol	6
Local port	139
Remote port	Any
ICMP settings	Any
Local scope	Any
Remote scope	Any
Profile	All
Network interface type	All
Service	All programs and services
Allow edge traversal	False
Thanks	File and Printer Sharing

↧

Using GPO to pin a preset list of icons on the taskbar for each user that logs onto their workstation?

January 21, 2014, 8:34 am

≫ Next: I've place a Public Key Policies computers are not getting it.

≪ Previous: GPO - Inbound Rules - Machine picks up GPO but does not input settings?

I would like to have the taskbar show a predetermined set of icons (Word, Excel, PPT, etc.) pinned to taskbar when a user first logs into their host machine. Is this doable through a default GPO setting or do I need to do this via scripting?

↧

I've place a Public Key Policies computers are not getting it.

January 21, 2014, 6:02 am

≫ Next: Desktop Background GPO setting not working as expected

≪ Previous: Using GPO to pin a preset list of icons on the taskbar for each user that logs onto their workstation?

Just did a gpresult /z > c:\policy.txt and I can see that Public Key Polices are N/A

There are computers on that OU and I set GPO of Public Key Policies. Please advise. thank you

↧

Desktop Background GPO setting not working as expected

January 21, 2014, 7:06 am

≫ Next: Newer GPO Import from Windows 2012 to Windows 2008 R2 DC

≪ Previous: I've place a Public Key Policies computers are not getting it.

Hi there,<o:p></o:p>

I'm using Windows Server 2008 R2 ADDS and my client machines are Windows 8 and Windows 7 Prof. I've configured a GPO to deploy an image (.jpg) as desktop background at the same I want user would be able to change the background if they want. Unfortunately it is not working as expected. User can see the wallpaper as background but unable to change it.<o:p></o:p>

From client desktop i can click on 'Desktop Background' and select other picture locations. Finally clicking on Save Setting does not have any effect. The background image is the same that I've deployed using group policy.

Does anybody know how to resolve the problem?<o:p></o:p>

Thanks<o:p></o:p>

Enam<o:p></o:p>

↧

Newer GPO Import from Windows 2012 to Windows 2008 R2 DC

January 21, 2014, 1:22 pm

≫ Next: 0x5 Errors in Applications and Services Log>Microsoft>Windows>Group Policy>Operational - Notify Access Check Failed, Access Check based on security descriptor failed

≪ Previous: Desktop Background GPO setting not working as expected

We have a large Windows 2008 R2 forest and a few isolated forests with Windows 2012 DCs. W2012 environment is using some latest/newer GPOs.
We are looking to consolidate the forests and bringing all users in Windows 2008 R2 forest. Can we import newer GPOs from Windows 2012 environment into Windows 2008 R2 environment? Is there a technet article supporting the process?

thanks

Navgup

↧

0x5 Errors in Applications and Services Log>Microsoft>Windows>Group Policy>Operational - Notify Access Check Failed, Access Check based on security descriptor failed

January 21, 2014, 8:49 am

≫ Next: Map drives using both Group Policy and Login script

≪ Previous: Newer GPO Import from Windows 2012 to Windows 2008 R2 DC

My Group Policy is working, however, I have two persistent errors in "Applications and Services Log>Microsoft>Windows>Group Policy>Operational"

Event ID: 7320 - Group Policy notify access check failed. Error code 0x5 (error description %%4109, error code 5)

Event ID: 7320 - Access check based on security descriptor failed. Error code 0x5 (error description %%4105, error code 5).

They generate six times each when user logs into the workstation.

Environment: AD 2008R2, Win7 Pro

What little bit I find points to access/permissions issues. Any help on identifying or troubleshooting these errors would be helpful.

Charlie Newman

↧

Map drives using both Group Policy and Login script

January 21, 2014, 9:57 am

≫ Next: GPO to allow RDP

≪ Previous: 0x5 Errors in Applications and Services Log>Microsoft>Windows>Group Policy>Operational - Notify Access Check Failed, Access Check based on security descriptor failed

Started our network in Windows 2003 w/ Windows 2000 and XP, at the time, a simple .vbs login script worked great w/ setting it the profiles of the user in AD Users and Computers. Over the years, we added Server 2008, Windows 7 and now 8.1 into the environment and it seems that the newer system doesn't work well w/ the script. It will run at times, and sometime, staff will report that none of the network drives are mapped, and at times, even a complete rebooting the machine doesn't trigger the login script. My questions are:

1. Why isn't the script "firing" correctly for all users / computers? (most users have the same security access)

2. Is there a better option to map drives? I know using GP is an option, however, a lot of our users need specific mapped drives which makes it difficult to set an "universal" policy.

3. Is there a way to make the mapping process visible so I can see exactly what the script is doing when mapping the drives?

Thanks in advance.

Roget Luo

↧

GPO to allow RDP

January 20, 2014, 11:52 pm

≫ Next: "Make proxy settings per-machine (rather than per user)" Group Policy setting not applied until login as a local Administrator

≪ Previous: Map drives using both Group Policy and Login script

Hello everyone

I am using Windows Server 2003 x64 , i want to enable RDP on all windows 7 x64 x86, Windows XP computers through Group policy

Please do guide me

↧

"Make proxy settings per-machine (rather than per user)" Group Policy setting not applied until login as a local Administrator

January 22, 2014, 7:25 am

≫ Next: Audit 2008r2 DC not logging 4625 events

≪ Previous: GPO to allow RDP

We want to deploy to all our desktop the pac file to configure proxy. We have a Windows 2008 R2 server, and i've enabled the GPO "Make proxy settings per-machine (rather than per user)", and i've add a registry key AutoConfigURL in "HKLM\Software\Microsoft\Windows\Current Version\Internet Settings" with the pac file link.

I've tested on my pc, and all was configured without any problem. I've try to login to my computer with another user (without admin rights) and the automatic configuration proxy was compiled and not modificable. It's seems that all works.

But, our users are not local admin, so i've tried to deploy the GPO in a collegue computer. I've forced the update of GPO, checked on registry that all new keys are added, and i've reboot the pc. When i've check on IE settings, autoconfig URL was empty and grey. I'm disconnected from user and i've login to the pc with a local admin. With my surprise, the IE settings was compiled. When i'm come bac to the user profile the IE settings was compiled and not modificable.

The problem is: i've over 750 users in 3 countries, and i don't want grant them the local admin permissions. How can i configure proxy settings via GPO without login to every machine at least one time?

↧

Audit 2008r2 DC not logging 4625 events

January 22, 2014, 7:27 am

≫ Next: GPO

≪ Previous: "Make proxy settings per-machine (rather than per user)" Group Policy setting not applied until login as a local Administrator

Hi Everyone

We have 4 DCs 2008r2 and I have edited Default Domain Controllers Policy and Default Domain Policy

Default Domain Policy/Computer Configuration/Policies/Windows Setting/Security Settings
Local Policies/ enable Audit account logon events for failure

Default Domain Controllers Policy/Computer Configuration/Policies Window Settings/Security Settings

Local Policies/ enable Audit account logon events for failure

Did a GP update/force and restarted the DC but if a user logs onto her PC with the wrong credentials the DCs do not log it?

Can someone please help me or point me in the correct direction

Thanks advance

↧

GPO

January 19, 2014, 1:21 am

≫ Next: How can we implement WSUS Group Policy to Computers not on Users

≪ Previous: Audit 2008r2 DC not logging 4625 events

Hi all,

I want to disable the MS excel 2010 and internet for the certain domain users on the windows 7 client using group policy on the server 2008 R2.

Can someone help me?

Many thanks !!!!

↧

How can we implement WSUS Group Policy to Computers not on Users

January 22, 2014, 5:24 am

≫ Next: Unable to push IE compatibility view list

≪ Previous: GPO

Hi All,

How I can implement a WSUS patches update policy through Group Policy to all the computers. I don't want to implement to Users.

Thanks

Mukesh

Mukesh Bisht

↧

Unable to push IE compatibility view list

January 22, 2014, 10:30 am

≫ Next: GPO Internet Explorer Maintenance missing in WS 2008 R2

≪ Previous: How can we implement WSUS Group Policy to Computers not on Users

The GPO is not working for me. I am using:

Computer or User Configuration-> Policies-> Administrative Templates-> Windows Components ->Internet Explorer -> Compatibility View -> Use Policy List of Internet Explorer 7 sites

The format I am using for the list is:
stackoverflow.com
etc

I have pushed to client PCs (winXP with IE8, and win7 with IE10), and have verified via rsop.msc that the setting is correctly pushed. I also verified the regkey is getting pushed to Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList\

What doesn't work: IE does not display sites in compat view. I am checking by loading the web site, then inspecting the compat view icon next to the address bar, and bringing up the f12 developer window and checking the browser mode label.

Thanks,
Jaime

↧