Channel: Group Policy forum
Viewing all 19997 articles
Browse latest View live

GPO Internet Explorer Maintenance missing in WS 2008 R2


Hi all

Suddenly I missed the Internet Explorer Maintenance in WS 2008 R2. When I show the Settings tab on the GPO itself it's showing properly, but I can't find it when I try to edit.

Any assistance on that?



Problem deploying Software Installation GPO in AGPM 4


I can create a controlled GPO, Check Out, edit, create a software installation GPO, and Check In. When I attempt to Deploy or Check Out a second time to edit the GPO, I receive the following error:

Check Out GPO: Test Application GPO...Failed

The overall error was: Check Out operation failed. The data is invalid. (Exception from HRESULT: 0x8007000D)

 Additional details follow.

[GPMC Error] The task cannot be completed. The application deployment script (.aas file) for [\\vistaprint.net\netlogon\AppInstall\Digitizer\v24.2Copy\Intellistitch.msi] cannot be regenerated.
The following error occurred:
The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
 
----------------------------------------------------------------------

1 actions failed.

AGPM server is running on Server 2008 R2, AGPM client can be both Server 2008 R2 and Windows 7 SP1. Same error.  Domain and Forest is at Server 2003 Native.


Jim Managan Lead Systems Administrator

Cannot Remove Internet Explorer Branding


We had a custom titlebar a while ago, applied in the "Default Domain Policy" (which is problematic, since I cannot just delete the GPO and recreate it).  I only discovered this policy after upgrading all clients to IE 10 and our DCs to 2008.

I've used RSTAT from a computer with IE 8 and removed the branding from the GPO (so it no longer shows in the "Settings"), but we're still getting the "Internet Explorer Branding" Failed "The specified procedure cannot be found" message on the clients.

I want to completely remove Internet Explorer Branding from group policy as it's not wanted.  I have located two GPOs in the SYSVOL directory with IEAK directories, one with a "BRANDING" directory.

How can I get rid of IE Branding once and for all?  Thank you kindly!

Move contents of Documents to new location.


If this was initially checked when setup and then unchecked will it copy the contents back down to the local computer user profile?

Windows Updates GPO and restarts


Our environment consists of 15-20 Windows 2008 virtual servers, and ideally I would like for updates to download and install at a specified time. Getting that right seems easy enough via GPO, but what I am trying to avoid is the server auto-restarting afterwards. My goal is to just be able to go in manually after scheduled updates should have occurred and reboot the server on my own. 

I can see where you can enable "No auto-restart with logged on users for scheduled automatic updates installations", but my concern is the "logged on users" part.

Meaning, I log on and off to my servers via RDP to do anything. So with that in mind, if my scheduled updates are taking place late at night when nobody is "logged on", it would seem this setting would have it auto-restart because nobody appears logged on.  Am I thinking correctly on this?

2012 R2 - One GPO not being applied


Hello,

I've had a look at other posts of similar issues but I couldn't find a solution..

Quick history:

I have a forest with a single DC. The forest started as a 2012 forest on a single Windows Server 2012 DC. After about a year  (a month ago) I have joined a 2012 R2 DC, demoted the 2012 DC and raised the functional level to 2012 R2.

Problem I'm having:

I have one user GPO which doesn't get applied anymore (it used to). When running Group Policy Modelling in GPMC I can see the policy being applied in the report, as it should. However when running Group Policy Results in GPMC that policy doesn't exist in the report at all.

Troubleshooting:
I've confirmed the following to be correct and done the following to try and resolve the issue:

-GPO's security filtering

-GPO's delegation permissions

-GPO is assigned to the correct OU and enabled

-Move GPO to a different OU

-No WMI filters are applied

Any help will be greatly appreciated! Thanks 



Request for Sticky #2 - Advanced Group Policy Troubleshooting Help


GPOMG!

Group Policy driving you crazy? Here are some advanced troubleshooting tools (beyond RSOP, GPRESULT, etc.) that may be helpful. For first level troubleshooting, check out this link:

http://technet.microsoft.com/en-us/library/cc787386(v=WS.10).aspx

EVENT VIEWER (NEW & IMPROVED!)

Event viewer in Windows 7 has more detail about Group Policy. Start your event viewer (may need to run as an admin. account). Navigate to:

Applications and Services Logs>Microsoft>Windows>GroupPolicy>Operational

Here you will find events that are related to Group Policy processing. You can determine how long it takes to run the various pieces of your particular GP as well as diagnostic information that can be very helpful when trying to figure out what is happening with GP.

http://technet.microsoft.com/en-us/library/cc749336(WS.10).aspx

  • Events 4016 and 5016 show the start and end of processing of groups of policies, including how long it took to apply each one in the end event.
  • Event 5312 shows policies that will be applied, and 5317 shows policies that are explicitly filtered out.
  • Events 8000 and 8001 respectively show the total processing time for computer boot and user boot GP processing, and 8006 and 8007 show the same for interim/periodic GP processing.

GPLOGVIEW TOOL

A similar tool is called GPLOGVIEW. You must run this from the elevated command prompt. It will produce an XML, HTML, or simple text file of the GP events for export and review. You can even do a live monitor while you run GPUPDATE /force.

http://technet.microsoft.com/en-us/magazine/dd315424.aspx

GPSVR/GPSVC LOG FILE

If the normal tricks above don’t provide you with enough information, this should do it! There is a service called GPSVR that gives you everything you ever wanted to know about Group Policy running on your workstation. Here is how to get more information from the GPSVR service in Windows 2008/Vista/Win 7.

Step 1: Enable logging in the Gpsvc.log file. To enable logging in the Gpsvc.log file, follow these steps:

Click Start, click Run, type regedit, and then click OK (might want to back up your registry first).

  1.  Make sure that you have the folder %windir%\debug\usermode, if the usermode folder is not there, then manually create it.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
  3.  On the Edit menu, point to New, and then click Key.
  4.  Type Diagnostics, and then press ENTER.
  5.  Right-click the Diagnostics subkey, point to New, and then click DWORD Value.
  6.  Type GPSvcDebugLevel, and then press ENTER.
  7.  Right-click GPSvcDebugLevel, and then click Modify.
  8.  In the Value data box, type 30002 (as hex), and then click OK.
  9.  Exit Registry Editor.
  10. Reboot machine.
  11.  At a command prompt, type the following command, and then press ENTER: gpupdate /force
  12.  You will find the Gpsvc.log file in the following folder: %windir%\debug\usermode

Step 2: I use Notepad++ to analyze this log file. It can help you troubleshoot, step by step, what GP is doing as your workstation/user is getting logged in. Timing, access/permission issues, SID information and more are all included in this log file.

Step 3: When you are done, change the value of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics|GPSvcDebugLevel to 0x00000000 to disable the debug log or else it will continue to grow.


Charlie Newman
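
The registry steps and event IDs from the post above, scripted in PowerShell as an added example (not part of the original post). The function names are hypothetical; the registry path, value, log folder and event IDs are the ones the post gives, and `Microsoft-Windows-GroupPolicy/Operational` is the channel behind the Event Viewer path it describes.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
$DiagKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$LogDir  = Join-Path $env:windir 'debug\usermode'

function Set-GpsvcDebugLogging {            # hypothetical helper name
    param([Parameter(Mandatory)][bool]$Enabled)

    if ($Enabled) {
        # The post says to create the folder and the Diagnostics key by hand if missing.
        if (-not (Test-Path $LogDir))  { New-Item -ItemType Directory -Path $LogDir | Out-Null }
        if (-not (Test-Path $DiagKey)) { New-Item -Path $DiagKey | Out-Null }
        $level = 0x30002                    # "30002 (as hex)" in the post
    }
    elseif (Test-Path $DiagKey) {
        $level = 0                          # Step 3: stop the log from growing
    }
    else { return }                         # logging was never enabled, nothing to reset

    New-ItemProperty -Path $DiagKey -Name 'GPSvcDebugLevel' -PropertyType DWord `
        -Value $level -Force | Out-Null
}

function Get-GpProcessingEvents {           # hypothetical helper name
    param([int]$MaxEvents = 200)

    $filter = @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'
        # start/end of policy groups, applied/filtered GPO lists, total processing times
        Id      = 4016, 5016, 5312, 5317, 8000, 8001, 8006, 8007
    }
    # SilentlyContinue: an empty result is not an error for a triage helper.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ("$($_.Message)" -split "`r?`n")[0] } }
}

# Typical session, following the post's order:
#   Set-GpsvcDebugLogging -Enabled $true    # then reboot
#   gpupdate /force
#   Get-GpProcessingEvents | Format-Table -AutoSize -Wrap
#   notepad "$LogDir\gpsvc.log"
#   Set-GpsvcDebugLogging -Enabled $false   # when finished
```

Because the log records SID and permission details, as the post notes, keep copies of it in a location with restricted access.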

Group policy wallpaper not working in Windows 8


Hi, 

We are using Windows Server 2008 R2 servers and Windows 7 and Windows 8 client machines. After restarting the Windows 8 machines, the wallpaper that we set using GPO is not working. We tried to check the policy status using RSOP.MSC; it shows the policy has been applied. Why is it showing black instead of the wallpaper that we applied?


Granular Password Settings


Hi,

I have following questions on the deployment:

1) Does the deployment impact existing users if the settings apply to a new global security group?

2) Do I get the standard Windows pop-up message about password expiry, etc.?


cannot create a new GPO

When I try to create a new GPO, I get the error "network name not found".

Forum FAQ: How to deploy Windows 7 Taskbar Pinned Icons by Group Policy?


Question

How to deploy Windows 7 Taskbar Pinned Icons by Group Policy?

 

Answer

Windows 7 taskbar pinned icons are stored in the following locations:

 

File System:
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

Registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband]

 

To deploy it, you can perform the following steps:

 

1.    Configure Pinned items on a Windows 7 system as a reference computer.

2.    Export the Registry Key to a pinned.reg file:

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband]

 

And copy items in the "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" to a shared folder.

 

3.    Create a logon script to deploy the registry keys and copy the corresponding files.

 

Please note that the “%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned” folder is only created after a user has pinned an icon to the taskbar. In the logon script, you will need to create the “%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar” folder if it does not exist.

 

More Information

If you want to pin items to the Start Menu, you may refer to the following script:

 

Pin Items to the Start Menu or Windows 7 Taskbar via Script

http://blogs.technet.com/deploymentguys/archive/2009/04/08/pin-items-to-the-start-menu-or-windows-7-taskbar-via-script.aspx

 

Applies to

Windows 7
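
Step 3 as a PowerShell logon script, added here as an example (not part of the original FAQ). The share `\\fileserver\deploy\TaskbarPins`, its layout (`pinned.reg` plus a `TaskBar` subfolder of shortcuts) and the function name are assumptions; keep the share read-only for ordinary users, since every user who logs on imports the .reg file and receives the shortcuts copied from it.

```powershell
# Added example, not from the original FAQ.
# On the reference computer (steps 1-2) the export can be done with:
#   reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband" pinned.reg /y
#   and the shortcuts copied from the "User Pinned\TaskBar" folder to <share>\TaskBar

$Share   = '\\fileserver\deploy\TaskbarPins'     # hypothetical read-only share
$RegFile = Join-Path $Share 'pinned.reg'
$SrcDir  = Join-Path $Share 'TaskBar'
$PinDir  = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'

function Install-TaskbarPins {                   # hypothetical helper name
    # Fail quietly at logon if the share is unreachable; change nothing in that case.
    if (-not (Test-Path $RegFile) -or -not (Test-Path $SrcDir)) {
        Write-Warning "Pinned-item source not reachable: $Share"
        return $false
    }

    # The FAQ's caveat: the folder only exists once the user has pinned something.
    if (-not (Test-Path $PinDir)) {
        New-Item -ItemType Directory -Path $PinDir -Force | Out-Null
    }

    # Shortcuts first, then the Taskband key that refers to them.
    Copy-Item -Path (Join-Path $SrcDir '*') -Destination $PinDir -Force

    $reg = Start-Process -FilePath 'reg.exe' -ArgumentList 'import', "`"$RegFile`"" `
        -Wait -PassThru -WindowStyle Hidden
    if ($reg.ExitCode -ne 0) {
        Write-Warning "reg import failed with exit code $($reg.ExitCode)"
        return $false
    }
    return $true
}

Install-TaskbarPins | Out-Null
```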

registry name and value to check if server has internet connection


Hi

I want to check if the server has an internet connection through a registry value. Can anyone help me with the path of the registry to check if the server has an internet connection or not?

GPP Delete policy not working on Windows Server 2008 R2 RDS when deleting shared printers with status access denied.

Hi!
I have one AD security group for each shared printer. I have one GPP that maps the printer if the user is in the security group that belongs to the printer, and one GPP to delete the printer if the user is NOT a member of the security group. The security group is also applied in the “Security” tab on the printsrv with PRINT rights, and “everyone” is removed. This works 100% on Windows 7 clients and Windows 2003 Terminal Servers. But on Windows 2008 R2 RDS this doesn't work. The Delete policy will not delete the shared printer. No warning in any logs, and gpresult shows that the GPO setting applied successfully. The only way I can make the Delete policy work is if I give the user print rights on the printer on the printsrv. It looks like for the policy to work on 2008 R2 the user must have print rights on the printer object on the print server. The GPP Delete policy will not delete printers that have status: access denied. Anyone else had this problem?

GPO Scheduled Task Duplicate


Hi All,

For some odd reason, one of the tasks I created using Task Scheduler, via GPO, has created a duplicate. I tried deleting the task and re-creating it, but I wind up with the same result. The following screenshot should better explain what I'm talking about:

Windows 7 - Windows Update - Get updates for other Microsoft Products


Is there a group policy to control the "Get updates for other Microsoft products" - "Find out more"? We are rolling out Windows 7 and finding out other updates are not being applied because this setting is not set.

Thanks in advance


Can't change domain users password on Windows 7 Professional 64-bit joined to Windows 2003 server domain

We have successfully joined PCs to a Windows 2003 server domain, but domain users of Win7 PCs can't change their password because Windows shows a message such as "Unable to update the password. The value provided for the new password does not meet the length, complexity, or history of the domain.", on every PC.

I have:
- done a "gpresult /V" on the pc and here there are the password policies:
...
        Criteri account
        ---------------
            Oggetto Criteri di gruppo: Criteri password
                Criterio:            MaximumPasswordAge
                Impostazione computer:  90

            Oggetto Criteri di gruppo: Criteri password
                Criterio:            MinimumPasswordAge
                Impostazione computer:  N/D

            Oggetto Criteri di gruppo: Default Domain Policy
                Criterio:            LockoutBadCount
                Impostazione computer:  N/D

            Oggetto Criteri di gruppo: Criteri password
                Criterio:            PasswordHistorySize
                Impostazione computer:  N/D

            Oggetto Criteri di gruppo: Criteri password
                Criterio:            MinimumPasswordLength
                Impostazione computer:  8
...

- on the pc, executed "secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose", advised in a forum, and then "gpupdate": computer and user policies updated successfully;

- checked that in the registry there isn't the "HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network" key: ok, there isn't;

- tried to log on to the pc with a new domain user: Windows let me change the password manually the first time (Ctrl-Alt-Canc - Change password), then, the second time, I couldn't change the password any more, with the message above again ("Unable to update the password. The value...").

What can I do to find out what is wrong?

Thanks

How to change homepage in Firefox 22 through group policy in Windows 2008 R2


Hi

I need to set or change the homepage in Firefox 22 through group policy in Windows 2008 R2.

User Profile Logon Script not applying

Hi,

Having trouble getting a user profile logon script (set in AD user properties) called 'unitofsound.bat' to apply after creating an application whitelist with GPO.

I have found if I set 'User Config-> Policies-> Windows Settings -> Security Settings -> Software Restriction Policies -> Security levels ->' to Unrestricted unitofsound.bat will successfully map the network drive with drive letter 'P'.

If I set 'User Config-> Policies-> Windows Settings -> Security Settings -> Software Restriction Policies -> Security levels ->' to Disallowed, nothing seems to happen. 

The batch file resides in '\\woodside.local\sysvol\woodside.local\scripts\unitofsound.bat'. I have attached a screenshot of additional rules:



What am I missing here? Would be grateful for any help 

Basic GPO question


Good morning all,

I recently implemented a Windows Server 2008 R2 with Windows 7 clients.
However, I noticed that I bumped into a problem.

You see, I am creating policies just like always and then I realized that I was adding computer policy settings to a GPO that I was assigning to a user OU.... Obviously this won't work.

However, my question is: Is it best practice to have 1 GPO with both user policies and computer policies and assign it to the user OU and computer OU, OR is it best practice to create separate GPOs for both OUs?

If you have an article about this kind of best practices that would be great.


Andre

RSOP showing RedX under defined policy


Hi guys,

We have basically no auditing on our 2008 R2 Domain Controllers.  It was working fine.  When I get on the DCs and run gpresult /r I can see that the default domain controller GPO is getting applied and is not being filtered.  When I go into rsop.msc on the DCs, I can look up auditing and see the correct policy settings coming from the Default Domain Controller policy, but those settings have a red X on them.  An example is

(Red X) Policy: Audit account logon events     Computer Setting: Success,Failure    Source GPO: Default Domain Controllers Policy

I know that Group Policy auditing can get a lot more granular with 2008 R2, but I am getting almost nothing in the daily security logs. When I do run gpresult /h and output the settings, they look correct there (no red X). In RSOP, when I go to properties on one of the Red X settings, it says "the policy engine did not attempt to configure the setting". Any ideas?

In the winlogon.log it mentions "Legacy audit settings are disabled.  skipped configuration of legacy audit settings"

This is my guess as to the problem.  We do have an Advanced Audit Configuration setting set and so maybe the legacy policies were ignored.

As soon as you start applying Advanced Audit Configuration Policy, legacy policies will be completely ignored. The only way to get a Win7/R2 computer to start using legacy policy is to set the security policy “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” to DISABLED. - http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx


Dan Heim
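
A check for the situation described above, added as an example (not part of the original post): it reads the registry value behind the "Audit: Force audit policy subcategory settings…" security option and lists the effective per-subcategory settings reported by `auditpol`, so the result can be compared with what RSOP shows for the legacy categories. The function name is hypothetical, and the column and setting names assume English-language `auditpol` output.

```powershell
# Added example, not from the original post. Run from an elevated prompt on the DC.
function Get-EffectiveAuditState {              # hypothetical helper name
    # Registry value that backs the "Audit: Force audit policy subcategory
    # settings ..." security option (1 = enabled, 0 = disabled).
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $force = (Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy

    # /r makes auditpol emit CSV; drop blank lines before parsing.
    $rows = auditpol.exe /get /category:* /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv

    $settings = foreach ($r in $rows) {
        [pscustomobject]@{
            Subcategory = $r.Subcategory
            Setting     = $r.'Inclusion Setting'   # e.g. "Success and Failure", "No Auditing"
        }
    }

    [pscustomobject]@{
        ForceSubcategoryValue = if ($null -eq $force) { 'not set' } else { $force }
        TotalSubcategories    = @($settings).Count
        NotAudited            = @($settings | Where-Object { $_.Setting -eq 'No Auditing' })
        Audited               = @($settings | Where-Object { $_.Setting -ne 'No Auditing' })
    }
}

# Usage:
#   $state = Get-EffectiveAuditState
#   $state.ForceSubcategoryValue
#   $state.NotAudited | Sort-Object Subcategory | Format-Table -AutoSize
```

A long `NotAudited` list alongside correct-looking legacy categories in RSOP matches the post's diagnosis that the subcategory policy is the one in effect.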









