Channel: Group Policy forum

Printers deployed via GPO - users' default printers switch back...


Windows 2008 R2 Server (remote office server acting as a DC, GC and print server); clients run Windows 7 Enterprise x64 (users have roaming profiles with folder redirection)

I deployed 5 network printers using Group Policy (per machine): Printer1, Printer2...Printer5

Printer1 was the very first printer queue created on the server and deployed to users via Group Policy.

Users log in for the first time and get all five network printers, and Printer1 becomes their default printer automatically (which is fine for their first login). However, when users change their default printer, in this case Printer1, to some other printer, eventually their default printer goes back to Printer1. Is there a way to make sure the new default printer stays and it doesn't go back to Printer1?

Windows 8.1 drive map doesn't map to sub-folder


I've searched and searched, and can't find a resolution to my issue.

I just upgraded my workstation to Windows 8.1 for work, and am having issues with a drive mapping from GPO. Only one is giving me a problem, I have a drive map in our GPO to //share/users/%username%, and what I actually get as the map is //share/users. I've tried with %LogonUser% as well, which didn't help. I've also tried the common option to 'run as logged on user'. This drive map works fine for Windows 7 and Windows XP workstations, and we're on WS2k8 R2 domain.

I know that the %username% system variable is getting processed, because that's what I use as the drive label.

Any thoughts?

GPO and Service SID?


Hi, I'm a DBA installing SQL Server 2012.  SQL Server setup is creating service SIDs (e.g., NT SERVICE\MSSQLSERVER, NT SERVICE\MsDtsServer110, etc.) and granting them rights (e.g., SeServiceLogonRight, SeAssignPrimaryTokenPrivilege, etc.). 

Our GPO is removing rights from the service SIDs created by SQL setup.  We have been unable to add a service SID to GPO.  I think there is an error that the account does not exist.  We can add just the name (e.g., MSSQLSERVER, MsDtsServer110, etc.), but this does not seem to work as rights on the service SID are still removed. 

We did add NT SERVICE\ALL SERVICES (no error) and grant it SeServiceLogonRight.  I think this covers all service SIDs.  This appears to be working; however, I’m reluctant to grant some of the other rights to all services using service SIDs. 

Are only “well known” service SID values valid in GPO?  Is there any way to add a service SID such as "NT SERVICE\MsDtsServer110" into GPO?  Is there a best practice for handling service SIDs and group policy? 


Randy in Marin

Logon delay with preferences/Slow logon



I encounter some problems while applying Group Policy Preferences on my clients. I noticed Event log entries with source GroupPolicy, the ID 5016 and a message like "Completed Group Policy Environment Extension Processing in 125269 milliseconds."

So, in that case, the extension processing took 120 seconds! It varies from 1 second to 200 seconds. It only takes a long time after rebooting the PC, not with group policy updates during runtime. In the cases of longer processing (10 sec and more) I see errors like the following in the gpsvc.log:

GPSVC(420.560) 17:27:47:767 ProcessGPOs: Processing extension Group Policy Environment
GPSVC(420.560) 17:27:47:767 ReadStatus: Read Extension's Previous status successfully.
GPSVC(420.560) 17:27:47:767 CompareGPOLists:  The lists are the same.
GPSVC(420.560) 17:27:47:767 GPLockPolicySection: Sid = (null), dwTimeout = 30000, dwFlags = 0
GPSVC(420.560) 17:27:47:767 LockPolicySection called for user <Machine>
GPSVC(420.560) 17:27:47:767 Sync Lock Called
GPSVC(420.560) 17:27:47:767 Writer Lock got immediately.
GPSVC(420.560) 17:27:47:767 Lock taken successfully
GPSVC(420.560) 17:27:47:767 ProcessGPOList: Entering for extension Group Policy Environment
GPSVC(420.560) 17:27:47:767 MachinePolicyCallback: Setting status UI to Richtlinie "Group Policy Environment" wird übernommen...
GPSVC(420.560) 17:27:47:767 ProcessGPOList: No changes. CSE will not be passed in the IwbemServices intf ptr
GPSVC(420.438) 17:27:49:530 Target = Machine
GPSVC(420.438) 17:27:49:530 Target = Machine, ChangeNumber 0
GPSVC(420.560) 17:28:04:381 ProcessGroupPolicyCompletedExInternal: Entering. Extension = {0E28E245-9368-4853-AD84-6DA3BA35BB75}, dwStatus = 0x0
GPSVC(420.560) 17:28:04:553 GetWbemServices: CoCreateInstance succeeded
GPSVC(1d8.804) 17:28:04:678 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x8c4
GPSVC(1d8.804) 17:28:04:678 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(420.438) 17:28:04:678 Target = Machine
GPSVC(1d8.804) 17:28:04:678 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(1d8.804) 17:28:04:678 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(420.438) 17:28:06:206 Target = Machine
GPSVC(420.438) 17:28:06:206 Target = Machine, ChangeNumber 0
GPSVC(420.438) 17:28:06:206 Target = S-1-5-18
GPSVC(420.438) 17:28:06:206 Could not find user by sid, finding user by session id
GPSVC(420.438) 17:28:06:206 Caller requesting for user notification/lock is from session 0
GPSVC(420.438) 17:28:06:206 Target = S-1-5-18, ChangeNumber 0
GPSVC(420.438) 17:28:06:206 Could not find user by sid, finding user by session id
GPSVC(420.438) 17:28:06:206 Caller requesting for user notification/lock is from session 0
GPSVC(3fc.a3c) 17:29:12:631 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x378
GPSVC(3fc.a3c) 17:29:12:631 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(420.484) 17:29:12:631 Target = Machine
GPSVC(3fc.a3c) 17:29:12:647 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(420.484) 17:29:12:647 Target = Machine, ChangeNumber 0
GPSVC(420.484) 17:29:13:973 Target = Machine
GPSVC(420.484) 17:29:13:973 Target = Machine, ChangeNumber 0
GPSVC(420.484) 17:29:14:800 Target = Machine
GPSVC(420.484) 17:29:14:800 Target = Machine, ChangeNumber 0
GPSVC(420.484) 17:29:14:800 Sid = (null), dwTimeout = 600000, dwFlags = 268435456
GPSVC(420.484) 17:29:14:800 LockPolicySection called for user <Machine>
GPSVC(420.484) 17:29:14:800 Async Lock called
GPSVC(420.484) 17:29:14:862 Reader has to wait for lock. ReaderID : 1.
GPSVC(420.484) 17:29:14:862 Registering wait for lock notification
GPSVC(1d8.b38) 17:29:16:765 CGPNotify::RegisterForNotification: Entering with target Machine and event 0xa58
GPSVC(1d8.b38) 17:29:16:765 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(420.484) 17:29:16:765 Target = Machine
GPSVC(1d8.b38) 17:29:16:765 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(1d8.b38) 17:29:16:765 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(520.53c) 17:29:19:480 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x260
GPSVC(520.53c) 17:29:19:495 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(420.484) 17:29:19:495 Target = Machine
GPSVC(520.53c) 17:29:19:495 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(520.53c) 17:29:19:495 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(520.53c) 17:29:20:431 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x478
GPSVC(520.53c) 17:29:20:431 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(420.484) 17:29:20:431 Target = Machine
GPSVC(520.53c) 17:29:20:431 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(520.53c) 17:29:20:431 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(520.b7c) 17:29:20:806 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x49c
GPSVC(520.b7c) 17:29:20:806 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(420.484) 17:29:20:806 Target = Machine
GPSVC(520.b7c) 17:29:20:806 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(520.b7c) 17:29:20:806 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(420.484) 17:29:20:806 Target = Machine, ChangeNumber 0
GPSVC(420.484) 17:29:44:085 Target = Machine
GPSVC(420.484) 17:29:44:085 Target = Machine, ChangeNumber 0
GPSVC(420.484) 17:29:44:241 Target = Machine
GPSVC(420.484) 17:29:44:241 Target = Machine, ChangeNumber 0
GPSVC(420.560) 17:29:54:353 ConnectToNameSpace: ConnectServer returned 0x0
GPSVC(420.560) 17:29:54:353 ProcessGroupPolicyCompletedExInternal: Extension {0E28E245-9368-4853-AD84-6DA3BA35BB75} was able to log data. Error = 0x0, dwRet = 0. Clearing the dirty bit
GPSVC(420.560) 17:29:54:697 ProcessGroupPolicyCompletedExInternal: Finished processing extension <Group Policy Environment> at 146609 ticks (ms)
GPSVC(420.560) 17:29:54:697 ProcessGroupPolicyCompletedExInternal: Leaving. Extension = {0E28E245-9368-4853-AD84-6DA3BA35BB75}, Return status dwRet = 0x0
GPSVC(420.560) 17:29:54:697 ProcessGPOList: Extension Group Policy Environment returned 0x0.
GPSVC(420.560) 17:29:54:697 ProcessGPOList: Extension Group Policy Environment status was not updated because there was no changes and no transition or rsop wasn't enabled
GPSVC(420.560) 17:29:54:697 UnLockPolicySection called for user <Machine>
GPSVC(420.560) 17:29:54:697 Waking up reader with ID [1]
GPSVC(420.484) 17:29:54:697 Found the Waiting Rpc Reader in the waiting list. Removing it...
GPSVC(420.560) 17:29:54:697 Setting lock state as lockedByReaders
GPSVC(420.484) 17:29:54:697 Lock taken successfully
GPSVC(420.560) 17:29:54:697 UnLocked successfully
GPSVC(420.484) 17:29:54:697 Sid = (null)
GPSVC(420.484) 17:29:54:697 UnLockPolicySection called for user <Machine>
GPSVC(420.484) 17:29:54:697 Found the caller in the ReaderHavingLock List. Removing it...
GPSVC(420.484) 17:29:54:697 Setting lock state as notLocked
GPSVC(420.484) 17:29:54:697 UnLocked successfully
GPSVC(420.560) 17:29:54:697 ProcessGPOs: -----------------------

In other cases I get other "Entering with target Machine and event" codes (like 0x8b4, 0x348, ...). Also the number of repeats of the "Target = Machine, ChangeNumber 0" lines varies (in that case 8, in another for example 5). But I always have the "Could not find user by sid, finding user by session id" line with the SID of the local system account.

If I remove the GPO with Environment Preferences, another extension takes a long time, like Device Settings or Registry etc.

I applied the hotfix KB2775511, I renamed the setup.etl, and anything else I found on the internet. But nothing helped. DNS should work fine, the Eventlog also says the client found a DC and successfully bound to it (in some milliseconds).

Does anyone have an idea what all that "Target = Machine" and "Could not find user by sid" stuff means?

Thank you!

Group Policy Folder Redirection to SkyDrive Pro


I would like to know if it is possible to use Group Policy Folder Redirection to redirect my users' Home Drive to their Office 365 SkyDrive Pro, in the cloud.  Currently all users' home drives are redirected to an on-premise file server.  Can Group Policy redirect it to SkyDrive Pro?

I know that I can use the SkyDrive Pro app, that comes with the Office 2013 install, to redirect a local share and do offline file sync, but I would like to get this data off the on premise file server and move it to SkyDrive Pro and then do offline file sync to the local PC.  I want to automate as much as possible, for my users.

Thank you,


Windows 2012 & 8.1 ADMX with Windows 7 System



We are a Windows 2008R2 & Windows 7 Ent Shop with System Center 2012 R2 & PKI Servers.

We need to deploy 30 Windows 8.1 Enterprise Lenovo Tablets to the field.

Would all our Windows 7 GPO still work if we upgrade/update our Central Store with Windows 2012 & 8.1 Definitions?

Can any problem occur that we should be prepared for?


Group Policy: Do not allow users to delete files and folders from shared folder.


Dear Fellows,

Please guide me. How can I stop users from deleting files and folders from the shared folder on the server by group policy?

I know the permission (Read Only), but for all users, how can I restrict them from deleting the data from the shared folder?

I want to use group policy for this.


Newer GPO Import from Windows 2012 to Windows 2008 R2 DC


We have a large Windows 2008 R2 forest and a few isolated forests with Windows 2012 DCs. W2012 environment is using some latest/newer GPOs. 
We are looking to consolidate the forests and bringing all users in Windows 2008 R2 forest.  Can we import newer GPOs from Windows 2012 environment into Windows 2008 R2 environment?  Is there a technet article supporting the process?



Trying to push an MSI with a co-dependent script


Good day all

I have an MSI and a script I am trying to push out through GP, using "Software Installation" under "Computer Configuration".

And a script that is supposed to run before it, in "Windows Settings", Scripts, Startup.

I have all users with permissions to read and execute in the folder that contains the MSI, but I can't seem to get this on any users' machines. Can anyone assist me in figuring out why it won't load on a user's machine?

Scott Cummins

Set Security Level per Security Zone in IE


I am trying to set the Trusted Security Zone to Low in IE (all versions).

I have made the change under Computer > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone Template (and also tried under User). With User logged in I can see rsop which shows the setting, but in IE it remains at Medium.

Prevent creation of PST files but allow opening them


I’ve had a request to use group policy to prevent the creation of PST files in Outlook 2013 but allow existing PST files to be opened. I’ve found a group policy setting that disabled opening and creating them, but can’t identify a setting or combination of settings to fulfil the request.

Is anyone aware if this can actually be done? Even if there’s a combination of registry values I can set via GPP that’ll do.

Group Policy Printer Error



I am getting the following warning in my Application Log:



The user '<Printer Name>' preference item in the 'Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}' Group Policy object did not apply because it failed with error code '0x8007007b The filename, directory name, or volume label syntax is incorrect.' This error was suppressed.



This fires off about every 1.5 hours.  Is there a way to root out and stop this warning?



Error "COM Surrogate has stopped working" while viewing photos


Hi Team,

I am facing the below error message on a Windows 7 64-bit operating system,

please help how to get it done.

Regards, Kumar.V

Adding Administrative Templates (.admx) for Windows 8 and Windows Server 2012 to my Windows 2008 domain



We have a Windows 2008 domain, and now we need to configure IE 10 options, so we have to import the Windows 8 / 2012 ADMX files. Can we just do the following:

1. Download http://www.microsoft.com/en-us/download/details.aspx?id=36991

2. Unzip it and copy the .admx files to c:\Windows\Sysvol\<domain>\policies and create a directory called policydefinitions

3. Then just re-open Group Policy Management ?

Correct way or not? Will this have any implication on the network or any old GPO?

Thanks for reply

/Regards Andreas

Internet Explorer GPO Settings not applying


Hi all,

Having a strange problem here in which Proxy Settings aren't applying to specific users. We have an OU of 'Examination Accounts' which the students use instead of their main AD accounts for controlled assessments.

They have mandatory profiles assigned and home folders set on a samba file share.

Proxy settings are applied via GPO under Internet Explorer Maintenance. They have Internet Explorer 8 installed and hotfix KB2530309 has already been applied.

When I log into a machine (Seems to be any) using a test Exam account, the Proxy settings do not apply, even though RSOP and gpresult both confirm the settings as applied.

**On some machines, this happens only every other reboot**

Normal accounts on the same machines are fine.

They use the same inherited GPO's as normal users, except for a couple of drive maps for resources.

chrome://net-internals/ shows direct access for proxy (i.e. not configured) and standard time-out errors when trying to browse.

Any help much appreciated, if you need any other information please ask.


Windows 8 and IE10 not accepting Proxy Settings via Group Policy


We have recently introduced a couple of Windows 8 computers in our network, and we are having issues applying the Internet Explorer Proxy Server settings.

We use a Microsoft TMG 2010 server as our proxy server for accessing the internet. We have been using a GPO with the following settings to automatically configure our Windows 7 computers running IE9 with the appropriate Proxy settings:

User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Connection/Proxy Settings

  • “Enable Proxy Settings” : Checked
  • “Address of proxy” : server.domain.local
  • “Port” : 8080
  • “Use the same proxy server for all addresses” : Checked
  • “Exceptions” : Here we have a list of several internal or partner sites that should not be proxied.

This GPO has worked beautifully for our Windows XP and Windows 7 users with IE 7, 8 and 9. Now with Windows 8 and IE10, this no longer works. I’ve therefore added a Windows Server 2012 Domain Controller to the network, and using GPMC on that new DC, I created a new GPO with the following settings:

User Configuration\Preferences\Control Panel Settings\Internet Settings\Internet Explorer 10

Now, seeing as these are preferences, it’s a little different.  But, I’ve “checked off” the option “Use a proxy server for your LAN” as well as “Bypass proxy server for local addresses”. Then I click on “Advanced” and setup all my proxy settings the way I would like them, including the proxy server name, port and exceptions list.

When this new group policy gets applied to my Windows 8 PC, the only setting that gets applied is the “Use a proxy server for your LAN”. It does not configure the name or port of the proxy server nor does it configure the exceptions list. If I go back to the GPMC, and edit the new GPO, the settings are all there. However, if I just view the settings from the main GPMC screen (without opening the GPO itself), I don’t see all of those settings (again, only the one “Use a proxy server…”)

What am I missing???

Group Policy setting greyed out.


Hello Experts, We have 2 proxy servers and I have applied proxy IP address as in Group Policy (Windows 2008) and all my clients are getting as but users are able to change it to (which is the other proxy server). (How come some group policy settings are editable?)

I applied other group policy of IE settings (as mentioned below) and it's greyed out. That's how it should work.

My Questions are:

1. Why are some group policy IE settings editable by users?

2. If I want users to change the setting (Attached Image), what do I need to do?

3. All users are part of local admin group.


Senior System Engineer.

Deleting and Restoring GPO in ADC


Hi All,

I have a Windows Server 2008 R2 DC and ADC. I have configured GPOs in DC. I am in a fix about a scenario,

If I delete a GPO from ADC, will it be completely deleted from the domain or will it get replicated from the MAIN DC?

It might sound silly but I am stuck on this!

Thanks in advance.


Charles Vincent

MCSA - Windows Server 2012,MCTS-Active directory and Virtualization and CCNA

How can I copy a file through a logon script with UAC enabled ?



I have a batch that is copying a file to the "%public%\desktop\" (Windows 7) folder through a logon GPO (GPO from user configuration).
Every time I try, I get an "access denied". I know it is because of UAC and I don't want to disable it.

Through explorer.exe, I can copy this file with no problem with this same account.

How can I copy a file to such a folder through group policy, please?

I don't want to use GPP as the script is used on WinXP too and I don't have the hotfix to support GPP on these operating systems.

Thank you

Configure slow-link mode for Windows 7 question


I had slow link mode set to Disabled, but I want to use it with the default values, but it doesn't let me OK out of the screen without setting a value up.   So should I just put in a * and latency=80 and that will essentially give me the Windows 7 default values?

Or since I had it disabled, if I set it back to Not Configured would that do the same thing?  I know sometimes if something is Disabled, you have to Enable it to undo the original disabling.
