Channel: Group Policy forum

Delete all Windows XP settings from group policies

I have upgraded all my workstations to Windows 7 and now I would like to remove all settings in my policies that affect only Windows XP systems and leave everything that affects my Windows 7 systems. What is the best way to do this?

Thanks,

Dennis


Event id 1110 Group Policy problem

On Server 2008 R2 Enterprise, I keep getting event id 1110 errors from Group Policy, indicating Windows cannot tell if the user and computer are in the same forest. I can't find any obvious issue on the domain controllers. I can ping the DCs and nltest /server:<dcname> against the DCs returns no error. When I have a user execute gpresult /H GPOResult.html as suggested in Technet, it hangs. A reboot fixes the issue, but I need to find a better solution for the production environment. I also notice that if I go to add a user or group to the local Administrators group, it does not display the domain as a location from which to add users, just the local computer and "Entire Directory". Interestingly enough, if I select "Entire Directory" and enter a samid, it resolves it fine. Can someone point me in the right direction to resolve this issue?

 

Thanks

Unable to edit Default Domain policy on Server 2012 R2 domain controller

Hello,

I recently built a Server 2012 R2 domain controller and added it to my domain.  When trying to edit the default domain policy I get the following error:

I can make edits to other GPO objects.  All the other domain controllers are Server 2008 and are able to edit that GPO.  The issue is on the Server 2012 box only.  I've checked the delegated permissions, I'm a domain admin, and have opened GPMC as administrator.  Does anyone know what I'm missing?  Thank you for your time.

Tino

Group Policy Guru? Group Policy and Windows 7 erratic and inconsistent.

I've had a premier call open with MS since August. This week I had a Microsoft Technician in-house.  Though we eliminated some possibilities, we're not really closer to a cause or solution.

Every time we work with an expert, I get a different explanation to describe the situation we are viewing.

Quick summary of the issue:  We've been using Group Policy to manage most Windows XP and 7 settings for years, but starting the middle of last year, we began having clients with machines where some or all group policies would fail to apply.  These could be long assigned policies, new policies, or changes to policies.  It would never affect everyone or even a majority at once, and the resolution is never the same.  Sometimes a GPUPDATE /FORCE, sometimes fixed automajically the next day, sometimes (but very rarely) longer.

Troubleshooting History:

What we found in early troubleshooting was that these machines had errors in Event Viewer for Netlogon, Time-Sync, and Group Policy.  The other issue we noticed was that our GPRESULT /H reports were missing security groups and the denied section was nothing but SSID's.  The first issue pointed me to:

Event ID 5719 and event ID 1129 may be logged when a non-Microsoft DHCP Relay Agent is used

I installed these Hot Fixes.  No change to any of the errors in event viewer, or to our Group Policy problems.

Initial work with Premier Support found that Netlogon, Time-Sync, and Group Policy, were failing before loading of the network stack.  The suggestion was to apply the group policy setting "Always wait for the network at computer startup and logon".  At the time, this seemed not to work.  The policy was set on a test bed of laptops and desktops, and no changes in behavior were seen after 3 days.

Windows 7 Clients intermittently fail to apply group policy at startup

For some time after this, we were collecting GPSVC and NetTrace logs for Premier Support, trying to document and troubleshoot the problem.  Eventually we got fed up and asked our TAM to call in a pro to get this resolved.  We were sent an engineer for 3 days.  For three days we banged away on this issue.  We verified AD and replication health, we tried numerous fixes and workarounds.  I learned 3 different descriptions of how Group Policy works, and in the end we thought we had a workaround using the "Always wait for the network at computer startup and logon" because of a single success late in the day.  On day 3 we tried replicating this fix, and quickly realized that the same issue that was preventing other GPOs from applying was also preventing our "fix" GPO from applying.  So we went the route of using a registry entry.  I also had a problem that even though it was making the process more consistent, it was still taking 3 reboots for a Computer Policy, assigned to a computer object via Security Group, to fully take effect on a computer.

I used the registry methods in the above article.  It didn't work, no sign it was having the same effect the GPO had had.

Our support engineer claimed this was the proper method, but that path wasn't even close in a Windows 7 SP1 registry, and after creating all the keys that were not present, it still didn't work.

Always wait for the network at computer startup and logon - AzureWeb

We ran out of time, our engineer returned home.

I can understand how these errors indicate a problem applying Group Policy at boot.  But to me it doesn't explain why it doesn't correct post boot, and after a GPUPDATE /FORCE and a reboot.

It also doesn't explain why we were working fine for years, then all of a sudden DHCP is being outrun by background services.  (By the way, logging showed DHCP wasn't significantly delayed; our boot process was actually excellent, health wise.)  Why all of a sudden is this not behaving optimally?  No changes to network design or function.  No changes to the domain since 2008 R2 was installed in 2011.

Today I'm reading through all these KB's and articles again, and took some time to read:

[Forum FAQ] Common steps to start troubleshooting Group Policy application and its links below.

We ran through all of that before and during the 3-day onsite.  It's not getting us any closer to the cause or a solution.

I found and began some deep reading in this link today.  It has some additional information I will try to use next week:

Group Policy Basics - Part 3: How Clients Process GPOs

The one unanswered question I have is this.  How is group policy supposed to apply to a computer, when that policy is applied to an AD Security Group, in which the computer object is a member?

Before we began having this problem, we would assign a computer GPO, then ask the user to reboot.  If it were a user GPO, we'd ask the user to log off, or reboot.  Either way, if we allowed a few minutes for AD and FRS replication, the user would log back in with that new policy in effect.  A newly imaged machine would boot with all the GPOs linked to that domain and assigned to "Authenticated Users" already in effect.  Admin groups would be present in administrators, proxy settings would be set in Internet Explorer, etc.

Now I'm asked to believe this was never the case from Premier Support and Microsoft Engineers.  That those policies require the equivalent of a "GPUPDATE /FORCE" that was executed by the Local_System account.  That 3 reboots may be necessary for a group policy to be applied.  One for the AD Security Group to be applied.  One for the Computer Policy to be applied.  And a final one for the policy in the GPO to be applied to Windows.

Can someone confirm or correct this information please?  It's imperative to my troubleshooting.


There's no place like 127.0.0.1


cross forest processing of gpo (password policy)

We have cross forest processing going on due to a stricter password policy from forestA to forestB users. ForestB\User must continually receive the default password policy from ForestA.

Our concern is if an admin in ForestB disables the cross forest gpo/link, how would the admins in ForestA get notified/alerted for it?  What event id will appear on ForestA and ForestB domain controller?

Can a cross forest gpo be processed asynchronously?

thanks,


Navgup

GPO Internet Explorer maintenance Issues

Hi,

I have created the GPO to push the IE FAV folders and links, but I cannot find them on any of my clients. Only the DC I have applied it on can see it (IE 8). All my clients are Windows 7 and IE 9 to 11.

AS

GPO for firewall inbound connections still allows change from "Block (Default)" to "Block all connections"

Hello,

I found an interesting issue where I set a GPO to control the firewall policy to "Block (default)" the inbound connections, however that setting is not completely enforced. It still allows an administrator to alter it from "Block (default)" to "Block all connections". Why is the GPO not forcing the setting I provided?

In more detail:

The settings I'm referring to are in:

  1. Go to Windows Advanced Firewall
  2. Right click on properties
  3. Under any profile tab, in my case Domain Profile
  4. State > Inbound Connections

The GPO is set explicitly to "Block (default)", however this option can still be changed once the GPO is applied.

GPO Setting:

GPO result on server where the policy is applied:

Thanks,

Paul

Default printer - GPO problem

Hi all,

We have a policy in the domain to install printers to users. In this policy we have not defined any default printer for the user to choose the one they prefer. 

No user was having trouble, except just a few who have migrated to this domain: the policy applies correctly, but when they start the computer the next day, they lose the default. Can anyone help me with this?

The policy is configured in User Configuration -> Preferences -> Control Panel Settings -> Printers are shared printers. 

Thanks for your help,

Regards,


How to disable only inactive firewall notification in the action center by GPO

Hi

I need to disable only the inactive firewall notifications in the Action Center on PCs through GPO.

I have seen several posts and it seems it is only possible to disable all notifications in the Action Center by GPO, and not only the firewall notifications.

I have a DC with Win server 2012 R2.

Have you any ideas?

Regards

Christian

Is \\\NETLOGON\ the best place to launch .bat and .vbs scripts for GPO clients?

I am trying to figure out what the optimal shared location is for launching a script via GPO that will put specific shortcuts on my users' taskbar when they first log in to Windows 7 and create their profile.

Is putting these scripts in the NETLOGON share on the closest domain controller the best method for doing this?

Users Folder Shared Automatically

Hi!

Many of our domain connected pcs are automatically sharing the users folder on their pcs. How can we disable it through Group Policy instead of disabling it separately on each pc?

DC: Windows 2008 R2

Thanks.

Daylight Saving Time in Windows 7 ultimate SP 1

Dear Sir,

I am from India and using Windows 7 Ultimate SP1 on my PC.

My clock in the above Windows does not get changed automatically and a message is displayed:

Daylight Saving time is not being observed in this zone.

I have tried to find answers in the forum of Microsoft, but am not able to solve this problem, not being computer savvy.

May I get the simplest method to solve this problem so that I do not have to change the date and time every day?

Thanking you,

csmidha

Can I force Windows Update to "receive updates for windows and other products" using a group policy?

I would like to force Windows Update to "receive updates for windows and other products" using a group policy. Is that possible?

I am not using WSUS.

I would like the policy to apply to Win7 / 2008 R2 and newer.

Alternately: Is there another way in which I might force this?

configure TCP/IP alternate configuration

Hi,

Is there a way to configure TCP/IP for an alternate configuration in group policy? I know you can disable APIPA through the registry, but I can't find how to configure the alternate configuration. Thank you.

How can my .pac file change dynamically based on the physical site I'm located in?

Hello,

Users travel from one location to another which requires their laptops to 'load/use' a different .pac file for Internet connectivity, which is the option below.  How/where do I config Group Policy to 'dynamically' load/use the correct .pac file based on their location (or subnet I would guess)?

The specific IE Options location is the 'Use Automatic Configuration Script' below:


Thanks for your help! SdeDot


Set Security Level per Security Zone in IE

I am trying to set the Trusted Security Zone to Low in IE (all versions).

I have made the change under Computer > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone Template (and also tried under User). With User logged in I can see rsop which shows the setting, but in IE it remains at Medium.

How to run local script on client with group policy?

Is there a way to launch a local .cmd batch file with Group Policy?  I have a migration project where a number of PS and .cmd scripts are being distributed with GPP (no passwords involved).  These scripts need to run locally to effect config changes on Win7 / Win8 workstations (2012 domain).

How do I launch these local scripts with a GPO?  Can I call a script on a client workstation with a GP login script?

The goal is to pick and choose which users and which scripts run.  That way it's a staged migration.  Once the scripts have been distributed, I want to be able to link/unlink a GPO to control which scripts are launched and which users are migrated.  I'm guessing this is a fairly common scenario...  any help appreciated.


Server 2012 biometric framework domain log in applications

Hey, for a school project I need an application that can be blocked as a "biometric log in application". I tried rohos free facial recognition but I don't think the Windows Biometric Framework (WBF) GPO settings recognize it as a biometric application. Does anyone know of a free or cheap application that is recognized by the WBF, as in one to log into the domain with? I think when it says biometric it means a fingerprint scanner.

Obtain Microsoft softwares installed on computers and servers with cd-key

Hi,

to check our Microsoft licenses and value if change the Microsoft License Program I need to obtain the Microsoft software installed on any computer and server of my domain.

How do you map network on Windows 8.1?

Anyone know how to map network on Windows 8.1? I've searched the web and can't find anything regarding 8.1.  