Channel: Group Policy forum

Display messagebox at startup


I have made a batch file which uninstalls Office 2003 and installs Office 2010. Office 2010 is configured through OCT, so it starts in the batch file with an MSP file.

Uninstalling and installing 2010 is started through a computer startup script in Group Policy.

Installing goes fine; however, in the OCT I have configured that the user can see that Office is being installed, but this is not displayed on the user's system. I also built a command into the batch file so that a screen is displayed saying that Office is being installed; this box is not displayed either.

Conclusion: when the batch file runs through computer startup policy, no info boxes are displayed. Nothing is displayed, so there is nothing for the user to see when the install is ready. How can I arrange that when installing through a computer startup script?

When starting the setup with the MSP from OCT, the Office install boxes are displayed; only through GPO is nothing displayed?


freddie


Folder Redirection


Hi everyone.

I have an odd situation with Folder redirection on server 2012.

Policy is being applied perfectly.

As soon as a new user logs on, the folders are being redirected to the share. Documents, Desktop etc.

The problem I have is:

Files/folders created on the local machine by the user are seen straight away on the share...

Files/folders can be deleted from the share by the admin and this is reflected on the local machine... However

files/folders CREATED ON THE SHARE by the admin do not appear on the local machine. :(

Any ideas?

Security settings for the users folder on the share are:

CREATOR OWNER - Special

SYSTEM - FULL

domain admin - FULL

Owner of the folder - Special

Local admin - full

Thank you.

Server 2012 and windows 8 group policy with windows server 2008


Can the templates for 2012 and win8 be used on a domain with windows 2008 functional level (not R2)?

thanks

Windows 8 - Folder Redirection policy missing from GP Results.


Hi guys! This has been giving me a hard time the last day or so. I've got some Win8 machines in our 2003 domain. I've got some GPOs applying with WMI filtering for Win8 machines. Mostly these are OK, but I'm having a huge problem with Desktop Folder Redirection.

After a fresh build and first login, everything works fine. Drive mappings are all there and the Desktop is redirected to the user's home drive on the file server. This is being done with Advanced settings using group membership and set to "Create a folder for each user under the root path" \\dfs1\users. This location is correct and permissions are fine of course as everything works for a while.

After a little while or some unknown event, this redirection stops working.

Check these two screengrabs. These are different users on different machines. The machines are identical, are in the same OU and have the same image. The users are different but have the same group memberships and are in the same OU.

This is a working machine. Note the Folder Redirection component was processed and the Policy exists.

This machine is not working. Folder Redirection is processed, but the Policy is missing. Running a gpresult /v on this machine yields: 

 Folder Redirection
 ------------------
     N/A

It was working fine yesterday and this morning. Now at some point a policy refresh stopped it from working. Just trying to figure out what! These are the exact settings currently in place for our Win 7 machines which all work just fine. Going a bit crazy tbh and usually when I post questions I figure it out shortly afterwards anyway huhu. Any help is appreciated!

h 

AGPM and DFS SYSVOL Replication


I've noticed recently some issues when trying to "Deploy" updated group policy objects using AGPM.  AGPM will respond with Event 2006

Restore of GPO failed. Error [The directory is not empty]

On the domain controller in the DFS event log you see an entry like this:

The DFS Replication service detected that a file was changed on multiple servers. A conflict resolution algorithm was used to determine the winning file. The losing file was moved to the Conflict and Deleted folder.

 

This only seemed to start once we switched SYSVOL replication from FRS to DFS.  Has anyone else seen this issue?

 

Group Policy Preferences combined with GP Settings - good or bad for login time?


I came across an article that made a tip stating “As a best practice tip, don’t combine Group Policy Settings and Group Policy Preferences in the same Group Policy Object. Due to the way Group Policy settings and Group Policy Preferences get applied, combining them will add significantly to the boot and logon times in your environment.” 

What is the general consensus here? I don’t have any other sources to back this up other than this article. Any seasoned GP pros out there have personal experiences with this? I have combined preferences w/ policies and it takes less than 4 seconds to process if no changes are detected. Even if changes are made, I don’t see a significant increase in logon times. 

Any comments are appreciated! 

Thanks.

PS: Source of tip: http://4sysops.com/archives/internet-explorer-10-administration-part-3-group-policy-preferences/


Charlie Newman

Group Policy Guru? Group Policy and Windows 7 erratic and inconsistent.


(*If you don't feel like reading everything, skip to the bottom two paragraphs for my questions)

I've had a premier call open with MS since August. This week I had a Microsoft Technician in-house.  Though we eliminated some possibilities, we're not really closer to a cause or solution.

Every time we work with an expert, I get a different explanation to describe the situation we are viewing.

Quick summary of the issue: We've been using Group Policy to manage most Windows XP and 7 settings for years, but starting the middle of last year, we began having clients with machines where some or all group policies would fail to apply. These could be long assigned policies, new policies, or changes to policies. It would never affect everyone or even a majority at once, and the resolution is never the same. Sometimes a GPUPDATE /FORCE, sometimes fixed automajically the next day, sometimes (but very rarely) longer.

Troubleshooting History:

What we found in early troubleshooting was that these machines had errors in Event Viewer for Netlogon, Time-Sync, and Group Policy. The other issue we noticed was that our GPRESULT /H reports were missing security groups and the denied section was nothing but SSID's. The first issue pointed me to:

Event ID 5719 and event ID 1129 may be logged when a non-Microsoft DHCP Relay Agent is used

I installed these Hot Fixes.  No change to any of the errors in event viewer, or to our Group Policy problems.

Initial work with Premier Support found that Netlogon, Time-Sync, and Group Policy, were failing before loading of the network stack.  The suggestion was to apply the group policy setting "Always wait for the network at computer startup and logon".  At the time, this seemed not to work.  The policy was set on a test bed of laptops and desktops, and no changes in behavior were seen after 3 days.

Windows 7 Clients intermittently fail to apply group policy at startup

For some time after this, we were collecting GPSVC and NetTrace logs for Premier Support, trying to document and troubleshoot the problem. Eventually we got fed up and asked our TAM to call in a pro to get this resolved. We were sent an engineer for 3 days. For three days we banged away on this issue. We verified AD and replication health, we tried numerous fixes and workarounds. I learned 3 different descriptions of how Group Policy works, and in the end we thought we had a workaround using the "Always wait for the network at computer startup and logon" because of a single success late in the day. On day 3 we tried replicating this fix, and quickly realized that the same issue we were having preventing other GPOs from applying was also preventing our "fix" GPO from applying. So we went the route of using a registry entry. I also had a problem that even though it was making the process more consistent, it was still taking 3 reboots for a Computer Policy, assigned to a computer object via Security Group, to fully take effect on a computer.

I used the registry methods in the above article. It didn't work, no sign it was having the same effect the GPO had had.

Our support engineer claimed this was the proper method, but that path wasn't even close in a Windows 7 SP1 registry, and after creating all the keys that were not present, it still didn't work.

Always wait for the network at computer startup and logon - AzureWeb

We ran out of time, our engineer returned home.

I can understand how these errors indicate a problem applying Group Policy at boot. But to me it doesn't explain why it doesn't correct post boot, and after a GPUPDATE /FORCE and a reboot.

It also doesn't explain why we were working fine for years, then all of a sudden DHCP is being outrun by background services. (By the way, logging showed DHCP wasn't significantly delayed; our boot process was actually excellent, health wise.) Why all of a sudden is this not behaving optimally? No changes to network design or function. No changes to the domain since 2008 R2 was installed in 2011.

Today I'm reading through all these KB's and articles again, and took some time to read:

[Forum FAQ] Common steps to start troubleshooting Group Policy application and its links below.

We ran though all of that before and during the 3-day onsite.  It's not getting us any closer to the cause or a solution.

I found and began some deep reading in this link today. It has some additional information I will try to use next week:

Group Policy Basics - Part 3: How Clients Process GPOs

The one unanswered question I have is this. How is group policy supposed to apply to a computer, when that policy is applied to an AD Security Group, in which the computer object is a member?

Before we began having this problem, we would assign a computer GPO, then ask the user to reboot. If it were a user GPO, we'd ask the user to log off, or reboot. Either way, if we allowed a few minutes for AD and FRS replication, the user would log back in with that new policy in effect. A new imaged machine would boot with all the GPOs linked to that domain and assigned to "Authenticated Users", already in effect. Admin groups would be present in administrators, proxy settings would be set in Internet Explorer, etc.

Now I'm asked to believe this was never the case from Premier Support and Microsoft Engineers. That those policies require the equivalent of a "GPUPDATE /FORCE" that was executed by the Local_System account. That 3 reboots may be necessary for a group policy to be applied. One for the AD Security Group to be applied. One for the Computer Policy to be applied. And a final one for the policy in the GPO to be applied to Windows.

Can someone confirm or correct this information please? It's imperative to my troubleshooting.


There's no place like 127.0.0.1



2008R2 IE 11 Group Policy Preference Proxy Configuration Issues


I've been mulling this problem over for a while and I finally have to accept I can't use IE Maintenance anymore for managing proxy settings.  I've been reading up on how to make Server 2008 R2 work with GPP settings for IE 9 - 11.  Everything I've read says I need to install the .admx files (link below) or install IE 10+ to get the IE Preferences to show up for 9, 10, and 11.  But when I look at my .admx files in %systemroot%/PolicyDefinitions it has the same exact .admx file that I download from the Admin Templates.  I can not see the policy preferences for IE 9, 10, or 11 and need these options so I can configure a Proxy server.  How do I go about getting these preferences to become available in Server 2008 R2 SP 1? 

#admx link

http://www.microsoft.com/en-us/download/details.aspx?id=36991

Note that I also tried the following to manually add support while testing but it didn't help me:

Open up the policy, and create an IE8 Preference: User Configuration --> Preferences --> Control Panel Settings --> Internet Settings --> New --> Internet Explorer 8 -> Set your proxy settings


Navigate to C:\Windows\SYSVOL\domain\Policies was an easier route, then sort by date for the recently created IE entry.

Navigate to User\Preferences\InternetSettings

Open up the "InternetSettings.xml file, and change the MAX value to something above 10.0.0.0 (I usually put 10.5.0.0). This way, the policy won't trip up later on if IE 11 comes out and doesn't support any of these policies, but at least you'll be safe until 10.5.0, or until a hotfix is available. "

max="10.5.0.0"




Cannot install SP1 on Windows 2008 R2 64bit 0x800f0826


Hello,

I'm having an error when I'm trying to deploy service pack 1 of Windows Server 2008 R2.

I tried installing SP1 on a workgroup machine and the results were successful.

But when I try to install it in my Domain it doesn't work. I think that some GPO or registry keys have had their permissions modified.

So I removed the machine from the Domain and tried again to install SP1, but it doesn't work either.

I think that some GPO removes permissions on some files and folders.

What permissions on files or folders should I have to successfully deploy Service Pack 1 on a Windows 2008 machine in my Domain?

Thanks in advance.

Manuel


Manuel´s Microsoft Forums Threads

Log on as a service Policy


I'm working with an issue caused by the Log on as a service policy being applied and enforced from the top of the domain hierarchy. Basically, the settings of the policy are fairly restrictive. So, administrators have used a work around that is undesirable. Any time the Log on as a service right is needed and the account is not explicitly listed in the policy, they have made the service account a member of the local Administrators group. I'd like to decrease the number of accounts in the local admins group, and I'm looking for a way to undo the policy.

I'd like to change the domain policy to Not Configured, but, from looking at the Managed settings and what I see on Local Security Policy consoles, it appears that if I made that change, the local policy would revert to default and only NETWORK SERVICE would have the right to log on as a service.

Does anyone have experience trying to undo this GPO setting? Will I have to determine in advance all the servers that will be affected by undoing the policy and then endure a painful maintenance window requiring server reboots and granting the right as appropriate?

Anyone pushing printers through GPP? Possible to do that without creating printservers?


We are running 2008 R2 with Win7 clients. Our printers are always installed manually by our techs to print directly to the printers at different sites. We do not care for print servers, because we have always felt it is just one more thing that can break and would need to be clustered, etc. Can we use GPP to push out different print drivers and set it up so the clients print directly to an IP, instead of a UNC for a print server? If anyone has any ideas of a good way to manage a large environment for this, please let me know. If anyone has a clustered print server environment and has comments, etc., I would appreciate the feedback.

Dan


Dan Heim

Creating Group Policy Windows Server 2008 R2


Hello guys,

I want to implement a group policy/policies across the network to perform the following:

1) Restart users' PCs across the network on the last Friday of every month

2) Update the PCs with Microsoft patches or updates if any during the restart

3) Send a notification message on Wednesdays preceding that Friday to the users, informing them to save their work and close all the programs and files as their PCs will be restarted on Friday.

Any help on this would be greatly appreciated.

Thanks in advance

Cheers

Group Policy based Wireless Profiles not applying to Windows 8.1 domain clients


I'm wondering if anyone else out there has run into the same issue as I am seeing.  The environment is all Server 2012(not R2), with Windows 8.1 clients.  

I configure a GPO that is linked to the entire domain/authenticated users and contains a Windows Vista and Later wireless network profile. Let's call it "GPO_Wireless". It is configured to automatically connect to a specific SSID; the encryption settings are unimportant, as I've tried numerous approaches. In our case, we're trying to do EAP-TLS with the NPS role. We have the CA rolled out, NPS has a proper cert, and the clients are auto-enrolling for both Computer and User certs. This is all verified as working. We've also tried straight password authentication.

I refresh group policy on a Windows 8.1 client and see that Computer Policy "GPO_Wireless" is being applied to the client.  I restart the computer, but it does not connect to the wireless network.

I run "netsh wlan show profiles" and under "Group Policy Profiles(read only)" it is blank.

I run gpresult /r /scope computer again, and it shows "GPO_Wireless" is being applied.

The last note is that Windows 7 clients can connect to the wireless just fine.

Home Drive Disappears / Is Not Mapped When Users Go Off Network


Hi Technet,

I've recently deployed Windows 7 Enterprise x64 in my environment and am seeing behavior that I don't understand and would like some clarification on.

I'm running Active Directory with a DFL of 2008 R2.  All users have a Home Folder mapped via the profile tab in Active Directory that connects to an SMB Share specific to their user account, for example:  \\bbcfileserver\users\johndoe

The issues that I'm seeing are best described as follows:

1 - If a user is on the network at the office, and then puts their laptop to sleep / shuts down and goes home (or to any other location), then wakes up their laptop - their mapped drive disappears completely when the computer wakes up and they log in.  It's not just there but disconnected  with a red x - it's totally gone.

2 - If a user is on the network and puts their laptop to sleep /shuts down and then logs back in later via cached credentials before their network adapter can initialize, their home drive is not mapped at all, and is not available until they wait for the network adapter to connect, log out, and log back in after connecting.

I understand in either case that the drive is not mapping because the user has no network connection - but my question is why it's simply not mapped and unavailable until they do connect to the network.  Is there a GP setting I can put in place to make it so the mapping is persistent?  Would using folder redirection accomplish this persistent mapping perhaps?  My users have VPN connectivity via third party software and often want to work remotely - but have issues with losing their home drive, and it's also troubling to have them log in and out multiple times at the office during the day just to gain access to their home drive.

Any clarification or suggestions on how I can make this better / easier would be greatly appreciated.

Thanks as always!

-Keith

The processing of Group Policy failed


Dear Support,

I am using Windows Server 2003 as our domain controller, and have 2 more ADCs at branches.

We are already using GPO for our network, but when I try to make some changes they are not applied on Win 7 and Win 8.

When I try to do gpupdate /force, it gives me the following error:

---------------

C:\Users\xxxxxxxx>gpupdate /force
Updating Policy...

User policy could not be updated successfully. The following errors were encount
ered:

The processing of Group Policy failed. Windows attempted to read the file \\xxxxxx\SysVol\hqdom.dom\Policies\{1A63FDF6-582A-49C3-9CEF-945F6D50BAA4}\gpt.ini f
rom a domain controller and was not successful. Group Policy settings may not be
 applied until this event is resolved. This issue may be transient and could be
caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller
 has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Computer policy could not be updated successfully. The following errors were enc
ountered:

The processing of Group Policy failed. Windows attempted to read the file \\xxxxxx\SysVol\hqdom.dom\Policies\{1A63FDF6-582A-49C3-9CEF-945F6D50BAA4}\gpt.ini f
rom a domain controller and was not successful. Group Policy settings may not be
 applied until this event is resolved. This issue may be transient and could be
caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller
 has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
rom the command line to access information about Group Policy results.


Ali SJ -MCITP 2008-


cross forest processing of gpo (password policy)


We have cross forest processing going on due to a stricter password policy from forestA to forestB users. ForestB\User must continually receive the default password policy from ForestA.

Our concern is if an admin in ForestB disables the cross forest gpo/link, how would the admins in ForestA get notified/alerted for it?  What event id will appear on ForestA and ForestB domain controller?

Can a cross forest gpo be processed asynchronously?

thanks,


Navgup

How to set *all* of desktop settings with GPO

Using Server 2012 standard with Win 7 32-bit domain members. Client has a custom designed logo that centers on the screen as desired, and I can set this up with GPO, no problems. However, I can't find anywhere in GPO where I can specify the desktop background color. Does such a setting exist? If so, this sure beats going around to individual computers to set the custom background color so it matches and blends with the logo.

GPO Prevent saving to "My Computer" in Windows 7


Hi there,

We have a problem with domain users "losing" work due to saving to "My Computer"

In group policy we "Hide these specified drives in My Computer" and "Prevent access to drives from My Computer" for the C: drive in this location: 

User Configuration\Administrative Templates\Windows Components\File Explorer

How do we stop people saving to "My Computer"? We weren't even aware that you could do this until we started investigating reports of missing files and found them deep in the appdata folder - places like C:\Users\username\AppData\Roaming\Microsoft\Windows\Network Shortcuts

Thanks,
Kieran.

Windows 8.1 Applocker Blocking Packaged App Installation During Deployment


Hi all! I have run into an issue while deploying Windows 8.1 Enterprise using MDT 2013 with applocker policies applied. During testing I have had no issues with the default provisioned Store Apps but I have recently configured an applocker policy that will prevent any apps from being installed other than those provided by Windows. When I test the policy on a running computer it appears that everything is working correctly - any of the original provisioned apps can be run or re-installed from the Store and any other apps will not install.

With this policy applied when a machine images and joins the domain none of the provisioned apps will successfully download and install but instead they get an x in the lower right-hand corner. I have verified that the Applocker policy is the culprit by disabling it and imaging a new computer which successfully installed the default apps. What is going on here? If the policy seems to work on a computer during normal operation why does it prevent the apps from initially downloading? Is this a bug in the way Applocker works?

The policy is configured as such:

Executable Rules - Enforced Audit Only - Created default rules

Packaged App Rules - Enforced - Auto-created rules based on a machine with default configured apps

One workaround I am considering is to make sure the Applocker policy doesn't apply in the staging OU so the apps will download and be in a working state. These computers could then be moved to an OU with the Applocker policy linked so that it will begin to prevent the installation of other apps. This is not a desirable method but could be a stop-gap until this bug is worked out.

Please let me know if there is any other info I can provide to make this issue clearer. Thanks!

IPV^ checkbox
