Quantcast
Channel: Group Policy forum
Viewing all 19997 articles
Browse latest View live

How to request a digital certificate from a client computer joined to a windows server 2003?

$
0
0

I have a windows xp and 7 joined to a windows server 2003 and that server 2003 has Enterprise CA installed now I want to request a digital certificate from a windows 7 or xp.

Can someone give me some info please?

Thanks.


Applocker - Allow Regedit.exe

$
0
0

I am working with Windows 7 x86 Enterprise machines and trying to configure AppLocker for different application development teams.  We do not want them to have full administrative access to their machines but we do want them to have control over their programs.  

One of the teams needs to be able to adjust regedit.exe (HKLM > Software > Oracle) binaries.  I have set the Application Identity service to auto start on boot and made sure AppLocker properties had a check next to configured for executables and enforce rules.  

I imported the default rules and added a PATH rule for regedit.exe and allowed for a specific domain user.  I have also set the allow for all files in the windows folder for the domain user.  

The problem is this doesn't work and they still get errors when trying to change keys in the registry.  Any advice?  We do not have Group Policy set for Applocker.  I am thinking if it isn't defined then it isn't managed.  Would a GPO have to be created before this would work?

SRP - Authenticated users vs Domain users

$
0
0

Hi there,

I've recently started testing SRP on my test users/workstations.

I created a GP with SRP turned on where i have "Enforcement" set as "All users except local administrators"

What I've noticed: if a user is a member of Domain Admins group and that group is a part of Local Users on a particular machines, that user is prevented from performing administrative tasks...even though intuitively it should not.

I read that the "Security Filtering" of the GP i created has default "Authenticated Users" which is the reason Domain Users are not excluded from the GP.

So I replaced Authenticated Users with Domain users and now my Domain Admins user is able to perform administrative tasks just fine.

My question is: How does this impact the security and enforcement of SRP? Obviously Authenticated Users is set by default for a reason. Before i settle for the aforementioned solution, I would like to be sure I am not not creating a serious security flaw.

Please advise,

Thank you!


ie11 administrative template settings not applied

$
0
0

2008 R2 domain with mostly windows 7 clients running ie8. upcoming project to upgrade them to ie11.

I copied the inetres.admx and inetres.adml files from the PolicyDefinitions folder on a windows 8.1 PC with ie11 and pasted them into the central store.

I created a new GPO that configures "access data across domains" to "disabled" from user configuration/policies/administrative templates/windows components/internet explorer/internet control panel/security page/internet zone.

I logged into four test machines with the same user account.

windows 7 with ie8
windows 7 with ie9
windows 8 with ie10
windows 8.1 with ie11

all four machines show this setting correctly Disabled with my GPO as the winning GPO in RSOP, but *only* the ie8 machine properly shows this setting as Disabled in its Internet Settings. the ie9, ie10, and ie11 machines all have the setting Enabled in their Internet Settings.

full disclosure: there is an old-school Internet Explorer Maintenance GPO in place that sets this to Enabled. but in theory, that GPO should only affect the ie8 and ie9 machines, right? and yet the ie8 machine is the only one getting the correct setting from my new administrative template GPO.

is there an easy way in GPMC to tell if i'm actually working with the ie11 version of inetres.admx or not? some setting that's new for this version?

How can you set up a new tab to open to the home page in internet explore 11 with group policy in windows Server 2012?

$
0
0

Hi everyone,

It's simple to setup IE 10 to open two tab as home page but I can't find this feature for IE 11. Is that possible with IE 11?

Thanks


Flavio Ribeiro

Show desktop icons

$
0
0

Is there a GPO or registry edit that will remove the option of "Show Desktop Icons"?

Accessed from, right click desktop > view > show desktop icons.

How to unlock local administrator accounts

$
0
0

Hi all,

I have a XP machine that is a member of Win2008 domain and the local
administrator account is locked out

whenerver i restart xp machine automaticaly locked out admin accounts.

how to unlock the xp or windows 7 machines local admin accounts over gpo.

Regards,

Udaiyar

GP policy for script

$
0
0

Dear Exprt,

I have script to run (computer configuration) on logon and its run after computer restart however is there any other way to run this policy without restarting computer or any other place in GP to add script to run without restarting machine.


Support@Mytechnet.me



locked out of a folder as the admin

$
0
0
This kind of complicated to explain, but I will do my best. The user created three folders that they wanted to be viewed by only certain employees. So when I was in the file under the security tab I saw a bunch of groups had access to the file. One of the groups being "everyone" So naturally I denied that group access. Not knowing that the admin profile was in the everyone group. "I did not set this up, took over support just recently" So as the admin, I am now locked out. I created another account and managed to get in, but now I can only see 2 of the 3 folders. I managed to unlock them, but I need to get into the third folder. As the original admin, I can see the folder, but not open it. As the user I created I cant see it at all. Any suggestions would be very helpful. 

Laptop lose mappings once disconnected from Network

$
0
0

We are using GP to map all of our network drives to users. Most of our laptop users that work remotely, when they login the drives are disconnected but they are still mapped. Once they connect to the VPN, they can access those drives. Others laptop users that we have, when they login to their machines, the drives are not mapped. When they VPN in the drives are still not mapped or connected.

I need the drives to stay mapped on those end users machines once they leave the network, so when they VPN in, the drives will not be accessible. 

"Redirect folders on primary computers only" setting being ignored

$
0
0
Our AD schema is 2012 and we've applied a Folder Redirection GPO which has "Redirect folders on primary computers only" enabled.

We've designated one Windows 8.1 computer as the "primary computer" of a specific user. Checking the AD attributes for the computer and the user, we can verify that the DNs have been saved in the msDS-PrimaryComputer (for the user) and msDS-IsPrimaryComputerFor (for the computer)

On the designated primary computer we can tell that the GPO is being applied successfully and folders are being redirected for this user.

However, when we go to a non-primary computer with this user's account, folders ARE ALSO redirected. (Yes, we even tried doing this on a computer which the user had never logged onto before)

Checking the event logs for both "Folder Redirection" and "User Profile Service" we DO NOT see any indication of whether the primary computer attribute is being evaluated.  The following article has examples of what one should see if things are being evaluated correctly: http://blogs.technet.com/b/askds/archive/2012/10/23/digging-a-little-deeper-into-windows-8-primary-computer.aspx

What could cause Windows to not evaluate the primary computer status and to proceed with folder redirection anyway?

Windows 8 Group Policy Preferences Local Users and Groups, error 0x8007052a

$
0
0

I am testing an existing GPO Preference with Windows 8 that renames the Builtin Administrator account and sets the password.  It works on XP and Win 7 but not on Win 8.  RSOP reports that the GPO completed successfully but provides the following additional information:

Group Policy Local Users and Groups completed successfully.
Additional Information:
The computer 'Administrator (built-in)' preference item in the 'Test_Policy {guid}' Group Policy Object did not apply because it failed with error code '0x8007052a This operation is disallowed as it could result in an administration account being disabled, deleted or unable to logon.'%%100790273

Sounds like there is a setting somewhere that is preventing changes to the builtin administrator account, but I can't find our where it is to toggle it off.  Any ideas?

GPO - How to uncheck Display intranet sites in Compatibility View

$
0
0

Hello,

How do you uncheck the (IE8) "Display intranet sites in compatibility view" through group policy? I read several conversations regarding the this default setting, however I did not see how this can be done.

Thanks

Registry Permission change GPO

$
0
0

I need to modify the permissions on reg key ofHKEY_LOCAL_MACHINE\Appid\{86F80216-5DD6-4F43-953B-35EF40A35AFEE} so it hides the wireless key in windows 7 so people cannot view it. I have 500 systems to set this up on as I need to remove the CElevatedWLANUI and any other groups and replace it with domain admins so that is the only group that can see it. I do not want to have to modify this key on 500 systems as it would take a long time.

How can I modify this key permssions on the reg key value and then deploy it via Group Policy to all workstations.

Group Policy on Windows server 2003 Enterprise

$
0
0

Dear Sir,

I am applying Group Policy on windows server 2003 Enterprise it is working but my all User System Operating system is Windows XP  is working 100% but my for system user Windows 7 Professional this wallpapers Group Policy is not working on windows 7 only wallpaper problem user system screen is black .this is my problem Please Help me .  thanks. 


MS Acess and Excel DB connectors

$
0
0
using GP is there a way to disable the tools in Office that allow connections to our SQL databases?

Need to pin a website to taskbar

$
0
0

I have a Win Svr 2012 r2 std DC of which I'm tasked to create a group policy for all users to have a specific internet explorer shortcut to all employee PC's Desktop, and PINNED to the start bar.

How can you do this easily? Please provide step by step please.

Thank you,

VB startup script not running on Win7

$
0
0

Hi,

my startup VB script not working on Windows 7. The script should install or uninstall office 2010 based on group membership. 

I tested scipt on Windows XP and everything works. When I run script manually, it works.

Quite similiar batch file works, office are installed but not same functionality for me.

I turn UAC off, bot not working.. Also add dword EnableLinkedConnections  but nothing change.

Batch file works but VBScript not!

Any advice? Thx

Folder Redirection not working

$
0
0

We have recently moved from Windows 2003 server to 2008 R2, and from XP clients to Windows 7.  I am now trying to get folder redirection to work.  I am trying to keep it as simple as possible.  I only need to redirect the documents folder to an existing network share.  I created a GPO specifically to do this.  I configured the offline files.  I have set the user home directory in AD, and verified the environment variable is correct on the client system.  I am trying to get it to work with my account, which has full administrator rights - and I have exclusive ownership to my home folder.  In the GPO I have set the documents folder to do a basic redirect to the users home directory. It will not redirect.  I have enabled userevent logging, and have the following information below.  I continue to get the event log warning message that folder redirection policy application has been delayed until the next logon...which happens at every logon, so I know this is not expected behavior, at least not an expected result.  Any help would be greatly appreciated.

CheckGPOs: No GPO changes but called in force refresh flag or extension Folder Redirection needs to run force refresh in foreground processing

ProcessGPOList: Extension Folder Redirection returned 0x0.

Also - I have selected grant exclusive access to user home directory on the second page of the GP documents option.


How to config user email

$
0
0

Hi,

In our company we use SCCM 2012 SP1 to deploy Office 2013 to all our client machines. The problem is when a client open its outlook, he/she need to confiure all settings. How I can configure this automatically?

Thanks in advance.

Viewing all 19997 articles
Browse latest View live


<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>