Channel: Group Policy forum

Restrict printers based on security groups


We have set up all of our printers on a server and deployed them via group policy.  I am looking for a way to restrict printing based on which security group the user is in.  We have got it working by setting permissions in the printer security tab in the server.  But I would like a more elegant solution, since the printers that the user can't print to are greyed out with an X over the icon.  I would like to have the printer not even show up in the printer list if that user isn't allowed to print there.

Is this possible?

We are running Windows Server 2008 R2 and our clients are all Windows 7.

Thank you.


Do not require smartcard for specific user logon


Hi everyone!

I set up a GPO setting for some application server, "Interactive logon: Require smart card", to "enabled". So now I need to allow a specific user (admin, for example) to log on to this computer without a smartcard. How can I do this?

Note that I need to allow only one user to log on without a smartcard, and other users must use their smartcards (but strongly they must use smartcards only for this application server, so they should be able to log on to other domain computers without a smartcard). How can I reach this goal?

Google Chrome - Bookmarks


Hi all,

We're currently testing deploying bookmarks for Chrome via a GPO which copies a bookmarks file from a network share to:

c:\users\%username%\appdata\local\google\chrome\user data\default\bookmarks.

This appears to work initially; however, the user loses any bookmarks they've saved if we update and roll out an updated bookmark file.

Is there a way for us to roll out new default bookmarks without overwriting bookmarks created by the user?

Cheers.

How to reverse Go to desktop instead of start


On Windows Server 2012 R2 running RDS, I have applied the "Go to desktop instead of start" setting via GPO. However, now I want to go back, and changing the GPO has no impact. I checked that GPO results show that the setting applied is now disabled but... No worky!

Can someone advise what registry key is set so I can unset it :-)

Many thanks

@virtualfat


“Simplicity is the ultimate sophistication” - Leonardo DaVinci

GPO created in AGPM is not appearing in Sysvol.


Hi guys,

I am facing a weird issue, could somebody advise please?

I created a template in AGPM (using an existing GPO) and from the template deployed a New GPO into the production.

I can see the GPO in AGPM, I can edit it, I can link it, etc., i.e. everything works fine inside AGPM. But the new GPO is not appearing in Sysvol, and is therefore not being applied. I tried recreating the template from a different GPO and creating another new GPO, still the same. The GPO is not in Sysvol. I waited overnight hoping it was just a matter of time (replication), still no luck, the GPO is not in Sysvol.

Any help?

Thanks, 


Strength is in justice

2008R2 IE 11 Group Policy Preference Proxy Configuration Issues


I've been mulling this problem over for a while and I finally have to accept I can't use IE Maintenance anymore for managing proxy settings.  I've been reading up on how to make Server 2008 R2 work with GPP settings for IE 9 - 11.  Everything I've read says I need to install the .admx files (link below) or install IE 10+ to get the IE Preferences to show up for 9, 10, and 11.  But when I look at my .admx files in %systemroot%/PolicyDefinitions it has the same exact .admx file that I download from the Admin Templates.  I can not see the policy preferences for IE 9, 10, or 11 and need these options so I can configure a Proxy server.  How do I go about getting these preferences to become available in Server 2008 R2 SP 1? 

#admx link

http://www.microsoft.com/en-us/download/details.aspx?id=36991

Note that I also tried the following to manually add support while testing but it didn't help me:

Open up the policy, and create an IE8 Preference: User Configuration --> Preferences --> Control Panel Settings --> Internet Settings --> New --> Internet Explorer 8 -> Set your proxy settings


Navigate to C:\Windows\SYSVOL\domain\Policies was an easier route, then sort by date for the recently created IE entry.

Navigate to User\Preferences\InternetSettings

Open up the "InternetSettings.xml file, and change the MAX value to something above 10.0.0.0 (I usually put 10.5.0.0). This way, the policy won't trip up later on if IE 11 comes out and doesn't support any of these policies, but at least you'll be safe until 10.5.0, or until a hotfix is available. "

max="10.5.0.0"



Group policy problem

Hi, I created a Group Policy object for my domain to block access to Control Panel. It blocks it fine when I log on locally as a normal user, but if I log on to the domain from another computer, Control Panel is not blocked. How do I sort this?

Updating policy... Computer policy could not be updated successfully. The following errors were encountered: The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind funct


Hello group member,

When I run the command on my new Windows 2012 additional domain controller, it gives the below message:

Updating policy...

Computer policy could not be updated successfully. The following errors were enc
ountered:

The processing of Group Policy failed. Windows could not authenticate to the Act
ive Directory service on a domain controller. (LDAP Bind function call failed).
Look in the details tab for error code and description.
User Policy update has completed successfully.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
rom the command line to access information about Group Policy results.

Please advise what the issue is.


Is there a group policy to force all workstations in an OU to logoff?


Hello,

Is there a group policy to force all workstations in an OU to logoff?

Thanks in advance.

GPM Custom GPO-Settings: An error occurred while generating report: Object reference not set to an instance of an object.


Hello,

As you can tell from the title of this question, I am no expert with GPO's.  Before I begin, I spent a few minutes to an hour searching and reading in hopes of finding the solution and avoid putting myself out there as a "GPO Newb".  While I found several posts and answers that were similar and were related, the questions and answers were more advanced and did present the solutions providing the person had initial knowledge already.  That is not necessarily my case and I would ask for a little patience and a bit of 'hand-holding' for what I need.

I run SBS 2011, and in Group Policy Management I have a custom GPO.  In this GPO I define all my settings.  I understand this may not be the best or most practical method of applying policies, but I am not very strict and have few settings.  This policy existed prior to my joining the company, and was migrated in to this SBS '11 from SBS '03.  That may be the issue, but before making any changes I am seeking expert advice.

When I select that GPO, named "Main GPO", and click on the tab at the top "Settings" I see the error: "An error occurred while generating report: Object reference not set to an instance of an object."

I saw that when I right click the GPO > View > Options and select the tab "Reporting" that it states that for reporting to work the location of the .adm files must be specified.  I see that my option for the location is set to "Default" which by my guessing would be located in the C:\Windows\sysvol directory.  Below is what I see there:

C:\Windows\sysvol\domain
C:\Windows\sysvol\staging
C:\Windows\sysvol\staging areas
C:\Windows\sysvol\sysvol

I think the problem is that my custom GPO is not inside the default location, which I speculate is: C:\Windows\sysvol\domain\policies (where I do see some objects).
But instead I also see items in this folder: C:\Windows\sysvol\sysvol\JOHN.LOCAL\policies (while where I just typed 'JOHN.LOCAL' is my actual local domain).

To further this, when I edit that custom GPO, then at the very top of the tree I right click on it and select Properties, I see a Unique Name listed there as a long string of numbers and letters, similar to a registry entry.  I searched my server for that same Unique Name and found it listed inside the folder: C:\Windows\sysvol\domain\policies

If I am correct with my assumption and basic knowledge, I should move all objects as follows:
-Move FROM: C:\Windows\sysvol\domain\policies
-Move TO: C:\Windows\sysvol\sysvol\JOHN.LOCAL\policies

My concerns are that I am not correct at all, that I will break something, that there may be an easier fix than moving anything, or that I am overlooking something causing this error altogether. 

Thank you for anyone's help and time with assisting me with this request.

John Fester



Group Policy does not run logon script


Seems I've got code blindness or there is some permission preventing a script in my GPO from running.

Here's the script:

Dim objShell
Dim cmd
Set objShell = CreateObject("Wscript.Shell")
cmd = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nologo -noProfile -NonInteractive -ExecutionPolicy bypass -File \\MYDOMAINCTLR\SYSVOL\my.domain.com\scripts\mydir1\mydir2\myfile.ps1"
objShell.Run cmd,0

It's a vbs script that calls a powershell script (located in the netlogon share).  Calling the powershell script this way bypasses execution policy and suppresses popup windows.  The powershell script copies files (with robocopy) and does some other things.  Nothing too complicated.

The script is located here:

\\my.domain.com\SysVol\my.domain.com\Policies\{GUID}\Users\Scripts\Logon

In the GP Management Console, I go to User Configuration > Windows Settings > Scripts > Logon/Logoff.  The location above with the GUID is the location the GP Management Console creates when I configure the script.  To get the script in this location I right-click the window, create a new text document, edit it with the above script contents, and then change the extension.

The script works as expected when I right click it (from the GP Management Console window) and select "Open With... Windows Scripting Host."  The results are applied to the domain controller.  So the script itself has been tested successfully.  It's just not kicking off when users log in.

I've linked the GPO to the OU containing the users the script is designed to work for, but nothing happens on logon.  There is no entry in the Event Log indicating failure of the GPO.

I've added "Everyone" and "Domain Users" (full control) to the security of the GPO and verified the paths of everything.

UAC is enabled on the Domain Controller - could this be the problem?  Is there something I did wrong creating the OU?  What permission could I be missing?  Other ideas?

Allow Users To Login Locally, Shut Down, But Not Allowed To Browse


Hello

We have a Server 2008 R2 Domain Controller, we want users to be able to login onto the server and shut down. 

I have created a Global Group "SHUT DOWN SERVER" and added users to the group

Under 'User Rights Assignment' I have added this group to 'Allow Login On Locally' and 'Shut Down The Server'

This works great; my issue / question is how do I limit any browsing or accessing tools?

I know there is no difference with a user logging onto a desktop and browsing, they get restricted with security, but, if the same user logs onto the server to shut down, how do I restrict those staff from "looking around"?

OR - is there a way to set this so that if they log in to the server in the group, the server automatically shuts down?

Thanks

B.

Software Installation GPO Issues


I'm currently trying to automate the installation of a MSI in Server 2012.  It's going to be a computer config that will install anti virus software at startup (at least that's my end goal).  However, I'm struggling in the troubleshooting process in that I cannot get the GPO to work properly.

The steps I've taken thus far:

1) Deployed MSI package in Computer Config using full UNC to file share (giving domain user rights for the share)

2) Troubleshot issue of Event ID 1129, which led me to believe it's a syncing issue with the network/DC

- So I created another GPO enabling both "Startup policy processing time" and "Always wait for the network at computer startup and logon"

3) Ran a GPUPDATE, restarted the PC (This is a wireless laptop - my test work station) and still no luck with the install

4) Double checked that the PC/User account has Local Admin Rights

Now the issue is that Event Viewer doesn't tell me anything in regards to the failed GPO, which is leaving me quite baffled.

Any help or tips on how to successfully 

Thanks!

Updated Password Policy doesn't apply to existing machines


I've needed to make domain wide password changes to the different office regions around the world. I've updated the Administrator (Built-in) account password within the group policy itself, and all new machines that are created and joined to the domain retrieve that new password.

However, all existing machines still have the old password. I'm sure this is fixed by a gpupdate /force; however, the machines should eventually do that, but it has been a couple months and the same password still exists.

Do I need to enable the Group Policy refresh interval for computers in order to ensure that all computers get the new password?

-R-

Win 2K8 R2 - Group Policy Management - Failed to Open Group Policy Object. You may not have appropriate rights. The network path was not found.


New to Windows Server 2008 R2 Administration.

I setup this Windows 2008 R2 Server on a Dell 2950 Poweredge server and have been migrating users off of an old NT style domain running on Samba 3.6 on CentOS.

I have the domain setup (nicholas.sacredheartsaratoga.org), added users, and have moved users / computers over to the new domain and working.

When attempting to setup Group Policy Objects, I continually get the "Failed to Open Group Policy Object" Error.  This is driving me nuts and seems to be a 49 error.. which I have done a ton of research on but none of the suggested fixes seem to be working.

I've been working at this for a couple of weeks and really need this fixed to be able to set GPO's correctly.

Here is my IPCONFIG /ALL

C:\Users\Administrator.NICHOLAS.000>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : NICHOLAS
   Primary Dns Suffix  . . . . . . . : sacredheartsaratoga.org
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : nicholas.sacredheartsaratoga.org

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
 VBD Client) #2
   Physical Address. . . . . . . . . : 00-1D-09-27-F1-63
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::542:43f2:2aaf:d903%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.20.21(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.20.3
   DHCPv6 IAID . . . . . . . . . . . : 301997321
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-7D-DC-B6-00-1D-09-27-F1-61

   DNS Servers . . . . . . . . . . . : 10.10.20.21
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{41653A38-9372-4740-BB03-41950A9C9BC0}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


Lync 2013 client- Group policy question


Lync 2013 client- Group policy question

Turn off client logging on the Lync 2013 client after it is deployed to the users.

 Can this be performed using group policy?

Group Policy and user profile logging?


Could anyone point me in the right direction on how I can troubleshoot group policy and user profile issues (especially slow logons or staying at "waiting for user profile service")?

I can't seem to find the documentation from Microsoft on how to troubleshoot this.

Unable to edit Default Domain policy on Server 2012 R2 domain controller


Hello,

I recently built a Server 2012 R2 domain controller and added it to my domain.  When trying to edit the default domain policy I get the following error:

I can make edits to other GPO objects.  All the other domain controllers are Server 2008 and are able to edit that GPO.  The issue is on the Server 2012 box only.  I've checked the delegated permissions, I'm a domain admin, and have opened GPMC as administrator.  Does anyone know what I'm missing?  Thank you for your time.

Tino

group policy changed/device drivers

I admit, I should not have used slimdrivers to update my drivers but, I did.  I only used it once and decided I wanted to use my PC's tools to update drivers. I restored all drivers from slimdrivers and then went to Device Manager to update my drivers.  Ok, so far, I'm trying to get to my problem, bear with me.  After I did all this, I had been having troubles with my browser so I changed to Comodo Dragon.  I was having problems with my pointing device (Synaptics) and thought maybe the driver didn't install correctly or at all, so when I went to Device Manager to update from there again, an error report came up saying that I have installed another PS/2 pointing device driver, please uninstall the Synaptics driver by clicking yes, then you need to reinstall your pointing device driver for your external device again. First off, I didn't change drivers for an external device, unless it's referring to my laptop, which is an HP G60-635Dx notebook, Windows 7 (2009). It asked me if I wanted to uninstall and I said no.  My cursor was moving erratically while pointing to my game icons on the Zoo World 1 game on Facebook. It doesn't do this anywhere else when I'm on my laptop, just on the game, and only in Comodo Dragon.  I switched back to IE 10 for now. Chrome isn't an option as I deleted my user profile upon uninstalling it and deleting the browser history during uninstall. (I read later you can't do that or Chrome won't reinstall.)  Unless you go to the registry and reset the values to zero, and I'm too chicken to try it. I got the instructions but, not the confidence.  Ok, so back to my problem.  When slimdrivers was installed, from what I researched, did I give them permission as an administrator to update drivers?  And did that take away my advantages as an admin?  I'm only asking this because when I was going thru the motions to Control Panel to figure things out, a lot of errors arose, one being that I changed my group policies, and I know I didn't do it manually.

Thru my research, all I came up with is that group policies can be changed when you do something like I did, getting another website to download and install drivers. If I am right about this, how can I change the policy? Should I e-mail slimdrivers?  Or is there an easy way I can do it from my PC?  Another issue that arose was my error report says that my firewall failed to load the recommended settings for the firewall, error code 0x80070422. I researched that on MS Community by the error code but didn't get a fix.  Another error code when I tried to go to advanced settings to change firewall settings was 0x609. I couldn't have 2 firewalls set to on so I turned off windows defend FW because every time Kaspersky updates the software, they turn theirs back on but Windows won't during their updates.  I got all these problems because of slimdrivers. I didn't have any of them before.  Restore points didn't work for me either. Do you think a tech from here can help me solve these issues one at a time? I am a middle of the road PC user but understand directions as long as abrv. aren't always used when helping me.  Thank you so very much.  J.R.

uninstall programs through MSIEXEC /X


Hi,

We have a Windows 2k8 server with 200 users. I would like to uninstall one program through msiexec /x via group policy, but it doesn't work.

I have created a batch file and added it to the users' login script.

Command is MsiExec.exe /X{3F4EC504-1858-497A-83EB-5C8A3F0395E7} /qn.

Kindly advise.
