Quantcast
Channel: Group Policy forum
Viewing all 19997 articles
Browse latest View live

On resume, display log on screen, check box grayed out

February 19, 2014, 5:48 am
$
0
0
The check box to disable showing the log on screen is grayed out, and not click-able.

How would I go about creating a GPO that would only allow a few PCs the option to disable this or let the end user using those PCs able to configure this setting.  I am looking to set the GPO at a computer level and not at the user level.  Any assistance would be helpful.

Thank you!
Search

Need to execute bat file by GPO with admin rights

February 19, 2014, 2:43 am
$
0
0

Hi all

I created a specific bat file that run regini.exe with specific parameters to set a specific permission in a specific registry key.

I can execute this bat file from GPO but I need that this bat runs with domain admins rights otherwise script not set the permission in user's registry key.

Have you any ideas?

Thanks

Chris

Server 2008 R2 continously trying to apply a failed update

February 19, 2014, 5:28 am
$
0
0

Hi

I have a server 2008 r2 machine that happens to be an exchange server. It recently received server updates (for windows not exchange) of which one failed. these updates are managed with a gpo and are controlled on the local network. How could go about getting rid of this annoyance? everytime the server reboots it tries to install this update and it goes into a retry loop for about 40 minutes until it decides that its not going to work afterall.

Its preventing me from installing any other software since it complains that installer service can't be accessed.

Any help or suggestions would be appreciated.

The event logs report a number of failed updates all of them using the same error code: 0x80070643

Roaming profile for admin

February 17, 2014, 2:42 am
$
0
0
I have roaming profiles setup but I am wanting the administrator's account to not leave a profile on the local machine. I have looked at delprof.exe but it appears that utility cannot be used to one specific profile just all profiles unused for an amount of time. What I am hoping to accomplish is to remove (or never create in the first place) the administrator account from the local profiles folder. Is this possible?

Search will not show programs search

February 19, 2014, 7:52 am
$
0
0

Hi as a user we cant use search to return a program search (start menu)

C: drive is Hidden and restricted

The users profile is redirected to a network drive

No restrictions put on search and they can use search to find documents and files on there Network drive

can you help

this is in a domain at a school so need the drive restrictions

if I go in as a domain user no problem at all

Is the any way round this problem

I would be grateful for any help

Loop-back processing with folder redirection

February 19, 2014, 7:14 am
$
0
0

I am currently using loop-back processing on our terminal servers. Basically we have about 15 branch sites with a VPN to the main location. The main location has load balanced terminal servers (using Citrix).

I'm wanting to move their user profiles to a new location. Normally I can do this by changing the path and making sure it says to move the data, but how can I keep this policy and do a more granular per user setting but only for the terminal servers?

We don't have fodler redirection happening on the local computers which is why we did this. But I don't want 500 users who come in at 8am to have their profile migrated to the new file server clusters we have setup and kill the system. I want to do this a branch at a time.

Any good ideas on how to accomplish this?

ie11 administrative template settings not applied

February 12, 2014, 11:46 am
$
0
0

2008 R2 domain with mostly windows 7 clients running ie8. upcoming project to upgrade them to ie11.

I copied the inetres.admx and inetres.adml files from the PolicyDefinitions folder on a windows 8.1 PC with ie11 and pasted them into the central store.

I created a new GPO that configures "access data across domains" to "disabled" from user configuration/policies/administrative templates/windows components/internet explorer/internet control panel/security page/internet zone.

I logged into four test machines with the same user account.

windows 7 with ie8
windows 7 with ie9
windows 8 with ie10
windows 8.1 with ie11

all four machines show this setting correctly Disabled with my GPO as the winning GPO in RSOP, but *only* the ie8 machine properly shows this setting as Disabled in its Internet Settings. the ie9, ie10, and ie11 machines all have the setting Enabled in their Internet Settings.

full disclosure: there is an old-school Internet Explorer Maintenance GPO in place that sets this to Enabled. but in theory, that GPO should only affect the ie8 and ie9 machines, right? and yet the ie8 machine is the only one getting the correct setting from my new administrative template GPO.

is there an easy way in GPMC to tell if i'm actually working with the ie11 version of inetres.admx or not? some setting that's new for this version?

Windows 7 x64 retaines old dfs share so unable to do folder redirection with new one.

February 19, 2014, 10:54 am
$
0
0

Kindly help me on this issue.

One of my Tech created a new DFS share in the name of (example) \\abc.com\uae\Users05  instead of \\abc.com\SA\force-Users02 and modified the user’s home folders in this location pointing towards the new DFS share.

Modified the corresponding GPO setting for folder redirection.

At client end, ran the gpudate /force command and after the reboot, we can see that my redirection path is still the same(\\abc.com\SA\force-Users02).

The issues currently facing is user profile pointing to the old DFS path and no offline sync works.

only  Microsoft Windows 7 64 bit OS client machines are facing  offline folder synchronization issue.

Regards,

Senvaas

Search

Log on as a service Policy

February 10, 2014, 2:35 pm
$
0
0

I'm working with an issue caused by the Log on as a service policy being applied and enforced from the top of the domain hierarchy. Basically, the settings of the policy are fairly restrictive. So, administrators have used a work around that is undesirable. Any time the Log on as a service right is needed and the account is not explicitly listed in the policy, they have made the service account a member of the local Administrators group. I'd like to decrease the number of accounts in the local admins group, and I'm looking for a way to undo the policy.

I like to change the domain policy to Not Configured, but, from looking at the Managed settings and what I see on Local Security Policy consoles, it appears that if I made that change, the local policy would revert to default and only NETWORK SERVICE would have the right to log on as a service.

Does anyone have experience trying to undo this GPO setting? Will I have to determine in advance all the servers that will be affected by undoing the policy and then endure a painful maintenance window requiring server reboots and granting the right as appropriate?

how to uncheck Check for publisher’s certificate revocation in IE ??

February 19, 2014, 12:57 pm
$
0
0
There is an IE setting.  Internet Explorer > Internet Options > Advanced Tab > Security settings menu (uncheck the option for "Check for publisher’s certificate revocation")

There is no default setting for this.   I found this web site.  http://blogs.msdn.com/b/askie/archive/2009/07/09/custom-adm-template-for-managing-check-for-publisher-s-certificate-revocation-in-internet-explorer.aspx   I created this new .adm file and no matter how I try to apply it the settings never happen.

We need to "Uncheck" this box since it is currently enabled on all Windows XP machines.

I created a new OU in AD.  I added my test machine to this OU.
In GPO I found my newly created OU and I created a new GPO on this OU.   
I added the ADM template and made the change. and I've tried every combo within this ADM file too)
I run a gpupdate /force and I reboot

The setting never get's applied.  the setting is still checked.


How do I uncheck this setting using GPO's?

Winddows 7 domain-joined losing profiles

February 19, 2014, 2:14 pm
$
0
0
We have a situation where a couple of users sharing a  Win 7 2008R2 domain- joined workstation are losing their desktops after a logout.  There are no roaming profiles here - a GPO seems to be redirecting folders and their desktop to the server. Everything was working fine for the first user until the second user began to share their computer. They each have individual ID's they use to log on. Any troubleshooting steps are appreciated.

Posting to Sharepoint forum from Outlook

February 19, 2014, 2:16 pm
$
0
0
We have built a Sharepoint forum that has topics and subtopics. We want people from wherever to be able to post to a subtopic from Outlook as opposed to having to log in to the Sharepoint forum.  For instance if we had topic-x with subtopic-y we would like to be able to send people some kind of link e.g. topic-x.subtopic-y@sharepoint.domainz.com -
that would end up in the thread of subtopic-y.

What would we need to do to get this working? I am assuming we will need Exchange tied in with the Sharepoint. However the forum is for users who will not necessarily be internal users of Exchange - they just need to be able to post via Outlook.

I am looking first preference for someone who has this in place to respond as opposed to general information - field experience is the most helpful.

IE11 - Where is the ADMX file?

February 19, 2014, 2:57 pm

Long Logon Times For Users Not Connected to Domain Network

February 15, 2014, 6:36 pm
$
0
0

I am experiencing an issue similar to here: http://social.technet.microsoft.com/Forums/windows/en-US/577ab221-8fe1-4e29-9a3f-5ea9c0d7faa8/logon-takes-very-long-when-connected-to-foreign-network-using-domain-login?forum=w7itproperf

Environment is Windows Server 2012 DCs with Windows 8 clients.

For our clients using Win 8, logon times:

  1. Connect to our domain network: 5-15 seconds
  2. Connected to a non-domain network: ~60 seconds
  3. Not connected to any network: ~60 seconds

Partial solution was to set GPO Computer Configuration\Policies\Administrative Templates\System\User Profiles\Set maximum wait time for the network is a user has a roaming user profile or remote home directory to 5 seconds.

This has had the following effect:

  1. Connect to our domain network: 5-15 seconds
  2. Connected to a non-domain network: ~60 seconds
  3. Not connected to any network: 10-15 seconds

The effect of this GPO is that when not connected to any network, the login is now very quick. But, we are still having very long login times when connected to a non-domain network (such as when remote users are auto connected to their home wifi when their computer boots up).

Any suggestions?






Automatic Timeout GP not working

February 1, 2014, 1:23 am
$
0
0

Hi All,

I have an issue with a wkst where a GP is not applying even though it is showing when you run the gpresult.

The gpupdate is not showing any error message, the workstation is in the right OU and the GP applies to all the other computers successfully.

Tried to log in with domain admin, local admin and regular user but still not working.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft
Corporation.  All rights reserved.
C:\Users\****>gpupdate
/target:user
Updating Policy...
User Policy update has
completed successfully.

C:\Users\****>gpupdate
/target:computer
Updating Policy...
Computer Policy update
has completed successfully.

Result of the gpresult

C:\Users\****>gpresult/r  /scope:computer

Applied Group Policy Objects
    -----------------------------
       
Windows SBS Client - Windows Vista Policy
        Windows SBS Client
Policy
        DCentral Agent Install
        Workstation Auto
Lock
        Default Domain Policy
        Update Services Client
Computers Policy
        Update Services Common Settings Policy
       
Workstation Auto Lock

Any idea ? 

Search

MSI Deployment Hit or Miss

February 20, 2014, 7:16 am
$
0
0

I have a question in regards to deploying MSI packages via GPO.  I am using Server 2012, and trying to automate a lot of administrative installation work.  I have had success with some software installations using Computer config > Software Installation feature in GPMC, but it seems to be hit or miss.

I have successfully installed well known published apps such as Chrome, Adobe, and Anti Virus.  However, if I try to use third party MSI's or EXE to MSI converters - I have no luck.

Are there elements to the MSI packages that are a must that I'm missing?  Unfortunately, there are a lot of apps I want to automate but are only in the form of .EXE such as FireFox.

Also, are there any well known tools to help on this?

Thanks!

Local folder redirection with GPO

February 20, 2014, 1:38 am
$
0
0

Hello,

I'm currently running a small network in a WORKGROUP environment.

This network is composed of four computers (two desktop and two laptop). One desktop and the laptops run Seven, and one desktop run Windows 2008. All these  three stations are setup with two disk labelled C: (SSD128Go) and D: (HDD) . Actually, i redirected some folders ( Desktop, Download, My Documents ) into the D: Drive with the utility on the properties tab on each computer.

I would like to set-up a domain with the Windows 2008 as a domain controller. I promoted it with dcpromo.

I've done some test to migrate a Windows 7 test local accounts to the corresponding domain account. This test worked but i didn't find any parameters in domain GPO to setup the local redirection (and not the windows folder redirection to a file server!). Is it possible to redirect the folders ( Desktop / My documents / Download ) on a local drive (D:) with a GPO for domain account ?

Also during my test migration from local to domain account i noticed some strange behavior when using a tool (profwiz) which i saw on this forum. Issue was like if a local admin account was migrated to the domain account corresponding, the new domain account will have administrator rights on the station .... and the old profile was used instead of the new profile under C:\Users\.

The second issue is if my DC breaks, how could i do to have exactly the same session when logging offline (with a local account ?) ?

Thanks in advance for your feedback,

Anyone pushing printers through GPP? Possible to do that without creating printservers?

February 10, 2014, 11:42 am
$
0
0

We are running 2008r2 with Win7 clients.  Our printers are always installed manually by our techs to print directly to the printers at different sites.  We do not care for printservers, because we have always felt it is just one more thing that can break and would need to be clustered, etc.  Can we use GPP to push out different print drivers and set it up so the clients to print directly to an IP, instead of a unc for a printserver?  If anyone has any ideas of a good way to manage a large environment for this, please let me know.  If anyone has a clustered printserver environment and has comments, etc. I would appreciate the feedback.

Dan

Dan Heim

GPO Shortcut - Apply once for user

February 14, 2014, 1:37 am
$
0
0

Dear experts,

I have a shortcut GPO configured and is applied successfully where I want (desktop), but I'd like that when the GPO is applied, the GPO is not being applied again for this user.

For example: in the user desktop one shortcut has appeared and the user move the shorcut to their favourite folder, then, when the user reboot the computer again the shorcut will appear in the desktop another time. Then what I want to do is apply the GPO only for one time (for each user).

Domain environment:

Windows 2008 (DC,DNS).

Client computers (Windows 7).

Thanks for your help.

Best Regards,



Auditing Password group policy

February 19, 2014, 9:20 pm
$
0
0

We have requirement to audit Domain Password policy for any changes made to it.

I  am aware of Audit policy in Windows 2008R2, however how can i prevent audit policy from getting changed/disabled?

if a rogue admin disable the audit policy, then i would not know if the password policy will get changed. This may never happen but the impact could be very severe. 

ideally i would like to audit the password policies and immediately send alerts to a group of other admins. Basically asking - how to audit the audit and password policy. What is the best way to achieve this?

Navgup

Viewing all 19997 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>