Quantcast
Channel: Group Policy forum
Viewing all 19997 articles
Browse latest View live

w7 client machine stuck on startup "Group Policy Files Policy"

June 5, 2012, 9:55 am
$
0
0

we have some w7 machine getting stuck on boot up before ctrl-alt-del, once verbose message was turned on for troubleshooting, we noticed they were stuck at "applying group policy files policy".

we had let it wait for more than 60 minutes at time and it would still be stuck. (thou mouse / kb still responsive)

this problem however, is not re-produceable on demand, if we power off the machine, it boots back up with no issues.

checking the group policy log, we didn't find anything weird, but was not sure if that's the right place to look thou.

we do have two group policy preferences pushing out host files as well as desktop shortcuts, might that be the culprit?

thanks!

Search

Item-level targeting TS Client name group or OU

March 11, 2014, 2:07 am
$
0
0

Hi.

Our setup contains 6 sites, all the client computers are in domain, and they are almost only used to logon to RDP servers.

I am trying to find the smartest way of deploying / assigning printers to users when they logon to the RDP servers.

The deployment shoud be based on the location of the client pc, and site/ip adresses range is not good enough.

The best way, is if I can control the printer deployment by only putting the client computer in the right OU, but if that is not possible, it would be ok with security groups too.

Right now, we are running with a mix of RDP and GPO printers, but I want every printer to be deployed directy to the user when they logon on the RDP server, so in the end, I can disable the RDP print in our RDP files.

I found the item-level targeting, where I can choose terminal session and Client name, but I dont now what to type in the parameter value. It would make no sense to type the client name, because that would be a nightmare to administrate.

Is it possible to specify a OU or a security group in the "Client name" value?

Mabye it is not possible to deploy printers this way at GPO level, mabye it can be done by logon script instead?

English is not my first language, but I hope I make my self understandable, please feel free to ask any questions or to come with other suggestions.

Our servers and clients:
DC1: server 2003 R2
DC2: server 2008 R2
RDP Servers: server 2008 R2
Client computers: Windows 7

Best Regards
Grohnheit

Unable to edit the "Default Domain Controllers Policy" from a Server 2012 machine

March 13, 2014, 7:47 am
$
0
0

I am unable to edit the "Default Domain Controllers Policy" from a Server 2012 machine. The error message i recieve is:

"Failed to open the group policy object.  You might not have the appropriate rights.  Details: The volume for a file has been externally altered so that the open file is no longer valid."

The domain controllers are running Windows 2012 R2 upgraded from Windows 2008 R2, the domain functional level is Server 2012.

I am able to edit the policy from both a Windows 7 and Server 2008 R2 machine.

The following post is identical however the fix for them does not work for me:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/2d968a05-2cff-4dd0-9c5d-dd810d1fa66f/cant-edit-default-domain-controllers-policy-on-windows-8-or-server-2012

Any ideas?

Group Policy Software Installation Upgrades

March 13, 2014, 10:05 am
$
0
0

Hello.

I am currently using gpo to distribute certain software updates (Java, Flash, Shockwave etc.) I add the new .msi to the software package list and it does a really good job at identifying the earlier version to upgrade. My questions are about removing the old packages (and their .msi files).

1) I see the icons change on some packages from a disk with a green arrow to a disk with what looks like a yellow box. Does this mean they are no longer in use and the package can be removed form the policy?

2) how long do I need to keep the original .msi files? does group policy need them in place for uninstalls or some other function?

I have about 10 different packages for Flash alone at this point and would ike to start cleaning out the old ones.

Thanks for any thoughts.

How do I use "File" preferences to keep files in sync?

March 13, 2014, 11:00 am
$
0
0

Hello,

I"m trying to figure out what is the best way to copy files from UNC share to local file system without causing excessive constant update/replace traffic. Ultimately I want files on local filesystem to be exact copy of files on UNC share.

I configured "Create" Preferences and it works fine. Now question what do I do if I update files on UNC share? Filenames stay the same so they would not be copied over on refresh.

If configure "Replace" instead of "Create" then every 90 minutes all the files will be copied over regardless if they are the same or not.

How do I do it right?

Thanks,

G

Accesses: Delete in Security Audit Log

February 27, 2014, 2:24 pm
$
0
0

I am trying to determine if someone is maliciously deleting files from a folder and have auditing turned on for the directory.  In combing through the Security Event viewer, I see the files in question with DELETE in the Accesses field.  I just want to be sure that this means that the user id associated with this event actually deleted the file specified in the Object Name field of the event in the log.  This particular event also shows "ReadAttributes" in the Accesses field.  

Can someone confirm that when I see DELETE in the event log, that this is indeed a delete?  

Thanks.

Thanks, Linda

Group Policy issues

March 4, 2014, 1:39 pm
$
0
0

I set the following option on several servers: Allow users to connect remotely using Terminal Services -

I wanted to limit the users that were able to access the server through RDP but in the process of this being enforced users that access those server through UNC paths and mapped drives were no longer able to access those machines.

Does anyone know if that is an expected side affect of making that change or was this something odd?

Thanks

Using Windows GPO to automatically run McAfee Virus Scan

March 13, 2014, 5:09 am
$
0
0
Is it possible to write a GPO to run Virus scan automatically?
Search

GPO Disk space to use (8-1024 MB) for Temporary Internet Files and History Settings

March 13, 2014, 12:26 pm
$
0
0

I am trying to create a GPO that will allow me to specify 1024 (MB) for Disk space to use to go to IE, the General Tab, Settings,

In the box below there is a box fo Disk space to use.  There is a GPO for this under...

User configuration, windows settings, Internet Explorer Maintenance, (use preferred mode) Corporate Settings, Temporary Internet Files, (I select for the settings) Every visit to the page

Set amount of disk space to use (in MB)

It maxes out at 256 MB  - I tried to manually adjust this but it does not work....

I tried to adjust some equivalent registry entries for under content, cachelimit (decimal) 102400 but it did not work.

Any ideas how to adjust it so that it will allow to use 1024 MB?  I tried just about everything....

Server 2012 enable Content Advisor through GPO?

June 17, 2013, 4:18 pm
$
0
0

I'm running server 2012, and trying to enable content advisor through GPO.  I want to have advisor on for user and off for admin.  Is this the good way or is there a better practice for what am I doing?  I had looked under group policy preference, but content advisor is greyed out when I tried.  Any insight will be appreciate.  


Correr GPO Startup de Autologin en Windows 7

March 11, 2014, 11:46 am
$
0
0

Mi name is Emiliano from Argentina. (sorry for my bad english)

 

I'm testing GPO Startup AutoLogin on a LAB 

 

I have a Windows server 2012 (Domain Controller) and Workstation Windows 7. (Client)

 

The GPO to this OU linked where the Workstation and the idea is that the workstation make a auto login of a service user in the domain. 

 

The script in this format. BAT in the following path in the GPO (Computer Configuration \ Windows Settings \ scripts \ startup) (\\domain\sysvol\policies\scripts\startup\Autologin.BAT)

 

The script has the following content. 

 

@ echo off 

 

reg import\\domain\sysvol\policies\scripts\startup\Autologin.REG)

 

When the workstation starts, the script does not apply.

Login with the Administrator, restart the computer again, and the GPO applies. 

Delete registry keys, restart and GPO does not apply, it's like applying after I make the Login and then reboot.

 

I need the GPO applies Auto-Login during Startup SO.


Copy file via preference

March 13, 2014, 2:07 pm
$
0
0

Hello,

I am having issues getting group policy to copy a file. I keep getting 0x80070003.

I have tried putting this in Computer Configuration and User Configuration and both fail.

Action:Replace
Source File: \\Server\Share\Java\deployment.properties
Destination: C:\users\%userprofile%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

NOTE: %userprofile% I have tried different variables to achieve this and all that I have tried has failed. For an example, I simply used %userprofile% to fill the space.

Are there any gotchas that I am missing, or am I even on the right track. TIA

New Proxy Setting Not Applying

March 13, 2014, 11:26 am
$
0
0
We are applying a 2 part proxy GPO the computer part is applying but not the user part. We have unlinked and deleted the old policy from the OU but for some reason the old policy is still applying in the user policy. The only difference between the two policy is the proxy info and the cert.

lipanitech | http://www.allamericancomputerrepair.com | A+,Network+,Linux+,Security+,MCTS,HP Pro

Exclude proxy settings on my laptops

March 13, 2014, 6:25 pm
$
0
0

I have a web filter that is setup as a proxy.  it is not inline. I have a group policy user setting that sets the proxy information. It works great.  I have laptop users that have an agent to connect them to the web filter while mobile.  How can I exclude the user setting on my laptop users. I have an OU created for the laptops but the group policy is a user policy not a computer policy so it will still apply even if I block inheritance on that OU...  right.

Group Policy issues

March 5, 2014, 8:14 pm
$
0
0

Hi All,

Am facing plenty of issues in Group policies.. Like when i run this command "gpresult /v" i could see the same policy applied in as thrice in applied group policy.. and that policy is default domain policy.. also trying to add one of intranet site in Internet Group policy maintenance policy but its not reflected to users.. even i forced the policy..  Please advice me on this.

i have given the gpresult fyr.. some have a quick look and advice me accordingly.


Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 3/6/2014 at 9:20:31 AM



RSOP data for OURDOMAIN\venkat2r on INBRLT141 : Logging Mode
--------------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  6.1.7601
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\venkat2r
Connected over a slow link?: No


USER SETTINGS
--------------
    
    Last time Group Policy was applied: 3/6/2014 at 9:07:33 AM
    Group Policy was applied from:      INCHDC01.OURDOMAIN.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        OURDOMAIN
    Domain Type:                        WindowsNT 4
    
    Applied Group Policy Objects
    -----------------------------
        ourdomain_Policy_Customized
        Global_Wallpaper
        ourdomain_Policy_Customized
        ourdomain_Policy_Customized

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        High Mandatory Level
        
    The user has the following security privileges
    ----------------------------------------------


    Resultant Set Of Policies for User
    -----------------------------------

        Software Installations
        ----------------------
            N/A

        Logon Scripts
        -------------
            N/A

        Logoff Scripts
        --------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            GPO: Global_Wallpaper
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: ourdomain_Policy_Customized
                KeyName:     Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut
                Value:       54, 0, 48, 0, 48, 0, 0, 0
                State:       Enabled

            GPO: Global_Wallpaper
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\System\Wallpaper
                Value:       67, 0, 58, 0, 92, 0, 87, 0, 105, 0, 110, 0, 100, 0, 111, 0, 119, 0, 115, 0, 92, 0, 87, 0, 101, 0, 98, 0, 92, 0, 87, 0, 97, 0, 108, 0, 108, 0, 112, 0, 97, 0, 112, 0, 101, 0, 114, 0, 92, 0, 69, 0, 109, 0, 101, 0, 114, 0, 105, 0, 111, 0, 46, 0, 106, 0, 112, 0, 103, 0, 0, 0
                State:       Enabled

            GPO: ourdomain_Policy_Customized
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: ourdomain_Policy_Customized
                KeyName:     Software\Policies\Microsoft\Internet Explorer\Main\Start Page
                Value:       104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 115, 0, 116, 0, 97, 0, 114, 0, 46, 0, 101, 0, 109, 0, 101, 0, 114, 0, 105, 0, 111, 0, 99, 0, 111, 0, 114, 0, 112, 0, 46, 0, 99, 0, 111, 0, 109, 0, 47, 0, 83, 0, 105, 0, 110, 0, 103, 0, 97, 0, 112, 0, 111, 0, 114, 0, 101, 0, 47, 0, 100, 0, 101, 0, 102, 0, 97, 0, 117, 0, 108, 0, 116, 0, 46, 0, 97, 0, 115, 0, 112, 0, 120, 0, 0, 0
                State:       Enabled

            GPO: ourdomain_Policy_Customized
                KeyName:     Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure
                Value:       49, 0, 0, 0
                State:       Enabled

            GPO: Global_Wallpaper
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Global_Wallpaper
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab
                Value:       1, 0, 0, 0
                State:       Enabled

            GPO: Global_Wallpaper
                KeyName:     Software\Microsoft\Windows\CurrentVersion\Policies\System\WallpaperStyle
                Value:       52, 0, 0, 0
                State:       Enabled

        Folder Redirection
        ------------------
            N/A

        Internet Explorer Browser User Interface
        ----------------------------------------
            GPO: ourdomain_Policy_Customized
                Large Animated Bitmap Name:      N/A
                Large Custom Logo Bitmap Name:   N/A
                Title BarText:                   ourdomain
                UserAgent Text:                  N/A
                Delete existing toolbar buttons: No

        Internet Explorer Connection
        ----------------------------
            HTTP Proxy Server:   N/A
            Secure Proxy Server: N/A
            FTP Proxy Server:    N/A
            Gopher Proxy Server: N/A
            Socks Proxy Server:  N/A
            Auto Config Enable:  No
            Enable Proxy:        No
            Use same Proxy:      No

        Internet Explorer URLs
        ----------------------
            GPO: ourdomain_Policy_Customized
                Home page URL:           http://star.OURDOMAIN.com/Singapore/default.aspx
                Search page URL:         N/A
                Online support page URL: N/A

        Internet Explorer Security
        --------------------------
            Always Viewable Sites:     N/A
            Password Override Enabled: False

            GPO: ourdomain_Policy_Customized
                Import the current Content Ratings Settings:      No
                Import the current Security Zones Settings:       Yes
                Import current Authenticode Security Information: No
                Enable trusted publisher lockdown:                No

        Internet Explorer Programs
        --------------------------
            GPO: ourdomain_Policy_Customized
                Import the current Program Settings: No

Thanks, Venkatesh. "Hardwork Never Fails"

Search

Group Policy Software Installation fails to install only on Surface tablets with Windows 8.1

March 14, 2014, 1:34 am
$
0
0

Hello,

My domain controllers are Windows 2008 r2 Enterprise and I have various laptop & desktops clients (Windows XP, 7, 8.1, all Professional versions)

I have a software deployment USER group policy that installs MS Remote App shortcuts (MSI are generated from RemoteApp console).  This group policy works flawlessly on all my desktop & latops clients regardelss of the Windows version (XP, 7, 8.1)

I recently received 2 Microsoft Surface 2 Pro tablet with Windows 8.1 pre-installed.  This Group Policy never worked on those clients.

Here's what I have in the Event Log (translated from french, but I think it's pretty accurate):

"The preference item "xxxx" computer of the GPO "[policy name] {915874C2-97D4-4F3B-9797-B84EC3FD28BA}" group was not applied because it failed with code error "0x80070002 The specified file was not found. "This error has been removed."

Strangely enough the "preference item xxxx" refers to the name of the Start Menu folder where the RemoteApps icon installed from my MSI files should be copied.

The error is not really telling me if that's a network problem or a MSI problem.  I tried to use the Ethernet adapter on the surface tablet during logon, but it doesn't work either.

Did anyone expercienced this odd behaviour on Surface tablets ?

Thanks !

Internet Explorer Settings - IE10

March 10, 2014, 8:19 am
$
0
0

Good Afternoon,

I have 4 DC's in my domain 2 Windows server 2008 and 2 Windows server 2012.

Since upgrading to IE11 on my 2008 DC's I've since lost the functionality to update my IE group policy settings, since this I have now configured them using my 2012 DC's under User configuration, control panel settings, internet settings, IE10.

When I apply this GPO to a test amount of users, they do not pull down the correct settings, a RSOP confirmed that the GPO is being applied to the test users but not replication to IE10.

My questions are:

1. I can still see my 'Old' proxy/IE settings but I am unable to edit them due to the removal of the internet explorer maintenance, will this have any effect on new settings applying to users?

2. When looking at the RSOP console I can see that 'Internet explorer branding' has failed when applying, would this affect the application of the proxy/IE settings in my new RSOP ?

Thanks for any replies in advance.

San.

BugCheck GPO

February 27, 2014, 8:37 am
$
0
0

Hello,

Is there a way to create a GPO in order to prevent a "BugCheck" failure from restarting a server?  I want to prevent the server from rebooting until this bug can be corrected.

Also, is there a tool available to evalute the results of a failed bugcheck?

I am running 2008R2.

The bugcheck was:

The bugcheck was: 0x00000019 (0x0000000000000020,0xfffff8a0106a6b10,0xfffff8a0106a6ba0,0x0000000005090409)

Thanks in advance for your help with this matter.

Apply GPO only when logon

March 14, 2014, 4:26 am
$
0
0

Hi All,

This is my case:

My customer has several Access 2013 frontend files. Based on the membership of a security group will be the correct frontend file copied to the desktop of the user. This file is copied by a GPO (file preferences). In the preferences is "Item-level targeting" configured, so only members of a defined group get the correct frontend. This work fine. So the users logged in, the GPO applied, the right frontend file will be copied and the users can work.

But, after a few hours users start complaining about an error in Access. Some research told me that the frontend was copied again in the meanwhile. Because Access was already open, errors appeared. I suspect that the GPO is applied again. How can I take care about this? The GPO must only run when the user logon... 

Group Policy Internet Explorer, Add-on list not working

March 11, 2014, 5:36 am
$
0
0

We have group policy setup at our company something similar to the setup below

Domain Policy

OU Policy

The domain policy is set to enabled for "Do not allow users to enable or disable add-ons" under"Computer Configuration\Administrative Templates\Windows Components\Internet Explorer". Now that settings also refers to a "Add-On list" which is an exception list, I believe located "Internet Explorer\Security Features\Add-on Management". I have configured the exception list for my OU using our OU policy, it includes the CSLID for adobe flash and real player (the add-ons arn't really important I'm just naming those two for simplicity) and I've set it to a value of 2 (allow user enabling/disabling of add-ons).

However the problem is that it makes no difference, users still have no control at all over flash and real player.

Viewing all 19997 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>