Channel: Group Policy forum
Viewing all 19997 articles

GPO Disk space to use (8-1024 MB) for Temporary Internet Files and History Settings


I am trying to create a GPO that will allow me to specify 1024 (MB) for Disk space to use to go to IE, the General Tab, Settings,

In the box below there is a box for Disk space to use.  There is a GPO for this under...

User configuration, windows settings, Internet Explorer Maintenance, (use preferred mode) Corporate Settings, Temporary Internet Files, (I select for the settings) Every visit to the page

Set amount of disk space to use (in MB)

It maxes out at 256 MB  - I tried to manually adjust this but it does not work....

I tried to adjust some equivalent registry entries for under content, cachelimit (decimal) 102400 but it did not work.

Any ideas how to adjust it so that it will allow to use 1024 MB?  I tried just about everything....


GPO and Service SID?


Hi, I'm a DBA installing SQL Server 2012.  SQL Server setup is creating service SIDs (e.g., NT SERVICE\MSSQLSERVER, NT SERVICE\MsDtsServer110, etc.) and granting them rights (e.g., SeServiceLogonRight, SeAssignPrimaryTokenPrivilege, etc.). 

Our GPO is removing rights from the service SIDs created by SQL setup.  We have been unable to add a service SID to GPO.  I think there is an error that the account does not exist.  We can add just the name (e.g., MSSQLSERVER, MsDtsServer110, etc.), but this does not seem to work as rights on the service SID are still removed. 

We did add NT SERVICE\ALL SERVICES (no error) and grant it SeServiceLogonRight.  I think this covers all service SIDs.  This appears to be working; however, I’m reluctant to grant some of the other rights to all services using service SIDs. 

Are only “well known” service SID values valid in GPO?  Is there any way to add a service SID such as "NT SERVICE\MsDtsServer110" into GPO?  Is there a best practice for handling service SIDs and group policy? 

Thanks.


Randy in Marin


Changing owner on GPO give error


My account is in Group Policy Creator Owners and can create GPOs fine.  I can modify permissions via the Delegation tab as well.  But when I go to try and change the owner of a policy, I get:

Unable to set owner on <GUID>. The parameter is incorrect.

It shows me having Modify Owner access on this policy so why would this not work for me?  Thanks.

BTW, a Domain Admin can change this with no error.

Set "always show all icons and notifications on the taskbar" via Group policy


Any ideas on how to set "always show all icons and notifications on the taskbar" on a set of users?

 I thought it would be under User Configuration\Administrative Templates\Start Menu and Taskbar, but I cannot find it.

Anyone know if this can be enforced via policy?

 

Error with IE compatibility settings


We have a particular in-house site that needs to be displayed with compatibility mode on to work.  We set the policy for "Use Policy List of Internet Explorer 7 Sites" under the Computer Configuration node using the top level domain for the site.  This is only needing to be applied to a few rooms, which are split up into separate OUs, so we linked the policy to the OUs for those rooms.  When trying to do a GPUpdate /Force for those rooms, we get the following error.  We forced replication already, so we've run out of ideas at this point.

C:\Users\fcc-h138>gpupdate /force

Updating Policy...

User Policy update has completed successfully.

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file

\\domain.com\SysVol\domain.com\Policies\{7C5F707A-37BC-49E7-BF7C-BEDB99524684}\gpt.ini

from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.

b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

I've gone through several posts now and tried stuff, but nothing's helped this issue.  We've made sure the policy replicated to the other AD servers.  Is there maybe something else that needs replicating that hasn't replicated properly?


Edit: Upon further investigation, we discovered the GPT.ini file doesn't exist in the directory for that policy, the other policies do have a GPT.ini file.  Any ideas what would prevent this file from being created?

Drives mapped via GPO, NET USE shows mapping but doesn't show up in Explorer - Win 8.1


I first posted this in the Win 8.1 forums, but no one knows anything there... hoping someone might have an idea here.

Fresh install of Windows Enterprise 8.1

Connected PC to domain, logged in, drive mapping worked as it should.

Rebooted a few times after installing software that I normally install on my computers (from the same sources/locally from my file server, etc).  Rebooted a few more times all is well.

A few reboots later, the only drive that is mapped is X: which is my user drive done via the user profile in AD.  The rest of the mappings that normally show up done by the GPO no longer show up.

After some digging, and noticing no errors in any logs, I ran NET USE in a CMD prompt window; lo and behold, the drives are actually mapped and I can access them via the CLI without issue.  I can navigate via their mapped drive letters, etc.

They just don't show up in Windows Explorer at all and I cannot navigate to the drive letters via the address bar.  Strangely enough, it still kinda works since the Downloads start menu item is mapped to a network drive and that still works (Q:\) and Chrome can access it as well if I try to download something.

I'm really not sure what else to check/try here. 

Have other Windows 7 and Windows 8.1 machines (my laptop) and all works just fine, so it's only this specific install on my desktop that is showing this issue.

A few days later as a test, I decided to wipe the computer, and re-install (this time with 8.1 Pro N).

Installing went great, installed only Video drivers (Nvidia), then connected to the DC.  After that I logged into the PC with the domain user as usual, and all the drives appeared as normal (mapped via the existing GPO).

I then manually disconnected my user profile mapping (X:) and logged off, after logging off and logging back in I now have the exact same issue as before.  None of the drives mapped by the GPO are showing up in Explorer.  Only the X: drive which is mapped in the user Account from the DC is mapped.

But as usual if I check with NET USE under the CLI it shows that all the drives are mapped and I can access them normally under the CLI.

Here is a screenshot:

h t t p://i.imgur.com/IzaO9WV.jpg

Cheers!

Internet Explorer 10 - cannot find all options to configure


Our Customer requested to configure some security settings of IE10 and I cannot find all desired options to configure. Missing options I cannot find are;


- Privacy level slide lock
- "Never allow websites to request your physical location" (I found registry values, but it will not become mandatory then)
- Pop-up blocker allow-list is empty on IE10 machine, but on IE8 machine I see our internal server list which I create in GPO.
- User is able to create new Dial-up or VPN connection via IE. How I can prohibit this?
- "Enable Strict P3P Validation" is not found in GPO options
- "Block unsecured images with other mixed content" is not found in GPO options

Maybe I missed something. Thanks for help in advance.

Group Policy Internet Explorer, Add-on list not working


We have group policy setup at our company something similar to the setup below

Domain Policy

OU Policy

The domain policy is set to enabled for "Do not allow users to enable or disable add-ons" under "Computer Configuration\Administrative Templates\Windows Components\Internet Explorer". Now that setting also refers to an "Add-On list" which is an exception list, I believe located under "Internet Explorer\Security Features\Add-on Management". I have configured the exception list for my OU using our OU policy; it includes the CLSID for Adobe Flash and Real Player (the add-ons aren't really important, I'm just naming those two for simplicity) and I've set it to a value of 2 (allow user enabling/disabling of add-ons).

However the problem is that it makes no difference, users still have no control at all over flash and real player.


Audit Policy and Event Viewer


Hi everyone,

I'm a junior IT auditor seeking for answers about audit policy and event viewer.

First of all, I would like to know what the difference is between the logs that we obtain from audit policy and event viewer.

I would also like to know whether event viewer can show these logs:

Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events

Thanks in advance :)

Error when adding shared printer to GPP


I'm creating a new GPP for shared printers. This is on Server 2012. I've done this several times before and have never run into this problem. I added 2 printers with no problem but when I try to add the third I get the error "The object selected does not match the type of destination source. Select again." I tried deleting the printer and re-adding it but I get the same error.

Anyone have any idea what is going on and how to fix it? Like I said, I've created GPP for printers several times before and have not run into this problem. I tried searching for the error but haven't found anything helpful.


Jonathan

How do you add a shortcut to file explorer favorites?


I need to add a shortcut to a UNC path in the file explorer favorites using a GPO.

Shortcuts in Preferences do not have the option to create shortcuts in this location.

I have discovered that the shortcuts are in a Links subdirectory under each user.  However, that folder is redirected.

I can use Files under preferences to copy a shortcut but I don't know of any variable that references the link directory.  I know you can type "shell:links" in file explorer to get to the links directory but that doesn't work in the GPO.

Any advice would be appreciated.

Change default windows directory to c:/windows


I'm running an application that must place a file and then read a file from c:/windows.  I'm running into an issue where the users (even the administrator) all have their own windows directories, however.  (c:/users/administrator/windows).

Anyone know how to change this so that all of the users look to c:/windows rather than their individual directories?

Windows server 2008.

Unable to edit the "Default Domain Controllers Policy" from a Server 2012 machine


I am unable to edit the "Default Domain Controllers Policy" from a Server 2012 machine. The error message I receive is:

"Failed to open the group policy object.  You might not have the appropriate rights.  Details: The volume for a file has been externally altered so that the open file is no longer valid."

The domain controllers are running Windows 2012 R2 upgraded from Windows 2008 R2, the domain functional level is Server 2012.

I am able to edit the policy from both a Windows 7 and Server 2008 R2 machine.

The following post is identical however the fix for them does not work for me:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/2d968a05-2cff-4dd0-9c5d-dd810d1fa66f/cant-edit-default-domain-controllers-policy-on-windows-8-or-server-2012

Any ideas?

AGPM 4.0 SP2 Editors cannot open "Windows Firewall with Advanced Security" area of a GPO


When attempting to Edit a checked-out GPO in AGPM, & navigating to "Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP://CN...." Editors get:

"There was an error opening the Windows Firewall with Advanced Security snap-in

An error occurred while trying to open the policy.

Error: The system cannot find the path specified

Code 0x3"

This happens with GPOs that existed prior to AGPM install where the GPO was "controlled", and with new Controlled GPOs created within AGPM.  A workaround is to grant the user Full Control within AGPM (and have them re-launch Group Policy Management MMC via Shift right-click "Run as different user"), but this circumvents the Change Control we are attempting to use AGPM for.  Any ideas of how to fix this, or how to file a bug report?

Also, changes made to Incoming Firewall rules do not show up in the AGPM Settings or Differences reports.  I'd imagine this is related to the known issue described on the Release Notes page here:

http://technet.microsoft.com/en-us/library/dn458958.aspx

Group Policy/PowerShell: Copy-GPO Doesn't Migrate all DACLs?


Hi All -

I haven't found a solution or official MS resource that describes whether or not the following is supported:

ISSUE: 

When copying a GPO from one production (child) domain to another (child) domain using Copy-GPO and a migration table, certain DACLs are not transformed and no errors are present.

HOW TO REPRODUCE:

1.  On Child Domain DEATHSTAR, there is a "EMET Settings" GPO that contains specific EMET configuration settings that need to be present on all the child domains in the forest.  Additionally, the EMET Settings GPO security (Delegation tab) shows all Group Policy default permissions plus one additional item:  DEATHSTAR\EMET Collector Server = Allow - Read and Deny - Apply Group Policy.  The reason is because the GPO is linked to an OU where all the settings need to be applied to all member computers EXCEPT the EMET Collector Server.

2.  Using PowerShell (version 2.0) from a DEATHSTAR Domain Controller, I type the following:

Copy-GPO -SourceName "EMET Settings" -SourceDomain deathstar.empire.local -TargetName "EMET Settings" -TargetDomain coruscant.empire.local -MigrationTable "c:\users\vader\desktop\emet-collector.migtable" -SourceDomainController deathstar-dc01 -TargetDomainController coruscant-dc01

Outside of the default GPO permissions (such as ENTERPRISE DOMAIN CONTROLLERS, Enterprise Admins, etc. that don't require a domain-specific migration path), there are only two items that are in the migration table:

a) DEATHSTAR\Domain Admins is mapped to CORUSCANT\Domain Admins

b) DEATHSTAR\EMET Collector Server (which is a Global Security Group containing the computer object of the EMET collector server) is supposed to be mapped to CORUSCANT\EMET Collector Server (which contains the EMET collector server in that domain)

RESULT:

DEATHSTAR\Domain Admins is properly "migrated" to CORUSCANT\Domain Admins, but DEATHSTAR\EMET Collector Server is not migrated and doesn't even appear on the target domain GPO.

OTHER MITIGATIONS:

1.  The Migration Table was made from GPMC.
2.  I also attempted to run the Copy-GPO cmdlet with a combination of the following arguments:

-CopyAcl and -MigrationTable = No change (results identical to above)
-CopyAcl only = Copies the source domain DACLs (including the DEATHSTAR\EMET Collector Server permission) to the target domain and no migration is performed (expected result)

3.  Same result with other GPOs and other items in a migration table

4.  Using GPMC, I can copy the GPO and the migration table is "honored" meaning that both objects that I'm attempting to "transform" are migrated properly from the source domain to the target domain.  I'm really hoping to script the action with PoSH instead of going through the GPMC copy wizard over-and-over.

Is that "expected" behavior for the copy-gpo cmdlet, is it a possible bug, is there another (supported) way to accomplish the same result with PoSH, and/or should this question be in the PowerShell forum instead?

Thanks!



S. Oxford MCT, MCSE, MCSA (Security + Exchange), MCP (SMS 2003), CCNP, CCNA, Security+, Server+, Network+, A+


Folder Redirection user losing connection

I have a network with about 100 users using roaming profiles and folder redirection. I have a couple of users who continually drop connection to the server where their profiles and redirection data are stored.  When this happens everything on their desktop disappears. If they hit F5 and refresh the desktop it all comes back with no issues most of the time, but I would like to have it stop happening in the first place. I have changed ethernet cables and even went as far as replacing the motherboard with onboard NIC on one user's machine. I did all of this to no avail. I am very rapidly running out of ideas.

Group Policy Shortcuts Fail: The system cannot find the path specified.


The executable I'm pointing to is under C:\Foldername\file.exe

I know it's there, I tested it, I pasted the very same path into the run dialog, it works. The path is correct, so why can't group policy find it?


I even tried putting the exe in the root of C:\ and pointing the shortcut there, it can't even see it there. Is it blind? I can see it. I'm looking right at it.

Windows 2012 R2/Windows 8.1 GPO Folder Redirection Woes


So now I am starting to use windows 8.1 and Windows 2012 R2.  DCs are 2012R2, Forest Level 2012 R2, Domain Level 2012 R2. Folder Redirection works for Windows 7, Windows 8, 2008, 2008 R2, 2012. Does not work for Windows 8.1/2012R2. No errors are logged in event viewer, says completed successfully. GPResult /v only says:

 Folder Redirection
------------------
    N/A

Group Policy Results Wizard says:

Component Name                              Status   Time Taken          Last Process Time      Event Log
Group Policy Infrastructure                 Success  218 Millisecond(s)  11/9/2013 12:28:30 PM  View Log
ConfigMgr User State Management Extension.  Success  32 Millisecond(s)   11/9/2013 12:28:30 PM  View Log
Folder Redirection                          Success  31 Millisecond(s)   11/9/2013 12:28:30 PM  View Log

I have tried disabling all other policies (computer and User) except the one that has the folder redirection with no luck. I have tried putting Folder redirection in its own GPO, no luck.

NONE of the following are checked in the Folder redirection (but I have tried it both ways for each):

  1. Grant the User exclusive rights to ....
  2. Move the contents of ....... to the new location
  3. Also apply redirection policy to windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems.

DCDiag returns no errors. Sysvol is replicating properly between both DCs

Everything else EXCEPT Folder redirection applies properly.

Thanks!


Personalize lock screen after sign-out

After signing out, a default lock screen appears instead of my personalized lock screen. How can I change this?

GPO setting for UAC is being over-ridden by local machine.


Hello,

I'm configuring a system image and one of the tools we use requires a certain setting in the policy to be Disabled, which is User Account Control: Admin Approval Mode for the built-in Administrator account. This is the default setting, but this setting, however, is being changed back to Enabled on its own each time after reboot. I tried to fix this with a GPO and it still doesn't stay Disabled. As a matter of fact, when I enable the GPO to define this setting, it is grayed out in gpedit.msc as if the GPO applied, but it still stays enabled. The GPO is enforced and none of the inherited GPOs even define this setting. Even dropping UAC down to None doesn't fix it nor does editing the Registry key.

How can I get this setting to remain consistent? It is clear something on the machine is causing this, but I have no direction as to what.
