Channel: Group Policy forum

GPO - Enable disabled USB


I have a customer who has approximately 50 GPOs to be PCI Compliant.

They have a GPO that locks down USB and need to enable it.

I have performed a RSOP on the OU where the computer sits.

I can only see one thing that correlates to possibly this USB issue - the plug and play service has a red cross on it. Attached to this is a higher policy, where the Plug and Play service is set to start - but under no account.

I have checked GPOs for registry (the normal way of disabling USB) but none exist.

I have scoured the RSOP, the other GPOs attached to the computer but have found zero.

The device manager starts, but is empty.

Any advice on where I should be looking would be great. It may just be a simple issue.



Generate Publisher only applocker rule from powershell


Hi

I'm using the powershell cmdlets

get-applockerfileinformation  "C:\windows\system32\notepad.exe" | new-applockerpolicy -ruletype publisher -xml > myxmlfile.xml

to generate an XML file to import later to a GPO. I'm trying to create one Microsoft publisher rule but the output of that command also gives details for notepad which I don't want.

I can do this via the gui for the Applocker GPO by using the slider which replaces the file and versions for Notepad with a *.

This is a simple example. What I eventually would like to achieve is to point the get-applockerfileinformation cmdlet to the c:\ and let it recurse creating just one rule for each publisher on that drive.

Does anyone know of a way to do this?

Thanks

Jeff
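
As an added example (not part of the post above or of any reply to it), one way to reproduce what the GUI slider does is to post-process the XML that New-AppLockerPolicy emits: wildcard the product, file name and version of each publisher condition and keep one rule per publisher. The sample XML is constructed, and the function name ConvertTo-PublisherOnlyPolicy is hypothetical.

```powershell
# Constructed sample in the shape New-AppLockerPolicy -RuleType Publisher -Xml emits.
# Real input would come from the command in the post, for example:
#   [xml]$policy = Get-AppLockerFileInformation -Directory C:\ -Recurse -FileType Exe |
#       New-AppLockerPolicy -RuleType Publisher -User Everyone -IgnoreMissingFileInformation -Xml
[xml]$policy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePublisherRule Id="11111111-1111-1111-1111-111111111111" Name="NOTEPAD.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT WINDOWS OPERATING SYSTEM" BinaryName="NOTEPAD.EXE">
        <BinaryVersionRange LowSection="6.1.0.0" HighSection="*" /></FilePublisherCondition></Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="22222222-2222-2222-2222-222222222222" Name="CALC.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT WINDOWS OPERATING SYSTEM" BinaryName="CALC.EXE">
        <BinaryVersionRange LowSection="6.1.0.0" HighSection="*" /></FilePublisherCondition></Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="33333333-3333-3333-3333-333333333333" Name="TOOL.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePublisherCondition PublisherName="O=EXAMPLE VENDOR, L=SAMPLE CITY, C=US" ProductName="EXAMPLE TOOL" BinaryName="TOOL.EXE">
        <BinaryVersionRange LowSection="1.0.0.0" HighSection="*" /></FilePublisherCondition></Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@

function ConvertTo-PublisherOnlyPolicy {
    param([Parameter(Mandatory)][xml]$Policy)
    $seen = @{}
    # @() materialises the node list so rules can be removed while looping.
    foreach ($rule in @($Policy.SelectNodes('//FilePublisherRule'))) {
        $cond = $rule.SelectSingleNode('Conditions/FilePublisherCondition')
        # One rule per collection type, publisher, user/group and action.
        $key = ($rule.ParentNode.GetAttribute('Type'), $cond.GetAttribute('PublisherName'),
                $rule.GetAttribute('UserOrGroupSid'), $rule.GetAttribute('Action')) -join '|'
        if ($seen.ContainsKey($key)) {
            [void]$rule.ParentNode.RemoveChild($rule)   # duplicate publisher: drop it
            continue
        }
        $seen[$key] = $true
        # Same effect as moving the GUI slider up to "Publisher".
        $cond.SetAttribute('ProductName', '*')
        $cond.SetAttribute('BinaryName', '*')
        $range = $cond.SelectSingleNode('BinaryVersionRange')
        $range.SetAttribute('LowSection', '*')
        $range.SetAttribute('HighSection', '*')
        $rule.SetAttribute('Name', "Publisher: $($cond.GetAttribute('PublisherName'))")
    }
    return $Policy
}

$publisherOnly = ConvertTo-PublisherOnlyPolicy -Policy $policy
$publisherOnly.Save((Join-Path $PWD 'myxmlfile.xml'))   # file to import into the GPO later
```

A publisher-wide rule allows every file signed by that publisher, so review the resulting publisher list before importing it into the GPO.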

Folder Redirection not working

We have migrated a 2003 server to a 2008 R2 copying over all policies and folders etc.  One policy is causing much confusion.  They have a folder redirection GPO that is not working for 2 out of 100 users.  Both users are on XP professional sp3.  Their my documents and desktop folders did not migrate successfully.  We were able to get the documents over, but the desktop is locked down as Read-only.  No matter who we give permission to, it's still stating "access is denied."  Any suggestions????

Outlook 2007 AutoArchive Settings confusion


We have a third party archiving solution, so I want to prevent Outlook 2007's AutoArchive feature from ever running, or if it is setup to run for it to no longer be setup.  I found User Config/Admin Templates/Microsoft Office Outlook 2007/Tools...Options/Other/AutoArchive's AutoArchive Settings, but I'm confused what to set it as.

Do I first need to enable the policy with all the options unchecked (to take care of people who had auto archiving setup already in their Outlooks) then wait a while then switch it to disabled so any new users won't have AutoArchive ever enabled and cannot enable it themselves?

Or can I just set it to Disabled and that will prevent it from ever running again or being setup through Outlook by users?

GPO & RDP question Server 2008 R2


Hello,

I am needing some help with GPO and Terminal server. I am doing a lab and have a few requirements I need to accomplish. Here is what they are asking me to do in the lab.

Set one of the users to access notepad on the server using remote app with “user privileges”. Set the second user should have access to a published desktop on the server. The 3rd users should not have RDP access. All users should have a “documents” mapped drive set through group policy to a share created on the server (mapped both for the PC and published desktop). Setup folders under this with permissions so that full control access is granted to that user’s folder, but read only access is provided to another folder, and access is denied for other user’s folders.

Any assistance would be greatly appreciated.

GPO Assigned and updated software fails to install on fresh computers


I'm trying to verify what I think is true, and if it is true, I'd like some assistance on the correct way to work around the problem.

My problem is that I currently have a GPO created and functional to deploy Microsoft Online Services Sign-In assistant.  I originally created the GPO back in early 2012 to deploy the then current version of msoidcrl.msi.  In October I used the Upgrade feature within the GPO to Assign (Replace) the Sign-In assistant with msoidcli.msi

I believe this functioned correctly for all of the computers that were currently on the network and using Office365, however when I have attempted to setup new computers, the GPO fails with a series of errors.  The errors seem to indicate that it is waiting for the Microsoft Online Services Sign-in Assistant service to start.  It's not installed yet.  Eventually after several failures while waiting for the service to start I receive an error message in the System Event Logs "The Install of application ... from policy failed error was %%1603"  In the MSI....Log file the error listed is 1920.  I'm logging in as a domain admin, and have tried specifically granting the domain admin 'admin' rights on the computer with no change.  

On the computer that I'm trying to test with, multiple restarts did not fix the issue.  After installing the original file that the GPO specifies is being upgraded, the GPO does install the program after needing a reboot.  This time the reboot is required because 'changes were being processed'

Am I correct to assume from this that Group Policy will not install the 'new' version of the software without the 'old' one being present?  If so, do I need to create an additional software install GPO to handle fresh computers that don't have the software installed?

Thanks

:edit: One other note is that the version listed in the Group Policy shows as 7.250 for both version of the msi.  but on the computer one version shows as 7.250.4209.0 and the other as 7.250.4303.0.  Both installed programs are listed in the successfully updated computer's add/remove programs.  

Cannot remove Scheduled Tasks created using Preferences


Greetings,

The scenario is the following:

  • Domain with Windows 2003/2008-based Domain Controllers.
  • WinXP/Win7 clients
  • Scheduled tasks was created using preferences (http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/2099e8da-ba89-4743-80f5-a80436d5f1ae/). The scheduled tasks run at user logon.

The problem is:

  • When I remove the GPO from the OU where the user accounts reside (preference settings at user level) the scheduled tasks run at user logon.

I have tried the following:

  • Re-apply the GPO to the OU and delete the scheduled tasks from the GPO. Result: the problem remains.
  • Re-create the scheduled tasks in the GPO, and configure the action to "Delete". Result: the scheduled tasks don't run at user logon, but still exists in the client and cannot


The question is:

What is the process to delete completely the scheduled tasks from the clients?

Thanks in advance!

Win 2008 R2 Install Font to multiple XP and Windows 7 PC using GPO


Hi Team,

We have to install some fonts to approx 200 XP + Windows 7 PCS (Domain : Windows 2008 R2)

What is the best way to deploy this using Group Policy (I mean, do we need to create an MSI or use a script)?


Viral Rathod Blog : http://viralr.wordpress.com


Deny 'Apply Group Policy' doesn't work.


Hi guys,

I have an OU in which I put a computer account Server100 (running on Windows Server 2003) and some domain user accounts inside (domain admins not included). Now I create a group policy in which a logoff script is added under the user settings to automatically clear the user's %temp% folder when they log off Server100. Now the script works perfectly fine for the domain users in the OU, but when I used the domain administrator account to log in and log off the server, it is also working although I have denied 'apply group policy' for the domain admins group under the 'delegation' tab of the group policy.

Why is it like this? Should I remove the computer account server100 from the OU because logoff scripts only deal with the 'user settings' in the group policy?

I need anyone's advice, thanks!

Interactive logon: Number of previous logons to cache


We want to implement this setting for all users:

Interactive logon: Number of previous logons to cache

Question:

1) What is the limit we need to set for "Number of previous logons to cache"?

2) Shall we put this into the Domain Policy or do we need to create a new policy?

Regards,

Viral Rathod


Viral Rathod Blog : http://viralr.wordpress.com

legal notice using group Policy

I want to configure a "Legal Notice" when a user presses Alt+Ctrl+Del in the domain. I have tried to configure the "Legal Notice" using the GP path below:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options --> Interactive Logon : Message text for users attempting to log on 

But I am not getting any output. Kindly advise me how to configure it.

With warm regards, Kiran Sawant

Events based task in task scheduler deploying by GPO


Hi all,

If I create a task based on an event in the system, e.g. if event ID 4036 happens, it sends me an email. Is it possible to distribute this task via GPO? I found some help about scheduled tasks via GPO, but nothing about event-based tasks :(

Any resolution?

Redirect Start Menu Devices and Printers

Is it possible to redirect the button on the start menu for Devices and Printers?

GPO is applied, but see no results?


Hi everyone

I've been searching high and low all day through the forums and Google and finally come to a stand still on getting this to work.

I am trying to deploy Office 2010 through Group Policy and when I run rsop.msc on the PC with the user or the Group Policy Results wizard on the same PC with the same user from the Group Policy Management console I see what I should: the batch file as a Startup script to deploy office, UAC settings so it doesn't interfere, and loopback enable with Replaced.

However, when I login into my test PC... nadda.  There's no setup.exe that runs.

I'm unsure if this is a GP problem or something I did incorrectly with the deployment package but that part was pretty straight forward and not sure how to troubleshoot.

Thanks!

Ryan



Denied myself access to GPO


I am a member of Group1, which has permission on GPOs (granted as delegate permission).

The allowed permission is: Edit Settings, Delete, Modify Security

Also, I am a member of Group2, where I mistakenly set the permission for Deny on (Apply Group Policy and Read).

Now the GPO where I set this deny permission shows as inaccessible in the GPMC console.

I tried to follow http://blog.rhysgoodwin.com/windows-admin/deny-yourself-access-to-a-gpo/

http://social.technet.microsoft.com/wiki/contents/articles/how-to-restore-settings-if-you-accidentally-modify-the-gpo-permissions-and-give-deny-access-to-enterprise-admin-and-domain-administrators.aspx

However, it says I do not have permission.

I am not a domain admin.

Is there any way I can fix this, or can only a domain admin fix this?


Prevent GPO from applying


We have an OU for Terminal Servers; we have blocked inheritance so that no domain GPOs apply to this OU.

This OU has all the servers with the Terminal Server role installed.

Now we created 3 separate GPOs and applied them to the Terminal Server OU

GPO1 - For Computers

GPO2 - For Users

Q:1 - The GPO created for computers has User Configuration settings disabled.

What we set up in this are various server settings for TS, and we also enabled a policy named:

Set user profile path for all users logging on to this computer

All was fine until I realized even the administrators who log in to these servers get this, which I did not want.

So I looked around and found "How to prevent domain Group Policies from applying to certain user or computer accounts"

http://support.microsoft.com/kb/816100

I added a group for the users who belong to the admin group in the delegation tab in GPMC and followed the steps to deny the GPO as mentioned in the above article.

I ran Gpupdate /force a couple of times.

Rebooted servers.

But the users who belong to this group still get their profile roaming.

I do not want these policies to be applied to the admins.

Is there something I am doing wrong?

Is there any way I can reset all group policies?

How soon does a GPO become available after we have edited it?

Does it depend on replication in AD?

Completely prevent internet history deletion despite 'reset defaults' & allow temporary file deletion.


I have a need to retain Internet Explorer history for a long period of time for auditing purposes, outside of what our reporting appliances are already doing, mostly for a psychological deterrent to users. 

The site in question is a domain with a mix of Windows XP & Windows 7 PC's. The group policy server is a Windows 2003 Server which has received updated inetres.adm and furthermore administered by a Windows 7 Professional PC with group policy console for newer group policy control for the Windows 7 systems.

This is my preferred scenario:

  1. User cannot delete history and history is retained for 120 days. 
  2. User can delete temporary internet files.
  3. User can reset Internet Explorer settings.
  4. Points 2 and 3 do not affect point 1. 

Basically, using the obvious settings in User Configuration | Administrative Templates | Internet Explorer | Delete Browsing History to:

  • Turn off "Delete Browsing History" functionality: Enabled
  • Prevent Deleting Web sites that the User has Visited: Enabled
  • Disable "Configuring History": Enabled
  • Prevent Deleting Temporary Internet Files: Disabled
  • Prevent Deleting Cookies: Disabled
  • Prevent the deletion of temporary Internet Files and cookies: Disabled
  • Configure Delete Browsing History on exit Properties: Disabled

All of these options do not provide the intended requirements I've listed above. 

So in other words, I never want users to be able to use any form of trickery or intelligence to delete their history (other than deleting the history file which is basically unpreventable) yet I want them to be able to delete their temporary internet files, their cookies and reset their web settings, none of which should affect history. 

Intuitively, I'd expect Microsoft to allow us to distinguish between browsing history and temporary files since they've done this with group policies and buttons in Internet Explorer, and they really are as far as the English language is concerned. 

Thanks in advance. 


Server 2012 Windows Update Group Policy


I've deployed a few 2012 Servers using the same Group Policies that I have been using on our 2008 R2 SP1 servers for Windows Update.  On the 2008 R2 SP1 servers the boxes install updates at 2:00am and restart.  The 2012 servers install the updates at 3:00am and display a prompt that they will restart in a couple days.  It is now 14 days later and they still have not rebooted.  This is the only Group Policy applied to the OU these servers are in.  When looking at the UI for Windows Update > Change Settings, it says "Some settings are managed by your system administrator" but you cannot see the details like you used to so I know that Group Policy is at least trying to control Windows Update.  I've looked in the registry on the 2012 servers and the Group Policy settings are there but not all of them appear to be working.  Why is this occurring and what do I need to do to fix it?  Thanks.

GPP Drive Maps cannot apply to multiple session under Terminal Services


Hi folks,

A strange issue that I created a new GPO and configured the GPP Drive Maps policy, meanwhile I created a new OU then linked the new GPO to it.

I created a user in the new OU, then tried to use this user to log in to the terminal server (Windows Server 2008 x64 RTM, patched SP2); all drives get mapped perfectly. In this case, the session is 1, this computer is CLIENT01.

Then I went to CLIENT02 and used the same user to log in to the terminal server again; the session is 2, both sessions are online.

In the session 2, I cannot see any drives get mapped.

Then I log off from both sessions, next to login to terminal server from CLIENT02, this time, all drives get mapped like dream.

All then I got the problem, when I login to the terminal server from CLIENT01 using the same user account, no drive can be mapped.

What's the root cause of this issue? misconfiguration or known issue or something else?

I tested the scenario in Windows Server 2008 R2 Terminal Server, no such issue.


Group policy and trusted sites issue


Last week I set a new IE home page through group policy (User Config\Windows Settings\Internet Explorer Maintenance\URLS/Important URLs) and added a couple of sites to the IE Favorites.  It seemed to be fine, so I pushed it out.  Shortly after, people started saying that they couldn't log into secure sites.  I found that for some reason this wiped out everything in each user's trusted sites and blocked their ability to add sites individually.  Removing the policy didn't fix it.  So, I've made a mad scramble to add the most important sites manually through the GPO, but why would this happen?  I've seen on some posts that this is by design, but is there a way to do both?  I can add, but still allow users to add also?

Another effect of this is that some users have lost the ability to open hyperlinks from Outlook.  It says that they are unable to open because of administrator restrictions.  Is there a GPO setting for this?

Any help is MUCH appreciated.
