Channel: Group Policy forum
Viewing all 19997 articles

GPO Block Control Panel

Hello friends, I need help. I created an OU in my domain and this OU put the user's computer and also this user account, I created a GPO to lock the control panel, only the lock is not happening, I ran the command gpresult /r on the machine and the result shows Block_Cpanel that the GPO is applied, except that the control panel is there, free for anyone to access.

Any idea what might be happening and how to resolve this issue?


Thank you!

Ivanildo Teixeira Galvão


Enable firewall with GP but allow users to disable....

I'm wondering how I can enable the firewall in group policy but allow a user to disable it if they have to.  I see that it says "settings are controlled by group policy" when I go to try to turn it off on a vista machine.  Thanks.

Need help with using Windows 7 as a Kiosk


Good day everyone,

I'm trying to get away from our old, outdated kiosk software in favor of using the native features of Windows 7(32X) Professional to accomplish this. I have a few PCs at my work that are used solely by guests and I need them to be fairly locked down while still functional to most of their needs. I have a decent start going as I have already accomplished several items via Group Policy enforced on a standard user profile that are needed; however, I'm finding a few things to be rather difficult to find answers to. Here is what I am looking for:

Currently I have my documents folder available to guests and the desktop and drives completely locked down, which is what I want. However, I need help with these aspects:

 

01. Guests should not be able to alter or delete the my documents folder (which they currently can).

02. In the group policy settings, I must have turned something on that hides all files within the my documents folder. Does anyone know which policy this is since I can't seem to find it? If I create a file in that folder it will stay there until I close the folder and reopen it, then it becomes hidden.

03. I need the only two places a file can be saved is the my documents folder and/or a guest thumb drive, including downloads from IE.

04. I need the user profile to revert back to this default profile I'm working on after the guest logs off, clearing any settings they may have changed within programs or otherwise as well as permanently deleting any files that they saved to the my documents folder. This could also fix issue 01 if there is no way to stop the deletion of that folder.

 

I hope I can find answers to these issues since I have been working on these for a while and really need to get these PCs deployed as soon as possible.

Thank you very much.


Blocking Specific Files


Hi everyone,

I've been using McAfee user defined policies to block files by extensions or a specific file name from being created, modified, executed, ... I want to do away with McAfee and I would like to know if there's a way of accomplishing this using Group Policy or another MS product that you know.


Meshack

Old GPO deployed printers keep coming back, but no GP exists for them anymore


During a transition from our new AD domain we had at one point configured a GPO that deployed printers that were on a trusted domain server. That domain and the server have been decommissioned and we deleted the GPO that was deploying the printer objects. However, those objects keep being deployed to users and computers. If we manually delete the printers they come right back at next login.

How can we find where this is still being deployed and get rid of it?  We have already looked in every GPO in the organization and these printers are not listed in any of them.  They also are not in the local machine policy either.

Negative selection possible


Is there a way to have Group Policy settings only apply to machines that do NOT have a certain service installed?

I couldn't create a WQL filter for that...

Account Lockout policy is not working on Windows Server 2008 R2 DC


I have configured a Windows 2008 R2 server DC in my office. I have created an account lockout policy on the Default Domain Policy and enforced it. The policy is as follows:

Account Lockout Duration: 99999 minutes
Account Lockout Threshold: 3 invalid attempts
Reset Account lockout counter after: 120 minutes

There are almost 150 client PCs connected to the DC, and most client operating systems are Windows XP SP2. I have created an OU for each department and created the relevant user accounts under the OU. For testing the policy I typed a wrong password 3 times on a client PC and checked that the user account is locked out on the server. But then I typed the correct password and logged on to the account; the account lockout message did not appear. I do not understand how I can log on to an account which shows as locked out on the server. After logging on to the user account I saw that the account is still locked out on the server. It occurs when I lock the desktop, but when I log off or restart the PC and enter a wrong password 3 times and then enter the correct password, the message that the user account is locked out shows. I have tested several PCs, but I got the same result. The account lockout policy is not working on a locked computer, but it works when I power on the PC or restart/log off the PC. After that, I also created the same policy on the Default Domain Controllers Policy and the server's local policy. But the problem is not solved. Can anyone please help me with this issue?

Change the password prompts on domain joined computers to reflect configured password policy


Hi All

Is this possible? At the very least we would like to maybe supply a static message with some more detail about the password requirements at the time when the password change is needed.

At the moment, when you change your password and it does not meet complexity requirements, it will list all the possible reasons your password change request was denied: history, age, etc.


A few GPO questions


Hi All,

I have a few questions regarding GPO creation:

1) How do you group your GPOs? I.e., decide whether to use an existing GPO or create another?

2) For a given GPO, how can I quickly see the edited options? Either via GUI or PowerShell.

Thanks,

My password policies can't be changed

My password policies can't be changed on my FRD or my RODC it is blocked out so when I click on it nothing happens and  I can't type. I'm trying to make it so I have two different password policies in two different locations. Please help.

Managing the Windows XP Windows 7 Firewall via Group Policy


OK, we have ~100 clients still on Windows XP and ~300 clients on Windows 7.  We're in the midst of a Group Policy revamp that also involves reorganizing the Active Directory OU structure also.  Our new AD structure resembles the following:

Workstations
>> Desktops
>> Laptops

Servers

All of our Windows XP and Windows 7 workstations are dispersed among the Desktop and Laptop OUs with the majority of GP settings being applied via a GPO linked to the Workstations OU, including the firewall settings. The issue is Windows Firewall with Advanced Security settings in the GPO (Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security) are only applied to the Windows 7 workstations and the Windows XP workstations receive nothing since their firewall settings are received via the settings under the Admin Templates section (Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall). And if we attempt to apply firewall settings in this location the Windows XP workstations receive the correct settings and the settings on the Windows 7 machines are not as granular as we would like them.

What's the best method to work around this issue, other than immediately upgrading the remaining Windows XP workstations to Windows 7? Create separate Windows XP / Windows 7 OUs and apply firewall settings at this OU level? Or use some type of filtering? I've never dealt with GPO filtering to any major extent so if you recommend this method, any guidance would be most appreciated.

 

GPP runs in System account even if specified that it should run in user context

The user 'xlsx' preference item in the 'USER-Microsoft-Office  Group Policy object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.

I have a problem with GPP that should make a program (LibreOffice or Microsoft Office) the default opening option for certain file types (.doc, .xls, .ppt etc...)

But the GPP runs in the system account even though I have set the policy to "Run in user's security context"

Group policy for ie setting fail


I want to let all domain users open the SharePoint site without logging in, using their current domain user to log in automatically, so I added a group policy on Windows Server 2008 R2 SP1, setting the following:

1. User Configuration -> Policies -> Windows Settings -> Internet Explorer Maintenance -> Security -> Security Zones and Content Ratings: add SharePoint sites to intranet and set "Automatic login with current user name and password"

2. Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Select "Site to zone assignment list"

3. User Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Select "Site to zone assignment list"

But when I open the SharePoint site on a client machine, it always prompts me to enter username and password. It seems the group policy is not working.


Awen


File GPP preference item fails path not found


Hi,

I have a GPP preference item, for a file, to copy it from a file share to C:\ on my servers.

The computer 'SetACL.exe' preference item in the 'Base Tools {0CC263CF-2996-40A5-8690-9C8E7A2314C5}' Group Policy Object did not apply because it failed with error code '0x80070003 The system cannot find the path specified.' This error was suppressed.

However, the file sits on a share at H:\BASETOOLS\, on both domain controllers and the member server in question. However, despite being able to browse to the file and domain computers and the computer account for the member server having permission to the share, I get the error above.

Is it due to the fact that the drive mapping is done via another GPO and maybe the file is attempting to be accessed by this GPO before the mapping of the drive? Can I influence this order?

Thanks

All GPOs apply without error, but they do not process security settings


Hey everyone, been a while since I have posted but I desperately need some help. Any help you can provide is eternally appreciated, I have been pulling my hair out on this for 2 days and it's fricken ridiculous.

My Situation

The "security settings" in all my GPOs do not apply plain and simple. All other settings in all the GPOs apply except the security settings portion.

Both GPResult on the PDC and on the local computer show that all the GPOs applied successfully, but when you actually look at the settings it does not show any of the settings in the security settings section are being applied, it actually acts like those settings are not configured in the GPOs.

The kicker? My computer I use every day gets all the GPOs fine, it's literally every other computer that is messed up.

RSOP shows same issue but does not show any errors.

What I have done.

 - Deleted every GPO in the domain, ran GPOFix and then created new GPOs and imported the settings.

 - Verified that the SysVol folder permissions were correct.

 - Verified the folder permissions of "%windir%/security" folder and all sub-folders were correct.

 - Ensured GPOs were enabled.

 - Ensured WMI filters were not the problem

 - Imported Local Security Policy with SECEDIT to ensure the local security policy database is not corrupt.

 - ran SFC /SCANNOW

 - Ran Disk Check

 - ran GPUpdate /Force

 - Restarted

 - No Firewall enabled

 - Ensured group policy are configured to apply to authenticated users.

 - Verified replication.

 - Powered off backup DCs to force GPOs to come from PDC and still same issue.

 - All policies are configured on the root level.

 - All GPOs have link enabled

 - All GPOs have all sections enabled.

Notes:

The only computers in the domain are Windows 7(x32) and Server 2008 R2 (x64)

Policy Events shows no errors.

Event Viewer shows no errors.

Process Monitor on the client shows that there are hundreds of "File Not Present" when it's querying the registry, but when you manually check the registry the keys are definitely there.

Loopback Processing is disabled

Slow Link Detection is disabled



ADM template for office and AD - Group policy


Hi,

I need to enforce English (UK) as the editing language in Office applications (2010 & 2013).

I have downloaded the ADM template and saved it on the C drive on the AD server.

Then I loaded the ADM template for Office into a GPO which I created on a test basis and added an AD user to it.

In the template I enabled the setting for primary editing language as English (UK).

On the client side, when I open an Office application, e.g. Outlook or Word, I can still see English (US) as the set language.

What am I doing wrong?

Also, how do I use the ADMX template? Because when I try to browse to add the template from the GPO editor, the window shows blank.

event id : 4098


The computer 'RpcSs' preference item in the 'Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}' Group Policy object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.

GPO to disable changing wireless profile settings


I've got a GPO to deploy a PEAP MSCHAP v2 wireless profile to certain domain computers. The computers receive the wireless profile assigned through GPO, the connection works, however, I noticed that users (including non-admin users) can modify certain settings of the wireless profile.

When you open the wireless profile, on the connection tab, all options are greyed out with a notification stating "These settings are managed by your system administrator". When you switch to the security tab you see the same thing, however, there are two buttons that even non-admin users can select and change settings.

The Security (tab) > Choose a network authentication method > Microsoft: Protected EAP (PEAP) > Settings button

and

The Security (tab) > Advanced Settings button.

When you select the "Advanced Settings" button, it opens 802.1X settings (tab) and 802.11 settings (tab) and all of the options are greyed out, but when you open the "Settings" button you can edit the settings.

Typically, I wouldn't be too concerned about this, however, you can uncheck the "validate server certificate" option, the option that allows you to specify the RADIUS authentication server, which Trusted Root Certification Authorities can be used for the connection, whether or not NAP should be enforced, etc. Some of these could increase your attack surface (such as a man-in-the-middle attack if you aren't validating the server, etc.).

I looked around a bit, but couldn't find any GPOs that would restrict this. I apologize in advance if I missed something simple and thanks in advance for your time in considering this.

Different Items


After making sure I had the RDP 8.0 Update installed on my Windows 7 (Pro w/SP1) client, I used the Group Policy Management tool to "Enable Remote Desktop Protocol 8.0" on my domain, under "Computer Conf. -> Adm. Temp. -> Windows Comp. -> Remote Desktop Services -> Remote Desktop Session Host -> Remote Session Environment".

My 2 domain controllers are a 2008 and a 2008 R2.

The Group Policy on the 2008 R2 does have the entire "path" listed above, but the item "Enable Remote Desktop Protocol 8.0" is not showing.

The Group Policy on the 2008 does not even have "Remote Desktop Services" under "Windows Components".

I assume that the setting is there, but not sure if it's working when I can't see it on any of the DCs.

Is there a way to "upgrade" the Group Policy on those two servers to show all the items/fields that are there but not showing?

I hope I explained this well enough.

Thanks.

Group Policy not being pushed out


Hi,

I have a problem with Group Policy updates. The domain controllers are Server 2008 R2 and the clients are all Windows 7 64-bit. It looks like the clients are not updating their group policies. We've recently added a certificate for our new corporate wifi. During testing we used gpupdate /force and the computers installed the certificates. It has been several weeks since the GP was published and we have announced the new wifi. Users are still being prompted to accept the certificate even though they should have received it from the GP. If I try to do an RSOP of a user's computer, I get "The RPC Server is unavailable". Any ideas on how to fix this?

Thanks

Ron Soulliard


Ron Soulliard Systems Administrator Polaris Ventures
