Channel: Group Policy forum

Edit or Create GPO, Access Denied


Recently I cannot edit the domain group policy or any existing GPO policies. I am running win2003 SP2 with 1 domain controller (SRV-1), 5 workstations, 1 win7 workstation. When I try to edit the GPO from the DC I get the following error.

EventType:   Error

Event Source:   Userenv
Event Category:    None
Event ID:    1030
Date:        12/2/2012
Time:        8:23:57 AM
User:        NT AUTHORITY\SYSTEM
Computer:    SRV-1
Description:
Windows cannot query for the list of Group Policy objects. Check the eventlog for possible messages previously logged by the policy engine that describes the reason for this.

 EventType:   Error
Event Source:   Userenv
Event Category:    None
Event ID:    1058
Date:        12/2/2012
Time:        8:23:57 AM
User:        NT AUTHORITY\SYSTEM

Results DCDIAG /v:


Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine SRV-1, is a DC.
   * Connecting to directory service on server SRV-1.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 1 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\SRV-1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
            *** Warning: could not


Designing a group policy / interaction with local group policy


Hi,

I'm looking to design a GPO that will be applied to server 2012 member servers, specifically looking at Security Settings / User Rights at the moment.

Within the group policy that is being applied I have the log on as a service setting set to Contoso\Test1

How does setting this policy for example affect the ability to install IIS/SQL for example?

If I look at RSOP on the member server it shows only Contoso\Test1 within the setting.

If I look at local security policy on the member servers it shows Contoso\Test1 and the domain account that I used to install SQL under, all greyed out.

I am also able to configure IIS/SQL to use another service account.

My understanding was that if a group policy setting was specifically being applied it would overwrite the local security / local group policy on the member server.

In this case they seemed to be merged. You cannot directly edit the setting in local security / local group policy as they are greyed out but it looks like SQL & IIS are still able to update these settings?

Does this mean I don't have to worry about these settings in group policy? (My concern was that if I set something in a group policy, it would mean that we would not be able to install IIS/SQL etc.)

Thanks,

Nigel.

GPO: Scheduled Task Simple Display Message


Hello,

I am having some issues getting my scheduled task to work.  Any help would be greatly appreciated.  I am trying to display a message at a scheduled time.  Down below are the steps I performed:

* Created an OU
* Placed my computer into the OU
* Opened up the Group Policy Management Console
* Right clicked that OU -> Create a GPO and link it here
* Under Security Filtering added Authenticated Users and Domain Computers
* Linked and enforced the GPO
* Right Click GPO -> Edit
* Computer Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks
* Right Click Scheduled Tasks -> New Task (Scheduled Task Windows Vista and Later)
* Action: Update, Run only when user is logged on, Run with Highest Privileges, Configure for Windows 7
* I set the schedule time and action to display a message

* I also enabled loopback processing on the Computer Configuration

However, I am unable to get it to display a message.  I tried the "Run task as soon as possible after a scheduled start is missed" and set the time extra early.  I've tried displaying a message on start up.  Both resulted in no luck.

Thanks,

Jkwong


dhcp

I have two routers, and the two routers are connected by one switch. My problem here: I need the DHCP to take the 10 users from the first router and the other users to take from router 2. What should I do?

How to set PEAP as default EAP type of wireless network


I want to log in to a wireless AP using 802.1x PEAP, but the client uses Smart card or other certificate by default, so login will fail.

I want to make PEAP the default EAP type for any wireless network connection of all client computers in the AD domain, instead of Smart card or other certificate.

I don't want to add wireless network connection in group policy.




Prevent users from changing windows 7 time zone


Hello,

We have a separate domain where the domain controllers are Windows Server 2003 R2. There's no "Change the time zone" option in Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment; that's only available since Windows Server 2008. Any other options to disable regular users from changing the time zone?

Client PC turns on when shut down


I am using Windows Server 2003 R2 as a Domain Controller and running on XP SP3 client PC's.

My colleagues have complained to me that they are shutting down the computers every day when they go home, but they are already on at the login screen when they come to the office the next day. It looks like the computers are starting themselves after 10 - 20 minutes.

I haven't done anything in the Domain Controller / Group Policy, but I am installing all the critical updates using WSUS.

Does anyone know what could be the issue?

Is there any setting that can be changed at the Group Policy level to fix it?

Thank you

Shaheed

Using group policy to add a security group of users in AD to the local admin group of a list of computers in a security group of computers in AD


Want to know if there is a way to use Group Policy to add a security group of users in AD to a security group of computers and put them in the local admin group? These machines are spread throughout different OUs and not located in just one OU. The goal is to grant a specific group local admin rights to these machines.

One thought was to add them via the security tab of the security group of computers and grant full access.  I selected 'this object and all descendant objects' and ensured all boxes are checked. The other option in that list was 'descendant computer objects'. Just haven't tested it out to see what works. Thanks in advance!


Unable to Deploy the .msi package via GPO


Hi, I have been trying to deploy UltraVNC over a network but it is intermittent. The workstations seem to be able to pull the .ini file from the UNC folder but would not pull the .msi installer that contains the software.

Help please! Folder redirection not working on Seagate NAS drive


I get various errors after changing a group policy to point to a network storage drive

The users have full permissions and I am moving files manually

tried recreating users profile

ran gpupdate /force several times

gpresult says policy is applied but event viewer says things about can't create the various profile folders, but they already exist in that location

noticed that I can't access the Document or picture libraries

any ideas?

this is a Linux based NAS drive so I can't set NTFS permissions on the folder although it is a domain member and will allow users to have full permissions I can't allow any built in system accounts to have full access...


David Sheetz MCP

GPP Printer Deployment - Print Server Event ID: 4098 0x80070bc4 & 0x8007007b


So we deployed all of our printers through GPP. Everything seems to be working fine, but we are receiving a warning in the event log on 2 servers and 1 Win7 Machine. The Win7 machine had to be reinstalled today, and is not showing any errors now.

Each Printer is set up as Shared. Each printer is installed, then each printer is set to default based on item-level targeting of Security Group Membership. All Print Processors are WinPrint/RAW. SERVER2 reported installation fine on 12/12/12, but warnings on 12/11/12 & 12/13/12. Same thing happened days before and after. As far as I know, these are the only 2 warnings left in our domain for GPP Printer Deployment. I have no idea what is causing these errors. Can anyone help please?

Warnings-

SERVER1(Print Server)(Server 2003): 16/18 printers report this warning. The 2 printers not being reported are installed by item-level targeting.

Event Type:Warning
Event Source:Group Policy Printers
Event Category:(2)
Event ID:4098
Date:12/19/2012
Time:6:28:23 PM
User:NT AUTHORITY\SYSTEM
Computer:SERVER1
Description:
The user 'Trans' preference item in the 'PrinterDeployment {87BB1FF1-CD2A-4056-A672-103161D9E09A}' Group Policy object did not apply because it failed with error code '0x8007007b The filename, directory name, or volume label syntax is incorrect.' This error was suppressed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

SERVER2(Server 2008R2): 16/18 printers report this warning. The 2 printers not being reported are installed by item-level targeting.

Log Name:      Application
Source:        Group Policy Printers
Date:          12/19/2012 7:12:24 PM
Event ID:      4098
Task Category: (2)
Level:         Warning
Keywords:      Classic
User:          SYSTEM
Computer:      SERVER2
Description:
The user 'Trans' preference item in the 'PrinterDeployment {87BB1FF1-CD2A-4056-A672-103161D9E09A}' Group Policy object did not apply because it failed with error code '0x80070bc4 No printers were found.' This error was suppressed.


GPO Issue - Need help.


I am trying to apply account policy (password + account lockout) for selected domain users.

  1. Created a group and included the users into this group (GroupA).
  2. In “Default Domain Policy” which is applied at the domain level (top most), I have edited the security setting of the policy as follows:
    1. For “Authenticated Users”, “Read” is checked but “Apply Group Policy” is not checked.
    2. For “GroupA”, “Read” and “Apply Group Policy” is checked.
  3. Sufficient time given for replication. Also used gpupdate /force. Also rebooted the domain controllers.

However, when I purposely type the wrong password, the account (which is a member of GroupA) does not get locked. FYI, I am using Windows 2003 R2 SP2 as my domain controllers. Do I have to maintain “Authenticated Users” for the policy for it to work? Also, I used the ADSIedit tool to check and found that the parameter “lockThreshold” at the domain level (top most) is set to “0”. Any idea why my policy is not applying? I have referred to these forums for information as well and followed accordingly but it does not work.


Server 2008 SP2, services do not start up and 3 are in the state Starting


Last week I was working on a problem where services didn't start after a reboot and 3 services are in the state "starting":
"Windows Event Log", "TCP/IP NETBIOS Helper", "DHCP Client".

This problem occurred on an SBS server 2008, but later we found out this can happen on different versions of 2008 server.  After I tried all kinds of solutions I opened a support call with Microsoft and found it was a bug in Windows that can only be fixed through a non-public hotfix. Here is some information from Article ID: 951430:

Non-administrators cannot log on to the console of the computers that are running Windows Server 2008 if locale information is set in Group Policy Preference

Check http://support.microsoft.com/kb/951430; that solved it for me.

I hope that by sharing this information others will fix this faster :) 

Error when trying to "Detect Now" in Server 2012 Group Policy Management


I have three Windows Server 2012 domain controllers running Active Directory at a functional level of Windows Server 2008 R2.  The domain controllers were recently replaced with the 2012 DCs.

When I open the new Group Policy Management console on a domain controller, click on my domain, click the new Status tab, and click Detect Now (button on the bottom right), I receive this error:

Group Policy Management
A processing error occurred collecting data using this base domain controller. Please change the base domain controller and try again.

Group Policy Management Status Error

This server is the Primary Domain Controller (PDC).

Any thoughts?

The user is a part of the following security groups - ERROR: An unexpected error occurred.


Hi,

I'm trying to troubleshoot my GPO.

When using GPRESULT /R on a Windows 8 client machine, COMPUTER SETTINGS are not displayed, only the USER SETTINGS, and I am getting an error:

   The user is a part of the following security groups
   ---------------------------------------------------
       ERROR: An unexpected error occurred.

What could be causing this?



0x80070041 in GPP


Hi, 

I have a strange issue. I use file copy in GPP and on the client there is event 4098 with info

... 0x80070041 Network access is denied ...

but from the client I can copy this file.


Voytas


Windows failed to apply the Internet Explorer Zonemapping settings - the data was invalid (event ID: 1085)


Hi All,

I have a large domain and a long list of websites that are trusted using the following group policy setting:

Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List


On all (XP/vista/win7) workstations across the domain I'm getting the following error:

Log Name:  System
Source:  Microsoft-Windows-GroupPolicy
Event ID: 1085
Task Category: None
Level: Warning
Keywords:
Description: Windows failed to apply the Internet Explorer Zonemapping settings. Internet Explorer Zonemapping settings might have its own log file.


There's nothing either side of this error in the log that shines any more light on the issue.

I know which group policy object is applying these settings but can't find which of the entries in the site to zone assignment list is causing this issue. I looked in the Group Policy/Operational log but all I see is the following entry which says "completed" but is logged as an error:




After some research I'm guessing that the issue is an incorrect wild-card. This is what my trusted sites list looks like (with names removed of course):

http://servername.*  

*.internaldomain.com.au  

*.domain.com.au  

*.domain.*  

*.externaldomain.com  
 
*.domain.inernaldomain.com.au  

*.domain.*  

*.domain/name.*  

*.domain.inernaldomain.au*  

*.domain.com

Is there something obviously incorrect here?
Does anyone know where I could find an article that clearly outlines the acceptable wildcard syntax for the "Security page\ site to zone assignment list" group policy?  I've read every forum post, website and blog I could find on the internet but nothing is clear and I wasn't able to find an MS document that steps it out. I've also changed the existing list a number of times based on blog posts etc but had no luck.


**Please Note**
I don't want to change to a different method or have an intellectual debate re why I would have these sites/wildcard/policy set. I'm really looking to see what entry is invalid and where the documentation is for this policy setting so I can make sure they are always correct in the future.


thanks in advance for your time and assistance
Simone


PS: I've already read the following posts a number of times:

  • I get no data but have identified the GP that is causing the issue:
    A test case for troubleshooting group policy application – Event ID 1085 and 7016 - http://blogs.technet.com/b/askds/archive/2008/08/21/a-test-case-for-troubleshooting-group-policy-application-event-id-1085-and-7016.aspx 
  • I don't have any 2 letter domain names:
    Problems Adding Top-Level Domains to Zone Sites List - http://support.microsoft.com/kb/259493

  • I tried formatting the list per this article:
    [Solved] The Group Policy client-side extension Internet Explorer Zonemapping failed to execute  - http://daily-it.blogspot.com.au/2008/09/solved-group-policy-client-side.html

  • Has no domain wildcard format info:
    Behavior of Site to Zone Assignment List  - http://blogcastrepository.com/blogs/mattbro/archive/2006/09/07/2183.aspx

  • Great article, no wildcard data:
    Internet Explorer Policy Settings  - http://technet.microsoft.com/en-us/library/bb457144.aspx

  • Internet zonemapping problem: http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/a8756a27-b562-42ad-8782-87d284e6bcfb/
  • Spiceworks Event 1085 (Warning) - http://community.spiceworks.com/windows_event/show/1582-microsoft-windows-grouppolicy-1085
  • Event ID 1085 — Application of Group Policy - http://technet.microsoft.com/en-us/library/cc727303%28v=ws.10%29.aspx
    Application of group policy - http://technet.microsoft.com/en-us/library/cc727312%28v=ws.10%29.aspx
  • Evt ID 1085 GP client-side extension IE ZoneMapping failed to exec  - http://www.winvistatips.com/evt-id-1085-gp-client-side-extension-ie-zonemapping-failed-exec-t706399.html
  • Event 1085 - Internet Explorer Zonemapping - http://www.minasi.com/forum/topic.asp?TOPIC_ID=29206
  • EventID.net - http://www.eventid.net/display.asp?eventid=1085&eventno=1412&source=Userenv&phase=1
  • Event ID 1085 - Internet Explorer Zonemapping failed to execute - http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24897522.html

.

.

.

UPDATE:

I disabled the original policy and created a new one with only one trusted site address in it. Then I logged into a clean test machine and did some testing. What I found after a few hours of testing was; regardless of the site that I have listed in group policy -

  • The HKCU\Software\Policies\Microsoft\Current version\Internet Settings\Zone Map Key registry entry is always updated with that entry on the workstation. So the workstation's registry always updates the key with *.sitename.com per the site that I have set in GP
  • If I run GPUPDATE /FORCE over and over again, on the same machine, under the same user account, using the same DC I get: Failure, Failure, Failure, Success, Success, Success, Failure etc

I wasn't able to determine any pattern to the failures, I tried stopping some of the processes on that machine but didn't find anything that would make it fail/succeed reliably.
There is no AV or firewalls installed on my test machine

Anyone have any more ideas?  I think I might install filemon and try to capture some more data unless there's a better tool?


GPO Audit folder Access


Hi,

I have created a GPO to audit a folder in a Windows 2008 Standard server for a global group that contains users to be audited. Users having permissions on the folder are audited but others that don't have it are not, and I am interested to know if someone tries to get access to this folder.

In a test server on Windows 2008 R2 I've done a filter in the Event Security Log so I can view failed access to the folder, but in Windows 2008 no. I notice that the option "detailed filesharing" doesn't exist; I have just "file sharing" in the filter, which doesn't give me the details that I need.

Please, I need your help, and the same thing for Windows 2003 R2.

Kind Regards.

ADMX templates on Windows Server 2008


Hi, we're using Windows Server 2008 SBS and have just added our first Windows 7 client to the domain. I want to be able to administer its settings so I've located the Policy Files (in c:\windows\PolicyDefinitions) and copied that directory into \\SERVER\SYSVOL\domain\Policies as described elsewhere.

When I start the Group Policy Editor these policy files are not automatically added. And if I do an Add Templates, and navigate to the ADMX files, when I try to add one I get the message "only files that end with the adm extension can be added to this group policy object". I thought Server 2008 supported ADMX files, so why am I getting this message, and how can I enable the Windows 7 settings in my Group Policy Editor?

This post (http://social.technet.microsoft.com/Forums/en/winserverGP/thread/0e2dd2c5-87a8-4d4a-8ef5-b03ffcd392d3) has the same question but no answer other than use Server 2008 R2 - which will cost me money!

Thanks in advance.

GPO deny RDP for Local Accounts


I have a mix of 2003 and 2008 servers. Is there a place in the Group Policy Management where I can deny anyone from using a Local Account to RDP? I just want users to be allowed to use their Domain Creds, and prevent (deny) Local Accounts to RDP.

Thank you
