Channel: Group Policy forum

Internet zonemapping problem


Hi

We are having problems with a certain group policy. We have a rather large environment, and a while ago implemented a group policy to centrally manage the Trusted Sites/Local Intranet sites: Windows Components/Internet Explorer/Internet Control Panel/Security Page

The GPO seems to be working well. The sites are recognized as stated in the policy.

Nevertheless, we get an error message in the event viewer:

Error 1085: The Group Policy client-side extension Internet Explorer Zonemapping failed to execute. Please look for any errors reported earlier by that extension.

With RSOP.msc I get this result:

Internet Explorer Zonemapping Failed (no data) 28/06/2011 15:33:11 Internet Explorer Zonemapping failed due to the error listed below.

The parameter is incorrect.

I can give you the list of all zone assignments if needed. We already recreated it...

Thanks for your help

Davy

 


What are the best printer deployment practices for Win Server 2012 R2?


I have about 40 printers deployed around my school. My users move around my building and log into several computers throughout the day. I need to consistently get the correct group of printers to map to the computer upon startup and set a default printer. I have tried to use GP, but the inability to set a default printer within the computer policy is a crippling issue. I have tried using third party software (Kaseya DPM) where I can set printers and default printers, but the real-world, daily deployment is inconsistent. I have a logon script that I used to use, but the printers were trying to map before the network was established; the printer mapping was failing because the script was too fast.

This is not a new idea. What is the best way to consistently deploy printers that are mapped to specific computers?

After a restart, first powershell wants an Execution Policy Change


Hello all,

I fouled something up when I tried to set the ExecutionPolicy to RemoteSigned via GPO.  I have since removed that and have reviewed several forum posts, but none have "fixed" my problem.

I reboot and then login.

The first powershell script I run, via right-click & 'Run with Powershell' causes the "Execution Policy Change" prompt to appear.  This appears before anything in the script has run.

Doing a Get-ExecutionPolicy -List results in 5 returns.  MachinePolicy, UserPolicy, and CurrentUser all return Undefined, Process returns Bypass, and LocalMachine returns RemoteSigned.

I've been doing some testing on a machine and here is what I see.  The first command in the script is Get-ExecutionPolicy -List

I restart and login.  Run powershell via the powershell shortcut.  No prompt.  Process is undefined, not bypass.

Restart and login.  Right-click script and get prompt.  Say Y and Process is Bypass.

Restart and login.  Right-click script and get prompt.  Say N and Process is Undefined.

Restart and login.  Run powershell, cd to script location, .\script and no prompt.  Process is Undefined.  Right-click script and run it and no prompt, but Process is Bypass.

If I run the same script again, there is no prompt and the Process is Bypass.  No matter how I answered the first time.

What gives?  Why is it trying to (apparently) set the Process to Bypass?  Why does it prompt only the first time after a restart of the system?  Why is it only when I execute the script via the right-click?  Two different machines, two different scripts.  Same results.

-g

Drive Mapping Group Policy with Item Targeting for multiple groups


Is it possible to do the following using Item-Targeting:

1. I have security groups created for various departments like so:

HR-Dept Security Group
HR-subDept1 Security Group
HR-subDept2 Security Group

Legal-Dept Security Group
Legal-subDept1 Security Group
Legal-subDept2 Security Group

2. Separate departmental group policies have been created and are filtered to the departmental security group.

3. There are departmental file shares created and access is granted based on membership to the group(s) above.

The departmental group policy has a drive-mapping setting created to map drives for the departmental users. So all members of the HR-subDept1 Security Group have access to their data. I've tested this and it works for both departments.

To take this to the next level I need to make it so that other sub-department groups receive the same policy settings but to different sub-folders like so:

HR-Dept UNC = \\share\hr-dept (parent)
HR-subDept1 group UNC = \\share\hr-subdept1
HR-subDept2 group UNC = \\share\hr-subdept2

The question here is if it's possible for the drive mapping to show only the folders the user is configured to see? So if in this group show this, or these, folders and not those folders. All would be housed under the same drive letter which points to the parent share.

So I create a new drive mapping policy and have it point to the folder root:

\\share\hr-dept

I label it accordingly, HR and assign a drive letter, H.

Next Common - item-level targeting
New item - Security group
Browse to the parent group, HR-DEPT, and can see its SID.
I add another item - security group and choose OR.

Am I right in assuming that if the user is a member of the first or either of the other groups they will see the drive mapping? I'm hoping this controls which shares they'd see? So if not a member of the HR-subDept2 group UNC = \\share\hr-subdept2 then they don't see that share.

Excuses if the typed version of this request confuses some. I'm thinking this is better than creating multiple GPOs for the sub-departments. In the end there would be just one departmental GP with drive mappings specific to that sub-department. The goal is for that department to all use the same drive letter.

Any responses appreciated.

Pushing trusted sites

I would like to push a few trusted sites to IE, however when I apply the setting through group policy, it prevents the local user from adding trusted sites. Is there any way to do this while still allowing the user to add their own sites?

GPO error 1030 - Server 2008 R2


Ok,

After reading and reading and trying different fixes, I can't seem to get rid of the Event ID 1030 on my AD server.

We have 3 servers all in the forest, the AD server is the only one having this problem.

I have tried gpupdate, replicating from another server, misc other reg edits to no avail.

The error is:

"The processing of Group policy failed. Windows attempted to retrieve new Group Policy settings for this user of computer. Look in the details tab for error code and description. Windows will automatically retry this operation at refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings."

The Error Code is 8341

This is happening every 5 minutes.

I need help!!!

Also, I am having Outlook problems on all the end users' machines. Could this be related?

Servers are running 2008 R2, all updates and end users are using Win 7.

Suggestions?

Thanks

Mike

Discrepancy in Default Domain Policy


Hello, 

About 6 months ago we migrated from DCs running Windows 2003 R2 to Windows 2012 R2. At that time we raised our domain functional level to "Windows Server 2008 R2".

I am trying to audit my Group Policy and have found a problem I am unable to explain. I have installed RSAT tools on my local workstation, and I have been using it to view group policy to perform my audit. Everything was going fine until I came across:

"Default Domain Policy"
Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities

However when I attempted to edit the policy to look at the settings, nothing is there, the certificate is just missing.

Furthermore, when I look in the Group Policy Management on the DC, it does not even show "Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities"

Can anyone explain to me the following:

1. Why do my local workstation's RSAT tools show settings that are not reflected on the DC?

2. Why are my RSAT tools showing settings on a certificate that does not exist? Is it because there used to be a cert there when we were using 2k3 domain controllers, and the cert wasn't migrated?

3. How can I fix this so that my RSAT Group Policy Manager on my Workstations is synched with my Domain Controllers?

Thank You in advance for any assistance. 

P.S. I had several pictures setup that made the explanation of all this much easier, but I was not allowed to add them because "Body text cannot contain images or links until we are able to verify your account."  




Inetres.admx and Enterprise Mode.


Hi Guys,

I was looking at implementing Enterprise Mode for IE11. I downloaded the latest ADMX files from MS. ( Windows 8.1 Update 1) and I noticed that the version of inetres.admx/adml does have the enterprise mode settings.

The only way I could have these settings was installing IE11 on to my workstation and uploading inetres.admx/adml up to my central store for GPMC to manage it.

My question is, why isn't enterprise mode a part of the latest downloaded ADMX file from MS?

Thanks in advance.

Jase.


GPO forces rights elevation for ANY admin work, but domain can't be contacted


Due to domain GPO, local machine admin cannot display network properties without elevating rights via Domain/admin; however, the domain cannot be contacted.

How can I change properties without a domain controller available?

Minimum & maximum password age


Hello,

I am making a security policy document and require to give a short definition for Minimum and Maximum password age.

Minimum Password Age

Defines minimum age of password before it can be changed

Maximum Password Age

Defines maximum age of password before it expires

Could someone give me guidance: is the above definition correct?

Thanks.

Windows 8.1 and 2012 R2 ADMX


Hi,

I have 5 DCs, 4 running Windows 2008 R2 and 1 running Windows 2008 (32bit), and the forest functional level is Windows 2008. Recently we have started to add Windows 2012 / 2012 R2 and Windows 8 / 8.1 servers and clients to the domain; however, there are some limitations with group policy. Therefore I would like to install ADMX for Windows 8.1 / Server 2012 R2, but I have a few questions before I do this:

I have downloaded the following files RTM.msi from TechNet and imagine that it also has all the relevant policies for Windows 8 and Server 2012.

At the moment all my GPOs are targeting Windows 7 clients and Windows 2008 and 2008 R2 servers. Will the new template break any of my existing policies? For example, will any policies be superseded and therefore not work?

Finally, the new template is an MSI file. How can I install this in my existing network, and is there any method for reverting the change?

Group Policy settings and the result set are not synchronized between domain controllers and are not in effect; how to deal with this?


Group Policy settings and the result set are not synchronized between domain controllers and are not in effect; how to deal with this?

I have three DCs. On the main DC I changed the account strategy.

1. The GPMC settings on the other two were found to have changed over, as shown in the left part of the figure;

2. but the result set did not change over, as shown in the right part of the figure;

3. all three show the same phenomenon; in AD Sites and Services, pairwise replication reports success without any problems;

4. the system environment: Win 2008 R2 SP1

5. Net Accounts results are as follows:

C: \> net accounts 
Force user logoff how long after time expires:? 0 
Minimum password age (days): 0 
Maximum password age (days): 60 
Minimum password length: 8 
Length of password history maintained: 6 
Lockout threshold: 999 
Lockout duration (minutes): 1 
Lockout observation window (minutes): 1 
Computer role: BACKUP 
The command completed successfully.

Move Folder Redirect Location


We currently have users' "My Documents" redirected to a network folder using Group Policy.  It is currently located on a 2003 server and I want to move those to a 2008 server.

If I create a new GPO and point to the new location and let the users login, the folder should auto create on the new server.  The files are synced for offline use, so will it auto copy over their files or will I need to do a copy after they have logged in?

Taking AGPM ownership of a GPO fails


Hi,

Has anyone experienced the following issue when attempting to place a GPO under AGPM control?

Control GPO: {GPO Name}...Failed

[Error] Could not take ownership of the production GPO. The data area passed to a system call is too small.
----------------------------------------------------------------------

1 actions failed.

Any assistance would be much appreciated.

Regards

Nicholas Papalexion


GPO failed event 1058


Hey

I am having an issue with a terminal server.

We moved the server from a physical to a virtual and now the GPO for the network drives does not work.

I am getting a 1048 error in the event viewer, and if I look under details and under DCName it says the wrong servername. I have tried to flush the DNS, and looked in the hosts file.

Some of the clients have a local PC where this is not an issue. Can somebody help? It would be appreciated.

event log:

The processing of Group Policy failed. Windows attempted to read the file \\melitek.local\SysVol\melitek.local\Policies\{2602CEE8-9A53-46DE-A125-519E71B6173B}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 
a) Name Resolution/Network Connectivity to the current domain controller. 
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
c) The Distributed File System (DFS) client has been disabled.

System
  - Provider
     [ Name]  Microsoft-Windows-GroupPolicy
     [ Guid]  {aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}
    EventID 1058
    Version 0
    Level 2
    Task 0
    Opcode 1
    Keywords 0x8000000000000000
  - TimeCreated
     [ SystemTime]  2014-08-05T13:18:01.695Z
    EventRecordID 97132
  - Correlation
     [ ActivityID]  {2C33B962-8B87-4E40-8611-7EA3AD65D364}
  - Execution
     [ ProcessID]  576
     [ ThreadID]  14480
    Channel System
    Computer meliteksrv5.melitek.local
  - Security
     [ UserID]  S-1-5-21-1085031214-616249376-1177238915-3129

- EventData
    SupportInfo1 4
    SupportInfo2 840
    ProcessingMode 0
    ProcessingTimeInMilliseconds 23853
    ErrorCode 50
    ErrorDescription The request is not supported.
    DCName meliteksrv2.melitek.local
    GPOCNName cn={2602CEE8-9A53-46DE-A125-519E71B6173B},cn=policies,cn=system,DC=melitek,DC=local
    FilePath \\melitek.local\SysVol\melitek.local\Policies\{2602CEE8-9A53-46DE-A125-519E71B6173B}\gpt.ini


Invoke-IpamGpoProvisioning : Failed to import GPO. The system cannot find the file specified. (Exception from HRESULT: 0x80070002)


Hello, I'm trying to configure IPAM but I'm getting this error.

PS C:\Users\Administrator.IPADE.MX> Invoke-IpamGpoProvisioning –Domain actdir.ipade.mx –GpoPrefixName IPAM –IpamServerFq
dn minte.actdir.ipade.mx –DelegatedGpoUser Administrator -DomainController discovery.actdir.ipade.mx

Invoke-IpamGpoProvisioning : Failed to import GPO. The system cannot find the file specified. (Exception from HRESULT:
0x80070002)
At line:1 char:1
+ Invoke-IpamGpoProvisioning –Domain actdir.ipade.mx –GpoPrefixName IPAM –IpamServ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Invoke-IpamGpoProvisioning], Exception
    + FullyQualifiedErrorId : InvalidOperation,Invoke-IpamGpoProvisioning

In the event viewer I found this but I don't know what to do.

Import of backup failed. Error [The system cannot find the file specified.

].

Details -

     Backup

         Directory: The system cannot find the file specified.

         Instance : C:\Users\Administrator.IPADE.MX\AppData\Local\Temp\1\ipamprov

         Comment  : {09673450-4573-42E8-85D0-104144DF0BA3}

         Source GPO:

             DisplayName: IPAMGPO_DNS

             ID: IPAMGPO_DNS

             Domain: {7F345996-1D92-4194-85BF-72BFB5298EDA}

     Destination GPO:

             DisplayName: ipamtestsetup.com

             ID: IPAM_DNS

             Domain: {447E8380-91AF-4C2D-8DAA-2C090A6400E8}

        

Software Restriction Policy help


This policy was working fine, then all of a sudden it is not working anymore.

Blocking from

%AppData%\*.exe

%AppData%\*\*.exe

Here is the error I get

An error has occurred while collecting data for Software Restriction
Policies.
This error impacts the following settings:
Software Restriction Policies
Software Restriction Policies/Security
Levels
Software Restriction Policies/Additional Rules
The following errors apply to all of the above
settings:
A certificate stored by this extension is not valid. Use the Group Policy
Management Editor to reconfigure the settings in this extension.

Remote Server and MacBook Pro and Password Change


I use a MacBook Pro and am newly connected to office server using Remote Server.  Have been asked to change my password and instructed to use "Control", "Alt" and "End" to get to the change password page but it is not taking me there.  I have no "end" key specifically however, the right arrow key is supposed to be the "end" key.  I will need to change my password monthly.  Any suggestions on how to accomplish this on a MacBook Pro?

GPO Disable user change IP Address

I have a Windows 2008 SP2 domain controller. All my users have joined the domain, and all of them have been given local admin rights, so they can change their IP address. I want my users to have local admin rights but not be able to change the IP address. How can I create a GPO and apply it on the domain controller to solve this issue?

Issues with GPO for Open With/Folder Type


Hello,

We have a mixed environment of x86 and x64 Windows 7 systems. We are using Windows Server R2 Group Policy. We want to associate a certain type of file to open with Excel. In user configurations\Preferences\Folder Options, I added two entries to associate the file type to open with Excel: one entry for x86 with the correct path to Excel.exe and the other the same way for x64 systems. What I have found, though, is that the 2nd entry is the only one that applies to ALL systems. This changes the Registry key HKEY\Classes\Root\Applications\Excel.exe. Therefore, the 32 bit systems receive that GPO with the wrong path to open these files with Excel, so it doesn't work.

1. How can I avoid this so that all systems open the file type with Excel, regardless if they are x86 or x64?
2. Why does it allow you to enter multiple lines in the Folder Options, but only apply one of them to everyone?

Thanks
