Quantcast
Channel: Group Policy forum
Viewing all 19997 articles
Browse latest View live

Group policy not applying to my DC

August 20, 2014, 8:13 am
$
0
0

When trying to run gpupdate /force on my DC I get the following message for both the computer and user policy:

"Windows failed to record Resultant Set of Policy <RSoP> information, which describes the scope of Group Policy objects applied to the computer or user. This could be caused be RSOP being disabled or Windows Management Instrumentation <WMI> being disabled, stopped, or other WMI errors. Group policy settings successfully applied to the computer or user; however, management tools may not report accurately."

Then if I try to run gpresult /r I get "Access is denied"

If I check secpol.msc it shows that none of my audit settings have been applied to the machine. I have applied the audit settings to the GPO housing the domain controllers and my other domain controllers have the settings applied correctly.

What could cause this?

Search

How to turn off automatic updates with in the application in group policy

August 20, 2014, 4:37 pm
$
0
0
I have an existing active directory with about 300 computers I need to install some software but I need to have the automatic updates turned off with in the application.   How can I go about doing this?   I am using 2008 server and I would like to do this with a silent installation.   I also would like to exclude my engineer dept. because they use something else.  how would I go about doing this in group policy? 

Server 2012-logging out idle users after x time

July 30, 2014, 8:03 am
$
0
0

Hi Guys,

I cant seem to find anything that's working for this & my boss is riding me for this.

I need to set up a rule in Win Server 2012 R2 that will logout users who are Idle for 30 mins, I cant get it through GPO so  hoping for any solutions? its been 2 days, please help?

Office 2010 Shortcuts - All Machines on Network - only with Office 2010 Installed - Group Policy

August 20, 2014, 8:25 am
$
0
0

Hi, I am currently deploying Office 2010 to the network via SCCM. I would like to create a seperate GPO to put Office 2010 shortcuts on all machines that have Office 2010 installed only (some machines still have 2003 office installed). Some machines also have the shortcuts (from an image), some will have been manually put on the desktops by the user.

Basically. I would like this this GPO to run on all machines with 2010, and if the machine already has office 2010 shortcuts not to duplicate it. How would I go about this? Naturally i create a share location to point the gpo shortcut object to.

I dont think there is a WMI filter for this?

GP 2008 R2

OS Windows 7 Ent

Any more info needed, let me know

Thanks


GPEDIT.MSC MISSING WINDOW 8

November 30, 2012, 1:36 pm
$
0
0

When I got windows 8 i started deleted apps all willie nillie. This may have caused a problem with getting to group policy editor.

But as of right now its either missing, does not exit, or im just dumb.

I have used the windows button + R and typed in gpedit.msc to run it and windows says "not found"

please help.

AGPM and policy security/filtering

August 21, 2014, 1:29 am
$
0
0

I'm having a problem figuring out how you change security filtering & WMI filtering under the 'Scope' tab and edit groups/users on the 'Delegation' tab on a controlled policy in AGPM.

All the options are greyed out in GPMC for controlled policies, but not on uncontrolled.

I've tried checking the policy out, but those properties still remain unchangeable.

Is there a special way to change these properties on an AGPM controlled policy? Or is it not possible?

Use Pop-up Blocker disabled policy not working via IE Administrative Templates on Server 2012.

August 21, 2014, 4:15 am
$
0
0

I'm finding I can't make any adjustments to the pop-up blocker setting at all.

I've set Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone and the option in there for "Use Pop-up Blocker" to be disabled. As for trusted sites we want to allow pop ups. however after saving this and using GPupdate /force from a command line and restarting the policy is not applying.

We also tried adding the sites in question to Internet Explorer/Pop-Up Allow List when we found that the trusted sites zone setting was not working but it also does not work that way either.

Deploying Printers with User Specific Settings via Group Policy

August 21, 2014, 7:01 am
$
0
0

Good Morning All,

We are getting ready to switch our print server over and would like to find an easier way to update everyone's printer list.  The issue we are running into is that we have a few large copiers that use a user id number to validate any print jobs.  Is there a way to set that up in GPO so that it will give the correct code directly?  I cannot find anywhere that I can adjust the printer preferences.

Thanks,

Brent

Search

how do you hide all icons on desktop yet still use custom icons?

August 21, 2014, 10:10 am
$
0
0

user config\......\"hide and disable all items on the desktop"  we want to lock down the desktop with this GPO setting.  This of course works but how can we still add our own custom icons to theAll Users Desktop?   We don't want users to be able to do anything on the desktop, no creating shortcuts, nothing!  But we still want 4 icons on the desktop for the most used apps.  is that possible?

mqh7

Give users permission to install fonts under Windows 7

April 15, 2010, 10:17 am
$
0
0

I want to give non-admin users permission to install fonts in Windows 7. Ive tried giving permission to the fonts folder and fontcache.dat file as seen in the policy below, but it is not working.

Any help is greatly appreciated.

-John

File Systemhide
C:\WINDOWS\FONTShide
Winning GPOStudentsInstallFonts
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
TypeNamePermissionApply To
AllowCREATOR OWNERFull ControlSubfolders and files only
AllowNT AUTHORITY\SYSTEMFull ControlThis folder, subfolders and files
AllowBUILTIN\AdministratorsFull ControlThis folder, subfolders and files
AllowEXP\studentsModifyThis folder, subfolders and files
AllowBUILTIN\UsersRead and ExecuteThis folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objectsDisabled
Auditing
No auditing specified
C:\WINDOWS\SYSTEM32\FNTCACHE.DAThide
Winning GPOStudentsInstallFonts
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
TypeNamePermissionApply To
AllowCREATOR OWNERFull ControlSubfolders and files only
AllowNT AUTHORITY\SYSTEMFull ControlThis folder, subfolders and files
AllowBUILTIN\AdministratorsFull ControlThis folder, subfolders and files
AllowEXP\studentsModifyThis folder, subfolders and files
AllowBUILTIN\UsersRead and ExecuteThis folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objectsDisabled

Does using Group Policy Preferences to deploy printers require the print driver to be pre-installed?

October 19, 2009, 8:23 am
$
0
0
I'm trying to prepare our school system for Windows 7 (we currently use XP).  I would like to use the new Group Policy Preferences method of deploying printers.  I pushed out the XP client side extensions through WSUS.  In my test environment, I added the shared printer in group policy preferences.  My XP machine had the printers show up automatically, but my Windows 7 machine did not.  I realized that I had previously connected a printer of the same type to my XP machine before and the drivers were already installed.  To test this theory, I manually connected the shared printers to the Windows 7 machine, deleted them, then logged off and back on.  Now the printers are showing up from group policy.  My question is does using group policy preferences to deploy printers require the print driver to be pre-installed?  If not, then what am I doing wrong?  If so, is there a way to work around this?  Thanks for your help.

EDIT:  To clarify, I am using the share method in GPP.  This is the error message I get in the event log:

The user 'PRINTERNAME' preference item in the 'win7 printer test {946461A1-27F8-406F-A0B3-0A1A05AF34F6}' Group Policy object did not apply because it failed with error code '0x80070bcb The specified printer driver was not found on the system and needs to be downloaded.' This error was suppressed.

Unable to log on to the server

August 21, 2014, 12:17 pm
$
0
0

Hi Guys,

There is a firewalled server but it is connected in the domain so you can login with your normal domain credentials. Thought it is a firewalled server.

Now the issue is, there is one domain service account added in the Administrators Group of the server which allows you to do some daily task on server. But when i m tryin to login via that domain service account i get the below error:

"The Group Policy Client Service Failed to Logon"

Access is denied

Any help, will be highly appreciated!

Adobe Compatibility setting

August 19, 2014, 12:38 pm
$
0
0

Hello Guys,

  I am new in this Filed. I have problem   to sort out this.

I am looking to Change Comparability Setting of Adboe Xi for Windows 8 for 600 User Through GPO. I strugle three days but no success. Please Help me 

Thanks 

A_Ramay

Group policy preventing write access to hard drive for Windows Service

August 21, 2014, 2:48 pm
$
0
0

I recently stood up several SharePoint Servers which use various domain user accounts as service accounts. Everything was going fine until the servers were moved from the staging OU to the production OU which has a server hardening GPO applied to it. Once this occurred, all of SharePoint's logging via the Tracing service broke--because this account doesn't run as Local Service, but rather one of the domain user accounts.

After examining the Application event log, I saw it filled with errors indicating the E:\Logs\ULS and E:\Logs\Usage were not accessible due to error 0x5 -- access denied.

I explicitly granted permissions to the service account to these folders, and gave Full Control perms. I then restarted the service, but the Access Denied errors persisted. I granted Full Control to the entire E: drive -- the root folder -- with inheritance, and made sure the permissions were inherited. And yet the problem persisted.

I installed a different application which can log to different drives, and it writes to the E: drive just fine when run as Local System. If I change it to one of the domain service accounts, it too produces Access Denied errors trying to write to the E: drive, regardless of the NTFS perms.

The E: drive is a hard drive, not a USB or removable drive.

I found several posts here that explain how to disable write access to USB and DVD media, but I cannot find anything how to block writing to a hard drive. The server hardening GPO contains thousands of different settings and it'll take days to comb through them all. Does anyone know of a GPO setting that can block writing to a hard drive, regardless of NTFS perms?

The servers in question are running Windows Server 2012 standard (not R2).

UPDATE: If I grant the service account the ability to log on locally (i.e. add it to the local Users group), and open a command prompt with "Run as User," I can write to the E: drive just fine. But the access denied persists when running as a service. This leads me to believe a GPO is blocking the write access to aservice user but allowing the same account when logging in as an interactiveuser.

Cannot deploy printer with Group Policy Preferences'- Event IDs 600, 601 and 4098

November 21, 2013, 6:03 pm
$
0
0

First, I want to state that I was able to deploy printers to users and computers (per user, per machine) just fine using "basic Group Policy".

*

I wanted to take a look at printer deployment with Group Policy Preferences and discovered... that this just does not work.

*

Yet it should.

*

The printer is a HP LaserJet 4200, a common model for which Windows Server 2012 has built-in, type 4 drivers.

*

The computers, all 64 bit, are as follows:

*

- Domain controller: Windows Server 2012 (DNS and DHCP also)

- Print Server: Windows Server 2012

- Client machine: Windows 7, SP1

*

Having looked at TechNet documentation, forum discussions and other blogs, I thought this would be easy to do. Yet it does not work. These are the error messages:

EventID 600


The print spooler failed to import the printer driver that was downloaded from\\SVR-004\print$\x64\PCC\ntprint.inf_amd64_33076fad6e030706.cabinto the driver store for driver Microsoft enhanced Point and Print compatibility driver. Error code= 800f0247. This can occur if there is a problem with the driver or the digital signature of the driver.

***



EventID 601

The print spooler failed to download and import the printer driver from\\SVR-004into the driver store for driver Microsoft enhanced Point and Print compatibility driver. Error code= 800f0247.

***




EventID 4098

The computer '10.0.0.18' preference item in the 'GPP-PRINT {32F99E49-5138-4A32-9956-50E8FDA2E402}' Group Policy object did not apply because it failed with error code '0x800703eb Cannot complete this function.' This error was suppressed.

*

*

*

For details on how I step up the printer, you can refer to my blog (on Google Blogger). There are also posts where, using "traditional" Group Policy, I was able to deploy printers without a problem.

*

http://davidmtechblog.blogspot.com/2013/11/windows-server-2012-print-management_21.html

*

Can anyone see what is wrong, if indeed something is wrong?

Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.


Search

Software restriction policy applied to SYSTEM account

August 22, 2014, 4:07 am
$
0
0

Windows Server 2008 SP2.

In Application event log I can see many warnings:

Access to C:\Windows\system32\DllHost.exe has been restricted by your Administrator by the default software restriction policy level.

Access to C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe has been restricted by your Administrator by the default software restriction policy level.

Both

Source: SoftwareRestrictionPolicies

Event ID: 865

User: SYSTEM

And another one warning message:

Access to C:\Windows\system32\wbem\wmiprvse.exe has been restricted by your Administrator by the default software restriction policy level.

Source: SoftwareRestrictionPolicies

Event ID: 865

User: NETWORK SERVICE

In System event log I found errors like that:

The processing of Group Policy failed. Windows could not evaluate the Windows Management Instrumentation (WMI) filter for the Group Policy object cn={06E7D6C5-6097-478C-9D56-994E9BA2D4B6},cn=policies,cn=system,DC=domain,DC=com. This could be caused by RSOP being disabled  or Windows Management Instrumentation (WMI) service being disabled, stopped, or other WMI errors. Make sure the WMI service is started and the startup type is set to automatic. New Group Policy objects or settings will not process until this event has been resolved.

Source: GroupPolicy

Event ID: 1065

User: SYSTEM

System Center Operation Manager generated alert for this server: WMI is unhealthy. How does software restriction policy prevents restricted process run under the System account.

Domain softeare restriction group policy apllies to this server and all was fine before last sunday.

Shared Audit file

August 22, 2014, 4:47 am
$
0
0

My server is 2012 r2,Group policy,I have enabled the File and Folder Auditing ,so I can see in the Events Viewer,which user delete the share file, but i am not able see any report in the even log viewer. Kindly help me in step by step procedure for doing the same.

Regards,

John Paul

Setting Default Web Browser using Preferences in Windows 2008

August 22, 2014, 3:32 am
$
0
0

Hi

our users need to use both IE8 and Google Chrome. IE 8 is necessary due to issues with clinical apps etc. 

However, we need to force IE8 as the default browser but allow users to access Google Chrome and not allow this to be set as default.

There are several posts about "Maintenance Mode" settings but these are no longer available. 

How can I achieve this?

Thanks
Albo

GPO Item-level targeting for IE11

August 21, 2014, 6:37 pm
$
0
0

Hi, hoping someone can help guide me with setting up item-level targeting on a group policy.  I have created a set of IE11 group policy settings, and only want to apply to machines with IE11.  When creating the WMI query what and how do you enter the criteria in the Query, Namespace, Property, and Environment variable name fields.  Any help is much appreciated.

Modify group policy using C++ on Windows XP

August 22, 2014, 5:21 am
$
0
0

Hi All,

How would we be able to modify group policy settings on Windows XP to prevent access to command prompt using C++?

I tried using IGroupPolicyObject interface but not succeeded.

Thanks,

Vaibhav.

Viewing all 19997 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>