Hello,
I have Security Compliance Manager 3.0 installed. I would like to import some DISA STIGs (Windows) into SCM to be applied to AD. How could I accomplish this?
TIA TP
I'm using Windows Server 2008 R2 with ADDS.
By default, normal user accounts (domain users) should not be allowed to log on to the server directly, I mean the physical server or via RDP. They should get the message:
"You cannot log on because the logon method you are using is not allowed on this computer"
I had checked the GPO, under the Computer Configuration -> Windows Setting -> Local Security Policy -> Local Policy -> User Rights Assignment -> Allow Log on Locally, here only contains:
Administrators, Account Operators, Backup Operators, Server Operators, Print Operators
And, nothing set on the Deny Logon Locally.
But, having tested that, those accounts with just Domain User Group are able to log on to the server!?
How or where should I check, to not allow normal user accounts to log on to the server directly?
Thank you.
In ADSIEDIT I have 48 GPOs
In \\tgjs.local\SYSVOL\tgjs.local\Policies folder I have 30 GPOs.
Can I delete extra GPOs in the ADSIEDIT? These extra GPOs are causing trouble in the client machines.
The processing of Group Policy failed. Windows attempted to read the file \\tgjs.local\SysVol\tgjs.local\Policies\{FECAA8AD-85EF-4B96-A13A-3A5D19B68B8D}\gpt.ini from a domain controller and was not successful.
This particular GPO does not exist in sysvol folder.
If I delete the extra GPOs in ADSI Edit is it going to make any trouble?
I am trying to assign the right to log in to a server using Remote Desktop Services via Group Policy. When I put a domain group in the assignment, the users who are in the group are getting denied. If I nest the group within the local Remote Desktop Users group, which is also part of this user rights assignment, the access is granted.
I do not want to nest this group in the remote desktop users group on all my servers, I would prefer to assign the right via the policy. Any thoughts about what might be affecting the access?
Paul
Paul Glickenhaus
Hello Guys,
How can I change the local computer password in a domain environment after the Microsoft GPO patch update, which now restricts changing of passwords using GPO?
Many Thanks
Krish
We have changed the Folder Redirection policy to move contents to a new location, and it usually works on the first computer a user logs into (normally their desktop PC). However, when they log into their second PC (normally a laptop with a cached offline copy of redirected folders), it does not connect to the new share location automatically, despite verifying the policy is applied in gpresult command output. This is on the local LAN.
If I run the Group Policy Results wizard, and check the settings, the folder redirection settings for the documents folder is not listed as configured in any way. The laptop is still trying to connect to the old share location despite gpupdate /force commands and multiple reboots.
Sometimes it eventually works and sometimes it won't unless we delete the user profile from the Windows 7 laptop and have the user log in with a newly created Windows profile.
Is there a better and reliable way to get all of the user's workstations to pick up the new redirected share location? Deleting local profiles will be drastic and labor intensive.
Hey,
I know this has been asked several times such as here and here.
I followed all the suggestions and checked for all GPOs that had IME enabled.
I removed all the gUserExtentionPOlicy settings from all affected GPOs.
Ran gpupdate /force, followed by a gpresult /user /h blah.html as an admin.
It still shows up in the results...... but shows an old processing time... How can I remove this?
Extra Info, Win 8.1 (Using RSAT, connecting to Server 2008 R2 DC's)
I have setup a GPO to use offline files to sync to our file server for our users.
I would like to only have their Documents folder for each user synced.
The path I am using is
\\Server.example.com\Profiles\%username%\Documents
Offline Files on the laptop of a user shows the profiles folder as syncing. But gpresult /h shows the path as I typed it above.
I was expecting to see
\\Server.example.com\Profiles\stephen\Documents
Looking deeper I find that the folder that is syncing is
\\Server.example.com\Profiles\
Why isn't Windows syncing the right folder? Does GPO not understand the %username% variable? Does it not care about anything after the %username%?
Anyone having similar issues or found an alternative way to sync a user's profile sub-folder?
Hello Guys,
Thanks in advance for the replies. We have a sort of issue where Gmail doesn't open through a particular ISP. For a temporary fix we are trying to write static routes for Gmail to route through an alternate ISP. The issue is we are unable to obtain all Gmail IPs to write static routes in a short time. We have a bunch of IPs which we have obtained and are sure work. Hardcoding the host entries in /etc/hosts for Gmail makes sure the traffic is routed through our desired ISP. My question is how to hardcode these changes for all users in AD.
I am sure there are lots of other methods to troubleshoot the issue, but I find this an easy temp solution till the issue is fixed. Kindly suggest.
Many Thanks
Dear All,
I need a group policy to change the time and date format for all users.
If I change the date format, click Apply, click OK and re-open, then I see the date format did not change.
GPMC\User Configuration\Preferences\Control Panel\Regional Option\new-regional option
Md. Ramin Hossain
Apologies for what might seem like a daft question but, when upgrading AD (from 2003 R2 to 2012 R2 in our case), are the default GPOs updated or are the previous settings preserved? I ask as I would quite like to start afresh and am concerned that any settings that are no longer considered 'best practice' may remain in place.
Thanks in advance for any comments :)
I'm trying to switch off OneDrive using Group Policy. However the only entry is for SkyDrive, even in the most recently released ADMX files (30th June 2014) and this doesn't work for OneDrive.
I've seen screenshots of it being in Group Policy, but don't know where people have got that from. See:
http://blogs.msdn.com/b/matt-harrington/archive/2014/04/18/how-to-disable-onedrive-file-syncing.aspx
http://www.groovypost.com/howto/hide-disable-skydrive-windows-8-1/
Does this actually exist in the current ADMX files?
Hi
I'm currently setting up a domain forest. I have a root domain, where all domain admins have their accounts and in the child domain we created a service account, that is in the domain admin group of the child domain.
Domain Forest
    Root Domain
        Domain Admins (Group)
            Admin
        Child Domain
            Domain Admins (Group)
                ServiceAdmin
I'm trying to use this WMI filter for our Windows 7 64bit machines:
select * from Win32_OperatingSystem where (Caption like "Microsoft Windows 7%") or (Version like "6.1%" and ProductType = "1" and OSArchitecture = "64 ビット") or (OSArchitecture like "64%" and ProductType ="1")
The reason there are three clauses is that we have machines in United States, Japan, and France. The first clause works for the United States, the second clause works for Japan, and the third clause SHOULD work for France, but doesn't.
I've run the query manually on the French machine using WMITest.exe (http://www.paessler.com/tools/wmitester) and it works. However, when I run a gpresult /r it shows that the GPO is denied due to the WMI filter.
Why is this happening for French computers only?
I'm running a test environment.
I am trying to install Google Chrome for the computers in my site; there are only specific computers that need to be installed with this software.
I have made a security group that contains, as members, the computers that need installation. I designed it this way so that future requests only need to be added to that security group, which is located in the Offices > El Salvador > Computers OU. The name of the GPO is "C - Install Google Chrome".
The computer domain account is already a member of the G_ElSalvador_Computers_Install_GoogleChrome, and G_ElSalvador_Computers_Install_GoogleChrome is a member of DL_ElSalvador_Computers_Install_GoogleChrome, and the following is the definition of the Assigned Software in group policy. This is a computer policy definition.
For God, and Country.
Hey,
I am searching for a possibility to prevent users from creating folders on %systemdrive% directly via group policy. (Just directly - in %systemdrive%\test, e.g., they should be able to write files, create folders, etc.)
While searching I found the information to use GPO "User Settings\Policies\Administrative Templates\Windows Components\File Explorer\Prevent users from adding files to the root of their Users Files folder".
I enabled this GPO - but after apply nothing seems to change (already checked with gpresult if GPO applies successful).
It is still possible to create folders on %systemdrive% and to create folders in %userprofile%
(Can someone explain which folders/paths this policy affects?)
I already read the detailed information, but to tell the truth this does not help to understand what it does.
Is this the right GPO for my purpose?
Thank you for help in advance
mk.maddin
Hello
I have a Server 2008 R2 (64) with Windows 7 (64) desktops. In AD I created myself a Brian user ID and logged onto the server with Brian; I was defaulting to server c:\users\Brian.
I created a local folder on c: named \Profiles and created a \Brian under that, to use \profiles\brian instead of \users\brian.
Under the default domain policy I created a mapped drive H: \profiles\%username%, and \profiles\Brian has permissions.
When I log in, I am defaulting H: to \users\brian and not \profiles\brian
I created a non-admin user account and it is using the mapped \profiles
Question: why do admin accts that log onto the server directly use \users instead of \profiles? gpupdate /force did not change it.
Thanks
b.
OK here is what I am trying to do..
Windows Server 2008 R2 Remote Desktop Services
I want to redirect all user profile folders (Desktop, Music, etc...) to a remote share \\server\share to which the share is actually only giving Read-Only rights. Except for Documents to which they can save there on the RDS Server itself.
I had the server drives (A:, B:, C:, D:) hidden so they could only save to network shares and their local computers. However, the people in the UK complain that saving to their local computers is just painfully slow (the RDS Server is in the US).
So, Now I'm only blocking the Server C: drive. I have a SUBST going on pointing B: to the user profile folders (needed for a different application anyway). I need to have the "B:\Documents" open for these guys to save to however, I want to block saving to any of the other profile folders.
What I tried to do was to set a GPO up like below:
First, is what I am trying to do even workable?
Next why can't I get it working.