Channel: Group Policy forum
Viewing all 19997 articles

Roaming Profile is roaming AppData\Local and AppData\LocalLow including Outlook OST file


Hi everyone.

Well my problem with Roaming Profiles here is the AppData\Local and AppData\LocalLow directories are roaming when I believe they should not. I see these folders are kept from roaming by default within the policy. I am concerned because within the Local directory are the OST files. Some are large and I do not want them to roam. I can trick the workstation and configure Outlook to Online mode only and that works but what about all the other directories within Local and LocalLow?

I suspect since we had XP previous to 7, the old folder structure may still be in effect somewhere but am not certain. Others I’ve spoken with have seen this behavior but I have not seen a solution quite yet.

This post (http://social.technet.microsoft.com/Forums/windowsserver/en-US/1c618a22-b48a-43ca-81cc-64836c058207/appdatalocal-and-locallow-following-roaming-profile?forum=winserverGP) is close to my problem but the reason it does not help me is I have created new test users that have never had Windows XP and started out as new Win7 images. I placed the new users in a particular OU and applied a new folder redirection policy to that OU. There is still a Default Domain Policy in effect for the entire forest but there is nothing in there (that I can see) redirecting any folders. The new policy I linked to the new OU redirects a few folders (music, pictures, desktop) to c:\temp so those do not roam. Everything works fine except the AppData\local and AppData\LocalLow directories are roaming. The registry entry referenced in the above post shows everything to be fine, yet the AppData\local and AppData\LocalLow directories still roam.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and under ExcludeProfileDirs, type REG_SZ, the value is AppData\Local;AppData\LocalLow;$Recycle.Bin

So now I am stuck. I will scour the Default Domain Policy again but quite frankly, there isn't much in there. Anyone have any other suggestions as to what to look for in this case?

Thanks!




GPO Map Network Drives - Not applied in Windows XP


Hi guys,

I've been looking for help with this question; could someone point me in the right direction?
I have a Server running Server 2008, and a Client running XP.

In my GPO I have a Mapped Network Drive to the public folder, but when a user logs into the XP Client the Network Map doesn't apply or connect on the client, but the Drive Map applies to all Vista and Win 7 machines.

Can someone help?

 

How to safely remove Administrators from Restricted Groups?


I would appreciate if I can have assistance, I modified Default Domain Policy yesterday and accidentally added "BUILTIN\Administrators" into Restricted Groups.
# I was following below articles, I did not mean to make a change, but I guess I did it...  :-(

- Restricted Groups Policy Settings
  http://technet.microsoft.com/en-us/library/cc756802(v=ws.10).aspx

Due to this change, all servers are not accessible with admin user account which we normally use for IT maintenance.

Fortunately, I still have a session with our primary domain controller from yesterday. I tried to erase Administrators from the folder, but I got the error message below and was not successful in removing the setting...

---
Access is denied.
Failed to save
\\Domain.name\sysvol\Domain.name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf. Make sure that you have the right permissions to this object.
---

Can anyone share some insight so that I can safely remove "BUILTIN\Administrators" from Default Domain Policy?  It is a bit critical since we don't have any access to servers at this moment...

Many thanks in advance,




How are certs encoded in xml backup files?


I need to dynamically build a GP in a script due to not knowing ahead of time the certs that need to be included.  I do not see a programmatic way to do this but am going to try by editing the XML in a backup of a sample policy.  How are the certificates encoded in these backups?  Below is the one I added through the UI as a test.


Clipboard redirection gpo server 2012r2


Hi,

I am in the process of testing Server 2012 in our domain.

And I got a small issue with the clipboard redirection computer GPO.

We currently allow copy/paste via RDP for some servers.

Everything is working fine for Server 2008 R2, forest level 2008 R2, all with all 2012 templates up to date.

This GPO setting has been working for years without a hitch under 2008 R2.

But I cannot get it to work under Server 2012 or 2012 R2.

My gpresult, rsop, and regkey settings show the proper setting on my Server 2012 test server, properly applied.

All my other TS configs are looking fine. Even my TS clipboard monitor is running fine.

But my copy/paste, either in or out of the server, is always grayed out.

Does anyone have a hint how I can debug this?

I have reset the user profile; even a new account got this issue.

I am talking about

Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection

Do not allow Clipboard redirection set to  -> Disabled

Drive Mapping via GPO; Not All Drives are Mapping

So I have various department drives mapped for convenience under our Public Drive. In that mapping, I have various shares set out with Item-Level Targeting. All the drives follow the format of \\SERVER\Public\DEPTNAME. I have created specific Security Groups for each one of these so that the right people get the right drive mapped. Included in this is a general all user mapping for the Public root and then each user's home drive. For some users all drives map perfectly. Others are seeing the Home and Public but not the department specific. I am unsure what the variables are that are causing a different result for the same formula. All OUs show that the GPO has been inherited properly.

Deploy Cisco VPN Client Software with PCF


Hi All,

How do I install the VPN client software for two factor authentication setup? I need Web Certificate to install and add the PCF?

AS

 

How to change Remote Assistance port number


Hi,

I would like to change the port number of Remote Assistance from Group Policy. How can I change it from the GPO?



Automatic Windows Update via Group Policy in Windows 8


Hi,

I have created a new GPO to place some settings on the Automatic Update to all my client PCs. The settings applied as the image I uploaded below. The problem is that this GPO was successfully applied to all my Windows 7 machines but not Windows 8.1 machines. Is there anything that I missed or I should know about Windows 8.1 automatic update configuration via Group Policy? I've tried to google but can't find any guidance that relates. I'm not using WSUS. Appreciate any advice. Thanks.


Cheers, Sparcx [MCTS,MCITP-EA]

Proxy settings moved from User to Machine not removing user settings.


Hi All,

I have recently moved our company's proxy settings from User based to Machine based as we were having issues after moving from an internal proxy to a hosted external proxy.  What we found was after turning off the internal some users were no longer getting external internet. 

After some investigation we found they were still getting old proxy settings on login and after a GPupdate.exe or normal gpupdate from the server the correct settings would apply. (happened to users logging on for the 1st time) To prevent this from happening I moved the proxy settings to the Computer GPO and it all appeared to work in the test GPO and in live.  But a few days later we got some calls logged to our help desk stating they don't get external internet.  After some more investigation we found that they are still getting the user policy applied to them even though it has all been removed from the User GPO. 

I found if I remove the proxy settings it doesn't always apply to users but if I add info in it always updates to the user.  What can be causing this?  Some of these users have local admin rights and I thought at first it might be something they did but now we are getting non admin users with these issues.

We are using IE 10 and have set the original Proxy settings using the GUI internet control panel and are now applying the proxy settings via Registry updates in the Computer GPO and enabled "Make Proxy settings per-machine" object.  Our SOE is Win 7 ent x64 with IE 10 (1500 units) and Win 8.1 ent x64 IE11 (100 units) And some XP SP3 that are in the process of migrating to Win7.

Any help on this would be much appreciated.

Cheers,

Nat

Disabling 8.3 filename creation doesn't update registry


I have a query around disabling 8.3 filename creation via group policy in a Windows Server 2008 R2 environment. I have made the changes in group policy, and when I check status via fsutil I can see that 8.3 filename creation is disabled with a status of '1' (disabled on all volumes - the setting I require), however the registry keys have a status '2' (enabled on a per volume basis).

Is there a reason why the registry is out of sync with the results of fsutil? I need the two to match up as we have compliance scans that check registry keys for settings in our environment, and on the below result in the registry we'll be marked as non compliant with the agreed settings that should be in place.

Thanks for any help.

Manage map drive GPO clearly


I would like to setup GPO to map drives instead of kixtart login script.

In login script, it had command to map many different drive mapping for all department.
e.g. Account, Shipping, Marketing, Engineering ...etc.
Each department will map several drive based on their requirements in ONE login script. It can be read easily in this file.

To achieve the above task in GPO, I can map drives based on Item-level targeting for different group membership.

But how should I manage the GPO clearly? Create a GPO for each department? Then there will be many GPO_DeptName_MapDrive GPOs there, right?

Or can I create one GPO and put all the drive mappings needed there?

Many thanks.

Email address idea for Infrateam - Network/Server team


Hello Guys,

Due to lack of creativeness, I am requesting you guys to suggest internal email address for my infra team. Already ops@domain.com, noc@domain.com and infra@domain.com are used in our company. Any ideas much appreciated.

Many Thanks

AGPM and policy security/filtering


I'm having a problem figuring out how you change security filtering & WMI filtering under the 'Scope' tab and edit groups/users on the 'Delegation' tab on a controlled policy in AGPM.

All the options are greyed out in GPMC for controlled policies, but not on uncontrolled.

I've tried checking the policy out, but those properties still remain unchangeable.

Is there a special way to change these properties on an AGPM controlled policy? Or is it not possible?

Group Policy Windows 7 from 64-bit down to 32-bit


I am completely unfamiliar with Group Policy -  I have a Powershell script I've written that "builds" a completed image on Windows 7 64-bit PC w/Service Pack 1 and just the "Administrator" account to a completed PC image with other user accounts, applications, settings, printers, et al.  Part of that script is to apply Group Policy, which was just handed to me by someone else to add to my Powershell script and I was given a couple commands to make it run/apply.  To do so, I'm simply changing to the \Support\LocalGroupPolicyObject and then running the command:

UpdateLGPO.exe GroupPolicyUsersMaster

within my Powershell script.  Now I'm having to switch to a Windows 7 32-bit PC and when that command tries to run, I get a message that it will not work on the 32-bit PC. 

Is what I need to have the UpdateLGPO.exe re-compiled for 32-bit?  Or does everything need to be scrapped and re-done completely in 32-bit?



terminal services access and restricted groups

Can you guys help me out.
Win 2k3 AD, using Vista GPMC to manage. Using Windows 2K3 Server with terminal services as well as enable RDP to XP workstations and Domain Controllers.

Previously we had no issues with remote desktop connectivity with the following setup and could connect to all above Computers/servers including DC:
1) Manually added Domain Admins and a specific security group (bosses) the ability to log on to XP workstations (under computer-properties-remote-enable remote desktop connections).
2)Created Security Group(remote TS users) and added to remote desktop users group to enable RDP to Win 2k3 hosting terminal services.
 
Last week I decided to try Group Policy restricted groups.
I added the group administrators, then added as members- Domain Admins and the specific security group(bosses).

We then could not remote desktop to any computer, receiving the error:
"To log on to the remote computer you must be granted the allow log on through Terminal services right, by default bla bla"

I initially tried adding the Domain Admins and security group (bosses) to this privilege in GP-Computer Configuration-Policies-Windows Settings-Security Settings-Local Policies-User Rights.

That did not help, even after reboots and multiple gpupdate /force commands.

I then added the remote TS users group that was previously added to the remote desktop users group (that also worked before).
Still received the error and could not connect.

So I removed the policies and we still couldn't connect.
I reapplied the settings (restricted groups and allow to log on through terminal services), then removed each group individually, then removed the settings.

Seems the trick is not just changing the policy from enabled to not defined, you have to remove the users/groups then change the setting to not defined.

Now we are mostly back to the original config (manual at each workstation) and we can connect to the XP workstation and the Win 2K3 server hosting Terminal Services. 
-But we still cannot connect to any Domain Controllers 2K3 servers thru remote desktop.

I've checked the Computer properties-Remote-allow remote desktop-and made sure the Domain admins group is added locally.

I'm leery about trying the restricted groups and/or Allow log on through terminal services options again.  Is there something else I am missing???
I always thought that local admins were always allowed (granted) the right to connect thru remote desktop by default, and if Domain Admins group is added to the local Administrators group then that right would be enabled???

1) Did I do something wrong?
2) Adding users or groups to the restricted groups under administrators does not allow RDP functionality?
3) Does having the same groups in 'restricted groups (as local admins)' and 'allow to connect thru terminal services' contradict each other?
4) Any suggestions to return the ability to RDP into Domain Controllers?

Thanks and sorry this is so long,
Tom

The security database on the server does not have a computer account for this workstation trust relationship


I am facing this problem on a routine basis; need your help.


Rajesh Khabar

Users can delete GPO deployed printers


Hello,

I have a problem with a GPO deployed printer per-user using the print services "deploy via GPO".

Printers are available for users, that's all right. But users can remove printers in some cases (I still can't exactly reproduce this) and this affects other users logged on to the same machine. One user removes a printer and another can't print. Is it normal behavior or have I missed something?

P.S. In Security tab users can only Print.

P.S.S Client and server on Windows Server 2012 R2


Offline Files UNC Path Variable issue


I have setup a GPO to use offline files to sync to our file server for our users.

I would like to only have their Documents folder for each user synced.

The path I am using is 

\\Server.example.com\Profiles\%username%\Documents

Offline files on the laptop of a user shows the profiles folder as syncing. But gpresult /h shows the path as I typed it above.

I was expecting to see

\\Server.example.com\Profiles\stephen\Documents

Looking deeper I find that the folder that is syncing is 

\\Server.example.com\Profiles\

Why isn't Windows syncing the right folder? Does GPO not understand the %username% variable? Does it not care about anything after the %username%?

Anyone having similar issues or found an alternative way to sync a user's profile sub-folder?

Domain advanced audit policy not taking effect on DC.


Hi.

I'm having a strange problem getting an advanced audit policy to take effect on one of my domain controllers, we'll call it DC1. I have two DCs on this network, and both are in the same OU, however they behave wildly differently with the same policy.

For example, on DC1 when I run group policy results wizard from GPMC, I can see the local policy/audit policy settings, but no settings for advanced audit configuration are shown. However, if I log into DC1 itself and look at local security policy, it shows settings in both areas.

No matter what changes I made to either area in the domain policy nothing would change in the local security policy on the system when refreshing group policy on the DC. It was as if it were stuck somehow. If I used the auditpol /get /category:* command it showed default audit settings, and that's it.

I figured I would try to clear them and set them manually, and so I did an auditpol /clear, and now it says No Auditing for all categories. In addition to this, I did a gpupdate /force and it still said no auditing in all categories after displaying them with auditpol /get /category:*. On DC2 which is in the same OU, when running the group policy result wizard, it shows both advanced audit and basic auditing settings being applied.

If I look in the local security policy it shows no auditing for all basic audit settings, and all the advanced audit settings as being set. Which should be the case when Audit: force audit policy subcategory settings is set (which it is). However, unlike DC1, instead of showing No auditing, it shows all of the advanced audit configuration settings when I type auditpol /get /category:* at the command prompt, and its gpresults look good. I even cleared the audit policy off of DC2, and got it to show "no auditing" before doing a gpupdate, and all its settings came back. Not so with DC1. DC1 seems to apply all other group policy settings without issue.


