Channel: Group Policy forum
Viewing all 19997 articles

Internet Explorer setting "Use a proxy server for your LAN" keeps getting unchecked


I have a server that has a patching tool on it that uses the proxy setting in Internet Explorer. For some reason the check box next to "Use a proxy server for your LAN" keeps getting unchecked. I need to find exactly what is causing this issue. There has to be a Group Policy setting forcing this to be unchecked. I know I can force it back on but I need to find the SOURCE of the problem. I checked all our GPP registry entries and I am not forcing ProxyEnable anywhere.

So I assume it is buried in some GP setting. Any ideas?




Add Windows 7 Policy


Hi Windows Server Expert,

I would like to create a group policy to be pushed down to all Windows 7 computers. My server is using Windows Server 2008 R2. However, I can only find the policy to be added for Windows XP. It seems that my Server 2008 R2 doesn't have the updated options so that I will be able to push down policy for my Windows 7 clients. Does Windows Server 2008 group policy only support up to Windows XP? Kindly see the picture below; I can see only Windows XP.

Please advise.

Thanks so much.

Regards,

Henry

Glitches in Windows 7 screensaver timeout settings


Hello all,

Cross-posting by request from the security forum (http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/5e15d5d6-b76f-4939-aa9d-feb4c3f1a009?prof=required). 

I have a problem similar to the later posts in http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/3cf199a1-5f4b-4045-8394-d64e44a741a2/, but that question was marked as answered and I'm not sure anyone's looking at it.  I have found screensaver/locking settings in Win7 to be a bit glitchy, and I was hoping to get feedback on whether this was a known problem. 

My environment contains XP and Win7 workstations in a domain at 2003 functional level (there is a mix of 2003 and 2008 R2 DCs). I am trying to set a 15 minute screensaver-and-lock-workstation timeout, so I created a GPO and set "Enable screen saver", "Password protect the screen saver", and "Screen saver timeout" (900 seconds). I didn't force a specific screen saver. The policy is linked to the user OU and filtered to the correct test users, and the appropriate screensaver settings show up as disabled on the clients once the policy is applied, but the Win7 computers seem to remember the settings they had before. For instance, I set my screensaver to apply after 1 minute, then I added myself to the policy and ran gpupdate /force. I saw the value in the "Wait X minutes" box in the screen saver dialog was now 15 (and disabled, so I couldn't change it in the UI), but my machine still locks after one minute. I think the policy works as expected on XP, but I haven't been able to verify that yet. Forcing a specific screen saver doesn't seem to make a difference.

Can anyone shed light on why the Win7 screensaver settings aren't behaving themselves?  Is it a problem with the GPO or with Win7?  I would appreciate any input.  And sorry if this is considered a double post; I just wanted to make sure someone saw it as a different problem, since the marked solution in the other thread is irrelevant for me.

"Pin Apps to Start when installed" - without reinstalling the application?


Hello,

I'm going to install an environment with Win2K12R2-Terminalservers and want to define a default start menu. One possibility would be using the "Start Screen Layout"-Group Policy, but this one locks down any further customization which is needed. Is it possible to use that GP and make it still customizable?

Another way could be using the "Pin Apps to Start when installed"-GP. The problem here is that you have to install an application, get its APP-ID, include that one in that GP and reinstall that app to get it pinned. Why is that? Is there any way you can get an application pinned which is already installed?

Thanks in advance,

Best regards.


Having problem with Group Policy


When I start Group Policy Management on the Domain Controller I get an error message (The system cannot find the path specified).
When I click OK it starts the MMC.
When I try to edit the Default Domain Policy I get an error (Failed to open the Group Policy Object. You may not have appropriate rights).
When I go to the browser and type \\xxxxx.local\sysvol\
I see a file that is called xxxxx.local; it is not a shortcut, it is just a LOCAL File.
When I go to \\the domain controller \SYSVOL I see the same thing.
However, if I go to the DC, I can go to c:\windows\sysvol\
I see 4 folders (1. Domain, 2. Staging, 3. Staging area, 4. sysvol),
and yes, if I expand sysvol I see the same local file again.

From Domain Controller

Log Name:      Application
Source:        Microsoft-Windows-CertificationAuthority
Date:          10/11/2014 7:33:18 PM
Event ID:      77
Task Category: None
Level:         Warning
Keywords:      Classic
User:          SYSTEM
Computer:      SERVER.xxxxx.local
Description:
The "Windows default" Policy Module logged the following warning: The Active Directory connection to SERVER.xxxxx.local has been reestablished to SERVER.xxxxx.local.

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          10/13/2014 9:46:28 AM
Event ID:      1058

User:          SYSTEM
Computer:      SERVER.xxxxx.local
Description:
The processing of Group Policy failed. Windows attempted to read the file \\xxxxx.local\sysvol\xxxxx.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

From the Workstation

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          10/13/2014 10:25:12 AM
Event ID:      1058
Task Category: None
Level:         Error
Keywords:     
User:          SYSTEM
Computer:      Auditors0063.xxxxx.local
Description:
The processing of Group Policy failed. Windows attempted to read the file \\xxxxx.local\sysvol\xxxxx.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

Log Name:      System
Source:        NETLOGON
Date:          10/13/2014 10:24:09 AM
Event ID:      5719
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Auditors0063.xxxxx.local
Description:
This computer was not able to set up a secure session with a domain controller in domain xxxxx due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. 

I cannot find any resolutions. Any help is appreciated.

Freddie

Removing Shortcuts via GPP - How to?


Hello guys,

I'm currently working on a solution for creating and deleting shortcuts via GPP.
I - for example - have got a GPP which creates a shortcut to "cmd" and it's configured to only work if the user is in the group of "domain-admins". The GPP is configured with "replace". When I'm now logging in with a user that is a member of that group, the shortcut is created.

Then, when the user is deleted from that group, I want that shortcut to be deleted when he's logging on the next time - which is not working.

I've tried the following steps:

- "checking" that setting which says "remove this item when it's no longer applied"
- Creating another GPP, which is the same as above but with "delete" and applies to all users who are not members of "domain-admins"
- running it under different user contexts

Anybody got an idea for me?

Thanks in advance and best regards

GoProo

/e:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/e1c35b52-3bf6-4e2e-806c-4fe83e89c520/remove-shortcut-with-gpp?forum=winserverGP

This didn't help.

Folder Redirection - Move Share


Hi

I created a GPO for Folder Redirection to store data in share1.

  • Basic - Redirect to same location
  • Move Contents to new location (checked)
  • Redirect folder back to original location when policy is removed (checked)

I left Offline Files settings alone i.e. no additional configuration as these are enabled by default.

I had to move the share location to a new disk so I simply changed the path within the GPO. Some users logged on and started populating the new share (share2), some didn't. I then realised I had to change the location again so I did the same change in the GPO (share3).

Is there a possibility that, if I made the second change too soon, I will lose data, i.e. I made it before full syncs to share2 occurred? I have left all shares intact. Will this finally resolve after a few logoff/logons?

My worry is that User1 has data now sitting in share1, and a subset of this in share2...but nothing in share3. However, I can see that in the last logon the folder structure has been created in share3 and all subfolders exist for each user, just no data.

1.  Will this resolve itself?

2. If files are removed or missing from the shares - will this act like a file deletion (and overwrite the local offline files)?


Software installation on domain users by gpo

Hi, I know we can install software by gpo>users>software

but I need to install Kaspersky net agent. You know, when you are installing it, it asks for an IP and it needs configuration.

In the other case, how can I create an MSI package with customized configuration?

Thanks

gpp for printers based on site/location


Hello,

I need to push down printers to my users.

Is it possible to give them printers based on their IP address?

Most of my users travel from office to office, so depending on their IP, give them the printer in that office, while removing the printer from the previous office?

Thank you


Could I use item-level targeting?

Advanced Audit Policy For Admin User


Hi,

I need a GPO/policy that can audit the admin user and who installs/uninstalls software, and can give an auditing report.


Md. Ramin Hossain

Applocker and the Windows Installer Cache


We have an Outlook 2013 Plugin (VSTO) we are trying to silent install to desktop users.  We have created an Applocker Rule for the installer's .msi file.  We allow any software by this publisher to be installed.

During the install, a second .msi file is being generated by the first and is trying to save to the C:\Windows\Installer directory.  The second .msi file's name is randomly generated per user, and the file is not signed.  

How do I create a rule that will allow the second .msi file to write to the Windows Installer Cache without prompting the user for an Administrator name and password?

Thanks!

Manage local admin accounts on workstations via GP


Hi,

I want to create a new local user account called localadmin on all of our user machines which is in the local administrators group and also disable the built-in administrator account. I've read a few bits on doing this via GP but it seems more tricky than it should be.

I can add a local user via GP preferences but do I select Update or Create? Also, how can I put it in the local admins group? I read something about doing it via Restricted Groups but can't see how I can add that newly created local user account 'localadmin' as I'm on the DC. Would I have to actually run RSAT from a Windows 7 machine with that local account on it?

I've used these guides:

http://www.dannyeckes.com/create-local-administrator-security-group-gpo/

http://www.dannyeckes.com/create-local-admin-group-policy-gpo/

Is there a more straightforward way?

Thanks,

Andrew

Can AGPM manage WMI Filters a GPO uses?


Hello,

Can Advanced Group Policy Management (AGPM) control/manage WMI filters a GPO uses?  In other words, is/can a WMI filter be brought under AGPM control for 'Change Management' in the same way a GPO is brought under AGPM control for 'Change Management'?  Thanks in advance.


Thanks for your help! SdeDot

Messed up permissions, cannot manage GPO


I am working on deploying a piece of software via GPO and was creating a test GPO to deploy it to only a test box to ensure everything had been packaged right and that it would install the right way (this is my first time deploying software via GPO). In doing so I boneheadedly changed the permissions on the GPO and removed every group except a user account for the test box. I also, for some reason I still cannot fathom as I know better, gave this account only Read, List, and Apply permissions for the GPO. Needless to say I now cannot manage the GPO at all. The only way to see it is with the user account elevated to an admin account, and even then I cannot modify or delete the GPO as that account does not have those permissions.

I did a lot of research and tried everything I could think of, even worked with dsacls for over an hour with everything coming back as denied. 

Is this a problem others have run into, and if so were you able to fix it and how? This really is not a huge problem at this point for me as we are going to replace our AD structure in about a month anyways with a new DC and all new accounts and GPOs, so worst case there is this hidden GPO that no longer does anything that no one can see stuck on our DC for another month or so. Any help is much appreciated 


Cannot backup GPO from 2012, 2012 R2 using either GPMC or Powershell


Hello everybody,

I have a very strange error regarding backing-up my GPOs. I can backup my GPOs using WIN 7 SP1, Windows 2008 R2 Standard and powershell version 2 and 3. I successfully backed up my GPOs using powershell and the GPMC console.

The problem I have is that it does not work with 2012 and 2012 R2. I don't know yet if it is related to 2012 or if it is just a coincidence but none of the two methods worked (powershell / GPMC).

Here are the errors I got:

Backup-GPO : Object reference not set to an instance of an object.
At line:1 char:1
+ Backup-GPO -Name "MyGPO" -Path "myBackupDirectory"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Backup-GPO], NullReferenceException
    + FullyQualifiedErrorId : System.NullReferenceException,Microsoft.GroupPolicy.Commands.BackupGpoCommand

or

Backup of GPO failed. Error [Invalid pointer].
 Details -
     Source GPO:
          DisplayName: myGPO
          ID: {xxxxx}
          Domain: myDomain.me

      Backup:
         Directory: myBackupDirectory
         Instance : {xxxxxx}
         Comment  :

 

Thanks everybody!



Creating a GPP for IE 10 Internet Settings disables cookies


I was learning how to configure Internet Explorer 10 with Group Policy via Windows 8 and learned that I needed to now use Group Policy Preferences instead of Internet Explorer Maintenance.

I made a GPP object for IE 10 Internet Settings and first noticed that Privacy Settings for cookies was all grayed out. I first ignored it, then began to notice issues opening pages. I thought they were JavaScript issues but they weren't. After digging through the registry I noticed that somehow the grayed-out cookies GPP was setting the cookies Security Zone to "Block All Cookies."

How do I relax the cookie security zone setting?  I cannot delete the IE 10 GPP as I need it to set the proxy server.

Trusted Sites Not appearing in Windows 7 & IE10

We have a GPO set up to configure IE10. This has been working great until recently (we can't find what has changed to cause this). When checking IE10 Internet Security settings the trusted sites list is now empty. It used to be there. We have done some investigation work and this only happens to users creating a new local profile on a workstation. So users with existing profiles do not experience this issue. The GPO is being applied - we have run RSOP and all looks good from that. We would be very grateful for any help.

GPO Setting Win 7

Is it possible to have SCCM control all update functions and not allow users to have the option to check for updates using Microsoft?  Thanks. I disabled "Configure Automatic Updates" in GPO and applied it to my Windows 7 machine and I still see the option to apply updates via Windows Update.  Is this the correct setting?

Item-level targeting failing intermittently


We have an OU with a GPP that pushes autologon keys for our KIOSKS. The GPP works by initially logging in with a kiosk user account that matches the name of the computer account and then the GPP sets the autologon keys and after a reboot or logoff the machine auto-logs on after that. It has worked great for many months.

Since we recently increased our password security, we could no longer use the shorter password for new kiosks without a painful work-around for our end-user support group.

To make things easy, we added an additional GPP reg key for defaultpassword and utilized "Item-Level Targeting" within the existing GPO/GPP (see images below).

Last week we tested this change successfully by adding a new kiosk and rebooting both new and existing PCs. All existing kiosk accounts were members of the PasswordComplexityDisabled group. This group is our Fine-grained password policy that permits legacy complexity and password length.

On Monday we got flooded with calls that the autologon wasn't working. I reverted the item-level targeting entries and put the GPO back to its original state and the calls subsided. Before doing so however, when we investigated problem machines, the strange thing we noticed was that we could log in with the original shorter password if we supplied it manually and after that autologon worked fine. We also checked that the account in question was a member of the passwordcomplexitydisabled group. We are at a loss as to why the key seems to have been blanked or set with the wrong key even though the account was a member of the correct group and the ILT logic was correct. Any ideas?


David W King
