Channel: Group Policy forum
Viewing all 19997 articles

UAC is stopping an .EXE running....


I have the following GPO settings.  computer config\windows settings\security settings\local policies\security options

User Account Control: Detect application installations and prompt for elevation: Disabled

User Account Control: Only elevate UIAccess applications that are installed in secure locations: Disabled

User Account Control: Turn on Admin Approval Mode: Disabled

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: Define=Yes.  Elevate without prompting.

So when anyone logs into any Windows 7 workstation and you type in UAC it is set to this.

Also in our GPO under USERS we run an .EXE.   user config\windows settings\scripts (logon/logoff)  

When anyone with admin rights logs into a machine the called .EXE runs.  But if a standard domain user logs in then they are prompted with a UAC window asking them if they want to run this .EXE.    Why?  If we have UAC turned off, why would it prompt them and how do you make it go away?


mqh7



Password Policy - Mixed servers 2003 and 2008


I Need help!!!!

So this is my situation. I'm trying to enforce a Company Wide Password Policy via GPO but running into problems. We have no current Password Policy in place (This is the only one). I'm attempting to use the default global policy in Server 2008 and I'm testing the GPO on a specific security group, but it does not seem to work. It will prompt to change the password, but the other requirements aren't being enforced.

This is what I'm trying to enforce.

Expire after: 90 days

Complexity: Enabled

Can't reuse last: 12 passwords

Lockout time: 15 minutes

Lock out after: 5 attempts

Minimum of: 8 characters

Infrastructure: We have a mix of 2003 and 2008 servers. I'm using our 2008 server to enforce the GPO.

Once I apply the GPO to a specific security group, it will prompt to change the password for the users in that group, but will not enforce all the other policies. This is a major project and we can't deploy this policy all at once (Helpdesk wouldn't be able to handle the call volume) so we decided to deploy it by departments/Security groups.

We also tried using a fine-grained password policy but just like the GPO, it was only enforcing the password change aspect and not the other requirements like a minimum of 8 characters. Can anyone help!!!!

security filter wrongly denying computer


Hello,

I am having a problem with security filtering with group policy wrongly denying a computer. I have a GPO attached to the same OU as the computer in question and set with "authenticated users" in the security filtering and yet when I run "gpreport /r /scope:computer" the GPO in question is listed under the GPOs that were filtered out with a "Filtering: denied (security)" as the reason.

I have confirmed that there are no groups/users/computers that are denied on the delegation tab. I have confirmed, through gpreport, that the computer is part of the authenticated users group. I even tried adding the problem computer explicitly to the security filtering box on the GPO.

I am at a loss as everything that I am finding online only talks about checking the security filtering and the delegation. Any help on this would be greatly appreciated. Thank you.

GPP - Missing Mapped Drives


Domain Functional Level: Windows Server 2003

Domain Controllers: Windows Server 2012 R2

Workstations: Windows 7 PRO, x86

I'm mapping network shares for my users using GPP, running under User Logon, and Item Level Targeting.  The missing network drives are Windows Server 2003 R2 SP2 file servers.  The network drives that DO map are Windows Server 2012 R2 file servers.  When I log in as a test user (copied from an offending user), I can browse to the 2003 shares via UNC, and I am capable of manually mapping the drives as well.  However, when I log off and log back in, the drives are missing again for the 2003 shares.  Furthermore, I'm mapping users' home folders via the Profile tab in their user accounts, and that's going to the same 2003 share as well.  That isn't mapping either.

I believe that it was working fine last week, but then SOMETHING must have changed.  I'm unsure of what though.   Perhaps someone can shed some light into this?

Roaming Profiles hiding desktop shortcuts from programs that are not installed on PC


Hi Technet, 

I am in the middle of a GPO review and I am making a few changes to the roaming profile policy on my network. It is currently working but I have come across an issue that I am unsure how to correct. I am trying to hide desktop shortcuts that are not installed on the end user's PC while roaming profiles is enabled.

Let me explain further

Let’s say I have two PCs but with different programs installed (as an example, one PC has Adobe Photoshop and one does not). I want the end user to be able to log into both PCs and only see desktop shortcuts that match the software which is installed on that PC, but while using a roaming profile. Currently, when the user logs into the PC that doesn’t have Adobe Photoshop installed, they are presented with a blank desktop icon as the roaming profile has cached this icon from the first PC. Is there a way to hide program icons that do not exist on another PC while still using roaming profiles?

Any assistance would be most appreciated. 

Thanks Nick 

Advanced Audit Policy For Admin User


Hi,

I need a GPO/policy that can audit admin users and who installs/uninstalls software, and can give an auditing report.


Md. Ramin Hossain

can I deploy 2 computer GPO for 2 different Security Groups to the same machine?


Hi

This is my scenario:

I have 2 different security groups (in a domain) and I would like to deploy 2 different Computer GPOs depending on the user's SG membership.

This is a terminal server (2k12) and I would like to have the computer GPO policy/admin template/windows components/remote desktop session host/profile different for each security group.

Thanks

Marco

Desktop Icon Picture size and format limit


I'm pushing out a group policy to desktop but would like to know icon size limits and also what are acceptable formats. Currently using a 12k jpg icon that points to a URL and testing but don't get the picture.

Setting is located:

User configuration\preferences\windows settings\shortcuts\Icon file path


How to best move Users home directories, and therefore redirected folders, to new server


We currently have users using offline files with their redirected home directories, and we also redirect their Documents and Desktop to %HOMESHARE%%HOMEPATH% and %HOMESHARE%%HOMEPATH%Desktop via GPO.  We also have "Move the contents of Documents to the new location" Enabled.



We need to migrate users off their current server to a new server.  We did a robocopy of the user folders to the new server into the path we're moving them to. 

So now do we just need to change their home directory path in the AD account and everything should work fine?  Will that "Move the contents..." setting cause a long delay the first time they log on after they move?  Will offline files throw an error on every file since it will have offline copies of the files from the old server but they will now be pointed to the new server?

Anyone have any tips in general?

logon screen


Hello guys, I am using Windows Server 2008 R2 AD. How could I set the logon screens on my AD PCs so that they show the AD user and the local Admin user, and always stay the same screen after log off? On the logon screen now I can see only the AD user; when I switch user to local I must write local-pc\Admin. It is very uncomfortable switching between users.

Thanks,

Darius

 

Editing Group Policy Preferences - Apply Once and do not reapply


I am confused a little bit here and I am hoping someone can help clear this up --

I have a GPO configured with approx 15 scheduled tasks as GPP items. All of these scheduled tasks are configured with an action of Replace.  This is because, initially, I had the "Remove this item when it no longer applies" option ticked, which forced my action to be Replace.

What I noticed about this (or it seemed this way) was that, because these GPPs were scoped to a user, if you rebooted the machine and re-logged in as this user, the tasks would get re-created.  As a result, in the Windows XP task window, it looked as if they had never run before.  This makes sense, because, assuming you reboot daily, every day you would start fresh.

This created a sort of confusion for our help desk, so I unchecked the "remove this item when it no longer applies" checkbox and checked the "Apply once and do not reapply". 

Now, this morning, I found a mistake with one of the tasks - I had the start in path set incorrectly.  I would like to modify this information in the task - so I modified this individual GPP, went to the client machine, ran a gpupdate /force, rebooted the machine and logged in expecting to see the change and I did not. 

Is this because of the "apply once and do not reapply"?  Also - if GPPs refresh themselves every 90 minutes and I don't have this apply once checkbox checked, will this revert me back to looking like the task has never run after every refresh??

Thanks in advance

sb

Word default font without normal.dot


Hey,

I try to set Microsoft Office Word 2010 X86 default font via group policy.
(So when I open word the new document opens with default font e.g. Arial and font size 11)
Currently we are doing this through 'normal.dot' file, which is copied at every logon to the path %AppData%\Microsoft\Normal.dot .
Unfortunately Normal.dot changes more than just these two settings and some users need to be able to customize some other things stored in normal.dot through their logoff/logons.

How can the default font and font size be set via group policy without using the 'normal.dot'?
I already had a look at the Microsoft Office 2010 adm/admx files but I was not able to find any setting like these.

Thank you for support.

printer Item level targeting via printer preferences


I am trying to do item level targeting via printer preferences. I have tried numerous ways numerous times and cannot get this to work. I currently have 120 printers I am trying to assign via terminal server client ip range, workstation IP range , for different sites, and also group permissions to those printers.

For one printer I have the following setting (all the other printers follow this example depending on location and user):

this collection is true

the terminal session is Remote Desktop Services with Client TCP/IP address between 10.4.1.1 and 10.4.1.254

Or the IP address range is 10.4.1.1 - 10.41.254

AND the user is a member of the security group SKIN\grpMIllennium

OR the user is a member of the security group SKIN\grpPrtSDCPerReceipt

However when I test this I am connecting from a 10.2.2.203 address but yet still get this printer. How can I limit this to only those IP addresses?

Get-GPResultantSetofPolicy - Filtering


I need the RSOP result only for specific settings such as those below. Is there any way to filter it using Get-GPResultantSetofPolicy or any other way?

User Configuration \Administrative Templates \System \ Ctrl+Alt+Del Option  -Remove Task Manager - Enabled/Disabled/Not Configured 

User Configuration \Administrative Templates \Windows Component \Windows Explorer -Remove the Folder Options menu item from the Tools menu -Enabled/Disabled/Not Configured 

IE 10 Preferences Behavior


So I am working on converting some IE Maintenance policies to IE 10 GPP to support Windows 7 and Windows 8.1 clients with IE 10 and 11.

I understand that I need to use preferences but am a bit confused about how the application of these preferences work. For instance, when I create a new IE 10 preference item all of the settings for IE are included in that one item, but only the settings I have manually configured are actually applied. Any other settings seem to follow what the user has configured.

The problem is that in the interface there is no visual indicator to tell you which settings you have configured and which are defaults. Also, once I have configured a particular setting, there is no way to 'un-configure' it. I can change it to a different setting but can't reverse it to allow the user to take precedence over the GPP.

Is what I am observing accurate? Is there any guidance on how to configure these GPP items? Thanks!


Administrative template GPO setting refresh reapply interval.


I have deployed a GPO with an administrative template to block USB Pen Drives by changing the following registry value to ( 4 ).

HKEY_Local_machine\System\CurrentControlSet\Services\USBSTOR

If someone who has administrative rights changes this to ( 3 ) manually, will it remain ( 3 ) until a manual gpupdate /force happens on that PC, or will it be changed to ( 4 ) at the next refresh interval of the GPO on that PC?

Windows 2008 R2 gp diagnostics

Add more drive options to the 'Hide these specified drives in My Computer'

Hi,

Has anyone faced the problem of needing to add more drive options in the GPO "Hide these specified drives in My Computer" with 2008 server? In Windows Server 2003 it was very easy by editing the ADM template file. My question is: is it possible to edit ADMX files, and which one and how?

Please, if you have any experience, share it with me.

Thx in advance!

MP

Item-level targeting failing intermittently


We have an OU with a GPP that pushes autologon keys for our KIOSKS.  The gpp works by initially logging in with a kiosk user account that matches the name of the computer account and then the GPP sets the autologon keys and after a reboot or logoff the machine auto-logs on after that.  It has worked great for many months.

Since we recently increased our password security, we could no longer use the shorter password for new kiosks without a painful work-around for our enduser support group.

To make things easy, we added an additional GPP reg key for defaultpassword and utilized “Item-Level Targeting” within the existing GPO/GPP (see images below).

Last week we tested this change successfully by adding a new kiosk and rebooting both new and existing PCs.   All existing kiosk accounts were members of the PasswordComplexityDisabled group.  This group is our Fine-grained password policy that permits legacy complexity and password length.

On Monday we got flooded with calls that the autologon wasn't working.  I reverted the item-level targeting entries and put the GPO back to its original state and the calls subsided.  Before doing so however, when we investigated problem machines, the strange thing we noticed was that we could login with the original shorter password if we supplied it manually and after that autologon worked fine.  We also checked that the account in question was a member of the passwordcomplexitydisabled group.  We are at a loss as to why the key seems to have been blanked or set with the wrong key even though a member of the correct group and the ILT logic was correct.  Any ideas?


David W King

"Hide these specified drives in My Computer" in server 2012


Hi,

I would like to customize the policy setting "Hide these specified drives in My Computer" found under "User Configuration > Policies > Administrative Templates > Windows Components > Windows Explorer", but can't figure out how.
I would like the policy setting to be "A, B, C, D and E, F drives only" instead of "A, B, C and D drives only".

I would like to edit the policy setting and I need to add the E and F drives in Server 2012 group policy.


Can anyone help? 

