Channel: Group Policy forum

Issues With Active Directory Log on Hours and SMB Connections


Hello and Good Day Microsoft Community...

I am having a strange issue and I hope you can help. My organization deploys a custom application that we deliver through Remote Desktop Host servers. Users log into our RDH server farms and use this application in a Remote Desktop Session. The application depends on several drive mappings to remote servers in order to work. Now these user accounts that log into our Remote Desktop Servers do have logon restrictions in place. A common period that we don't allow new connections to the environment is 12am-2am local time. Even though we don't allow NEW connections to be established at this time, we do want sessions that were established before 12am not to be interrupted. That is, I don't want already established connections to lose those drive mapping settings in their session. That's what happens today....

So, I went in and adjusted our group policy to configure the two settings that I thought control this behavior. Specifically....

Default Domain Policy - Windows Settings - Security Settings - Local Policies - Security Options. I set:

Microsoft Network Server: Disconnect clients when logon hours expire set to Disabled.

Network security: Force logoff when logon hours expire set to Disabled.

After setting these two, I let all computers in my AD forest refresh policy overnight. I then take a test user and modify the logon hours of that account to expire in the next hour. I log on, and then make sure my drive mappings in my session are active, and they are. I wait an hour till I know that first block of time is coming where my logon hours will expire, and I am surprised to see that my drive mappings are severed? What am I missing here? Looking at the description of these two group policy settings, I would not expect this to happen.

I did do a resultant set of policy in logging mode to make sure my test user was logging into a server that had refreshed its policy since I made the change last night, and it was refreshed. Am I expecting the wrong result from making this change? If so, then what are these two policy settings for?

The environment is all Windows 2008 R2, including the domain controllers. Active directory is Windows 2008 R2 domain level and forest level. All clients and remote servers holding the shares are also Windows 2008 R2.....


GPO that pushes another default gateway and sets the metric


Hi, we have a backup circuit that is on another default gateway. Is there a way to push another default gateway through GPO, meaning

right click on ipv4\properties\advanced\default gateways\

Currently I have the one gateway in there and the metric says automatic.

Is there a way to push another gateway and set the metric to 2? That way when that circuit goes it will flip to the backup one, and when the circuit comes back up it goes back to the first one. Please advise ASAP.

Permission Delegation with AGPM and GPMC

Hi,

I want to use the AGPM and I have a user who I configured to have Admin (full control) rights in AGPM. Now, I also want to give that user the right to link GPOs everywhere in the domain and to add to these GPOs WMI filters and security filters. The AGPM service account is configured with least privileges.

How can I do this?

Thanks

Remove Administrative Tools in Group Policy

Hi All,

I am configuring a Group Policy to lock down terminal services users. It's coming along pretty well, except when I log on as a Remote Desktop User under the Group Policy, I still see Administrative Tools in the Start Menu. How do I remove these?

Folder redirection


The documents folder of our users in our terminal server has been set to default when it was first set up. Now, we defined folder redirection for users to a network share. But for some reason when they click the documents folder on the terminal server it doesn't do anything.

This does not happen, however, to users that were created after the folder redirection was defined. Any ideas?


For God, and Country.

Machines won't recognize updated drive mapping path even after gpupdate /force

Made a change to a drive mapping GPO to update a mapping to a different server, but over a day later, and even after a gpupdate /force, the machines are still pointing to the old server.  What should I try to do next?

Server 2003 Gpmgmt: GPOs not showing defined settings


Hi,

I've got a 2008 and a 2003 Server. When viewing GPOs in 2003 it doesn't show defined settings; it says 'no settings defined' under computer configuration and user configuration, whereas when I view them on the 2008 Server it will say that there are settings defined. Even if 2003 doesn't have the correct templates, etc., it should still register that there is something defined, just not be able to list what it is?

Thanks.

Unable to update Trusted Sites in IE?


I have been referred to this forum from https://social.technet.microsoft.com/Forums/ie/en-US/544527bb-2f63-4092-9953-f7bd8f756d81/unable-to-add-ie-trusted-sites-new-entries-do-not-display?forum=ieitprocurrentver.

Any thoughts?


How does applying a Group Policy work?

I can override some group policy settings when I log in using a Local Admin account. Meanwhile some of the settings can't be overridden. I want to know why this happens. User policies are applied when the user logs in. Then what about the Computer's settings? When are they applied to the computer? On boot?

Event 1096 - Registry policies


Hello there,

I'm getting this event every time I run gpupdate on my server:

The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LocalGPO. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

Where is the first place to look?

I did the GPRESULT /H GPReport.html but it only shows an error with registry policies.

Thanks.

ADFS SPN - Unable to add 2nd ADFS server


Hi Guys,

So I have created the first federation server and all is working. When attempting to add the 2nd server - I get the following errors: "The specified service account could not be used to securely establish a connection with the primary federation server in the farm. Ensure that you are using the same service account as the account that you specified on the primary federation server. Occurs when user configure primary instance with account X and then tries to join with account Y"

I am using the same service account on both 

Having problem with Group Policy


When I start Group Policy Management on the Domain Controller I get an error message (The system cannot find the path specified).
When I click OK it starts the MMC.
When I try to edit the Default Domain Policy I get an error (Failed to open the Group Policy Object. You may not have appropriate rights).
When I go to the browser and type \\xxxxx.local\sysvol\
I see a file that is called xxxxx.local; it is not a shortcut, it is just a LOCAL File.
When I go to \\the domain controller \SYSVOL I see the same thing.
However, if I go to the DC, I can go to c:\windows\sysvol\
I see 4 folders (1.Domain, 2.Staging, 3.Staging area 4.sysvol)
and yes, if I expand sysvol I see the same local file again.

From Domain controller

Log Name:      Application
Source:        Microsoft-Windows-CertificationAuthority
Date:          10/11/2014 7:33:18 PM
Event ID:      77
Task Category: None
Level:         Warning
Keywords:      Classic
User:          SYSTEM
Computer:      SERVER.xxxxx.local
Description:
The "Windows default" Policy Module logged the following warning: The Active Directory connection to SERVER.xxxxx.local has been reestablished to SERVER.xxxxx.local.

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          10/13/2014 9:46:28 AM
Event ID:      1058

User:          SYSTEM
Computer:      SERVER.xxxxx.local
Description:
The processing of Group Policy failed. Windows attempted to read the file \\xxxxx.local\sysvol\xxxxx.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
from a domain controller and was not successful.
\ Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

From the Workstation

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          10/13/2014 10:25:12 AM
Event ID:      1058
Task Category: None
Level:         Error
Keywords:     
User:          SYSTEM
Computer:      Auditors0063.xxxxx.local
Description:
The processing of Group Policy failed. Windows attempted to read the file \\xxxxx.local\sysvol\xxxxx.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

Log Name:      System
Source:        NETLOGON
Date:          10/13/2014 10:24:09 AM
Event ID:      5719
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Auditors0063.xxxxx.local
Description:
This computer was not able to set up a secure session with a domain controller in domain xxxxx due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. 

I cannot find any resolutions; any help is appreciated.

Freddie

How to best move Users home directories, and therefore redirected folders, to new server


We currently have users using offline files with their redirected home directories, and we also redirect their Documents and Desktop to %HOMESHARE%%HOMEPATH% and %HOMESHARE%%HOMEPATH%Desktop via GPO.  We also have "Move the contents of Documents to the new location" Enabled.



We need to migrate users off their current server to a new server.  We did a robocopy of the user folders to the new server into the path we're moving them to. 

So now do we just need to change their home directory path in the AD account and everything should work fine? Will that "Move the contents..." setting cause a long delay the first time they log on after they move? Will offline files throw an error on every file since it will have offline copies of the files from the old server but they will now be pointed to the new server?

Anyone have any tips in general?

Desktop Icon Picture size and format limit


I'm pushing out a group policy to desktop but would like to know icon size limits and also what are acceptable formats. Currently using a 12k jpg icon that points to a URL and testing but don't get the picture.

Setting is located:

User configuration\preferences\windows settings\shortcuts\Icon file path

Previously Working Group Policies Stop Being Enforced


Some of our group policies that have been working for years on our Server 2008 domain stopped working or only work sporadically for the last few weeks.

The settings seem to get lost at every reboot.

Two examples:

do not display last logged on user

configure wireless settings

On laptops, sometimes users cannot log in because wireless is not configured.  To fix it, we connect a network cable, log in as local admin, then run gpupdate /force and then unplug the cable.  We log out and have the user retry and now the wireless is working.

The setting to not display last user stopped working because we started seeing last users again and when a new user needs to log in, they now have to select "switch user" again.

If I log in and do gpupdate /force and log out, the last user is cleared out from the login screen.  However, if the laptop is rebooted, the previously-cleared user name is back again.

To troubleshoot this, I did Group Policy Results on that laptop from GPMC and checked for the last logged on user settings and it shows the setting configured and the "Winning Policy" as the policy that is configured to not show the user name.  So, according to this, it should work, but only works after we force it to with a gpupdate command.  The effect of setting gets lost again if we reboot the laptop.

This is not just one laptop having this issue.

What can cause this?  It had all been working on these same laptops with no issues for many months.

I know the settings are configured properly because they go into effect again immediately after a gpupdate command. They just stopped working after a fresh reboot, and these two examples happen to be policies that are important to be enforced even immediately after a fresh reboot.


Network Securities


Hi,

Ours is a small business company. We are using Windows 2008 R2 server and we want to keep some network security settings on the server, for specific sites only and for particular users only.

To set up the security settings we went to the Group Policy settings on the server, and in that we clicked on User Configuration -> Windows Settings -> Policy-based QoS.

In Policy-based QoS we didn't find Internet Explorer in that folder, so how can I block some specific websites on the server for specific users only?

Please help us out with this problem.

sowmya.

Event ID 1085 on DC - Failed to Apply the Group Policy Local Users and Groups Settings


I have a domain with 2 DCs.  The primary DC is running Server 2012 and is raising Event ID 1085 every 10 minutes and 20 seconds.

Windows failed to apply the Group Policy Local Users and Groups settings. Group Policy Local Users and Groups settings might have its own log file. Please click on the "More information" link.

System

  - Provider

   [ Name]  Microsoft-Windows-GroupPolicy
   [ Guid]  {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}

   EventID 1085

   Version 0

   Level 3

   Task 0

   Opcode 1

   Keywords 0x8000000000000000

  - TimeCreated

   [ SystemTime]  2014-10-20T20:09:03.706992400Z

   EventRecordID 130087

  - Correlation

   [ ActivityID]  {FDDFB8C5-9ECF-41B9-B2B4-3AD0B345A37A}

  - Execution

   [ ProcessID]  1000
   [ ThreadID]  3280

   Channel System

   Computer SERVER.DOMAIN.NAME

  - Security

   [ UserID]  S-1-5-18


- EventData

  SupportInfo1 1
  SupportInfo2 4404
  ProcessingMode 0
  ProcessingTimeInMilliseconds 10343
  ErrorCode 183
  ErrorDescription Cannot create a file when that file already exists.
  DCName \\SERVER.DOMAIN.name
  ExtensionName Group Policy Local Users and Groups
  ExtensionId {17D89FEC-5C44-4972-B12D-241CAEF74509} 

Everything I look up for Event ID 1085 seems to be about a different cause.

Any ideas?


Continue processing GPP printer if error occurs on print server


Hi,

I have a problem. When the print server is stuck or has no network, the GPP printers policy gets stuck trying to continue, stops the processing of all other group policy, and the user cannot log in.

How can I keep the GPP printers policy from preventing user login?

Running an .EXE at Logon is locking desktop


I am trying to create a reboot utility for our company.   I'm using PowerShell Studio 2014 from Sapien to create 2 different .EXE's.

EXE #1:  Checks to see if your machine has been rebooted in the past week.  If it has been up for 7 days or more, launch \\ServerName\Share\EXE2

EXE2:  Will prompt the user with 2 buttons.  Reboot Now and delay reboot for 1 hour.  If they choose delay for 1 hour it writes a key to the registry and then exits.  Once it exits control goes back to EXE #1 which has this code.

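$call2 = "\\server\Scripts\Tools\MGHRebootTool\RebootNow.exe"

# Read the flag that EXE2 writes when the user chooses the one-hour delay
$GetBootValue1 = (Get-ItemProperty HKLM:\SOFTWARE\MGH).OneHour
# Compare with -eq; a single "=" would assign '1' and always evaluate as true
if ($GetBootValue1 -eq '1') { Remove-ItemProperty -Path HKLM:\Software\MGH -Name OneHour; Start-Sleep -s 3600; & $call2 }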

Here is my problem.  I run EXE #1 from GPOs at User Login.   It runs and prompts me with the 2 buttons from EXE #2.  I press "delay reboot for 1 hour" and my desktop never loads.  It is all black and the system is waiting for 1 hour (3600 seconds) before it lets go to load my desktop.

Why?  how do I make my called .EXE #1 run "after the desktop loads"?    This is a show stopper so any advice would be awesome.


mqh7

Preferences for Item-Level Targeting


Hey guys,

It seems like I have seen some weird issues in the past with multi item-level targeting where a condition happens that causes all items to fail.  I do not use the "Stop processing items in extension on error" option either.  I am trying to replicate it, but sometimes it seems that if an item comes back as false that others then start failing.  I read everything in the document below, but maybe I missed something.  If I put 10 conditions into Item-Level processing and 9 fail leaving a single one that targets a single computer.  Are there any other conditions that would cause that true Item-Level processing to abort?  Having trouble replicating the problem so maybe I was just imagining things.

Thanks,

Dan

http://technet.microsoft.com/en-us/library/cc733022.aspx


Dan Heim
