Channel: Group Policy forum
Viewing all 19997 articles

Issues With Active Directory Log on Hours and SMB Connections


Hello and Good Day Microsoft Community...

I am having a strange issue and I hope you can help. My organization deploys a custom application that we deliver through Remote Desktop Host servers. Users log into our RDH server farms and use this application in a Remote Desktop Session. The application depends on several drive mappings to remote servers in order to work. Now these user accounts that log into our Remote Desktop Servers do have log on restrictions in place. A common period that we don't allow new connections to the environment is 12am-2am local time. Even though we don't allow NEW connections to be established at this time, we do want sessions that were established before 12am not to be interrupted. That is, I don't want already established connections to lose those drive mapping settings in their session. That's what happens today....

So, I went in and adjusted our group policy to configure the two settings that I thought control this behavior. Specifically....

Default Domain Policy - Windows Settings - Security Settings - Local Policies - Security Options. I set:

Microsoft Network Server: Disconnect clients when logon hours expire set to Disabled.

Network security: Force logoff when logon hours expire set to Disabled.

After setting these two, I let all computers in my AD forest refresh policy overnight. I then take a test user. Modify the logon hours of that account to expire in the next hour. I log on, and then make sure my drive mappings in my session are active, and they are. I wait an hour till I know that first block of time is coming where my logon hours will expire, and I am surprised to see that my drive mappings are severed? What am I missing here? Looking at the description of these two group policy settings, I would not expect this to happen.

I did do a resultant set of policy in logging mode to make sure my test user was logging into a server that had refreshed its policy since I made the change last night, and it was refreshed. Am I expecting the wrong result from making this change? If so, then what are these two policy settings for?

The environment is all Windows 2008 R2, including the domain controllers. Active directory is Windows 2008 R2 domain level and forest level. All clients and remote servers holding the shares are also Windows 2008 R2.....


Windows Server 2008 -> Group policy for domain client to start/stop services installed on it


Hello Experts

I am a newbie to Windows Server administration. I did a Google search, but ended up with these questions about my requirements.

I have created a new domain and added 2 clients/computers (namely A & B) to the domain. Now A & B have Tomcat servers running with ports 8080, 9090, which I have installed with the domain ADMIN account.

Now I want start/stop/restart of services to be enabled for domain users! How do I achieve this?

Basic question: How can I access the A & B Tomcat services on the DOMAIN CONTROLLER server to create a GPO for the services that are on A & B?

What is the easiest way to achieve the same (if not using GPO)?

Similarly, I am looking for many features where I want to control the permissions of users on A & B, like: if the binaries of Tomcat are available on a machine, say A, whether the user can install them (now it asks for ADMIN credentials).

Thanks
Mike~Ed

 


Server 2008 Policy, hide Security Tab from Non-Administrators


Hello,

I got asked to use the policy to hide the Security tab on folders for non-administrators; administrators need to see it to adjust folder auditing.

Checking Server 2008 R2, GPO, User Configurations, Policies, Administrative Template, Windows Components, Remove Security Tab "Enabled" option: this either turns all on or all off. Is there a way to hide the Security Tab for all users except Administrators? I did a few Google searches and did not find anything.

Thanks, b.

Slow Powershell and IE


This has plagued me for the last few years. Domain computers (Win 7/8) and Servers (2008/2012) seem really slow to open PS, CMD, and IE. I've had people tell me it has something to do with GPO.... but I am not doing anything super fancy. After they open once, they open immediately until maybe a day, week, or month later. We're talking maybe a minute to open.

I can log in to the machine locally and it works immediately 100% of the time, this is what pointed me toward a domain issue.

Ideas? Please and thank you.

Applying local user policy

I have created a kiosk computer, which is also a domain member, by applying a very restrictive local user policy and auto logging on with a local account.  When I deploy a new kiosk, I configure the software, copy the registry.pol file to it and run gpupdate /target:user /force while logged in as the local user that the kiosk will use. The local user policy does not get applied to the local user, even after multiple gpupdate commands and reboots. The only way I can get the policy applied to the local user is to edit one of the policy settings, say active desktop.  I can set active desktop enabled and click apply and presto, the local user policy is immediately applied. Am I doing something incorrectly or is this truly the only way to get the local user policy to apply to the local user account I'm using?

Printers not mapping consistently.


Hello,

We have been experiencing an issue with our printers randomly not mapping for users in our computer lab. GPUpdate is a quickfix and applies all GPOs/maps the printers that should have been applied earlier at logon/restart.

The problem of the printers failing to map, with some variation of a 4098 error being logged in the Event Viewer, has persisted through (in no particular order):

-Using a script to map printers instead of GPO GPP.  This proves it’s not directly a GPO/GPP issue but could still be some obscure, unrelated GPO setting that’s having bizarre side effects.

-Upgrading from Win 7 to Win 8.1

-Replacing the print server

-Pointing printer maps to a completely different print server(VM)

-Mapping by IPv4 address rather than DNS name or NetBIOS name, presumably eliminating anything IPv6 related.

-Cleansing the clients and server of what was believed to be a bad version of the HP Universal Print Driver

-Replacing client hardware with of course a fresh OS build

-Replacing the printers (as part of normal lifespan/replacement cycle) from HP to Dell.

GPresult shows that the Printer GPO is being applied without error

We are currently running Server 2012R2, win 8.1

error log shows:

The user 'ACSA-103' preference item in the 'ACSA Printers and Drives {16947C31-557B-4BC7-B717-E58A0C7B41C7}' Group Policy Object did not apply because it failed with error code '0x80070057 The parameter is incorrect.' This error was suppressed.


GPO Precedence


2012R2

So, following the order Local, Site, Domain, OU I created a new GPO at the root domain level, so why does it have a Precedence of 7 on my targeted OU? My Default Domain Policy is 1.

Summary - I'm trying to deny logon at the domain level and then allow logon at the OU level. However the new domain level GPO precedence has the Domain policy applying last (7), what gives?

I'd just throw it in my default domain GPO but I have that set to enforce for other reasons.

OMG, so for grins I non-enforced my default domain and added the deny logon accounts and now its precedence is 7!

I guess deny always supersedes like in NTFS permissions.

So, bottom line, I want to restrict an account to only be able to log on to a specific OU. Any ideas?

Easy enough to restrict who can log on to this group of computers, but at the same time I don't want this account to be able to log onto any other computers outside this OU.


How to prevent users from modifying Security settings of folder and files


Hi All,

I have a user who changes the security settings of a parent folder, which also affects child folders and files due to inherited permissions.

The user has a standard domain user account.

When trying to modify security settings of the parent folder, it shows the error:


But, when trying to change the inheritable permissions, it was allowed. (Kindly see attached file)

Is there any workaround in group policy in which I can block the checkbox "Include inheritable permissions from this object's parent" (like the image above) so that it is not configurable by a standard domain user account?

Thanks for the help.


Internet explorer maintenance gpo


Hi,

In our office they previously configured Internet Explorer Maintenance GP in Windows Server 2012, but they didn't install IEAK and all. If I open the policy to edit, I can't find IEM in User Config > Windows Settings. Now I want to make some changes with GP.

    

Apply Internet Access Policy for users using USB Internet devices/Dongle


Hi

Please someone help me to apply internet access security policies for users using USB internet devices in the office premises.

Internet access policy on LAN and wireless network is done through Cyberoam at our office. Please suggest a way to block websites for users using USB internet devices/dongles at work.

Please respond soon or email at saurabhbapna7@gmail.com

Thanks

Logon script not working


Hi

I have a .bat script that creates network drives, copies word templates, copies Normal.dotm, copies desktop wallpaper to local machine, and other things.  When I add this to group policy (User Configuration\Windows Settings\Scripts\Logon), it does not work. 

AD is on Windows 2003. When I manually run this script on my local Win 7 machine, the script works as expected. The script used to work but as far as I can see, nothing has changed. All other Group Policy settings are still working. GPResult shows the script.

I forgot to mention that the script is stored somewhere on the network (\\servername\scripts).

Any idea why this script isn't working?


Marc Collins www.QGate.co.uk


Screensaver GPO not working


Hi all,

I did not find an answer for my problem in the topics discussed for ScreenSaver GPO for Windows 7.

I have to create a GPO for Windows 7 SP1 machines which enables the screen saver after a certain amount of inactivity. Domain controllers are Windows 2008R2. So I go to

User\Administrative Templates\Control Panel\Personalization and I set the following things here:

Enabled ScreenSaver

Password Protect the ScreenSaver

ScreenSaver time out

Force specific screen saver - I put Ribon.scr

The GPO is applied correctly. I check it via GPresult and rsop.msc. I see that there is a configured screensaver which I cannot change because of the policy but after the configured time out of inactivity the screen saver does not start!!!

If I set the screensaver locally it starts after the time out.

What could be the reason for the screensaver not starting when it is applied via a GPO!? Any help would be greatly appreciated!

general recycle bin size via GPO


Hi,

I need to manage Recycle bin settings.

Some articles provide the GPO path:

USERS-Admin Templ-Windows Components-Windows Explorer

DCs are 2008. Access from Windows 8.1 GPMC.

There is no Windows Explorer node.

How to deal with managing the Recycle Bin? Let's say I need to set max 10MB.

How?

Thx.


--- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis

Unable to register Windows Shutdown Script via GPO using Powershell


Hi,

I'm trying to register a Windows 2012 Server shutdown powershell script using  powershell to modify the registry & create the psscripts.ini file, but the shutdown script does not run. The script below is called during booting of an AWS instance. The $scriptPath parameter contains the name of another powershell script file that contains the actual shutdown script and the $parameters parameter contains a string the shutdown script expects. 

If I manually register the shutdown script using gpedit.msc and then shut down the instance, then the shutdown script executes as expected. I did a visual comparison of the registry when I run my register code and when I use gpedit, and they look the same, at least in the scripts path. I also found that unless I created the psscripts.ini file the entry would not appear in gpedit. Just to be clear, after I run my register code, if I open gpedit.msc, I see the same entry as if I entered it in gpedit directly, yet the script does not run.

If there's a way to register the script using powershell using some GPO object, please let me know where to find info on it as I'd rather not be writing to the registry directly. This is  running on an AWS virtual machine I control, so I know there will not be any other scripts registered (that I would be clobbering with the code below)

function RegisterWindowsShutdownScript([string]$regionName, [string]$scriptPath, [string]$parameters)
{
	Write-Debug "RegisterWindowsShutdownScript([string]$regionName, [string]$scriptPath, [string]$parameters)"

	Set-DefaultAWSRegion $regionName

	$key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0'
	New-Item -Path $key -Force
	New-ItemProperty -Path $key -Name GPO-ID -Value LocalGPO -Force
	New-ItemProperty -Path $key -Name SOM-ID -Value Local -Force
	New-ItemProperty -Path $key -Name FileSysPath -Value "C:\Windows\System32\GroupPolicy\Machine" -Force
	New-ItemProperty -Path $key -Name DisplayName -Value "Local Group Policy" -Force
	New-ItemProperty -Path $key -Name GPOName -Value "Local Group Policy" -Force
	New-ItemProperty -Path $key -Name PSScriptOrder -Value 1 -PropertyType "DWord" -Force

	$key = "$key\0"
	New-Item -Path $key -Force
	New-ItemProperty -Path $key -Name "Script" -Value $scriptPath -Force
	New-ItemProperty -Path $key -Name "Parameters" -Value $parameters -Force
	New-ItemProperty -Path $key -Name "IsPowershell" -Value 1 -PropertyType "DWord" -Force
	New-ItemProperty -Path $key -Name "ExecTime" -Value 0 -PropertyType "QWord" -Force

	$psScriptsFile = "C:\Windows\System32\GroupPolicy\Machine\Scripts\psscripts.ini"
	New-Item $psScriptsFile -type file -force
	"[Shutdown]" | Out-File $psScriptsFile
	"0CmdLine=$scriptPath" | Out-File $psScriptsFile -Append
	"0Parameters=$parameters" | Out-File $psScriptsFile -Append

}

Shutdown Powershell script:

param([string]$regionName, [string]$stackName)
"param([string]$regionName, [string]$stackName)" | Add-Content 'c:\cfn\log\remove.txt'
Write-S3Object -BucketName MyCompany.CFTemplates-RDS/1.2/Database -Key remove.txt -File 'c:\cfn\log\remove.txt'

Set-DefaultAWSRegion $regionName

$stackInfo = Get-CFNStack -StackName $stackName

$stackInfo | Add-Content 'c:\cfn\log\remove.txt'
$stackInfo.StackStatus | Add-Content 'c:\cfn\log\remove.txt'

Write-S3Object -BucketName MyCompany.CFTemplates-RDS/1.2/Database -Key remove.txt -File 'c:\cfn\log\remove.txt'

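# Test the status on the stack object returned by Get-CFNStack; $stackName is only the name string and has no StackStatus property.
if ($stackInfo.StackStatus -ieq 'DELETE_IN_PROGRESS')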
{
	$optionGroupName = $stackName+"-OptionGroup"
	Write-Output "Stack deletion detected; deleting $optionGroupName"
	"Stack deletion detected; deleting $optionGroupName" | Add-Content 'c:\cfn\log\remove.txt'
	Write-S3Object -BucketName MyCompany.CFTemplates-RDS/1.2/Database -Key remove.txt -File 'c:\cfn\log\remove.txt'

	try {
		Remove-RDSOptionGroup `
		-Region $regionName `
		-OptionGroupName $optionGroupName `
		-Force
	} catch [Exception] {
		Write-Output $_.Exception.GetType().FullName;
		Write-Output $_.Exception.Message;
	}
}
else
{
	Write-Output 'Instance terminating without stack'
	'Instance terminating without stack'| Add-Content 'c:\cfn\log\remove.txt'
	Write-S3Object -BucketName MyCompany.CFTemplates-RDS/1.2/Database -Key remove.txt -File 'c:\cfn\log\remove.txt'
}




GPO Internet Explorer Maintenance missing in WS 2008 R2


Hi all

Suddenly I am missing the Internet Explorer Maintenance in WS 2008 R2. When I show the settings tab on the GPO itself it's showing properly, but I can't find it when I try to edit.

Any assistance on that?



Group Policy error ?


We're using GP to push out printers. On random machines and for random users sometimes the printers do not map. The error in the App log on the PC is this Group Policy Object did not apply because it failed with error code '0x80070057 The parameter is incorrect.' This error was suppressed.

I have been unable to tell what parameter it means. One user could get this, another logs into the same machine and the printers work fine. I can't find the commonality. 


Jason

GPO overriding local policy SQL service credentials

I have several networked domain PCs (Win 7) running a proprietary application that requires the use of SQL Express instances to communicate with the central database. I have the local SQL services (SQL Server (SQLEXPRESS)) logging on as account: NT SERVICE\MSSQL$SQLEXPRESS with secure credentials for the particular database. When I freshly enter the credentials into the service, start the service and then start the application, everything works fine. I can reboot, shut down (for a short period, say 30 minutes), log off etc., no problem. But when I leave the PC alone overnight (without the use of the application) or the application freezes forcing the PC to be shut down (for com port resets), the user gets an error due to the service not starting. When I check the event viewer, it says service failed to start due to logon failure. When I open the services to start the service, I get an error that the service could not start due to incorrect credentials. I then have to re-enter the credentials at which time the service has a popup that says "The account NT SERVICE\MSSQL$SQLEXPRESS has been granted the Log ON As A Service right." and everything is fine (for a while). I've come to the conclusion that there is a GPO setting changing the credentials (for reasons yet unknown) that is overriding the local policy settings and either obliterating the password (because that is all I have to change) or corrupting it. HELP!!! I have no idea where to look for such a policy change or what to do with it when I see it.

GRB

Group Policy Startup/Logon Script Parameter


I am trying to deploy SSTP VPN configuration to Windows 7 computers through Group Policy.

Our domain is Windows 2008 R2 Domain and Forest level.

I downloaded the PowerShell script and configuration XML file from Microsoft.

All our machines have the Execution Policy set by Group Policy so that all signed scripts can run. I verified by running the Get-ExecutionPolicy commandlet.


I configured startup script setting PowerShell.exe as the Script name and -noninteractive -file "\\corpserver.contoso.com\scripts\Create-Conn.ps1" "\\corpserver.contoso.com\scripts\VPNSettings.xml" as the Parameter.

I gave the read & execute permission to the computer.

After the GP was complete, I ran gpupdate and gpresult to make sure the newly created GP was applied.

I tested running powershell.exe with the above parameter from the PowerShell console.
It worked; however, when I rebooted the machine, nothing happened.


Event Viewer shows PowerShell was running at that time.


I added the same GP configuration to the user configuration portion of the GP.
Same thing: PowerShell ran but no VPN setting was made.

I am wondering if, when I run PowerShell as a startup or logon script, I have to set a different parameter? I tried -command but the result was the same.

Please help!

IT Systems Administrator

I was attempting to speed up login and logout by redirecting certain files to a (SAMBA) network drive, which appeared to work, but shortly after that programs tried to update and failed. It appears that Windows insists on installing as Windows administrator, and that won't work on the Samba network drive. I have even tried to reverse the redirect, to no effect. I need to be able to force the install and update as the user, not Windows administrator. Any ideas out there?

Windows 7 Local Security Policy - Audit Policy not auditing


Hi there,

I have an older Server 2008 R2 Standard (SP-1) 64 and 25 desktops that are Windows 7 64.

At the server I have Group Policy Management, Default Domain Policy, Computer Config, Windows Setting, Security Settings, Local Policies, Audit Policy, all set to Success/Fail (account, directory, logon, object, prov, etc, etc, etc); this audits fine at the server. GPMC looks good, RSOP is good with Default Domain Policy across the board.

The 25 desktops are getting the server GPO settings for Policy Password History/Password Age, etc., and all other settings.

The 25 desktops are not getting local Audit Policy Success/Fail like the server; all show "No Auditing", and I am not able to either set it manually or get updates from the server GPO. I did the gpupdate /force.

Where do desktops get their information for auditing from the Server 2008 GPO? I thought this came from the DC default GPO for auditing.

Thanks

B.
