So now I am starting to use windows 8.1 and Windows 2012 R2.  DCs are 2012R2, Forest Level 2012 R2, Domain Level 2012 R2. Folder Redirection works for Windows 7, Windows 8, 2008, 2008 R2, 2012. Does not work for Windows 8.1/2012R2. No errors are logged in event viewer, says completed successfully. GPResult /v only says:

 Folder Redirection
------------------
    N/A

Group Policy Results Wizard says:

I have tried disabling all other policies (computer and User) except the one that has the folder redirection with no luck. I have tried putting Folder redirection in its own GPO, no luck.

NONE of the following are checked in the Folder redirection (but I have tried it both ways for each):

1. Grant the User exclusive rights to ....
2. Move the contents of ....... to the new location
3. Also apply redirection policy to windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems.

DCDiag returns no errors. Sysvol is replicating properly between both DCs

Everything else EXCEPT Folder redirection applies properly.

Thanks!

Hi guys! This has been giving me a hard time the last day or so.  I've got some Win8 machines in our 2003 domain. I've got some GPO's applying with WMI filtering for win8 machines. Mostly these are ok, but i'm having a huge problem with Desktop Folder Redirection. 

After a fresh build and first login, everything works fine. Drive mappings are all there and the Desktop is redirected to to users home drive on the file server. This is being done with Advanced settings using group membership and set to "Create a folder for each user under the root path" \\dfs1\users. This location is correct and permissions are fine of course as everything works for a while.

After a little while or some unknown event, this redirection stops working.

check these two screengrabs. These are different users on different machines. The machines are identical, are in the same OU and have the same image. The users are different but have the same group memberships and are in the same OU. 

This is a working machine. Not the Folder Redirection component was processed and the Policy exists.

This machine is not working. Folder Redirection is processed, but the Policy is missing. Running a gpresult /v on this machine yields: 

 Folder Redirection
 ------------------
     N/A

It was working fine yesterday and this morning. Now at some point a policy refresh stopped it from working. Just trying to figure out what! These are the exact settings currently in place for our win 7 machines which all work just fine. Going a bit crazy tbh and usually when i post questions i figure it out shortly afterwards anyway huhu. Any help is appreciated! 

h 

Using Server 2012R2 and all updates downloaded/installed. Though this problem existed before running updates, it continues to persist. In GPO, if I open any policy and select Administrative Templates in either computer or user configuration, I get a popup that reads as follows: Resource '$(string.VerMgmt.Audit.Mode.Enable)' referenced in attribute displayName could not be found. File C:\Windows\PolicyDefinitions\Inetres.admx, line 1495, column 249.

It 'appears" I can still set policies and they work. But I'm concerned that something is missing in the referenced ADMX file. I have the Server 2012R2 installation CD. Is there a cab file on the CD where I can get a new copy of the inetres.admx file? If not, where can I get it online? I am of course, assuming the file is corrupt. Thanks.

I am trying to specify a proxy server that I want users to connect to. I have created a group in Active Directory for the users that I want to restrict / forbid access to certain URLs then added the group to the GPO. After running gpupdate /force the Automatically detect settings checkbox is checked and proxy server Address is specified in grey.

I then need to manually check the Proxy server "Use a proxy server for your LAN" checkbox in order to connect to the proxy server. Is there a way to force enable this checkbox using an Administrative Templates setting or similar using Windows Server 2003?

I have a win2008r2 domain that was upgraded from win2003. I added the admx files to the policydefinitions folder but I don't see them available when editing gpos.

Am I missing something? I have this problem on my DC and on my local Win7 workstation.

Hi,

Windows Server 2008 R2, forest and domain level 2008 R2 - GPO applied to Windows Server 2008 R2 RDS servers.

I get this error when using a GPO to hide, and deny access, to the Libraries menu in Windows Explorer:

The computer 'Attributes' preference item in the 'Group Policy 1 {SID}' Group Policy object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.

The GPO:

Computer Configuration (Enabled)

Policies -> Windows Settings -> Security Settings -> Registry

CLASSES_ROOT\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolderhide
Configure this key then: Propagate inheritable permissions to all subkeysOwner 
PermissionsType Name Permission Apply To
Allow CREATOR OWNER Full control Subkeys only
Allow NT AUTHORITY\SYSTEM Full control This key and subkeys
Allow BUILTIN\Administrators Full control This key and subkeys
Allow CAMPHOSTING\hostadm Full control This key and subkeys
Allow BUILTIN\Users Read This key and subkeys
Allow inheritable permissions from the parent to propagate to this object and all child objects Disabled
Auditing
No auditing specified

MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolderhide
Configure this key then: Propagate inheritable permissions to all subkeysOwner 
PermissionsType Name Permission Apply To
Allow CREATOR OWNER Full control Subkeys only
Allow NT AUTHORITY\SYSTEM Full control This key and subkeys
Allow BUILTIN\Administrators Full control This key and subkeys
Allow CAMPHOSTING\hostadm Full control This key and subkeys
Allow BUILTIN\Users Read This key and subkeys
Allow inheritable permissions from the parent to propagate to this object and all child objects Disabled
Auditing
No auditing specified

Preferences -> Windows Settings -> Registry

Attributes (Order: 1)
General
Action Update
PropertiesHive HKEY_CLASSES_ROOT
Key path CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder
Value name Attributes
Value type REG_DWORD
Value data 0xB090010D (2962227469)

Common
OptionsStop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied No
Apply once and do not reapply No

Attributes (Order: 2)
General
Action Update
PropertiesHive HKEY_LOCAL_MACHINE
Key path SOFTWARE\Wow6432Node\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder
Value name Attributes
Value type REG_DWORD
Value data 0xB090010D (2962227469)

Common
OptionsStop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied No
Apply once and do not reapply No

User Configuration (Disabled)
No settings defined.

If I remove the policy settings marked with bold, the policy doesn't generate the Application eventlog error:

Log Name: Application
Source: Group Policy Registry
Event ID: 4098
Task Category: (2)
Level: Warning
Keywords: Classic
User: System

What am I missing - what is generating this access denied error?

KL_Dane

I am going to create a GPO to disable SSL 3.0 using the following:

• DisableSSL 3.0 andenableTLS1.0,TLS1.1,andTLS1.2forInternet ExplorerinGroupPolicy

YoucandisablesupportfortheSSL3.0protocolinInternetExplorerviaGroupPolicybymodifyingtheTurnOffEncryptionSupportGroupPolicyObject.

1. OpenGroupPolicyManagement.
2. Selectthegrouppolicyobjecttomodify,rightclickandselectEdit.
3. IntheGroupPolicyManagementEditor,browsetothefollowingsetting:

ComputerConfiguration->AdministrativeTemplates->WindowsComponents->InternetExplorer->InternetControlPanel->AdvancedPage->Turnoffencryptionsupport

1. Double-clicktheTurnoffEncryptionSupportsettingtoeditthesetting.
2. ClickEnabled.
3. IntheOptionswindow,changetheSecureProtocolcombinationssettingto"UseTLS1.0,TLS1.1,andTLS1.2".
   1. NoteItisimportanttocheckconsecutiveversions.Notselectingconsecutiveversions(e.g.checkingTLS1.0and1.2,butnotchecking1.1)couldresultinconnectionerrors.
4. Click OK.

I am going to link the GPO to the OU where my computers are located.  My question is should I also link this GPO to the domain controllers OU?  Thanks.

I have few User/computer group policies (with loopback) which are not getting applied after servers are rebooted, if I run gpupdate/ force it will apply those policies right away or it will apply on its own if I let it sit for 90 mins. I am not able to find error in eventlogs. What is the next step I can try to figure out the root cause?

I do not have any filtering for this policies.

Other policies in that OU works fine.

    Few days ago,I found administrative plateform missing which supposed to be listed under GPO.Meanwhile, GPO reports correctly. I did attempt to registy 'gptext.dll' and success following the suggestion, but it didn't work.And it seems the 'gptext.dll' could be registy repeatly without error. What exactly happened?What real actions i need to do?

   (Based on Windows Server2012 R2 Domain Controller)

Hi, me again!

I am currently working hard to get Applocker to work with my legacy logonscripts from NETLOGON share.

I would like to use a path rule to allow the start of a BAT file.

What I've tried so far:

• \\domain.name\netlogon
• \\domain.name\netlogon\*
• \\domain\netlogon
• \\domain\netlogon\*
• \\everysingleDC\netlogon
• \\everysingleDC\netlogon\*

I have also tried %logonserver% variable (which obviously doesn't work, as Applocker doesn't support that variable).

Can anyone help me with this? I don't seem to get it to work. Has anyone got a solution?

Thanks in advance, any help is much appreciated.

David

Hello there,

I'm getting this event every time I run gpupdate on my server:

The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LocalGPO. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

Where is the first place to look at?

I did the GPRESULT /H GPReport.html but it only shows an error with registry policies.

Thanks.

Well, this is another fun day with Microsoft crapware.  I am trying to do something that appears to have worked in the past (the tasks were succesfully deployed): run a task that requires Administrator privileges from the SYSTEM account on the local computer.  Trying to use the wizard from RSAT on Windows 7 x86, it always references BUILTIN\SYSTEM as the name of the principal.  It is quite clear that is now working.  I get the same error over and over.

Log Name:      Application
Source:        Group Policy Scheduled Tasks
Date:          3/15/2011 1:00:46 PM
Event ID:      4098
Task Category: (2)
Level:         Warning
Keywords:      Classic
User:          SYSTEM
Computer:     hostname.addomain.adparent.domain.tld
Description:
The computer 'Daily Profile Cleanup' preference item in the 'OU Policies {3182C8BC-024A-48B4-B856-BE2446DFF53A}' Group Policy object did not apply because it failed with error code '0x80041316 The task XML contains an unexpected node.' This error was suppressed.

I noticed by looking at the raw XML the first time the runAs parameter had NT AUTHORITY unquoted.  I obviously was not so careful, and just wrote in NT AUTHORITY\SYSTEM, assuming it would work like before.  Unforunately, using the change User or Group functionality no longer allows me to pick the proper principal, or at least using a name that gives me the right SID.  I used the wizard, and it will only let me use BUILTIN\SYSTEM; it says NT AUTHORITY\SYSTEM is unknown.  However, the client now has a different type of error.

Log Name:      Application
Source:        Group Policy Scheduled Tasks
Date:          3/15/2011 2:04:23 PM
Event ID:      4098
Task Category: (2)
Level:         Warning
Keywords:      Classic
User:          SYSTEM
Computer:     hostname.addomain.adparent.domain.tld
Description:
The computer 'Daily Profile Cleanup' preference item in the 'OU Policies {3182C8BC-024A-48B4-B856-BE2446DFF53A}' Group Policy object did not apply because it failed with error code '0x80070534 No mapping between account names and security IDs was done.' This error was suppressed.

So, I used Sysinternals PsGetSID.  Not surprisingly, BUILTIN\SYSTEM does not return a SID.  What I really need is NT AUTHORITY\SYSTEM, which does (S-1-5-18). When I try adding this through the wizard "the old way" (opening up the Select User or Group wizard, changing the location from the domain to the technician workstation I use, input NT AUTHORITY\SYSTEM, and confirm with Check Names), this worked.  Now, it fails. If I just put in SYSTEM, it retrieves BUILTIN\SYSTEM, which obvious is not correctly translating to the proper SID.  Good thing this program allows me to input the desired user by SID.  Oh wait!  It doesn't.  I have now tried BUILTIN\SYSTEM, BUILTIN\Local Service, BUILTIN\Network Service (even though it is a local WMIC command in batch and does not need network access, theoretically).  None of them work.  I made a backup copy of the XML, then tried manually editing it to use NT AUTHORITY\SYSTEM.  The end result, yet another dead end.

So I reverted back to the original, and lo and behold the same old error.  Does anyone know how to achieve what I want to accomplish, or is the ability to do that long gone.  Below is the XML as it is now, which generates the SID mapping error.

I found the permissions I needed to use to restrict access to the local c: drive in the Default domain policy gpo.

I have read that it is not a good practice to edit it directly so a copied it and created a gpo called copy of default domain policy gpo.

I enabled the following under userconfiguration\policies\administrativetemplates\windows explorer

Hide the specified drives in windows explorer

enabled c:

also prevent access to drives on my computer c:

I right clicked the gpo with the user linked it and enforced it and it still won't work.

I did both edit in copy of default domain policy and that is the gpo I linked.

Why isn't it working? its been over a week

I also enabled prevent adding dragging dropping closing desktop toolbar and don'tsave changes on exit under desktop.

It also isn't working.

I don't see any block inheritance set on the ou.

Maybe the default domain policy being inherited overides the directly linked one?

I just enabled block inheritance directly on the gpo with the user accounts i want it to apply to.

Will that work?

Droid Hacker

Hi guys,

I have some problem with updating regional setting via group policy.

On the windows server 2008 r2.  

User Configuration\Preferences\Control Panel Settings\Regional option.

On the Regional option, I clicked add and i set the short date formal dd-MMM-yy. But after clicking apply and ok again if i right click the same regional setting , the short date used to change to M/d/yyyy again to the default. 

Therefore please anyone who has the solution for this issue , please help me..

Hi,

I have configured the following setting on my GPP IE setting on gpo.

Temporary Internet files - Every time I visit to the page

Proxy Setting

so everything was successfully deployed and setting have been changed base on the GPO.

but here is the weird thing, when I generate out the GPresult on my win 7 machine its showing IE 5 & 6 and not showing temporary internet file setting in the report.

and my gpresult from the server is IE 8 & 9 with all the configuration I have done shown.

as such, please advise if this is a bug or is there a fix for this to show the proper description.

my machine configuration as followed.

Server 2012 R2

Windows 7, IE 8

Using Server 2012R2 and all updates downloaded/installed. Though this problem existed before running updates, it continues to persist. In GPO, if I open any policy and select Administrative Templates in either computer or user configuration, I get a popup that reads as follows: Resource '$(string.VerMgmt.Audit.Mode.Enable)' referenced in attribute displayName could not be found. File C:\Windows\PolicyDefinitions\Inetres.admx, line 1495, column 249.

It 'appears" I can still set policies and they work. But I'm concerned that something is missing in the referenced ADMX file. I have the Server 2012R2 installation CD. Is there a cab file on the CD where I can get a new copy of the inetres.admx file? If not, where can I get it online? I am of course, assuming the file is corrupt. Thanks.

I am hoping someone will be able to help me with a problem that is causing our users a headache

We have a Windows 2008 SP2 terminal server farm ( 1 gateway, 2 Terminal servers TS1 and TS2 ), we also use Group Policy Preferences to deliver app shortcuts to different AD user groups.

TS1 and TS2 were built from the same image.  On TS1 users logon and get all the icons they are entitled to, on TS2 it is random to whether they get their shortcuts or not.   

Both TS are rebooted daily and I have scripted removing any local profiles incase it was something left behind.

Checking the event Logs on TS2 I see several errors that appear to relate to Group Policy and correspond to when users have connected in.

any help with this issue would be appreciated.

Here is the information from the System log:

Log Name:      System

Source:        Microsoft-Windows-GroupPolicy

Date:          05/12/2014 15:32:26

Event ID:      1085

Task Category: None

Level:         Warning

Keywords:      

User:          Username

Computer:      TerminalServer

Description:

Windows failed to apply the Group Policy Shortcuts settings. Group Policy Shortcuts settings might have its own log file. Please click on the "More information" link.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />

 <EventID>1085</EventID>

    <Version>0</Version>

    <Level>3</Level>

    <Task>0</Task>

    <Opcode>1</Opcode>

    <Keywords>0x8000000000000000</Keywords>

    <TimeCreated SystemTime="2014-12-05T15:32:26.450Z" />

    <EventRecordID>478778</EventRecordID>

    <Correlation ActivityID="{CCB45268-E6F8-4127-97C8-A8544829F2DE}" />

    <Execution ProcessID="344" ThreadID="11212" />

    <Channel>System</Channel>

    <Computer>TerminalServer</Computer>

    <Security UserID="S-1-5-21" />

  </System>

  <EventData>

    <Data Name="SupportInfo1">1</Data>

    <Data Name="SupportInfo2">3892</Data>

    <Data Name="ProcessingMode">1</Data>

    <Data Name="ProcessingTimeInMilliseconds">6047</Data>

    <Data Name="ErrorCode">2147942413</Data>

    <Data Name="ErrorDescription">The data is invalid. </Data>

    <Data Name="DCName”>\\OurDomain</Data>

    <Data Name="ExtensionName">Group Policy Shortcuts</Data>

    <Data Name="ExtensionId">{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7}</Data>

  </EventData>

</Event>