Channel: Group Policy forum
Viewing all 19997 articles

AppLocker block unsigned EXEs

Hello. I've got AppLocker set up and mostly working on my lab. Before we start a test group, I was curious to know: is there a way to block all unsigned executables using AppLocker? I found this article: http://technet.microsoft.com/en-us/library/dd723683(v=WS.10).aspx. There are some errors that were found in these instructions. Anyone get this to work in their environment? Thanks for any help.

Somehow denied everyone from a group policy via delegation tab


Hello

We are using AD 2003 native and will be going to 2012 soon.

Today I was changing the permissions on a group policy and I just wanted to go to the Delegation tab in the GPO manager for this policy and deny the user so he didn't get the group policy.

When I hit reply it looks like I did everyone.  When I went back to GPO manager it said access denied on the policy and the name.  When I hit refresh it doesn't even show up now.

How can I relocate it and fix the permissions?

Thanks

Block Microsoft accounts in 2008 R2 domain


We have a 2008 R2 domain. Some users are getting Microsoft Surface devices. I want to know if they can use or link their Microsoft accounts to the domain. If they can, how can I block that (since there is no Microsoft accounts policy in 2008 GPO)?

Thanks

FGPP created but PSO seems like it is not applied


I am running a native 2012 R2 domain and forest with the forest and domain level being that of 2012 R2. I have created a Fine-Grained Password Policy via the AD Admin Center and have it applied to a single test user. There is only one PSO applied to this user and this is the only PSO in the directory. When querying the user via "dsget user <User-DN> -effectivepso" the correct PSO is applied for that user. When looking at the user attribute of msDS-ResultantPSO it also shows the correct PSO is being applied. The PSO disables password complexity, however whenever I try to reset the test user account via ADUC or the AD Admin Center tools the operation fails stating "Failed to reset the password for test user. The password does not meet the length, complexity or history requirements of the domain". I have removed all other requirements in the PSO for length, history, etc. in a basic attempt to confirm that the PSO is being applied, but I am unable to reset the user password to anything less than what is specified in the default domain policy (which includes complexity). I have waited for replication (within this one site only) and also rebooted the domain controllers with no change to this behavior.

Is the PSO only read and applied when the user is actually logged in within their context and when changing a password? Is the failure of being able to administratively reset the account in question to a password that complies with the PSO attached to that user operating by design?

I will be logging in with that test user account to see if this interpretation is true, but I would appreciate any insight anyone with experience with this situation can give.

Thanks,

Brian


2012 R2 based AD GPO to control IE Settings


We are in the process of revamping our network and have deployed a new Windows 2012R2 based AD Domain.

We have a mix of Win XP, Win7 & Win 8 Clients. Although the process of discarding the XP systems is in the pipeline, it will take time.

The Internet Explorer version on the client systems varies from IE8 to IE11 and we wish to control IE settings such as Connection Settings, Proxy address, Restricted Sites, and also restrict users from making changes to these settings etc.

We can see a lot of change to the new Win2012R2 GPO. The IE Maintenance is gone. In its place we have GP Preferences, but we somehow can't get this configured correctly.

Please guide us to get this setting done.

Access limited removable media by GPO

I am running Server 2008 R2 as a domain controller with Active Directory. I wish to deny access to any removable media for all computers (mostly Win 7) in the domain except for administrators. Can I do this through group policy and if so, how?

Software Distribution error 1612


Server 2008 R2 with Windows 7 clients

Trying to deploy Cisco Anyconnect Secure Mobility Client

I'm pointing the GP to a specific OU for testing purposes.  The error captured states, "The installation source for this product is not available.  Verify that the source exists and that you can access it."

I've verified that the share permissions include Domain Computers & Authenticated Users with Full Control, and NTFS permissions include Domain Computers & Authenticated Users with Read access.  The GP security settings include Domain Computers. I made sure I created the policy with the full UNC path.  I also removed any "." from the file name and even shortened the name of the file to just "anyconnect.msi"  I can browse to the file location without fail.  I can manually run the msi file without fail.  

Save my hair and help me out :)

Allow users to install from a specific location


Hi,

I was wondering if there was any way that you could give a user permissions to install software from a specific location, in this case a network drive? We have a folder on one of our file stores that holds in-house program installers. It is sometimes beneficial for a user to install from this location themselves, but without admin this is not possible.

Does anyone know if this is possible?

Thanks for the help.

David



Redirected and offline folders move to a new domain


Hi

We're in a process of merging one local domain to a new (existing) one, that is on a different network (different LAN).

Since all users in existing domain have GPO applied to do redirected folders (it redirects my documents) to a server and have also offline files feature enabled (my documents are cached locally on a computer and then synchronized to server when users log on and log off).

In a process of joining computers to a new domain, we'll connect all existing computers from DOMAIN A to a new LAN (switch) that is only accessed by DOMAIN B.

Can someone please explain to me what is the best procedure to re-establish redirected/offline files (my documents) on all computers that will be joined to a new domain?

My guess will be :

- configure same GPO policy settings for redirected folders on a new domain and assign it to computers that will be joined to a new domain

- create the same shared folder and permissions on a server in a new domain (domain B) and copy all users subfolders from server in old domain (A) to a server in a new domain (B).

- remove all computers from old domain and join them to a new domain (B)

- GPO will apply and synchronize all users documents from server back to their computer 'cache'.

Are these right steps or are we doing something wrong ?

Thank you all in advance for suggestions.

Mike

How to add trusted sites to group policy?


I found this:

 

Trusted sites policies can be set at the computer or user level and are located at the relative path of administrative templates: \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone.

 

But in the right side of the Trusted Sites Zone, I did not see any option to enter the sites. I'm using IE7.

Help is appreciated.

Offline Files Sync Failing, access denied to incorrect folder location


Hi,

We have our users set up with Folder Redirection and Offline Files Synchronisation on Windows 7 Enterprise clients (x64). Server side is 2008 R2.

The problem we have is that users' Offline Files sync is failing, but it looks like the machine is trying to sync another user's directory. For example, assuming I am 'userY', in my Sync Centre the current status is 'Failed - Access Denied' and the folder states is "\\server\share\userX" where X is a completely different user to my account. This happens across the board and there is no consistency for the username that appears to be being synced.

A couple of other points;

1. This particular user has not logged on to this PC so there is no profile loaded for them

2. I have Read/Write access to the Share AND the users Folder that Sync Centre complains about

3. While other users DO NOT have this level of access to the users folder, they do have Read/List access to the top level of the share and Full Control of their own folders.

Let me know if you need any more information

Thanks in Advance.

Tom

Windows 7 Clients screensaver not working when enabled via GPO


I have a Windows Server 2008 R2 server running as a single domain controller in a small school environment with maybe 20 computers or so. The majority of these computers are lab machines for the students, so they're heavily locked down with GPO settings. Everything has been working fine except for one issue.

The screensaver is not activating like we have set in the GPO. The issue is not on all the lab machines but it is on most of them. I have double and triple checked my GPO settings and I do not see an issue. I ran a gpresult /X to output a file to see active GPO settings and my screen saver settings are indeed activated and running according to the outputted file! I tried unplugging the mouse and keyboard but that did not work either. I also logged into the admin account and set the screen saver to a short period of time and it activates without an issue. So it doesn't seem to be a hardware issue.

My diagnosing abilities with these computers are limited from my test student accounts because they're so heavily locked down, so take that into account, but I have enabled CMD for my own sanity!


This is a picture of the GPO settings that should be applied to the computer, this report was generated by running a Group Policy Results wizard from the DC.

This is the report that was generated on the computer using the same test account. The only way I could get it off the computer was to take a photo with my phone, so sorry about the quality.

What could be causing this issue? We have been having this issue for some time now and I'm even having this issue on two computers that I just re-imaged as well.

Any help is appreciated!


The Group Policy Client Side Extension Group Policy Shortcuts may have caused the Group Policy Service to terminate unexpectedly.


Hi all,

Having an issue with the shortcuts Group Policy extension applying to our Windows 7 machines. It was working until last Wednesday and since then users get a Group Policy Client service error when logging in.

We have narrowed it down to the shortcuts extension, if the extension is disabled then a user can log in, if enabled and empty then the following error comes up. With all the investigation we have done so far it seems as though something on the client is making this happen.

We have –

Copied the original policy

Exported and imported the policy

Deleted all the shortcuts

Deleted all the shortcuts and created a brand new shortcut

And the same thing happens. Only if you right click on the Shortcut Extension and select disable then the user can log in

When running Gpupdate /force we get the following error 

The Group Policy Client Side Extension Group Policy Shortcuts may have caused the Group Policy Service to terminate unexpectedly. To prevent further failures in the Group Policy Service, this extension has been temporarily disabled until after the next system restart. Group Policy settings managed by this extension may no longer be enforced until the system is restarted. The vendor of this extension should be contacted if this issue recurs.

The Group Policy Client Side Extension Group Policy Internet Settings may have caused the Group Policy Service to terminate unexpectedly. To prevent further failures in the Group Policy Service, this extension has been temporarily disabled until after the next system restart. Group Policy settings managed by this extension may no longer be enforced until the system is restarted. The vendor of this extension should be contacted if this issue recurs.

Has anyone come across this before?


Thanks

Ports required for Remote GPO Update


Hello,

I have my AD and servers in different networks separated by ACL rules. 

I can manually do my GP Update, but when I use GPMC, I am getting an RPC error 

"

1. My RPC ports are custom range (so I can setup ACL's) and they work fine (PortQuery tested)

2. Referring to: http://technet.microsoft.com/en-au/library/jj572986.aspx : All except the "TCP all ports, Winmgmt"

Now, on Windows firewall I can find these, but from a Network Perspective, what does : "TCP all ports, Winmgmt " mean? What are the actual ports being used or can ACL rules be setup for this?

Regards,

Ramu


Ramu V Ramanan

PowerShell Logon Script not working


Hi All,

I just added the following user logon script to PowerShell Scripts and set the Run Windows PowerShell script last.

No parameters.

When I run this on a workstation I have to run "Set-ExecutionPolicy RemoteSigned" in PS to execute this.

What did I do wrong?

# Switches appended to every msiexec call: silent, no reboot
$ArgumentsStandard = " /quiet "
$ArgumentsStandard += "/norestart"
# One product name per line, exactly as Win32_Product reports it
$App = Get-Content "\\server\Softwareshare\un-installApp.txt"

# gwmi gets the list of applications
# where selects just the apps I'm interested in removing
# Start-Process removes each app using msiexec with quiet and norestart options

Write-Host "start un-installing software from list"
gwmi win32_product |
where { $App -contains $_.Name } |
ForEach-Object {
	# $(...) is needed to expand a property inside a double-quoted string
	Write-Host "start un-installing $($_.Name)"
	$Arguments = "/uninstall "
	$Arguments += $_.IdentifyingNumber
	$Arguments += $ArgumentsStandard
	Start-Process "MSIExec" -ArgumentList $Arguments -Wait
}



User Configuration options error: System.Runtime.InteropServices.COMException (0x80004005): Error HRESULT E_FAIL has been returned from a call to a COM component.


I get this message when trying to edit any User Configuration options on one of my group policies.
The Computer Configuration options do not produce these errors.

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.Runtime.InteropServices.COMException (0x80004005): Error HRESULT E_FAIL has been returned from a call to a COM component.
   at Microsoft.GroupPolicy.AdmTmplEditor.IGPMAdmTmplEditorCallback.ApplyChanges()
   at Microsoft.GroupPolicy.AdmTmplEditor.Editor.SaveChanges()
   at Microsoft.GroupPolicy.AdmTmplEditor.Editor.buttonOK_Click(Object sender, EventArgs e)
   at System.Windows.Forms.Control.OnClick(EventArgs e)
   at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
   at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.ButtonBase.WndProc(Message& m)
   at System.Windows.Forms.Button.WndProc(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.

For example:

<configuration><system.windows.forms jitDebugging="true" /></configuration>

When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.

query regarding password policy!


Hello everyone,

I have a query, we are running a single AD domain.

We have a PowerShell script integrated with web browser to reset user password.

Is there any way to implement a GPO to disable any user from changing password even when it expires? It's not disabling CTRL+ALT+DEL, I want it permanently so that users would have to use the portal to change their passwords.

Users should not be able to reset expired passwords or change them.

Whatever changes happen should happen from the portal.

Thank you.

Regards,

Venu

notification setting


I am preventing notification popups due to constant annoying Adobe, Java updates but it also prevents the password change notification.

Is there a way to block software or action center notifications but not the change password notification?


The processing of Group Policy failed. Windows attempted to read the file...


The processing of Group Policy failed. Windows attempted to read the file...while doing a gpupdate /force. Can anyone help? We replicate our DC to another site, and this is where the problem occurs.

Urgent Group Policy Issue - not applying despite saying it does

Thank you for this urgent help. Auditors checking this out tomorrow morning.

We have a GPO that sets the eventlog audit settings for success or failure security events. The scope is set to Authenticated Users.

When I run the group policy wizard in GPMC it shows the settings applying to one of our servers in that OU.

When I run gpresult /z from that server it shows the policy applying to that server.

But when I go into gpedit.msc the security audit settings are all set to "not defined" and they are grayed out so I can't edit them manually.

As a test I set the GPO to deny applying to that server. I ran gpupdate /force on the system and then gpresult and it shows the GPO now not applying. But the settings are still set to not defined and still not editable. They are not being set by any other GPO.

In the event logs I only see three GPO errors but they are unrelated. A separate GPO is having issues creating user accounts. No other GPOs apply.

Quick help would be fantastic.

Server runs on Windows Server 2008 R2 (I can edit GPO but not the domain ones and I don't have access to the domain controllers).