Hello

We recently switched subscription from 365 Pro Plus to Business Premium.  Prior to installing the new version on every user PC, we tested our existing GPOs with the new version.  Everything worked normally.  Following the change to the actual plan, the GPOs have stopped applying.  We were assured over the telephone by a MS representative that everything would continue working.  Can anyone shed any light on whether GPOs should be applied for Business Premium?

Thanks

Paul

So I have a Server 2012 set up with a few different user groups and each of them has a separate folder than needs to be mapped only for them. For example group A has access to FolderA, B to FolderB and C to FolderC. The Administrator account shouldn't have any mapped drives. What happens though is the Administrator gets all of the maps, displaying only 1 in FileExplorer but all the other ones can be accessed by typing(guessing) a letter in the address bar. Another thing is the users from group C get access to FolderA. Everything is messed up basically. I double, triple, quadruple checked all of the settings and have absolutely no clue what I might be doing wrong.

Here is the log of the drive mapping, though I doubt that can be of any use:

https://docs.google.com/document/d/1du18-OS50ZcDbwIwfkk5iTUUOGiMWWdZWsi3eC9eC5Y/edit?usp=sharing

(too big to post it here)

Any help is appreciated.

I am new to Software Restriction Policies and I'm sure i am just missing something.  When I run mstsc.exe with the admin flag everything works correctly.  When I run it without the admin flag I get the following error:

The remote session was disconnected because license store creation failed with access denied.  Please run remote desktop client with elevated privileges.

This was working correctly before we started testing Software Restriction Policies.

This is a windows 7 32 bit machine. 

Below is the policy in question..  Any help you can provide would be great.  Thanks in advance!

Computer Configuration (Enabled)hide
Policieshide
Windows Settingshide
Security Settingshide
Public Key Policies/Trusted Root Certification Authoritieshide
Propertieshide
Policy Setting
Allow users to select new root certification authorities (CAs) to trust Enabled
Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only

Software Restriction Policieshide
Enforcement
Policy Setting
Apply software restriction policies to the following All software files
Apply software restriction policies to the following users All users except local administrators
When applying software restriction policies Ignore certificate rules
 
Designated File Types
File Extension File Type
ADE ADE File
ADP ADP File
BAS BAS File
BAT Windows Batch File
CHM Compiled HTML Help file
CMD Windows Command Script
COM MS-DOS Application
CPL Control Panel Item
CRT Security Certificate
EXE Application
HLP Help File
HTA HTML Application
INF Setup Information
INS INS File
ISP ISP File
MDB MDB File
MDE MDE File
MSC Microsoft Common Console Document
MSI Windows Installer Package
MSP Windows Installer Patch
MST MST File
OCX ActiveX Control
PCD PCD File
PIF Shortcut to MS-DOS Program
REG Registration Entries
SCR Screen Saver
SHS SHS File
URL Internet Shortcut
VB Visual Basic Source file
WSC Windows Script Component
ZIP Compressed (zipped) Folder
 
Trusted Publishers
Trusted publisher management Allow all administrators and users to manage user's own Trusted Publishers
Certificate verification None
 

Software Restriction Policies/Security Levelshide
Policy Setting
Default Security Level Disallowed

Software Restriction Policies/Additional Ruleshide
Hash Ruleshide
mstsc.exe (6.0.6002.18005); mstsc.exe; Remote Desktop Connection; Microsoft® Windows® Operating System; Microsoft Corporation
Security Level Unrestricted
Description  
Date last modified 1/20/2015 12:38:43 PM
 

Internet Zone Ruleshide
Local computer
Security Level Unrestricted
Description This zone contains Web sites that are on your local computer.
Date last modified 1/20/2015 10:46:33 AM
 
Local intranet
Security Level Unrestricted
Description This zone contains all Web sites that are on your organization's intranet.
Date last modified 1/20/2015 11:59:51 AM
 
Trusted sites
Security Level Unrestricted
Description This zone contains Web sites that you trust not to damage your computer or data.
Date last modified 1/20/2015 12:02:23 PM
 

Path Ruleshide
%localappdata%\temp\*.tmp\centricity.bat
Security Level Unrestricted
Description  
Date last modified 1/20/2015 12:08:17 PM
 
%localappdata%\Temp\*.tmp\dentrix.bat
Security Level Unrestricted
Description  
Date last modified 1/20/2015 12:07:45 PM
 
%localappdata%\temp\*\centricity.bat
Security Level Unrestricted
Description  
Date last modified 1/20/2015 12:08:34 PM
 
%localappdata%\temp\*\dentrix.bat
Security Level Unrestricted
Description  
Date last modified 1/20/2015 12:08:52 PM
 
\\hotcfs1.otc.local\Jop_dentrontdesk\*.bat
Security Level Unrestricted
Description  
Date last modified 1/20/2015 12:29:05 PM
 
\\hotcfs1\thinapp\*\msi\adobe*.exe
Security Level Unrestricted
Description  
Date last modified 1/20/2015 12:28:09 PM
 
c:\Program Files
Security Level Unrestricted
Description  
Date last modified 12/12/2014 1:42:08 PM
 
c:\Program Files (x86)
Security Level Unrestricted
Description  
Date last modified 12/12/2014 1:40:26 PM
 
c:\users\public\desktop\centricity.exe
Security Level Unrestricted
Description  
Date last modified 12/12/2014 2:26:46 PM
 
c:\users\public\desktop\dentrix.exe
Security Level Unrestricted
Description  
Date last modified 12/12/2014 2:26:54 PM
 
c:\windows\
Security Level Unrestricted
Description  
Date last modified 1/20/2015 12:42:05 PM
 
c:\windows\system32
Security Level Unrestricted
Description  
Date last modified 1/20/2015 12:42:17 PM
 

Administrative Templateshide
Policy definitions (ADMX files) retrieved from the central store.System/Group Policyhide
Policy Setting Comment
User Group Policy loopback processing mode Enabled  
Mode: Merge
 

User Configuration (Enabled)hide
Preferenceshide
Windows Settingshide
Registryhide
Registry item: LogFileNamehide
Generalhide
Action Update
PropertiesHive HKEY_LOCAL_MACHINE
Key path SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers
Value name LogFileName
Value type REG_SZ
Value data c:\restriction.txt

Commonhide
OptionsStop processing items on this extension if an error occurs on this item No
Run in logged-on user's security context (user policy option) No
Remove this item when it is no longer applied No
Apply once and do not reapply No

We have been using Logon script. Now we want to map drives via gpo.

I first create an OU (A). Inside that OU I create another 2 Test OU (A1 and A2), then in them i create 2 test users respectively. in these 2 separate OU, I create each a Global security group and add those users into it.

On my GPM, I created a single Group Policy and Link it to my OU (A). I have 2 seperate mapped drives.

I applied Target Group Policy Preference to those Security Groups.

Now it all works fine, perfectly well with the filtering, Logged of and log back in, drives are mapped accordingly

Now I want to make a test with one of my old user who uses logon script before because I will soon roll out that policy on our domain,

With that old user, I remove the default logon script on the AD user profile tab.

Then i add the old user to one of my Security group in either of them A1 OU or A2 OU group. Run gpupdate/force on the server. Then sign in with that old user.

Now , No drives are mapped with that old user

I have checked my default domain Policy that no script is enable on log on and even all other policy that have been implemented with no logonscript enable

If there is any configuration i still need to add..

Very much appreciated for solution

----- bsl

Case

Windows 2012 Machine Computer account = "Comp A"
Group name = "Group A"
OU name = "OU A"

Comp A is created in OU A and is a part of Group A.
A Group policy "GP A" is created with Scope as "OU A" & Security filtering is set to "Group A".
Now when I run gpresult /r on the Comp A, I do see "GP A" name under applied group policies but I don't see "Group A" under computer account is part of.

Any reasons why it'll do so ?
I already have rebooted the Comp A, ran gpupdate /force, waited for long still doesn't show group name when running gpresult /r

Hi Experts.

I have approx 200 servers. There are user1, user2 and user3 which I have added in Local Administrators Group using GP Restricted Group in all 200 servers. This works fine. In Add Group option I added "Administrator" and Added user1, user2 and user3 in "Members of this Group". Now all 3 users are reflected as a Local Administrators member.

Now there is a need that user 4 should be in Local Administrators Group using GP Restricted Group for certain servers only. Lets say 50.

In Add Group option I added "Administrator" and Added user4 in "Members of this Group". BUT it doesn't work.

Any idea?

Regards Suman B. Singh

With successful hacking attacks more often employing valid Active Directory user credentials, it is quite helpful when administrators caneasily poll user logon events. Rather than queryevery domain computer for its logon events, one can alter the Default Domain Controller Policy GPO to enable "Audit user account logons" (Success and Failure) then merely pollonly the domain controller -- quite efficient. PowerShell helpfully has its Group Policy Module, including the following two cmdlets.

1) Get-GPO "Default Domain Controllers Policy" will retrieve the top-level GPO object, but how do I enable that specific setting?

2) Set-GPRegistryValue might be the right tool, but I cannot find any documentation on the values I need to supply to its parameters (-Name -Key -ValueName -Type -Value) to enable "Audit user account logons" -- both Successes and Failures.

One can manually modify this setting using the Group Policy Management console GUI on the domain controller, but I am trying to upgrade my professional work habits to use stored scripts, rather than unrecorded point & clicks, so that my actions are repeatable and documented.

Any pointers to documentation or an example would be welcome. I originally posted this question in the TechNet PowerShell Forum this afternoon, but someone recommended I copy it to the TechNet Group Policy Forum.

Jeffrey - New Orleans MCITP Enterprise Administrator, Virtualization Administrator

Hi All,

  I have create user logoff script to uninstall software. Now i have two issues.

 1. Take long to logoff

 2. How do i allow only once? 

$ArgumentsStandard =" /quiet "
$ArgumentsStandard +="/norestart"
$App = Get-Content "\\server\share\un-installApp.txt"

#gwmi gets the list of applications
# where selects just the apps im interested in removing
# start-process removes each app using msiexec with quiet and norestart options

Write-Host "start un-installing software from list"
gwmi win32_product |
where { $App -contains $_.Name } |
ForEach-Object {
	Write-Host "start un-installing $_.name"
	$Arguments =  "/uninstall "
	$Arguments += $_.IdentifyingNumber
	$arguments += $ArgumentsStandard
	Start-Process "MSIExec" -ArgumentList $Arguments -wait
}

 Event details are as follows (replaced domain name):

 The processing of Group Policy failed. Windows attempted to read the file\\localdomain.domain.com\SysVol\ localdomain.domain.com \Policies\{761C5A63-77D4-4999-8C60-9B46FFA1F4A1}\gpt.inifrom a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

 a) Name Resolution/Network Connectivity to the current domain controller.

b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

c) The Distributed File System (DFS) client has been disabled.

 The issue I found but am unable to resolve:

I confirmed name resolution, replication, DFS and connectivity. I have a 2008 32bit AD controller and a 2012 R2 AD controller. I noticed the Events on the 2012 server and ran dcdiag /c /v. After looking at the event itself I attempted to check the actual path (UNC from the server: \\domain.domain.com\SysVol\ localdomain.domain.com \Policies\{761C5A63-77D4-4999-8C60-9B46FFA1F4A1}\gpt.ini) and see if it truly existed on the target 2008 32bit AD server, it didn’t at that path. I logged into the 2008 AD server, searched and found it was at another location. I am unable to find anyone with this issue and not sure why. I figured try copying the folder there, that didn’t work.

 What I found when manually going to the server and going to c:\windows\sysvol – I have the following folders:

-Domain             - this is where it’s located.

-Staging

-Staging areas

-Sysvol (share)   – this is where it’s looking…

 I found the file under c:\Windows\Sysvol\Domian\Policies\{761C5A63-77D4-4999-8C60-9B46FFA1F4A1}\gpt.ini, the 2012 server is wanting it at:c:\Windows\Sysvol\Sysvol\ localdomain.domian.com \Policies\{761C5A63-77D4-4999-8C60-9B46FFA1F4A1}\gpt.ini

~ “I have not failed. I've just found 10,000 ways that won't work.” ~Thomas Edison

Hi, my domain is at the 2008R2 functional level, and I have a group policy which configures the "offer remote assistance" setting (Computer Configuration>admin templates>System>Remote Assistance).  I have noticed some interesting behavior, and I'd like to know if there's a more efficient way to do this:   Whenever this policy gets applied, it seems as if it removes all individuals from the "Offer Remote Assistance" group, then re-adds them.  I notice this because when I update the group policies on the clients, I see security log event 4733 (removing the account from the "offer remote assistance group") for each defined helper, then see security log event 4732 (adding the account to the "offer remote assistance group") for each helper.

Is there a better way to accomplish this without adding and removing the accounts from the "offer remote assistance" group every time the policy is refreshed?

I ask because I'm using a SIEM for logging privileged account usage or membership changes, and the hundreds of events per day are a bit noisy.

As always, any recommendations are greatly appreciated!


Thanks,

Kevin

Hi

I have been trying to make automatic log-in for my shares on MAC client when i login a AD user into the MAC client.In short i am searching for alternative of the functionality called 'logon' GPO which AD gives while logging into Windows client joined.

AD keeps the logon script with it and while logging in at the Windows clients with AD user credentials ,the share gets mapped automatically.But is it poosible to do same for the MAC clients that are part of the AD domain.

Let me know if there are any ways to do automatic mapping of my share while logging in into the MAC client(that is joined to AD domain) with AD user.

Appreciate your help in advance,

Thanks,

Manu

• AutoAdminLogon
• DefaultDomainName
• DefaultPassword
• DefaultUserName

Hello Everyone,

I would like to know if f it is possible to determine  what Executable applications are being ran by end user using Windows 7 PC. The workstations are on a Domain with 2008 DC functional level. Is there some registry key or Group Policy that can be set.

For example if Tom logged into PC: WRAD4005, he ran MS Word, IE, Google Chrome Etc. 

I have a Windows server 2008 R2 server running as a single domain controller in a small school environment with maybe 20 computers are so. The majority of these computers are lab machines for the students, so they're heavily locked down with GPO settings. Everything has been working fine except for one issue.

The screensaver is not activating like we have set in the GPO. The issue is not on all the lab machines but it is on most of them. I have double and triple checked my GPO settings and i do not see an issue. I ran a gpresult /X to output a file to see active GPO settings and my screen saver settings on indeed activated and running according to the outputted file! I tried unplugging the mouse and keyboard but that did not work either. I also logged into the admin account and set the screen saver to a short period of time and it activates without an issue. So it doenst seem to be a hardware issue.

My diagnosing abilities with these computers is limited from my test student accounts because they're so heavily locked down so take that into account, but i have enabled CMD for my own sanity!

This is a picture of the GPO settings that should be applied to the computer, this report was generated by running a Group Policy Results wizard from the DC.

 This is the report that was generated on the computer using the same test account. Only way i could get it off the computer was to take a photo with my phone so sorry about the quality.

What could be causing this issue? We have been having this issue for some time now and im even having this issue on two computers that i just re-imaged as well.

Any help is appreciated!

Recently we hired a Technician to assist in supporting our attached Network Computers.  However, after just a couple of months the Technician decided to move on.  We have noticed that while employed the Technician logged on many Computers with his IT Assigned Network Account.  This left behind the Technicians Profile on many of the attached Network Computers.

We would like to know if there is a process where we can use Group Policy or AD to scan all the attached Network Computers and remove the Technicians profile.

Thank you.

This problem occurs when i enter this in the local Policy or in a Domain Policy.

The Problem also occurs, when i enter syntactic incorrect values in this Entry.

In a Domain Network this is fairly fatal !!!!

All Domain Computers have Connection Problems and we must reboot all Domain-Controllers after we found the Problem.

I have tested the isuue in Server2012,Server 2012 R2,Windows 8,Windows 8.1.

How can i enter an IPv6-Address in this GPO-Setting ?

Jens Nitschke

I was wondering if there is a way to change the following message..."Unable to update the password.  The value provided for the new password does not meet the length, complexity, or history requirements of the domain" when trying to change our network passwords.  I would like for it to be more specific (ie: your password needs to be at least 7 characters long OR the password you tried as already been used within the last four changes). We use Windows Server 2008 R2 to handle Active Directory and Group Policy and the workstations are all Windows 7.

Hello

I have an active directory on windows 2012 datacenter. there is a domain on it. it works well.

Also there is a another AD on another location.  there is another  domain on it. also it works too. 

there is a trust relationship between 2 domains.

I disabled an account on first AD server 4 days ago. and then my colleague who manages second AD, notified that started to recieve some errors from eventviewer and have an issue about their group policy.

the issue event as below;

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller

(LDAP Bind function call failed). Look in the details tab for error code and description.

Event ID 1006

Event Source Group Policy

I think the concerning account was built on the second AD for a service. But we don't know how we can find the account on the second AD server in order to change it.

How can I fix the issue?

Thanks