Channel: Group Policy forum

Firewall exception Office 365


Here's the issue.

Office 365 Lync has a download that needs access through the Windows firewall OR users get a message stating "Some features may be blocked". Since my users do not have admin rights they cannot allow the app. So they have to contact me.

I created a rule that allows the plugin the access it needs BUT, when I created the rule I noticed an issue that I knew would become an issue.

The path to the plugin is

%LocalAppData%\Microsoft\lwaplugin\15.8.20017.342\pluginhost.exe

Bad enough they put the plugin in the localappdata folder which I was trying to block due to virus issues BUT, they put the plugin version in the path.

I pointed out to the app guys that while I could open this it would become an issue down the road if the version changes. 3 days later... It changed. The new path is

%LocalAppData%\Microsoft\lwaplugin\15.8.20018.735\pluginhost.exe

Because this is Office 365 it's controlled by Microsoft thus I can't change the path (I don't think)... Is there anything I can do as far as GPO rules here?

Thanks

RS


Any way to require a minimum 4 character change in AD password settings?


We are being asked if there is a way to require users to change a minimum of 4 characters in their passwords upon expiration.  So if we have a password of PassWORD999, we would force a change to something like PassTIME999. This requirement is above and beyond just the GP enforce password history.

We would like to accomplish this via AD group policy, but are open to a third party solution if necessary.

Thanks

Folder Redirection fails user at remote site, usually


2008 Servers with folder redirection in group policy, drive maps in group policy, profile hard-coded in AD user record.  Windows 7 clients.

We have a main site with 10GB MPLS, 1 remote site with T1 MPLS, 1 remote site with 2 bound(?) T1's.  Domain controller at each site.  The issue is:  a user with redirect folders on main site server visits a remote site (the one with single T1), tries to logon.  Profile loads successfully, the gp-mapped drives are good; but the folder redirections get error "'path' refers to a location that is unavailable.  It could be on a hard drive on this computer, or on a network.  Check to make sure that the disk is properly inserted, or that you are connected..."  Event ID is 502, Folder Redirection - "failed to apply policy and redirect folder... Access is denied"  And those folders that should have been redirected remain inaccessible - can't browse to them.  You can map them, but can't access contents of the mapped drive.  This same user redirects these same folders successfully at the main site, and tests aren't getting errors at the other remote site.  It doesn't seem to pick on certain PCs, occasionally someone signs on without errors.  It doesn't error the other way.  User with remote site folders logs on at main site, no problem.  Any ideas?


Mike Murphy

How to Configure Remote Powershell Setting using GPO on Clients


Hi Experts

There are a number of cases where our IT team needs to perform operations on remote desktops using PowerShell. So, we want to configure Remote PowerShell (Enable-PSRemoting or winrm) on all client machines using GPO.

1. Could you please suggest the steps to perform on the GPO?

2. What will be the drawbacks if we enable this on client machines (like IIS / vulnerability)?

Thanks

Cannot Re-enable Writes to USB and Optical


Created a policy on a small domain to restrict writing to external media.  Used a GPO (with security filtering set to a specific User Group) to enable the settings found in User Config/Policies/Admin Templates/System/Removable Storage Access - specifically:

CD and DVD: Deny write access: Enabled
Floppy Drives: Deny write access: Enabled
Removable Disks: Deny write access: Enabled
Tape Drives: Deny write access: Enabled
WPD Devices: Deny Write access: Enabled

and also:

Windows Components/Windows Explorer

Remove CD Burning features: Enabled

Now I need to remove these restrictions for ONE user.  Not having much luck.  To troubleshoot, I've tried removing for ALL users, STILL won't work.  More specifically, I've tried:

1. Creating a new policy that has the opposite settings and applying to a new group (I removed the user from the old group and added them to this one).  Rebooted.  This did not work.

2. Reset the policy settings to DISABLE those restrictions. Rebooted. That has not worked.

3. Removed both policies and deleted the contents of HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices (after backing up, of course).  Rebooted.  That did not work.

4. Tried creating a local user account with the policies disabled but that reports access denied as well when attempting to copy files to a USB flash drive.

These should be USER settings.  Why are they NOT removing themselves and more importantly, how do I get them removed?

what group policies are there on a user profile


Hi,

How can we know what group policies are there on a user profile when he logs in and out (like home folder, shares, password policies etc.) from the domain controller?

Thanks in advance

Getting logs of files copied away from a laptop

Is there a group policy setting to monitor external storage usage rather than outright blocking the use? We want to be able to know which files are being copied away from the system.

Liyide, A.G.

Sudden slow domain log in from "all Win 7" workstations in a Server 2012 R2 domain.


We had 2 domain controllers in a small network [2 servers running codomain function, 4 workstations]. We retired the Win 2003 DC and did a DC promo to the Win 2012 R2 DC. There were some issues with the DNS and DHCP initially. It was all sorted out [I think].

The network was working fine for about a week to 10 days. Now for the past 2 days all the workstations [we have only 4] which run Win 7 are taking longer than usual to domain log in users. If the previous log in time was 30 seconds now it takes 1 minute. After Ctrl-Alt-Del, enter user name and password, you see a circle for almost 1 minute before you are able to log in to the desktop.

Also when I log in to the Server 2012 R2 machine it takes a little longer for the user profile to load up [when the machine was initially set up, log in to the server will be fast, now it may have slowed down by 15 seconds, still faster than it takes to log in to the workstations].

Any suggestions how to resolve this? Is it DHCP related? [I have checked all the workstations' NIC and have pointed them with fixed IP address to the DNS/DHCP server (I have only 4 workstations)]. Despite this there is sudden slowness for all users in all workstations.

Thanks for your help.



Best way to clean up GPO & PolicyDefinitions central store


Here is my dilemma: I am doing a migration from SBS 2008 (Windows 2008, not R2) to Windows 2012R2. I have a few questions about the central policy store. Right now depending on which files are placed in the Policies\PolicyDefinitions folder it allows me to see certain GPO items. I have some Citrix & Outlook ADMX items I have implemented which require ADMX files to be placed in the store. What is the best way for me to administer this? I want to be able to view all GPO items from any of my DCs without having to move files around or getting the "Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management" message.

Should I download the Administrative Templates (ADMX) for Windows Server 2008 R2 and Windows 7 & Administrative Templates (ADMX) for Windows Server 2012 R2 and Windows 8, placing these alongside the Citrix & Outlook ADMX files? How can I have all work together? I removed a ton of the items that were there from the previous admin and placed them in a subdirectory called "_old" and everything is working with no issues.

I have also been going through and cleaning up a ton of the old GPO items along with removing all of the SBS stuff. Is there a way to see what ADMX files a certain GPO requires?

Blocking an application during a set time period on a terminal server


Hi,

Is it possible to set up a group policy to temporarily block an application (Outlook) during a set time of the working day? This would be on a terminal server (2008 R2 Enterprise x64 SP1). 

Any suggestions or advice would be greatly appreciated.

Thanks,

restrict the user to access one folder only and deny all other folder in D: drive


Hi,

I am running Windows Server 2008.

I have a user to which I need to set permission so that he can access only one particular folder and deny access to all other folders. How can I set the permission?

It's very urgent. Please help me.


WMI Filters Folder NOT Found in Group Policy Management Console.


We have a Small Business Server 2011 Standard Edition install that is Hosting a Domain that was migrated to it from Windows Server 2003 Standard Edition. All seems to be working. We have a few problems that we are trying to work on one at a time when this issue was brought to light.

We were trying to push the installation of a client software via group policy and in the process to have it pushed by the server, we had to configure several WMI filters in the group policy management in the SBS 2011.  We opened the console and found that the WMI Filters Folder is nowhere to be found.

We would like to find out what can be the cause and resolution of this problem.  I would like to find out how to get the WMI Filters folder back in the Management Console and be able to create the filters that will help us deploy the client software we need to provide to our users using the group policies.

Has anyone experienced this problem?  Can we just go into the group policy management console and create the object and then import the default filters into that object we created?  The filters were exported from another SBS 2011 Standard Edition install that has the WMI Filters folder in the GPMC.

Need help on this situation.  Have very little experience in troubleshooting GPO and GPMC issues.

Thank you


JFM

Windows Update settings revert to default over time when applied using GPO


Hi,

I have a Group Policy Object that specifies all the required WSUS and Automatic Update settings, which is applied to my Servers OU.

All of my servers honour the GPO policy settings, which is set to Automatically download and to notify when to install patches.

However, some servers, both Server 2003 R2 and Server 2008 R2, decide that after a few weeks of running, they revert to Automatically download and install patches at 3am (which causes unscheduled reboots in the middle of the night).

When the server reboots I can see in the Computer Properties > Automatic Update settings, the setting to automatically install,  however when I run gpupdate /force /target:computer, the Automatic Update settings correct themselves back to Notify.

I have checked for any conflicting GPOs and there are none.

Any ideas why the Group Policy engine isn't refreshing the Windows Update settings?

Regards 


Steven Wells

Delegation


How to check which user has the right to what if the user has been given specific permission through delegation tab in AD?

Thanks

GPMC looks for old domain name after rename


Greetings!

I've renamed my domain after reading white papers on the subject. The process went well except when I try to open the Group Policy Management Console it says the domain doesn't exist. It offers to let me select a different domain controller but it's looking in the old domain. I can't change anything in the dialog to point it to the new domain name. I've tried from my Win 7 workstation and from the domain controller with the PDC role. I moved that role to a different DC and get the same results. The domain is at Server 2008 functionality level but all DCs are Server 2012R2. I did run gpfixup for both the DNS name and NB name. The only errors it produces relate to old software group policies that no longer are used and the file path has been removed. I need to get this fixed. I'd even be willing to start fresh with just default policies but blowing up the domain and starting over isn't an option. Thanks for any suggestions offered.


Copy GPO settings only to new empty GPO - same domain (Windows Server 2008 R2)


Hi, I just want to confirm whether I have done the right thing. The main goal was to create a new GPO which would have almost the same settings as the existing one with the exception of settings related to one Windows service. In order to accomplish this I backed up the existing GPO, created a new empty GPO and imported settings from the backup of the existing GPO into the new GPO. Then I made some adjustments in the new GPO by modifying settings which differ from the settings in the "original" GPO.

I know there is also a copy GPO feature and probably I would have accomplished the same result but I opted for the backup - import settings variant. Restore from backup would probably work for me too.

Which of these ways is the preferred way to solve this task - copy only settings from an existing GPO to the new one in the same domain?

Software Restriction Policy not blocking MSI files

Hello, we have one SRP in place on our domain that includes MSI files in the Designated File Types, however it is not blocking users from running them.  Has anyone else had this issue?  What are some things I should look out for?  Thanks.

Hardened UNC Access-Prevent scripts in GPOs from running from Sysvol, that do not have UNC in them?


I have read about the Windows Server update that is blocking GPOs that run scripts from UNCs by default. I read about the way to create a policy to add Sysvol into those paths.

http://support.microsoft.com/kb/3000483

http://support.microsoft.com/kb/3004361

Those (2) updates sound like they will block UNC paths in a script, until you configure UNC hardened access.  The problem is the updates have not applied on my production domain controllers yet, so I do not have the options to configure UNC hardened access.

Will one of these updates block scripts from running from Sysvol, even if they do NOT contain a UNC path in them?  Just want to double-check because I have scripts that are running from Sysvol (which is across a network path), and they reference things in Sysvol, without using a UNC, and not sure if that will break.

Thanks,

Dave



Denied users to see hidden file


Hello,

I have a hidden file on a TS Server. The end user must not see this file because it contains some information for a program (licence, etc.).

How can I disable for the user the option to show hidden files?

In my user GPO, I have set in Folder Options -> Do not show hidden files and folders. I can set the default with this setting, but the user can change this setting whenever he wants.

How can I block the right to define this setting by the end user?

Thanks

Folder Redirection move changes NTFS permissions


I am in the process of migrating my users to a new file server. The folder structure of the new file server is wildly different, so to simplify the move, I am letting Group Policy move each redirected folder to the new location when the user logs on (by checking the "Move the contents of <FolderName> to the new location" option).

The move works fine, however during the process, the NTFS permissions are changing. The original location has the user account itself granted Full Control of the root folder, and inheritance propagates that permission to all subfolders and files. The new folder created by Group Policy on the destination server is different. The user has Full Control, but only for "This object only"... on all subfolders and files. The net result is effectively the same.

The problem occurs when it comes to scanning. Our scanners are configured with a service account that has permission to save files directly into the user's Documents folder. In this case, the service account owns the file. Since the user has been granted "This object only" access to all objects, they don't have access to the newly created file.

Is there any way to change this behavior so I don't have to touch each and every redirected folder for each and every user after they have been migrated?
