ways to get administrator access via GPO
GPO policy is applied or linked to security group meaning
AD site and services having multiple sites
AD site and services troubleshooting steps
et administrator access on set of machines.
offer delegation for multiple GPO so I need to go each GPO delegation tab
trusted site, active X, folder redirection, map drive, map printer, favorites, short cut
Copy GPO settings only to new empty GPO - same domain (Windows Server 2008 R2)
Hi, I just want to confirm whether I have done the right thing. The main goal was to create new GPO which would have almost the same settings as the existing one with exception of settings related to one windows service. In order to accomplish this I backed up existing GPO, created new empty GPO and imported settings from the backup of existing GPO into the new GPO. Then I made some adjustments in new GPO by modifying settings which differ from the settings in the "original" GPO.
I know there is also a copy gpo feature and probably I would have accomplished the same result but I opted for backup - import settings variant. Restore from backup would probably work for me too.
Which of these ways is preferred way to solve this task - copy only settings from existing GPO to the new one in the same domain.
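The backup-then-import sequence described in the post above, as an added PowerShell example that is not part of the original post; the GPO names and the backup folder are hypothetical. It uses the GroupPolicy module cmdlets, then compares the settings sections of both GPOs' XML reports to confirm the import before any adjustments are made.

```powershell
Import-Module GroupPolicy

# Hypothetical names and path: replace with your own.
$sourceName = 'Workstation Baseline'
$targetName = 'Workstation Baseline - Service Variant'
$backupDir  = 'C:\GPOBackups'

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Back up the existing GPO and keep the backup Id for the import step.
$backup = Backup-GPO -Name $sourceName -Path $backupDir -Comment "Source for $targetName"

# 2. Create the new, empty GPO and import the settings from that backup.
New-GPO -Name $targetName -Comment "Imported from '$sourceName'" | Out-Null
Import-GPO -BackupId $backup.Id -Path $backupDir -TargetName $targetName | Out-Null

# 3. Compare only the configured settings (ExtensionData nodes). The report
#    header (name, GUID, timestamps, links) always differs and is skipped.
function Get-GpoSettingsXml {
    param([string]$Name)
    $report = [xml](Get-GPOReport -Name $Name -ReportType Xml)
    $nodes  = @($report.GPO.Computer.ExtensionData) + @($report.GPO.User.ExtensionData)
    ($nodes | Where-Object { $_ } | ForEach-Object { $_.OuterXml }) -join "`n"
}

if ((Get-GpoSettingsXml $sourceName) -eq (Get-GpoSettingsXml $targetName)) {
    Write-Output "Settings in '$targetName' match '$sourceName'."
} else {
    Write-Warning "Settings differ; review both reports before editing '$targetName'."
}
```

Import-GPO transfers settings only, so the new GPO starts unlinked and with the default delegation that New-GPO gives it; links and security filtering have to be set on it separately.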
Glitches in Windows 7 screensaver timeout settings
Hello all,
Cross-posting by request from the security forum (http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/5e15d5d6-b76f-4939-aa9d-feb4c3f1a009?prof=required).
I have a problem similar to the later posts in http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/3cf199a1-5f4b-4045-8394-d64e44a741a2/, but that question was marked as answered and I'm not sure anyone's looking at it. I have found screensaver/locking settings in Win7 to be a bit glitchy, and I was hoping to get feedback on whether this was a known problem.
My environment contains XP and Win7 workstations in a domain at 2003 functional level (there is a mix of 2003 and 2008 R2 DCs). I am trying to set a 15 minute screensaver-and-lock-workstation timeout, so I created a GPO and set "Enabled screen saver", "Password protect the screen saver", and "Screen saver timeout" (900 seconds). I didn't force a specific screen saver. The policy is linked to the user OU and filtered to the correct test users, and the appropriate screensaver settings show up as disabled on the clients once the policy is applied, but the Win7 computers seem to remember the settings they had before. For instance, I set my screensaver to apply after 1 minute, then I added myself to the policy and ran gpupdate /force. I saw the value in the "Wait X minutes" box in the screen saver dialog was now 15 (and disabled, so I couldn't change it in the UI), but my machine still locks after one minute. I think the policy works as expected on XP, but I haven't been able to verify that yet. Forcing a specific screen saver doesn't seem to make a difference.
Can anyone shed light on why the Win7 screensaver settings aren't behaving themselves? Is it a problem with the GPO or with Win7? I would appreciate any input. And sorry if this is considered a double post; I just wanted to make sure someone saw it as a different problem, since the marked solution in the other thread is irrelevant for me.
GP problems with legacy WSUS implications
I'm struggling with this issue that has come about as a result of moving my WSUS services to a newer server in my lab. At first things went smoothly, and updates were collected and distributed to most of the clients. Those not behaving were a Windows 8.1 client and a Windows 2012 server. After digging I found the WSUS update/patch that allowed WSUS to service these machines.
Then a new issue cropped up, where the old legacy WSUS server would become the one being used by most of the clients. I have used WSUS for many years, and used Group policy to distribute/control those settings, and I recall early on I struggled to get all the machines to accept the default Domain policy, but don't recall where that might have been in GP.
Anyway, I have 15 machines, all in the same forest and even in the same OU (Computers) the only exception of course are the DC's for which I have two. When I run gpupdate /force on each machine the two DC's and WSUS server all receive the proper expected group policy settings, where all the rest show the old WSUS server and settings.
The most strange behaviors are that all except the WSUS server and the DC's are receiving the old WSUS server name and settings, where the DC's and WSUS server (it's not a DC and in the same OU as the other "Computers" OU) are receiving the correct GP settings I have set.
I have searched (so far in vain) for the obvious other GP that is still pointing to the old WSUS server, and am looking for advice on how to search for and find the obvious errant Group Policy object that is pushing the old WSUS server's settings.
I believe I only have the one Group Policy "Default Domain Policy" but have also double checked the built-in "Default Domain Controllers Policy" and I find nothing including the old WSUS server settings for Windows Update.
My domain has been upgraded from Windows 2000, then 2003, and currently on Windows 2008 R2.
Can someone offer a suggestion to weed out any legacy or possibly orphaned GP objects I might be missing?
Thanks.
GPP shortcut
can anyone tell me why this isn't working?
Target type | File system object |
Shortcut path | %DesktopDir%\Company Documents |
Target path | \\serverfs |
Icon path | %SystemRoot%\system32\SHELL32.dll |
Icon index | 126 |
Shortcut key | None |
Run | Normal window |
Thanks
A few questions about Group Policy development
This post was originally in the Windows Development forum. Please note the following:
- This question is not about the application and management of GPOs. It's about how to develop a group policy.
- I know about Group Policy Preferences, please do not provide this as an answer.
I create a custom group policy for an application.
Recently the application developers allowed settings to be controlled via policy registry keys, in order to make these settings easier to set for Systems Administrators I have created a GPO. Unfortunately, there aren't that many resources I can find that help with Group Policy creation, so:
- Is there an easier way to create and edit admx/adml files rather than just a xml editor? Like a GUI front end?
- The vast majority of this application's settings are just a simple Boolean; is there any way to just use one base presentation element for multiple policies? Or do I really have to create a presentation element for every single policy? :/
- As mentioned above, most settings are a simple Boolean, but with an additional enforce parameter. If you "enforce" the setting the user is blocked from changing the value. I was going to peg the setting Boolean to whether the policy was Enabled or Disabled and have an enforce check box in the policy itself (this would make it easier to just glance at the configured settings and get an idea). Unfortunately, when you disable a policy you cannot interact with its contents, so the enforce check box cannot be toggled. So I have two options:
- Have two policies for each setting, e.g.: Disabled: Load printer settings with the document and Enabled: ENFORCE Load printer settings with the document
- OR what I have elected to do is just have the one policy with 2 check-boxes in it, one for the setting and one for the enforcement
The former is both more complex to write for me and more time consuming to configure for the Administrator; the latter is easier for me to write but still annoying to use. So my final question is: can I make it so, even though a policy is disabled, you can still toggle settings within the policy?
Issue with GPO for file security permissions
Hi All!
I need help with the following situation. I'm trying to set security settings for computers with windows 7 x64 - the targeted folder is in C:\Program Files (x86)\Example. When I do it with a GPO (Computer Configuration > Policies > Windows Settings> Security Settings > File System > Add Files) and I pick up the location from my workstation, the object name gets translated by the group policy to %ProgramFiles%\Exmaple and not to %ProgramFiles(x86)%\Example. I suspect this is because the domain controller is 32 bit server 2003. I did a test by picking up folder from C:\Program Files\Test, again the location gets translated to %programfiles%\test - but the security settings do apply!.
What I tried as workaround is to add a system variable on the domain controller, %programfiles(x86)%=c:\program files (x86), but the group policy doesn't translate it as I wish. Also, I came along to this - https://technet.microsoft.com/en-us/library/cc753580.aspx - and tried setting location, which will be translated by the hosts themselves, not by the group policy - %<programfiles(x86)>%\exmaple, but the GPO didn't apply.
Any Ideas?
Thanks,
DH
tools are used for GPO troubleshooting at server and client side with domain different domains environment
I have a problem in the distribution of an application via GPO.
Hi all,
I have a problem in the distribution of an application via GPO.
Actually the problem is due to non-implementation of the changes of the MST transformation file.
I have an installer in .MSI format, during installation the program requires the following parameters:
- DatabaseInstance "SRVAPPXXXX"
- DatabaseName "AAAAA_BBBBB"
- DatabaseUser "dbuser"
- DatabasePassword "password"
- SharedComponentsPath "\\SRVAPPXXXX\PATH"
Then through ORCA I prepared a .MST transform file that in the Property section corroborates the above parameters.
The installation is successful, but when the program is launched it faults as if the parameters supplied were empty.
So I made a further step, I tried to run the installer from the command line:
msiexec /qn /l*v c:\log.txt /i "\\SrvappXXXX\Share\Setup.msi" TRANSFORMS=\\SrvappXXXX\Share\Setup.mst
and also:
msiexec /qn /l*v c:\log.txt /i "\\SrvappXXXX\Share\Setup.msi" DatabaseInstance="SRVAPPXXXX" DatabaseName="AAAAA_BBBBB" DatabaseUser="dbuser" DatabasePassword="password" SharedComponentsPath=\\SRVAPPXXXX\PATH
In both cases the installation ends without any error.
In the first case it does not work, in the second one it does. Before relaunching the installation I have always previously totally removed the program.
Any suggestion is very welcome
Ruggiero Lauria
MCT-MCITP-MCSA-MCSE-MS SQL DBA
Software Installation fails via GPO
GP SERVER:
Windows Server 2008 R2 Standard 64 Bit
CLIENT PC's:
Windows 7 Professional 64 Bit
DEPLOYMENT INFORMATION:
General:
Deployment type - Assigned
Deployment source - \\SERVER\FOLDER\MSI.mis
Uninstall this application when it falls out of the scope of management - Disabled
Advanced Deployment Options:
Ignore language when deploying this package - Disabled
Make this 32-bit x86 application available to Win64 machines - Enabled
Include OLE class and product information - Enabled
Permissions:
Allow | XXXXXXXX\Domain Admins | Full control | No |
Allow | NT AUTHORITY\Authenticated Users | Read | No |
Allow | NT AUTHORITY\SYSTEM | Full control | No |
Allow | XXXXXXXX\Domain Admins | Read, Write | Yes |
Allow | XXXXXXXX\Enterprise Admins | Read, Write | Yes |
Allow | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read | Yes |
Allow | NT AUTHORITY\Authenticated Users | Read | Yes |
Allow | NT AUTHORITY\SYSTEM | Read, Write | Yes |
Allow | CREATOR OWNER | Read, Write | Yes |
Administrative Templates:
Startup policy processing time – Enabled 30 seconds
Always wait for the network at computer startup and logon - Enabled
Error(s) on test client PC:
Sourced from Windows Logs > System
Error 1 - "The install of application XXXXXX from policy XXXXXX install failed. The error was: %%1612"
Error 2- "Failed to apply changes to software installation settings. Software changes could not be applied. A previous log entry with details should exist. The error was: %%1612"
Based on the information above, is anyone able to advise if there is anything I have overlooked?
Jeet S
Network Drive disappear in Explorer (2012R2, Citrix XenApp 7.5)
We have some crazy behavior on our Windows Server 2012 R2 infrastructure.
SERVERS
+ 3 HP ProLiant DL380 G8 Server with Windows Server 2012 R2, thereof 2 with Hyper-V Role
+ 13 Virtual Windows Server 2012 R2
On those virtual Server running the following roles:
+ 2 Domaincontroller with AD and DNS
+ 1 Exchange Server 2013
+ 1 Server with Citrix XenApp 7.5 Delivery Controller and Studio
+ 2 Server with Citrix XenApp 7.5 Delivery Controller Agent (Worker Server), one is inactive
+ 1 Server with Citrix XenApp 7.5 NetScaler WebInterface
CLIENTS
+ ca 20 Windows 7 Pro
+ ca 25 Windows 8.1 Pro
ABOUT THE BEHAVIOR:
Users log in to their Citrix session from Intranet or Internet. Connection to their sessions works well and users can work normally. About 2-5 times a day most of the users have problems with the network drives. In Windows Explorer the drives disappear. About 30 seconds later most of the network drives are available again. We were connected with some users to watch it and we can see in Explorer that the network drives disappear one after the other on the left side in the navigation tree. After that most of the drives came back and are visible again. Normally one drive is missing. Not the same drive, every time another one. All network drives are mounted by GPO Policies (GPP). If this happens a user has to close his Citrix session and start a new one, until the drives disappear next time.
Has any of you ever seen something like this? We don't understand the situation and need some help to find a solution. Thanks to all of you.
Windows Updater Not Installing and Troubleshooter Wizard Is Not Working???
I am in need of help desperately!
I have tried to install the Windows 7 latest update since late October 2014 and every time that I have tried it has failed, this is messing with certain programs to either not run such as my Troubleshooter, leaving me unable to fix the issue, and making my computer to run poorly as well as when I am on Firefox unable to load pages, do downloads, watch movies & TV, or watch videos on You Tube without having to move the mouse around to keep it running and just freeze the picture on the You Tube and Xfinity but the sound keeps playing though. I am unable to run the Troubleshooter Wizard at all; gives me an error code 0x80131018. I have gone to the forums to find a solution I tried everything possible. Such as trying to do all the maintenance; disc clean ups, compressing files to save on space, checking the disc drives for errors, defragmenting the drives, try to use the Fix It (MicrosoftFixit.malware.RNP.1343648269423620.1.1.Run, as well as: MicrosoftFixit.ProgramInstallUninstall.RNP.1343648269423620.2.1.Run, as well as: MicrosoftFixit.wu.FISC.1341772369343897.1.1.Run, and: MicrosoftFixit50123) all the these would not help.
I also tried to run what information I received from viewing options from the Error Code 0x80131018 and all the HP Support Assistant and Windows Help and Support. These are some of them; SCUDownloader, Windows6.1-KB947821-v34-x64, HPSupportSolutionsFramework-en-11.51.0048, HPSupportSolutionsFramework-11.51.0048, HP CoolSense Technology - sp65424, HP Notebook System BIOS Update (Intel Processors) - sp55068, HP Power Manager Utility Software - sp55151, HP On-Screen Display Utility - sp55152, HP System Diagnostics UEFI - sp52407, and Intel Rapid Storage Technology Driver - sp55101. All these with running the maintenance, I also installed Boost, also ran the scans through my Norton Security, and so much more to try and fix this problem, I just can't remember everything that I tried I have been working so hard at solving this problem since of the effect of how this Windows Updater failing at updating and Troubleshooter not working to leaving me unable to find and fix these issues.
I am a Graphic Design Artist and I am pretty computer savvy but I am at a loss on this. If anyone has any advice on these issues please help me ASAP, I use my HP everyday and it is important for me to have it for work purposes, concepts and so much more. My Mother got this computer for me when I graduated from college in 2012 for my graduation gift so I can do what I do.
Thank you so much for your help in trying to get this resolved without having to take it into somewhere and pay $$ that I do not have.
GPMC looks for old domain name after rename
Greetings!
I've renamed my domain after reading white papers on the subject. The process went well except when I try to open the Group Policy Management Console it says the domain doesn't exist. It offers to let me select a different domain controller but it's looking in the old domain. I can't change anything in the dialog to point it to the new domain name. I've tried from my Win 7 work station and from the domain controller with the PDC role. I moved that role to a different DC and get the same results. The domain is at Server 2008 functionality level but all DCs are Server 2012R2. I did run gpfixup for both the DNS name and NB name. The only errors it produces relate to old software group policies that no longer are used and the file path has been removed. I need to get this fixed. I'd even be willing to start fresh with just default policies but blowing up the domain and starting over isn't an option. Thanks for any suggestions offered.
Unable to add service account to GPO so that SEPM can start
We recently moved our Symantec Endpoint Protection Manager to another server and I cannot for the life of me figure out how to add these three accounts to the Default Domain Policy:
NT SERVICE\semsrv
NT SERVICE\semwebsrv, and
NT SERVICE\SQLANYs_sem5
I need to add them to the Log on as a Service policy but when I go to add them I get this error:
Please help.