Channel: Group Policy forum
Viewing all 19997 articles

WSUS GPO for security group

Hello Everyone,

I am not sure if a post is out there but I am having trouble applying my WSUS GPO to my security group in my virtual environment.

Below is what I have in Active Directory:
Domain: NMVMTEST.local
Organization Unit: TEST-WSUS_OU
Security Group: TEST-WSUS-GRP
Computer Accounts: COM1, COM2, COM3, COM4

Below is what I have in my WSUS:
Name of WSUS: WSUS
Computer Group: TEST-WSUS

Below is what I have for my WSUS GPO:
Name: WSUS-COM

Enable client-side targeting                
Target group name for this computer: TEST-WSUS

Specify intranet Microsoft update service location                
Set the intranet update service for detecting updates: http://wsus.NMVMTEST.local                
Set the intranet statistics server: http://wsus.NMVMTEST.local

Below are the steps that I did.

  1. Create an OU (TEST-WSUS_OU)
  2. Create a security group (TEST-WSUS-GRP)
  3. Add Computer account(s) to security group (COM1 and COM2)
  4. Create a new GPO (WSUS-COM-GPO) with the following:
    Enable client-side targeting                
    Target group name for this computer: TEST-WSUS

    Specify intranet Microsoft update service location                
    Set the intranet update service for detecting updates: http://wsus.NMVMTEST.local                
    Set the intranet statistics server: http://wsus.NMVMTEST.local
  5. Linked the GPO (WSUS-COM-GPO) to the OU (TEST-WSUS_OU) and enforced
  6. Go to GPO (WSUS-COM-GPO) and in the Delegation tab, Advanced, and remove “Apply group policy” on Authenticated Users but leave “Read” checked.
  7. Add the new security group (TEST-WSUS-GRP) and check on “Apply group policy” and “Read”
  8. Apply the settings with gpupdate /force on my domain controller and on COM1 and COM2.

After applying the settings and restarting COM1 and COM2, I ran the command gpresult /r /scope:computer. In the “Applied Group Policy Objects” I did not see my WSUS-COM GPO listed but I did see that my machines were part of the security group (TEST-WSUS-GRP).

A second test that I’ve tried was if I removed the linked GPO on the OU and moved them to the domain level, the machines denied both of the GPOs.

A third test that I’ve tried was that if I removed the computers from the security group and move the two computer accounts (COM1 and COM2) to the OU where the GPO is linked, COM1 and COM2 will see the GPO. But I do not want to put those computers into a separate OU, I just want to leave them in the Computers OU. So this is not an option for me.

Am I doing something wrong? Can someone explain to me on what to do?

Thank you


Printer GPOs fail on some computers but work on others - error code 0x80070034

Hello, I have a couple of GPOs that roll our printers. They have been running smoothly for quite some time, then suddenly started giving out errors on our newer machines. Meaning, the GPOs will work fine on some clients but will not work on others. Also all other GPOs work fine on all clients. The clients are similar Lenovo Windows 7 64-bit machines.

This is the error: Event ID: 4098, Group Policy Printers. The computer '123.123.123.123' preference item in the 'Deploy printers - {3F6DE6D0-86DC-4D1F-AB99-81BC07F23F3C}' Group Policy object did not apply because it failed with error code '0x80070034 You were not connected because a duplicate name exists on the network. If joining a domain, go to System in Control Panel to change the computer name and try again. If joining a workgroup, choose another workgroup name.' This error was suppressed.

I turned every stone I could think of on the problematic machines but cannot find out a reason. I disabled anti-virus/firewall, I logged in as domain admin and I tried both user & computer GPOs. No luck. Notice that I can successfully connect manually to the Printer shares (the ones used to distribute the drivers).

Domain is Win2008 R2. The printers "live" on a Win2012 machine and the drivers come from there. I am using Group Policy Preferences. Ideas are welcome.

Thanks

Christos

Error on Event Viewer: Event ID 1058 - Server 2003

Windows cannot access the file gpt.ini for GPO cn={9F20CAF4-3C64-4251-B23C-9261B1BC5A58},
cn=policies,cn=system,DC=FCSMG,DC=LAN. The file must be present at the location <\\FCSMG.LAN\SysVol\FCSMG.LAN\Policies\{9F20CAF4-3C64-4251-B23C-9261B1BC5A58}\gpt.ini>.
(Access is denied. ). Group Policy processing aborted.

Verified the folder does exist in the policies folder.

Folder redirection still in place after moving user account out of OU

One of our customer companies was using folder redirection for Documents and Favorites. They decided to put files in the cloud and get away from folder redirection. Their servers are running Windows Server 2012 and all clients are Windows 7 SP1 x64.

So after they copied all their data to the cloud I moved the user accounts from the OU with the folder redirection GPO to another OU that did not have the GPO linked. I then instructed them to reboot their computers twice.

For most of them it worked, however there is a small number that when they look at the Documents library it still shows "My Documents" is redirected to the server.

What do I need to do with this small number of clients to get redirection removed and the Documents folder local again? The GPO was set to redirect the folder back to the local userprofile location when the policy is removed.


Jonathan

Program Shortcuts are not reflecting in Program Menu

Hi Team,

In my organisation we are using Windows Server 2008R2 as DC and Windows XP SP3 as client machines. The issue is with the program shortcuts not getting replicated for client machines having Windows XP.

Please help.

Item level targeting not hitting nested security group

Hi guys,

Got two security groups (A & B). Group B is a member of A.

We've applied item level targeting with security groups. We've chosen a bunch of drive maps to apply to Group A (which I was hoping would apply to Group B also).

The drive maps appear for the users of Group A but not Group B. Is this expected behaviour?

Any help appreciated. Thanks

How to create and link, and is there any difference? Domain and OU level

Hi guys, I am new to GPO and just want to know what the difference is between Domain level and OU level GPOs. E.g. I want to create an all user\workstation policy that applies to all machines, so how do I create the GPO and link it? If a GPO needs to be created and linked to a specific AD site, e.g. site A (OU A), how do I create and link it, and is there any difference between domain and OU level?

Group policy items missing from Windows 7 RSAT

Hello again,

I am running AD DS on Win 2012 R2 and trying to set up policies for desktop wallpapers and lock screens.

For Win 8 clients, lock screens are configured via Computer Configuration > Policies > Administrative Templates > Control Panel > Personalization but when I access the Group Policy Management from a Win 7 PC with RSAT, the Personalization option is missing, only Regional and Language Options, and User Accounts is there. On the Win2012R2 server itself, the options are present, so this really isn't too big of a deal, but I would prefer to be able to access everything from the Win7 client rather than having to remote into the 2012 server to make changes.

So, question is, is there a patch or update that I am missing from the Win 7 RSAT to add the functionality? Or are these items missing by design?

Thanks.


Issue with ActiveX filtering

Hello,

My computer (Windows 7) belongs to a domain. The GPOs are provided by a domain controller under Windows 2008 R2. I have an issue with the registry and group policy settings applied for IE10.

I use a Silverlight web application:
Case 1: When I don't apply the registry and group policy settings for IE10, I can display the Silverlight part of my application.
Case 2: When I apply the settings for IE10, I can't (Silverlight is blocked and a blank page is displayed).

I noticed that when no settings are applied, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2702 is set to 3 (the Zone 3 is the Internet zone). If I change 3 to 0, the application doesn't work.

So I thought it should work in case 2 if I add the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2702 with the value 3. But it doesn't work! I suppose there are some other GPOs or registry keys to modify but I can't manage to find which ones.

Thanks for your help !

Note: The Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2702 key enables or disables ActiveX filtering.

(Site to Zone Assignment List)

After adding a trusted site (Site to Zone Assignment List), how do I set the values? I mean the intranet site and internet site values.

Windows Update settings revert to default over time when applied using GPO

Hi,

I have a Group Policy Object that specifies all the required WSUS and Automatic Update settings, which is applied to my Servers OU.

All of my servers honour the GPO policy settings, which is set to Automatically download and to notify when to install patches.

However, some servers, both Server 2003 R2 and Server 2008 R2, decide that after a few weeks of running, they revert to Automatically download and install patches at 3am (which causes unscheduled reboots in the middle of the night).

When the server reboots I can see in the Computer Properties > Automatic Update settings, the setting to automatically install,  however when I run gpupdate /force /target:computer, the Automatic Update settings correct themselves back to Notify.

I have checked for any conflicting GPOs and there are none.

Any ideas why the Group Policy engine isn't refreshing the Windows Update settings?

Regards 


Steven Wells

Can't run gpupdate /force

Hi All,

I encountered a problem with Group Policy.

No matter where I try to run the command "gpupdate /force", I get this error:

Updating Policy...
User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were enc
ountered:
The processing of Group Policy failed because of an internal system error. Pleas
e see the Group Policy operational log for the specific error message. An attemp
t will be made to process Group Policy again at the next refresh cycle.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
rom the command line to access information about Group Policy results.

I tried to read Event Viewer and there is just 1 error, below:

Completed Registry Extension Processing in 546 milliseconds.


If I open the event in the Event Viewer GPO log and then under "Operation" choose the "Details" tab, I see this information:

+ System
- Provider
[Name] Microsoft-Windows-GroupPolicy
[Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
EventID 7016
Version 0
Level 2
Task 0
Opcode 2
Keywords 0x4000000000000000
- TimeCreated
[SystemTime] 2015-03-15T07:44:25.487518200Z
EventRecordID 10111769
- Correlation
[ActivityID] {A827D809-845C-4287-99F8-9D744DFFF4FD}
- Execution
[ProcessID] 896
[ThreadID] 3444
Channel Microsoft-Windows-GroupPolicy/Operational
Computer XXX-DC01.XXXX.COM
- Security
[UserID] S-1-5-18
- EventData
CSEElaspedTimeInMilliSeconds 547
ErrorCode 2147500037
CSEExtensionName Registry
CSEExtensionId {35378EAC-683F-11D2-A89A-00C04FBBCFA2}

As of now I can't apply a new GPO, can't run gpupdate, and can't rejoin a new computer to my domain. One big mess.

Another vital piece of information:

Even DCDIAG does not succeed and fails:

 The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Gr
again at the next refresh cycle.
 error event occurred.  EventID: 0x00000465
 Time Generated: 03/15/2015   09:33:07

Does somebody know what I can do?

Thank you.


My Website:www.Pelegit.co.il Mcitp /Mcsa 2012



I am looking for some samples of loopback processing policy

What is meant by loopback processing policy? In which scenario is it used, and will it be enabled by default? Is it used only for conflicts between computer and user policy? I am looking for some samples of loopback processing policy.

nested OU GPO logic

Please help me to understand nested OU GPO logic. E.g. a parent OU has 10 GPOs, so will they apply to the child OU by default? Will the parent OU GPO take precedence, or the child OU's? Again, if the parent OU GPO is enforced, will it apply to the child OU?

Windows Time Server setting not following group policy

I hardly use group policy, except for two settings:

  • User Configuration\Administrative Templates\System\User Profiles\Exclude directories in roaming profile
  • Computer Configuration\Administrative Templates\System\Windows Time Service\Configure Windows NTP Client & Enable Windows NTP Client

The first setting has worked perfectly for years, but the second one seems to have stopped working, in that the time on client PCs has become out by several minutes. The client PCs are running Windows 7 and Windows 8.1.

Following is the result under [TimeProviders] when I run W32TM /query /configuration:

On the server:

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Policy)
ResolvePeerBackoffMaxTimes: 7 (Policy)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 0 (Policy)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Policy)
Type: NTP (Policy)
NtpServer: time.windows.com,0x9 (Policy)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

On the Windows 8.1 client PC:

NtpClient (Local)
DllName: C:\Windows\system32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NT5DS (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
NtpServer (Local)
DllName: C:\Windows\system32\w32time.DLL (Local)
Enabled: 0 (Local)
InputProvider: 0 (Local)

Can anyone help me to fix this please so that the client PCs sync their time correctly with an NTP server?


GPO for Generating popup message during Shut down

Hello,

I want to apply a GPO in my Active Directory that generates a warning message in a popup window during shutdown of the system.

For this I created a batch file with the script:

@echo off
msg * switch off the UPS before Leaving the system

I applied it to Computer Configuration >> Shutdown in the GPMC, but it does not work; also, in the GPMC the settings of this GPO show as not configured. Can anybody suggest what else I have to do?

Thanks

Sunny


Windows Components/ActiveX Installer Service

Windows Components/ActiveX Installer Service: what is its use, and in which scenario can it be used? Do I need to add a trusted site?

Group policy Issue @ Site level

Hi Team,

I have 2 domain controllers on different sites, namely Bangalore and Chennai. I applied a GPO at the Bangalore site level. The GPO is getting applied to the domain controller which is located on the Bangalore site. I have a client which uses the domain controller from the Bangalore site for authentication. Unfortunately the GPO is not getting applied to the client.

Client computer is part of computer group and user is part of user group. No inheritance applied.

Can anyone suggest how to fix this issue?

Regards

Sajin P S

preferences-registry

Computer Configuration - Administrative Templates policy definitions - Preferences - Registry: in which scenarios can it be used? Can I have one sample example?

AppLocker dilemma

I came across a question: If in AppLocker Domain Admins are allowed to run iexplorer.exe, and then there is a deny rule for Domain Users, will Domain Admins be able to run iexplorer.exe? Are Domain Admins part of the Domain Users group?

Glenn Camilleri
