Channel: Group Policy forum

Analyze and optimization


Hello everyone,

I've been on this subject for 3 weeks now and I need help.

I'm a trainee in a company where I have to analyze and optimize their GPOs, as simple as that, so I learned in detail how this tool works, etc., and other useful things about Active Directory.

I learned their 60 GPOs (some rules have up to 600 settings...) and their thousands of parameters, which is essential for me, and during my searches I found many, many, many software tools to detect parameter conflicts or duplicated settings, but after all my tries I'm not satisfied today with what I found.

I used a trial version of GPOAdmin, the GPO Reporting pack from SDM, probably all the Microsoft tools, ActiveAdministrator, etc. I mean all these tools are very powerful and offer many features, but I just need something that will find and tell me where all the conflicts on my domain are, and with this I will correct these settings to have a fully capable, optimized domain, and users won't complain anymore because they'll have a faster logon, etc.

Maybe I don't use the products as I should, or maybe it doesn't even exist, but it seems very long to analyze everything by myself and write down every parameter on each object that will be applied and check whether there is a conflict or another GPO for this setting. Maybe PowerShell can help me with this, but I don't know how to use it either.

So here I am, and if you have any idea to help me with best practice, or if someone had to do the same job as I have, tell me; I'll be very happy to receive your information.

Thanks and sorry for my English.



Group Policy Preference - Scheduled Task - Daylight Savings...


I was almost certain that I have posted about this before - I have read plenty on the topic.

Problem - On Windows XP SP3, when using GPP to create Scheduled Tasks on a machine, when Daylight Savings time hits, the schedule is off by 1 hour.  This is because the GPP schedules the task based on UTC time, which is unchanged by DST.

That being said - all of my machines are now Windows 7 Embedded. I thought for sure that I had read somewhere that this issue was resolved in Windows 7 OR through a patch / hotfix that had been released to resolve this issue.

I am seeing some of my machines report correct times, and some are reporting incorrect times.  The incorrect times are bumped ahead by 1 hour.

Can someone point me in the right direction for any KB or documentation on this?  I have read over KB2738974 and also installed this hotfix on these machines.  I am pretty confused why my results are not consistent.

Any direction is greatly appreciated.

Thanks, 

sb

Question about Preferences Logging and Tracing.. timestamp on logs


I have enabled preferences logging and tracing for some of the preferences I have set up - specifically, scheduledtasks.  In the GPO, I enabled it and changed the default log file name to UserTasks.log.

My question is - how often should this log file be updated? Should it be updated every time the scheduled tasks GPP refreshes? The reason I ask is I just took a look at these files on my machines, and I have some that have a date modified of 3/8. If they are supposed to log each GP refresh, wouldn't my log file say sometime within the last few hours from today?

Thanks, 

sb

Security Group (Computer Object) apply to GPO


I created a GPO. Instead of applying the GPO to an OU, I want to apply it to a Security Group that contains Computer Objects.

I did the following:

1) Created the GPO, for Audit Logon: Success

2) Changed Authenticated User: removed "Allow: Apply Group Policy"

3) Added my Security Group, that contains "Computer Objects"

Gave it: "Allow: Read Access" and "Allow: Apply Group Policy"

Should this work?

Thank you for your help...

what is the difference creation of administrator account

Administrator access via GPO: Computer Configuration -- Preferences -- Control Panel Settings -- Local Users and Groups -- create local group, and Computer Configuration -- Policies -- Security Settings -- Restricted: what is the difference? Can I see a sample administrator group account creation with both methods?

System centre operation manager 2012 exam paper code


Hi,

Can anyone please let me know what is the System centre operation manager 2012 exam paper code?

Regards,

Windows 8 and IE10 not accepting Proxy Settings via Group Policy


We have recently introduced a couple of Windows 8 computers in our network, and we are having issues applying the Internet Explorer Proxy Server settings.

We use a Microsoft TMG 2010 server as our proxy server for accessing the internet. We have been using a GPO with the following settings to automatically configure our Windows 7 computers running IE9 with the appropriate Proxy settings:

User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Connection/Proxy Settings

  • “Enable Proxy Settings” : Checked
  • “Address of proxy” : server.domain.local
  • “Port” : 8080
  • “Use the same proxy server for all addresses” : Checked
  • “Exceptions” : Here we have a list of several internal or partner sites that should not be proxied.

This GPO has worked beautifully for our Windows XP and Windows 7 users with IE 7, 8 and 9. Now with Windows 8 and IE10, this no longer works. I’ve therefore added a Windows Server 2012 Domain Controller to the network, and using GPMC on that new DC, I created a new GPO with the following settings:

User Configuration\Preferences\Control Panel Settings\Internet Settings\Internet Explorer 10

Now, seeing as these are preferences, it’s a little different. But, I’ve “checked off” the option “Use a proxy server for your LAN” as well as “Bypass proxy server for local addresses”. Then I click on “Advanced” and set up all my proxy settings the way I would like them, including the proxy server name, port and exceptions list.

When this new group policy gets applied to my Windows 8 PC, the only setting that gets applied is the “Use a proxy server for your LAN”. It does not configure the name or port of the proxy server nor does it configure the exceptions list. If I go back to the GPMC, and edit the new GPO, the settings are all there. However, if I just view the settings from the main GPMC screen (without opening the GPO itself), I don’t see all of those settings (again, only the one “Use a proxy server…”)

What am I missing???

IE11 trusted sites zone site list information (through GPO) not getting filled for some of the RDS 2012 server users


I'm encountering strange behaviour on an RDS server where the IE trusted sites zone’s site list does not show as filled for some of the connected users.

The issue is that for a trusted site URL, users keep getting a login/password popup.

- I’ve verified the GPO side and found nothing strange
- comparing gpresult /Z of an ‘OK’ user session with a ‘KO’ user session shows that the below GPO settings are getting applied
- under IE trusted site zone settings, userA has sites listed and userB doesn’t have them!!

I tried to enable/disable IEESC again, with no effect. The only way I found to make it ‘work’ for the users facing the issue is to force their session’s IE settings to reset once. But as the below link shows, this isn’t a viable solution as (and I tested it) if a user’s profile gets deleted by the Admin, the issue appears again…

Is this a known issue? Is there a fix?
Any help would be much appreciated.

Thanks.


Configuration:
- a 2012 R2 RDS Server / IE11
- a GPO applying IE trusted zone site list + Logon Options
- IEESC is disabled at the VM template for users and disabled manually/script post VM deployment

  (Site to zone assignment list setting path:
   Computer Configuration > Administrative Templates > Windows Components >
   Internet Explorer > Internet Control Panel > Security Page)
   *.somedomain.net assigned to zone 2
  (Logon options setting path:
   Computer Configuration > Administrative Templates > Windows Components >
   Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone)
   set to value: automatic logon with current username and password

Quite Similar situation :

https://social.technet.microsoft.com/Forums/windowsserver/en-US/70b2dd7e-833c-4240-92e0-9b865e917307/trusted-sites-and-internet-zone-security-level-gpo-is-not-applying-in-windows-server-2008-r2?forum=winserverGP


MCTS Windows Server Virtualization, Configuration




how do you customize GPO's for certain sites?


A vendor sent us this email below. 

“Your pop-up blocker was enabled.  This needs to be disabled to ensure reading/writing of student data to our database.  I understand that you may not want to disable the pop-up blocker globally so if it’s possible, please disable the popup blocker via group policy for: 

Is that possible to do and if so how? 


mqh7

Windows 8.1 workstation Redirected files Not redirecting


I have a Windows 2012 Essentials server that is currently hosting Windows XP machines where Folder Redirection and Roaming policies are working. I have now been asked to start upgrading the machines to Windows 8.1. I now find that on the Windows 8.1 machines Folder Redirection is not working and Roaming profiles are fine; however, when I run RSOP.msc it reports that the Folder Redirection policy has applied successfully.

Regards

Maurice

How to ensure one GPO executes before the other?


Hello All,

There is probably a very easy way to do this, but how do I ensure that a GPO object executes before another? In my case, I have a "Servers" OU and within this, various sub OUs, e.g. SQL Server, Sharepoint, Infrastructure, etc.

All my GPOs (for now) execute at the top of the OU chain (Servers) but I need one to execute before the other. 

Thanks

OU-Linked Group Policies not applying in one site of 3


I've run up against something that I've never heard of before: I have 3 GPOs (all with only user settings) linked to an OU containing user objects and the GPO applies fine in site "Main" and site "Secondary" (both in the USA) but not site "Tertiary" in the UK.

If I log onto a domain controller located in site "Tertiary" the GPOs apply, but if I log onto any member servers (Win 2008 R2) or workstations (Win7), the GPOs don't apply.

GPO debug logging was enabled and I combed the logs on a test PC and it looks like the following is happening:

Win 7 Computer in Site "Secondary" GP service wants to target the user SID and looks for DC and where to start. It seems to do this successfully as the first thing it hits is the OU that the user account is located in as below:

GPSVC(1f8.7f8) 11:14:05:059 GetDomainControllerConnectionInfo: Getting Ldap Handles.
GPSVC(1f8.7f8) 11:14:05:059 GetLdapHandle:  Getting ldap handle for host: GCM-DC-S2.mydomain.com in domain: mydomain.com.
GPSVC(1f8.7f8) 11:14:05:059 GetLdapHandle:  Server connection established.
GPSVC(1f8.7f8) 11:14:05:059 GetLdapHandle:  Bound successfully.
GPSVC(1f8.7f8) 11:14:05:059 ProcessGPOs: Computer's domain is same as user's domain so using user's domain DC
GPSVC(1f8.7f8) 11:14:05:059 GetLdapHandle:  Getting ldap handle for host: GCM-DC-S2.mydomain.com in domain: <Unspecified>.
GPSVC(1f8.7f8) 11:14:05:059 GetLdapHandle:  Server connection established.
GPSVC(1f8.7f8) 11:14:05:074 GetLdapHandle:  Bound successfully.
GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\dskquota.dll.
GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for gptext.dll.
GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\TsUsbRedirectionGroupPolicyExtension.dll.
GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\iedkcs32.dll.
GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\srchadmin.dll.
GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\iedkcs32.dll.
GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\cscobj.dll.
GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for gptext.dll.
GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\iedkcs32.dll.
GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for gptext.dll.
GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for gptext.dll.
GPSVC(1f8.7f8) 11:14:05:074 GetGPOInfo:  ********************************
GPSVC(1f8.7f8) 11:14:05:074 GetGPOInfo:  Entering...
GPSVC(1f8.7f8) 11:14:05:074 SearchDSObject:  Searching <OU=Users,OU=Technology,OU=Primary,DC=mydomain,DC=com>

The problem PC located in the tertiary site looks a bit different. It gets a DC right away and doesn't say anything about the user's DC being same as machine's DC. Then it starts searching in the OU of the PC and works back up the LDAP org to the root domain/forest, meaning it never tries to locate the OU where the user object is, so it never discovers the GPOs linked to that OU:

GPSVC(268.1114) 17:40:51:457 GetDomainControllerConnectionInfo: Getting Ldap Handles.
GPSVC(268.1114) 17:40:51:457 GetLdapHandle:  Getting ldap handle for host: GCM-DC-L1.mydomain.com in domain: mydomain.com.
GPSVC(268.1114) 17:40:51:457 GetLdapHandle:  Server connection established.
GPSVC(268.1114) 17:40:51:457 GetLdapHandle:  Bound successfully.
GPSVC(268.1114) 17:40:51:457 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\dskquota.dll.
GPSVC(268.1114) 17:40:51:457 ReadGPExtensions: Rsop entry point not found for gptext.dll.
GPSVC(268.1114) 17:40:51:457 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\TsUsbRedirectionGroupPolicyExtension.dll.
GPSVC(268.1114) 17:40:51:457 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\iedkcs32.dll.
GPSVC(268.1114) 17:40:51:475 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\srchadmin.dll.
GPSVC(268.1114) 17:40:51:475 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\iedkcs32.dll.
GPSVC(268.1114) 17:40:51:475 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\cscobj.dll.
GPSVC(268.1114) 17:40:51:475 ReadGPExtensions: Rsop entry point not found for gptext.dll.
GPSVC(268.1114) 17:40:51:475 ReadGPExtensions: Rsop entry point not found for C:\Windows\System32\iedkcs32.dll.
GPSVC(268.1114) 17:40:51:475 ReadGPExtensions: Rsop entry point not found for gptext.dll.
GPSVC(268.1114) 17:40:51:475 ReadGPExtensions: Rsop entry point not found for gptext.dll.
GPSVC(268.1114) 17:40:51:475 ProcessGPOs: Using computer name CN=SPARE3,OU=Workstations,OU=Tertiary,DC=mydomain,DC=com for query.
GPSVC(268.1114) 17:40:51:475 GetGPOInfo:  ********************************
GPSVC(268.1114) 17:40:51:475 GetGPOInfo:  Entering...
GPSVC(268.1114) 17:40:51:475 SearchDSObject:  Searching <OU=Workstations,OU=Tertiary,DC=mydomain,DC=com>

Any ideas why this tertiary site is behaving differently than the secondary site would be greatly appreciated.

It seems user GPOs apply to the problem PC but only if they are linked to the OU the workstation is in or its parents, including site and domain root. So I could conceivably work around the issue by linking the problem GPOs to the root or site OU, but I'd really like to know why it's not finding the user OU and checking it for GPOs.

Thanks

Pete

Edit: I should note that I looked pretty closely at permissions, presence of the GPO files in the sysvol folder etc. All of that looks good and is replicating fine across all sites.
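
A small parser for the gpsvc debug-log excerpts quoted in the post above, added here as an example and not part of the original post. It pulls out the domain controller contacted, the ProcessGPOs decision lines and the first DN handed to SearchDSObject, so two traces can be compared field by field. The sample traces are shortened from the post's own excerpts; the names `summarize` and `diff` are this example's own.

```python
import re

# Shape of one gpsvc debug-log line: GPSVC(pid.tid) hh:mm:ss:ms Function: message
LINE_RE = re.compile(
    r"^GPSVC\((?P<pid>[0-9a-fA-F]+)\.(?P<tid>[0-9a-fA-F]+)\)\s+"
    r"(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<func>\w+):\s*(?P<msg>.*)$"
)
HOST_RE = re.compile(r"Getting ldap handle for host: (\S+) in domain:")
SEARCH_RE = re.compile(r"Searching <([^>]+)>")

# Sample input: lines shortened from the two excerpts in the post.
WORKING = """
GPSVC(1f8.7f8) 11:14:05:059 GetLdapHandle:  Getting ldap handle for host: GCM-DC-S2.mydomain.com in domain: mydomain.com.
GPSVC(1f8.7f8) 11:14:05:059 ProcessGPOs: Computer's domain is same as user's domain so using user's domain DC
GPSVC(1f8.7f8) 11:14:05:074 ReadGPExtensions: Rsop entry point not found for gptext.dll.
GPSVC(1f8.7f8) 11:14:05:074 SearchDSObject:  Searching <OU=Users,OU=Technology,OU=Primary,DC=mydomain,DC=com>
"""
FAILING = """
GPSVC(268.1114) 17:40:51:457 GetLdapHandle:  Getting ldap handle for host: GCM-DC-L1.mydomain.com in domain: mydomain.com.
GPSVC(268.1114) 17:40:51:457 ReadGPExtensions: Rsop entry point not found for gptext.dll.
GPSVC(268.1114) 17:40:51:475 ProcessGPOs: Using computer name CN=SPARE3,OU=Workstations,OU=Tertiary,DC=mydomain,DC=com for query.
GPSVC(268.1114) 17:40:51:475 SearchDSObject:  Searching <OU=Workstations,OU=Tertiary,DC=mydomain,DC=com>
"""


def summarize(trace):
    """Reduce one trace to the fields that matter when comparing two machines."""
    summary = {"dc_hosts": [], "process_gpos": [], "first_search_dn": None, "skipped": 0}
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or not a gpsvc line
        func, msg = m["func"], m["msg"]
        if func == "ReadGPExtensions":
            summary["skipped"] += 1  # repeated extension notices, counted only
        elif func == "GetLdapHandle":
            host = HOST_RE.search(msg)
            if host and host[1] not in summary["dc_hosts"]:
                summary["dc_hosts"].append(host[1])
        elif func == "ProcessGPOs":
            summary["process_gpos"].append(msg)
        elif func == "SearchDSObject" and summary["first_search_dn"] is None:
            dn = SEARCH_RE.search(msg)
            if dn:
                summary["first_search_dn"] = dn[1]
    return summary


def diff(a, b):
    """Return only the summary fields whose values differ between two traces."""
    return {key: (a[key], b[key]) for key in a if a[key] != b[key]}


if __name__ == "__main__":
    for field, (good, bad) in diff(summarize(WORKING), summarize(FAILING)).items():
        print(f"{field}:\n  working: {good}\n  failing: {bad}")
```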

Group policy Inaccessible

I have taken over administration of a Windows 2008 R2 domain and something I have noticed is that in group policies there are 3 policies that say Inaccessible and have a no entry sign over the icons for them. It says This GPO is inaccessible because you do not have read-level permission on it.

However, I am logged onto the domain controller as the domain Admin and still getting that error. I have tried logging onto the server as every other user that has access to log onto the server but am still getting that same message. I also tried accessing it from a user computer logged on as an admin.

Is there any way I can see which user would have access to these GPO's? Or is there a way I can take ownership of them?

Scheduling GPO


Hi Team,

  Help me to schedule a Group Policy to roll out or apply on specific date. Is there a way/tool/script whatever that we can schedule the GPO to update at a certain time.

Thanks in Advance..

loop back processing policy

What is meant by loopback processing policy? Does it mean assigning computer policy to users, or user policy to computers? How do I enable loopback processing, and after enabling it, will computer or user policy take precedence?

local users and groups and restricted groups administrator access

How to get administrator access to all client machines via GPO, e.g. Local Users and Groups and Restricted Groups? The requirement is to add a group to the built-in administrator group via both methods, so I just want to understand the differences.

Approved Installation Sites for ActiveX Controls

Please let me know whether Windows Components/ActiveX Installer Service needs to be enabled, and whether I need to add Approved Installation Sites for ActiveX Controls. I am not sure why we need to enable it and then also add approved installation sites. Windows 7 machines have the ActiveX feature by default and it is enabled as well, so why do we need to add approved installation sites?

Enable snipping tool via registry


Enable  snipping tool via registry on local computer as it is restricted by gpo.


Mukesh Saini

GPO in Active Directory, Removable Storage Settings are not Effective Under User Settings


I have a 2008 R2 domain. The Removable Storage Device Settings will work fine if I define them under computer configuration but not under User Settings.

Is it a normal shortcoming of GPO?

Please refer to the gpresult output below.

----------------------------------------------------------------------------------------------

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 2/11/2015 at 1:55:14 PM
RSOP data for MYDOMAIN\ADMIN on 2008-CLIENT : Logging Mode
-----------------------------------------------------------

OS Configuration:            Member Server
OS Version:                  6.1.7601
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\ADMIN.MYDOMAIN
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=2008-CLIENT,OU=PAS-Windows 2008,OU=MYOFFICE,DC=MYDOMAIN,DC=NET
    Last time Group Policy was applied: 2/11/2015 at 12:25:43 PM
    Group Policy was applied from:      DC-1.MYDOMAIN.NET
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        MYDOMAIN
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        MYDOMAIN Removable Device Policy Users
            Filtering:  Disabled (GPO)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        2008-CLIENT$
        Domain Computers
        System Mandatory Level
        

USER SETTINGS
--------------
    CN=ADMIN,CN=Users,DC=MYDOMAIN,DC=NET
    Last time Group Policy was applied: 2/11/2015 at 1:53:11 PM
    Group Policy was applied from:      DC-1.MYDOMAIN.NET
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        MYDOMAIN
    Domain Type:                        Windows 2000
    
    Applied Group Policy Objects
    -----------------------------
        MYDOMAIN Removable Device Policy Users

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        
    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone

Firewall Rule


I need a firewall rule that allows all protocols to and from a specific IP address,

What would that look like?

This did not work

*:*:10.10.1.45:enabled:CDA
