Channel: Group Policy forum

AD 2012 Black Screen when apply Wallpaper GPO


Hello,

We are trying to apply a Wallpaper GPO with an image on desktop workstations.

On some workstations the image appears correctly, but on most computers, after we apply the GPO, it only changes to a black screen.

We use AD 2012 and the workstations are Windows 7.

We have done several tests, e.g. changing the image format from BMP to JPG; we made tests with permissions on folders and also with registry keys.

I would appreciate any advice.

Thanks.

Manuel


Manuel's Microsoft Forums Threads


Error message while adding a computer account to a local group in Group Policy Preferences...


Hi all;

Suppose I want to add a computer account to Event Log Reader on local computers by using Group Policy Preferences. Look at the following figure:

But after selecting the desired computer account and clicking OK, the following error message appears:

Any ideas?

Thanks


Please VOTE as HELPFUL if the post helps you and remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Deploy Files In GPO with UAC enabled


Hello,

I want to deploy multiple folders and some files in GPO with UAC enabled in Program Files (x86).

My files must be updated when I change them.

My files are saved in this folder:

\\SHAREDFOLDER\APPSNAME\PRODUCT1\FILE1.dat

\\SHAREDFOLDER\APPSNAME\PRODUCT1\FILE2.dat

\\SHAREDFOLDER\APPSNAME\PRODUCT2\FILE1.dat

\\SHAREDFOLDER\APPSNAME\PRODUCT3\FILE1.dat

\\SHAREDFOLDER\APPSNAME\PRODUCTxx\FILExx.dat

Destination folders are:

%HOMEDRIVE%\ProgramFiles (x86)\APPSNAME\PRODUCT1

%HOMEDRIVE%\ProgramFiles (x86)\APPSNAME\PRODUCT2

%HOMEDRIVE%\ProgramFiles (x86)\APPSNAME\PRODUCT3

%HOMEDRIVE%\ProgramFiles (x86)\APPSNAME\PRODUCTxx

I have made a script with robocopy and it works, but on computers with UAC enabled it doesn't work.

robocopy command: robocopy \\SHAREDFOLDER\APPSNAME %HOMEDRIVE%\ProgramFiles (x86)\APPSNAME /S /R:1 /W:1

I have checked GP Preferences but I can't copy a folder with its files; I must create a line in GPP for each file and each folder.

Thanks for your help

When logging on to Windows 7 user gets a second mapped drive to the users home folder


Morning,

I'm working through an issue we've discovered whilst trialing Windows 7. Our environment is set up as follows.

Domain Controllers are Windows Server 2003

Clients are Windows XP and Windows 7

Windows XP and Windows 7 clients are in separate OUs

All Windows XP Group Policies apply to Windows XP and Windows 7 clients; Windows 7 policies are then applied to Windows 7 clients afterwards

Windows 7 policies are set up such that any setting defined in a Windows XP Group Policy is left unconfigured in the Windows 7 Group Policy, and only new Windows 7 settings have been set in Windows 7 Group Policies.

We have users' home folders mapped in their Active Directory account settings and set to H:\ to connect to \\domainname\dfs\home\username

In addition, as a fail-safe, we also map the drive via a login script using net use

This has worked fine for years in Windows XP: if Active Directory failed to map the drive for any reason, then the login script would map the home drive.

In Windows 7 we have noticed a curious error. We found that after a period of a couple of weeks we suddenly started getting a new drive mapped. This was identical to the H:\ drive mapping but was instead under drive Z:\. In other words, the user's home folder is mapped twice, on H:\ and Z:\. This is not affecting any of the Windows XP users.

I have gone through several logical reasons to ascertain why this has happened, with the following findings.

1. Originally we thought the error appeared when we tried out mapping the home drive using the mapped drives functionality new in Windows 7 Group Policy under Preferences > Windows Settings > Drive Maps. However, after forcing it to delete the Z:\ drive using this functionality, we only succeeded in removing it while a Group Policy was present to do it. As soon as we removed that Group Policy, the Z:\ drive came back.

2. Secondly, I thought the reason we would be getting a Z:\ drive when we haven't specified it anywhere is that Active Directory is trying to map to the H:\ drive, but it is already present, therefore in Windows 7 it tries to map to a different drive. Using Windows logic it tries the highest letter first, which is unlikely to be in use, i.e. Z:\. This makes sense because our logon script uses a net use H: command to map the drive, and I believe by default these are set to persistent. Therefore the next time the user logs on, H:\ is already mapped, so the logic in Active Directory accounts maps the drive to Z:\ instead; hence we end up with two mapped home drives. To test this I altered the login script to set the drive maps to non-persistent using persistent:no. The logic here was that when the user logged off the drive would become unmapped, so that when Active Directory tried to map the drive it would be able to use H:\. Unfortunately this was not the case and Z:\ remains.

3. Here is where I resolve the issue, but I don't know why, and this is the bit I need answering. If I go into my account in Active Directory, go to Profile and set the home folder drive letter to another letter, i.e. change from H:\ to U:\, I get prompted to set full control etc. and apply. I then set the drive back from U:\ to H:\; again I am prompted about setting full control, which I accept.

NOW when I log in I no longer receive a Z:\ drive and only get an H:\ drive. YAY, that's what I want; however, I do not understand why this is the case. At first I thought it might be something in the Active Directory logic when I log in to an XP machine and then log in to a Windows 7 machine, bearing in mind that although I get a new profile in Windows 7 I still retain the same home folder setting. However, after logging on to an XP machine, logging off, then logging on to a Windows 7 machine, I still didn't get the Z:\ drive back.

I have tried creating a new user that ONLY receives our Windows 7 Group Policies and still they receive both an H:\ and a Z:\ drive, which rules out the Windows XP policies conflicting with the Windows 7 policies.

Does anyone have any ideas why I would get a second drive mapped to Z:\ when logging into Windows 7 on a Windows Server 2003 domain?

Can anyone explain in more detail exactly how the Active Directory functionality works when you specify a "connect to" drive letter for a user's home folder?

My current workaround is simply to add a net use command to remove the Z:\ drive. I do not want to use mapped network drives via the new policy settings in Windows 7 RSAT because we have already found issues with it.


Maximum password age for domain users (not computers)


I need to have a password policy with maximum password age set to 30 days. I want to apply this policy on some OUs that contain user accounts, not computer accounts. But when running RSoP I can't find the policy unless the computer account is a member of the OU with the GPO.

Is there a way to make this policy based on the user accounts only?

Suitable Workaround for MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege


Hi,

We use the GPP to deploy a local user account which is then made a member of the local administrators group, as IT admins we use this account for local activities such as first prep work of the machine, rather than logging in using a domain admin account (yes most of it is still manual for us) but also for times when the domain isn't available to authenticate a domain account (laptops off site). We also deploy another local admin account specifically for remote users to use in case of troubleshooting, for instance to get into the Windows Recovery Environment to perform a system restore, start up repair or other commands (this is a phone support scenario we talk the user through). In this case, we must provide the user with the password. The beauty of GPP is that we can change that password centrally, and the next time their GP refreshes the local account gets an updated password and this helps us to ensure that users aren't getting access to the local admin privileges during normal operation.

However, this has changed since the introduction of MS14-025 and now we can't update passwords or create new local accounts. The web link at https://support.microsoft.com/en-us/kb/2962486 shows a script for setting random passwords, but we need to know what the password is in order to use it ourselves.

What I am looking for, is a logon script that can do the following:

  • Check if the local account exists – if not, create it, if it does then set the password to that of a known password (not sure where this would be stored or how but it needs to be secured)
  • Check if the local account belongs to a specified group, if it doesn’t – add it, if it’s in groups it shouldn’t be then remove them from those groups
  • The script can contain a list of accounts that should be disabled or deleted, if an account exists and it shouldn’t, then delete/disable it

I don't know where to start with this because the script MS has provided in the above link is fairly useless for our scenario. Even if we did automate the system builds (which I did at a previous company) we still don't have a means of updating passwords should they change afterwards. This wouldn't be a problem if machines could always authenticate to the domain, but what can we do if a director's laptop can't boot and he's not in the office for a week? This is exactly what happened yesterday due to a Windows updates installation: it corrupted a key file, dwmapi.dll, and I had no choice but to provide him with the password and talk him through the system restore steps over the phone.

Has anyone got any ideas or solutions to work around this? Are there any 3rd party products (preferably free) that could do the same thing?

Many thanks

Steve

Apply GPO to service accounts


Windows 2012 R1. Server 2008 DFL.

I've created a GPO linked to the domain root to setup certificate auto-enrollment. It works for anyone who logs in interactively. My service accounts aren't applying the policy. GPMC says it should get the policy on the specified computer. I enabled detailed logging for certificate services (AEEventLogLevel = 0) but I don't see it ever apply the policy, nor do I see an issued cert or failed request on my certificate management console. For my own account, all of this including the logging works fine.

Do service accounts get GPOs?

Thanks,

Rob

Not able to write certain letters


Hi,

I have been having an issue where I tried to rename a group policy using a small letter p. I opened up group policy on my other DC and it worked fine. I went back to the original DC (which is the PDC).... this works fine also now. Could this have been some sort of weird replication issue?


Backup GPO using Windows OS

Hello

I would like to make a backup of the Policies folder to a file share using the Windows OS. I keep getting the prompt that the Policies folder already exists.

Why?


Hide E: Drive by editing ADMX file or GPO on Server 2012


Hello, I'm having trouble finding a clear way to do this.  I need to hide the E: drive in addition to the other options in Group policy. Ultimately I need to hide A,B,C,D and E for my terminal server users through a group policy.

When I made what seemed like good changes in the ADMX file I got an error which I searched and found that the ADMX file was out of sync with the ADML file.

Do I need to add the same reference in both the ADMX and ADML files?

Is notepad a good way to accomplish this?

Should I use the ADMX Migrator tool as some sites suggest? There is very little instruction that I can find on how to use this tool.

Thank you in advance for your help.


Scott

Restricted Group setting in GPO is not configured after domain join


Hi all,

I'm configuring a GPO as part of a test environment in which I create a custom GPO within an OU. It configures fine and I can RDP (using the settings in the GPO) to the domain controller. However, when I add a computer to the AD domain, I cannot RDP using the user; I can log on locally though. After looking into it further I've found that the setting I have applied to my Restricted Group is not being brought across properly. The group I need is in the restricted group but it is not appearing as a member of Administrators (in the "Member of" column). I have an 'X' in red next to the group giving the usual "check winlogon log file" message. The content of which is:

*************************

Make a local copy of \\shire6.vce\sysvol\shire6.vce\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkDomain 

Make a local copy of \\shire6.vce\SysVol\shire6.vce\Policies\{6D41C716-CDD9-457E-AB89-02C4192226FF}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit 

Process GP template gpt00000.dom.

This is not the last GPO.
-------------------------------------------
Monday, April 27, 2015 3:36:03 PM
Copy undo values to the merged policy.


----Un-initialize configuration engine...

Process GP template gpt00001.inf.
-------------------------------------------
Monday, April 27, 2015 3:36:03 PM
----Configuration engine was initialized successfully.----

----Reading Configuration Template info...


----Configure User Rights...
Configure S-1-5-32-545.
remove SeInteractiveLogonRight.
Configure S-1-5-32-551.
remove SeInteractiveLogonRight.
Configure S-1-5-32-555.
remove SeRemoteInteractiveLogonRight.
Configure S-1-5-21-330840483-2018858548-1314766947-1104.
add SeInteractiveLogonRight.
add SeRemoteInteractiveLogonRight.
Configure S-1-5-32-544.

User Rights configuration was completed successfully.


----Configure Group Membership...
Configure SHIRE6\System_Admins.
successfully added object to Administrators.
new memberof tattoo list: *S-1-5-32-544,

Group Membership configuration was completed successfully.


----Configure Security Policy...
0
Undo value for group policy setting <MinimumPasswordLength> was saved.
0
Undo value for group policy setting <PasswordHistorySize> was saved.
42
Undo value for group policy setting <MaximumPasswordAge> was saved.
0
Undo value for group policy setting <MinimumPasswordAge> was saved.
1
Undo value for group policy setting <PasswordComplexity> was saved.
0
Undo value for group policy setting <RequireLogonToChangePassword> was saved.
0
Undo value for group policy setting <ClearTextPassword> was saved.
Configure password information.
0
Undo value for group policy setting <LockoutBadCount> was saved.
0
Undo value for group policy setting <ForceLogoffWhenHourExpire> was saved.
Configure account force logoff information.

System Access configuration was completed successfully.
LSA anonymous lookup names setting : existing SD = D:(D;;0x800;;;AN)(A;;0xf1fff;;;BA)(A;;0x20801;;;WD)(A;;0x801;;;AN)(A;;0x1000;;;LS)(A;;0x1000;;;NS)(A;;0x1000;;;S-1-5-17)(A;;0x801;;;AC).
0
Undo value for group policy setting <LSAAnonymousNameLookup> was saved.
Configure LSA anonymous lookup setting.
Configure machine\system\currentcontrolset\control\lsa\nolmhash.
Mismatch       - machine\system\currentcontrolset\control\lsa\nolmhash.
Undo value for group policy setting <machine\system\currentcontrolset\control\lsa\nolmhash> was saved.

Configuration of Registry Values was completed successfully.
Configure event audit settings.
0
Undo value for group policy setting <AuditPrivilegeUse> was saved.
0
Undo value for group policy setting <AuditAccountLogon> was saved.

Audit/Log configuration was completed successfully.


----Configure available attachment engines...

Configuration of attachment engines was completed successfully.


----Un-initialize configuration engine...

this is the last GPO.
**************************

Make a local copy of \\shire6.vce\sysvol\shire6.vce\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

Make a local copy of \\shire6.vce\SysVol\shire6.vce\Policies\{6D41C716-CDD9-457E-AB89-02C4192226FF}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

Process GP template gpt00000.dom.

This is not the last GPO.
-------------------------------------------
Monday, April 27, 2015 3:42:06 PM
Copy undo values to the merged policy.


----Un-initialize configuration engine...

Process GP template gpt00001.inf.
-------------------------------------------
Monday, April 27, 2015 3:42:06 PM
----Configuration engine was initialized successfully.----

----Reading Configuration Template info...


----Configure User Rights...
Configure S-1-5-21-330840483-2018858548-1314766947-1104.
Configure S-1-5-32-544.

User Rights configuration was completed successfully.


----Configure Group Membership...
Configure SHIRE6\System_Admins.
old memberof tattoo list: *S-1-5-32-544,
object already member of Administrators.
new memberof tattoo list: *S-1-5-32-544,

Group Membership configuration was completed successfully.


----Configure Security Policy...
Configure password information.
Configure account force logoff information.

System Access configuration was completed successfully.
LSA anonymous lookup names setting : existing SD = D:(D;;0x800;;;AN)(A;;0xf1fff;;;BA)(A;;0x20801;;;WD)(A;;0x801;;;AN)(A;;0x1000;;;LS)(A;;0x1000;;;NS)(A;;0x1000;;;S-1-5-17)(A;;0x801;;;AC).
Configure LSA anonymous lookup setting.
Configure machine\system\currentcontrolset\control\lsa\nolmhash.

Configuration of Registry Values was completed successfully.

Audit/Log configuration was completed successfully.


----Configure available attachment engines...

Configuration of attachment engines was completed successfully.


----Un-initialize configuration engine...

this is the last GPO.

Any help would be much appreciated.

Thanks,

Adrian




Problem in Active directory


Dear ,

I have a problem in Active Directory on Windows Server 2008 R2 x64.

The problem is that when resetting a password I get the message "Windows cannot complete the password change for ...".

I did not change any settings or Group Policy. I face this issue after updating Windows.

Can anyone help me?

Please contact me at my email ((mohd611@hotmail.com))

Thank you

Regards,

Mohammed

Group Policy application frequency even if policy hasn't changed - Server 2012 R2


Hi,

I'm aware of the Group Policy refresh intervals, which apply only if the policy has changed. If I remember correctly, Server 2003 applied policies every 16 hours even if they hadn't changed. A sort of "to be sure, to be sure" setting. Does this exist on Server 2012 R2, and is there a link with some doco that states this please?

Thanks

David Z

Creating Group Policy to give access for installing software.


Hi, 

I have an AD on Windows Server 2012 and I have 20 users. When a user tries to install some software it asks for admin credentials because they are not members of Administrators. I don't want to give them admin access but I need to give them software installation access.

PLEASE HELP ME TO SET UP THIS

Thanks,

Dev

Deleting %temp% files and Internet Explorer Temp files using GPO


Hello,
I am looking to automate cleanup of these folders on our domain.

First the
%temp%

I would like to completely empty this folder on each login. We are not using roaming profiles or terminal services. Each user has their own machine and the profile is stored locally on the Windows 7 box.

Second,  I would like to cleanup internet explorer temp files
WHILE RETAINING SAVED PASSWORDS

Any suggestions would be helpful


Policy in domain Server 2008 to remove the tick from Validate Server Certificate in Win7 and XP

Hi

I have a domain on Server 2008.

I need to create a policy to remove the tick from Validate Server Certificate in Win7 and XP.

Please help me

WPD Devices: Deny read access user policy


Hi All,

I have configured the following settings on my main group policy (user policy) and it has linked to my domain. 

All Removable Storage classes: Deny all access Enabled  
WPD Devices: Deny read access Enabled  
WPD Devices: Deny write access Enabled 

And in one of my sub-OU GPOs I have configured "WPD Devices: Deny read access Enabled" (computer policy). When I checked with one user I found that this user can access USB. There is no other configuration I made on this OU. As per the above domain policy I have denied All Removable Storage classes (mentioned above), so how does it come to be open? I just tried one more thing: when I change WPD Devices: Deny read access in the sub-OU to Not Configured, then USB is denied.

I couldn't find any references online regarding this. Can anyone suggest why it is happening?

GPO Security Group filtering not working


Hello all,

DC: 2008R2 w SP1

Client: W7 SP1

Objective: Disable Removable Storage

I can filter by individual user but not by a security group (global). (Linked to both users and computers OU.) I checked and made sure the user (me) belongs to the group using the command whoami /groups. I checked the Delegation setting and made sure that the security group has the read and "apply" GPO permissions checked. Also the Authenticated Users group has "read" allowed.

Any clues?

Thanks


Server 2012 R2 - Unable to disable IE11 ESC for regular users


I'm attempting to troubleshoot an issue with an Amazon Web Services hosted Server 2012 R2 environment.

It is used as a terminal server by multiple users.
This server is also running Active Directory.
An application that the users run via RemoteApp is being affected by IE Enhanced Security in IE11.

The application runs fine for Administrator accounts with ESC disabled.
With ESC enabled part of it is blocked and fails to display.

Attempts have been made to disable ESC, and according to the GUI and registry keys it should be disabled.
However, logging in as a regular user account, IE11 still reports ESC as being ENABLED.

I have searched through many potential fixes via Google and have yet to discover why this is occurring.
90% of the articles just point to the settings in Local Server and advise to turn off the settings for Administrators and Users.

This is what I see on the server:

GUI settings in Local Server: Enhanced Security Configuration: Off
In the pop up window - 
Administrators: Off
Users: Off

When launching IE11:

IE11 for Domain Admin users: Caution: Internet Explorer Enhanced Security Configuration is not enabled
IE11 for Domain Users: Internet Explorer Enhanced Security Configuration is enabled

I have checked the following registry entries, which both show a value of 0 as expected from what you see set in the GUI options. I also found a support thread for Server 2012 (not R2) where it was suggested to delete the user key for IsInstalled completely, which seemed to make no difference in my case.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}\IsInstalled

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}\IsInstalled

I've also tried manually setting the security zone values via gpedit for both computer or user section, again no difference.

It's as if something is overriding the local policy for domain users.

I believe if the embedded site address is added as a trusted site it may also accomplish the same goal here, however as NONE of the policy changes I have attempted have had any impact in my testing I have no idea how to set this for the domain users group either.

Can anyone offer any suggestions on how to proceed with solving this issue?

EDIT: I was able to test adding the location as a trusted site and still no dice; it appears ESC is still blocking something that is necessary and needs to be disabled.

Cheers,
Mark.




Blocking internet for users group


Now that the Internet Explorer Maintenance policy is gone what do you recommend for a User based policy that blocks Internet but not Intranet traffic?

I suppose I could use GPP, but then I'd have to make one for IE 8 and 9 and one for 10, and that leaves 11 open; kinda messy.

Thanks!

