Channel: Group Policy forum

Cannot create a scheduled task with group policy preferences


I am attempting to create a scheduled task to run on both Vista and 7 systems. The task simply runs an executable on both login and unlock of a computer if the user is a member of a certain OU. For troubleshooting purposes I've created a new GPO containing only this setting. The task is not being created, while all other settings are applied. When I run GPResults on a Vista machine, I can see all of the settings, and under scheduled tasks I get the following error:

An error has occurred while collecting data for Scheduled Tasks.
The following errors were encountered:
An unknown error occurred while data was gathered for this extension. Details: Invalid class

I've enabled GPMC logging and see the following error in gpmgmtManaged.log:
Reporting(5124.4)12:59:48 ScheduledTasksTemplate::SetExtensionData:PolicyMaker extensions error

It may be a separate issue, but when I run GPResults on a 7 machine, both the summary and settings column show the following:
An error occurred while generating report:
Index was out of range. Must be non-negative and less than the size of the collection. Parameter name: index

The logs aren't giving me much to go on, really. Does anyone have any other ideas to try?


The server is 2003 R2 and it passes all of the dcdiag tests.

Thanks!


Unable to disable automatic updates on any machine which is added to the Domain


Dear All,

Wish you a very great day ahead!

My department server has been recently added to the Domain as a member of Domain.

Before adding the server, I disabled the Automatic Updates. But after adding the server to the Domain the Automatic Updates got enabled and we see that the multiple updates are being installed in the back end and I am unable to change those settings.

I get the error "some settings are managed by your system administrator"

I checked with the Domain Admin and I have checked the OU in which my server was added. And on this OU there is no GP applied.

Now kindly if anyone can let me know how to solve this.

Besides this, is there any method using scripts or something else to disable the automatic updates?

Best Regards,

Ahmed.

Printers disappearing on Win 7 64 bit clients and getting GP warning on print server event viewer


Hi all,

I'm getting a very strange issue. About a week ago one user's printers disappeared. I checked the print spooler on the server and it was running, I rebooted the user's PC and they came back, and I didn't think much of it. Now, a week on, more and more people are getting the issue and it is getting worse and worse. I have checked Event Viewer on the print server and am getting this warning message for all three printers, which are just one printer (an MFU); we have 2 colour settings and 1 B/W setting, hence the 3 printers (printers are applied via GPO):

The user 'Printer Name' preference item in the 'Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}' Group Policy Object did not apply because it failed with error code '0x8007007b The filename, directory name, or volume label syntax is incorrect.' This error was suppressed.

There is one printer that doesn't appear in Event Viewer. I have checked the GP settings, and the only difference is item-level targeting as a security group, so I changed the other printers to target domain users, but it hasn't fixed the issue; in fact it seems like it has made it worse.

The weird thing is not all users get the issue; it's all over the place. I have checked AD settings, GP settings; everything seems to be fine.

I've done heaps of googling and can't find any solution to this specific issue.

Any help would be great,

Remove the Write access to the end user


Hello everyone

I tried to apply the GPO on my pendrive so that nobody can read and write on this pendrive when it is inserted into another machine.

I encrypted it with a BitLocker policy; it encrypted successfully, but anybody can read and write when it is inserted into another PC.

Although it is password protected, I want that even after opening the pendrive with the password nobody can have write access.

Is it possible via GPO?

Thanks

Sunny

Drive map without password


Hi,

I saw that Microsoft greyed out the option of mapping a drive with a password.
However, I need to map a drive with a password.

I don't care if the user will logon to his computer, and the drive map will be disconnected, and only after he will click on it,
a windows authentication popup will appear.

I have a group policy with a regular drive (without credentials) that works fine,
but the drive map which needs to be mapped with a password does not appear on the user's computer.

In the group policy result I receive on this specific drive map: 0x80070056
And in the event viewer of the computer I receive the following error:
The user 'Y:' preference item in the 'DriveMap - FileTransfer {DED67FCA-5FE1-4DC8-AC76-A3E8BABD4267}' Group Policy object did not apply because it failed with error code '0x80070056 The specified network password is not correct.' This error was suppressed

When I try to access to the path which I try to map from the user's computer, a windows authentication popup appears, and it works fine.

Any ideas?

Thanks.

Windows failed to apply the Internet Explorer Zonemapping settings - the data was invalid (event ID: 1085)


Hi All,

I have a large domain and a long list of websites that are trusted using the following group policy setting:

Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List


On all (XP/vista/win7) workstations across the domain I'm getting the following error:

Log Name:  System
Source:  Microsoft-Windows-GroupPolicy
Event ID: 1085
Task Category: None
Level: Warning
Keywords:
Description: Windows failed to apply the Internet Explorer Zonemapping settings. Internet Explorer Zonemapping settings might have its own log file.


There's nothing either side of this error in the log that shines any more light on the issue.

I know which group policy object it's applying these settings from but can't find which of the entries in the site to zone assignment list is causing this issue. I looked in the Group Policy/Operational log but all I see is the following entry which says "completed" but is logged as an error:




After some research I'm guessing that the issue is an incorrect wild-card. This is what my trusted sites list looks like (with names removed of course):

http://servername.*  

*.internaldomain.com.au  

*.domain.com.au  

*.domain.*  

*.externaldomain.com  
 
*.domain.inernaldomain.com.au  

*.domain.*  

*.domain/name.*  

*.domain.inernaldomain.au*  

*.domain.com

Is there something obviously incorrect here?
Does anyone know where I could find an article that clearly outlines the acceptable wildcard syntax for the "Security page\ site to zone assignment list" group policy? I've read every forum post, website and blog I could find on the internet but nothing is clear and I wasn't able to find an MS document that steps it out. I've also changed the existing list a number of times based on blog posts etc. but had no luck.


**Please Note**
I don't want to change to a different method or have an intellectual debate re why I would have these sites/wildcard/policy set. I'm really looking to see what entry is invalid and where the documentation is for this policy setting so I can make sure they are always correct in the future.


Thanks in advance for your time and assistance
Simone


PS: I've already read the following posts a number of times:

  • I get no data but have identified the GP that is causing the issue:
    A test case for troubleshooting group policy application – Event ID 1085 and 7016 - http://blogs.technet.com/b/askds/archive/2008/08/21/a-test-case-for-troubleshooting-group-policy-application-event-id-1085-and-7016.aspx 
  • I don't have any 2 letter domain names:
    Problems Adding Top-Level Domains to Zone Sites List - http://support.microsoft.com/kb/259493

  • I tried formatting the list per this article:
    [Solved] The Group Policy client-side extension Internet Explorer Zonemapping failed to execute  - http://daily-it.blogspot.com.au/2008/09/solved-group-policy-client-side.html

  • Has no domain wildcard format info:
    Behavior of Site to Zone Assignment List  - http://blogcastrepository.com/blogs/mattbro/archive/2006/09/07/2183.aspx

  • Great article, no wildcard data:
    Internet Explorer Policy Settings  - http://technet.microsoft.com/en-us/library/bb457144.aspx

  • Internet zonemapping problem: http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/a8756a27-b562-42ad-8782-87d284e6bcfb/
  • Spiceworks Event 1085 (Warning) - http://community.spiceworks.com/windows_event/show/1582-microsoft-windows-grouppolicy-1085
  • Event ID 1085 — Application of Group Policy - http://technet.microsoft.com/en-us/library/cc727303%28v=ws.10%29.aspx
    Application of group policy - http://technet.microsoft.com/en-us/library/cc727312%28v=ws.10%29.aspx
  • Evt ID 1085 GP client-side extension IE ZoneMapping failed to exec  - http://www.winvistatips.com/evt-id-1085-gp-client-side-extension-ie-zonemapping-failed-exec-t706399.html
  • Event 1085 - Internet Explorer Zonemapping - http://www.minasi.com/forum/topic.asp?TOPIC_ID=29206
  • EventID.net - http://www.eventid.net/display.asp?eventid=1085&eventno=1412&source=Userenv&phase=1
  • Event ID 1085 - Internet Explorer Zonemapping failed to execute - http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24897522.html

.

.

.

UPDATE:

I disabled the original policy and created a new one with only one trusted site address in it. Then I logged into a clean test machine and did some testing. What I found after a few hours of testing was, regardless of the site that I have listed in group policy:

  • The HKCU\Software\Policies\Microsoft\Current version\Internet Settings\Zone Map Key registry entry is always updated with that entry on the workstation. So the workstation's registry always updates the key with *.sitename.com per the site that I have set in GP
  • If I run GPUPDATE /FORCE over and over again, on the same machine, under the same user account, using the same DC I get: Failure, Failure, Failure, Success, Success, Success, Failure etc

I wasn't able to determine any pattern to the failures, I tried stopping some of the processes on that machine but didn't find anything that would make it fail/succeed reliably.
There is no AV or firewalls installed on my test machine

Anyone have any more ideas?  I think I might install filemon and try to capture some more data unless there's a better tool?


For Creating GPO for Accessing Net Shutter but block the Data Card which is inbuilt in Net Shutter.

I want to create a GPO for accessing Net Shutter but block the Data Card which is inbuilt in Net Shutter.

The processing of Group Policy failed. Windows attempted to read the file...

Hello all-

I am currently trying to configure group policy (specifically folder redirects) from a new Windows Server 2008 in my home... the server acts as both an AD DS and file server for 4 client computers, all running Windows Vista Ultimate.

Here are the steps I am currently taking:

  1. I create a new Group Policy called All Users and Computers and apply it to the All Users and Computers OU, which contains exactly what it says (all users and computers in the domain).
  2. I verify that a new folder was created in \\<FQDN>\sysvol\<FQDN>\Policies.  The new folder created is named {6479C8E0-3134-4B4F-B047-7ADD51684684}
  3. I change the GPO Enforced setting to Enforced.
  4. I attempt to use the gpupdate command to see if the group policy can be updated successfully.  In a command prompt, I type gpupdate <enter>.  I receive the message 'Updating Policy...' then after about 15 seconds the message 'User Policy update has completed successfully.'
  5. I keep the cmd window open.  After about 10 seconds another message appears which says "Computer policy could not be updated successfully.  The following errors were encountered: The processing of Group Policy failed.  Windows attempted to read the file \\<FQDN>\sysvol\<FQDN>\Policies\{6AC1786C-016F-11D2-945F-00C04Fb984F9}\gpt.ini from a domain controller and was not successful.  Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

    a) Name Resolution/Network Connectivity to the current domain controller.
    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
    c) The Distributed File System (DFS) client has been disabled.

    To diagnose the failure, review the event log or invoke gpmc.msc to access information about Group Policy results."
  6. I confirm that the error code is #3 using the Event Log, "The system cannot find the file specified"

 

Of course the system cannot find the file specified because the folder does not exist in the sysvol folder. I am wondering why Windows is trying to read from this location when it does not exist, and is not the new group policy I created!  I have no other group policies linked or enforced to any other OU/Domain/etc.  Any help resolving this issue would be greatly appreciated.

Change the windows theme with a Windows Batch file


I had no idea what to put this in.....

I have been tasked with writing a windows batch file to alter the theme to windows classic for all users on a domain.

It will be preferred if I use a registry change key to achieve this.

I have identified the root of the registry key: HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\THEMES and then alternate between the folders DefaultVisualStyleOff and DefaultVisualStyleOn.

And that's as far as I've got. I can use command prompt to look up my IP or browse a directory, but I have never used it for something as complex as.... anything to do with the registry.

I don't even know how to start!

What's more, I get bonus points if I can also get the batch file to switch windows visual effects to 'Adjust for Best Performance' and Double Bonus points if I can make the visual effects a custom setting with nothing but 'Smooth Edges of Screen Fonts' ticked.

Can anyone help?!


User Restriction to save their data to a particular folder.


I have a Windows 2012 domain. How do I restrict users to saving their data to a particular path, say d:\data?


Group Policy processing with an Outgoing Trust


Hello,

I have Forest A and Forest B.  If Forest B has an outgoing Trust (one-way) to Forest A, and a user account authenticates to Forest A while on a Forest B server (Forest A user account included in local admin group of Forest B server), does Group Policy from Forest A 'process' or 'follow' the user account on Forest B?  I don't think so cause don't we specifically have to enable 'Cross Forest Group Policy Processing' for this to occur?


Thanks for your help! SdeDot

Overwrite services file in driver\etc folder using GPO


Dear All,

We need to overwrite the services file on all PCs using GPO.

Please help.


SUNIL PATEL SYSTEM ADMINISTRATOR

Prohibit Scheduled Task Creation


Anyone out there who is able to prohibit users of a Server 2008 R2 terminal server from creating new tasks?

I have tried to use the GPO Administrative Templates - Windows Components - Task Scheduler - Prohibit New Task Creation, but it has no effect. I tried it under the computer settings as well as under the user settings. I see the registry values are being made:

HKLM(or HKCU) \Software\Policies\Microsoft\Windows\Task Scheduler5.0\Task Creation (DWORD: 1)

My users are still able to make new tasks. Probably it doesn't work because in the requirements information it says Server 2003, XP and Windows 2000 OS only.

Is there a way to prohibit the creation of tasks by non-admins on a 2008 r2 server?

Desktop wallpaper is not applying on windows 7, works XP machine


Hi Team,

I have created a Desktop wallpaper GPO for our environment and the Desktop wallpaper is applying on XP machines but not on Windows 7 Professional, so could you please help me with this issue?


Deploying computer certificate to the Personal Computer Store using Group Policy


Hi, can someone please confirm if the only way to deploy a computer cert to the Personal store under the Computer branch (Not User branch) is to use an auto-enrollment template & corresponding GPO?

I can see that in group policy you can deploy other types of certs such as intermediate & Root certs etc without using Auto-enrolment, but no option under the Public Key Policies section to deploy a cert to the personal store within the Computer branch. 

Thanks


Certificate for computers not getting enrolled automatically


Hi,

In my environment I have seen an intermittent behaviour where some computers get a certificate enrolled automatically through GPO but on some systems it does not happen.

There is no change in policy.

Has anyone come across such an issue? If so, please help.

Regards,

Deepak S

how i can disable wireless adapter in all computers using group policy

I want to disable all wireless adapters on all computers using group policy, so that after they are disabled the user can't enable them.

Network security:LAN manager authentication level setting on GPO


Hi,

We have a requirement from the project team to change one of the security settings in the default domain policy for all computers in the domain. Below is the security setting which we need to modify.

computer configuration-->windows settings-->security settings-->local policies-->security options-->

Network security: LAN manager authentication level 

This setting needs to be changed to - Send LM & NTLM - use NTLMv2 session security if negotiated.

The project team is facing an issue with the Apache web server and they found the solution at the link below. (We have tested this by changing local group policy and this solution works as expected.)

https://www.sysaid.com/Sysforums/posts/list/9065.page 

We need to know what the impact is after enabling this on domain computers.

Need help on this to go ahead.

AD user Auditing


We have been auditing what systems users have been logging into via SIEM reports on AD activity. These reports were working fine until we enabled more AD auditing with the below setting changes and from the link listed. The changes from the directions below and in the web site link gave us exactly what we wanted, almost. For some reason the user account auditing alerts have stopped. In the Default Domain Policy the settings for the Audit are set (see image below). But I do not see any Events in Event Viewer under Security for Account logon success or failure on the domain controllers. When I look at the Default Domain Controller Policy I see just the opposite (see 2nd image below). It seems to me that by enabling these other settings that these changes disabled the User Account Logon Auditing settings. Possible?

My question is, should I enable the settings for Account Auditing under the Default Domain Controller Policy or is there something else that needs to be enabled or setting changes made?

http://blogs.technet.com/b/askpfeplat/archive/2012/04/22/who-moved-the-ad-cheese.aspx

  1. Run GPMC.msc (url2open.com/gpmc) → Right-click “Default Domain Policy” and choose “Edit” → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy:
  2. Return to the Security Settings level → Event Log:
  3. Run “gpupdate /force” command.
  4. Open ADSI Edit (url2open.com/adsi) → Right-click ADSI Edit → Connect to Default naming context → Right-click DomainDNS object with the name of your domain → Properties → Security (Tab) → Advanced (Button) → Auditing (Tab) → Add Principal “Everyone” → Type “Success” → Applies to “This object and Descendant objects” → Permissions → Select all check boxes by clicking on “Full Control”, except the following: Full Control, List Contents, Read all properties, Read permissions → Click “OK”.
  5. Open Event Viewer and filter Security log to find event IDs (Windows Server 2003/2008-2012):

Default Domain Policy

 

Default Domain Controller Policy


Leonard Hoffman

Not able to write certain letters


Hi,

I have been having an issue where I tried to rename a group policy using a small letter p. I opened up group policy on my other DC and it worked fine. I went back to the original DC (which is the PDC).... this works fine also now. Could this have been some sort of weird replication issue?
