Channel: Group Policy forum
Viewing all 19997 articles

Run a VBS script to create a local admin account and change password through Configuration Manager 2012


Hi,

We are running CM2012 and I was looking for some direction on how to get the following task configured. We have a VBS script that will complete the following tasks:

1.) Delete an existing local account named USER1

2.) Create a new local account and set the password

3.) Promote the account to be local administrator

We wanted to get this configured through configuration manager since we can't use group policy preferences anymore. Has anyone run into this before or has any suggestions on how to get this efficiently accomplished?

Thank you.


Question Regarding Group Policy 2008 R2


Hello,

I am trying to work on a GPO to harden Windows 2008 R2 and 2012 R2 Systems, and need help with following:

1. I want to restrict software installation on Windows Servers for everyone except a particular security group. I tried looking into Software Restriction Policy and AppLocker, but they are both complicated. I just want to restrict installation of software. Due to the complex nature of our environment I can't restrict anyone from executing files like .exe; it would be very difficult to whitelist applications since it's been around for 4-5 years.

2. If something isn't working - how can I trace back the issue to a particular setting within the GPO that I have implemented?

Please advise.

Aaron

DNS suffix search list GPO not overriding Default Domain Policy


Hi All,

In the last few hours I have been fighting with this issue.

In our domain we have a configuration in the Default Domain Policy that sets the DNS suffix search list. I have been trying to override this setting for a few specific clients for testing purposes. Although the Default Domain Policy is not enforced, the OU-specific policy is not overriding the setting; the specific policy only has this setting:

Computer Configuration\Policies\Administrative Templates\Network\DNS Client

DNS Suffix search list - Disabled

I also tried to move the client to a specific OU that has inheritance blocked and only that policy, but running gpresult /h I see that the winning policy is the Default Domain Policy, which is weird since that policy is not even applied when inheritance is blocked.

Also, the options in the Advanced TCP/IP settings, DNS tab, are greyed out and I can see "Append these DNS suffixes" selected with a list of suffixes.

The final outcome I would like to achieve is:

- no dns suffix for the search

- Append primary and connection specific DNS suffixes - enabled

Any suggestion?

Thanks


PowerShell script not running


I've got a GPO which is applied to all of our users and I recently configured a PowerShell script in it to run at logon and logoff. On the vast majority it runs without issue but on some it's not running at all. When I look at the gp results there is no logon/logoff script specified and in particular I notice that the scripts CSE last processed time seems to be a significant time in the past.

Client machines at Win7 SP1 with PS 3. Does anyone have any thoughts?

convert DHCP to STATIC IP centrally


How can I convert DHCP IP addresses to static IP addresses centrally through Windows Server 2003 AD?


How to create a local administrator account and manage the password via GPO or similar


Hi, 

We are trying to manage the local administrator accounts that we have out there (desktops/servers). We need to create a new local administrator account and set a password. We would like to be able to change the password on a regular basis.

In the past you could use GPO preferences to get this done, but that is no longer possible.

Any suggestions?

Device Installation Restrictions - Not working as expected


I'm trying to conduct a simple test of Device Installation Restrictions.  I've created a GPO and only enabled Prevent installation of removable devices.  I created a new test OU, blocking inheritance, put a test computer in the OU (tested putting the user in the OU also, to block any user GPOs).  I've confirmed that the GPO is being applied to the computer via a dummy environment variable and these registry keys are getting added (all are included here, but I've tried just deny removable and then just deny specific IDs):

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions]
"DenyRemovableDevices"=dword:00000001
"DenyDeviceIDs"=dword:00000001
"DenyDeviceIDsRetroactive"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs]
"1"="USBSTOR\\DiskVerbatimSTORE_N_GO______PMAP"

Even with the GPO applied and the reg keys present, USB drives can be plugged in and used.  I've also tried setting Prevent installation of devices that match any of these Device IDs, but that doesn't work either. 

Clients are Windows 7 Professional 64 bit SP1.  Servers are 2008 R2.

I've reviewed the following with no help:
Allow Administrators to Override Device Installation Restriction Policies
http://technet.microsoft.com/en-us/library/cc753015(v=ws.10).aspx

Step-By-Step Guide to Controlling Device Installation Using Group Policy
http://msdn.microsoft.com/en-us/library/bb530324.aspx



creating exceptions for a specific USB stick brand


Hello;

As far as I know, the "removable storage access" policies work based on the "class GUID" of the removable storage device rather than the "Hardware ID".

I want to set up a GPO (or several) so that the USB flash drives of brand A get read-only access while the USB flash drives of brand B get full read/write access. Let's say the corporate policy only approves a few "secure" USB sticks to have corporate data written to them, while it considers the rest "unsecure", good enough only to bring data into the corporation.

If I go with class GUID, both brand A and B, which will have the same class GUID (DiskDrive, {4....1036 or 1038 I don't remember}), will get the same policy.

I want to somehow differentiate between the two based on Hardware ID. Is this possible? I was kind of thinking of setting the read-only policy for the whole class, but creating some exceptions for devices of the same class with some specific Hardware IDs; but I don't know if this is supported.

I'd appreciate any creative idea on this as well.
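The two posts above (Device Installation Restrictions not taking effect, and telling brand A from brand B by Hardware ID) both come down to the same question: which hardware IDs has Windows already installed for the USB storage devices on this machine, and how do they line up with the DeviceInstall\Restrictions values the GPO writes? The script below is an added example, not code from either poster or from Microsoft. It uses WMI so it runs on the Windows 7 / PowerShell 2.0 clients mentioned in the first post (Get-PnpDevice would do the same job on Windows 8 and later). It assumes an elevated prompt. The registry value and key names are the ones shown in the post above plus AllowAdminInstall, which is what the "Allow administrators to override" policy linked there writes; the function names are chosen here for illustration.

```powershell
# Added example: compare installed USB storage devices with the DeviceInstall restriction policy.
$restrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-DeviceInstallRestrictionPolicy {
    # Read the DWORD switches the GPO writes; a missing value is reported as 'not set'.
    $values = @{}
    foreach ($name in 'DenyRemovableDevices', 'DenyDeviceIDs', 'DenyDeviceIDsRetroactive', 'AllowAdminInstall') {
        $values[$name] = 'not set'
    }
    if (Test-Path $restrictionsKey) {
        $props = Get-ItemProperty -Path $restrictionsKey
        foreach ($name in @($values.Keys)) {
            if ($null -ne $props.$name) { $values[$name] = $props.$name }
        }
    }
    # The deny list is a set of REG_SZ values named "1", "2", ... under the DenyDeviceIDs subkey.
    $denyList = @()
    $denyKey = Join-Path $restrictionsKey 'DenyDeviceIDs'
    if (Test-Path $denyKey) {
        $key = Get-Item -Path $denyKey
        $denyList = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }
    New-Object PSObject -Property @{ Values = $values; DenyDeviceIDs = $denyList }
}

function Get-InstalledUsbStorageDevices {
    # Win32_PnPEntity lists every device Windows has already installed, together with the
    # hardware and compatible IDs it matched at install time.
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.PNPDeviceID -like 'USBSTOR\*' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name          = $_.Name
                InstanceId    = $_.PNPDeviceID
                HardwareIDs   = @($_.HardwareID)
                CompatibleIDs = @($_.CompatibleID)
            }
        }
}

function Test-UsbStorageAgainstPolicy {
    # For each installed USB storage device, report whether one of its IDs is on the deny list.
    # Device-ID denies reach devices that were installed before the policy arrived only when
    # DenyDeviceIDsRetroactive is set; "Prevent installation of removable devices" only blocks
    # new installations. A drive installed before the GPO therefore keeps working.
    $policy = Get-DeviceInstallRestrictionPolicy
    foreach ($dev in Get-InstalledUsbStorageDevices) {
        $ids  = @($dev.HardwareIDs + $dev.CompatibleIDs | Where-Object { $_ })
        $hits = @($ids | Where-Object { $policy.DenyDeviceIDs -contains $_ })   # case-insensitive
        New-Object PSObject -Property @{
            Device        = $dev.Name
            InstanceId    = $dev.InstanceId
            OnDenyList    = ($hits.Count -gt 0)
            MatchedIds    = ($hits -join '; ')
            Retroactive   = $policy.Values['DenyDeviceIDsRetroactive']
            DenyRemovable = $policy.Values['DenyRemovableDevices']
        }
    }
}

Test-UsbStorageAgainstPolicy |
    Format-Table Device, OnDenyList, MatchedIds, Retroactive, DenyRemovable -AutoSize

# Hardware IDs as Windows recorded them, ready to paste into an allow or deny list
# (the brand A / brand B case in the second post).
Get-InstalledUsbStorageDevices | ForEach-Object {
    "{0}`n  {1}" -f $_.Name, ($_.HardwareIDs -join "`n  ")
}
```

The deny-list comparison is an exact, case-insensitive string match against the IDs Windows itself recorded, which is also how the policy matches; a deny entry that only differs from the recorded ID in a trailing revision suffix will show up as OnDenyList = False, which is the first thing to check when the restriction "does nothing".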

The network name cannot be found


Hi,

We have 2 Domain controllers, old and new. Both running Windows Server 2012 R2. I have migrated FSMO roles from old DC to new DC and confirmed. But after migration, I am getting an error "the network name cannot be found" when opening Group Policy Management console.

I tried to edit the Burflags registry keys, but I could not find the Backup/Restore container (which contains the Burflags registry value) under Parameters in the registry editor.

Kindly help me with the better solution.

Configuring Printer Driver Isolation Mode Using Group Policy not working


I have a GPO to change Printer Driver Isolation:

Computer Configuration\Policies\Administrative Templates\Printers\Execute Print Drivers In Isolated Processes-Enable

Computer Configuration\Policies\Administrative Templates\Printers\Override Print Driver Compatibility Execution Setting Reported By Print Driver-enable

But when I open Print Management I see the printer is in shared mode.

The GPO is not working.

Please help.


If my reply solved your problem, click "Mark as answer" next to the green V sign.

"certain user policies are enabled that can only run during logon"


I have created a GPP for mapping a drive. Is there any way to NOT prompt for a logoff on first logon?

"certain user policies are enabled that can only run during logon"

OK to logoff?. (Y/N)

Password expires early, despite GPO settings


Hi everyone,

I've got a question, I just can't figure out.
When I set up this specific Server 2012 environment for a customer, I set the password policy to 365 days.
However, the password is no longer valid after 42 days. I checked the RSoP, and all that comes back is that the policy I set to 365 days is active.
Is there anyone that could help me figure out why the password expires after this short period?

Thank you in advance.

With kind regard,

Mike Rozeboom

running gpresult returns "ERROR: Not found."


I asked this in the Directory Services forum as well, but thought it might also be appropriate here.

I have one desktop in our domain that is having some problems (drives not being mapped, program shortcuts missing, etc).  This is only happening when one user logs into the system.  If another user logs into the same computer, everything appears normally as it should. 

My first inclination was to look at the users account and check policy. The user is in the same OU as the other user whose login works fine.  The computer is a laptop, and is taken out of the office every morning before I get into work, so I cannot run a GP results wizard as the computer is not on the corporate LAN when I am at work.  So I got a tech on site (this computer is in another city) to run "gpresult > result.txt" and email me the results. When the tech runs gpresult, he gets the following: "ERROR: Not found."

I've checked google (of course) and there really isn't much on this error.  The computer joins the domain fine when the user logs on, but it certainly appears that GP is not being applied to his specific logon.  Any ideas?
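For the three posts above that end in "which setting or extension is failing?" (gpresult returning "ERROR: Not found", the logon/logoff script that never runs, and Aaron's question about tracing a failure back to a GPO setting), the client's own Group Policy logs answer the question faster than another gpresult run. The script below is an added example, not code from any poster: it pulls recent errors and warnings from the Group Policy operational log and the extension-failure events Group Policy writes to the System log. It assumes Windows 7 or later (Windows XP has no operational log) and an elevated prompt; `$Hours` and the function names are chosen here for illustration.

```powershell
# Added example: summarise recent Group Policy processing problems on a client.
function Get-GroupPolicyProblems {
    param([int]$Hours = 24)
    # Level 2 = Error, 3 = Warning. Informational events are left out to keep the
    # list short; drop the Level entry to see every processing step.
    $filter = @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Level     = 2, 3
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ActivityId,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

function Get-CseFailures {
    param([int]$Hours = 24)
    # Event 1085 in the System log names the client-side extension that failed
    # ("Windows failed to apply the ... settings"); 1030 and 1058 report that the
    # client could not read the GPO from SYSVOL at all.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        Id           = 1030, 1058, 1085
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

function Get-ProblemSummary {
    param([int]$Hours = 24)
    # Group by event ID so a flood of the same failure shows up as one line with a count.
    Get-GroupPolicyProblems -Hours $Hours |
        Group-Object Id |
        Sort-Object Count -Descending |
        Select-Object @{ Name = 'EventId'; Expression = { $_.Name } }, Count,
            @{ Name = 'Example'; Expression = { $_.Group[0].Message } }
}

"--- Group Policy operational log: errors and warnings (last 24 h) ---"
Get-ProblemSummary | Format-Table -AutoSize

"--- System log: extension failures and SYSVOL access errors (last 24 h) ---"
Get-CseFailures | Format-Table -AutoSize
```

Every event of one policy-processing pass shares an ActivityId, so once the summary shows the failing event ID, `Get-GroupPolicyProblems | Where-Object { $_.ActivityId -eq '<id>' }` gives the whole sequence for that pass, including which extension was running when it failed. For the laptop that is never on the LAN, a technician can run this on site and send the output the same way the gpresult file was sent.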

Prevent creating folders on via group policy


Hi Guys!

Quick question: I'd like to know the path to enable the desktop restriction for Windows 2003 client machines; I'm unable to find the exact path in GP.

My goal is to prevent users from creating folders on desktops.


Windows 7 PCs not prompting for password expiration (Default Domain Policy)


We have our Default Domain Policy GPO linked to our top level domain.

Within the Default Domain Policy we have a computer policy for password expiration (Computer>Policies>Windows Settings>Security Settings>Account Policies/Password Policy). This GPO seems to push fine to all Windows XP machines and servers that are in any sub OU in our domain.

We have an OU titled Workstations where we move computer objects added to the domain. We then have sub-OUs inside Workstations to further organize and control our computers. (Domain>Workstations>Workstations - Woodbury)

In our migration from Windows XP to Windows 7 any new W7 machine that is added to the domain is moved from the default Computers OU (not listed in GPM, only in AD) to Domain>Workstations>Workstations - Woodbury.

Any W7 machine that is added to that sub-OU (Workstations - Woodbury) is not prompting for password expiration. When I go to the Workstations - Woodbury OU and choose Group Policy Inheritance I see that the Default Domain Policy location is our domain, GPO status is enabled and WMI filter is none. This leads me to believe that the OU I have created is successfully inheriting the Default Domain Policy and any machine should be prompted for password expiration; however, they are not.

Please note that ALL other computer objects in ANY other OU are prompting for password changes just NOT the machines in my sub-OU (all windows 7 computers).

I am new to group policy management so I apologize if my analysis/description of the issue is not as detailed as it might need to be. I can provide logs and further information if needed. 

Please help!

Windows 7 clients not honoring screen saver timeout group policy setting


I searched around to see if this had been posted already but no luck. Others seem to have this problem but I have yet to find a workable solution. I believe this post provides one but have only had the opportunity to test on a small number of Windows 7 machines.

Today I was tasked with creating a GPO that would lock a workstation after 10 minutes of inactivity and require authentication to return access to the Desktop. So I enabled and configured the following policies under "User Configuration\Policies\Administrative Templates\Control Panel\Personalization"

"Enable Screen saver" to Enabled
"Prevent changing screen saver" to Enabled
"Password protect the screen saver" to Enabled
"Screen saver timeout" to Enabled
"Force specific screen saver" to Enabled with the executable name "Mystify.scr"

After running "gpupdate /force" I found that almost all of these settings had been honored except for the timeout. I used the group policy results wizard to confirm that the policy was being applied to the machine but still no dice. After some testing I discovered that it was still using the timeout value that had been configured before I had configured the group policy. So it seemed to be holding on to the old timeout value.

After some more research I found that there are actually two registry keys that set the screen saver timeout value. "HKCU\Control Panel\Desktop\ScreenSaveTimeOut" is the registry entry that's created when a user configures a timeout value manually. "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut" is the registry entry that the group policy sets. When both values are present, the user-configured setting seems to take precedence. This seems to only be true for the timeout value (i.e. when I make the values for "SCRNSAVE.EXE" conflict, the group policy configured value takes precedence).

So my solution to the problem was to simply create a group policy that deletes HKCU\Control Panel\Desktop\ScreenSaveTimeOut. After the workstation is rebooted, the timeout value set by group policy is honored. Again, my testing of this solution is limited to a handful of Windows 7 workstations, but so far I have not found any adverse effects.
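The post above found the cause by looking at the two registry locations side by side: the value the GPO writes under the Policies hive and the value the user set locally. The same check applies to the DNS suffix search list post earlier on this page, where the Default Domain Policy and a locally configured list can coexist in the same way. The script below is an added example, not the poster's GPO or code from Microsoft: it reads both locations for each setting, flags a conflict, and offers the post's remediation (removing the user's own ScreenSaveTimeOut) as a function that refuses to run when no policy value exists. The ScreenSaveTimeOut paths are the ones quoted in the post; the DNSClient policy path and the Tcpip\Parameters SearchList value are the standard Windows locations for that setting. It assumes it is run in the affected user's session (for the HKCU pair) and elevated (for the HKLM pair); the function names are chosen here for illustration.

```powershell
# Added example: show policy-hive and locally configured values for the same setting side by side.
$settings = @(
    @{ Name   = 'Screen saver timeout (seconds)'
       Policy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
       Local  = 'HKCU:\Control Panel\Desktop'
       Value  = 'ScreenSaveTimeOut' },
    @{ Name   = 'DNS suffix search list'
       Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Local  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
       Value  = 'SearchList' }
)

function Get-RegistryValueOrNull {
    # Returns $null (instead of throwing) when the key or the value does not exist.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Compare-PolicyAndLocalValue {
    # One row per setting: what the GPO wrote, what is configured locally, and whether they differ.
    foreach ($s in $settings) {
        $policyValue = Get-RegistryValueOrNull $s.Policy $s.Value
        $localValue  = Get-RegistryValueOrNull $s.Local  $s.Value
        New-Object PSObject -Property @{
            Setting     = $s.Name
            PolicyValue = $policyValue
            LocalValue  = $localValue
            Conflict    = ($null -ne $policyValue -and $null -ne $localValue -and
                           "$policyValue" -ne "$localValue")
        }
    }
}

function Remove-LocalScreenSaverTimeout {
    # The workaround from the post: drop the user's own value so the policy value is the only one.
    # Guarded so that a machine without the GPO keeps its local setting.
    $s = $settings[0]
    if ($null -eq (Get-RegistryValueOrNull $s.Policy $s.Value)) {
        Write-Warning 'No policy value present; leaving the local ScreenSaveTimeOut alone.'
        return
    }
    Remove-ItemProperty -Path $s.Local -Name $s.Value -ErrorAction SilentlyContinue
}

Compare-PolicyAndLocalValue | Format-Table Setting, PolicyValue, LocalValue, Conflict -AutoSize
```

Run the comparison first; only call `Remove-LocalScreenSaverTimeout` when the Conflict column is True for the screen saver row, and expect the change to take effect at the next logon or reboot, as the post describes. For the DNS row, a SearchList under the DNSClient policy key that survives a "Disabled" OU policy tells you a domain-level GPO is still writing it.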

Need force IE9 document mode in Group Policy for specified users

We have had problems with IE10: it sometimes can't render table data properly in the IE10 standard Document Mode. We'd like to force some users to view only a few web sites in IE9 Document Mode. It looks like we can't do that; the Group Policy Compatibility View setting only shows "Use Policy List of Internet Explorer 7 sites". Any solutions for it?

Group Policy Client service does not start


Hi,

As soon as I (an administrator on my PC) log on to Windows 7, I get a message saying that the Group Policy Client service failed to start. I'm not sure why I'm getting this error even though the dependencies are very much up and running.

Below is the error message I get in the notification area as soon as I log on:

Failed to connect to a windows service
Windows could not connect to the Group Policy Client service. This problem prevents standard users from logging on to the system.
As an administrative user, you can review the System Event Log for details about why the service didn't respond.

Account Lockout Threshold not working

I have a default domain GPO linked to the root of my domain, and any changes I make to this GPO work as expected on the computers in my domain, from IE settings to virtually anything. My lockout policy within this same GPO, however, is an exception to this. I have changed the account lockout threshold from 3 to 5, and if I run gpresult and save the command output to a file I can see that indeed the policy is applying to that computer with 5 as the max limit. But if I proceed to type in a bad password the account still locks out at 3 tries. Account lockout duration is 500 minutes and Reset counter is 500 minutes. Users are getting locked out pretty frequently, which is why we're moving from 3 to 5. Any ideas?
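The lockout post above and Mike's password-expiry post (365 days configured, passwords expiring after 42 days) share a blind spot: account policies are enforced by the domain controllers from the values stored on the domain object, so a workstation's gpresult or RSoP showing 5 attempts or 365 days says nothing about what DCs actually apply, and a fine-grained password policy (PSO) can override the domain values for particular users or groups. The script below is an added example, not code from either poster or from Microsoft: it reads the domain's effective password and lockout settings, finds any PSO that applies to a user, and computes when that user's password really expires. It assumes the RSAT ActiveDirectory module and a domain-joined session; `$SamAccountName` and the function name are chosen here for illustration. (42 days is the MaxPasswordAge a new domain ships with.)

```powershell
# Added example: what the domain enforces vs. what one user actually gets.
Import-Module ActiveDirectory

function Get-EffectiveAccountPolicy {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    # Values DCs enforce for the domain as a whole (lockout threshold, max age, ...).
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy
    # A PSO wins over the domain policy for the users it targets; $null when none applies.
    $pso  = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet,
                'msDS-UserPasswordExpiryTimeComputed', LockedOut, badPwdCount

    $effective = if ($pso) { $pso } else { $domainPolicy }

    # The DC computes the expiry time itself; Int64.MaxValue means "never expires".
    $expiryRaw = $user.'msDS-UserPasswordExpiryTimeComputed'
    $expiresOn = if ($expiryRaw -and $expiryRaw -lt [Int64]::MaxValue) {
        [DateTime]::FromFileTime($expiryRaw)
    } else { $null }

    New-Object PSObject -Property @{
        User                 = $user.SamAccountName
        PolicySource         = if ($pso) { "PSO: $($pso.Name)" } else { 'Domain default' }
        MaxPasswordAgeDays   = $effective.MaxPasswordAge.Days
        LockoutThreshold     = $effective.LockoutThreshold
        LockoutDurationMin   = $effective.LockoutDuration.TotalMinutes
        ObservationWindowMin = $effective.LockoutObservationWindow.TotalMinutes
        PasswordLastSet      = $user.PasswordLastSet
        PasswordExpires      = $expiresOn
        BadPasswordCount     = $user.badPwdCount
        CurrentlyLockedOut   = $user.LockedOut
    }
}

"--- Domain-wide values as stored on the domain object ---"
Get-ADDefaultDomainPasswordPolicy |
    Format-List MaxPasswordAge, LockoutThreshold, LockoutDuration, LockoutObservationWindow

"--- Effective policy for one user ---"
Get-EffectiveAccountPolicy -SamAccountName 'jdoe' | Format-List
```

If MaxPasswordAgeDays comes back as 42 while the GPO says 365, the GPO value never reached the domain object: either it is not set in a GPO linked at the domain level, or a higher-precedence domain-linked GPO still carries 42. If the domain shows a lockout threshold of 3 while the GPO says 5, the same applies to the lockout setting. A PSO name in PolicySource means the user's values come from that object, regardless of any GPO.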