Channel: Group Policy forum

Group Policy setting different after changing from Local file to Central Store


Hello,

We have created a Central Store and added the latest Windows Server 2012 R2 Update and Windows 8.1 Update .admx/l files from "Administrative Templates (.admx) for Windows 8.1 Update and Windows Server 2012 R2 Update".

When opening and checking a GPO setting, we could see that with the previously used local .admx files from Windows Server 2008 R2, the setting is set to "Enabled".

When using the Central Store with the new OS version .admx files, we now see that the exact same setting according to the GPO path is set to "Not configured":

Is that maybe because the new .admx file has another registry key below this setting and we have to reconfigure it?

I know that this specific GPO setting is already mentioned as not usable in "Group Policy to disable DFSS is not functional" and it has to be set manually within the registry.

Removing the Central Store and using the local .admx files will bring back the "Enabled" GPO setting as before.


Best regards

Meinolf Weber

MVP, MCP, MCTS

Microsoft MVP - Directory Services

My Blog: http://blogs.msmvps.com/MWeber

Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.




Network Access Protection Related Issue


Hello Guys,

I am working on a NAP exercise. I used DHCP enforcement and I also changed the system health validator setting in firewall.

When I turn OFF the client firewall, DHCP isolates the IP & subnet mask 255.255.255.255, but when I turn ON the firewall, DHCP still keeps the same subnet mask 255.255.255.255, hence I am not able to resolve this issue. Kindly help.

Thanks in advance!!

Manage auditing and security event

I want to list out the users which are available in gpedit.msc -> User Right Assignment -> Manage auditing and security event. Help me with the PowerShell or command-line command.

Can I use GPResult for getting the list? If so, what is the syntax of it?


Outlook 2013 Administrative Template


Good morning, 

If the location for the archived PST file is set to \\server\pst\%username% will this setting create a folder for Outlook clients based on their username and archive their e-mails to archive.pst?  

I want to confirm before going forward, so no e-mails are accidentally archived and deleted with all the same filename archive.pst.

These are Windows 7 clients, Server 2012, and Exchange 2010 with Outlook 2013.

Thanks.

Password Complexity GPO


Need to implement password complexity GPO. I understand this can only be implemented at the domain level.

Will users get prompted to change as soon as the GPO takes effect or when they change their password next?

Cannot see Office 2013 settings in Group Policy console after Office 2013 template imported.


Hello all,

I want to disable Office 2013 automatic updates using group policy. I imported all Office 2013 templates in both the central store and C:\windows\Policydefinitions but still cannot see Office 2013 settings.


Please give me some advice.

Thanks,

Long


Multiple 'Policy Definitions' folders created in my Central Store


Hi All,

So I have inherited a domain, and it seems that the previous admin created a central store, but there are multiple 'PolicyDefinitions' and 'Policies' folders created all over the place and things just look crazy. I am trying to add the Windows 8 and Server 2k12 .admx files to my 2k8 DCs (of which there are 4 spread across 2 sites) but want to clean up this SYSVOL share. If I blow out what's in there now, will it kill a whole bunch of GPOs that are already in place? Should I add to the mayhem and pick a new random location to save these to? Any advice would be appreciated.

Thanks

home page

Is there a way to set users' IE home page without preventing them from adding additional home pages?

Shortcut GPO Not Applying


Setup:

Windows Server 2012 R2 Domain Controllers

Clients: Windows 7/8.1 Laptops

I created a GPO with shortcuts to our DFS namespace instead of using Mapped Drives for security purposes, but for new employees logging in for the first time the shortcuts do not appear on their Desktops or File Explorer. I have run GPUpdate /sync /boot /force switches, still nothing. I have rebooted several times to see if it was slow applying the policy, nope.

GPO Info:
Applied to Users OU
Security Filtering: GPO Name security Group with Domain Users in the security group.
Shortcuts were created in "User Configuration>Preferences>Windows Settings>Shortcuts>Shortcut"

GPO Results shows the GPO was a success. I am at a loss on why the shortcuts do not appear.

compatibility view

Is there a way to add a server name or site to the compatibility view without affecting anything already in there or the users' ability to add additional entries?

Software Restriction Policy - Issues with Windows Defender


Hi

Last year we got hit with Cryptoware and since have implemented the "Cryptolocker prevention kit" which consists of blocking installation of software via Software Restriction Policy in GPO.

We had to allow a "whitelist" of allowable installations (i.e. Microsoft Office, etc.) but we are struggling with Windows Defender as it can no longer update itself.

For example we get the following errors:

C:\Users\tester\AppData\Local\Temp\mpam-c0e3fae5.exe 
C:\Users\tester\AppData\Local\Temp\mpam-1fe8253d.exe

The issue is that Windows Defender update mpam-xxxx changes all the time.

We tried to use wildcards such as mpam-*.exe but it would not work.

Is there a way to use wildcards?

Or a way to order the preferences, as the rule that disallows the installation in \Local\Temp\*.exe seems to take preference over anything else?

Thanks in advance

Documents changes to My Documents when applied


Hi All,

I have an unusual one: one of our clients uses a third party application that requires a sub-folder within their roaming profile to be defined in HKCU. We have created a GPO to map this folder to \\server\share\%username%\Documents\<application>.

This is how it should work. However, when the users log on, the application cannot see the folder despite it existing in the correct location. After further investigation, it seems that when the GPO is applied, the folder defined in HKCU is actually \\server\share\%username%\My Documents\<application>. I have double and triple checked that the GPO definitely says "Documents" but for some reason when I check the registry on the machine after a user has logged in, it's saying "My Documents".

Any help is much appreciated.

Thanks

Import Certificates GPO not working


Hi All,

I configured a policy to import on each client some self-signed certificates

Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities

6 certificates in that

The problem is that the policy doesn't import the certificates when rebooting the client; however, if I run gpresult I can see the policy correctly in the report. Also, if running gpupdate /force, then the certificates are imported.

Any suggestion?

Computer Configuration Not Working


My "Computer Configs" GP settings won't take effect on my "Workstation Test" OU. I'm trying to make GPs for workstations so that every user that logs into that specific computer has the same setup. However, I don't want to make user GPs for those users because their work is different at different workstations. Any ideas? I'd consider myself a self-learner/novice so I'm not 100% on tech lingo. I have successfully set up the "Medicaid Computer" OU with working "User Configs" so I know that it works on User Configs, just can't seem to get Computer Configs to work. Will post picture of Active Directory once account has been verified!

Thanks

A GPO Setting isn't applied on Windows 8 and 7 clients


Hello,

I have Windows Server 2003 SP2 domain controllers and just configured a GPO setting on one of them. The setting is to disable the TCP/IP properties on users. Windows 8, 8.1 and 7 clients are not affected by the policy and users still can open the properties.

Don't these clients support GPOs pushed from Server 2003?

Thanks


"User Profile Service failed the logon" - GP


Hello, I have a strange issue with random machines getting the "User Profile Service failed the logon". Now there is a fix below, but what we are doing is giving the users temp local admin rights to log in, then removing this access, which resolves the issue.

https://support.microsoft.com/en-us/kb/947215?wa=wsignin1.0

We are looking at GP to resolve this but do not want to edit the registry, and we don't know which machines have the issue and would like to attach the fix at the top level of the OU.

Has anyone come across this issue, and used GP to resolve this?

2008 R2

Thanks

WPD Devices: Deny read access user policy


Hi All,

I have configured the following settings on my main group policy (user policy) and it has linked to my domain. 

All Removable Storage classes: Deny all access Enabled  
WPD Devices: Deny read access Enabled  
WPD Devices: Deny write access Enabled 

And in one of my sub OU GPOs I have configured "WPD Devices: Deny read access Enabled" (computer policy). When I checked with one user, I found that this user can access USB. There is no other configuration I made on this OU. As per the above domain policy, I have disabled All Removable Storage classes (mentioned above). Then how does it come open? I just tried one more thing: when I change WPD Devices: Deny read access in the sub OU to Not configured, then USB will be denied.

I couldn't find any referrals online regarding this. Can anyone suggest why it is happening?

Password expires early, despite GPO settings


Hi everyone,

I've got a question I just can't figure out.
When I set up this specific Server 2012 environment for a customer, I set the password policy to 365 days.
However, the password is no longer valid after 42 days. I checked the RSoP, and all that comes back is that the policy I set to 365 days is active.
Is there anyone that could help me figure out why the password expires after this short period?

Thank you in advance.

With kind regards,

Mike Rozeboom

Device Installation Restrictions - Not working as expected


I'm trying to conduct a simple test of Device Installation Restrictions.  I've created a GPO and only enabled Prevent installation of removable devices.  I created a new test OU, blocking inheritance, put a test computer in the OU (tested putting the user in the OU also, to block any user GPOs).  I've confirmed that the GPO is being applied to the computer via a dummy environment variable and these registry keys are getting added (all are included here, but I've tried just deny removable and then just deny specific IDs):

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions]
"DenyRemovableDevices"=dword:00000001
"DenyDeviceIDs"=dword:00000001
"DenyDeviceIDsRetroactive"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs]
"1"="USBSTOR\\DiskVerbatimSTORE_N_GO______PMAP"

Even with the GPO applied and the reg keys present, USB drives can be plugged in and used.  I've also tried setting Prevent installation of devices that match any of these Device IDs, but that doesn't work either. 

Clients are Windows 7 Professional 64 bit SP1.  Servers are 2008 R2.

I've reviewed the following with no help
Allow Administrators to Override Device Installation Restriction Policies
http://technet.microsoft.com/en-us/library/cc753015(v=ws.10).aspx

Step-By-Step Guide to Controlling Device Installation Using Group Policy
http://msdn.microsoft.com/en-us/library/bb530324.aspx


How to add trusted sites to group policy?


I found this:

 

Trusted sites policies can be set at the computer or user level and are located at the relative path of administrative templates: \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone.

 

But in the right side of the Trusted Sites Zone, I did not see any option to enter the sites. I'm using IE7.

Help is appreciated.
