Channel: Group Policy forum

Windows Server 2012 R2 Hosts Ignoring Windows Update GPO Settings


Architectural Overview

I have a development environment that is comprised of five (5) physical machines. Three (3) of these machines (dacloud-vh01, dacloud-vh02, dacloud-vh03) are VMM (2012R2) host servers set up as a failover cluster. One (1) of these machines (dacloud-ss01) is configured as a NAS (iSCSI) server which is used as the required shared file system for the cluster. The last machine (dacloud-cs01)--included here just for completeness--is a utility server that handles a variety of services including being one (1) of the four (4) domain controllers for the environment. The first four (4) systems are in an AD OU called "DACLOUD Cluster Hosts".

Methodology Background

Since it feels like it is probably not the best of ideas for the filesystem upon which the majority of the virtual machines as well as the shared volumes used for a few SQL instances exist to suddenly disappear as a result of dacloud-ss01 being rebooted following an automated update, I have created a GPO policy specifically for the DACLOUD Cluster Hosts OU (called "Default DACLOUD Cluster Hosts") that modifies the Windows Update settings for the rest of the domain. The non-default settings for this OU specify that the server should check for updates but not download or install them, as I would like to install these updates myself, manually.

What's Actually Happening

As demonstrated by the below screenshot taken from a GP Results report within Group Policy Management, the non-default WU settings are being applied by the DACLOUD Cluster Hosts policy. Moreover, in the second screenshot taken from the Registry Editor on dacloud-ss01, we can see that the WU settings are being pushed into the registry as expected.

That said, every Sunday morning @ 3AM, dacloud-ss01 checks for updates and, if found (let's face it, they're always found), installs the updates and, if required (let's face it, a reboot is always required), reboots the server. This, of course, causes pretty much the entire world to come crashing down in the environment as the filesystem that pretty much everything relies upon vanishes for about 3 minutes as the server reboots.

I'm entirely stumped by this problem, so I would be grateful if someone could point me in the right direction before I lose (another) (critical) virtual machine or corrupt (another) (critical) database. Thank you.


Finding DNS Forwarders and DNS Conditional Forwarders in Forest


Hi Techies,

Please give me a simple solution where I can find all my DNS Forwarders and DNS Conditional Forwarders in the forest.

I do not want to log in to each DNS server and navigate to the forwarders and conditional forwarders to check details.

Instead I want some script or PowerShell command to find all details from one server, exporting in CSV or TXT format.

I have tried this PowerShell script:

$NS = Resolve-DnsName -Name domain.tld -Type NS | `
    Where {$_.Type -eq 'NS'} | `
    Select-Object -ExpandProperty NameHost

$output = foreach ($server in $NS) {
    $forwarders = Get-DNSServer -ComputerName $server | `
                  Select-Object -ExpandProperty ServerForwarder | `
                  Select-Object -ExpandProperty IPAddress | `
                  Select-Object -ExpandProperty IPAddressToString

    foreach ($forwarder in $forwarders) {
        $props = @{'DNSServer' = (Resolve-DNSName -Name $server).Name ; 
                   'Forwarder' = $forwarder}
        $obj = New-Object -TypeName PSObject -Property $props
        Write-Output $obj
    }
}

But it requires Windows 2012 or Windows 8, whereas I am using only Windows 2008 Server.



With Regards, Raviraj Nagenhatti - System Administrator

Old Group policy applying settings i cannot find


Hi There

First post so go easy please :)

I have an old domain policy that has been configured but I now need to edit, however when I go to edit the policy and change the User Configuration tab so that I can force Internet Explorer to open the Intranet I get options that are no longer there.

The path for the old policy is User Configuration-Policies-Windows Settings-Remote Installation Service and User Configuration-Policies-Windows Settings-Internet Explorer Maintenance.

These 2 old areas I want to edit but when I choose edit I cannot navigate to this path, it seems that Internet Explorer settings are under the Administrative Templates.

How can I edit the paths above?

This has been driving me mad so any ideas would be greatly appreciated.

Mark

Change Password balloon notification


Our Win7 env has a requirement to incorporate the following policy:

User Config > Admin Templates > System > Ctrl+Alt+Del Options > Remove Change Password = Enabled

We use a separate web based mechanism to change passwords.

This policy is effective in that the user can no longer see the Change Password option at the Windows Security dialog, however when the password is getting close to expiration they will still get the balloon notification, directing them to press Ctrl+Alt+Del to change their password.  I realize I could suppress all balloon notifications via policy, but there are other notifications we still need to make available.  Is there any way around this?  Shouldn't MS have automatically suppressed this balloon tip once the above policy is enabled?

Client side on (windows 2008 r2 server) GPO version sysvol version showing (65535)


Hi 

I have one post in the AD forum for a group policy solution. Can anybody help me on the forum thread below?

https://social.technet.microsoft.com/Forums/windowsserver/en-US/9a51e49c-02ca-42c3-8057-e6f04fb77efc/client-side-on-windows-2008-r2-server-gpo-version-sysvol-version-showing-65535?forum=winserverDS

GPO setting for OneDrive For Business?


Here's the situation:

  • 6000 users already have Lync 2013 (Office 365)
  • 6000 users already have Office 2013 ProPlus
  • Some of these users have OneDrive For Biz installed, but not configured.
  • We are now to the point where we want to give OneDrive to everyone and sync it to their Office 365 account

When someone launches OneDrive for the first time, they are required to click the sync button. When they click this it activates and adds a "OneDrive @ CompanyName" folder in Windows Explorer.  How do I deploy OneDrive with it pre-configured so the user doesn't have to click "Sync?"  Is there a GPO?  Can I add something to a deployment package?

2012 domain GPO inconsistency between GPOs and SYSVOL/Policies folder - access denied


Hi all,

Need some help as I'm a bit stuck with this. I have a 2012 domain with several DCs on different sites.
I can create new GPOs and they are created and replicated with a problem (it appears).
I've run DCDIAG and repadmin and they don't come back with any errors.

The FSMO roles are all running on windc01. 
The baseline DC is windc02. 
I have 47 GPOs but 55 folders in the Policies folder of the SYSVOL. This is consistent with all DCs.

Today I tested the deletion of a GPO; after deleting it from the GPMT, the corresponding policy wasn't deleted.

When drilling into the orphaned policy folder on windc01 I get policy->machine->scripts, which is empty. If I do the same on any other DC I get an access denied message when clicking into the scripts folder.

If I click on 2 subsequent policies that have been deleted I can see the policies are still there. I get an access denied when trying to click into them.

I have found 4 policy folders that still exist in the SYSVOL/Policies folder of all DCs.

The four folders aren't matched to any existing SID of my GPOs because they have been deleted at some point; however, they have failed to be removed from the SYSVOL.

If I try and navigate into any of these on WINDC01 I get an access denied.
If I try the same on any other DC I can navigate into them, all of which are empty or have remnants of a GPO.

Looks to me like there is an issue with the permission of the GPOs on WINDC01 as this holds the FSMO roles.


matt barnes

Restart computers via GPO

Hello all,

I would like to restart all our lab computers (joined to the domain) daily at 23:59. Is there any way I can schedule the script via GPO? My domain controller is on Windows 2003 Ent server.

Throw me your ideas or point me in the right direction on how to achieve this.

Madal


Manage Add-Ons using GPOs


I need some help managing add-ons using GPOs.  I've been reading some threads but I still have not been able to figure out the problem.  The OS I'm working with is Windows Server 2008 R2.  The servers are set up with Citrix 6.5, and the profiles on the servers are deleted when users log off.  Once the users log back on and launch an application, two add-on pop-ups come up.  I need to be able to have the user log on without the add-on pop-ups coming up because it causes problems for the users.  I have already added the CLSIDs to a GPO but the pop-ups are still coming up.  What am I missing, or what is the best way to fix this issue?  Any help would be greatly appreciated.

-Hector

Create Local Admin User on Domain Computers through GPO


Hello Everyone.

I want to create a local admin user account on every client computer of my domain through GPO. I mean a local user account (not a domain user account) added to the Administrators group of each and every computer of my domain. We have Windows Server 2008 R2 DC.

I am able to create a local user account on every domain computer, but this local user account is not getting added to the Administrators Group.

I have tried the following methods but none is fulfilling my requirement:

http://blogs.technet.com/b/canitpro/archive/2014/12/10/group-policy-creating-a-standard-local-admin-account.aspx

http://blog.korteksolutions.com/how-to-create-local-accounts-via-group-policy/

http://www.dannyeckes.com/create-local-admin-group-policy-gpo/

http://www.dannyeckes.com/create-local-administrator-security-group-gpo/

https://community.spiceworks.com/how_to/907-gpo-to-push-out-local-administrators-across-a-domain

Please guide and help me.

Many thanks.

Regards,

Hasan Bin Hasib


Hijacked Computer - Help!


I have a small business and am the one and only person who does everything here.  I used to have someone who worked here that has an extensive knowledge of computers.  Well, they have me as a local computer on part of a domain now, and control what sections of the computer I can get to, and such. I cannot change anything that I want to and now I cannot even print without saving to my computer first.   I personally do not have a great knowledge of computers, and have taken my computer in several times to get it fixed, but the companies that I am taking it to obviously know as little as I do!  I am hoping for some instruction as to what it is I need to do so I can have my computer back.  I know it is them because of the comments I have received from their friends pertaining to a couple of pictures they saw on my computer.  Any advice would be great.  If there is a way I can show who it is that is doing this to me would be incredible and a dream come true.  I just want them to stop but they will not.  Thank you for reading this.  Adgenie

PS  I am running Windows 7.  I just typed in tpm.msc and my computer said loading of the management console failed.  Access denied.


Enterprise mode not applying for MS Edge


I'm probably doing something wrong, not sure what it is. I've been working with this article

https://technet.microsoft.com/en-us/library/mt270205.aspx and I'm trying to set the Configuration Manager Application Catalog page to automatically launch/change to IE11, but Edge still launches the page and it doesn't work there.

1. This is what my LABSEMSL.xml looks like:

<rules version="1">
  <docMode>
    <domain docMode="edge">sccm<path docMode="edge">/CMApplicationCatalog/</path></domain>
  </docMode>
</rules> 

(the desired address is http://sccm/ApplicationCatalog/)

2. I set the policy "Allows you to configure the Enterprise Site list" to point to \\filesrv\DATA\IE_EDGE\LABSEMSL.xml

3. The config is set on user configuration and I see new registry appearing HKEY_CURRENT_USER\Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode fine

Any ideas?
- is user config supported too?
- is unc path supported too?




How to create a GPO to save security event logs when they fill to the max size of 2 GB so that my logs will not be overwritten, on Windows Server 2012 R2


Hi Team,

I have a Win 2012 R2 AD. I want to implement a GPO that will save my security event log when it is filled with the max size of 2 GB.

Note: I don't want to overwrite the logs; I want them to be saved for auditing.

Regards

Soma.

Scanner Not Detected On Deployed Printer Via GPO

Hi, I just deployed an HP7500A Wide Format Printer that includes everything (printer, scanner, copy, fax). When I installed it manually on the client computers with the Add Printer Wizard, specifying the printer IP address, the computer can detect the scanner, but when I used Group Policy (GPO deployment), it is only detected as a printer and not a scanner/fax. How can I make users able to use the scanner/fax feature of this printer? I'm using the "Windows Fax And Scan" software on the client computers. Is it possible to audit the usage of the fax and scanner features?

gpsvc service stopped


Recently I installed Server 2008 Enterprise Edition (x64). It is the only Active Directory with DNS in my organization. But the problem I'm facing is that the Group Policy Client service "gpsvc" failed to start. When I checked Event Viewer I got the following errors:

 

-The Group Policy Client service failed to start due to the following error: 

The service did not respond to the start or control request in a timely fashion.

 

event viewer details:

System 

  - Provider 

   [ Name]  Service Control Manager 

   [ Guid]  {555908D1-A6D7-4695-8E1E-26931D2012F4} 

   [ EventSourceName]  Service Control Manager 

   - EventID 7000 

   [ Qualifiers]  49152 

    Version 0 

    Level 2 

    Task 0 

    Opcode 0 

    Keywords 0x80000000000000 

   - TimeCreated 

   [ SystemTime]  2012-01-06T10:52:10.000Z 

    EventRecordID 38629 

    Correlation 

   - Execution 

   [ ProcessID]  0 

   [ ThreadID]  0 

    Channel System 

    Computer ad.norvic.com 

    Security 

 - EventData 

  param1 Group Policy Client 

  param2 %%1053 

I tried to start the service manually using services.msc but all the keys were disabled. I also tried net start gpsvc in a command prompt. Now another error message is prompted. This time the error is "system error 5 has occured - Access is denied"
So it would be helpful if anyone has a solution to this problem.


Disable Security tab settings in GPO Preferences for Internet Explorer 10 settings.

Hi 

In Group Policy Preferences for Internet Explorer 8 & 9 Settings, I could disable the settings in the Security tab.

So I only set the homepage option and the GPO result page will show only that setting is enabled.





In Group Policy Preferences for Internet Explorer 10 Settings, I cannot disable anything in the Security tab.

So when I try to accomplish the same result as above (only setting the homepage option), the GPO result page shows that Security tab settings are set for zones, and Protected mode.



Is it not possible to disable the security tab settings in GPO Preference for Internet Explorer 10 settings?

Folder redirection issues


We have a CIFS/SMB 2TB share presented from a NetApp filer that we use for folder redirection. We redirect the following folders to this share for each user: Start Menu, Downloads, Appdata (Roaming), Desktop, Favorites, Links. There are around 8000 user folders within the root share and around 1.5TB of data within the above redirected folders. On a standard day we have around 3000 concurrent Citrix users.  The setting "move contents to new location" is not ticked on any of the redirected folders.

We have issues on random days where it hangs on logging in via both Citrix and RDP at applying folder redirection settings for 30+ mins for all users.  When I deny the apply group policy permission on the GPO that sets the folder redirection I get straight in to my Desktop. When these issues occur the latency on the storage goes as high as 80ms; when working fine it sits around 3-5ms. When the latency goes down you eventually get your Desktop and the Citrix/RDP session completes. The version of NetApp ONTAP we use only allows single thread access across the CPU/cores on the storage controller; there are plans to upgrade this to allow multi threading.

I have run procmon and I can see there is a read (pointer) at the storage layer for each redirected folder and each file/folder within the redirected folder. Due to the large amount of data which sits within the redirected folders for each user (1.8 million files within Appdata, 600k with the Desktop), am I right in thinking this issue is purely an issue with the storage, where it can't cope with the amount of reads at user logons, and down to user bad practice? There are no quotas or file screens in place so users have free rein to store as much data as they want on the redirected folders.  I have inherited this environment, and apart from having a mass cleanup of data within the redirected folders or removing folder redirection for the Desktop/Appdata folders, am I right in thinking there isn't much I can do?

Opinions please!!

regkeys for IE and proxy


I currently have these 4 keys populated.

ProxyEnable (Order: 1)
ProxyServer (Order: 2)
ProxyOverride (Order: 3)
AutoConfigURL (Order: 4)

Any others, and is the order okay?

Thanks

Group Policy Management in Mixed Environment Windows 7/8


I have inherited a Group Policy environment that was originally built for Windows 7. A couple of years ago they started deploying Windows 8 but used most of the Windows 7 objects that already existed. As you can imagine the Windows 8 workstations have many issues caused by UAC, desktop backgrounds etc. This led to poor user acceptance with Windows 8.

Sooner rather than later we will be rolling out Windows 10 and I want to make sure Group Policy is prepared correctly. Is there any information regarding best practices for Group Policy in a mixed environment? So far from the videos and documentation I have read for W10 they recommend you have separate objects/admx templates for each OS but not how to implement and restructure your current environment.

Windows Server 2008 R2 Reboots when applying group policy registry policy


Hi,

I'm having issues with a Citrix server that won't boot up. It gets to applying group policy registry policy and then boots again.

It won't boot in safe mode either.

If anyone has any ideas it would be much appreciated.

Cheers
