Channel: Group Policy forum
Viewing all 19997 articles

Where does the group policy rubber meet the OS road?


I am trying to find where certain group policy settings are configured in Windows, so I can create some configuration items/baselines in SCCM 2012.

For example, Computer Configuration\Windows Settings\Local Policies\User Rights Assignment - Act as part of the operating system

Where does this appear as a setting in Windows 7?

I downloaded the Group Policy Settings Reference (https://www.microsoft.com/en-us/download/details.aspx?id=25250), which helped me find the settings that are in the registry. But, for the above GP setting, the document says, "User Rights security settings are not registry keys." I also looked at http://gpsearch.azurewebsites.net/ but this too seems to list only registry entries.

Where are the User Rights and other settings (like the ones in Computer Configuration\Windows Settings\Local Policies\Audit Policy) configured? WMI?

Thanks.



Time Stamp Synchronization

Does anybody know where the setting for the time stamps is?

Folder redirection - stop managing a user


I see lots of posts on how to revert a user from folder redirection back to the default location, by either changing the current GPO or by moving the user to a new GPO that uses basic and default profile location. However, this keeps the user "managed" and does not allow the user to change the default location. I need to remove users from being managed as I want to move some users to OneDrive or to Work Folders, both of which include changing the document location from %profile%\documents to a folder within the Work Folders or OneDrive for Business folder. Also, I have some users with a small SSD C drive and a larger second drive. In those cases the OneDrive or Work Folders location is set to the second location.

Once we have determined what will work best for each department, we can standardize a file location and manage the users' document location, but for the moment I am looking for a way to remove a user from being managed. Note: I have tried excluding them from the GPO, but this does not cause them to be "unmanaged" and they do not have the ability to change their document location locally. I would be happy if I can do this as an admin changing a registry setting or similar, ideally remotely.


Fred Zilz

File in NETLOGON subfolder cannot take ownership or modify/delete


Hi All,

We've run into a problem where a file that was created a few months ago in a subfolder of the NETLOGON share cannot be deleted. I've tried resetting permissions on the parent folder and all sub items, but it fails on this file. I've tried seizing ownership from the GUI and from takeown on the file itself and recursive on the folder. I've tried ICACLS and CACLS on the file to reset permissions or add myself. I can delete the file on the other domain controllers, but not on this specific one. The file then reappears in the folder on the other DCs after it's been deleted because I can't remove this copy.

Has anyone run into this problem before? My account, for reference, is in the Domain Admins and Enterprise Admins groups.

Thanks in advance!

Allen

SDDL Values for Event Log Access


I've been trying to figure out the SDDL String for the event log access.

I have created a group in AD for several administrators that would have event log access.

Now, I would like to restrict it to this group only. Thoughts?

Thanks!

How to remove IE as the default browser and set Firefox as the default browser


The District has software that will only interface smoothly with Firefox rather than IE. So we are trying to figure out how to turn IE off as the default browser and set Firefox as the default browser, with no success in GPO.

Any help will be greatly appreciated.

Thank you.

Logon banner not allowing paragraphs


Hello,

I have been asked to add a legal logon banner to our users' PCs.

I have the text to copy into it, but it contains 4 paragraphs and the group policy removes these. Is there a way to format the text properly with paragraphs?

Thanks

Manipulating Accessibility Options


Good Morning,

We are a school district and are starting to get requests for individual student needs due to disabilities. They are wondering how we can accomplish this. Is there anywhere in Group Policy to change accessibility options for individual students? We may have to create quite a few GPOs for individual needs. One thing we need to do is just plain old magnify, but at 400%, and another needs to be 200%.

How can we do this with GPO? Is there a place to set this, or do we have to do registry keys (which I would like to avoid if possible)? Is there a good site that has all this info (registry keys or GPO locations)? Is there an ADM?

It seems most sites I see want to disable these options overall.

Thank You,


Mapping drive when logging in to terminal server


I created a Group Policy to map a network drive when users log in to the terminal server (2012 server). I used Group Policy Preferences to map the drive. The terminal server is in a separate OU. The GPO is on the terminal server OU. I have the terminal server name in item-level targeting. I have loopback processing (merge) on the group policy. Users are in a separate OU.

The drive does not map when I log in to the terminal server. Any help would be appreciated. Thank you.

computers hanging at applying computer settings


Hello,

We are having massive problems with computers that are hanging at startup. They keep hanging at "Applying computer settings".

Not all of the computers are doing this, but about 20 out of 100. We tried many things, like changes to group policy, logging, and network. But all seem to fail, and the problem seems to return one way or another. Maybe not today or this week, but next week it will return at random.

Right now we have turned on the GPSVC logging and got a log file, but I don't understand where it is failing. I tried to make it understandable with Policy Reporter, but still no success.

When the computer is hanging, it gets the following line in the log file, which a computer that boots correctly does not have. Can someone please help me with this?

GPSVC(3e0.8c4) 08:22:07:186 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x5b8
GPSVC(3e0.8c4) 08:22:07:186 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(80.804) 08:22:07:186 Target = Machine
GPSVC(3e0.8c4) 08:22:07:186 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(3e0.8c4) 08:22:07:186 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(80.514) 08:22:07:186 Target = Machine, ChangeNumber 0
GPSVC(2c0.2d0) 08:25:04:504 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x29c
GPSVC(2c0.2d0) 08:25:04:519 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(2c0.2d0) 08:25:04:519 Client_RegisterForNotification: CheckRegisterForNotification returned error 0x6ba
GPSVC(2c0.2d0) 08:25:04:519 CGPNotify::RegisterForNotification: Service not RUNNING. waiting
GPSVC(2c0.2d0) 08:25:04:519 CGPNotify::RegisterForNotification: Trying to recover from error 1722
GPSVC(2c0.2d0) 08:25:04:519 CGPNotify::RegisterNotificationAsynchronously: Starting async registration
GPSVC(2c0.2d0) 08:25:04:519 CGPNotify::RegisterNotificationAsynchronously: Created thread 728
GPSVC(2c0.2d8) 08:25:04:519 CGPNotify::RegisterNotificationAsynchronously: Waiting for service to start
GPSVC(2c0.2d0) 08:25:04:519 CGPNotify::RegisterNotificationAsynchronously: Exiting with status = 0
GPSVC(2c0.2d0) 08:25:04:519 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(2c0.2e8) 08:25:04:550 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x3b0
GPSVC(2c0.2e8) 08:25:04:550 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(2c0.2e8) 08:25:04:550 Client_RegisterForNotification: CheckRegisterForNotification returned error 0x6ba
GPSVC(2c0.2e8) 08:25:04:550 CGPNotify::RegisterForNotification: Service not RUNNING. waiting
GPSVC(2c0.2e8) 08:25:04:550 CGPNotify::RegisterForNotification: Trying to recover from error 1722
GPSVC(2c0.2e8) 08:25:04:550 CGPNotify::RegisterNotificationAsynchronously: Starting async registration
GPSVC(2c0.2e8) 08:25:04:550 CGPNotify::RegisterNotificationAsynchronously: Async registration thread already created
GPSVC(2c0.2e8) 08:25:04:550 CGPNotify::RegisterNotificationAsynchronously: Exiting with status = 0
GPSVC(2c0.2e8) 08:25:04:550 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(74.130) 08:25:05:003 -------------------------------------------
GPSVC(74.130) 08:25:05:003 Use the Event Viewer to analyze the Group Policy operational log for details on Group Policy service activity.
GPSVC(74.130) 08:25:05:003 -------------------------------------------
GPSVC(74.130) 08:25:05:003
GPSVC(74.130) 08:25:05:003 InitializeProductType: Product Type: 1
GPSVC(74.130) 08:25:05:003 Register for connectivity notification is Enabled.
GPSVC(74.130) 08:25:05:003 Connectivity manager class initialized with for IntranetAuth connectivity
GPSVC(2c0.2d8) 08:25:05:003 CGPNotify::RegisterNotificationAsynchronously: Service started successfully
GPSVC(2c0.2d8) 08:25:05:003 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(2c0.2d8) 08:25:05:003 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(74.134) 08:25:05:003 Target = Machine, ChangeNumber 0
GPSVC(74.314) 08:25:05:003 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x1d4
GPSVC(74.314) 08:25:05:003 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(74.130) 08:25:05:003 Target = Machine, ChangeNumber 0
GPSVC(74.130) 08:25:05:003 Target = Machine, ChangeNumber 0
GPSVC(74.130) 08:25:05:003 Target = Machine
GPSVC(74.314) 08:25:05:003 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(74.130) 08:25:05:003 Target = Machine, ChangeNumber 0
GPSVC(74.314) 08:25:05:003 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(3ec.384) 08:25:05:018 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x38c
GPSVC(3ec.384) 08:25:05:018 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(74.130) 08:25:05:018 Target = Machine
GPSVC(3ec.384) 08:25:05:018 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(3ec.384) 08:25:05:018 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(74.130) 08:25:05:018 Target = Machine, ChangeNumber 0
GPSVC(3ec.440) 08:25:05:018 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x3bc
GPSVC(3ec.440) 08:25:05:018 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(74.130) 08:25:05:018 Target = Machine
GPSVC(3ec.43c) 08:25:05:018 Client_LockPolicySection: Making Aync RPC LockPolicySection call
GPSVC(3ec.440) 08:25:05:018 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(74.130) 08:25:05:018 Sid = (null), dwTimeout = 600000, dwFlags = 268435456
GPSVC(3ec.440) 08:25:05:018 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(74.130) 08:25:05:018 LockPolicySection called for user <Machine>
GPSVC(74.130) 08:25:05:018 bMachine = 1
GPSVC(74.130) 08:25:05:018 Async Lock called
GPSVC(74.130) 08:25:05:018 Reader Lock got immediately. m_cReadersInLock : 1
GPSVC(3ec.43c) 08:25:05:018 Client_LockPolicySection: Machine critical section has been claimed.  Handle = 0x2b6510
GPSVC(3ec.43c) 08:25:05:018 Client_LockPolicySection: Leaving successfully.
GPSVC(3ec.43c) 08:25:05:018 Client_UnLockPolicySection: Starting UnLock Call
GPSVC(74.134) 08:25:05:018 Sid = (null)
GPSVC(74.134) 08:25:05:018 UnLockPolicySection called for user <Machine>
GPSVC(74.134) 08:25:05:018 Found the caller in the ReaderHavingLock List. Removing it...
GPSVC(74.134) 08:25:05:018 Setting lock state as notLocked
GPSVC(74.134) 08:25:05:018 Deleting critical section for UserSid <(null)>
GPSVC(74.134) 08:25:05:018 Deleting machine
GPSVC(74.134) 08:25:05:018 UnLocked successfully
GPSVC(3ec.43c) 08:25:05:018 Client_UnLockPolicySection: Unlocked successfully
GPSVC(3ec.43c) 08:25:05:018 LeaveCriticalPolicySectionInternal: Critical section 0x2b6510 has been released.
GPSVC(74.134) 08:25:05:083 Target = Machine
GPSVC(74.134) 08:25:05:083 Target = Machine, ChangeNumber 0
GPSVC(74.134) 08:25:05:153 bMachine = 1
GPSVC(74.134) 08:25:05:153 Setting GPsession state = 1
GPSVC(74.134) 08:25:05:153 Message Status = <Applying computer settings...>
GPSVC(74.4e8) 08:25:05:153 Waiting for connectivity before applying policies
GPSVC(74.4e8) 08:25:05:153 Waiting for SamSs with timeout 120000
GPSVC(74.4e8) 08:25:05:153 Waiting for NTDS.IndexRecreateEvent with timeout 120000
GPSVC(74.4e8) 08:25:05:153 Waiting for NlaSvc with timeout 120000
GPSVC(74.130) 08:25:05:343 Target = Machine
GPSVC(74.130) 08:25:05:343 Target = Machine, ChangeNumber 0
GPSVC(74.130) 08:25:05:403 Sid = (null), dwTimeout = 1, dwFlags = 268435459
GPSVC(74.130) 08:25:05:403 LockPolicySection called for user <Machine>
GPSVC(74.130) 08:25:05:403 Async Lock called
GPSVC(74.130) 08:25:05:403 Reader Lock got immediately. m_cReadersInLock : 1
GPSVC(74.130) 08:25:05:403 Sid = (null), dwTimeout = 1, dwFlags = 268435459
GPSVC(74.130) 08:25:05:403 LockPolicySection called for user <Machine>
GPSVC(74.130) 08:25:05:403 Async Lock called
GPSVC(74.130) 08:25:05:403 Reader Lock got immediately. m_cReadersInLock : 2
GPSVC(74.130) 08:25:05:413 Sid = (null), dwTimeout = 1, dwFlags = 268435459
GPSVC(74.130) 08:25:05:413 LockPolicySection called for user <Machine>
GPSVC(74.130) 08:25:05:413 Async Lock called
GPSVC(74.130) 08:25:05:413 Reader Lock got immediately. m_cReadersInLock : 3
GPSVC(74.130) 08:25:05:413 Sid = (null)
GPSVC(74.130) 08:25:05:413 UnLockPolicySection called for user <Machine>
GPSVC(74.130) 08:25:05:413 Found the caller in the ReaderHavingLock List. Removing it...
GPSVC(74.130) 08:25:05:413 UnLocked successfully

Parsing Error after adding Windows 10 GPO objects


Hi.  I'm getting parsing errors after adding the Windows 10 GPO object to the Policy Definitions folder.

Please see screenshots:


tzutil /s (change time zone) via GPO startup script does not work


Hi,

I have a script which uses TZUTIL (tzutil /s "Cen. Australia Standard Time") to change the time zone.

When I run it manually, it works exactly as intended.

When I set it as a Startup Script via GPO, the script runs; however, TZUTIL fails to update the time zone.

I am using PowerShell, but the same issue occurs using .cmd, .bat.

When troubleshooting, I added a line to test if TZUTIL would retrieve the current time zone (tzutil /g) and it retrieved the current time zone fine.

Has anyone run into this problem?

Any advice would be greatly appreciated.

add calendar in exchange 2010

How can I add a calendar in a conference room through Exchange 2010?

Computer Configuration - Folder Options "File Type" Preference not Applying on Windows Clients (7 and newer)


This morning, a customer sent a RAR file to one of our staff members via email.  We don't routinely handle these files, so that person didn't know how to open it.  However, we do pre-install 7-zip on all of our machines specifically to handle numerous types of compressed/archive files.  I showed the staff member how to use 7-zip to open the file.  The problem is we don't configure 7-zip to take over all the compressed/archive file associations during install.

Since I'd prefer not to do this manually after the fact, I figured I could use Group Policy to update the file associations for all our client computers (and users). I did my research and found the Computer Configuration > Control Panel Settings > Preferences > Folder Options > File Type setting should achieve the desired result:

https://technet.microsoft.com/en-us/library/cc754587.aspx

I then remoted into one of our Windows 2008 R2 servers and opened Group Policy Management to modify our "standard setup" policy.  This server already had 7-Zip (x64) installed and I had previously used the 7-Zip File Manager to take over the RAR file type *before* I added this new preference to our policy.  I note that because I've seen Group Policy Preferences pull information from the local machine that is used to create/modify the policy.  If the machine didn't have the right settings or software, the policy would be much more challenging to configure.

That said, I configured the settings below:

GP-Mgmt-Editor-Folder-Options

GP-Mgmt-Editor-RAR-File-Type-Settings

GP-Mgmt-Editor-RAR-Action-Open-Settings

I compared these settings with the ones from the registry (HKEY_CLASSES_ROOT) and everything looks right to me:

RegEdit-HKCR-7-Zip.rar-Shell-Open-Command

RegEdit-HKCR-7-Zip.rar-DefaultIcon

I finished modifying the policy and closed out the editor and GPMC, then I forced a GP update from each of our domain controllers (PDC emulator first). I then did the same with my test machines (1 Windows 8.1 Enterprise 64-bit, 1 Windows 7 SP1 Enterprise 64-bit, and 1 Windows 7 SP1 Enterprise 32-bit), but saw no change. I logged out of each machine and logged back in (after running gpupdate /force), but that didn't work. I rebooted each test machine, but still the policy did not apply.

I looked in the event log and I'm seeing this warning on each machine, no matter the OS or bitness:

Event ID:  4098 - Source:  Group Policy Folder Options

Description:

"The computer 'rar' preference item in the 'Standard-Setup {8AAEFE4E-7904-4BA1-9A44-67805BA91700}' Group Policy Object did not apply because it failed with error code '0x80004002 No such interface supported' This error was suppressed."

Win8.1-64-Event-Viewer-Application-Log-Warning-EventID-4098

I researched that warning but my searches came up empty...

What am I missing here??

One final note:

Since the "File Type" setting isn't applying, I'm temporarily using the "Open With" preference in the user context to achieve a similar result (although that's not really how I want the policy to be configured).  The "Open With" preference is working:

https://technet.microsoft.com/en-us/library/cc732272.aspx


GPO to lock screen after x minutes

Looking to implement a GPO that locks the screen (not screen saver) after a specified amount of time. Our DC is Windows Server 2008. I was searching around, but I keep finding GPOs to enable the screen saver and then set the screen saver timeout period, but I just want to lock the screen. The equivalent of the Windows key + L. Can this be done?

Elevation for admin does not work


On every Windows 7 computer in my domain, the elevation prompt for admin credentials does not work when it is needed to install or uninstall something. I only get the information that I must be an administrator to install this software.

I have configured it as follows:

In GPO - Computer Configuration/Policies/Windows Settings/Local Policies/Security Options/User Account Control:
- User Account Control: Detect application installations and prompt for elevation (enabled)
- User Account Control: Behavior of the elevation prompt for standard users (Prompt for credentials)
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode (Prompt for credentials)

But it still does not work. Any thoughts?

Windows 10 - How to customize the user pictures


In Windows 7 you can change the user account picture just by replacing the user.bmp image in the folder %programdata%\microsoft\use\account pictures. I did the same replacement in Windows 10 but it didn't work. It doesn't change the picture shown when the Start Bar is pressed.

Is there any way in Windows 10 to do this?

I am working in a Domain environment.

Best Regards.

Audit Policy applying but not changing anything


Hello Everyone!

So I am having an issue with a GPO that I'm testing which is supposed to set the audit policy on workstation machines. I ran an RSOP on my machine to see if it was being applied and it is! Except that when I look at my local security policy, the values still say "No Auditing". Has anyone seen this before? Is it perhaps that I am not supposed to see what the values are set to locally? Any help would be great! Thanks!

**Forgot to mention, I am running a Windows 10 machine on a Windows Server 2012 functional domain level. This issue is occurring for Windows 7 workstations as well.


restricted access to mapped Windows 2008 drive


I mapped a drive and created subdirectories to allow managers to store and share some PDF files and others, then I was asked to add more users to this drive to look up documents.

And it was OK until I was asked to protect some folders inside this mapped drive, so that only a manager can see files or only another manager can modify files, but others cannot.

I had some problems restricting this.

Any help, please?

Thanks in advance

OS -Win 2008 R2 64 bit DC

WSUS update failed to install


I have installed WSUS on Server 2012. Most of the updates are installed, but 51 updates failed to install on clients, so I would like to know why these updates failed to install and how I can delete those failed updates, as I tried to run the Clean wizard, which didn't work. For more information, please check the attached link.

Thanks in advance for your support.

https://social.technet.microsoft.com/Forums/getfile/717456

