Quantcast
Channel: Group Policy forum
Viewing all 19997 articles
Browse latest View live

What is Auditing by default for SysVol folder in multiple domain and How to find who deleted files and folders from sysvol \ group policy \ folder redirection \ desktop

September 10, 2015, 10:57 am
$
0
0

Hi Techies,

I have strange issue with my one of my domain group policy users.

1) Users complained saying desktop items are not there .

2) When i checked it desktop items were not there in %logonserver%\netlogon\GP_Fld_Redirection\abc\desktop\

3) There was no issue with the GP setting.

4) After restoring desktop items from backup, Desktop Items were visible

Now the question are as folllows

  • How to check who has deleted or removed desktop items from that location.
  • How to see the audit logs for sysvol folder. When i checked in event viewer with 4660 event id nothing found.
  • Is sysvold folder will have by default delete object audit policy enabled
  • In DC default domain policy enable for Failure and Success for Object access.
  • I even checked with Event 5143 ID. but no luck  
  • Now i have to submit Root cause analysis report. Please help me.

With Regards, Raviraj Nagenhatti - System Administrator


Search

powershell msiexec: unable to install the .msi package on a remote machine via jenkins

October 15, 2015, 4:22 am
$
0
0

I am trying to install a msi package via Jenkins on a remote computer. Both the msi file and the powershell script are on the remote machine. From jenkins (which is another machine), using a powershell plugin trying to use the command

Invoke-Command -ComputerName $env:client -ScriptBlock { param($mach,$u,$p) c:\install\scripts\Install_msi.ps1 -database $mach -username $u -password $p } -Credential $cred -Authentication CredSSP -Args $env:database,$env:username,$env:password

This is a company created application, packaged in an msi format. The msi package has an application and also launches a dbsetup.exe which installs the databases. The purpose of the dbsetup.exe is to install databases.

When I run the powershell script install_msi.ps1 from a powershell command window as administrator directly on the remote machine, it installs the application including the dbsetup.exe launched and installs the databases.

The problem is when I try to do the run the same script from jenkins, it installs only the application part but doesn't run dbsetup.exe and databases aren't installed. However I can see from the task manager that dbsetup.exe is launched and status showing as running but none of the databases are installed.

Using Powershell v4, Windows Server 2012 standard R2. Jenkins v1.612

Jenkins server is on one domain and remote machine is on another domain.

I am out of ideas. Any suggestions how to resolve this issue would be great.

Login script not starting automatically

October 20, 2015, 4:16 am
$
0
0
Hi Everyone,

We are having an increasing amount of users complaining that the logon script isn't running automatically when they logon. If we browse to the relevant sites path$\loginscript and run the Logon.VBS script the script runs successfully and the relevant drives mappings and printers are added.
This is happening for desktop and laptop users -

This is just a few examples for you. I did wonder if the PC's were logging in before the network was being found, however even if they logout & login after they've initially logged in the script still fails to launch but runs successfully if launched manually.

Please help

Haroon Khan IT Consultant Enfo Sweden

Roaming Profile and Temp profile

October 20, 2015, 1:06 am
$
0
0

Hi,

I have Windows 7 users who have a Roaming profile configured on their user account in AD. A few of these users then use this account to logon to a citrix server to access certain applications and their profile is then redirected using folder redirection and is configured using a loopback polcy which works fine and their profile folders are all redirected properly. The citrix farm is windows 2008 r2. Once they logon to citrix xenapp, they are presented with some applications, and one of those is to rdp onto a Windows 2012 server. When they logon to the Windows 2012 server, they are presented with a temporary profile.

How can I make sure that when they logon to the w2k12 server that they have an actual profile created? In the registry for their accounts (HKLM\software\Microsoft\Windows NT\CurrentVersion\ProfileList), it points to a Central profile path and that is the same path as when they logon to the domain normally, but they can't access that path from the citrix farm (and I don't want them to since the folders are now redirected). If I remove their AD roaming profile, then they get a normal profile when they logon to citrix and then the w2k12 server), and the registry does not contain the Central profile path. The users need to have their roaming profile for normal operations (i.e. when they are not using citrix)

Is there any GPO that I can configure to remove the Central Profile reg entry when they logon to the W2k12 server?

Thxs

Jaz



AppLocker - How to re-run "Reduce the number of rules created by grouping similar files"?

October 19, 2015, 2:10 pm
$
0
0

When using GPMC to create an initial set of rules for an AppLocker policy, we are presented with an option to:

Reduce the number of rules created by grouping similar files

As the life of the policy evolves, new rules need to be added, though without manual review of every previous entry, how can we keep the rule count to a minimum by grouping "similar items"? Can this feature be run again and forced to consider rules added after the initial configuration? Is this grouping logic available through PowerShell or another API?

NOTE: I am not talking about Set-AppLockerPolicy's -Merge parameter, which " will remove rules with duplicate rule IDs, and the enforcement setting specified by the AppLocker policy" but apparently not group similiar files into one rule?

Mike Crowley | MVP
My Blog -- Baseline Technologies

GPMC on 2008 An error has occurred while collecting data for administrative templates

September 16, 2010, 10:45 am
$
0
0

Hello I currently have an issue when working with gpo's with administrative templates. I get the following issues viewing settings or attempting to edit policy.

An error has occurred while collecting data for Administrative Templates.

The following errors were encountered:

Expected one of the following possible element(s), <text>, <decimalTextBox>, <textBox>, <checkBox>, <comboBox>, <dropdownList>, <listBox>, but found <multiTextBox> instead. File \\<path_to_sysvol>\Policies\PolicyDefinitions\en-US\TerminalServer-Server.adml, line 198, column 60
Encountered an unknown error while parsing (error = 0x87400001): -2025848831 (0x87400001) File\\<path_to_sysvol>\Policies\PolicyDefinitions\TerminalServer-Server.admx, line 9, column 41

This error occurs with all admx/adml files being referenced.  The error above is just an example of one of the errors I'm seeing.

I have serveral other machines where I can successfully modify and view gpo settings.  Currently there is only 1 server, a 2008 std (non-R2) and is fully patched with all of the latest and greatest security fixes.  I've attempted to remove gpmc and reinstall which did not help.  The ADMX file repository seems to be fine as other server/computers which manage GPO do not experience this issue.  So there has to be something incorrectly configured on this system locally.  This did work correctly without issue in the past but has recently come up as an issue.  I don't believe there where any changes to this system other than routine hotfixes.  The only change in the environment I can think of was we moved our PDC emulator to a different machine, but once again other systems would be effected by this change if that was the cause.


GPO decimaltextbox error

October 20, 2015, 8:39 am
$
0
0

By mistake I copied GPO’s from a Windows 2008 R2 server to a Windows 2008 Standard. And now I get the error message below on all my GPO’s.

> /Expected one of the following possible element(s), <text>,

> <decimalTextBox>, <textBox>, <checkBox>, <comboBox>, <dropdownList>,

> <listBox>, but found <multiTextBox> instead.

What is the fix?

Note: Please do not reference this article as I do not see any fix in it.

http://blogs.technet.com/b/askds/archive/2009/12/09/windows-7-windows-server-2008-r2-and-the-group-policy-central-store.aspx

Raymond W. Rio

No Windows 10 Option in Group Policy Preferences - Operating System

October 20, 2015, 2:48 am
$
0
0

Hi,

I have downloaded and applied the windows 10 admx files, applied them, and i still cannot see windows 10 within the Group Policy Preference Targeting Editor for Operating System 

See below. Am i Missing something? Or is this a bug or non release item from Msoft?


Search

AppLocker on Server 2012 R2 causing memory spike in depedent processes

September 14, 2015, 5:19 am
$
0
0

Hello,

I am running AppLocker on my Windows Server 2012 R2 machines, and after several hours of run time, two of the Application Identity service's dependent services using SVCHOST will spike their memory utilization, in some cases to over 2-3 GB each.  The processes "families" as they are grouped in the task manager are the "Service Host: Remote Procedure Call" and "Service Host: DCOM Server Process Launcher" - as I said, these are the dependencies of the Application Identity service that AppLocker uses to enforce the defined application control policies.

Has anyone seen this before or have any ideas what could be causing this?  I have used AppLocker in the same manner with the same number of rules in Server 2008 R2 with no issues like this.  The problem also doesn't occur on the Windows 7 workstations which also run AppLocker.

Is there a memory leak in the Application Identify service somewhere?

Many thanks in advance.

Location-aware printing settings

October 20, 2015, 11:54 am
$
0
0

Hi,

Couldn't decide whether to put this in the printing forum or here, but I figured this was the best option!

Is there anyway that the location-aware default printer settings (as described in this article: http://windows.microsoft.com/en-gb/windows7/automatically-switch-default-printers-between-home-work-or-school) can be controlled via Group Policy?

Thanks in advance

Adam

Advanced Auditing

October 20, 2015, 1:18 pm
$
0
0
First things first.  I am NOT trying to go back to category level auditing. I am trying to get my Advanced Auditing polices to apply.

I am attempting to get this Advance Auditing policy to apply to a Windows 2008 R2 member server.  

I have a group policy configured which has Advanced Auditing enabled (Success and Failure) for various policies.  I have the group policy applied to the appropriate users group and I have the policy linked to the correct OU.  running "gpresult /scope computer /R" on the server shows that the policy is applied to the computer, but when I run "auditpol /get category:*" all policies come back as NO AUDITING.  I know sometimes these tools do not return proper auditing results so I have also checked the security event log.  Which has not auditing entries.  

gpresult/h result.html shows the auditing policy is applied.  
RSOP does not show the advanced auditing 

I have no other polices that have Legacy or category auditing enabled.  (other than domain controller policies, but the server I am attemptint to apply this advanced auditing policy to is not a domain controller so it shouldn't matter).

I have "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" set to ENABLED.

I have a test folder on this server  that has auditing enabled for my specific group (Folder properties > Security Tab > Advanced > Auditing Tab > "everyone" list for Full control for Success and Failures).  

The server has been rebooted.

The audit.csv file on the local member server at c:\windows\Security\Audit only shows headers but no policies.  I deleted this file, ran a gpupdate and the file comes back but same as before.
The audit.csv file in SYSVOl (%systemroot%\SYSVOL\domain\Policies[GUID OF POLICY]\Machine\Microsoft\Windows NT\Audit) shows the correct policies.

What am I missing?  Why isnt the audit.csv from SYSVOL being applied to this member server?

I haver reviewed the other "Advanced Auditing not applying" technet articles but none address my situation.

Thank you for your help

Joshua



restricted groups issue

October 19, 2015, 5:55 am
$
0
0

hello!

I've came a cross a problem that i cannot explain.

Here is the scenario: 

The goal is to enforce policy that will control local administrators group on a windows 2008r2 sp1 server by GPO. only one group will be assigned administrator rights, and no other administrator can modify local administrators group directly on a server.

Steps to accomplish that:

1) created AD group called domain\groupA and added various members to it.

2) created GPO with below setting:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups -> Group: Builtin\Administrators , Members : domain\groupA

3) Applied GPO to new Organizational Unit

4) moved desired computer accounts into newly created OU

5) run gpupdate /force on windows server which computer account was moved into new OU

6) confirmed that local administrators group indeed had all individual users removed and that only domain\groupA group was present in administrators list.

Now... i asked users that are members of domain\groupA to login to a server and to my surprise they received below message:

"Connection is denied because the user account is not authorized for remote login".

In security log i was able to see Event ID 4825 with following message:

age=AuserwasdeniedtheaccesstoRemoteDesktop.Bydefault, usersareallowedtoconnectonlyiftheyaremembersoftheRemoteDesktopUsersgrouporAdministratorsgroup.

What am i missing here? I've confirmed that computer accounts have "read members" right on domain\groupA and that domain\groupA was added by GPO to local administrators group.

would appreciate your input!

Turn off OneDrive domain wide

October 2, 2015, 4:00 am
$
0
0

Hi,

I am trying to turn off OneDrive domain wide. This looked dead easy. I have set the group policy and the laptop has the policy, but OneDrive still appears. The domain is Windows 2012 fully function domain and the laptop in Windows 8.1 Pro.

Explorer still sees OneDrive and it is in the system tray. This is an o365 OneDrive account.

I have attached the policy. Interestingly, the local group policy has two more entries in that section. I'm not sure if the Domain Group Policy Editor should have them.

remote passeord reset

October 21, 2015, 1:32 am
$
0
0

hello  i have a qusteion , how can i give someone permission to remotly reset passwords for an ou in my active directory , for exemple how can danny from it depertment do it from its own computer?

Gpupdate /force

October 20, 2015, 11:53 pm
$
0
0
During the trouble shooting, We found that some of the workstation are not getting Menu/shortcut then I use the Gpupdate /force command on the windows 2003 server DC by this time all user are reported to getting shortcut on the workstation. Anyone has any experience such. I need to validate this command is pushing GPO from Server to wks. Thanks.
Search

Microsoft Edge Home Page - Cant change it through GPO or GPP?

October 21, 2015, 2:48 am
$
0
0

Hi All,

I work in a corporation that generally sets the home page for microsoft browsers.

From everything I had read this is not possible with microsoft edge using group policy or group policy preference
(using registry settings).

I wanted to know has any one found a solution for this and is there an official answer/statement from microsoft before I log a job?

Any help greatly appreciated.

Cheers

Hide drive E in My Computer

October 21, 2015, 3:07 am
$
0
0

In GPO found is only able restrict A,B,C and D drives only, anyway to restrict for more drive like E drive in Windows Server 2012?

Thank you.


WMI Filtering when namespace does not exisit on GPMC compluter

May 17, 2013, 7:53 am
$
0
0

GPMC WMI filter wizard takes its namespaces from teh machine on which the GPMC console is running.  In a WS2008 or later domain running GPMC on the server makes many target anmespaces for workstations unavailable event though the policies can be created and run. 

Does anyone know how to best handle this issue.

Assume namespace required is: root\cimv2\Applications\MicrosoftIE

This is how MS has filtered for IE in the past.  This namespace was available on WS2003 but is not on WS2008 and later but we need it to filter for IE versions on XP, WS2003 and other workstations.

What is the best or recommended way to handle this situation?

¯\_(ツ)_/¯


GPO WMI filters are failing

February 22, 2014, 5:23 am
$
0
0

In Group Policy Manager when a WMI filter is created an error message is displayed:

Either the namespace entered is not a valid namespace on the local computer or you do not have access to this namespace on this computer.  It is possible this is a valid namespace on the remote computer)s).  If you wish to use this namespace, press OK.  Press cancel to choose another namespace.

I am signed on as the domain administrator.  This domain is Server 2012 R2.

The namespace is the common root\cimv2.  When the browse button is pressed many namespaces are listed.  The error occurs no mater what namespace is selected.

Even if the error message is ignored and the wmi filter is created.  For windows 8 clients, wmi filters fail even though they should pass.

Select * from win32_operatingsystem where version like "6.%" will evaluate to false.

This is happening on two Server 2012 R2 domains.

Has anyone seen this?  Is there a fix?

Software installation and using GP and WMI filtering-- is our filtering correct?

February 15, 2011, 8:31 am
$
0
0

Hello, maybe someone can take a look at an issue we're having

We're trying to deploy an Outlook add-in using Group Policy, installing the correct version of the add-in using a couple WMI filters.  Unfortunately, itappears that the filters may not be working correctly as the add-in is not installing at all.

We shooting for this: the WMI filter will determine if the installed version of Office is x86 or x64 and then install the x86 or x64 versions of the Outlook add-in.

We'd like someone to review these WMI filter settings  to see if these are causing the installation issues-- if they check out fine, then we can concentrate on the portion of the group policy that installs the add-in.

WMI Filter:  Windows XP Desktop and Later and 32but Office 2003 through 2010

root\CIMv2     select * from Win32_OperatingSystem where Version >= "5.1%" and ProductType = "1"

root\CIMv2     SELECT * FROM Win32_Product WHERE (Caption LIKE "Microsoft Office%2003%") OR (Caption LIKE "Microsoft Office Outlook%2007%") OR  (Caption LIKE "Microsoft Office Outlook%2010%")

root\CIMv2     select * from Win32_Service where Name = "ose"

WMI Filter:  Win2000 Desktop or Newer and 64-bit Outlook 2010

root\CIMv2     select * from Win32_OperatingSystem where Version >= "5.%" and ProductType = "1"

root\CIMv2     select * from Win32_Service where Name = "ose64"

root\CIMv2    SELECT * FROM Win32_Product WHERE (Caption LIKE "Microsoft Office Outlook%2010%")



Viewing all 19997 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>