Channel: Group Policy forum

Windows Server 2012R2 Changing Default GPO Permissions


Hi

I wish to change the default permissions on GPOs, specifically to revoke write permissions for Domain Admins.

The article https://support.microsoft.com/en-us/kb/321476 does not appear to apply to Windows 2012R2. Is there a version that does?

The SDDL suggested by the article for DA is (A;CI;RPLCLOLORC;;;DA)

This should work, but the OS appears to ignore it and you end up with what I think is this (A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;DA), which is the default.

Even setting it to this (A;CI;LCRPLORC;;;DA) has no apparent effect (as does leaving it out altogether).

Suggestions would be appreciated. Advice on how to educate my client's DAs or telling me it's pointless because DAs can't truly be limited would not.

TIA

JamesDS
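To reason about what each of the three ACEs in this post actually grants, here is a small SDDL ACE decoder. This is an added example, not code from the post or from the KB article; the two-letter codes in its tables are the documented SDDL abbreviations for generic and Active Directory object rights, and the `WRITE_RIGHTS` grouping (which rights let a trustee change the object, its children or its security descriptor) is this example's own classification.

```python
"""Decode SDDL ACE strings such as the ones quoted in the post above.

Added example; not code from the post or the KB article. The two-letter
codes below are the documented SDDL abbreviations for ACE types, ACE
flags and generic / directory-object access rights.
"""
import re

ACE_TYPES = {
    "A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
    "OA": "OBJECT_ACCESS_ALLOWED", "OD": "OBJECT_ACCESS_DENIED",
    "AU": "SYSTEM_AUDIT", "OU": "OBJECT_SYSTEM_AUDIT",
}
ACE_FLAGS = {
    "CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
    "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS",
}
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "CC": "CREATE_CHILD", "DC": "DELETE_CHILD",
    "LC": "LIST_CHILDREN", "SW": "SELF_WRITE", "LO": "LIST_OBJECT", "DT": "DELETE_TREE",
    "CR": "CONTROL_ACCESS",
}
# This example's grouping: rights that let the trustee modify the object,
# its children, or its security descriptor (and so its own permissions).
WRITE_RIGHTS = {"GA", "GW", "WP", "CC", "DC", "SW", "DT", "SD", "WD", "WO"}


def _pairs(field, table, what):
    """Split a run of two-letter codes, validating each one against `table`."""
    if len(field) % 2:
        raise ValueError(f"odd-length {what} field: {field!r}")
    codes = [field[i:i + 2] for i in range(0, len(field), 2)]
    unknown = [c for c in codes if c not in table]
    if unknown:
        raise ValueError(f"unknown {what} code(s) {unknown} in {field!r}")
    return list(dict.fromkeys(codes))  # drop repeated codes, keep order


def parse_ace(ace):
    """Parse one '(type;flags;rights;object_guid;inherit_guid;trustee)' ACE."""
    body = ace.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError(f"ACE must be parenthesised: {ace!r}")
    fields = body[1:-1].split(";")
    if len(fields) != 6:
        raise ValueError(f"expected 6 ';'-separated fields, got {len(fields)}: {ace!r}")
    ace_type, flags, rights, obj_guid, inh_guid, trustee = fields
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unknown ACE type {ace_type!r}")
    if rights.lower().startswith("0x"):      # rights may also be a raw hex access mask
        right_codes = [rights]
    else:
        right_codes = _pairs(rights, RIGHTS, "rights")
    return {
        "type": ACE_TYPES[ace_type],
        "flags": _pairs(flags, ACE_FLAGS, "flag"),
        "rights": right_codes,
        "object_guid": obj_guid,
        "inherit_guid": inh_guid,
        "trustee": trustee,              # alias such as DA, or a literal S-1-... SID
    }


def is_valid_ace(ace):
    try:
        parse_ace(ace)
        return True
    except ValueError:
        return False


def grants_write(ace):
    """True if any right in the ACE allows modifying the object or its ACL."""
    return any(r in WRITE_RIGHTS for r in parse_ace(ace)["rights"])


def rights_removed(before, after):
    """Right codes present in `before` but absent from `after`, sorted."""
    return sorted(set(parse_ace(before)["rights"]) - set(parse_ace(after)["rights"]))


def same_rights(a, b):
    """True if two ACEs grant the same set of rights, whatever the code order."""
    return set(parse_ace(a)["rights"]) == set(parse_ace(b)["rights"])


def parse_dacl(sddl):
    """Return every ACE in the DACL ('D:') part of a full SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    return [parse_ace(a) for a in re.findall(r"\([^)]*\)", m.group(1))]


# The three ACEs quoted in the post.
DEFAULT_DA = "(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;DA)"
ARTICLE_DA = "(A;CI;RPLCLOLORC;;;DA)"
ALT_DA = "(A;CI;LCRPLORC;;;DA)"

if __name__ == "__main__":
    for name, ace in (("default", DEFAULT_DA), ("article", ARTICLE_DA), ("alternative", ALT_DA)):
        p = parse_ace(ace)
        print(f"{name:12s} {p['trustee']}: {[RIGHTS.get(r, r) for r in p['rights']]} "
              f"write={grants_write(ace)}")
    print("rights the article's ACE drops:", rights_removed(DEFAULT_DA, ARTICLE_DA))
    print("article and alternative grant the same rights:", same_rights(ARTICLE_DA, ALT_DA))
```

Running it shows that the article's ACE and the alternative the poster tried grant exactly the same read/list rights in a different order, and that the default ACE adds WP, CC, DC, SW, DT, SD, WD and WO on top of them; WD and WO are the ones that let a trustee rewrite the DACL or take ownership, which is why a GPO permission change for that trustee has to be checked after the next refresh rather than assumed.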


Roaming Profile and Temp profile


Hi,

I have Windows 7 users who have a roaming profile configured on their user account in AD. A few of these users then use this account to log on to a Citrix server to access certain applications; their profile is then redirected using folder redirection, configured with a loopback policy, which works fine and all of their profile folders are redirected properly. The Citrix farm is Windows 2008 R2. Once they log on to Citrix XenApp, they are presented with some applications, one of which is to RDP onto a Windows 2012 server. When they log on to the Windows 2012 server, they are presented with a temporary profile.

How can I make sure that when they log on to the w2k12 server an actual profile is created? In the registry for their accounts (HKLM\software\Microsoft\Windows NT\CurrentVersion\ProfileList), it points to a Central profile path, which is the same path as when they log on to the domain normally, but they can't access that path from the Citrix farm (and I don't want them to, since the folders are now redirected). If I remove their AD roaming profile, then they get a normal profile when they log on to Citrix and then to the w2k12 server, and the registry does not contain the Central profile path. The users need to have their roaming profile for normal operations (i.e. when they are not using Citrix).

Is there any GPO I can configure to remove the Central Profile registry entry when they log on to the W2k12 server?

Thxs


Jaz



Drive Mapping


I have added a drive mapping item to a group policy. Some of the machines are already using the drive letter. Outside of a logon script, is there a way to configure group policy to replace the mapping? I tried using the Update and Replace actions. Neither seems to work.

Thanks in advance

Remote password reset


Hello, I have a question: how can I give someone permission to remotely reset passwords for an OU in my Active Directory? For example, how can Danny from the IT department do it from his own computer?

Duplicate printers while viewing Printer Queue or properties


Dear Technet,

Our customer has a huge problem right now. They use Windows 2012 R2 servers as their Terminal Servers, which works great. However, the printer deployment doesn't.

At this moment one particular user receives duplicated printer connections ( see attachment/image ), which causes printing issues. Because of the duplicated printer sessions, the user cannot print documents through this printer.

So the question is, why does the user see duplicated printer connections?

The configuration:
We made a GPO called "Printers"; it has multiple Preference policies in it. One policy deletes all the current printer connections, and the other ones create shared printers.

Could someone help me out? :/

Attachment: prntscr.c0m/8vw4ak

LAPS Password Issue


Hello,

We have recently implemented LAPS, which appeared to work fine, but we noticed that when Group Policy updates on schedule or is forced, the listed password no longer works. If we reset the password using the LAPS UI and then force a GP update, that new password works until GP updates again.

The PW retention is currently set to 42 days. We have isolated a single server in an OU that inherits no other Group Policies, only the LAPS GPO, and the issue still occurs. Thank you.

IE Lockdown in RDS Server


Hi all,

I am working on publishing an application on RDS, and in some parts of the application it requires using IE to access a site, which is an internal site, so no problems there.

What I'd like to do is make IE open without any tools or anything that can change IE settings, and also without any frame at all that could show the address of the site it's opening.

This way we make sure that users cannot use IE to access any other site, or even attempt to. Also, they'll not have access to make any changes to IE by any means.

So I looked up all the GPOs that we can use to lock down IE, and so far the best one is Enforce Full Screen, which is great, but it still shows the URL being accessed and it shows the title bar.

Any other ideas are much appreciated.

 

MJ


Mohsen Almassud

Folder redirect works, but does not change Explorer Favorites path


My domain had the Downloads folder, among others, redirected to the local servers when I started here. I don't really need people's downloads taking up my server and backup space, so I moved it back in a test OU using the "Redirect to local user profile path" option in the GPO.

It mostly works fine, in that it removes the Downloads folder from the server and creates it in the local user profile on the C: drive, but in Windows Explorer under Favorites in the left pane, the Downloads folder keeps the old path on the server as the target, so it does not work. I assume this is how my users access most downloads, so that probably won't go over well.

I searched for the target path on the server in the registry, but that path did not come up, so could not find a registry setting that I could change.

Any idea how I can fix this so I can make the change go live?

Thanks,

Lon

Edit:  I just figured out that when I click on Downloads under Favorites, it is actually pointing to c:\users\%userprofile%\Downloads.  However, when I right click the favorite Downloads and go to properties, it still shows the old redirected to the server path.  So actually my users might not notice.  I would still prefer to be able to change that path also, as it could cause confusion in the future.



2008 Server GPO Editing Problem "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"


When I try to edit any GPO settings, this error message is shown and the settings remain as they were. Please help.

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
   at Microsoft.GroupPolicy.AdmTmplEditor.IGPMAdmTmplEditorCallback.ApplyChanges()
   at Microsoft.GroupPolicy.AdmTmplEditor.Editor.SaveChanges()
   at Microsoft.GroupPolicy.AdmTmplEditor.Editor.buttonApply_Click(Object sender, EventArgs e)
   at System.Windows.Forms.Control.OnClick(EventArgs e)
   at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
   at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.ButtonBase.WndProc(Message& m)
   at System.Windows.Forms.Button.WndProc(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


************** Loaded Assemblies **************
mscorlib
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4927 (NetFXspW7.050727-4900)
    CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v2.0.50727/mscorlib.dll
----------------------------------------
Microsoft.GroupPolicy.AdmTmplEditor
    Assembly Version: 6.1.0.0
    Win32 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
    CodeBase: file:///C:/Windows/assembly/GAC_64/Microsoft.GroupPolicy.AdmTmplEditor/6.1.0.0__31bf3856ad364e35/Microsoft.GroupPolicy.AdmTmplEditor.dll
----------------------------------------
System
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4927 (NetFXspW7.050727-4900)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Windows.Forms
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4927 (NetFXspW7.050727-4900)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System.Drawing
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4927 (NetFXspW7.050727-4900)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Xml
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4927 (NetFXspW7.050727-4900)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------
Accessibility
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4927 (NetFXspW7.050727-4900)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/Accessibility/2.0.0.0__b03f5f7f11d50a3a/Accessibility.dll
----------------------------------------

************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.

For example:

<configuration>
    <system.windows.forms jitDebugging="true" />
</configuration>

When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.

The Group Policy Snap in was unable to save your changes due to the following error : access is denied


Hello ,

I'm working on WS2003. I am a domain admin and have all rights, but when I try to make changes to a specific policy it gives me this error: "The Group Policy Snap in was unable to save your changes due to the following error : access is denied", with no additional details. When I change another policy, no problems occur. I tried doing it from a remote GPMC and it gave me this error: "Unhandled exception has occurred in a component in your application. If you click Continue, the application will ignore this error and attempt to continue.

Access is denied (exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"

when i click Details

"See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
   at Microsoft.GroupPolicy.AdmTmplEditor.IGPMAdmTmplEditorCallback.ApplyChanges()
   at Microsoft.GroupPolicy.AdmTmplEditor.Editor.SaveChanges()
   at Microsoft.GroupPolicy.AdmTmplEditor.Editor.buttonApply_Click(Object sender, EventArgs e)
   at System.Windows.Forms.Control.OnClick(EventArgs e)
   at System.Windows.Forms.Button.OnClick(EventArgs e)
   at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
   at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.ButtonBase.WndProc(Message& m)
   at System.Windows.Forms.Button.WndProc(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


************** Loaded Assemblies **************
mscorlib
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.5477 (Win7SP1GDR.050727-5400)
    CodeBase: file:///C:/Windows/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll
----------------------------------------
Microsoft.GroupPolicy.AdmTmplEditor
    Assembly Version: 6.1.0.0
    Win32 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
    CodeBase: file:///C:/Windows/assembly/GAC_32/Microsoft.GroupPolicy.AdmTmplEditor/6.1.0.0__31bf3856ad364e35/Microsoft.GroupPolicy.AdmTmplEditor.dll
----------------------------------------
System
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.5467 (Win7SP1GDR.050727-5400)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Windows.Forms
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.5468 (Win7SP1GDR.050727-5400)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System.Drawing
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.5467 (Win7SP1GDR.050727-5400)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Xml
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.5476 (Win7SP1GDR.050727-5400)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------
Accessibility
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.4927 (NetFXspW7.050727-4900)
    CodeBase: file:///C:/Windows/assembly/GAC_MSIL/Accessibility/2.0.0.0__b03f5f7f11d50a3a/Accessibility.dll
----------------------------------------

************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.

For example:

<configuration>
    <system.windows.forms jitDebugging="true" />
</configuration>

When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.

"

Can anyone help, please?


RM

Fine Grained Password Policy Not Working


The domain functional level is 2008.

I have set a Fine Grained Password Policy with a maximum password age of 30 days, along with other settings similar to the existing password policies. I set the precedence number to a lower number so it would have higher precedence than any other PSO.

It is applied to a security group. I have checked the effectivepso of each member of the security group using the dsquery command, and each group member shows the effectivepso as the one configured with the new password policy, with the maximum password age set to 30:00:00:00.

However, when I run the command net user username /domain on any of those users, the "Password expires" field still shows a date that is more than 30 days in the future. This indicates that the policy is not being enforced.

What could be causing this issue?

I have tried doing gpupdate /force and it has not changed the output of the net user command.
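A way to check whether the expiry date a tool reports is consistent with the PSO is to compute it yourself from the user's pwdLastSet and the policy's maximum age. The following is an added example, not from the post: it assumes the "Password expires" date should equal pwdLastSet plus the effective maximum password age, takes pwdLastSet as the FILETIME AD stores, and accepts the maximum age either as the raw msDS-MaximumPasswordAge interval (a negative count of 100-ns units, like maxPwdAge) or in the d:h:m:s form the post quotes from dsquery. The "never expires" handling follows the maxPwdAge sentinel and is an assumption for PSOs.

```python
"""Compute the password expiry a user should show under a given PSO.

Added example, not from the post. Assumes "Password expires" equals
pwdLastSet (a FILETIME) plus the effective maximum password age.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HUNDRED_NS_PER_SECOND = 10_000_000
# Assumption: the same "never" sentinel AD uses for maxPwdAge (0x8000000000000000).
NEVER_SENTINEL = -0x8000000000000000


def filetime_to_datetime(ft):
    """Convert a FILETIME (100-ns units since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer arithmetic to avoid float rounding."""
    delta = dt - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * HUNDRED_NS_PER_SECOND + delta.microseconds * 10


def parse_max_age(value):
    """Return the maximum password age as a timedelta, or None for 'never expires'.

    Accepts the raw (negative) msDS-MaximumPasswordAge integer or the
    'days:hours:minutes:seconds' text dsquery prints; None / 'never' mean no expiry.
    """
    if value is None:
        return None
    if isinstance(value, int):
        if value == 0 or value == NEVER_SENTINEL:
            return None
        if value > 0:
            raise ValueError("raw AD intervals are stored as negative 100-ns counts")
        return timedelta(microseconds=-value // 10)
    text = value.strip().strip("()").lower()
    if text == "never":
        return None
    parts = text.split(":")
    if len(parts) != 4:
        raise ValueError(f"expected d:h:m:s, got {value!r}")
    days, hours, minutes, seconds = (int(p) for p in parts)
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def expected_expiry(pwd_last_set, max_age):
    """Expiry datetime under the policy; None if it never expires.

    pwdLastSet == 0 means the user must change the password at next logon,
    which is reported here as an expiry at the FILETIME epoch (already past).
    """
    age = parse_max_age(max_age)
    if age is None:
        return None
    if pwd_last_set == 0:
        return FILETIME_EPOCH
    return filetime_to_datetime(pwd_last_set) + age


def enforces_max_age(observed_expiry, pwd_last_set, max_age, slack=timedelta(minutes=5)):
    """True if the observed 'Password expires' date matches the PSO-derived one."""
    expected = expected_expiry(pwd_last_set, max_age)
    if expected is None:
        return observed_expiry is None
    return observed_expiry is not None and abs(observed_expiry - expected) <= slack


if __name__ == "__main__":
    # Constructed sample: password last set 2016-01-01 00:00 UTC, PSO max age 30 days,
    # and a tool reporting an expiry 45 days out (a constructed mismatch).
    last_set = datetime_to_filetime(datetime(2016, 1, 1, tzinfo=timezone.utc))
    reported = filetime_to_datetime(last_set) + timedelta(days=45)
    print("expected under PSO :", expected_expiry(last_set, "30:00:00:00"))
    print("reported by tool   :", reported)
    print("policy enforced?   :", enforces_max_age(reported, last_set, "30:00:00:00"))
```

If the reported date disagrees with the computed one while dsquery confirms the PSO as effective, the discrepancy is in how the reporting tool derives the date rather than in the PSO assignment, which narrows down where to look next.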



Delegated user password reset: force them to select "User must change password at next logon"


We have delegated a group of remote users the right to reset other users' passwords.

The users will be using a custom MMC.

It does allow them to have the user change the password at next logon.

I want to force them to make this choice, i.e. take away the ability to un-check the box.

Any ideas on how?

Screenshot to come once my account is verified.

Delete Registry Values Using a Wildcard


Hello, I'm trying to find a way to delete multiple similar values from a registry key using a wildcard. The cause of the issue is GoToMeeting leaving multiple startup items when only one version of it is installed on the computer, resulting in the registry values below. I know how to delete registry key values in group policy if you specify the exact value name, but is there a way to delete them using wildcards? I tried using "GoToMeeting****" but [unsurprisingly] it didn't work.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GoToMeeting2553"
"GoToMeeting2759"
"GoToMeeting2856"
"GoToMeeting3019"


Deleting/disabling the GP that has already deployed printers


We have a GP that is currently deploying printers via user - preferences - printers. Other than not deploying any printers going forward, will disabling this policy have any effect on the printers that the GPO has already deployed?

TIA!

Software Restriction Policies option greyed out: Enforcement [When applying Software Restriction Policies]


I am using Software Restriction Policies at the user level to prevent exes from running in select areas. Since we have found an application which must be installable, I am trying to use a Certificate Rule to allow it to run.

However, the rule does not work, because I cannot select the {Enforce Certificate Rules} radio button under Software Restriction Policies\Enforcement. It is greyed out and unselected. Under the Group Policy Results it is reported as {Ignore certificate rules}.

I have enabled {System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies}, which I note is under Computer Policies, not User Policies. (There does not seem to be an equivalent under User.)

Any help would be appreciated.

Geoff.

Enforcement Properties


Problem when I give NTFS permissions to a folder that contains files and subfolders


Hi All

We have a folder which contains many files and folders, and I have Full Control permission on it.

When a user asked me to give him Modify access and I clicked Apply, after some progress this window popped up.

When I click Cancel, it gives access only to the folders and files before this file, and I notice that the files and folders located after this file didn't take effect.

How do I solve this?

regards

Windows 10 - Event 1058, 1030; wait for network?


Issue:

I'm encountering issues with group policy processing where startup scripts seem to instantly fail with Event 1030 and an ErrorDescription of "The system cannot find the file specified." The client event log just gets a string of 10 or so red errors of this event type. As far as I've been able to tell, this is only happening on our Windows 10 wireless Surfaces. Windows 7 and Windows 10 desktops do not seem to be affected.

Preceding the slew of Event 1030 events are typically 1 to 2 events of ID 1058: Network access is denied. The event message typically looks like:

The processing of Group Policy failed. Windows attempted to read the file \\domain\SysVol\domain\Policies\{42ECCD9C-764E-4A3D-8596-A974851F7183}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.


Notes and Troubleshooting:

  • The permissions are fine and the paths are accessible
  • DCDiag tests are clean on the two 2008 R2 domain controllers
  • The FRS, DFSR, DNS, and Directory Service event logs are clean

Other Observations:

If I disable the policies generating the 1058 errors, different policies take their place. These policies appear to be the first in the order of inheritance. That is to say, it seems like the first policies that should be processed are the ones that fail. If I unlink those policies, then the failures arise from the next policies down the line.

It seems to me that group policy is being processed before it's completely ready to do so, as if the networking on the device is not yet ready to go out and communicate with a DC.

I already have "Always wait for the network at computer startup and logon" enabled. I have also tried putting a value of 100 seconds for "Specify startup policy processing wait time". The issue persists.

Any ideas? I'm not sure what else to try.

Recommended/baseline configuration for advanced audit policy for Server 2012 R2


All,

I would like to know what the baseline or recommended configuration is for each advanced audit policy category on Server 2012 R2 servers running the following server roles:

ADDS / File server

Is there a specific guide from Microsoft?

Please feel free to share your experience and implementations.

Thanks,

Dhanushka

Distributing a scheduled task to all Domain Clients


Hi,

I want to distribute the same task (in Task Scheduler) to all client machines in a domain environment via group policy.

Changing password policy


We are currently using the "nfront security" application to provide a password policy (8 alphanumeric characters) in our domain. The nfront policy is created in the Domain Controllers OU. The default domain policy in our domain is not set yet.

What we want is to use the default domain policy instead of the nfront one.

Now, if I configure the default policy and disable the nfront one, will this affect the users' current credentials (as these conditions can't be offered by the default policy), or will they keep working normally until the next password change?


