Channel: Group Policy forum

GPO to set wallpaper on Remote Desktop host servers??


I looked at the Desktop Wallpaper policy and MS says it does not apply to remote desktop server sessions.

Are there any other GPO settings I can use to set the desktop wallpaper centered on our Remote Desktop host servers??

I have tried working with BGInfo and it's a waste of time b/c I can NOT find anything that explains what KEY is required to be changed/changeable to have BGInfo set the background when the user logs in (running batch file at login time).

I prefer to use User settings and Computer settings are the 2nd choice.

Thank you, Tom


Permission issues with Sysvol when editing a GPO from a DC?


This is a weird one on a 2008R2 domain.  I log in to the domain with a normal user account. I can elevate to launch gpmc.msc as a domain admin, but I get permission issues when trying to add something to sysvol.  For these reasons, it is usually just easier to remote into a DC and run gpmc.msc as a domain admin.

I have noticed that if I remote into a DC and launch gpmc.msc (while pointing gpmc to the local DC that I am also logged into) that I get permission denied when trying to copy scripts into the startup folder, etc.  The weird thing is if I point gpmc.msc to any other DC (does not have to be the PDC emulator) and do the exact same thing, it will allow me to copy the file in.  I have seen this on multiple DCs and have disabled AV, etc.  Anyone have any ideas on why gpmc.msc must be pointed to a different DC to give me the permissions to copy some files into the sysvol location of a GPO?  At first I thought I had some sysvol permission issues, but now it seems to be something else.

Thanks,


Dave





Internet Explorer - IE Maintenance Vs. Administrative Templates Vs. Group Policy Preferences


We're looking to define a suitable approach for moving forward and would be interested to hear any recommendations.

At present we have a mix of configuration across device types; generally "Administrative Templates" are used to define each zone's configuration, however for a select batch of servers this is configured through Internet Explorer Maintenance. We predominantly use Internet Explorer 8 but we'd like an approach which caters for IE9 and IE10. The clients we're concerned with are Windows 7, Windows 8, Server 2008 R2 and Server 2012. A few points which will factor into the solution:

  • I believe using "Administrative Templates" enforces the zone configuration, i.e. an end user, no matter what privileges, will be unable to change the settings. What we'd like to have (appears to work using IE Maintenance) is that standard baseline settings are applied for each zone and administrators can add sites or reconfigure the settings but standard users are not. This is achieved using a "lockdown policy" for standard users whereby the security tab is hidden.
  • However I understand for IE10, the "IE Maintenance" option has been retired, in which case is GPP the way forward?

Many thanks

How to apply Date and Time Restriction


I created a domain and I created some groups. Now I have also created a policy in Network Server Policy,

but how do I add this policy to a group in AD Users and Computers?

"advance group policy management" "could not enable.net for windows activation service". "enable manually"


I was getting the below error.

"advance group policy management" "could not enable.net for windows activation service". "enable manually"

If you get this error message just install the .net 3.5 from server manager and it will work.

Sometimes it will just not install by checking it in Server Manager.

So provide an alternate path for the Windows OS disk, e.g.: d:/source/sxs

OS: Windows Server 2012 R2

AGPM 4.0 SP3 Server and client component.

On installation you will not see the change control.

Now you will see the change control after installing the client.

Hope this helps you.


Folder Redirection and Desktop Background Issues


Hi guys,

I am currently trying out a Windows Server test environment. The scenario I am working to is a school. Students and teachers both have a central store where they can store their own files. To create the users' own folders in the relevant location I have set the users' home folder to \\WINSRV-2012-R2\StudentStore\%username%.

To make sure they have access, StudentStore is shared with the Students group (which all students are a member of). I have set it so the permissions to this folder are not passed on to the subfolders (the students' individual file stores). I have then mapped the students' drive to their home directory. The result is that each student has a mapped drive to their storage location. The students can access the StudentStore folder, however the only thing they can see within is their own folder; none of the other students show.

What I want to do next is folder redirection for the users' documents. I have tried to use the GPO folder redirection. I set it to basic and then pointed the folder to redirect to, to \\WINSRV-2012-R2\StudentStore\$username% which is their home folder that was set up using the steps above. However this doesn't seem to be working. The documents in the students' documents are not redirecting to their StudentStore folder. The users have full permissions over their individual files within StudentStore.

As well, I have implemented separate desktop backgrounds for teachers and students. This is working fine. However when I create a new user the desktop background is not applied upon the first logon. The first logon uses the default Windows 7 wallpaper, after logging off and back in again it's still the default, after another logoff the wallpaper is then applied. Is there any reason behind this? I have manually set the registry changes for the wallpaper to \\WINSVR-2012-R2\StudentStore\students.jpg for the wallpaper background.

Thanks in advance for the assistance.

Cheers 


How to Disable Sharing Folder to All Users/Computers


Hello,

I need to disable Folder Sharing to all users/computers of my Domain. I have more than 40.000 users and ALL of them are Administrators on their computers. The GPO "Enable or disable File Sharing with Group Policy" does not work in my case. All computers are Vista or newer version. My AD is 2008. I think I'll apply this using Script Logon and changing a registry key. Any idea?

Thank you.

 

Fine Grain Policy not working


Hello, I have created a FGP for our administrative accounts. I have the FGP set up and attached to the admin accounts. If I do a dsget it shows my fpo being applied

  effectivepso
  "CN=IT-Admin-PSO,CN=Password Settings Container,CN=System,DC=domain,DC=com"
dsget succeeded

which is set for 30 days, but if I do a net user on my account it's still showing for 3 months

Full Name                    Chris Mowers - Elevated
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            11/4/2015 11:18:21 AM
Password expires             2/2/2016 11:18:21 AM
Password changeable          11/4/2015 11:18:21 AM

Any ideas of what could be causing this? Domain is set to 2008


Group Policy Replication Server 2008 R2


Hi All,

I am reviewing and recreating the group policies which we currently use. I have just noticed that they are not being replicated in between the domain controllers. I did some troubleshooting and thought that it might be useful to ask you guys.

We have two domain controllers on site, which run Server 2008 R2 Standard. Let's name them DC1 and DC2.

All group policy changes have been carried out on DC1 and I am now at the testing phase. I have multiple machines for testing and they will switch in between two DC's on every single restart which seems to be normal. What I found was that when user authenticates against DC1, policies are applied successfully. When user authenticates against DC2, policies will fail to apply, at least most of them. It will also fail when I issue gpupdate /force.

I have logged on to DC2 and I can see that my policy objects have replicated, however when I click on any of the new policies which I have just created I get an error pop up message saying 'The system cannot find the file specified' and then computer configuration and user configuration says 'No settings defined' although there is a lot on DC1.

When I force manual replication in Active Directory Sites and Services, nothing happens. No changes.

When I look into Active Directory Sites and Services default-first-site-name NTDS Site Settings configuration (2 DC's are in this one) it says that Server is DC2 under Inter-Site Topology Generator. Should it not be DC1?

I checked replication configuration for each server and it seems to be correct, one per hour, dc1 from dc2, dc from dc1.

Does anybody know how to fix this issue?

All the best!

3rd Party Application Conflicting with Group Policy


OS: Microsoft Server 2012 R2
Domain Environment: 2012 R2 Functional Level
Test Server: Virtual Machine running on Hyper-V

We have been struggling to solve a problem that a 3rd party tool has been causing in many of our domain environments for the last 6 months, and I am hoping there are some GP experts here that can help us to improve our debugging to flush out the root cause. 

Overview: We are a software company, and we are using another company's application for our reporting module. This 3rd party company's tool (Pentaho) is utilizing PostgreSQL and Tomcat Apache - both are managed via a Windows Service we created. The application works well, but we have seen that when installed on domain joined machines with GPO's applied, there is a conflict with Group Policy client which causes major delays during reboots and problems running gpupdate/rsop.msc while the PostgreSQL and Tomcat Apache services are actively running.

Behavior: If we have the PostgreSQL/Tomcat services running, we find that a reboot will cause a delay of upwards of one hour, and running gpupdate /force will hang indefinitely. If gpupdate /force is run while the PostgreSQL/Tomcat services are running, it puts gpclient into a bad state, requiring a reboot to resolve. Simply disabling the services and rebooting brings the system back into a healthy state and allows group policy to operate normally until we re-enable the PostgreSQL/Tomcat services. 

We have enabled all available debug logging in Group Policy, PostgreSQL, and Tomcat, performed xBootMgr traces, performed Process Monitor analysis, and Packet Captures, but we have been unable to pinpoint the cause of the conflict with GroupPolicy. We have also opened tickets with all other involved vendors to see if we can solve the problem from their side, but I would like to see if we can get a Group Policy expert to review our gpsvc logs to see if anything is obvious, or see if there is anything else we can enable to get more details in regards to what is causing this.

I have collected a series of logs and network captures - descriptions and links below:

1. Normal login with PostgreSQL/Tomcat fully stopped/disabled: Group Policy processes normally with no extended delays - https://www.dropbox.com/s/0yrkcky34pdnljb/normal_gp.txt?dl=0

2. Normal login with PostgreSQL/Tomcat running: Group Policy completely hangs for multiple minutes at various points with no explanation, and eventually completes - https://www.dropbox.com/s/kzzjewmuj5ga9y5/essence_gp.log?dl=0

3. 'gpupdate /force' run after login with PostgreSQL/Tomcat services enabled: https://www.dropbox.com/s/n4sobuaabs1f1li/gpupdate_fail.log?dl=0

4. Packet capture while the gpupdate /force from above was running - https://www.dropbox.com/s/xa1032bcgq9bmib/gpupdate_fail_trace.pcapng?dl=0

Is there anything obvious in these logs/captures that I am missing? Is there any additional debugging/tracing that we can enable to get further details about what is causing gpsvc to fail while PostgreSQL/Tomcat services are running?

Please let me know if there is any additional information that I can provide.

Nick






Special administrators group or fixing sharing permission - What's better solution...


Hello All!

I have one problem and I need a suggestion as to what the better solution is.

At my company there is a group of workers (called local administrators) whose job is to administer all Windows client computers. With GPO, I managed their permissions on every Windows client computer by adding them to the built-in group Administrators so they have the ability to work locally. The problem is that everyone from that group can connect to a client computer through the Shared Administrative folders (C$), which isn't allowed.

How to manage that these people can work with client computers as administrators disabling access via C$?

Disable C$ or to make some special local administrators group?

Thanx for advice.

Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain


When I tried to change the password I got this message: "Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain"

But I fulfill all requirements and try to change policy. But it does not work.


Thanks, Limon Dhaka, Bangladesh

Computer policy's applying takes long


Guys,

When computers (W7, x64 pro) need a lot of time applying computer settings (about 30 minutes) at boot, what could be causing this problem or how should I troubleshoot that?

Regards,



USB DVD policy

I created a policy to deny access for any kind of USB storage and DVD, but if I disable the link for any group of users, USB becomes accessible but the DVD is still inaccessible even after updating the group policy. I tried to delete the policy for the whole group and updating the GPO; still facing the same problem, DVD inaccessible. Any help? (Windows Server 2012)

gpedit.msc command not recognized

I am trying to open local group policy editor. I have tried running gpedit, gpedit.msc from command line and from powershell. I've also looked in Control Panel as well as done the search for it there. I am getting the message, "gpedit" is not recognized as an internal or external command. When I do the search within the control panel I get the message that it can not be found. It has to be there but why can't I find it now? I've opened it before.

Only apply a registry setting if the parent key exists.

I would like to update an existing registry setting via GPO so if the parent key does not exist at the time, I do not want the key created. If the parent key exists, then either add or modify the current value. Is this possible?

Best practice for using Security groups with Group Policy Restricted

I want to be sure our environment keeps AD clean and organized. Can anyone recommend a best practice for setting up Group Policy restricted and the associated Security groups?

ms

How to assign Policies to a server local group within a domain GPO?


Hi.

Let me quickly draw the scenario. I have 10 servers. Each of them is a domain member and has a server local group (not a domain group!) called "technical users". Within this group I assign those domain service accounts that run services on that specific server.

How can I assign policies to this local group using a domain GPO?

Thanks for input

Sven

Drive Mapping Preferences - allow drives to remap if user "disconnects" during session


Hi Everyone,

I'm looking into a solution to an issue I currently have with utilising Group Policy Drive Mapping Preferences.

Currently, if a user logs on, has the preference applied, and runs a GPUpdate /force, they need to logout/logon for the drive mapping to be successful. To my understanding and from what I have been reading, this is standard behaviour.

I have the following questions:

  1. If a user is connected to a VPN (i.e. external to your network) and they run a GPUpdate /force, they'll be required to logoff/logon in order to have the drive mapped. If they logoff/logon again while they're not on LAN, will the drive still map?
  2. The person who owns the direct relationship with the business and ICT wanted to know if there was a way using preferences (currently we're using Logon Scripts, with the view to shift to drive mapping preferences in the not too distant future) to reconnect the network drives in the event of the drives being disconnected either from logoff/logon (i.e. due to the drives not being persistent), or if the user accidentally disconnects the drive while in their session on their computer. Currently, they would have to run a GPUpdate /force, then logoff/logon. I would like to know if we can eliminate the need to logoff/logon in order to get the drives remapped. This question/requirement is also applicable with my first question (for users off the network connecting via VPN).

I've read through a few articles which discuss changing registry settings for Back Ground Processing for Drive Mapping Preferences, and whether it should be done or not. Please see below links:

http://techibee.com/group-policies/all-about-drive-mapping-in-group-policy-preferences/202

http://social.technet.microsoft.com/wiki/contents/articles/12221.troubleshooting-the-drive-maps-preference-extension-in-group-policy-replace-mode-only-maps-the-drive-every-other-logon.aspx?wa=wsignin1.0#Set_the_NoBackgroundPolicy

I have tested the first URL, but I'm not getting the result I was after (i.e. if the Drive has been disconnected/unmapped during the user session, if I run a gpupdate /force, the drive should remap).

Any insight into this issue and how I could overcome this would be greatly appreciated.

Thanks in Advance.

Simon.

Logon routine based on office and group


Sorry in advance if this isn't the right place. I was told I needed to post this here.

I want to overhaul my logon.bat file process that is currently using KIXTART, group membership and IP addresses to map drives.  Over time the script has become more complicated and with Windows 8.1 and 10 it has become less reliable and a lot of users have to click the logon.bat shortcut we put on their desktops.  I also have a cheesy printer install script, so I would like to use GPOs to map drives and load printers.

My AD is broken out by office (8).  Users within each office are then part of different security groups which gives them access to different parts of the domain.  The main office is broken down even further into divisions.  The majority of my data is currently being moved to the cloud, and we have cloud caching devices at each office (why we need location mapping). 

User Example
When in Office1
P: \\OFFICE1\PROJECTS
M:\\OFFICE1\MARKETING
X:\\OFFICE1\PROGRAMS
U:\\OFFICE1\USER\%username%

Printers
\\OFFICE1\PRINTER1
\\OFFICE1\PRINTER2
\\OFFICE1\PRINTER3

When in Office2
P: \\OFFICE2\PROJECTS
M:\\OFFICE2\MARKETING
X:\\OFFICE2\PROGRAMS
U:\\OFFICE2\USER\%username%

Printers
\\OFFICE2\PRINTER1
\\OFFICE2\PRINTER2
\\OFFICE2\PRINTER3

In addition to the location mappings, I also have mappings regardless of location to data that won't be in the cloud - accounting, etc.  So when a user is in Office1 and the local data is in Office2, they will need to map to Office2 based on their group membership (Accounting).

Because I have the location and group membership requirements, I don't see any way to use the ADMX GPO drive mapping option.  Please fill me in if I am missing something!  I think I will still have to run some sort of script to get everything mapped and loaded.  So, if that's the case, what is the big advantage of using a GPO?

Thanks in advance!
