Channel: Group Policy forum

Software Restriction Policies. Block CAB files on desktop not working. (other file types work perfectly)

I am trying to block .cab files in selected paths, but the path rule doesn't work. I have several other restrictions for exe, scr and also a test one of xlsx.

These are all blocking successfully. However, the cab rule, which sits next to all the other rules, does not block cabs.

At first I thought maybe cab files are not affected because they are data files of the Explorer.exe program. (Meaning you feed the CAB file to the Explorer.exe to process. The file itself doesn't seem to execute).

So as a test I added the .xlsx ext as a test. As this is a data file of the Excel.exe program. However it does block successfully.

Information:

-The rules are running under a computer GPO.

-I have tried removing and re-adding the rule.

-Every other rule works as expected.

-I have added CAB file types in the "Designated File Types".

 

Examples of the rules are:

%UserProfile%\Desktop\*.exe    Blocks Successfully

%UserProfile%\Desktop\*.cab    Ignores entry

%UserProfile%\Desktop\*.scr     Blocks Successfully

%UserProfile%\Desktop\*.xlsx    Blocks Successfully

Anyone know why?

Geoff.




Connection Security Rule will not delete

I have a server that had a GPO applied to it. This GPO applied an incompatible security rule; now no other computer or server (domain joined or otherwise) can connect to it. Unfortunately the GPO has since been deleted, so the Security Rule is still in place and cannot be removed.

How do I go about deleting this security rule when the GPO is no longer present?

Also so you know, the server is the CA and as such cannot be just removed and rejoined to the domain, hope you can help.

 

Update:

Things I've tried:

Moved Server to new OU, removed membership of server to all groups, other than its primary group.

Deleted:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History

HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec

Gpupdate /force (Point to a specific domain controller)

I have an environment that does not have access to all domain controllers by design.  Is there a way to point to a specific domain controller when updating group policy on a server or workstation?  Thanks

Shawn

GPO Printer Deployment not working reliably

Hello

We have a TS environment and deploy the printers through group policy. Every now and then, during a user logon, we get the following error message in the event log:

The user 'PrinterName' preference item in the 'GroupPolicyName' Group Policy object did not apply because it failed with error code '0x8007007a The data area passed to a system call is too small.' This error was suppressed.

After this error happens, we need to restart the spooler service so that printing would work again.

Domain: 2003

TS Servers: 2008

We just use two different printer drivers: HP Universal Printing PCL5 (Version: 5.0.3.37) and a Canon UFR II (Version: 2.70)

I have read http://social.technet.microsoft.com/Forums/en/winserverGP/thread/39f72c7c-c91e-4cf0-b976-332b9683983c and the problem sounds very similar. Except that we have “The data area passed to a system call is too small” instead of “The print processor is unknown” in the event log.

Does anyone have any ideas as to what this could be?

Many thanks,

Joe

Stopping Windows 10 apps from running (xbox, candy crush) on a domain

Hi all,

I hope someone can help me. I am an IT technician working in a school. We had some machines that were on the domain updated to Windows 10.

We have a server, Windows Server 2008 R2 (DC), running, but I am having trouble with stopping programs being used like Candy Crush, Xbox and such services. Kids are over the moon but from an IT and educational point of view this isn't great. So the question is: can I stop these apps from being downloaded and being used, and if not, does anybody have a script that I could use in a group policy to disable this feature?

Many Thanks in advance.

Windows Update behavior when Domain GPO is missing

I have made a buggy WMI filter in a domain GPO about Windows Update and thus it didn't apply anymore on our servers.

Some servers then started to install automatically missing updates from the Microsoft web site.

What is strange is that the local policy doesn't have any settings about Windows Update.

Where can I find the Windows update default parameters when the domain GPO is missing?

Windows 10 DirectAccess "Group Policy Waited"

We are starting to roll out Windows 10 Enterprise to some staff laptops.  We have a single 2012R2 DirectAccess server running with a Single NIC.

When I apply the GPO's for DirectAccess to the Windows 10 laptops the boot time increases by a full minute.  All of these laptops are running SSD's.  The laptops are currently in the "Corporate Network".

I managed to find that Group Policy is causing the additional delay.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>5332</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-19T15:15:57.926369300Z" />
    <EventRecordID>1693</EventRecordID>
    <Correlation />
    <Execution ProcessID="416" ThreadID="1348" />
    <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
    <Computer>Removed</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="IsPolicyConfigured">false</Data>
    <Data Name="MaxTimeToWait">60000</Data>
    <Data Name="TimeWaitedAtStartup">60016</Data>
    <Data Name="DidWaitTimeout">true</Data>
  </EventData>
</Event>

I have not noticed the same event on either Windows 7 or Windows 8.  I cannot find any settings to change the MaxTimeToWait or disable this altogether.  Is this something that can be configurable?  Has anyone else seen this issue?  I used the DirectAccess Server wizard to configure everything and have not manually adjusted the GPO's associated with DA.  If the DA GPO's are not applied to the laptop the boot time is under 20s.

We do have "Wait for the network" turned on within a GPO.  I tried turning that off but that did not seem to help.  I have also set the "Require use of Fast Startup" GPO setting and that did not resolve the issue. 

Thank you for your help.

Restricting User Secondary Logon Sessions

Hi Everyone,

We need our users to be able to log on to any client or workstation, but once logged in on one PC, they shouldn't be capable of logging into another PC.  We have a Windows 2012 R2 Domain Controller. We can't use the account properties, i.e. Log On To, in this situation. Please help. Thanks.

AJ Luistro


Anthony JD Luistro


Implementing LAPS with Windows 7 Enterprise MUI

We have currently been using the older version of LAPS (POP SLAM) in our Windows 7 environment and it seems to be working fine. We just moved to Windows 7 Enterprise and are using language packs as we're a global company.  In our previous images, we have always manually added the account in the local admins group in our reference image.  We're now using MDT and not adding the account and letting popslam add the account instead.

ISSUE: Application seems to not put in the local admin account since the name of the local administrator group is different based on the language of the computer.

Is there a way for the application to check the language and add the account to the right local group?  I'm passing a transform against the MSI to add our custom local account admin name and removing some shortcuts.  Noticed the product language property table and was wondering if that would do it.  Anyone run into this issue?

Event ID :1058 missing sysvol path for gpt.ini

Hi

I have 2x 2003 Standard R2 SP2 branch domain controllers which are both having the following issue:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date:  13/06/11
Time:  2:01:55 p.m.
User:  GABNZ\clai
Computer: NZTRG01
Description:
Windows cannot access the file gpt.ini for GPO cn={4E1C755B-38D2-40B8-9EB2-DE3F0533F15E},cn=policies,cn=system,DC=wan,DC=gabrobins,DC=co,DC=nz. The file must be present at the location <\\wan.gabrobins.co.nz\SysVol\wan.gabrobins.co.nz\Policies\{4E1C755B-38D2-40B8-9EB2-DE3F0533F15E}\gpt.ini>. (The system cannot find the path specified. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Both are running DFS which seems to be replicating ok. Initially I had an issue with GPOs not replicating through to these 2 DCs and so found these logs on both servers. I've browsed to the namespace indicated and noticed the path where the gpt.ini is supposed to be is missing completely!

I've only recently taken over this network so am not sure how this might have happened.

Any help will be appreciated.

Thanks

Chris

Getting Error while applying group policy

Hi,

I am applying a group policy to run the PowerShell script; at one domain it's working, and at another domain that is on cloud it is not working, showing the error:-

The answer will be appreciated.

Thanks,

Roshan

GPO - Loopback Processing Merge vs Replace

Hello everybody,

I would need to get things clearer regarding GPO Loopback Processing modes (Merge & Replace), since I am experiencing a quite tricky issue in my lab environment.

I actually have 2 OUs: UsersUO (which contains all my users) and "Windows Computers" (which contains all my computers). I have configured a specific wallpaper and network drive for every user in UsersUO, which are working as expected.

What I wanna configure is blocking the control panel when users from UsersUO connect to a specific computer in "Windows Computers", by using loopback processing Merge mode. As a result I expect the user to keep its drive/wallpaper and prevent him from accessing the control panel on this specific PC.

However, when the Loopback GPO is configured (Windows Computers), I always get the control panel blocked BUT the drive and the wallpaper have both disappeared, no matter whether the GPO is configured as Merge or Replace. The replace behavior is always applied at the end, but GPResult on the client explicitly tells me that the Loopback mode is the one I configured.

I didn't configure any filtering/WMI filters etc... Am I missing something?

Thank you in advance for help! :)

Mapped Drives failing to load, Windows Server 2012 Active Directory and Windows Pro 10

Network:

  • Multi-site domain.  
  • Each site has 2 local (on-site, same subnet) Windows Server 2012 R2 Domain controllers.  
  • Sites are correctly defined in Windows Sites and Services. 
  • DNS records for each site ONLY have the two local DNS servers defined. 
  • ALL clients are Windows 10 Pro 64-bit with all updates. 
  • Both networks are fully gigabit running on Cisco switches with certified CAT6 cabling.  
  • Each site has a local (on-site, same subnet) Synology storage server. 
  • As part of Group Policy, two network drives are mapped to shares on the Synology server. 

Connectivity Diagnostics:

  • dcdiag /test:dns /v /c /e reports PASS for ALL servers and ALL tests
  • echo %logonserver% always returns a local DC
  • nltest /dsgetdc always shows a local DC and correct local IP
  • On Site A, both network drives show up, with maybe a 0.5% chance of failure (I have experienced a few boots where the drives don't show up correctly).

Issue:

At Site B, network drives fail to show up perhaps 30% of the time.  Sometimes it is both drives, sometimes it is one or the other.  The problem is mostly random, and does not seem to follow any particular user or Workstation.

Symptoms:

Of the 30% of the time where a problem presents itself: 

  • 5% of the time a gpupdate or gpupdate /force will fix the problem and the drives will immediately appear.  If the gpupdate doesn't work on the first attempt, it will pretty much never work after that (for that boot)
  • 5% of the time a gpupdate or gpupdate /force will cause just one drive to appear
  • 20% of the time, a gpupdate will not fix the problem, but the next boot will be fine
  • 50% of the time, a gpupdate will not fix the problem, but after one boot and *another* gpupdate, the drives will appear
  • 20% of the time, it will take *multiple* reboots (and gpupdate for each boot) before the drives appear.  Sometimes it is 2 boots, but I have had to rarely reboot a computer sometimes 6 or 7 times before the drives appear.
  • For this last 20% of the time, I will sometimes get errors from the gpupdate process.

Drive Map Diagnostics:

1. gpresult /h gpresult.html shows:

    Drive Map (Drive: X)
     The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.
       X:
        Winning GPO  DriveMaps
         General Settings
          Result: Success

2. I have enabled group policy environment debug logging (per http://social.technet.microsoft.com/wiki/contents/articles/4506.group-policy-debug-log-settings.aspx created registry entry

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics]
"GPSvcDebugLevel"=dword:00030002

).  The log file in c:\Windows\debug\UserMode\gpsvc.log has not shown me any clear errors, nor have I been able to find much help through google.  Here are some interesting messages I have received:

GPSVC(158.33c) 23:33:24:921 CheckGPOs: No GPO changes but extension Group Policy Drive Maps's returned error status 183 earlier. 
GPSVC(158.c24) 23:38:12:203 ProcessGPOs(Machine): Extension Group Policy Drive Maps skipped with flags 0x110057.
GPSVC(158.157c) 23:08:08:216 ProcessGPOs(User): Extension Group Policy Drive Maps ProcessGroupPolicy

3. I have enabled group policy preferences debugging for Drive Maps (as per http://blogs.technet.com/b/askds/archive/2008/07/18/enabling-group-policy-preferences-debug-logging-using-the-rsat.aspx set Drive Map Policy Processing to Enabled and turned on Event Logging in properties of \Computer Configuration\Policies\Administrative Templates\System\Group Policy\Logging and tracing).  The log file in C:\ProgramData\GroupPolicy\Preference\Trace\User.log has not returned any errors.

2015-11-21 17:47:38.849 [pid=0x22c,tid=0xcd0] Starting class <Drive> - X:.
2015-11-21 17:47:38.864 [pid=0x22c,tid=0xcd0] Adding child elements to RSOP.
2015-11-21 17:47:38.880 [pid=0x22c,tid=0xcd0] Beginning drive mapping.
2015-11-21 17:47:38.896 [pid=0x22c,tid=0xcd0] Set user security context.
2015-11-21 17:47:38.927 [pid=0x22c,tid=0xcd0] User does not have a split token.
2015-11-21 17:47:38.927 [pid=0x22c,tid=0xcd0] Drive doesn't exist (full token).
2015-11-21 17:47:39.114 [pid=0x22c,tid=0xcd0] Connected with access name x:.
2015-11-21 17:47:39.146 [pid=0x22c,tid=0xcd0] SendNotification Session ID is 2.
2015-11-21 17:47:39.146 [pid=0x22c,tid=0xcd0] SendNotification discovered drive mask of 8388608.
2015-11-21 17:47:39.161 [pid=0x22c,tid=0xcd0] Set system security context.
2015-11-21 17:47:39.161 [pid=0x22c,tid=0xcd0] SendNotification drive event broadcast sent.
2015-11-21 17:47:39.161 [pid=0x22c,tid=0xcd0] Set user security context.
2015-11-21 17:47:39.177 [pid=0x22c,tid=0xcd0] SendNotification to Shell.
2015-11-21 17:47:39.177 [pid=0x22c,tid=0xcd0] Set system security context.
2015-11-21 17:47:39.177 [pid=0x22c,tid=0xcd0] Properties handled.
2015-11-21 17:47:39.177 [pid=0x22c,tid=0xcd0] Handle Children.
2015-11-21 17:47:39.192 [pid=0x22c,tid=0xcd0] EVENT : The element of user preferences 'X:' of the group policy object 'DriveMaps {06FEB8B9-632C-4A1C-A7C9-5A05E1041BEE}' was applied correctly.
2015-11-21 17:47:39.192 [pid=0x22c,tid=0xcd0] Completed class <Drive> - X:.

4. I also have several netmon captures of a login with drives failing to load, but the capture has so much information I'm not sure where to begin.

5. If, after a failed login, I try to browse directly to \\SynologyServer\ShareName\, the share always loads immediately without any errors.  There are no signs of connection or permission problems.

Question: 

Why is this problem happening so frequently at one site, but almost never at the other site, when both are on the same domain, have the same policy, and are running the same software?

The only software difference I can think of is that at Site A, all the computers were running Windows 8.1 Pro and were upgraded to Windows 10 Pro, whereas at Site B, all computers have fresh installs of Windows 10 Pro.





Can't Find "Group Policy Remote Update Firewall Ports starter GPO"

Hi

I want to enable remote GPO update but can't find the Group Policy Remote Update Firewall Ports starter GPO.

Any idea how to restore them?

"An error has occurred while collecting data for Scheduled Task." error message while looking at a GPO details in GPMC...

Hi all;

While looking at a GPO's details in GPMC, the following error message appears in the Scheduled Tasks section of the Preferences section:

An error has occurred while collecting data for Scheduled Tasks.

Look at the following figure, please:

The actions I have taken so far:

  • Checked the replication between the two DCs and everything works as expected.
  • Checked the mentioned path and found no folder with the name of Scheduled Task.
  • The domain is based on Windows Server 2008 R2 and all domain controllers are fully patched.

Any ideas?

Thanks





Group Policy having issue on client side

Hello Team,

We have a group policy that is implemented in many locations, but we have started getting issues only from the locations that have low bandwidth available. This GPO is created so that it replaces the provided script all the time and then creates a scheduled task job and runs it....

We are getting the below error on the same...

Not sure how to fix this issue. Please assist us on the same.

Regards,

Suman Rout

Windows Notification Dialog Box - Windows 7 & 8 - Group Policy

Dear Experts,

We are looking to bring the Notification Dialog box to stay more than 5 Seconds in my Environment. As of now we identified that we can do the changes from:

After doing the Changes can see the Display Notification as Expected:

I was searching to make the changes without using the registry (GPO - for 17K users). Any help about the steps for using this GPO is required. Please guide me.

Thank you


Veera

Junk E-Mail Policy not working !!

Hope someone can help with an issue we are having with a junk e-mail GPO. I have set up the GPO using the info from this link  https://support.microsoft.com/en-us/kb/2252421 ... Everything works for about 30 mins and then the address that was added to the safe senders list automatically disappears and the e-mails go back in to junk. I have verified and there are no other policies that would override this setting. If I do a gpupdate /force, close Outlook and re-open, the address is showing again in the safe senders list and then will automatically get removed again. Makes no sense. Does anyone have any suggestions?

Group Policy didn't apply to a server

Dear all,

My group policy does not apply to one of my domain servers. It shows a warning symbol with the below BOLD message:-

Component Status

Component Name                 Status    Last Process Time
Group Policy Infrastructure    Success   10/29/2015 3:43:41 PM
Audit Policy Configuration     Success   10/29/2015 3:43:41 PM
Registry                       Success   10/29/2015 3:28:17 PM
Security                       Warning   10/29/2015 3:43:41 PM

Security has requested to process its policy settings again. This can be due to non-critical errors occurring during the previous processing of policy.

Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 10/29/2015 3:43:41 PM

Can anyone help me on this matter?

This domain server is Windows Server 2008 Standard 64 bit.

Group Policy Preference ( Folder Option )

Hi,

I have set Folder Option in Group Policy Preference. As per the company policy I only want to 'uncheck - Hide extensions for known file types' and I don't want to configure other options (meaning except this configuration I want to leave all other options as 'not configured' or up to the user's choice).

But what happens is that as soon as I configure and apply this policy, all other options in folder option get applied to all users. Even if the user changes folder option on his computer, it gets re-applied.

I want to fine-grain to only one option in folder option.

Do you have any idea how to configure only one option in this GPS - Control Panel settings - Folder option?

( Please see the print-screen for more detail )


Thanks & Regards,
Param
www.paramgupta.blogspot.com
