I'm making some new GPOs and I noticed that on my computer/user most of the GPOs are being denied because they're "inaccessible". I went through and added Domain Admins to the path "domain\sysvol\domain\policies" and they show up now and I can navigate to them from my computer, but they're still not applying according to the Group Policy Results report. I ran the report on another domain admin's computer and they're getting similar results but with different GPOs.

I ran the report on a couple other computers and they're getting several denied as well, but their given reason is "Empty".

How do I go about solving this?

Thanks

Hi

I have a policy with "Extra Registry Settings" that I need to remove.

This is not an ADM and I cant find a way to remove this, is there a way?

 GPO "Extra Registry Settings":

Thanks, Maelito

Hello,

We want to use RADIUS for the wireless laptops, but we are running into the following issue.

Situation:

Client ->  RADIUS client: Cisco WLC (Wireless Lan Controller) -> RADIUS server: Smoothwall
We'v created a GPO on Windows Server 2012 R2 with the right Wifi settings (as far as i know)

Problem:

When i logon to the client, i'm not able to load the profile. I get the famous RoamingProfile message.
I am using the following GPO settings:

Comp.. Config -> Policies -> Windows Settings -> Security Settings -> Wireless Network (IEE 802.11) Policies
Authentication Method:
Microsoft: Protected EAP (PEAP)
Authentication Mode:
User Authentication

I'v been talking to Smoothwall, but they confirm all the settings are right on the Smoothwall.
On the Cisco WLC i'v got the following settings:
Authentication Servers:
Smoothwall's IP adress Port: 1812
Accounting Servers:
Smoothwall's IP adress Port: 1813

The moment i logon to the laptop, it's going to make a wifi connection, but it looks like its not ready intime.
I also tried a delay (AD connection ready before logging on), but that didn't work either.

I'm out of options...

Please i need help with this.

Kind regards,

Niels

Hi all,

I have a funny problem -  I have win 2008 R2 as my DC

Group Policy set for all clients to open default homepage - https://myportal/default.aspx

this works fine but for user's with windows 8.1 enterprise and IE 11 when the PC boots up IE opens in startup with MSN as homepage.

On closing IE again the default homepage set through GP appears.

Can't understand why MSN pops up while we haven't set it anywhere in GP.

Is there anyway to block MSN totally from IE in startup / homepage.

tfernandes

We have been blocking access to the Windows store through Group Policy, however since we applied the latest November update to Windows 10, that policy is no longer working.  We ran into the problem described here https://support.microsoft.com/en-us/kb/3077013 but have corrected that.  I had hoped that after fixing that the policy would start working but so far no dice.  Gpresult shows the policy as though it's been implemented but it still shows as Not Configured in the local group policy editor and of course the users can still access the store.  Anyone else seen this or something similar?

Thanks

EDIT:  Okay, so I still can't get the GP to kick in but I went ahead and manually changed the settings in the local Group Policy editor and it's still not being enforced, am I missing something?  I'm inclined to think that this is a bug, but I'd love to hear suggestions if anyone has any.  Thanks

Dear  all,

I did not setup the group policy in my domain controller. But when I press "Ctrl + Alt + Del" and change my password, the system shows me "Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain". I've tried to disable the Password complexity in domain controller but the problem still persist. Can anyone helps me in this matter?

Hello!

I am in the process of hardening our Windows 7 image and decided to use USGCB Baseline GPO as a starter, modifying it to our needs.

I imported “USGCB Windows 7 Computer Settings” GPO backup (can be found here) into SCM and started reviewing each setting.

But, when editing the GPO settings through SCM I am not able to edit the first section in the settings list called“Additional Settings”. All other sections I am able to modify without issues, but in this one all settings are greyed out.

Can someone please exlain to me why is this happening?

Also when opening the GPO backup using Group Policy Management snap-in I do not see these settings at all, yet for some reason they appear in SCM.

Here is a screenshot.

We are starting to role out Windows 10 Enterprise to some staff laptops.  We have a single 2012R2 DirectAccess server running with a Single NIC.  

When I apply the GPO's for DirectAccess to the Windows 10 laptops the boot time increases by a full minute.  All of these laptops are running SSD's.  The laptops are currently in the "Corporate Network".

I managed to find that Group Policy is causing the additional delay.

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

- <System>

 <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />

 <EventID>5332</EventID>

 <Version>0</Version>

 <Level>4</Level>

 <Task>0</Task>

 <Opcode>0</Opcode>

 <Keywords>0x4000000000000000</Keywords>

 <TimeCreated SystemTime="2015-11-19T15:15:57.926369300Z" />

 <EventRecordID>1693</EventRecordID>

 <Correlation />

 <Execution ProcessID="416" ThreadID="1348" />

 <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>

 <Computer>Removed</Computer>

 <Security UserID="S-1-5-18" />

 </System>

- <EventData>

 <Data Name="IsPolicyConfigured">false</Data>

 <Data Name="MaxTimeToWait">60000</Data>

 <Data Name="TimeWaitedAtStartup">60016</Data>

 <Data Name="DidWaitTimeout">true</Data>

 </EventData>

 </Event>

I have not noticed the same event on either Windows 7 or Windows 8.  I cannot find any settings to change the MaxTimeToWait or disable this altogether.  Is this something that can be configurable?  Has anyone else seen this issue?  I used the DirectAccess Server wizard to configure everything and have not manually adjusted the GPO's associated with DA.  If the DA GPO's are not applied to the laptop the boot time is under 20s.

We do have "Wait for the network" turned on within a GPO.  I tried turning that off but that did not seem to help.  I have also set the "Require use of Fast Startup" GPO setting and that did not resolve the issue. 

Thank you for your help.

Hi All

I need help with the following issue

We have two domains Harris Scarfe & Best & Less with a Trust Type of Forest (Two way Trust)

In the Best & Less Domain, they can target harris scarfe security groups in group policy.

In the Harris Scarfe domain  we cant target Best & Less Security groups

Why cant we target their security groups but they can target ours?

What do I need to do to troubleshoot this

Please note with file permissions on a file server, I dont have any problems targeting remote users or security groups 

Hi all,

Is there any local group policy for force logging off an idle users?

Regards,

Hemanth

Regards, Hemanth The Trusted Admin

Hi, this has been discussed before but i still cant find any concrete info on this. I would like to block users from saving to C drive, so that all docs are saved on their home drive/shared drive. Is this possible with GPO?

GPO - 2008 R2

OS - Windows 7 SP1

Cheers

HI, I'm trying to deploy a scheduled task with GP Preferences. I'm trying to set it with "Run whether user is logged on or not". My scheduled task wont LOAD to the PC, getting access denied error.

My setting:

I trying to run a batch file to reboot the machine once a week. No matter if the user is logged on or not.

I set the option "Run whether user is logged on or not", but when I do that, the "Do not store password. ext." option is automatically greyed out. I tried using a batch file from a share and from the local machine.

Hello,

I have a domain with a number of clients however they are not using the DNS Suffix Search List which i have applied using group policy.

I can see that the policy has applied and the DNS Suffix Search List shows up correctly when i look using ipconfig /all.

for EG:

I have a search list of 3. domain1.local, domain2.local and domain3.local.

My primary dns suffix is domain1.local.

I ping a server who's record is in domain2.local DNS zone however after a pretty long pause it does not resolve and errors out with "ping request could not find...". If i ping using FQDN then it works fine.

The DNS Suffix Search List of the client has all of the domains listed so should look through this list before throwing the 'cannot find' error.

What is going on here?

We have a computer policy in place that sets the local power options.   Only users who have Local Admin rights can change this.   Is there a way to make standard users be able to change this computer setting?   Or must you have admin rights to change power settings?

mqh7

Trying to force replication of the SysVol share across my DCs. Entered:

repadmin /syncall /verbose

and that returned this:

PS C:\Users\administrator.<DOMAIN>> repadmin /syncall /verbose
CALLBACK MESSAGE: The following replication is in progress:
    From: 1bb57800-440a-4992-a5cc-1a37a4fed2fe._msdcs.<DOMAIN>
    To  : 984b5c3a-1537-4961-b229-a0764b292116._msdcs.<DOMAIN>
CALLBACK MESSAGE: Replication suppressed by user request:
    From: 1bb57800-440a-4992-a5cc-1a37a4fed2fe._msdcs.<DOMAIN>
    To  : 984b5c3a-1537-4961-b229-a0764b292116._msdcs.<DOMAIN>
CALLBACK MESSAGE: The following replication is in progress:
    From: 984b5c3a-1537-4961-b229-a0764b292116._msdcs.<DOMAIN>
    To  : e83fa9f6-424b-49ba-b8b5-9744594ce8fb._msdcs.<DOMAIN>
CALLBACK MESSAGE: Replication suppressed by user request:
    From: 984b5c3a-1537-4961-b229-a0764b292116._msdcs.<DOMAIN>
    To  : e83fa9f6-424b-49ba-b8b5-9744594ce8fb._msdcs.<DOMAIN>
CALLBACK MESSAGE: The following replication is in progress:
    From: bf8463b8-d400-47cf-b596-2547ca57da04._msdcs.<DOMAIN>
    To  : e83fa9f6-424b-49ba-b8b5-9744594ce8fb._msdcs.<DOMAIN>
CALLBACK MESSAGE: Replication suppressed by user request:
    From: bf8463b8-d400-47cf-b596-2547ca57da04._msdcs.<DOMAIN>
    To  : e83fa9f6-424b-49ba-b8b5-9744594ce8fb._msdcs.<DOMAIN>
CALLBACK MESSAGE: The following replication is in progress:
    From: d74a0dc9-845f-4bdd-9122-86e2e1feaf4a._msdcs.<DOMAIN>
    To  : e83fa9f6-424b-49ba-b8b5-9744594ce8fb._msdcs.<DOMAIN>
CALLBACK MESSAGE: Replication suppressed by user request:
    From: d74a0dc9-845f-4bdd-9122-86e2e1feaf4a._msdcs.<DOMAIN>
    To  : e83fa9f6-424b-49ba-b8b5-9744594ce8fb._msdcs.<DOMAIN>
CALLBACK MESSAGE: SyncAll Finished.

SyncAll reported the following errors:
Replication suppressed by user request:
    From: 1bb57800-440a-4992-a5cc-1a37a4fed2fe._msdcs.<DOMAIN>
    To  : 984b5c3a-1537-4961-b229-a0764b292116._msdcs.<DOMAIN>
Replication suppressed by user request:
    From: 984b5c3a-1537-4961-b229-a0764b292116._msdcs.<DOMAIN>
    To  : e83fa9f6-424b-49ba-b8b5-9744594ce8fb._msdcs.<DOMAIN>
Replication suppressed by user request:
    From: bf8463b8-d400-47cf-b596-2547ca57da04._msdcs.<DOMAIN>
    To  : e83fa9f6-424b-49ba-b8b5-9744594ce8fb._msdcs.<DOMAIN>
Replication suppressed by user request:
    From: d74a0dc9-845f-4bdd-9122-86e2e1feaf4a._msdcs.<DOMAIN>
    To  : e83fa9f6-424b-49ba-b8b5-9744594ce8fb._msdcs.<DOMAIN>

Don't even know what to make of this.

Any help would be appreciated, thanks in advance!

OS: Microsoft Server 2012 R2
Domain Environment: 2012 R2 Functional Level
Test Server: Virtual Machine running on Hyper-V

We have been struggling to solve a problem that a 3rd party tool has been causing in many of our domain environments for the last 6 months, and I am hoping there are some GP experts here that can help us to improve our debugging to flush out the root cause. 

Overview: We are a software company, and we are using another company's application for our reporting module. This 3rd party company's tool (Pentaho) is utilizing PostgreSQL and Tomcat Apache - both are managed via a Windows Service we created. The application works well, but we have seen that when installed on domain joined machines with GPO's applied, there is a conflict with Group Policy client which causes major delays during reboots and problems running gpupdate/rsop.msc while the PostgresQL and Tomcat Apache services are actively running.

Behavior: If we have the PostgreSQL/Tomcat services running, we find that a reboot will cause a delay of upwards of one hour, and running gpupdate /force will hang indefinitely. If gpupdate /force is run while the PostgreSQL/Tomcat services are running, it puts gpclient into a bad state, requiring a reboot to resolve. Simply disabling the services and rebooting brings the system back into a healthy state and allows group policy to operate normally until we re-enable the PostgreSQL/Tomcat services. 

We have enabled all available debug logging in Group Policy, PostgreSQL, and Tomcat, performed xBootMgr traces, performed Process Monitor analysis, and Packet Captures, but we have been unable to pinpoint the cause of the conflict with GroupPolicy. We have also opened tickets with all other involved vendors to see if we can solve the problem from their side, but I would like to see if we can get a Group Policy expert to review our gpsvc logs to see if anything is obvious, or see if there is anything else we can enable to get more details in regards to what is causing this.

I have collected a series of logs and network captures - descriptions and links below:

1. Normal login with PostgreSQL/Tomcat fully stopped/disabled: Group Policy processes normally with no extended delays - https://www.dropbox.com/s/0yrkcky34pdnljb/normal_gp.txt?dl=0

2. Normal login with PostgreSQL/Tomcat running: Group Policy completely hangs for multiple minutes at various points with no explanation, and eventually completes - https://www.dropbox.com/s/kzzjewmuj5ga9y5/essence_gp.log?dl=0

3. 'gpupdate /force' run after login with PostgreSQL/Tomcat services enabled: https://www.dropbox.com/s/n4sobuaabs1f1li/gpupdate_fail.log?dl=0

4. Packet capture while the gpupdate /force from above was running - https://www.dropbox.com/s/xa1032bcgq9bmib/gpupdate_fail_trace.pcapng?dl=0

Is there anything obvious in these logs/captures that I am missing? Is there any additional debugging/tracing that we can enable to get further details about what is causing gpsvc to fail while PostgreSQL/Tomcat services are running?

Please let me know if there is any additional information that I can provide.

Nick

Hello,

I successfully deployed certificate with private key to 'LocalMachine\Trusted People' store and UI showing that I have private key for certificate. 

If I get properties of this certificate it's showing that it has PrivateKey, yet not returning actual Private Key object. Importing the same certificate directly into machine through MMC works fine and provides access to PrivateKey

PSPath                   : Microsoft.PowerShell.Security\Certificate::Localmachine\TrustedPeople\E098AE75AA72D21A586A4A
                           BC1B586491FF141841
PSParentPath             : Microsoft.PowerShell.Security\Certificate::Localmachine\TrustedPeople
PSChildName              : E098AE75AA72D21A586A4ABC1B586491FF141841
PSDrive                  : Cert
PSProvider               : Microsoft.PowerShell.Security\Certificate
PSIsContainer            : False
EnhancedKeyUsageList     : {Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)}
DnsNameList              : {Company.Automation}
SendAsTrustedIssuer      : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId                 :
Archived                 : False
Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
                           System.Security.Cryptography.Oid}
FriendlyName             : GPO Provided
IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter                 : 11/23/2025 2:02:56 PM
NotBefore                : 11/23/2015 1:52:57 PM
HasPrivateKey            : True
PrivateKey               :
PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
RawData                  : {48, 130, 3, 18...}
SerialNumber             : 1D898F6A29528AA848C5901BB3E0FF4F
SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm       : System.Security.Cryptography.Oid
Thumbprint               : E098AE75AA72D21A586A4ABC1B586491FF141841
Version                  : 3
Handle                   : 730070565744
Issuer                   : CN=Company.Automation
Subject                  : CN=Company.Automation

CAPI2 has following error

+ System

  - Provider

   [ Name]  Microsoft-Windows-CAPI2
   [ Guid]  {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}

   EventID 70

   Version 0

   Level 2

   Task 70

   Opcode 0

   Keywords 0x4000000000000080

  - TimeCreated

   [ SystemTime]  2015-11-25T01:47:21.608944100Z

   EventRecordID 2

   Correlation

  - Execution

   [ ProcessID]  15432
   [ ThreadID]  12064

   Channel Microsoft-Windows-CAPI2/Operational

   Computer DNVWEBSCOM1.prod.company.com

  - Security

   [ UserID]  S-1-5-21-246108663-1456017983-1738939233-1190


- UserData

  - CryptAcquireCertificatePrivateKey

  - Certificate

   [ fileRef]  E098AE75AA72D21A586A4ABC1B586491FF141841.cer
   [ subjectName]  Company.Automation

  - Flags

   [ value]  10080
   [ CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG]  true

  - EventAuxInfo

   [ ProcessName]  certutil.exe

  - CorrelationAuxInfo

   [ TaskId]  {7554D442-0639-4823-9DAB-23A277D5CA81}
   [ SeqNumber]  2

  + Result Keyset does not exist

   [ value]  80090016

 

Hello Team,

We have a group policy that is implemented in many locations but we have started getting issues only from the location that have low bandwidth available. This GPO is created that replace the provided script all the time and then create a schedule task job and run it....

We are getting the below error on the same...

Not sure how to fix this issue. Please assist us on the same.

Regards,

Suman Rout