Hi,
I have a requirement where I need to give access to a set of users on 10000+ Windows machines. The access required for the users is local admin permission on those machines.
Can anyone suggest an idea for how to do this mass implementation?
Good Day,
I am having issues with group policy replications. I checked my PDC and noticed
c:\windows\sysvol\domain\policies is full of GUIDs, but on my other DC servers it's only got 1 GUID. When I GPUPDATE I get this error:
Computer policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows attempted to read the file \\INLOCAL\sysvol\IN.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this
event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
User Policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows attempted to read the file \\IN.LOCAL\SysVol\IN.LOCAL\Policies\{81A13F49-FF66-42A6-89CA-E73407116718}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this
event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
I tried lots of different things I found on these forums. None have worked.
I tried the BurFlags technique.
Even tried this
http://jackstromberg.com/2014/07/sysvol-and-group-policy-out-of-sync-on-server-2012-r2-dcs-using-dfsr/
None worked for me.
Hi,
I was hoping someone could help me out regarding Group Policies on OneDrive for Business.
Is it possible to implement AD Group Policies to OneDrive for Business, if so, how?? A step by step guide would be very helpful.
Thanks!
We have a large domain environment with desktops and laptops that have recently been migrated over to Windows 7 Enterprise. Furthermore, every computer has either Microsoft Office 2010 or 2013 with Microsoft Lync 2010/2013. We have the usual security policy that forces everyone to change their passwords every so often. When the users change their passwords, the helpdesk gets calls about continuous lockouts. Looking over logs, we have found a lot of the locks originate from the PC. If you remote into the user's PC you will usually find a lot of credentials stored in Windows Credential Manager. The ongoing fix is to disable the service for Credential Manager and that usually fixes the problem. I would like to disable Credential Manager using GPO on the server level. I found a few threads that stated you can enable the following GPO:
enable “Network access: Do not allow storage of passwords and credentials for network authentication”.
If I push this out, will this prevent laptop users from having their credentials cached locally so that they can sign in away from the domain?
My client has recently decided to roll out an updated GPO in the domain, and one particular new setting:
Computer Configuration\Windows Settings\Local policies\Security Options\Microsoft network server: Server SPN target name validation level
This previously was not defined, it is now "accept if provided by client". This has resulted in a file share, which previously was accessible by using both a DNS alias as well as the real computer name eg:
\\DNSALIAS\share$
\\COMPUTERNAME\share$
After the GPO change, only the \\COMPUTERNAME\share$ works. Any attempt to use \\DNSALIAS\share$ results in a Username/password prompt, which does not actually accept my credentials (domain admin), it instead comes back with the same prompt again saying "Access is denied".
Googling around I have found two suggestions:
1) One must use setspn to add the HOST SPN for the alias. I have done so and the following were added:
HOST/DNSALIAS
HOST/DNSALIAS.domainname.com
This still didn't work, same problem as before
Upon suggestion I also then added:
CIFS/DNSALIAS
CIFS/DNSALIAS.domainname.com
Still did not work, same problem as before
2) I then instead tried the method of creating a registry entry called SrvAllowedServerNames which would contain the DNS alias name as values. This method DID work. This method also works even if the SPNs in 1) have not been set.
I have implemented the registry method in 2) via a Group Policy Preference, however there are questions being asked at my end as to why the setspn method didn't work. I don't know the answer to this myself, can anyone shed some light?
I am running into a strange issue trying to implement group policies to create a home folder for a user on the server and then mapping that folder to a drive on their PC.
I setup one policy that creates a folder on the server and then I have another policy that maps the user's H drive to this folder.
I am following this guide: http://www.alexcomputerbubble.com/using-group-policy-preferences-gpp-to-map-user-home-drive
The problem is that the drive map does not work until the user logs off and logs back in 2 more times. I have confirmed the folder is created on first logon and can be manually mapped (no permissions issues) yet the drive is not mapped and instead an error is posted in event viewer.
The event id is 4098 with the error code 0x800704d0 - "The network location cannot be reached."
The 2nd time the user logs in there is no more error logged but the drive still doesn't show up.
The 3rd time user logs on the drive is mapped and working correctly
Home Folder Policy:
Drive Map Policy:
This is what I have tried so far (unsuccessfully)
- Changing the variable from %LogOnUser% to %username%
- Mapping directly to the FQDN of the server directly as opposed to DFS namespace
- Enabling/disabling both the drive map reconnect option and "run in logged-on user's context" option
- Changing the link order of the policies so that the folder creation policy is processed before the map drive policy
- Enabling "Always wait for the network at computer startup and logon"
Hi all I have a very strange issue on a Server 2012 domain using Windows 7 desktops.
When a user logs on for the first time the desktop and start menu do not get redirected and I receive the following error
Failed to apply policy and redirect folder "Desktop" to "\\SVR\Desktops$".
Redirection options=0x1000.
The following error occurred: "Failed to build the list of known sub folders".
Error details: "The system cannot find the file specified.
".
However on the 2nd logon the desktop and start menu are redirected correctly.
Description:
Successfully applied policy and redirected folder "Desktop" to "\\SVR\Desktops$".
Redirection options=0x1000.
This also only seems to affect the newer HP Prodesk computers we have started to use.
The desktops and startmenu redirects are setup for a group of users and permissions are as follows
Share permissions - Everyone Full Control
Folder permissions - UserGRP Read and Execute only
Any help would be appreciated
I need to change the password of local administrator of all the domain joined computers in my organization. I have tried the following:
Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups - > Action -Update ..Change new password.
But nothing seems to be working. I have Windows XP SP2 deployed in my organisation as client computers.
I have also tried startup scripts but nothing seems to be working.
Can someone provide me the detailed steps for the same.
Also, can anyone let me know what the prerequisite is for XP machines to use Group Policy Preferences?
Any help will be greatly appreciated!
I'm aware that there are RTM and 1511 versions of the Windows 10 ADMX. We are about to deploy a Windows 10 Enterprise LTSB 2015 machine for a VIP, but foresee using regular Windows 10 Enterprise (1511 or newer) in the future once we upgrade from SCCM 2007 R3 to a newer version.
Which ADMX files should we install? The RTM or 1511 version?
Hi,
I was wondering if someone could shed some light on how come every week or two the Windows Server DHCP blocks out, then the Active Directory, then everything else besides the DNS. So recently users tell me that they can't print or they don't get DHCP because of this error. What's odd is I have installed other servers with the same ISO and never encountered this problem. The solution is a restart and everything works, but it's around every week or so this happens. Also, when I connect to the RDP I get that the server certificate expired, which is odd even after the restart. I'm attaching some photos, sorry that it's in Spanish :( I also want to note that I installed it around less than a month ago and it's giving these issues.
Thank you
My understanding is that W10 (and I guess, 8.1) fast boot does not process shutdown or startup scripts, push installs etc in GPOs: a restart or shift-shutdown is required before a full boot runs the scripts. Testing on my one W10 client confirms that repeated restarts do not apply changed policies in GPO Computer Configuration nodes that require foreground processing.
While fast-boot can be disabled by GPO, I find it strange that MS would not provide the ability to retain the benefits both of the W10 fast start "user experience" and the management capability of computer GPO processing. Is the W10 client GPO not able to set a flag to force a full reboot when background GPO processing notes a change that requires foreground processing? From https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/22/group-policy-basics-part-3-how-clients-process-gpos/ it seems that the GPO client knows that foreground processing is needed.
Happy for my ignorance to be pointed out if I'm missing something. Thanks in advance.
Hi there,
I have a problem that I can't solve...
I need to deploy a GPO that changes the values of some keys in the Windows Registry that are inside the HKCU tree. But I need to apply it only to a group of computers. So...
I have created a GPO that accomplishes the changes, but when I want to set a security filter for the computer group, the GPO won't work. The GPO is inside the OU where the computers reside, and I set the loopback policy as well.
I don't want to create a new OU and move the computers inside.
Can you help me!??
Regards
Hi all,
I have a GPO that forces the default IE search engine.
This GPO works on all our Windows XP/7 workstations but does not work on a Windows 10 PC.
What could I do?
Thank you.
Regards,
FXE
Following several forum pages for setting up a group policy to restrict writing to CD/DVD and removable drives to a specified Group, I find myself stuck as to why it is not working.
I have a 2008R2 AD server with a special group just for writing to CD/DVD and removable drives. I have two group policies: the first, default policy restricts all users from writing to removable media (among all the other default group policy settings) and the second policy allows certain people in the specified group and Admins to write.
I modified the following policies:
User Configuration->Administrative Templates->System->Removable Storage Access
- Deny write * = Enabled (Base Policy)/Disabled (sub policy)
User Configuration->Administrative Templates->Windows Components->Windows Explorer
- Remove CD Burning Features = Enabled (Base policy)/Disabled (Sub policy)
I have run the gpupdate /force command, logged off, and rebooted numerous times. I uninstalled the CD/DVD drivers and reinstalled, but each iteration prevents the admin and approved user from writing to the media. Both policies are enabled and linked, as I have changed policies on other fields and had them apply on the workstation computers. The policies are linked as Default is the first (1) policy and then the sub policy (2).
Please help!
Hi,
We are currently experiencing Outlook problems with AutoArchive for Office 2010. I understand that the AutoArchive file (pst) should not be put on a network location, which causes a big performance problem. However, we have policies to redirect users' Desktop and Documents folders to the file server. In Outlook 2007 and 2003, the default location for AutoArchive still stays on the local drive even though we set these policies; but for 2010, the location changes to \\fileserver\user\documents\ which causes users' Outlook to freeze. We used the Office Resource Kit template to set policies, such as the archive period, but we cannot find the option to change the location back to local. Does anyone know how to change the default location for AutoArchive on Outlook 2010 for all users?
I've got a simple problem, but I cannot find any answer yet. I hope you can help me!
I manage a network in a school and I have some special accounts called 'exams' for doing students' tests. During their tests, my students should not be able to access network shares, except one, to return the test file back to the teacher. All my PCs are on Windows 7.
I tried to do that by GPO (like "disable the command prompt" or "Remove 'map network drive'" ...) but the result is not satisfying. The best solution I found is to configure the firewall with an outgoing rule that blocks all TCP:445 / SMB traffic to the whole range of my network, except to the DC and to the server that stores the test files.
But now, I want to publish the rule for the user (firewall rule activation on logon, disable on logout) and I cannot find how! I tried GPO, PowerShell script... Nothing works! If anyone has an idea to help me, I would greatly appreciate it.
Thanks in advance, pem
We have a restricted group policy on a parent OU. There are servers in a Sub-OU. When I check the servers in the Sub-OU, extra users and groups are part of the local admin group on the server beyond what is defined in the GPO.
The GPO on the parent OU has the AD group names under the group name column and Builtin\administrators in the member of tab. There is no block policy inheritance. The restricted group GPO is listed and Enabled in the group policy inheritance tab on the Sub-OU. There are no errors on the server. How come these extra users and groups are there in the local admin group on the server? Also, they are not getting removed after some time.
I am trying to set up folder redirection for my Windows 10 users to redirect their folders using Group Policy to OneDrive using the next generation sync client. Basically I am using the instructions found at http://social.technet.microsoft.com/wiki/contents/articles/25220.onedrive-for-business-folder-redirection-gpo.aspx to redirect Documents, Desktop, Pictures and the Favorites folders to their OneDrive accounts on Office365.
I have the policy applied to our Windows 7 users and it seems to be working fine. However, my test clients seem to have issues. When a test client logs on, we'll get sync errors on the redirected folders and the OneDrive client is indicating that the folder already exists and that the copy found in the local OneDrive folder needs to be deleted and then it'll be synced down to the computer. Deleting the folder from the local file system doesn't cause the online copy to sync down to the computer.
Any help would be appreciated.
Thanks in advance!
John Nash
We have GPO with the following setting in place: Windows Settings \ Security Settings \ Local Policies \ Audit Policy \ Audit account logon events
We need to exclude from this policy (actually from creating events in the event log) one domain account which is used to run some task on each domain computer every week. Is it possible to exclude this account in the GPO? I believe not, as I cannot find such an option.
Another option for us would be to remove every event from the security event log which contains this domain account name. But is it possible to remove single events from the event log? As far as I can see, there is a way to clear the whole log only (https://www.google.pl/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwjY5vv16NHLAhXn73IKHS3JBPYQFggbMAA&url=http%3A%2F%2Fserverfault.com%2Fquestions%2F8339%2Fhow-can-i-remove-specific-events-from-the-event-log-in-windows-server-2008&usg=AFQjCNFzSzY40mIEYWgVKHl1p2mn659CWQ&sig2=DEKkXpUNO81n2Y3edcY1tA)