Channel: Group Policy forum

Setting program defaults with Group Policy


Hello, this might be a bit of an odd question..

 However on one of our application servers I need to be able to set Internet Explorer as the default photo viewer for JPEG files  users. Can anybody suggest the best method of doing this? We are using Windows Server 2008 R2.

 I've tried to create a new association under User Config, Preferences, Folder Options and set the file extension JPEG to open with C:\Program Files\Internet Explorer\iexplore.exe , however, this doesn't seem to work. 

 If anybody has any suggestions they would be much appreciated. Thank you.

 


Office 2010 user policy over trust not working


I have client machines in domain A, and User accounts from Domain B logging into those machines.

Domain A trusts Domain B. (It's a one-way trust. Both domains run at 2008 R2 function level and clients are all Windows 7.)

I have group policies in both domains. The machines get their GP settings from Domain A and that works fine. The user accounts get their settings from B. However, all of a sudden, I'm having problems with Office 2010 policies. Client machines have Office 2010, and Skype for Business 2013, so pick up policies for both versions of Office.

The Office 2013 policies in Domain B for the users work fine. Office 2010 policies for users just aren't applying, and I can't figure out why.

The policies aren't filtered, and are set for all authenticated users. I've tried enforcing the 2010 policy too.

If I run a GP results, it shows both policies applying in the summary - but none of the Office 2010 settings are being picked up.

Other non-Office-related policies for the user accounts are running fine. Can anyone think of something I'm missing please?

Thanks.

Windows 10 Enterprise LTSB 2015, which ADMX?


I'm aware that there are RTM and 1511 versions of the Windows 10 ADMX.  We are about to deploy a Windows 10 Enterprise LTSB 2015 machine for a VIP, but foresee using regular Windows 10 Enterprise (1511 or newer) in the future once we upgrade from SCCM 2007 R3 to a newer version.

Which ADMX files should we install?  The RTM or 1511 version?

Invalid pointer - Error in GPO backup


Hi,

I have an Active Directory with domain and forest at Windows Server 2012 R2 level.

I'm starting to restructure the GPOs that we have and I started with a backup of the existing ones.

In five of them I got the following error:

"

The overall error was: Invalid pointer
Additional details follow.

[Error] The task cannot be completed. There was an error with extension [Core Extension]. The attributes of Directory Services object [LDAP://Server/cn={95B712C8-D23B-49DB-B376-B83D1B6BDFE1},CN=Policies,CN=System,DC=ualg,DC=pt] cannot be accessed.
The following error occurred:
Invalid pointer

"

I've edited the GPOs and they don't seem to have any errors. I've accessed the policy server on the DC and I got no errors.

The AD Replication Status Tool shows no errors or delays in the forest.

What could be the problem and how can I solve it?

Thanks in advance...

With the best regards,

dmsousa

exclude policy with user settings from certain computers


I need to set a screen lockout time for most computers in my domain. This is a User Config setting.  There is a subset of computers that should not get this setting. However any user could potentially log into any computer & I want them to get the correct setting for the computer they are logged into.

ComputerOU – all computers reside here, including those in the ExcludeGroup

ExcludeGroup – computers that should not get the screen lockout setting

My plan:

Create a GPO with the screen lockout setting

Enable Loopback Processing in Replace mode

Link the GPO to the ComputerOU

Scope the GPO to Domain Computers

Under Security Filtering, DENY the ExcludeGroup

Before I set all this up, is there an easier way to accomplish this task?

Thx

Bitlocker and BBC Micro:bit

We have a problem in our school that we use BitLocker to encrypt all USB media that is to be written to. This means we will be unable to use the BBC Micro:bits as they will not support BitLocker encryption. All the Micro:bits have the same ID. Is there a way to whitelist the Micro:bits so the BitLocker software will allow only Micro:bits to be written to?

OneDrive.exe


Hello,

I just started getting used to OneDrive for Business and had a couple of questions regarding the new OneDrive for Business Next Generation Sync Client and OneDrive.exe. I already looked at many websites and articles regarding this topic but still was NOT able to do or solve my questions (I am kind of new to IT in general). So I would really appreciate it if you could NOT just send me a link to a website or article.

1. I can't seem to run/deploy OneDrive.exe properly (or so I think, I am not sure). I downloaded the Deployment Package, ran the DefaultToBusinessFRE and EnableAddAccounts that were inside the package and downloaded the OneDrive.exe. I also synced the computer to my OneDrive for Business. However, I can't seem to apply the other Administrative settings such as DisablePersonalSync, GPOEnabled, DefaultRootDir, DisableCustomRoot, etc. (which are the settings that I am interested in applying). How can I apply these settings on OneDrive for Business to be applied to other users through group policy? (I am using Windows 10).

(a step by step guide would be greatly appreciated!!!)

2. I should also be able to apply some group policies through GPMC right? I opened my GPMC but can only see a SkyDrive folder (which has 3 templates). Is there a OneDrive for business folder that has some templates as well? How do I get this?

(since I am not very good using technology, as a last resort, I would also be okay and very grateful if someone could give me or let me know which templates are available on GPMC for OneDrive for Business → a list with descriptions of the available templates would be awesome)

Regards

LAPS - revoking access of a group


Hi, 

I have successfully tested the Local Admin Password Soln on my test env. The only thing I am not able to come across online is a command to revoke access provided to a group.

For these commands below, is there a revoke/remove switch as well? E.g., if I want to remove Domain Admins to read password or if I want to remove a particular OU of computers from SelfPermission that I may have already granted?

1. Set-AdmPwdReadPasswordPermission 

2. Set-AdmPwdComputerSelfPermission

Thanks - appreciate any reference to an existing blog or reply


Deployment of OneDrive.exe


Hello,

It seems like I cannot properly deploy OneDrive.exe as an IT administrator.

I am using 2 virtual machines: a Windows 10 computer and a Windows Server 2012 R2 (to use GPMC on Active Directory)

My goal is to set the Administrative settings for OneDrive for Business so that all the users that are under my tenant (...@companyx.onmicrosoft.com) are bound/tied to these settings that I applied. So here are my questions.

As the IT administrator:

1. Do I have to install and set up the administrative settings of the new OneDrive for Business Next Generation Sync App on ALL computers (as in the computers that my users are using)? Or do I just set the administrative settings on my computer (Win10) and would they also apply to all users under my tenant?

   -I would appreciate a detailed guide on how to properly deploy and add the configuration setting registry keys on OneDrive.exe. I tried to follow the guide on the article "Deploying the OneDrive for Business Next Generation Sync Client in an enterprise environment" but was NOT able to do it. If someone could provide me a guide with screenshots on how to do this, it would be very helpful. (please remember I am new -and not so good- to IT)

 2. I understood that some settings such as "DefaultToBusiness" and "EnableAddAccounts" are able to be set before the installation of OneDrive.exe. Is it okay if I do not run the "EnableAddAccounts"? Since we do NOT want our users to be using any other OneDrive account on their computers (other than the company's OneDrive for Business), if I do not run this setting, it will not allow them to add another O365 or OneDrive (consumer) account to that computer right??

3. How do I set the other administrative registry keys (DisablePersonalSync, EnableEnterpriseTier, GPOEnabled, DefaultRootDir, and DisableCustomRoot)? Again, I tried to follow the guide provided on the article "Administrative settings for the OneDrive for Business Next Generation Sync Client" but was NOT successful. So a detailed guide with screenshots might help me understand and run these settings in a better way (and hopefully be successful).

4. Since these administrative registry keys are applied through Group policies, do I have to set them through my GPMC? Right now I can only see the folder "Skydrive" which contains 3 templates. How can I apply all these administrative settings for OneDrive for Business on my Server (Windows Server 2012 R2) so that they apply to all computers under my domain? Please, a guide with screenshots would be easier to understand and follow.

I am sorry this got really long, but I hope someone can help me out

Regards

Exclude account from "Audit account logon event" GPO policy


We have GPO with the following setting in place: Windows Settings \ Security Settings \ Local Policies \ Audit Policy \ Audit account logon events

We need to exclude from this policy (actually from creating events in event log) one domain account which is used to run some task on each domain computer every one week. Is it possible to exclude this account in GPO? I believe not as I cannot find such option.

Another option for us will be to remove every event from security event log which contains this domain account name. But is it possible to remove single events from event log? As I can see there is a way to clear the whole log only (https://www.google.pl/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwjY5vv16NHLAhXn73IKHS3JBPYQFggbMAA&url=http%3A%2F%2Fserverfault.com%2Fquestions%2F8339%2Fhow-can-i-remove-specific-events-from-the-event-log-in-windows-server-2008&usg=AFQjCNFzSzY40mIEYWgVKHl1p2mn659CWQ&sig2=DEKkXpUNO81n2Y3edcY1tA)

Processing of Computer branch of GPO on W10 clients


My understanding is that W10 (and I guess, 8.1) fast boot does not process shutdown or startup scripts, push installs etc in GPOs: a restart or shift-shutdown is required before a full boot runs the scripts.  Testing on my one W10 client confirms that repeated restarts do not apply changed policies in GPO Computer Configuration nodes that require foreground processing.

While fast-boot can be disabled by GPO, I find it strange that MS would not provide the ability to retain the benefits both of the W10 fast start "user experience" and the management capability of computer GPO processing.  Is the W10 client GPO not able to set a flag to force a full reboot when background GPO processing notes a change that requires foreground processing?  From https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/22/group-policy-basics-part-3-how-clients-process-gpos/ it seems that the GPO client knows that foreground processing is needed.

Happy for my ignorance to be pointed out if I'm missing something.  Thanks in advance.

GPO results wizard shows errors remotely but not on DC


I was making some changes to group policies relating to WSUS recently and noticed some odd issues. When I'm in GP Management on my workstation and run the Policy Results Wizard for any user and computer, I'm getting alerts that all the policies are "Inaccessible, Empty or Disabled". Looking at the Policy Events tab, everything says it applied just fine. When I go to a DC and run the exact same report, it shows no alerts and looks like everything is just fine.

Screen shots below: 

This is from my workstation (Win 8.1):

And the exact same computer/user from the DC (Win Server 2012):

Why am I getting conflicting reports?

How to create a Domain Admin with fewer rights

Hello everyone, I am working on a network where IT support staff need to be administrators in order to install legitimate software.  I don't want their accounts to be elevated as domain admins as I don't want them to have full administrative rights. I have tried using GPO to enable them with certain activities; it works only on their computer but they need to be at customer point with an administrative password. I need feedback asap. Thanks

Event 1055


SYSTEM CONFIGURATION:

Windows Server 2008 R2  DNS and Active Directory installed. Exchange Server 2010 installed, but disabled. 

This is the only Domain Controller on the network. The other server is running Server 2008 R2 but Active Directory is not installed.

The Exchange Server stopped working because the mail store and other processes would not start. I also noticed problems with Active Directory. I disabled the Exchange Server and started checking out Active Directory. I rebooted the server and now I see the Group Policy Event 1055 in the system event log.

I checked out the DNS server and it appears to be working. I checked the DNS logs and no errors were found. If I try to access anything on Active Directory such as "Domains & Trusts" or "Users & Computers", an error message is displayed stating the server is not operational.

I need this problem resolved ASAP!

Thanks,

Allow users to be able to add a local and Network Printer on Local Workstation

I'm trying to modify a policy for users in Gpedit on a local workstation on Windows 7 to allow users to be able to add local and network printers without escalation, but I'm having a heck of a time. It seems that nothing is working. I just want to allow users to be able to install Printers without being prompted for escalation. Any ideas what settings will work in Gpedit?

How can I implement screen saver for 1500 computers in a domain

We have a domain that contains around 1500 computers, which are scattered around the country (WAN). How can I implement a screen saver for all computers?

Password policy resides in computer settings


Password policy resides in computer settings.

Just wondering, how are users affected through password policy?


Thanks Biswajit

Hardening UNC Paths Breaks GPO Access


Hello,

I am attempting to utilize group policy to harden UNC paths on my two domain controllers.  I have followed along the steps to create a central GPO store, and have created an object in accord with MS15-011.

I have the following settings:


Status:  Enabled

Paths <values>

\\dc1 <RequireMutualAuthentication=1,RequireIntegrity=1,RequirePrivacy=1>

\\dc2 <RequireMutualAuthentication=1,RequireIntegrity=1,RequirePrivacy=1>

Once I apply it to my DC OU, things rapidly go downhill.  Specifically, I am no longer able to view the settings on what appears to be any already-in-place GPOs.  Further, when I attempt to edit any GPO, it claims I don't have permission to do so.

When I remove the Harden UNC path GPO from the domain controller OU, everything appears to restore either right away or after a GPUPDATE /FORCE.

I get that the theory is in order to get at shares on these machines (which include the Policies), I'd need better proof of who I am.  Well, I am already accessing the DC1 via Remote Desktop (to the virtual host) and Hyper-V as the Domain Admin.  I didn't really bother to test DC2 since DC1 broke.

The only thing I could think of off hand is that the certificate on the workstation (somewhere in the chain) is not trusted by the DC, so fails the Mutual Authentication check.  I've thought about re-applying these one by one, but I'm hesitant to go putting things on domain controllers that I know could cause issues.

Has anyone encountered this before, and if so, what is going on?

Thanks,

M.

Get information about the currently extended GPO


 We are currently developing an MMC SnapIn Extension, that extends multiple group policy objects (GPOs) in the following tree: GPO->Computer Configuration->Policies->MySnapInExtension

(Sorry, but no images or links allowed :(  )

Technology is MMC 3.0, .NET 3.5, C#, VS2013. The extension is available on all GPOs.

The main class of the extension looks like this (in an anonymized way)

----------

[SnapInSettings("{3B6F64DC-4572-4A64-957A-E8A9E2FEBD54}", DisplayName = "DisplayName", Description = "MMC Snap-In")]
[ExtendsNodeType("{8FC0B739-A0E1-11D1-A7D3-0000F87571E3}")]
[ExtendsNodeType("{D37CB93E-0DDC-4204-AA04-C3D70B01A7D8}")]
public class ExtensionSnapIn : NamespaceExtension
{
}
--------------

Everything works fine except I cannot determine which GPO is the parent of the currently opened extension. I would like to know this because I have to write into the registry to the following path: HKLM\Software\Company\Product\Client Group Policy\[GPOID]\

I would like to have the ID (guid) of the GPO dynamically:

I have tried a lot of things with no result at all:

    In the ExtensionSnapIn class there is an inherited PrimaryScopeNode property which has a NodeType property which is a GUID. Unfortunately, this property always returns 00000000-000-0000-0000-000000000000. However the documentation says that about the PublishesNodeTypeAttribute:

    If a node does not have this attribute, it cannot be registered as an extensible node.

    Whenever I'm trying to read from the PrimaryNode.SharedData like this:

Sample:
--------------------
//private const string shdata = "CCF_SCE_GPT_UNKNOWN";
//private const string shdata = "CCF_SNAPIN_CLASSID";
//private const string shdata = "CCF_DISPLAY_NAME";
//private const string shdata = "CCF_NODETYPE";
//private const string shdata = "CCF_SZNODETYPE";
//private const string shdata = "CCF_SNAPIN_CLASSID";
//private const string shdata = "CCF_DISPLAY_NAME";
//private const string shdata = "CFSTR_DSOBJECTNAMES";
private const string shdata = "CCF_SCE_GPT_UNKNOWN";

public ExtensionSnapIn()
{
    this.PrimaryNode.SharedData.Add(new SharedDataItem(shdata));
}

protected override void OnInitialize()
{
    SharedDataItem sharedDataItem = this.PrimaryNode.SharedData.GetItem(shdata);
}
----------------

I'm always getting an exception. For CCF_NODETYPE, CCF_SZNODETYPE, CCF_SNAPIN_CLASSID, CCF_DISPLAY_NAME I'm getting this:

    The following clipboard format is reserved for use by MMC: CCF_DISPLAY_NAME. Specify another clipboard format.

The rest of the clipboard formats just give a PrimarySnapInDataException with this stack trace:

    at Microsoft.ManagementConsole.SharedDataItem.GetData()
    at Balabit.SyslogNgAgent.MMC.ExtensionSnapIn.OnInitialize() in c:\Source\Bergholz\Client\Client.Product\Main\src\MMC\ExtensionSnapIn.cs:line 65
    at Microsoft.ManagementConsole.Advanced.NamespaceExtension.ProcessNotification(Notification notification)
    at Microsoft.ManagementConsole.Internal.SnapInClient.Microsoft.ManagementConsole.Internal.IMessageClient.ProcessNotification(Notification notification)
    at Microsoft.ManagementConsole.Executive.SnapInInitializationOperation.OnStart()
    at Microsoft.ManagementConsole.Executive.RunningOperationsTable.EnqueueOperation(Operation operation)
    at Microsoft.ManagementConsole.Executive.NamespaceExtensionComponentData.GetScopeNodeForExpand(IDataObject dataObject, IntPtr hScopeItem)
    at Microsoft.ManagementConsole.Executive.ComponentData.OnExpand(IDataObject dataObject, Boolean isExpanding, IntPtr hScopeItem)
    at Microsoft.ManagementConsole.Executive.ExpandMmcNotification.OnNotify(IntPtr dataObject, IntPtr arg, IntPtr param)
    at Microsoft.ManagementConsole.Executive.MmcNotifyTarget.Notify(IntPtr dataObject, NotificationType eventType, IntPtr arg, IntPtr param)

I have googled this problem for days, and I have read tons of articles about MMC Extension SnapIns, and GPO, but I have not yet found any usable solutions for my problem.

Thanks for your help in advance.

Hide E: Drive by editing ADMX file or GPO on Server 2012


Hello, I'm having trouble finding a clear way to do this.  I need to hide the E: drive in addition to the other options in Group policy. Ultimately I need to hide A,B,C,D and E for my terminal server users through a group policy.

When I made what seemed like good changes in the ADMX file I got an error which I searched and found that the ADMX file was out of sync with the ADML file.

Do I need to add the same reference in both the ADMX and ADML files?

Is notepad a good way to accomplish this?

Should I use the ADMX Migrator tool as some sites suggest?  There is very little instruction that I can find on how to use this tool.

Thank you in advance for your help.


Scott
