Quantcast
Channel: Group Policy forum
Viewing all 19997 articles
Browse latest View live

The processing of Group Policy failed.

March 25, 2016, 11:35 am
$
0
0
The processing of Group Policy failed. Windows attempted to read the file \\domain.com\SysVol\domain.com\Policies
{xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx}\gpt.ini from a domain controller and was not successful. Group Policy settings may no
t be applied until this event is resolved. This issue may be transient and could be caused by one or more of the followi
ng:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domai
n controller).

c) The Distributed File System (DFS) client has been disabled.

How can i trouble shoot.

Group policies are not replicating from one Domain controller to another. How to troubleshoot.

Search

Long Logon Times On Any Wifi

March 25, 2016, 10:21 am
$
0
0

Hello,

I've been getting complaints of long logon times when users are trying to use their laptops via wifi. This issue happens on both the work network and their home networks. If the computer is plugged into Ethernet at the office, the logon time is roughly 5-10 seconds. If they are disconnected from the Ethernet, the logon time could range from 2-10 minutes. Majority of these machines are Windows 7 SP1 x64 Lenovo X250 or T450, most of them have been imaged in the past year.

My thoughts are the computer is attempting to communicate to a DC while connecting to Wifi. If I'm right, is there a way to turn off that check through GP or at least reduce the timeout to 5 seconds? If I'm wrong, do you have any other idea of what maybe causing the issue?

Thank you for your time!

-Jake

OneDrive for Business Administrative settings

March 27, 2016, 6:18 pm
$
0
0

Hello,

I posted this question on the Technet forum but was told to post it here, so... I hope someone can help me out here?

It seems like I cannot deploy properly OneDrive.exe. as an IT administrator.

I am using 2 virtual machines: a Windows 10 computer and a Windows Server 2012 R2 (to use GPMC on Active Directory)

My goal is to set the Administrative settings for OneDrive for Business so that all the users that are under my tenant (...@companyx.onmicrosoft.com) are bound/tied to these settings that I applied. So here are my questions.

As the IT administrator:

1. Do I have to install and set up the adminsitrative settings of the new OneDrive for Business Next Generation Sync App on ALL computers? (as in the computers that my users are using)? Or do I just set the administrative settings on my computer (win10) and would they also apply to all users under my tenant?

   -I would appreciate a detailed guide on how to properly deploy and add the configuration setting registry keys on OneDrive.exe. I tried to follow the guide on the article "Deploying the OneDrive for Business Next Generation Sync Client in an enterprise environment" but was NOT able to do it. If someone could provide me a guide with screenshots on how to do this, it would be very helpful. (please remember I am new -and not so good- to IT)

 2. I understood that some settings such as "DefaultToBusiness" and "EnableAddAccounts" are able to be set before the installation of OneDrive.exe. Is it okay if I do not run the "EnableAddAccounts"? Since we do NOT want our users to be using any other OneDrive account on their computers (other than the company's OneDrive for Business), if I do not run this setting, it will not allow them to add another O365 or OneDrive (consumer) account to that computer right??

3.How do I set the other administrative registry keys (DisablePersonalSync,EnableEnterpriseTier,GPOEnabled,DefaultRootDir, and DisableCustomRoot)?? Again, I tried to follow the guide provided on the article "Administrative settings for the OneDrive for Business Next Generation Sync Client" but was NOT successful. So a detailed guide with screenshots might help me understand and run these settings in a better way (and hopefully be succesfful).

4. Since these administrative registry keys are applied through Group policies, do I have to set them through my GPMC?? Right now I can only see the folder "Skydrive" which contains 3 templates. How can I apply all these administrative settings for OneDrive for Business on my Server (windows server 2012 R2) so that they apply to all computers under my domain?? Please, a guide with screenshots would be easier to understand and follow.

I am sorry this got really long, but I hope someone can help me out

Regards

Query- Change Local Administrator Password in windows server via GPO

March 27, 2016, 11:16 pm
$
0
0

Hi ,

I have created a GPO to change 700+ machines localadmin password to standard password.but the problem now is, when I select below option in computer configuration.

Preferences -Control Panel, and then right-click Local Users and Groups. From the menu select New - Local User.  Select Update -select Administrator .When I was about to give the password there, its showing like the password place is faded out.

Can anyone help me to correct this ? Is there any other config need to change ?

GPO didn't work

March 27, 2016, 7:15 pm
$
0
0
I define software restricition ploicy, but I can still copy *.exe into windows\temp directory, also may I know how to check variable Temp is pointing to which folder?

Application user access using AD and GP

March 28, 2016, 5:07 am
$
0
0

Hi 

I am deploying a new application to a Windows platform which can only be used by a select group of users, what is the best practise for securing application access using AD and GPO. My knowledge of AD & GPO is good but i am never had to restrict user access to a application and instead of muddling my way through this I would like to know the best practise.

Event 1096 - Registry policies

May 6, 2014, 1:01 pm
$
0
0

Hello there,

I'm getting this event every time I run gpupdate on my server:

The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LocalGPO. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

Where is the first place to look at?

I did the GPRESULT /H GPReport.html but it only shows an error with registry policies.

Thanks.

IE Site to Zone using registry issue

March 28, 2016, 7:30 am
$
0
0

I am trying to create/ use the registry to govern my trusted, intranet site list but I am running into an issue.

When using the following:

User Config\Preferences\Windows components\ registry

I go to the following path:

HKCU\software\Microsoft\windows\current version\internet settings\zone map\domains

But the GPO will not let me go past domains, below domains is my website listings. how can I go past the other keys and create these settings? The links below are what I am using as a reference.

http://www.grouppolicy.biz/2012/07/how-to-configuring-ie-site-zone-mapping-using-group-policy-without-locking-out-the-user/

https://blog.thesysadmins.co.uk/group-policy-internet-explorer-security-zones.html

Search

GPOs do not apply on Windows 10 Enterprise x64

September 10, 2015, 6:03 am
$
0
0

Hi there,

When booting a Windows 10 machine (Lenovo laptop) GPOs are not loaded. Of course I can apply them later on via gpupdate /force.

When I have a look into the system log I get always an error in there with the ID 1058. Checking the error code in the details says: Network access is denied (error code 65).

It tries to access a gpt.ini file from the policies but does not get through.

When I restart the computer, click the link in the error message I get an error that the file cannot be accessed. Nevertheless after about 30 seconds the access to the file just works.

For me it seems that there is a service pending start which is needed for the domain access. I bet it has to do with DFS as the GPO access works via DFS path(namespace).

This is quite annoying as the machine policies are not loaded neither the user policies.

Here the details from the error message:

Log Name:      System

Source:        Microsoft-Windows-GroupPolicy

Date:         10.9.2015 13.19.02

Event ID:      1058

Task Category: None

Level:        Error

Keywords:     

User:         xxxxxxx\xxxxxxx

Computer:      xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Description:

The processing of Group Policy failed. Windows attempted to read the file \\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.

b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

c) The Distributed File System (DFS) client has been disabled.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />

    <EventID>1058</EventID>

    <Version>0</Version>

    <Level>2</Level>

    <Task>0</Task>

    <Opcode>1</Opcode>

    <Keywords>0x8000000000000000</Keywords>

    <TimeCreated SystemTime="2015-09-10T10:19:02.977910800Z" />

    <EventRecordID>1318</EventRecordID>

    <Correlation ActivityID="{9C0C77C4-AFC1-4A0E-9BFE-BE698091D73C}" />

    <Execution ProcessID="932" ThreadID="3588" />

    <Channel>System</Channel>

    <Computer>xxxxxxxxxxxxxxxxxxx</Computer>

    <Security UserID="S-1-5-21-1410795398-2781916069-518169928-1178" />

  </System>

  <EventData>

    <Data Name="SupportInfo1">4</Data>

    <Data Name="SupportInfo2">912</Data>

    <Data Name="ProcessingMode">1</Data>

    <Data Name="ProcessingTimeInMilliseconds">421</Data>

    <Data Name="ErrorCode">65</Data>

    <Data Name="ErrorDescription">Network access is denied. </Data>

    <Data Name="DCName">\\xxxxxxxxxxxxxxxxxxxxxxxxxxx</Data>

    <Data Name="GPOCNName">cn={3933BE19-C3FF-4C22-9434-B64C654C8B06},cn=policies,cn=system,DC=xxx,DC=xxxxxxxx,DC=xxxxx</Data>

    <Data Name="FilePath">\\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini</Data>

  </EventData>

</Event>

exclude policy with user settings from certain computers

March 23, 2016, 12:42 pm
$
0
0

I need to set a screen lockout time for most computers in my domain. This is a User Config setting.  There is a subset of computers that should not get this setting. However any user could potentially log into any computer & I want them to get the correct setting for the computer they are logged into.

ComputerOU – all computers reside here, including those in the ExcludeGroup

ExcludeGroup – computers that should not get the screen lockout setting

My plan:

Create a GPO with the screen lockout setting

Enable Loopback Processing in Replace mode

Link the GPO to the ComputerOU

Scope the GPO to Domain Computers

Under Security Filtering, DENY the ExcludeGroup

Before I set all this up, is there an easier way to accomplish this task?

Thx

Issue Configuring Windows Firewall Using GPO: Unable to enable logging & settings remain after removing GPO

March 15, 2011, 9:43 am
$
0
0

Hello,

I am having two issues when attempting to configure firewall settings on Windows 7 clients in our domain.

First:

I am trying to turn on firewall logging for Windows 7 clients as part of a Group Policy Object.   I am using the following resource as a reference point. http://technet.microsoft.com/en-us/library/cc742433.aspx

I am having an unusual issue when attempting to log connections.  Each time I uncheck the Not Configured box for the file save location and save the GPO the box is rechecked when I re-open the GPO.

For example:

After clicking on the Customize Setting for Logging I select:

The default path for logging: %systemroot%\system32\logfiles\firewall\pfirewall.log
Uncheck the box for Not Configured
Leave the Size limit set to the Default 4096
Uncheck the box for Not Configured
Set Log Dropped Packets: Yes
Set Log Successful Connections: Yes

When I reopen the GPO all settings remain except:

The default path for logging: %systemroot%\system32\logfiles\firewall\pfirewall.log
Not Configured is now checked

I have also noticed some other unusual behavior from this GPO.  The GPO applies a few specific firewall rules to clients, such as allowing FTP communication to specific servers.  If I remove servers from the computer group receiving the GPO and\or unlink the GPO the GPO settings continue to apply to the clients.  The only way I am able to remove the applied firewall settings is to remove the computers from the domain.

Any suggestions on these issues would be appreciated.

Thank You,

Setting up a user home directory

March 28, 2016, 10:51 am
$
0
0

I would like to set up a 'Home Directory' for users to use when they log in rather than their 'My Documents' folder on their computer. I have been all over the net learning about how to and I believe that I have the jest however, our set up is at 3 separate locations with users at each. I am still not clear how this should be setup in our environment that would not incur bottlenecks and slow access over a WAN. Ideally, I would like user A files stored on server A so that when user A logs in, he is doing so locally but still within the domain. Is it possible to have each user on the same domain to log into the server at their location for their Home Directory? Thanks

Our setup: one forest

Server A. Primary domain. Windows Server Standard R2. 30 users

Server B. Backup domain. Windows Server Standard R2. 25 users

Server C. Backup domain. Windows Server Standard R2. 10 users

All 3 locations are on a static VPN with replication

Set values to Current User registry to a specific group of computers

March 15, 2016, 11:08 am
$
0
0

Hi there,

I have a problem that I cant solve...

I need to deploy a GPO that change values of some keys in the Windows Registry, that are inside of the HKCU tree. But I need to only apply it to a group of computers. So...

I have created a GPO that acomplish the changes, but when I want to set a security filter for the computer group, the GPO wont work. The GPO is inside the OU where the computers resides, and I set the loopback policy as well.

I dont want to create a new OU and move the computers inside.

Can you help me!??

Regards


How to allow non-admin users to install software updates of Java, FLASH and Adobe Reader?

January 18, 2013, 9:25 am
$
0
0

Hi all,

I have a company (+150 users) and I would like  to allow users to update Java, FLASH and Adobe Reader only.

These software are already installed in the hosts, but there are updates of the program every week and it needs to be updated.

How can I give permissions to every user in the domain to do that? Just "Java, FLASH and Adobe Reader"

Remember that I dont want distribute software because they were installed.

I tried to enable "Enable user to patch evelated products" directive but it didn't work at my domain.

is it possible?

Local security policy of AppLocker is not overridden by Domain Group Policy

March 28, 2016, 12:02 am
$
0
0

Hi,

We was using local AppLocker policy in our client machine. But now we want to allow some other applications to b installed in the Client Machine by creating the AppLocker policy and importing them in the Windows Server Group Policy so that it will be override local AppLocker Policy. When we type Gpresult command in the client computer I can see the name of policy but this is not allowing our new applications. It behaves as same old Applocker Policy.

But when I Import same policy locally then it starts working. But i want this policy will implemented only through GPO so that we can update our Applocker policy Time to time.

Thanks

Abhishek

Search

Software Restriction Policies and Installers That Use Temp folders.

March 25, 2016, 2:21 pm
$
0
0

We use SRP's with certificate rules and they work quite well.  However, a number of software publishers (I'm looking at you, Autodesk) will sign their main MSI/installer file, but then the installation process tries to run unsigned executables in Temp folders, which, of course are blocked.  This is especially annoying for program updates/patches because I either have to disable the SRP to install the updates or add hash rules for all the unsigned executables.

Has anyone found a workable/safe solution or have any advice?

--Bill

Setting program defaults with Group Policy

March 16, 2016, 8:46 am
$
0
0

Hello, this might be a bit of an odd question..

 However on one of our application servers I need to be able to set Internet Explorer as the default photo viewer for JPEG files  users. Can anybody suggest the best method of doing this? We are using Windows Server 2008 R2.

 I've tried to create a new association under User Config, Preferences, Folder Options and set the file extension JPEG to open with C:\Program Files\Internet Explorer\iexplore.exe , however, this doesn't seem to work. 

 If anybody has any suggestions they would be much appreciated. Thank you.

 

WMI Filter for Group Policy to look at the IP address

March 22, 2016, 9:27 am
$
0
0

Hi, We have a situation where I need a WMI filter to look to see if the IP address of the device falls into range in the filter. IFit does, then the group policy will not apply. If it doesn't, then the GPwill apply. This is an overall policy to catch all devices.

Another GP will apply at a sites and services level with the correct settings for that site.

The query I have written is:

Select * From Win32_IP4RouteTable Where Name Like "192.168.44.%" OR Name Like "192.168.87.%"

I know this doesn't have a NOT, but every time I add it, it doesn't work?? This is how I wrote this:

Select * From Win32_IP4RouteTable Where Name Not Like "192.168.44.%" OR Name Not Like "192.168.87.%"

I'm using the WIM Tester if this helps?

I hope this makes sense and someone can help??

Cheers

Steve

The processing of Group Policy failed.

March 25, 2016, 11:35 am
$
0
0
The processing of Group Policy failed. Windows attempted to read the file \\domain.com\SysVol\domain.com\Policies
{xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx}\gpt.ini from a domain controller and was not successful. Group Policy settings may no
t be applied until this event is resolved. This issue may be transient and could be caused by one or more of the followi
ng:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domai
n controller).

c) The Distributed File System (DFS) client has been disabled.

How can i trouble shoot.

Group policies are not replicating from one Domain controller to another. How to troubleshoot.

Invoke-IpamGpoProvisioning : Failed to import GPO. The data is invalid. (Exception from HRESULT: 0x8007000D) Event ID 2002

April 3, 2013, 2:10 am
$
0
0
HI,

at the momemt I am testing the new IPAM Feature of Server 2012. I followed this guide: http://technet.microsoft .com/de-de/library/hh831622.aspx

in the task of configuration the powershell command Invoke-IpamGpoProvisioning should be runned, but it fails with the following error:

Invoke-IpamGpoProvisioning : Failed to import GPO. The data is invalid. (Exception from HRESULT: 0x8007000D)
At line:1 char:1
+ Invoke-IpamGpoProvisioning -Domain domainname.tld -GpoPrefixName ipam -Ip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Invoke-IpamGpoProvisioning], Exception
    + FullyQualifiedErrorId : InvalidOperation,Invoke-IpamGpoProvisioning



In the event viewer is the following event logged:


- <System>
  <Provider Name="Group Policy Management" />
  <EventID Qualifiers="49152">2002</EventID>
  <Level>2</Level>
  <Task>0</Task>
  <Keywords>0x80000000000000</Keywords>
  <TimeCreated SystemTime="2013-04-03T08:50:29.000000000Z" />
  <EventRecordID>272</EventRecordID>
  <Channel>Application</Channel>
  <Computer>hostname.tld</Computer>
  <Security UserID="S-1-5-21-2155411338-4212752665-2881386377-1108" />
  </System>
- <EventData>
  <Data>The data is invalid.</Data>
  <Data>C:\Users\username\AppData\Local\Temp\ipamprov</Data>
  <Data>{09673450-4573-42E8-85D0-104144DF0BA3}</Data>
  <Data>IPAMGPO_DNS</Data>
  <Data>IPAMGPO_DNS</Data>
  <Data>{7F345996-1D92-4194-85BF-72BFB5298EDA}</Data>
  <Data>ipamtestsetup.com</Data>
  <Data>ipam_DNS</Data>
  <Data>{F53ABEDA-B34B-4486-8E8F-D8537CCACC96}</Data>
  <Data>hostname.tld</Data>
  </EventData>

    


can someone give me a hint to resolve this error.



kind regards,
Viewing all 19997 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>