Channel: Group Policy forum

Implement administrative templates for Win10, Win8.1, and IE11


Hi there, 

I want to implement administrative templates for Win10, Win8.1, and IE11 to the domain controller. After some reading, I got kind of confused. Based on what I read and my understanding (if it's correct), I need to download the administrative template for each of them, install them to my local machine, and then copy them to the central container store which is located in the domain controller. After that, it should be done (again, it's correct). Here come my questions.

1. What's the difference between Win8.1 and Win10 templates? Should I apply both of them, or only the higher one which is Win10, and it will cover Win8.1, too? Because it looks like they have the same .admx files after installing templates to my local machine.

2. From the link https://www.microsoft.com/en-us/download/details.aspx?id=40905, I need to run a command to copy everything from local machine to the domain controller. Can I just manually copy and paste everything from local to the domain controller?

3. Can three of them apply to the same central container store and not replace each other? Because they all have some folders with the same name.

Thank you.

 



"Turn off the upgrade to the latest version of Windows through Windows Update" gone after updating the WindowsUpdate.admx


At the moment we still use 2008 R2 Domain controllers.

I've updated the admx files to support Windows 10.

In the past, I enabled the "Turn off the upgrade to the latest version of Windows through Windows Update" GPO setting so my domain joined Windows 7 machines will certainly not start upgrading to Windows 10.

But now, this setting is no longer included in the new WindowsUpdate.admx file! So the setting is lost. I can see it in the GPO settings under "Extra Registry Settings", but I can't change it anymore. If I roll back to the older WindowsUpdate.admx, other new Windows 10 settings will be lost, so this is not a solution. How can I fix this?

Internet explorer setting_playing video issues.


We are updating our IE settings via GPO from IEM to the newer IE templates. During testing we have encountered the following issue.

Windows 7 OS: IMDB does not play trailers, only shows as buffering. YouTube plays videos.

Windows 8 and 8.1: IMDB does not play trailers, only shows as buffering. Same for YouTube.

Which settings do I need to enable/fix?

Disable Automatic Default Printer Management

How can I disable the automatic default management through a GPO?

Reboot time

What type of tool (PowerShell or GUI) can I use to figure out from my server how long a client computer has been up and when it has been rebooted?

Certificate Autoenrollment seems not working for existing certificates


Hi All

This is my first time on this forum, so please let me know if the topic is incorrect. And I apologize for my English as well.

I have a problem with the Certificate Autoenrollment policy that I have implemented for the company. The problem is that when users get new laptops and then join them to the domain, the existing User certificates are not re-issued. For the old laptops, if the user and computer certificates are accidentally deleted, the existing ones are not re-issued either.

However, if I try to revoke the certificates via the CA console, the new one can be issued to the client.

A bit of background for the ADCS environment. AD Certificate Services is installed on a Windows 2008 R2 Enterprise domain controller.

The user certificate is duplicated from an existing one, and I enable "Publish certificate in Active Directory" and check the "Do not automatically reenroll if a duplicate certificate exists in Active Directory" option as well.

As for GPO, I create a GPO and link it at the domain level in GPMC. The "Automatic certificate management" under User Configuration is set to Enabled, and the following options are also Enabled.
- Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates
- Update and manage certificates that use certificate templates from Active Directory

Hopefully, anyone has encountered this before and can help me with solutions.

Thank you,
Ake

Group Policy Error and DHCP with Active Directory?


Hi,

I was wondering if someone could shed some light on how come every week or two the Windows Server DHCP blocks out, then the Active Directory, then everything else besides the DNS. So recently users tell me that they can't print or they don't get DHCP because of this error. What's odd is I have installed other servers with the same ISO and never encountered this problem. The solution is a restart and everything works, but it's around every week or so this happens. Also when I connect to the RDP I get that the server certificate expired, which is odd even after the restart. I'm attaching some photos, sorry that it's in Spanish :( I also want to note that I installed it around less than a month ago and it's giving these issues.

Thank you

GPP folders - delete action


server 2012 R2 AD, windows 7 and 8.1 clients.

we have some static IE favorites that we push to all users from a central location. to do this, I have a GPO with a Folder GPP (user configuration) that deletes:

%favoritesdir%\folder1\

the options selected on the delete preference are:

Action:Delete
-delete this folder (if emptied)
-Recursively delete all subfolders (if emptied)
-Delete all files in the folder(s)
-allow deletion of read-only files/folders

what I would expect this to do is delete everything in "%favoritesdir%\folder1\" and then delete "%favoritesdir%\folder1\" itself. 

the same gpo also has a Files GPP to copy some internet shortcut files from \\server\share\folder1\*.* back into %favoritesdir%\folder1\.

if this were working how I want, the Folder GPP would delete the folders, and the File GPP would recreate the folders and put some files in them. c:\users\me\favorites\folder1 would always have a datestamp of the last gpupdate. but that's not happening.

if I manually delete c:\users\me\favorites\folder1, then do gpupdate, the new folder1 and all shortcuts all get created correctly by the files GPP. but folder1 is not getting deleted and recreated with just a regular gpupdate or logoff/logon. I turned on trace logging for files and folders, but no errors appear. If I enable informational trace logging, I just see:

2016-03-29 13:54:54.193 [pid=0x2ac,tid=0x125c] Starting class <Folder> - Folder1.
2016-03-29 13:54:54.193 [pid=0x2ac,tid=0x125c] Policy is not flagged for removal.
2016-03-29 13:54:54.193 [pid=0x2ac,tid=0x125c] Completed class <Folder> - Folder1.





Windows 10 Enterprise LTSB 2015, which ADMX?


I'm aware that there are RTM and 1511 versions of the Windows 10 ADMX.  We are about to deploy a Windows 10 Enterprise LTSB 2015 machine for a VIP, but foresee using regular Windows 10 Enterprise (1511 or newer) in the future once we upgrade from SCCM 2007 R3 to a newer version.

Which ADMX files should we install?  The RTM or 1511 version?

The Group Policy Client Side Extension Folder Redirection Issue


Hi,

Windows Server 2008 R2 is frequently generating this alert. Can anyone help on this? Or is there any hotfix for this?

"The Group Policy Client Side Extension Folder Redirection was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance"

Regards@ Sanjay

 

Windows server 2012 R2 Group policy compatibility check before domain upgrade from 2008R2


We are planning to upgrade our active directory environment from Windows Server 2008 R2 to Windows server 2012 R2 domain. I need to understand if there are any known issues with this kind of upgrade or a checklist to consider before moving for upgrade (apart from Group policies as well).

Also please let me know specifically if there are any issues with Group Policy infrastructure as well when we upgrade?


Waseem Khan MCP, MCITP, VCP, VCA, ITIL


[GPMC Warning] The security principal [S-1-5-21-145447..] referenced in extension [Folder Redirection] cannot be resolved,..


I get the above error when I check In GPO: xxx...Succeeded, but not the following issue

[GPMC Warning] The security principal [S-1-5-21-145447..] referenced in extension [Folder Redirection] cannot be resolved,..

What should I do to rectify this error?

Assistance with GPO loopback policy


Hi,

I have assigned some software to install under user configuration and the GPO is applying to a computer OU that contains only computer objects not users. I have enabled loopback processing mode and added security filtering to only apply to a security group containing the specific computer objects requiring the software. I have granted apply permissions to the security group and 'domain users'.

The software is installing to all users across the domain, however I only want it to install to users logging onto the computers in the security group. Where have I gone wrong?

Thanks in advance.

Jonny

Change to password policy not taking effect.


About three months ago, I made a change to the password policy increasing the maximum password age.  I've waited this long just to make sure I was past the original limit of days and that I had gone through at least one password change cycle for everyone.  I find that the new age is not being applied and passwords are still expiring at the original limit. 

I've checked that computers are not in an OU that is blocking inheritance.

Running GPRESULT /SCOPE COMPUTER /Z shows that the policy is being applied with the correct age. 

Any suggestions for further troubleshooting?

Screen saver with locking password not working


Well, I've read about 30 posts and did everything that I think is possible to make this screen saver work.. still not working.

This is an AD domain with Windows 2008R2 DC, Windows 7 (x86 and x64) clients.. The group policy is enabled and appears to be an applied User GPO.. From the client, I run gpresult and RSoP and it showed that the GP was applied and the only one configuring this setting.. but the client shows no screen saver..

 

The GP looks fine

The RSoP says that it is being applied

Looks like it's the only GPO for this setting

I'm stumped.. I tried different usernames, but all look the same.. This is a VM workstation but other GP's are working.. I've rebooted the workstation several times, forced GP (gpupdate /force) with no luck.


William McConnell



Merging Local Policy and Group Policy


Hi,

Today I have come across a requirement where a development team wants to grant the LOGON AS A SERVICE right to a local user on a few servers. At present this policy setting is applied by GPO, which grants permission to a list of user accounts.

The GPO is also applied to many other computers. So modifying this GPO will affect all the clients and servers where it is applied.

I want to just add a local user to the list of users who have logon as a service.

Can I add another GPO and apply it only to specific servers? Will it merge OR overwrite the other policy setting?
Or, can I add a specific user via local policy? Are there any settings to modify in the GPO or local system to achieve this?

Also let me know how to add a local user account in above policy setting in a GPO?
just user name?
e.g: for domain user -  "domain\user "
for local user - "user"

Thanks!!

Copying .ADMX files to local gpo


I am trying to implement a GPO for Win 10 devices. I created a Win 10 test machine and downloaded the Windows10_Version_1511_ADMX file and had it installed to C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Version 1511\. The dilemma I have is how do I copy these over to C:\Windows\PolicyDefinitions, when there are already .admx files there. I tried copying via PowerShell (with admin rights) with no luck, changing ownership of PolicyDefinitions, and still get access denied.

Can someone point me in the right direction?



Group policy for users to add in particular group from particular OU


Hi,

I am having a particular application user created in their specific application OU. Now I want all users to be added into one of the universal groups, and that group should have membership of local administrator on specific application servers (we have a specific OU created for servers on an application basis). For the second part I know that the group needs to be added in restricted access. But how should we automate the first part via group policy, such that if a new user is created and moved to the specific OU it automatically gets membership of the specific universal/domain local group?

Disable Adobe Reader Add-on in IE Won't Work


Hi,

I’m having an issue where I can’t disable the Adobe PDF Reader add-on in IE through GPO. What happens is the add-on says that it is disabled, but PDFs still open inside of IE.

If I don’t apply any policy, and manually disable it, it works fine (PDFs open in their own Adobe Reader application).

The policy I’ve applied is Windows Components/Internet Explorer/Security Features/Add-on Management/Add-on List. I’ve entered {CA8A9780-280D-11CF-A24D-444553540000} for the Adobe Reader add-on, and gave it a value of 0. I’ve also enabled Windows Components/Internet Explorer/Security Features/Add-on Management/All Processes, thinking that might help. I’ve done this in both the Computer and User settings.

If anyone can help me with this I’d really appreciate it. I’ve spent a lot of time on this, and I seem to be getting nowhere.

Thanks

windows server 2012 r2 ad gpo how to disable folder sharing under file explorer


Hello

We publish applications thru RDS on a windows server 2012 r2. We also publish the file explorer with limited access to files and explorer options. We use a GPO to define these options. Clients are accessing thru RDWEB.

One option we want to disable is the file sharing tab on our published File Explorer. Not that our users can do any real sharing because the security won't let them, but they still have the possibility to try sharing and during this process they are offered the search facility that lets them search and discover AD users. This is what we want to avoid.

Does anyone know how to disable the Share tab?

thanks
