Channel: Group Policy forum

Windows Server 2012 GPOs Won't Sync


We have a small domain with two domain controllers running Windows Server 2012 (NOT R2).

Recently, one of our GPOs (our main GPO) became out of sync across the two DCs.  Using GPMC, the infrastructure status report listed 1 DC with replication in progress, and the issue was a version mismatch.
The versions for that GPO were mismatched.  I'm not sure how it happened, but we tried setting both GPOs to have the same exact settings, then updating the GPT.INI file to give them the same version number.

This got rid of the error about the versions being wrong, but it then said the content was mismatched.

We copied the GPO folder from the other DC over to the DC that was listed with "replication in progress" and checked the status again.  Now it says "ACLs" under SysVol.  ("The SysVol Permissions for one or more GPOs on this domain controller are not in sync with the permissions for the GPOs on the Baseline domain controller.")

I've verified that all the permissions I can see look the same on both ends.  I've checked the NTFS security settings on C:\Windows\SysVol\sysvol and all subfolders.  I've done the same for the SYSVOL share.  I've also done the same within GPMC - select the GPO and then go to the Delegation tab, then go to Advanced, then Advanced again.  Everything looks the same to me when comparing both servers.

I believe at one point we even tried to dump the ACLs for the particular GPO from icacls on one server and restore it on the server listed with "replication in progress".  It didn't help.

We're using DFSR (not FRS).  At this point I'm not sure if anything is working because when I create a NEW GPO on one server it isn't created on the other - AD will see it but the actual files don't sync.  (C:\Windows\SYSVOL\sysvol\dom.ain\policies\ will have it on the server you create it on, but not on the other server.)

I'm trying to follow http://technet.microsoft.com/en-us/library/cc773238%28WS.10%29.aspx#BKMK_045 but we don't have SCOM, we're not on 2012 R2 so we don't have the PowerShell commandlets, and I'm not seeing a "DFS Management" tool.
dfsrdiag replicationstate reports no active inbound/outbound connections, but I'm unsure how to force a sync or test one - it asks for a replication group name and I don't know what to specify.  We don't use DFSR for anything else, it was just auto-configured during setup of Active Directory on these servers.

Any help would be appreciated.
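The checks below are an added example for the situation described in this post; they are not from the post or from Microsoft, and the DC names and GPO GUID are placeholders to replace. They answer the two concrete questions in the post (what name `dfsrdiag` wants, and how to see what GPMC is comparing) using only tools that exist on Server 2012 without R2: `dfsrdiag`, WMI and the ActiveDirectory module.

```powershell
# Added example (not from the original post): per-DC checks for a GPO that GPMC
# reports as out of sync. Assumes DC names DC1/DC2 and a placeholder GPO GUID;
# replace both. Uses only dfsrdiag, WMI and the AD module, all present on
# Server 2012 without R2. Run elevated on a DC as a Domain Admin.
param(
    [string[]]$DomainControllers = @('DC1', 'DC2'),                 # assumption
    [string]$GpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'    # assumption (Default Domain Policy)
)
Import-Module ActiveDirectory
$domain  = Get-ADDomain
$dnsRoot = $domain.DNSRoot

# 1. DFSR state of SYSVOL on each DC. The replication group DFSR creates for
#    SYSVOL is always named "Domain System Volume" and its replicated folder
#    "SYSVOL Share"; those are the /rgname and /rfname values dfsrdiag asks for.
#    State: 0 Uninitialized, 1 Initialized, 2 Initial Sync, 3 Auto Recovery,
#    4 Normal, 5 In Error.
foreach ($dc in $DomainControllers) {
    Get-WmiObject -ComputerName $dc -Namespace 'root\MicrosoftDFS' -Class DfsrReplicatedFolderInfo |
        Where-Object { $_.ReplicatedFolderName -eq 'SYSVOL Share' } |
        Select-Object @{ n = 'DC'; e = { $dc } }, ReplicationGroupName, State
}

# 2. Backlog in both directions plus a forced re-read of the DFSR config from AD.
#    A backlog that never drains, or "no connections", means SYSVOL is not replicating.
$a, $b = $DomainControllers[0], $DomainControllers[1]
& dfsrdiag.exe backlog "/rgname:Domain System Volume" "/rfname:SYSVOL Share" "/smem:$a" "/rmem:$b"
& dfsrdiag.exe backlog "/rgname:Domain System Volume" "/rfname:SYSVOL Share" "/smem:$b" "/rmem:$a"
& dfsrdiag.exe pollad "/member:$a"

# 3. AD versionNumber vs the Version= line in gpt.ini, read from each DC directly
#    (going through \\domain\SYSVOL would hide per-DC drift). GPMC flags the GPO
#    when these differ on one DC or between DCs. Upper 16 bits = user-side
#    version, lower 16 bits = computer-side version.
$gpoDn = "CN=$GpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"
foreach ($dc in $DomainControllers) {
    $adVersion  = (Get-ADObject -Identity $gpoDn -Properties versionNumber -Server $dc).versionNumber
    $iniVersion = 0
    foreach ($line in Get-Content -LiteralPath "\\$dc\SYSVOL\$dnsRoot\Policies\$GpoGuid\gpt.ini") {
        if ($line -match '^Version=(\d+)') { $iniVersion = [int]$Matches[1] }
    }
    [pscustomobject]@{
        DC = $dc; ADVersion = $adVersion; SysvolVersion = $iniVersion
        UserVersion = $iniVersion -shr 16; ComputerVersion = $iniVersion -band 0xFFFF
    }
}

# 4. Compare the security descriptor of every file and folder of the GPO across
#    DCs as SDDL. That is what GPMC's "ACLs" status compares, so a difference the
#    Security tab does not make obvious (ACE order, inheritance flags, a DACL
#    re-inherited from the destination after a folder copy) shows up here.
$aclRows = foreach ($dc in $DomainControllers) {
    $root  = "\\$dc\SYSVOL\$dnsRoot\Policies\$GpoGuid"
    $items = @(Get-Item -LiteralPath $root) + @(Get-ChildItem -LiteralPath $root -Recurse -Force)
    foreach ($i in $items) {
        [pscustomobject]@{
            DC   = $dc
            Rel  = $i.FullName.Substring($root.Length)
            Sddl = (Get-Acl -Path $i.FullName).Sddl
        }
    }
}
$aclRows | Group-Object Rel | Where-Object { @($_.Group.Sddl | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        Write-Warning "ACL differs on '$($_.Name)'"
        $_.Group | Format-Table DC, Sddl -AutoSize -Wrap
    }
```

Two practitioner notes. Copying the GPO folder from one DC to the other with Explorer or robocopy is the most likely source of the "ACLs" mismatch: the copied tree picks up inherited ACEs from the destination rather than carrying the source's descriptors byte for byte, and section 4 above will show exactly which entries differ. And once new GPOs stop appearing on the second DC, the supported repair is no longer per-file fixes but a non-authoritative DFSR synchronisation of SYSVOL on the lagging DC (Microsoft documents this as disabling and re-enabling the DC's `msDFSR-Enabled` value on its SYSVOL Subscription object, with `dfsrdiag pollad` after each step), which re-seeds that DC's SYSVOL, ACLs included, from the healthy partner.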


GPO "software install" capability missing


Hi everyone!

Once I was able to set a software deployment from GPO on a Win 2008 Server Standard SP1, and it worked... and still works... whenever a new machine is attached to the domain, the application is installed correctly.

But now I can't do it anymore (setting a new one), because the option "Software installation" is missing. Within the policies 'folder' I can see software config, win config and admin templates. Within the software config I should see 'Software installation' but it's empty. Both for machine and user.

Also under user config->preferences->win config when right-clicking applications, new->application-> there are no more submenus so I can't set it from there either.

Any ideas?

Allow Logon through Terminal Services - Domain Controller


Hi,

I have to grant RDP access and Local Logon rights to a team ONLY for OS & Hardware Maintenance purposes.

As part of this task, I tried to grant remote login access for a normal user to a domain controller, but could not.

I have added the user id in "Allow log on through terminal services" and "Allow logon locally" under following location, and verified it is applied.

  • Computer Configuration -> Windows settings ->
    Security Settings -> Local policies -> User Rights Assignment

Since it was not working, I selected one domain controller and denied all other policies to it. I.e., only one policy is applied to the selected domain controller (we have 4 DCs), to make sure no other policy is causing the problem.

Could anyone help to grant access to a normal user to log in to a Domain Controller?

Here is the event from security log

Event ID: 4825

FailureAudit:

"A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.

.................. .

This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop

Office store and Adobe Reader problem


Hi!

I have 2 questions.

How to disable the Office Store in Office 2016 on clients from Server 2012 r2 with GPO?

I want to disable the Adobe collaboration for all computers in network with GPO. How?

Waiting for your reply!

Zsolt

Assigning local permissions via GPO


Hello,

I am required to install some log forwarding software (Splunk) across our entire Windows environment.  The software requires the following permissions on the service account that it runs under:

Full control over Splunk's installation directory
Read access to any files that will be indexed
Permission to log on as a service
Permission to log on as a batch job
Replace a process level token
Permission to act as part of the operating system
Permission to bypass traverse checking

I attempted to push these permissions out using a GPO but during testing I realized that while the GPO successfully granted these permissions to the splunk service account it also removed any other permissions for any other user accounts.  For example the ONLY account with replace a process level token was the splunk service account, all other accounts were removed by the GPO.

I only want to add this account with the above permission, I don't want to alter any existing permissions and I need to push this out to the entire Windows Domain (this includes 2000, 2003, 2008, and 2008R2).  Can this be done via GPO?

Thanks.
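The script below is an added example that serves both this post and the earlier "Allow Logon through Terminal Services - Domain Controller" post; it is not from either poster. Account names and SIDs in it are placeholders. It uses `secedit` only, which exists on every OS version the Splunk post lists, and it shows the two things the posts are missing: a merge that keeps the existing holders of a right (a GPO entry under User Rights Assignment always replaces the whole list for that right on the client), and a check of the three separate conditions an RDP logon to a DC has to satisfy.

```powershell
# Added example (not from either post): read, merge and check User Rights
# Assignment with secedit alone. A GPO entry for a right always replaces the
# full list for that right on the client; to "add" an account you either put
# the existing holders in the GPO list as well, or merge on the host as below
# from a startup script. Account names and SIDs here are placeholders (assumption).
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$infPath = Join-Path $env:TEMP 'rights.inf'
$dbPath  = Join-Path $env:TEMP 'rights.sdb'

function ConvertTo-Sid([string]$Entry) {
    # secedit writes "*S-1-5-..." for resolved SIDs; anything else is a name.
    if ($Entry.StartsWith('*')) { return $Entry.Substring(1) }
    try { (New-Object System.Security.Principal.NTAccount($Entry)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value } catch { $Entry }
}

function Get-UserRights {
    # Returns a hashtable: privilege name -> string[] of raw entries, e.g.
    # SeServiceLogonRight -> @('*S-1-5-80-0', '*S-1-5-21-...-1104')
    & secedit.exe /export /cfg $infPath /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}; $inSection = $false
    foreach ($line in Get-Content -Path $infPath) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $rights
}

function Add-UserRight {
    # Append $Sid to $Privilege, keeping every existing holder. Idempotent, so it
    # is safe to run at every startup (a GPO that also sets the same right will
    # reset the list at each refresh, which is why the merge has to be repeated).
    param([string]$Privilege, [string]$Sid)
    $current = @((Get-UserRights)[$Privilege])
    if ($current -contains "*$Sid") { return $false }
    $merged = ($current + "*$Sid") -join ','
    @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
      '[Privilege Rights]', "$Privilege = $merged") | Set-Content -Path $infPath -Encoding Unicode
    # Only the privileges named in the INF are touched; every other right stays as it is.
    & secedit.exe /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet | Out-Null
    return $true
}

function Test-RemoteLogon {
    # Why a user gets event 4825 on a DC: the account needs
    # SeRemoteInteractiveLogonRight (directly or through a group), must not hold
    # the Deny counterpart (deny always wins), and must be in Remote Desktop Users
    # or Administrators, because the RDP listener checks that independently of
    # the user right. On a DC the default Allow list contains Administrators only.
    param([string]$SamAccountName)
    $rights = Get-UserRights
    $ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain')
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $SamAccountName)
    $sids = @($user.Sid.Value) + @($user.GetAuthorizationGroups() | ForEach-Object { $_.Sid.Value })
    $allow = @($rights['SeRemoteInteractiveLogonRight'])     | ForEach-Object { ConvertTo-Sid $_ }
    $deny  = @($rights['SeDenyRemoteInteractiveLogonRight']) | ForEach-Object { ConvertTo-Sid $_ }
    [pscustomobject]@{
        User                 = $SamAccountName
        HasAllowRight        = [bool]@($sids | Where-Object { $allow -contains $_ })
        HasDenyRight         = [bool]@($sids | Where-Object { $deny  -contains $_ })
        InRemoteDesktopUsers = $sids -contains 'S-1-5-32-555'
        InAdministrators     = $sids -contains 'S-1-5-32-544'
    }
}

# Usage with placeholders: grant the service account "Log on as a service" and
# "Log on as a batch job" without touching anyone else, then explain an RDP denial.
$splunkSid = 'S-1-5-21-1111111111-2222222222-3333333333-1104'     # assumption
foreach ($right in 'SeServiceLogonRight', 'SeBatchLogonRight') { Add-UserRight -Privilege $right -Sid $splunkSid }
Test-RemoteLogon -SamAccountName 'maint.user'                      # assumption
```

Two caveats before rolling either part out. "Act as part of the operating system" (`SeTcbPrivilege`) and "Replace a process level token" (`SeAssignPrimaryTokenPrivilege`) let the holder mint tokens for any identity, so an account that has them on every host is SYSTEM-equivalent on every host; that list deserves the same scrutiny as Domain Admins membership. And whatever the user right and group settings say, a non-administrator with interactive access to a domain controller is sitting on Tier 0; maintenance that needs a console on a DC is usually done through a dedicated admin account and a jump host rather than by widening the DC's logon rights.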

Removing User/Computer Rights to share a folder


Hi, 

I want to prevent a group of users in AD from being able to share files / folders that are local to their desktops.

Coming across a few forums I get the GPO - Local Computer Policy\User Configuration\Administrative Templates\Windows Components\Network Sharing - and to enable the setting.

This however doesn't seem to be working and as I tested - I still have the ability to go to folder properties and Share the folder from Advanced Sharing. A possible reason could be that I also have admin rights to the desktop.

Is there a GPO -policy setting that will disable Folder sharing for both standard users and admins alike ? 

Deny any computer that is not in Active Directory to join domain GPO.


I do not want computers to join the domain and stay in the default Computers container. I would rather have them in designated Computer OUs. I prefer to manually add their names in AD, then join them to the domain. Is there a GPO or another way to allow only registered AD computers to join the domain and deny joining to any computer whose name is not found in Active Directory?
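This is not a Group Policy setting but a directory setting, and the following is an added example (not from the post) of the standard way to get what the post asks for. The OU names and computer names in it are placeholders.

```powershell
# Added example (not from the post): make a domain join succeed only for a
# computer object that already exists, and pre-stage those objects in the
# intended OU. OU paths and computer names are placeholders (assumption).
# Requires the ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# 1. By default every authenticated user may create up to 10 computer accounts
#    (ms-DS-MachineAccountQuota = 10), which is what lets an unregistered machine
#    join and land in CN=Computers. With the quota at 0 a join only succeeds if
#    the joining account has rights on a pre-existing computer object. Setting
#    it to 0 also removes the "add my own machine account" step that several
#    AD attack chains (e.g. resource-based constrained delegation abuse) rely on.
Set-ADObject -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 2. Redirect the default container for anything that still joins without a
#    pre-staged object to an OU where at least your baseline GPOs are linked.
#    redircmp is Microsoft's tool for this; the OU is assumed to exist.
redircmp "OU=Staging,OU=Workstations,$($domain.DistinguishedName)"

# 3. Pre-stage computer objects from a list. The join then has to match the name,
#    and the object is already in the right OU before the first policy refresh.
$targetOu = "OU=Finance,OU=Workstations,$($domain.DistinguishedName)"   # assumption
$names    = @('FIN-PC-001', 'FIN-PC-002')                                 # constructed sample
foreach ($name in $names) {
    if (-not (Get-ADComputer -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue)) {
        New-ADComputer -Name $name -SamAccountName "$name`$" -Path $targetOu -Enabled $true
    }
}

# 4. Audit: anything still sitting in the default container slipped past the rules.
Get-ADComputer -SearchBase "CN=Computers,$($domain.DistinguishedName)" -Filter * |
    Select-Object Name, Created, DistinguishedName
```

With the quota at 0, a helpdesk account that is not a Domain Admin can still join a pre-staged machine, but only if it was granted rights on that object (the "User or group" box in ADUC's New Computer dialog does this; with `New-ADComputer` you set the object's ACL afterwards). Domain Admins can still join anything, so the quota change controls ordinary users, not privileged ones.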

Apply group policy to users on RD session


I am looking for help on how to setup a group policy.  I have a remote desktop server and I want to apply a group policy when the user logs on to a remote desktop session on the remote desktop host and is not an administrator.  Is there a way to do this and how?

Thanks.


Long Logon Times On Any Wifi


Hello,

I've been getting complaints of long logon times when users are trying to use their laptops via wifi. This issue happens on both the work network and their home networks. If the computer is plugged into Ethernet at the office, the logon time is roughly 5-10 seconds. If they are disconnected from the Ethernet, the logon time could range from 2-10 minutes. Majority of these machines are Windows 7 SP1 x64 Lenovo X250 or T450, most of them have been imaged in the past year.

My thoughts are that the computer is attempting to communicate with a DC while connecting to Wifi. If I'm right, is there a way to turn off that check through GP or at least reduce the timeout to 5 seconds? If I'm wrong, do you have any other idea of what may be causing the issue?

Thank you for your time!

-Jake

Desktop Icons Blue Arrows


After my pc did an update my desktop icons have been replaced with big blue arrows.

How do I get my icons back.

GPO Disable user change IP Address

I have a Windows 2008 SP2 Domain Controller, all my users have joined the domain, and I have given all of them local admin rights, so they can change the IP address. I want my users to have local admin rights but not be able to change the IP address. How can I create a GPO and apply it on the Domain Controller to solve this issue?

GPP folders - delete action


server 2012 R2 AD, windows 7 and 8.1 clients.

we have some static IE favorites that we push to all users from a central location. to do this, I have a GPO with a Folder GPP (user configuration) that deletes:

%favoritesdir%\folder1\

the options selected on the delete preference are:

Action:Delete
-delete this folder (if emptied)
-Recursively delete all subfolders (if emptied)
-Delete all files in the folder(s)
-allow deletion of read-only files/folders

what I would expect this to do is delete everything in "%favoritesdir%\folder1\" and then delete "%favoritesdir%\folder1\" itself. 

the same gpo also has a Files GPP to copy some internet shortcut files from \\server\share\folder1\*.* back into %favoritesdir%\folder1\.

if this were working how I want, the Folder GPP would delete the folders, and the File GPP would recreate the folders and put some files in them. c:\users\me\favorites\folder1 would always have a datestamp of the last gpupdate. but that's not happening.

if I manually delete c:\users\me\favorites\folder1, then do gpupdate, the new folder1 and all shortcuts all get created correctly by the files GPP. but folder1 is not getting deleted and recreated with just a regular gpupdate or logoff/logon. I turned on trace logging for files and folders, but no errors appear. If I enable informational trace logging, I just see:

2016-03-29 13:54:54.193 [pid=0x2ac,tid=0x125c] Starting class <Folder> - Folder1.
2016-03-29 13:54:54.193 [pid=0x2ac,tid=0x125c] Policy is not flagged for removal.
2016-03-29 13:54:54.193 [pid=0x2ac,tid=0x125c] Completed class <Folder> - Folder1.




Surface Pro 4 not mapping to DFS UNCs at logon over WiFi


I'm struggling getting Group Policy Preferences Drive Mapping to work over wireless (WPA2-Enterprise using Certificates) from our (fully patched) Windows 10 Surface Pro 4s.  The Active Directory user account's Home Folder drive map also does not appear.  All of these paths use DFS (Server 2008 R2).

Shortly after login, a manual Gpupdate will cause the mapped drives to appear.  Waiting 30 seconds before login also works for both the mapped drives and the home folder.

We've had the "Always wait for the network at computer startup and logon" enabled since XP days.  I tried setting the "Specify startup policy processing wait time" to 60 but this made no difference (nor did it lengthen boot).  The wireless NIC does not appear to have a "Wait For Link" type setting to enable.

Event logs show Event ID 4098 with source "Group Policy Drive Maps" saying the preference item "failed with error code '0x80070035 The network path was not found.'"

I had wondered if the underlying problem might be the new UNC Hardening feature but even adding an exception for "\\DomainNetBIOSname" did not help.

The only significant clue to what's going on is that when I changed my user account home folder to a direct UNC path to the server rather than via DFS, my home drive was able to appear correctly.  The DFS Client service (as seen in regedit) already has a Start type signifying "System".

I'm not sure where to go from here.  Does anyone have any ideas?  Thanks!

(Cross-posted as suggested from the Windows 10 Networking forum.)

GPOs do not apply on Windows 10 Enterprise x64


Hi there,

When booting a Windows 10 machine (Lenovo laptop) GPOs are not loaded. Of course I can apply them later on via gpupdate /force.

When I have a look into the system log I get always an error in there with the ID 1058. Checking the error code in the details says: Network access is denied (error code 65).

It tries to access a gpt.ini file from the policies but does not get through.

When I restart the computer, click the link in the error message I get an error that the file cannot be accessed. Nevertheless after about 30 seconds the access to the file just works.

For me it seems that there is a service pending start which is needed for the domain access. I bet it has to do with DFS as the GPO access works via DFS path(namespace).

This is quite annoying as neither the machine policies nor the user policies are loaded.

Here are the details from the error message:

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          10.9.2015 13.19.02
Event ID:      1058
Task Category: None
Level:         Error
Keywords:
User:          xxxxxxx\xxxxxxx
Computer:      xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Description:
The processing of Group Policy failed. Windows attempted to read the file \\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1058</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-10T10:19:02.977910800Z" />
    <EventRecordID>1318</EventRecordID>
    <Correlation ActivityID="{9C0C77C4-AFC1-4A0E-9BFE-BE698091D73C}" />
    <Execution ProcessID="932" ThreadID="3588" />
    <Channel>System</Channel>
    <Computer>xxxxxxxxxxxxxxxxxxx</Computer>
    <Security UserID="S-1-5-21-1410795398-2781916069-518169928-1178" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">4</Data>
    <Data Name="SupportInfo2">912</Data>
    <Data Name="ProcessingMode">1</Data>
    <Data Name="ProcessingTimeInMilliseconds">421</Data>
    <Data Name="ErrorCode">65</Data>
    <Data Name="ErrorDescription">Network access is denied. </Data>
    <Data Name="DCName">\\xxxxxxxxxxxxxxxxxxxxxxxxxxx</Data>
    <Data Name="GPOCNName">cn={3933BE19-C3FF-4C22-9434-B64C654C8B06},cn=policies,cn=system,DC=xxx,DC=xxxxxxxx,DC=xxxxx</Data>
    <Data Name="FilePath">\\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini</Data>
  </EventData>
</Event>

Best Practice for using GPO for "Logon as a Service" accounts


Having been part of 10 or more domains, I've seen this done several different ways and just wanted to get some input on what you all have landed on as a good approach.

So at one large company, they have a root domain level GPO for global settings.  One of them is Logon as a Service and they put every single service account that was known in that list.

I have a similar GPO for that setting and similar, but I have different GPOs and add them at the OU level where the OUs are broken out by site and or datacenter.  About 25 of them right now.

I always felt this approach was best but after managing this set up for the last few years, I really wonder if that setting should be in a GPO at all.  Especially for large enterprises where there are segmented groups of administrators.

The problem of course is that when you enable that policy setting, then every account needing that setting must be listed as the setting on the local security policy is grayed out.

I suppose it makes a lot of sense in large environments where you might have dozens of servers and you don't want to micromanage each system when one policy can take care of it all.

Anyway, I'd love some feedback.


Group Policy to manage audit event logs

We are going to be implementing an Advanced Audit Policy for Object Access > Audit File System & Audit Handle Manipulation. Is there a recommended GP to configure for log file control to keep log files from growing too big?
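An added example (not from the post) of the settings that answer this: the Security log's size and retention are driven by the "Event Log Service > Security" administrative templates, which are registry-backed and can be written with the GroupPolicy module. The GPO name is a placeholder, and the registry value names and types are the ones I recall from EventLog.admx, so verify them in the GPMC settings report after applying.

```powershell
# Added example (not from the post): cap the Security log through the same
# registry values the "Event Log Service > Security" ADMX settings write, turn
# on the two subcategories, and verify on a client. GPO name is a placeholder;
# value names/types are as recalled from EventLog.admx (assumption, verify in GPMC).
Import-Module GroupPolicy
$gpo = 'Audit - File System'     # assumption: an existing GPO linked to the file servers
$key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'

# "Specify the maximum log file size (KB)" -> MaxSize (DWORD, KB). 1 GB here;
# the Security log is a single file, so size this to what the host can seek through.
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'MaxSize' -Type DWord -Value 1048576

# "Control Event Log behavior when the log file reaches its maximum size":
#   Retention "0"  = overwrite as needed (machine keeps running, oldest events lost)
#   Retention "-1" + "Back up log automatically when full" (AutoBackupLogFiles=1)
#                  = archive the full log to a new file and start an empty one.
# The archive variant keeps evidence; pair it with a job that ships or prunes the
# archived .evtx files, or the disk fills instead of the log.
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'Retention'          -Type String -Value '-1'
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'AutoBackupLogFiles' -Type DWord  -Value 1

# The subcategories themselves live under Advanced Audit Policy Configuration in
# the GPO; shown here with auditpol for a single test host. "File System" only
# produces 4663 for objects that carry a SACL. "Handle Manipulation" adds
# 4656/4658 for every handle open and close on those objects and is the setting
# that makes the log explode, so enable it only while you need the extra detail.
auditpol /set /subcategory:"File System"         /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable

# Verify on a client after gpupdate: log limits, effective audit settings, and that
# advanced (subcategory) auditing overrides the legacy category settings.
wevtutil gl Security                      # maxSize, retention, autoBackup
auditpol /get /category:"Object Access"
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy
```

On volume: Object Access auditing produces nothing until the folders of interest carry a SACL, so the log growth depends on how wide the SACLs are, not on the policy alone. For anything beyond a handful of servers the practical answer to "keep it from growing too big" is a modest local cap with overwrite plus Windows Event Forwarding or a SIEM collector, so that the local log is a buffer and the retention decision is made centrally.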

Logon script won't run


Due to size limitations on asking questions I've had to make this a multi-part question

I am trying to install fonts via login script and GPO.



Reboot time

What type of tool (PowerShell or GUI) can I use from my server to figure out how long a client computer has been up and when it was rebooted?
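An added example (not from the post) of doing this from a server with PowerShell: last boot time and uptime from CIM, plus the most recent event 1074, which records who asked for the restart and why. The computer names are constructed samples; the script needs WinRM (or DCOM) reachability and local admin on the targets.

```powershell
# Added example (not from the post): last boot time, uptime and the last
# restart request (System event 1074, source User32) for a list of clients.
# Computer names are constructed samples (assumption). Needs WinRM/DCOM access
# and local admin on the targets.
$computers = @('WS-001', 'WS-002')

function Get-BootReport {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            $os   = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
            $boot = $os.LastBootUpTime
            # 1074's message template is "The process %1 has initiated the %5 of
            # computer %2 on behalf of user %7 for the following reason: %3 ...",
            # so Properties[0] is the process, [2] the reason text, [6] the user.
            $ev = Get-WinEvent -ComputerName $c -FilterHashtable @{ LogName = 'System'; Id = 1074 } `
                               -MaxEvents 1 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Computer      = $c
                LastBoot      = $boot
                UptimeDays    = [math]::Round(((Get-Date) - $boot).TotalDays, 1)
                LastRestartBy = if ($ev) { $ev.Properties[6].Value } else { $null }
                Process       = if ($ev) { $ev.Properties[0].Value } else { $null }
                Reason        = if ($ev) { $ev.Properties[2].Value } else { $null }
            }
        } catch {
            [pscustomobject]@{
                Computer = $c; LastBoot = $null; UptimeDays = $null
                LastRestartBy = $null; Process = $null
                Reason = "unreachable: $($_.Exception.Message)"
            }
        }
    }
}

Get-BootReport -ComputerName $computers | Sort-Object UptimeDays -Descending | Format-Table -AutoSize
```

One caveat for Windows 8 and later clients: with Fast Startup enabled, "Shut down" hibernates the kernel session, so `LastBootUpTime` only moves on a real restart. A machine that is "shut down" every night can still report weeks of uptime, which is also why pending updates on such machines only finish after a restart, not a shutdown.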

SP4 sleeps/hibernates when plugged in


First, I have changed all options on my power plan to hibernate instead of sleep.

I have changed my power plan to never hibernate when plugged in, but, it does that. ???

Group Policies Not Applied At Startup with SSD PC


I have a problem with some new computers containing solid state drives which will not apply group policies at startup. All other PCs apply the GPOs no problem.

Manually running gpupdate /force successfully applies the GPOs.

I have set the following policies: Always wait for the network at computer startup and logon: Enabled Startup policy processing wait time: 60 seconds.

The event viewer has the following error:

The system calls to access specified file completed.
...Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
The call failed after 1141 milliseconds.

I can access the gpt.ini file and policies folder just fine from the client.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>7017</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2016-04-02T21:37:13.149910400Z" />
    <EventRecordID>3244</EventRecordID>
    <Correlation ActivityID="{DCF633C7-4000-4643-83C6-ED71691672ED}" />
    <Execution ProcessID="896" ThreadID="340" />
    <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
    <Computer>...</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="OperationElaspedTimeInMilliSeconds">1141</Data>
    <Data Name="ErrorCode">65</Data>
    <Data Name="OperationDescription">%%4132</Data>
    <Data Name="Parameter">...\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini</Data>
  </EventData>
</Event>
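The three posts above that share error code 65 (ERROR_NETWORK_ACCESS_DENIED) on a SYSVOL path at boot or logon, this one, "GPOs do not apply on Windows 10 Enterprise x64" and "Surface Pro 4 not mapping to DFS UNCs at logon over WiFi", describe the same race: the Group Policy client runs before the path it reads is reachable, and a later `gpupdate` or a 30-second wait succeeds. The script below is an added example, not from any of the posters, that repeats what the client does, reading `gpt.ini` through the DFS namespace and directly from the DC the locator picked, and dumps the client-side settings that govern the wait. The GPO GUID is the Default Domain Policy; replace it with the one from your event.

```powershell
# Added example (not from any of the posts): reproduce the boot-time read of
# gpt.ini both through the DFS namespace (\\domain\SYSVOL, what the client uses)
# and directly against the DC the locator returned, timing each, then list the
# client settings the wait depends on. Error 65 on the DFS path but success on
# the DC path points at the DFS client / UNC hardening handshake, not at SYSVOL.
# GPO GUID is the Default Domain Policy; replace it with the one in your event.
$gpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
$dnsRoot = $env:USERDNSDOMAIN

# Which DC did the locator pick? nltest prints "DC: \\name" on one line.
$dc = $null
foreach ($line in (nltest /dsgetdc:$dnsRoot 2>$null)) {
    if ($line -match '^\s*DC:\s*\\\\(\S+)') { $dc = $Matches[1]; break }
}

$paths = [ordered]@{
    'DFS namespace' = "\\$dnsRoot\SYSVOL\$dnsRoot\Policies\$gpoGuid\gpt.ini"
    'Direct to DC'  = if ($dc) { "\\$dc\SYSVOL\$dnsRoot\Policies\$gpoGuid\gpt.ini" } else { $null }
}
foreach ($kind in $paths.Keys) {
    $p = $paths[$kind]; if (-not $p) { continue }
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try   { $null = Get-Content -LiteralPath $p -ErrorAction Stop; $result = 'OK' }
    catch { $result = $_.Exception.Message }
    [pscustomobject]@{ Path = $kind; Target = $p; Result = $result; Ms = $sw.ElapsedMilliseconds }
}

# DFS Namespace client is a file-system driver (Dfsc), so it is not in Get-Service.
Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='Dfsc'" | Select-Object Name, State, StartMode

# UNC hardening (MS15-011): \\*\SYSVOL and \\*\NETLOGON require mutual auth and
# integrity by default; exceptions added for testing show up here too.
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths' -ErrorAction SilentlyContinue

# The two wait settings mentioned in the posts, as the client actually has them:
# "Always wait for the network at computer startup and logon" -> SyncForegroundPolicy = 1
# "Specify startup policy processing wait time"               -> GpNetworkStartTimeoutPolicyValue (seconds)
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -Name SyncForegroundPolicy -ErrorAction SilentlyContinue
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
    -Name GpNetworkStartTimeoutPolicyValue -ErrorAction SilentlyContinue

# Timeline from the last boot: 5308 = DC discovery, then the 1058/7017 failures.
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 200 |
    Where-Object { $_.Id -in 5308, 1058, 7017 } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

What the two timings tell you: if the direct DC read succeeds while the DFS read fails with access denied, the SYSVOL share is fine and the DFS client has not yet been able to resolve the namespace referral under the hardened-path rules, which is exactly what "works 30 seconds later" looks like. "Always wait for the network" can only wait for a network that exists at boot, so on a wireless-only client it helps nothing unless the wireless profile authenticates the computer before logon; with WPA2-Enterprise and user certificates there is no link until the user signs in, and the drive maps and home folder are processed before the DFS referral can be answered. Computer (or "computer or user") authentication with a machine certificate is the usual fix for that case.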