I'm deploying printers to Remote Desktop Services sessions using Group Policy Preferences. When a user logs in for the first time all printers are created correctly. Every subsequent login I get the follow event log error for each printer in the GPP.

Log Name:      Application
Source:        Group Policy Printers
Event ID:      4098
Task Category: (2)
Level:         Warning
Keywords:      Classic
User:          SYSTEM
Description:
The user 'Printer-A' preference item in the 'RDS Printers {4B82A841-77B3-457A-87CE-87A73C04F63C}' Group Policy object did not apply because it failed with error code '0x80070bc4 No printers were found.' This error was suppressed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Group Policy Printers" />
    <EventID Qualifiers="34305">4098</EventID>
    <Level>3</Level>
    <Task>2</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-02-14T02:31:14.000000000Z" />
    <EventRecordID>3395</EventRecordID>
    <Channel>Application</Channel>
    <Computer>RDS01.domain.com</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>user</Data>
    <Data>Printer-A</Data>
    <Data>RDS Printers {4B82A841-77B3-457A-87CE-87A73C04F63C}</Data>
    <Data>0x80070bc4 No printers were found.</Data>
  </EventData>
</Event>

Printers still appear to work but I get TONS of these errors.

DCs are Windows Server 2008 R2 SP1. RDS server is Windows Server 2008 R2 SP1.

I have found lots of other posts of people having the same issue but never a solid resolution. Below are the various things I have tried.

• Install KB2748246. Updates win32spl.dll (11/8/2012, v6.1.7601.17994) to (11/8/2012, v6.1.7601.22156). Still get the error.
• Domain Admins get the error as well.
• Restarting the spooler, log off, log on, same error.
• Typing the printer name instead of browsing. Same error. http://www.eversity.nl/blog/2011/02/gpp-event-id-4098-warning-0x80070bc4-no-printers-were-found
• Disabling Point & Print Restriction. Same error - http://support.microsoft.com/kb/2618460
• Doesn't matter if the “Action” on the printer is set to Create or Update.
• Doesn’t matter is there is any ILP or not.
• Doesn’t matter if group in ILP is typed or browsed.
• Doesn’t matter is its HP, Canon, or Sharp device.
• Doesn’t matter if Print Processor is WinPrint/RAW or 3rd party.
• Doesn’t matter if using FQDN or hostname to the print server.
• “comp\admin\system\logon\Always wait for the network at computer startup and logon” in base policy. Same error.
• If I add a new printer it appears to not give the error on any printers that follow it. Must have something to do with the fact that it is installing the new printer so subsequent printers are “refreshed” without issue.
• Enabling CSE for Printers logging shows similar error.
  Initial Logon (Gets errors)
  2013-02-14 14:46:13.422 [pid=0x3e8,tid=0x14a4] {9A5E9697-9095-436d-A0EE-4D128FDFBCE5}
  2013-02-14 14:46:13.422 [pid=0x3e8,tid=0x14a4] Starting class <SharedPrinter> - Printer-A.
  2013-02-14 14:46:13.422 [pid=0x3e8,tid=0x14a4] Starting filter [AND FilterTerminal].
  2013-02-14 14:46:13.422 [pid=0x3e8,tid=0x14a4] Adding child elements to RSOP.
  2013-02-14 14:46:13.423 [pid=0x3e8,tid=0x14a4] Session: 3
  2013-02-14 14:46:13.423 [pid=0x3e8,tid=0x14a4] Protocol: 2
  2013-02-14 14:46:13.423 [pid=0x3e8,tid=0x14a4] Client Name: COMP1
  2013-02-14 14:46:13.424 [pid=0x3e8,tid=0x14a4] Passed filter [FilterTerminal].
  2013-02-14 14:46:13.424 [pid=0x3e8,tid=0x14a4] Starting filter [OR FilterTerminal].
  2013-02-14 14:46:13.424 [pid=0x3e8,tid=0x14a4] Adding child elements to RSOP.
  2013-02-14 14:46:13.424 [pid=0x3e8,tid=0x14a4] Session: 3
  2013-02-14 14:46:13.424 [pid=0x3e8,tid=0x14a4] Protocol: 2
  2013-02-14 14:46:13.425 [pid=0x3e8,tid=0x14a4] Client Name: COMP1
  2013-02-14 14:46:13.425 [pid=0x3e8,tid=0x14a4] Failed filter [FilterTerminal].
  2013-02-14 14:46:13.425 [pid=0x3e8,tid=0x14a4] Filters passed.
  2013-02-14 14:46:13.425 [pid=0x3e8,tid=0x14a4] Set user security context.
  2013-02-14 14:46:13.425 [pid=0x3e8,tid=0x14a4] Adding child elements to RSOP.
  2013-02-14 14:46:13.920 [pid=0x3e8,tid=0x14a4] Properties handled. [ hr = 0x80070bc4 "No printers were found." ]
  2013-02-14 14:46:13.921 [pid=0x3e8,tid=0x14a4] Set system security context.
  2013-02-14 14:46:13.929 [pid=0x3e8,tid=0x14a4] EVENT : The user 'Printer-A' preference item in the 'RDS Printers {4B82A841-77B3-457A-87CE-87A73C04F63C}' Group Policy object did not apply because it failed with error code '0x80070bc4 No printers were found.'%100790273
  2013-02-14 14:46:13.929 [pid=0x3e8,tid=0x14a4] Error suppressed. [ hr = 0x80070bc4 "No printers were found." ]
  2013-02-14 14:46:13.930 [pid=0x3e8,tid=0x14a4] Completed class <SharedPrinter> - Printer-A.

• Gpupdate after 2 minutes (No errors)
  2013-02-14 14:47:39.015 [pid=0x3e8,tid=0x1730] {9A5E9697-9095-436d-A0EE-4D128FDFBCE5}
  2013-02-14 14:47:39.015 [pid=0x3e8,tid=0x1730] Starting class <SharedPrinter> - Printer-A.
  2013-02-14 14:47:39.015 [pid=0x3e8,tid=0x1730] Starting filter [AND FilterTerminal].
  2013-02-14 14:47:39.015 [pid=0x3e8,tid=0x1730] Adding child elements to RSOP.
  2013-02-14 14:47:39.015 [pid=0x3e8,tid=0x1730] Session: 3
  2013-02-14 14:47:39.016 [pid=0x3e8,tid=0x1730] Protocol: 2
  2013-02-14 14:47:39.017 [pid=0x3e8,tid=0x1730] Client Name: COMP1
  2013-02-14 14:47:39.017 [pid=0x3e8,tid=0x1730] Passed filter [FilterTerminal].
  2013-02-14 14:47:39.017 [pid=0x3e8,tid=0x1730] Starting filter [OR FilterTerminal].
  2013-02-14 14:47:39.017 [pid=0x3e8,tid=0x1730] Adding child elements to RSOP.
  2013-02-14 14:47:39.017 [pid=0x3e8,tid=0x1730] Session: 3
  2013-02-14 14:47:39.018 [pid=0x3e8,tid=0x1730] Protocol: 2
  2013-02-14 14:47:39.018 [pid=0x3e8,tid=0x1730] Client Name: COMP1
  2013-02-14 14:47:39.018 [pid=0x3e8,tid=0x1730] Failed filter [FilterTerminal].
  2013-02-14 14:47:39.018 [pid=0x3e8,tid=0x1730] Filters passed.
  2013-02-14 14:47:39.019 [pid=0x3e8,tid=0x1730] Set user security context.
  2013-02-14 14:47:39.019 [pid=0x3e8,tid=0x1730] Adding child elements to RSOP.
  2013-02-14 14:47:39.029 [pid=0x3e8,tid=0x1730] Properties handled.
  2013-02-14 14:47:39.029 [pid=0x3e8,tid=0x1730] RunOnce value created [SUCCEEDED(S_FALSE)]
  2013-02-14 14:47:39.029 [pid=0x3e8,tid=0x1730] Handle Children.
  2013-02-14 14:47:39.029 [pid=0x3e8,tid=0x1730] Set system security context.
  2013-02-14 14:47:39.037 [pid=0x3e8,tid=0x1730] EVENT : The user 'Printer-A' preference item in the 'RDS Printers {4B82A841-77B3-457A-87CE-87A73C04F63C}' Group Policy object applied successfully.
  2013-02-14 14:47:39.037 [pid=0x3e8,tid=0x1730] Completed class <SharedPrinter> - Printer-A.

Any thoughts?

Patrick Hoban
http://patrickhoban.wordpress.com

Hi all,

We are planning to disable Windows Scripting Host through GPO for preventing virus,

 We want information about there is any big impact for the user if disabling Windows Scripting Host,

Thanks, Mariappan Shanmugavel

In my Default Domain Controllers Policy, I have Audit Directory Service Access enabled and set to Success.  When I check my domain controllers, in Local Security Policy, it is set to Not Audit and the options are grayed out (I'm assuming because my GPO should overwrite it).  When I check rsop.msc, I can see that it is set to success.

I'm trying to setup Netwrix Auditing, and it is detecting that it is not enabled.

Hi,

can anyone has the steps to set standard Admin Password via GPO ?

Actually I have created a GPO to set standard admin password on 3000+ servers and the policy is linked to the servers OU where the 3000 server are moved.After a day when I checked few of the machines password changed to standard and few of them not changed to standard password. One thing I noticed in those few server is UAC is enabled and I have disabled UAC setting in control panel of the servers manually for testing and restarted to check the local admin password and found the password is not changed to standard password.

One more thing which I wanted to share is, when I was about to set password in GPO the first time I was unable to give the password ,as the option to give password was disabled .But when I uninstalled the patch KB2928120from the DC where I have created the GPO, I was able to give the password .

The steps which I have set in GPO is below. IS there any other steps which need to be included in GPO for successful implementation of this policy ? 

Computer Configuration- Preferences,-Control Panel, and then right-click Local Users and Groups. From the menu select New - Local User.  Select Update as the action, type Administrator into the User name text box, then type the new password into the Password text box, confirming the password in Confirm Password text box. Press OK.

Having been part of 10 or more domains, I've seen this done several different ways and just wanted to get some input on what you all have landed on as a good approach.

So at one large company, they have a root domain level GPO for global settings.  One of them is Logon as a Service and they put every single service account in that list that were known.

I have a similar GPO for that setting and similar, but I have different GPOs and add them at the OU level where the OUs are broken out by site and or datacenter.  About 25 of them right now.

I always felt this approach was best but after managing this set up for the last few years, I really wonder if that setting should be in a GPO at all.  Especially for large enterprises where there are segmented groups of administrators.

The problem of course is that when you enable that policy setting, then every account needing that setting must be listed as the setting on the local security policy is grayed out.

I suppose it makes a lot of sense in large environments where you might have dozens of servers and you don't want to micromanage each system when one policy can take care of it all.

Anyway, I'd love some feedback.

dear

last year, we found some windows 7 PC need to restart many times can be login every morning.

sometimes, the windows OS system halted at Welcome window and you need to restart the Windows.

sometimes, the windows OS system halted at search network  window and you need to restart the windows.

last year ,our AD Domain server is Windows Server 2003.

now, our domain server OS is windows server 2012 R2.

but the problem remains.

the event of Windows 7 client as below:

路可以歪着走，但是方向一定要是对的~！

Hi,

my server is windows 2003 with AD.

I added "Domain Users" to this group policy:  [Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time]

However, ordinary domain users still cannot change the system time.

Help pls.

marc

Hi,

I have assigned some software to install under user configuration and the GPO is applying to a computer OU that contains only computer objects not users. I have enabled loopback processing mode and added security filtering to only apply to a security group containing the specific computer objects requiring the software. I have granted apply permissions to the security group and 'domain users'.

The software is installing to all users across the domain, however I only want it to install to users logging onto the computers in the security group. Where have I gone wrong?

Thanks in advance.

Jonny

Hi Guys,

For many versions of office and windows we have allowed our users access to the Mail icon in the Control Panel on our RDS servers. However since upgrading to Windows Server 2012 R2/Office 2016 Pro Plus the previous group policy setting is not working.

In the list of "Show only specified Control Panel items" we have tried entering the below with no success (the icon is missing for our users):

- mail

- mlcfg32.cpl

Has this changed in Office 2016 or Windows Server 2012 R2?

~ Shaun

Hello All

I am having a problem with GPO settings I have removed causing errors with gpupdates.

I was having some issues with the 6to4 IP address showing up in the DNS and causing some connection issues, so I originally disabled the 6to4 adapter via GPO (Computer \ Policies \ Administrative Templates \ Network \ TCPIP Settings \ IPv6 Transition Technologies \ 6to4 State - configured and set to disabled). 

Later we decided it would be better to simply disable the IP Helper service - so we did this system-wide, then set this policy setting back to "Not configured."

However, now whenever my clients do a GPUpdate, they all end up with an error for the TCPIP settings.  The error message in the RSOP shows that it cannot apply TCPIP settings because the service (the IP Helper service) is not running.

Why is it still trying to apply TCPIP settings if I set them all back to Not Configured? How do I clear out this error without having to re-enable the IP Helper service everywhere?

Thanks in advance!

Have created successfully via GPO here an SRP rule.

The enforcement is set to "All users except local administrators".

Now have the problem that the standard user correctly blocked the start of the program, but is also the Administrator via UAC.

How can i install as a Administrator via UAC an active SRP rule a program?

Thanks for any help here
Stefan

I have an odd case where someone set a Group Policy PREFERENCE to DELETE a registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\... The registry value that it deleted wasn't originally applied by a policy,but was applied once by an application.

The problem is now if if I remove this policy the registry value comes back. There are reasons behind this that aren't relevant, but I need to remove this policy and I WANT the registry to stay tattooed. Where are these values getting backed up to that after the policy is no longer applied the values are restore? I am 100% sure group policy is the one putting the value back and not an application. If there is a cache that stores this I could clear it before removing the policy, but I cannot find anything on this.

Hello

I'm looking for a way to Kill RDP connection with idle & disconnected state. the server's owners usually connect to the servers from their PCs to the servers using the Remote Desktop Connection and they forget to disconnect properly. some left disconnected connections cause an issue later for those user where their AD accounts get locked out due to reset their password.

now I want to apply a group policy on all servers in the domain to do:

• kill disconnected connection after 1 hour.
• kill idle connection after 4 hours.

our domain is windows 2008 R2 (native) and the we have a mix of OS running on the member servers. we have a few windows server 2003 R2 and the majority is windows server 2008 and windows server 2008 R2.

any idea is highly appreciated....

Systems Specialist

I am confused a little bit here and I am hoping someone can help clear this up --

I a GPO configured with approx 15 scheduled tasks as GPP items. All of these scheduled tasks are configured with an action of Replace.  This is because, initially, I had the "Remove this item when it no longer applies" option ticked, forced my action to be Replace. 

What I noticed about this was, (or it seemed this way) was because these GPPs were scoped to a user, if you rebooted the machine and re-logged in as this user - the tasks would get re-created.  As a result, in the windows xp task window, it looked as if they had never run before.  This makes sense, because, assuming you reboot daily, every day you would start fresh.

This created a sort of confusion for our help desk, so I unchecked the "remove this item when it no longer applies" checkbox and checked the "Apply once and do not reapply". 

Now, this morning, I found a mistake with one of the tasks - I had the start in path set incorrectly.  I would like to modify this information in the task - so I modified this individual GPP, went to the client machine, ran a gpupdate /force, rebooted the machine and logged in expecting to see the change and I did not. 

Is this because of the "apply once and do not reapply"?  Also - if GPPs refresh themselves every 90 minutes and I don't have this apply once checkbox checked, will this revert me back to looking like the task has never run after every refresh??

Thanks in advance

sb

I am looking for help on how to setup a group policy.  I have a remote desktop server and I want to apply a group policy when the user logs on to a remote desktop session on the remote desktop host and is not an administrator.  Is there a way to do this and how?

Thanks.

Hi all,

I'm new to this forum (and powershell in general) and created this account just to see if I can get an answer to this question. I'm running Windows 7 Professional and need a script to uninstall all nonpresent USB mass storage devices from device manager (and possibly some other devices). I tried using the Devcon.exe utility, but found that it can't uninstall nonpresent devices (only present ones). Essentially, I'm trying to find a way to emulate device manager's uninstall utility for nonpresent devices. Is there any way to uninstall these devices with a script? I'm hoping to deploy this to a larger environment eventually.

I've looked at this page http://blogs.technet.com/b/wincat/archive/2012/09/06/device-management-powershell-cmdlets-sample-an-introduction.aspx and many others like it, but none seem to be able to actually uninstall a nonpresent device. (pnputil.exe doesn't seem to update the registry properly, which leads to the devices reappearing in device manager)

Any help at all would be appreciated, and I apologize if I've missed something obvious in my search for an answer to this question.

Thanks!

Sam S.

Is it possible to configure an account from one domain in a different domain to log on as a service?

Domain A has a one way trust to Domain B. Domain B has no trust to Domain A. 

Account from Domain A has permissions to access specific location but account in Domain B does not. 

Added account from Domain A into the Log on as service right local security policy. 

When I attempt to configure service to log on as account using the account from Domain A I get a denied access.