Channel: Group Policy forum

POINT AND PRINT ON RDS


Hi all,

I have a 2008 R2 RDS session broker and 4 session hosts, all on 2008 R2.

How do I go about configuring point and print so that a GPO will install a printer on all 4 session host servers for any user that logs into the session host?

The users connect via a broker.

Can this be done?

Many thanks


Profile/Desktop Redirection Policy Issue


Hello. We have an issue with multiple users and their redirected desktops. What is happening is some users are not getting their redirected desktops. This happens randomly throughout the company. All the users are in the same OU and the GPO is applied to the OU that the user accounts are located in. I did a GPUPDATE /R command and it shows that the policy has been applied. If the user logs into a different PC with their same username/password then they get their redirected desktop with no issues. The temporary fix that we have been doing is deleting their local profile and having them log back on to their PC, then everything is working fine again. My questions are: 1) What might be causing this? 2) Any other suggestions for us to try to find the cause and correct it so that we do not have to keep deleting the local profiles? There are two DCs. Both are 2012 Server. Domain/Forest running in 2012 mode. Thanks in advance.

local admins settings


I followed the link: https://blogs.technet.microsoft.com/dougga/2011/09/12/managing-client-machine-local-admin-rights/ to create a GPO policy but somehow the first part, which is the list of members that should always have local admin rights, is not working. built\administrators is the only group that can be added in. But if I have the second group enabled, then besides computername is added, all the other groups I specified will be added as well.

Any advice on the first group?

Thank you very much!

Change administrator account password policy


Hello All,

I have a request to change the password policy for all administrator and other privileged accounts to at least every 60 days from 30 days.

I am not able to find the setting in Default Domain policy for Admin accounts.

Can anyone help with this?

Thanks in advance

Aamir


NA

GPO Weird Issue


Hi,

Wondered if anyone can help.

We have an OU structure split between "Desktops" & "Laptops".

We have a number of "USER" GPOs that don't apply when we put a machine inside the laptop OU. However, when we put the PC in the desktop OU the user GPOs work perfectly. (The majority of GPOs are inherited at the general computers level.)

I've run GPRESULTS when the machines are in the LAPTOP OU and only about 5 standard policies are applied. There's nothing in the event logs or the Group Policy Operational log.

Just wondered if someone could point me in right direction of what to look for.

Thanks In Advance.

Issue with GPO


Hello Team,

I have a scenario here which describes the issue and need advice on the same.

We have a GPO that enables "Offer Remote Assistance" and have applied it to different OUs based on the country. A few days back an onsite engineer reported that he has lost admin access to all the systems. But it's not the same for all the OUs; only three OUs are affected. And the users in those groups have lost admin access to all the systems in that particular OU.

I checked the groups assigned as a part of this GPO on the OUs. The AD delegation of all the groups seems to be the same.

I checked a few of the affected systems and found that this particular group does not appear in the "Administrators" local group. But the same group appears on the systems in the OUs that do not have this issue.

I am not sure how to proceed and fix this. I checked the GPO and groups in that and everything seems to be fine.

Regards,

Suman Rout

 

Searching AD shared printers in the required OU only


Hi All!

Is there a way to allow searching of Active Directory shared printers in the required OU ONLY? In addition, searching printers in other OUs must be denied.

Prefer to do this using GPO.

Thanks in advance!


Group Policy Infrastructure failed due to the error


Recently the User Configuration Group Policy settings configured for my domain have failed. I found the following error when running rsop on several different workstations: Group Policy Infrastructure failed due to the error listed below. Not Found. Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently status information for the other components is not available.

We have a single domain with eight domain controllers (OS = Windows Server 2008R2 (Domain and Forest level is Windows 2008R2)), 30 member servers (all Windows Server 2008R2), and 220 client workstations (all Windows 7 Professional SP1) in three different time zones.

Event logs have not been helpful in resolving this issue.

What should I be looking at?



Office Startup Script That Shows Installation Progress?


Is there any way to deploy Office 2016 ProPlus Volume License edition plus Visio and Project not silently so that the users see a basic UI with a progress bar so they can see the installation but cannot interact with it or cancel it?

We do not want to show the command prompt window showing details of installation commands in the login script itself.  We instead want to show the Office GUI progress box as the installation runs during startup so the users don't think their workstation is stuck while booting.  

Can Office installation startup scripts run with the installer set as /QB, not /QN?





question about remote access


Recently I found a weird thing: if I remove the GPO about the restricted administrators group, which includes domain admins, then I can no longer remote into any workstations or servers; it says access denied. I thought domain admins should be able to remote into any workstations or servers. It seems that domain admins have to be added to the local administrators group to be able to remote into workstations and servers. I tried to create a GPO with remote desktop users with domain admins in it but still no luck.

Does a remote access user have to be a member of the local administrators group? I am lost.

Please advise.

Copy and run script every day on servers using GPO



I would like to do this on server:

  1. create new folder "C:\MyScripts"
  2. copy "myscript1.vbs" to "C:\MyScripts"
  3. create a scheduled task which will run this script

My plan is to create a GPO and do this to solve the problem:

  1. configure "Folders" inside "Computer Configuration\Preferences\Windows Settings" with action "Update" (because some of servers already have this folder created), path "C:\MyScripts" and set "Apply once and do not reapply"
  2. configure "Files" inside "Computer Configuration\Preferences\Windows Settings" with action "Update" (because some of the servers already have this file), Destination File: "C:\MyScripts\myscript1.vbs" and set "Apply once and do not reapply"; for "Source file(s)" I'm not sure - it's one of my questions below
  3. configure "Scheduled Task" inside "Computer Configuration\Preferences\Control Panel Settings" with action "Update", run "C:\MyScripts\myscript1.vbs", etc.., and set "Apply once and do not reapply"

My questions are

  1. Is there a better (more elegant) way to solve my problem ? (please, don't say logon/logoff, startup/shutdown policies because servers are already running) ?
  2. What is the best practice for "Source file(s)" option in "Files" item ? Could I have my script stored with the policy on DC ? I don't want to have it somewhere on file share...



mmc has detected an error in a snap-in and will unload it - Server 2012 R2


Hello,

I'm having some issues with GPMC on my 2012R2 domain controller. Every time I try to open comp config > policies > windows settings I receive the error message "mmc has detected an error in a snap-in and will unload it" with the exception trace code stating:

Could not load file or assembly 'dnscmmc,
Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of
its dependencies. This assembly is built by a runtime newer than the currently
loaded runtime and cannot be loaded

I also receive a similar error message when I try to open and configure the firewall settings in any of my GPOs.

"mmc has detected an error in a snap-in and will unload it" and the exception trace message stating:

Could not load file or assembly 'AuthFWSnapin,
Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of
its dependencies. This assembly is built by a runtime newer than the currently
loaded runtime and cannot be loaded.

This error only occurs on my DC. There is only one DC in my entire forest because the environment is so small.  After installing Win 7 remote admin tools on a Win 7 PC and using GPMC from the workstation, no error messages are received.

I found a similar issue happening on Server 2008 R2 but that required a hotfix and something to do with .net 3.5.x. My server is up to date with all updates and patches. I ran sfc /scannow, no luck.  I reverted back from using a GPO central store and the same thing is still happening. I also searched for dnscmmc and AuthFWSnapin on the DC to see if the files were missing. I found both but they have a newer version number than what the error message is complaining about.

I tried attaching the error images to this post but could not because my account needs to be verified still.

If anyone has any more troubleshooting ideas, it would be greatly appreciated.

Thank you,

Tibor

GPUPDATE fails to apply computer settings "Access Denied"


A single Windows 7 Pro workstation on HP Compaq Pro 6305 SFF in a small business with 1 DC (Small Business Server 2008) errors on gpupdate /force with the following: The processing of Group policy failed.  Windows could not resolve the computer name. This could be caused by one or more of the following:

a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

GPresults produced:

(I edited out private info and replaced with generic placeholders in italics)

I am concerned that the Domain name and Domain type in Computer Settings are different from the ones in User Settings.

C:\Users\username>gpresult /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 4/8/2016 at 7:21:27 AM


RSOP data for Mydomain\Username on FPB2015-HP : Logging Mode
----------------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  6.1.7601
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\Username
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=FPB2015-HP,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=Mydomain,DC=
local
    Last time Group Policy was applied: 4/8/2016 at 7:15:23 AM
    Group Policy was applied from:      N/A
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        TLG10HO333E2J
    Domain Type:                       WindowsNT 4

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        NT AUTHORITY\Authenticated Users
        System Mandatory Level


USER SETTINGS
--------------
    CN=Username,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Mydomain,
DC=local
    Last time Group Policy was applied: 4/8/2016 at 7:15:23 AM
    Group Policy was applied from:      Myserver.mydomain.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        Mydomain
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Windows SBS CSE Policy
        Small Business Server Folder Redirection Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Windows SBS User Policy
            Filtering:  Denied (Security)

        File/Print Deployment All Users
            Filtering:  Denied (Security)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Windows SBS Folder Redirection Accounts
        Medium Mandatory Level

C:\Users\username>

Event Viewer logs the following after GPupdate:

System Log:

EventID 1055

Group policy Operational log:

EventID 7017

EventID 7320

EventID 7004

The following has already been tried:

From afflicted machine, browsed to each and every Policy folder within sysvol, couldn't find any security issues or access denied.

Reset Password on the Computer account in AD on the DC.

Disjoined the workstation from the domain, deleted the computer account on DC and rejoined.

This machine resides in same OU as all other workstations which are functional.

This particular machine has many applications which are critical to the business, so re-install of OS is a very last resort.

Any help is much appreciated.

Brian

Windows 2008r2 domain user with admin group membership


Hi,

I have one Windows 2008 R2 domain controller and one user who has admin membership. When I log in with that account to a Windows 7 PC (a member of the same domain) I am not able to change any settings like LAN properties, or uninstall or reinstall any programs.

Also, I want to give domain users only the rights to change LAN properties (for laptop users).

Also, I have one head office and one branch office. Which configuration can I use: an additional DC or a child DC?

90% laptop users.

Thanks in advance

PC's not restarting after updates?????????


Hey guys.... Why are my PCs not restarting after Windows Updates? The NAG appears but never does the countdown and restarts. I have checked Group Policy and the "No Auto Restart with Logged On User" is not enabled (still set to not configured). I checked Regedit: HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU\NoAutoRebootWithLoggedOnUsers is not set. We wanted this to turn on for our users, but cannot seem to get it to work. Like I said, the NAG appears and you can postpone, but if you don't touch it the PC never restarts. FYI, we are using Server 2008R2 Standard GP. Thanks


Group Policy - Windows 2008 Standard 32 Bit


Greetings,

We are running Windows 2008 Server Standard 32 bit as a Domain Controller.

We have implemented group policy to block USB & CD Drive access.

Group Policy performs the following on client machines :-

1. Rename C:\windows\inf\usbstor.inf to disabled.usbstor.inf

2. Rename C:\windows\inf\usbstor.pnf to disabled.usbstor.pnf

3. Set Start value = 4 in Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

4. Set Start value = 4 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdrom


To enable USB manually we perform following on client machines :-

1. Rename C:\windows\inf\disabled.usbstor.inf to usbstor.inf

2. Rename C:\windows\inf\disabled.usbstor.pnf to usbstor.pnf

3. Set Start = 3 in Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

4. Set Start value = 1 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdrom


Issue:-

If we perform the above steps to enable USB or CD ROM manually, both USB & CD ROM display "Access is denied" (please refer to the images attached below).


Observation:-

- We have even tested the same with Domain Admin's account still the issue exists.

- The above scenario works fine with DC (Windows Server 2003 & Windows Server 2012)

- As we remove PC from Domain to Workgroup, CD ROM & Flash Drives start to work again.

Please advise.


Thanks

Regards,

S. Soheb Akhtar





Group Policy Editor Window - Always Maximize and set left pane size


Hi,

I'm using Group Policy Management in Microsoft Management Console on my Domain Controller server, and when I edit a group policy, I spend a lot of time to do the following tasks with the Group Policy Management Editor window:

-> Maximizing the window

-> Increasing the left pane size

Is there a way to set up a default size, so that I don't spend 10s multiplied by the number of GPOs I have to edit?

I have full access to my domain controller, so I can edit the registry!

Thanks for your ideas, it will save me a lot of my daily time!

Recently the User Configuration group policy settings configured for my domain have failed.


Recently the User Configuration group policy settings configured for my domain have failed. I found the following error when running rsop on several different workstations with a test user: Group Policy Infrastructure failed due to the error listed below. Not Found. Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.

     We have a single domain with eight domain controllers (OS Windows Server 2008R2, Forest and Domain functional level Windows Server 2008R2), 30 member servers (OS Windows Server 2008R2), and 220 clients (OS Windows 7 Professional SP1) in three different time zones.

     Event logs have not been helpful. What should I be looking at?



JeffRowlandXF

I want to disable Internet access to user using GPO

I am using Win Server 2008 R2. I want to prevent the users who are in that OU from accessing the Internet. Can anyone tell me how this is possible?

GPOs do not apply on Windows 10 Enterprise x64


Hi there,

When booting a Windows 10 machine (Lenovo laptop) GPOs are not loaded. Of course I can apply them later on via gpupdate /force.

When I have a look into the system log I always get an error in there with the ID 1058. Checking the error code in the details says: Network access is denied (error code 65).

It tries to access a gpt.ini file from the policies but does not get through.

When I restart the computer, click the link in the error message I get an error that the file cannot be accessed. Nevertheless after about 30 seconds the access to the file just works.

For me it seems that there is a service pending start which is needed for the domain access. I bet it has to do with DFS as the GPO access works via DFS path(namespace).

This is quite annoying as neither the machine policies nor the user policies are loaded.

Here are the details from the error message:

Log Name:      System

Source:        Microsoft-Windows-GroupPolicy

Date:         10.9.2015 13.19.02

Event ID:      1058

Task Category: None

Level:        Error

Keywords:     

User:         xxxxxxx\xxxxxxx

Computer:      xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Description:

The processing of Group Policy failed. Windows attempted to read the file \\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.

b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

c) The Distributed File System (DFS) client has been disabled.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />

    <EventID>1058</EventID>

    <Version>0</Version>

    <Level>2</Level>

    <Task>0</Task>

    <Opcode>1</Opcode>

    <Keywords>0x8000000000000000</Keywords>

    <TimeCreated SystemTime="2015-09-10T10:19:02.977910800Z" />

    <EventRecordID>1318</EventRecordID>

    <Correlation ActivityID="{9C0C77C4-AFC1-4A0E-9BFE-BE698091D73C}" />

    <Execution ProcessID="932" ThreadID="3588" />

    <Channel>System</Channel>

    <Computer>xxxxxxxxxxxxxxxxxxx</Computer>

    <Security UserID="S-1-5-21-1410795398-2781916069-518169928-1178" />

  </System>

  <EventData>

    <Data Name="SupportInfo1">4</Data>

    <Data Name="SupportInfo2">912</Data>

    <Data Name="ProcessingMode">1</Data>

    <Data Name="ProcessingTimeInMilliseconds">421</Data>

    <Data Name="ErrorCode">65</Data>

    <Data Name="ErrorDescription">Network access is denied. </Data>

    <Data Name="DCName">\\xxxxxxxxxxxxxxxxxxxxxxxxxxx</Data>

    <Data Name="GPOCNName">cn={3933BE19-C3FF-4C22-9434-B64C654C8B06},cn=policies,cn=system,DC=xxx,DC=xxxxxxxx,DC=xxxxx</Data>

    <Data Name="FilePath">\\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini</Data>

  </EventData>

</Event>
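
One way to pull the fields that matter out of an event 1058 record like the one above, as an added PowerShell example that is not part of the original post. The function name ConvertFrom-Gp1058Xml and the host names CLIENT01 and DC01 are assumptions; the sample event is constructed from the values quoted in the post.

```powershell
# Added example, not from the original post. Host names are placeholders;
# the GPO GUID and error code are the ones quoted in the post.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>1058</EventID>
    <TimeCreated SystemTime="2015-09-10T10:19:02.977910800Z" />
    <Computer>CLIENT01.my.domain.com</Computer>
  </System>
  <EventData>
    <Data Name="ErrorCode">65</Data>
    <Data Name="ErrorDescription">Network access is denied. </Data>
    <Data Name="DCName">\\DC01.my.domain.com</Data>
    <Data Name="FilePath">\\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini</Data>
  </EventData>
</Event>
'@

function ConvertFrom-Gp1058Xml {
    param([Parameter(Mandatory)][string]$Xml)

    $doc = [xml]$Xml

    # Index the <Data Name="..."> pairs so fields can be read by name.
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText.Trim()
    }

    $path    = $data['FilePath']
    # GPO GUID is the folder name directly under ...\Policies\
    $gpoGuid = if ($path -match '\\Policies\\(\{[0-9a-f-]{36}\})\\') { $Matches[1] }
    # First UNC component: the host (or domain name) the client asked for.
    $uncHost = if ($path -match '^\\\\([^\\]+)\\') { $Matches[1] }
    $dcHost  = $data['DCName'] -replace '^\\\\', ''

    [pscustomobject]@{
        Time      = $doc.Event.System.TimeCreated.GetAttribute('SystemTime')
        Computer  = $doc.Event.System.Computer
        ErrorCode = [int]$data['ErrorCode']
        Error     = $data['ErrorDescription']
        GpoGuid   = $gpoGuid
        DC        = $dcHost
        # True when gpt.ini was requested through \\<domain>\SysVol (the
        # domain DFS namespace) rather than from the named DC directly.
        ViaDomainNamespace = ($uncHost -ne $dcHost)
    }
}

# Parse the constructed sample.
ConvertFrom-Gp1058Xml -Xml $sampleXml | Format-List

# On a live client, run the same function over real events and count the
# failures per GPO and error code:
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1058 } |
#     ForEach-Object { ConvertFrom-Gp1058Xml -Xml $_.ToXml() } |
#     Group-Object GpoGuid, ErrorCode | Select-Object Count, Name
```

Comparing the Time values against the machine's boot time shows whether the failures are confined to startup, which is the pattern the post describes.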
