Channel: Group Policy forum

Logging off Idle Clients

In a Windows Server 2008 R2 environment with 50 clients, how from Group Policy would I set up the ability to have the client computers log off if they are idle for more than a specified time?

IPSec Policy Issue


We push out an IPSec policy via GPO. The policy updates and is applied to the target machines correctly, but we get the error below when run from a command prompt. We did delete the previous policy and created a new policy, which I've found to be the wrong way of removing a policy. I've deleted the registry key on the machines that hold the policy info, but still receive this error. The error is also logged in the event viewer. When running Group Policy Modeling no errors are found and the correct policy is shown. When running Group Policy Results in Advanced view, errors are displayed and the deleted policy is displayed. The message is "The policy object does not exist."

Does anyone have suggestions on what may be causing this and how to fix? 

Error when running gpupdate /force from a command prompt. 

Updating Policy...

User Policy update has completed successfully.
Computer Policy update has completed successfully.

The following warnings were encountered during computer policy processing:

Windows failed to apply the IP Security settings. IP Security settings might have its own log file. Please click on the "More information" link.
Windows could not record  the Resultant Set of Policy (RSoP) information for the Group Policy extension <IP Security>. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.

For more detailed information, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Group Policy For Wireless Clients Not Working As Desired


Hello All,

(Windows Server 2012 R2 Domain, Windows 2008 RADIUS, Windows 7 Wireless Clients)

(Goal)

- We want to have the ability to create a domain password policy so that our wireless client computers will get prompted to change their passwords when prompted (right now our default domain policy is not set up yet to force password changes) at login, but we ran into some issues when testing password changes.

- Our wireless clients connect through a Microsoft RADIUS NPS server. We also have a NAC device that acts as a proxy so that computers can register their laptops - the NAC then hands the connection back to the RADIUS after the registration is complete. If a password is changed then there appears to be an issue authenticating unless we go hardwire, change the password and then connect back to wireless after the password gets cached. To get around the issue with wireless clients having authentication issues when the password is changed, we needed to create an OU and used the settings from this link as a guideline: https://msdn.microsoft.com/en-us/library/dd759176.aspx

- So we created the OU and enabled and linked the OU and here is a summary of what is going on:

(Testing Password Change/Rebooting Laptop)

- If we set the account in AD to prompt the user to "change the password at next login", after a reboot we do not see the "wireless OU" splashed at the login screen. When logging in, the previous password is cached and the user is not prompted to change the password.

(Logging Off and Logging On)

- However, if we log off (after logging on at reboot) we then do see the Wireless OU and we do get prompted to enter the old password and enter a new password. So it appears that when the computer is shut down or rebooted, during the reboot and the login process the wireless GPO policy is not processed, but when you log off and log on the wireless GPO policy is processed.

Sorry for the long post. Hope this is making sense to someone.

Thanks for the time,

Bob

Log On As A Service GPO


So it's a best practice to use a domain account for services, i.e. backup software, SQL, Exchange, etc.

And if you have a service account that needs to hit the majority of computers in the network then you would use a group policy.

The problem that I have is that when you use a group policy to add "Log on as a service", then you can't add one to a server that only that server needs. If I have one service account user that needs "Log on as a service" on only one computer, I can't add it locally... and if I want to use a GPO, I would have to create a separate GPO and filter it to that one computer.

This doesn't make sense to me and feels limited. Is there a policy that I can use for "Log on as a service" that can use item-level targeting, and I can add multiple, etc.?

Any thoughts on how you have managed this would be helpful.  I like using the GPO for obvious reasons, but I don't want to grant "Log on as a service" for the account that really only needs to have that right on one server.

In my example, I created a managed service account for SQL 2014. I only need that service account added to the SQL 2014 server, not all servers in the domain.

Thanks
John

Alternatively, it would be nice if it was like firewall rules: I can create a GPO for the domain-wide needs, and then add some locally as needed. If you use a GPO to manage this, then the local GPEDIT.msc option is greyed out and you can't add them locally...

PC's not restarting after updates?????????


Hey guys.... Why are my PCs not restarting after Windows Updates? The NAG appears but never does the countdown and restarts. I have checked Group Policy and the "No Auto Restart with Logged On User" is not enabled (still set to not configured). I checked Regedit and HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU\NoAutoRebootWithLoggedOnUsers is not set. We wanted this to turn on for our users, but cannot seem to get it to work. Like I said, the NAG appears and you can postpone, but if you don't touch it the PC never restarts. FYI, we are using Server 2008 R2 Standard GP. Thanks

GPUPDATE fails to apply computer settings "Access Denied"


A single Windows 7 Pro workstation on HP Compaq Pro 6305 SFF in a small business with 1 DC (Small Business Server 2008) errors on gpupdate /force with the following: The processing of Group policy failed.  Windows could not resolve the computer name. This could be caused by one or more of the following:

a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

GPresults produced:

(I edited out private info and replaced with generic placeholders in italics)

I am concerned that the Domain name and Domain type in Computer Settings are different from the ones in User Settings.

C:\Users\username>gpresult /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 4/8/2016 at 7:21:27 AM


RSOP data for Mydomain\Username on FPB2015-HP : Logging Mode
----------------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  6.1.7601
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\Username
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=FPB2015-HP,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=Mydomain,DC=local
    Last time Group Policy was applied: 4/8/2016 at 7:15:23 AM
    Group Policy was applied from:      N/A
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        TLG10HO333E2J
    Domain Type:                        WindowsNT 4

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        NT AUTHORITY\Authenticated Users
        System Mandatory Level


USER SETTINGS
--------------
    CN=Username,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Mydomain,DC=local
    Last time Group Policy was applied: 4/8/2016 at 7:15:23 AM
    Group Policy was applied from:      Myserver.mydomain.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        Mydomain
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Windows SBS CSE Policy
        Small Business Server Folder Redirection Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Windows SBS User Policy
            Filtering:  Denied (Security)

        File/Print Deployment All Users
            Filtering:  Denied (Security)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Windows SBS Folder Redirection Accounts
        Medium Mandatory Level

C:\Users\username>

Event Viewer logs the following after GPupdate:

System Log:

EventID 1055

Group policy Operational log:

EventID 7017

EventID 7320

EventID 7004

The following has already been tried:

From afflicted machine, browsed to each and every Policy folder within sysvol, couldn't find any security issues or access denied.

Reset Password on the Computer account in AD on the DC.

Disjoined the workstation from the domain, deleted the computer account on DC and rejoined.

This machine resides in same OU as all other workstations which are functional.

This particular machine has many applications which are critical to the business, so re-install of OS is a very last resort.

Any help is much appreciated.

Brian

Preferences Item-level targeting of a computer


My question is: With higher-level security filtering using a security group, you remove the Authenticated Users from the scope of the GPO (in the Security Filtering pane of the GPO), and you add the security group you want that GPO to apply to. When you want to 'item-level' target a specific preference item to a specific computer, but the overall GPO is still not in-scope of all computers in the OU to which it is linked, what are the implications for leaving in the Authenticated Users versus still only including the computer/computer group in the Security Filtering scope? (in terms of performance of having all computers have to evaluate the GPO only to 'learn' that they are not targeted in the preference item, etc.).

The specific example: I would like to use a single GPO to map 4 different drives to 4 different groups of computers. For each drive mapping, I thought I would item-level target the security group of computers that needs to map only that drive. Should I continue to include Authenticated Users in the overall scope of the GPO, or should I remove that and filter the overall GPO on those computers that I'm item-level targeting? Or is this six of one, half a dozen of the other?

So maybe the real question is, compare and contrast how a GPO is filtered at the higher Security Filtering level versus the item-targeting level. Maybe.


Tony Auby


Simulate Resultant Set of Policy on OUs

I've searched up and down the internet for a way to simulate a resultant set of policies for two OUs on a domain with PowerShell, similar to what is done with the Group Policy Modeling wizard within the Group Policy Management console, but have yet to find a clear answer on whether it's possible. Any ideas on what to try, or a definite answer, would be very helpful.

Apply different GPO based on an logged on PC


Hello dear forum gurus

I need help regarding GPO. So let's imagine I have a user Joe.Smith, who must log on to both a Thin Client (RDS Farm) and a PC. I have a GPO named (let's imagine) ThinClientGPO for Thin Client users and a GPO for PC users named PC_UsersGPO.

So how do I apply GPOs based on what he is logging on to? I mean, I'd like the ThinClientGPO to be applied when the user logs on to the Terminal Server and the other one when he logs on to a PC.

Both GPOs have User Configuration settings, so I cannot figure out how to deploy User Configuration settings based on the logged-on computer.


Vusal M. Dadashzadeh

GPO - Interactive Logon: Prompt user to change password before expiration


Dear Microsoft's Support Team,

I'm encountering a case related to a GPO that notifies users before the users' password expiration. Although I set (Prompt user to change password before expiration: 3 days) and the clients have applied the policy correctly, unfortunately when a user logs on to webmail OWA, a message box always appears notifying the user that x days remain until the expiry date (x > 3).

I have double-checked that the clients' PCs have applied the GPO (the registry also shows PasswordExpiryWarning = 3). I tried on both a domain-joined workstation and a non-domain-joined laptop, and the result is the same. I don't know whether another parameter needs to be set, or whether I did something wrong or am missing something. I would very much appreciate it if you could help me solve the problem.


My system environment is as follows:

DC: Windows 2008 R2 Standard sp1

Domain functional level: 2003

GPO Settings:

- Max Password Age: 30
- Min Password Age: 0
- Interactive Logon: Prompt user to change password before expiration: 3 days

Mail: Microsoft Exchange 2013 Enterprise

Thanks and Regards,

Thanh

Office Startup Script That Shows Installation Progress?


Is there any way to deploy Office 2016 ProPlus Volume License edition plus Visio and Project not silently so that the users see a basic UI with a progress bar so they can see the installation but cannot interact with it or cancel it?

We do not want to show the command prompt window showing details of installation commands in the login script itself.  We instead want to show the Office GUI progress box as the installation runs during startup so the users don't think their workstation is stuck while booting.  

Can Office installation startup scripts run with the installer set as /QB, not /QN?





Searching AD shared printers in the required OU only


Hi All!

Is there a way to allow searching of Active Directory shared printers in the required OU ONLY? In addition, searching printers in other OUs must be denied.

Prefer to do this using GPO.

Thanks in advance!


Group Policy Infrastructure failed due to the error


Recently the User Configuration Group Policy settings configured for my domain have failed. I found the following error when running rsop on several different workstations: "Group Policy Infrastructure failed due to the error listed below. Not Found. Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently status information for the other components is not available."

We have a single domain with eight domain controllers (OS = Windows Server 2008 R2 (domain and forest level is Windows 2008 R2)), 30 member servers (all Windows Server 2008 R2), and 220 client workstations (all Windows 7 Professional SP1) in three different time zones.

Event logs have not been helpful in resolving this issue.

What should I be looking at?



Registry update through group policy works partially


Hello,

I'm trying to enable the following registry keys on all clients using group policy, so I used the Update option and kept the information below:

HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL

REG_DWORD

1

HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version

REG_DWORD

1

The second registry value (Version) was deployed successfully on my test computer, but the first one (EnableADAL) won't deploy.

Can anyone please help shed some light on what I am missing?

How can I run an AGPM Service with a MSA account? (Windows 2008R2 domain and forest functional level)


I did a search on the Internet and it seems that I'm not the only one that has some trouble installing this service with an MSA account.

I have installed an MSA account 'AGPM1svc' in an AD with Windows 2008R2 domain and functional level. This account will be used only on one single server. I ran the necessary PowerShell commands.

As a test I ran this PS command on the server where AGPM server is installed:

Test-ADServiceAccount agpm1svc  -> Result= True

I have added "AGPM1svc" to the correct AD groups, "Backup Operators" and "Group Policy Creator Owners".

I provided the account full control on the archive folder and temp folder on the AGPM server.

But when I try to start the AGPM service I get this error in event viewer:

"Service cannot be started. Microsoft.Agpm.AgpmException: Service startup was aborted because no matching SPN was found registered for the service account: CN=AGPM1svc,CN=Managed Service Accounts,DC=ki,DC=com

   at Microsoft.Agpm.Spn.Verify()

   at Microsoft.Agpm.AgpmServerHost.Start()

   at Microsoft.Agpm.AgpmService.OnStart(String[] args)

   at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)"

Is it possible to use MSA accounts on an AGPM service?

Can someone help me with this?

Thanks



User Gpo not working


Hello everyone! I have a question about a GPO...


I created folder redirection (Documents) on domain users. It is on server A (Headquarters A) and everything works fine; I apply it on the OU "HQA" and no problems (Documents points to \\serverHQA\Documents\%username%).


The problem is when a user has to temporarily move to another headquarters. The user object doesn't move in Active Directory.

This person goes physically to headquarters B and logs in on a computer at this place (computer object in OU "HQB" and user object in "HQA").

By the GPO, the documents of this user should be on "HQA" (\\serverHQA\Documents\%username%) because I haven't moved the user object in AD (folder redirection is a user policy), but something went wrong because the user points to \\serverHQB\Documents\%username%, as if the user had changed OU in Active Directory. (On OU HQB there is another folder redirection to \\serverHQB\....)

What can I do? What's the problem?

Thanks for your help!!

Stopping Windows 10 apps from running (xbox, candy crush) on a domain


Hi all,

I hope someone can help me. I am an IT technician working in a school. We had some machines that were on the domain updated to Windows 10.

We have a server, Windows Server 2008 R2 (DC), running, but I am having trouble stopping programs like Candy Crush, Xbox and such services from being used. Kids are over the moon, but from an IT and educational point of view this isn't great. So the question is: can I stop these apps from being downloaded and used, and if not, does anybody have a script that I could use in a group policy to disable this feature?

Many Thanks in advance.

GPO logging


I am trying to figure out what is happening when our GPOs run. I want to see which one takes the longest. I found this link: https://support.microsoft.com/en-us/kb/944043 and near the bottom they have a section called "How to enable logging in the Gpsvc.log file". I have followed this to the letter and I never get a gpsvc.log created. This is all being done on a Windows 7 32-bit machine.

How come this file does not get created?  And is there another way to find out which GPO takes the longest to execute?  


mqh7
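An added example, not from the post or the KB article it links: the script below turns on the Gpsvc.log trace on a client and then reports the slowest Group Policy client-side extensions from the Group Policy operational log. It assumes an elevated PowerShell session on the Windows 7 client being examined, and that the log name, registry value and event text are as Windows ships them.

```powershell
# Added example: enable Gpsvc.log tracing and time each Group Policy client-side extension (CSE).
# Assumption: run elevated on the client (Windows 7 or later); written for PowerShell 2.0 compatibility.

$diagKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$logDir  = Join-Path $env:windir 'debug\usermode'

# 1. gpsvc only writes %windir%\debug\usermode\gpsvc.log if that folder already exists;
#    a missing folder is a common reason the log never appears after following the KB.
if (-not (Test-Path $logDir)) {
    New-Item -Path $logDir -ItemType Directory | Out-Null
}

# 2. GPSvcDebugLevel = 0x30002 (DWORD) switches on verbose Group Policy service tracing.
if (-not (Test-Path $diagKey)) {
    New-Item -Path $diagKey -Force | Out-Null
}
New-ItemProperty -Path $diagKey -Name 'GPSvcDebugLevel' -PropertyType DWord `
                 -Value 0x30002 -Force | Out-Null

# 3. Trigger a refresh so both the trace file and the operational log have fresh data.
gpupdate /force | Out-Null

# 4. The operational log records one event 5016 per CSE:
#    "Completed <CSE> Extension Processing in <n> milliseconds". Rank the slowest ones.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-GroupPolicy/Operational'
    Id      = 5016
} -MaxEvents 200 -ErrorAction SilentlyContinue

$timings = foreach ($e in $events) {
    if ($e.Message -match 'Completed (?<cse>.+?) Extension Processing in (?<ms>\d+) millisecond') {
        New-Object PSObject -Property @{
            Time         = $e.TimeCreated
            Extension    = $Matches['cse']
            Milliseconds = [int]$Matches['ms']
        }
    }
}

$timings | Sort-Object Milliseconds -Descending |
    Select-Object -First 10 Time, Extension, Milliseconds |
    Format-Table -AutoSize

Write-Host ("Verbose trace written to " + (Join-Path $logDir 'gpsvc.log'))
```

The event-based timing is per extension (registry, scripts, folder redirection, and so on), not per GPO; to see where time goes inside one extension, read the timestamps in gpsvc.log, and remove GPSvcDebugLevel again afterwards because the trace file grows on every refresh.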

ADMX Templates not found in GPMC


I have a Windows 2008 R2 domain that was upgraded from Windows 2003. I added the ADMX files to the PolicyDefinitions folder, but I don't see them available when editing GPOs.

Am I missing something? I have this problem on my DC and on my local Win7 workstation.
