Channel: Group Policy forum

Log On As A Service GPO

So it's a best practice to use a domain account for services ... i.e. backup software, SQL, Exchange, etc.

And if you have a service account that needs to hit the majority of computers in the network then you would use a group policy.

Problem that I have... is that when you use a group policy to add "Log on as a service" - then you can't add one to a server that only that server needs.  If I have one service account user that needs Log on as a Service on only one computer - I can't add it locally... and if I want to use a GPO - I would have to create a separate GPO and filter it to that one computer.

This doesn't make sense to me and feels limited.  Is there a policy that I can use for "Log on as a service" that can use item level targeting, and I can add multiple etc...

Any thoughts on how you have managed this would be helpful.  I like using the GPO for obvious reasons, but I don't want to grant "Log on as a service" for the account that really only needs to have that right on one server.

In my example - I created a managed service account for SQL 2014.  I only need that service account added to the SQL 2014 Server - not all servers in the domain.

Thanks
John

Alternatively - it would be nice if it was like Firewall rules. I can create a GPO for the domain-wide needs, and then add some locally as needed.  If you use a GPO to manage this, then the local GPEDIT.msc option is greyed out and you can't add them locally...


Multiple WMI Filters

Hi
I'm trying to create two WMI queries for one WMI filter to apply to a GPO.
As the GUI lets you do this I would assume it's a valid operation.
I have to create 2 queries as the namespace is different for each query.

Query 1. Is OS Windows 10
   Root namespace = root\cimV2
select Version, ProductType from Win32_OperatingSystem where Version like "10.%" and ProductType = "1"

Query 2. Does the computer belong to this OU? "ou=Staff,dc=company,dc=co,dc=uk"
   Root namespace = root\RSOP\Computer
Select * From RSOP_Session Where SOM like '%ou=Staff,dc=company,DC=co,dc=uk'

I have both of these working on their own but when I add the two of them to the WMI editor (which allows you to do this) they don't work.

So ...
Q1. Is this allowed (I assume it is) Maybe it's not working because the namespace differs
Q2. Does the GPO engine AND these two queries? I'd prefer to OR them if somehow possible.

Any help most appreciated ....


Active Directory logon tracking

I have a batch file that runs when a user logs on that prints to a text file: 

echo IN user: %username% computer: %computername% date: %date% time: %time% >> \\XXXX\deploy\Logs.txt

I have the same script set as a logoff script that does the same thing just labeled OUT, since there isn't a way to run a program upon logout:

echo OUT user: %username% computer: %computername% date: %date% time: %time% >> \\XXXX\deploy\Logs.txt

The batch file prints fine, the logoff script prints as well but prints the entire cmd line:

C:\Windows>echo OUT user: XXXX computer: XXXX date: Tue xx/xx/xxxx time: xx:xx:xx.xx  1>>\\XXXX\deploy\Logs.txt

It still shows me who logged in when and where though.

Is there any way I can get it to stop doing that? The first time the logoff script actually ran it printed correctly, but every time after that it started printing the entire cmd line.

Searching AD shared printers in the required OU only

Hi All!

Is there a way to allow searching of Active Directory shared printers in the required OU ONLY? In addition, searching printers in other OUs must be denied.

Prefer to do this using GPO.

Thanks in advance!


Applying group policy shortcuts policy - slow login.

Hi there,

I am doing some fine tuning on a Windows 2008/Citrix server farm and am trying to improve the login times.
There is an approximately 10-12 second hang on 'applying group policy shortcuts policy'. If I can eliminate or decrease this it will make a significant difference to the users.
The only shortcuts that are being implemented (updated) via GPO are approximately 20 favorites.
The problem is similar to this old thread: http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/30e0e3a8-3aa1-4394-8d90-aba841d7dfbb

Below is an extract of the userenv log. I believe at the point the login hangs.
Any suggestions would be appreciated.

GPSVC(4b8.1778) 13:42:54:874 GPLockPolicySection: Sid = S-1-5-21-8915387-1468793353-720635935-18633, dwTimeout = 30000, dwFlags = 0
GPSVC(4b8.1778) 13:42:54:874 LockPolicySection called for user <S-1-5-21-8915387-1468793353-720635935-18633>
GPSVC(4b8.1778) 13:42:54:890 Sync Lock Called
GPSVC(4b8.1778) 13:42:54:890 Writer Lock got immediately.
GPSVC(4b8.1778) 13:42:54:890 Lock taken successfully
GPSVC(4b8.1778) 13:42:54:890 ProcessGPOList: Entering for extension Group Policy Shortcuts
GPSVC(4b8.1778) 13:42:54:890 UserPolicyCallback: Setting status UI to Applying Group Policy Shortcuts policy...
GPSVC(4b8.1778) 13:42:54:905 ProcessGPOList: No changes. CSE will not be passed in the IwbemServices intf ptr
GPSVC(4b8.1778) 13:43:11:410 ProcessGroupPolicyCompletedExInternal: Entering. Extension = {C418DD9D-0D14-4EFB-8FBF-CFE535C8FAC7}, dwStatus = 0x0
GPSVC(4b8.1778) 13:43:11:426 GetWbemServices: CoCreateInstance succeeded
GPSVC(4b8.1778) 13:43:11:426 ConnectToNameSpace: ConnectServer returned 0x0
GPSVC(4b8.1778) 13:43:11:442 ProcessGroupPolicyCompletedExInternal: Extension {C418DD9D-0D14-4EFB-8FBF-CFE535C8FAC7} was able to log data. Error = 0x0, dwRet = 0. Clearing the dirty bit
GPSVC(4b8.1778) 13:43:11:442 CExtSessionLogger::Log: Didn't find an instance of the extension object when trying to set the dirty flag.
GPSVC(4b8.1778) 13:43:11:442 ProcessGroupPolicyCompletedExInternal: Finished processing extension <Group Policy Shortcuts> at 12935259 ticks (ms)
GPSVC(4b8.1778) 13:43:11:457 ProcessGroupPolicyCompletedExInternal: Leaving. Extension = {C418DD9D-0D14-4EFB-8FBF-CFE535C8FAC7}, Return status dwRet = 0x0
GPSVC(4b8.1778) 13:43:11:457 ProcessGPOList: Extension Group Policy Shortcuts returned 0x0.

Thanks

Matt F

Change default browser to IE in WIN 10

Hi all!

I want to change the default browser in WIN10, from Edge to IE, with Group Policy. I tried to import default associations with DISM, but it didn't work. I have a Windows Server 2008 R2 Active Directory server, with Windows 10 Group Policy templates.

Anybody have a solution for this problem?

Thanks for the answer!

Set/change WMI Filter and Security filter outside Advanced Group Policy Management for non Domain Admins

Hello

We have just implemented Microsoft Advanced Group Policy Management for editing of GPOs.

We have some GPOs that users not are Domain Admin too.

Some users need to set/change WMI filter and Security filter on GPOs.

How is this possible outside AGPM without being Domain Admins?

If we put explicit rights on a GPO in Group Policy Management for a group, this is overwritten by AGPM when we Deploy a GPO.

Morten


Morten Holst

GPUpdate /force hangs, no error message, no events

Pretty much the title. I've been trying to force Group Policy updates on a single machine on my domain, and the process simply hangs while displaying "Updating policy...". I've seen some other gpupdate.exe-related problems on these forums, but they all seem to involve error messages or anomalous events. 

This, however, produces no error messages on the console, not even timeouts. It'll run indefinitely. There are also no events logged during this time, let alone any error events. All the other machines on the domain run gpupdate without incident.

Background: this is a Win 10 box, all the other machines in the OU are Windows 7. I know there were a few GPO-related failures with this machine regarding software deployment (is it even possible to install .NET 4.5.2 on Win 10 machines?), but running gpupdate /force used to complete, at least. The failures would occur during boot. Now the machine seems to have gotten itself into a weird state where I can't force a gpupdate even if I switch OUs or remove the offending policies.

Thoughts?




RegGetValue returned data type differs from the data type mentioned in admx file for the gpo setting

For the gpo setting: "Network directories to sync at Logon/Logoff time only", in the corresponding UserProfiles.admx file, datatype is mentioned as REG_EXPAND_SZ:

<text id="CscSuspendDirectories_Message" valueName="CscSuspendDirs" maxLength="4096" expandable="true" />

(expandable="true" means REG_EXPAND_SZ instead of REG_SZ as mentioned in here )

but I get the data type as REG_SZ when reading that subkey value using the RegGetValue method.

I am using the statement: RegGetValue(hKey, NULL, achValue, RRF_RT_ANY, &dataType, NULL, &size);

dataType and size are of type DWORD.

hKey is pointing to registry key "Software\Policies\Microsoft\Windows\System"

and achValue is referring to "CscSuspendDirs"

I am getting dataType as 1 (REG_SZ) when the function call returns, which differs from what is mentioned in the admx file for the setting.

How to get the correct data type?

GPO "Deployed Printer Connections" Component Failed

Hi,

We are running a VDI environment with over 1000 Windows 7 desktops provisioned on top of a "thin" Windows 7 base image and we are attempting to deploy printers to the thin Windows 7 base image, that will then get pulled through to the VDI session, to allow users to be able to print. This works for the majority; however, we have some users that report their printer is not available, and upon investigation it looks like the printer is not installed on the underlying base machines.

I've been running some troubleshooting and when I process group policy modeling with a user and the PC object in AD, the results fail with deploying the "Deployed Printer Connections"

This is a screenshot of the error that gets displayed running the modeling on the domain controller. Typically, I have checked the logs on the domain controller and there is not any additional information on what this might be, logged at all. Could anyone provide more information on what this actually means that's failed? Because it doesn't look like the actual GPO objects have failed to process at all. I don't understand this.

Disable only windows firewall notifications in Windows 10 with Group Policy

Hi!

How to disable only the Windows Firewall notifications in Windows 10 with Group Policy? I tried a registry change but it didn't work.

Anybody have a solution for this problem?

Szilard

Registry update through group policy works partially

Hello,

I'm trying to enable the following registry key on all clients using group policy, so I used the update option and kept the information below:

HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL

REG_DWORD

1

HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version

REG_DWORD

1

The second registry key (Version) was deployed successfully on my test computer but the first one (EnableADAL) won't deploy.

Can anyone please help shed some light on what I am missing?

Adding bulk sites to trusted zone

Hello 

I have to add around 150 sites to the trusted zone. We are aware of adding them to the “Site to the zone assignment list” in Administrative Templates and selecting option 2.

Is this the only option, adding all those sites one by one, or do we have any other options as well for bulk addition?

Regards

Aamir


NA

GPO for adding reg key on win 10 systems

Hi,

I'm trying to create a GPO that will allow me to add a folder & reg key inside it, restricted to Win 10 only, using GPO. I used the command at the command prompt and it works as expected, but I want it to be achieved using GPO. How can I do it?

Here is the command that I used.

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade /f /v AllowKMSUpgrade /t REG_DWORD /d 1

Below is the image of what I'm trying but it's now working. I've also applied WMI for Win 10 filtering.

Deleted Groups.xml

Hello:

My DCs are windows 2012, with a few 2008s. I do not have a suitable backup of my default domain policy.


I accidentally deleted the groups.xml file located at '\sysvol\<domain>\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml'.

Now I am getting the following error:


The client-side extension could not apply computer policy settings for 'Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}' because it failed with error code '0x80070002 The system cannot find the file specified.' See trace file for more details.


I am afraid to do a "dcgpofix /ignoreschema /target:<domain>" because I fear that it will not copy into the new Default Domain Policy the cert that was issued for EFS.

Is there any way out of this?

Thanks!

GPMC for Windows 10

New GPO error for a group : Filtering: Denied (Security)

Hi,

I created a new User GPO linked to an OU.

In delegation I have Authenticated Users with read permission and a security group with apply group policy permission.

With a gpresult I have the result :

The following GPOs were not applied because they were filtered out

NAME_OF_THE_GPO
Filtering:  Denied (Security)

If I put a user member of the security group directly in delegation with apply group policy permission, it works well.

Any idea ?

Thank you for your support.

Set a default associations configuration

Hi Guys,

I'm deploying Windows 10 Enterprise November Update (Build 10586) via MDT. I have set VLC to be the default audio/video player, Adobe Reader to be the default PDF viewer and Chrome to be the default browser.
I used this tutorial to create an xml file of the settings using Dism /Online /Export-DefaultAppAssociations.
After setting the default associations configuration file in Group Policy, VLC and Adobe Reader are successfully the default programs but Edge remains the default browser. It should be Google Chrome.

Because it is not working I tried the registry tweaks that I found on this website:

<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier=".htm" ProgId="ChromeHTML" ApplicationName="Google Chrome" />
  <Association Identifier=".html" ProgId="ChromeHTML" ApplicationName="Google Chrome" />
  <Association Identifier="http" ProgId="ChromeHTML" ApplicationName="Google Chrome" />
  <Association Identifier="https" ProgId="ChromeHTML" ApplicationName="Google Chrome" />
</DefaultAssociations>

But this results in Edge saying "An app default was reset" (to Edge). To fix that I tried the fix on this website to no avail. I have downloaded and installed the windows 10 1115 admx templates and the Google Chrome admx templates and I have set Chrome to be the default browser in user settings.
This is not changing anything. (I know the user has to start Chrome once for this to take effect).
The weird thing is that setting the default associations through the xml file as well as setting Chrome as default browser works at 5 other locations but this location... not so much.

What could be the culprit?





GPO Issue after Migration

We have migrated our AD from 2008 R2 to 2012 R2. When we try to apply some policy we face the issue "AD/SYSVOL version mismatch message is displayed in Group Policy Modeling Wizard result"