Channel: Group Policy forum

Logon Script restrictions for Powershell?


Hi,

when using a powershell script as User Logon Script, it's not possible to list mapped network drives with this code:

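# Query WMI for network drives (DriveType = 4)
$wmifoo = Get-WMIObject -query "Select * From Win32_LogicalDisk Where DriveType = 4"
foreach ($foo in $wmifoo) {
	# $() is needed to expand a property inside a double-quoted string
	echo "found: $($foo.DeviceID)"
}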

...but when running the script through the PowerShell console, the code works as expected.

Is this a known limitation or do I need to change some security setting for this to work?

Thanks

- fraenki



Security Filtering for Apply and Deny in single policy


Hi Team,

Is it possible to apply security filtering for Apply and Deny in a single policy? Recently I have applied a computer policy at domain level and I want to exclude this policy for certain computers.

Is it achievable by security filtering?

Regards,

Karthikeyan R

GPO to update host file


How can I make use of the GPO to update the drivers\etc\hosts file of my domain users?

Can it be done?

 

Folder Redirection Policy not removing


Hello,

I inherited an Active Directory with a Default Domain Policy that included a folder redirection.  I have since migrated to a new server and set this policy to "Not Configured".  However, the users are having problems with performance opening files on their desktop and network locations and are getting weird "problem sending a command" messages sporadically when opening up Excel files.  It is not all users, I do not think.

In the Folder redirection logs on all computers there continues to be logs regarding folder redirection policy being applied including 1006 event logs with "0x8004" code for redirect options for documents, desktop, etc.  In group policy management the Folder Redirection policy continues to show up in the GPO "Settings" pane even though all of the policy is set to "Not Configured".

How do I completely remove this Folder Redirection policy from the Default Domain Policy so it is not trying to apply to all of the PCs?

Also, if anyone can shed any light or troubleshooting on the slow performance and "sending a command" message, that would be great.

Group Policy back up


Hello All

I have a task to back up all the GPOs in my DC on a daily basis. Is there an easy way, like a script, so that I can place it in Task Scheduler?

Please advise any other method

Thanks

Aamir


NA

Where is GPOtool in Windows Server 2008

I can't seem to find the gpotool in Windows Server 2008.  I have seen tools in windows\system32 and the features that can be added from RSAT, but I still can't seem to locate the gpotool.  Anyone know where it's at?

Getting Errors while creating a Local account through GPO


When I try to create a local user on the clients through GPO, I am getting the error below:

This preference requires the CPassword attribute which is a known security risk. To help protect your environment, some actions may not be available. For further information about CPassword, click help below.


SJK

Group Policy not Working Correctly After Restore from Backup (Server 2012r2)


Hi,

I restored an active directory backup of Server 2012r2 using Veeam to restore a deleted organisational unit folder and each time I did the backup restore from the previous day or days before that, the folder kept disappearing again. I suspected the folder vanished because there was an AD replication on another server that was changing everything back to how it just was so I removed the AD role on the second server and attempted to restore the backup again. Now there is only one AD and no replication to another server.

Well this has brought back the deleted folder which is great but there is now a problem with Group Policy, when I go to open Group Policy Management, it says that "The system cannot find the path specified" but it still opens up, however, things are not working correctly.

If I navigate to the Sysvol folder on the current working AD, I get this folder: NtFrs_PreExisting___See_EventLog

I saw this below in a thread somewhere else but want some opinions if this is the correct way to do things?

The fix from Microsoft Support was to copy the two folders (policies/scripts) back from C:\windows\sysvol\sysvol\domain.local\NtFrs_PreExisting___See_EventLog to the C:\windows\sysvol\sysvol\domain.local\ folder, then stop the NTFRS service, then set the BurFlags key to D4, which does an Authoritative restore.

(Should I be doing this?)

I also tried to login to the previous AD replication server after I uninstalled the role but I couldn't login anymore. So I unjoined this server from the domain and tried to rejoin it again but I keep getting "The specified user already exists" message.

Do I need to clean up the metadata on the old replication server to be able to join it again and if I do, what things can go wrong?

Am I on the right path here?




GPO - Proxy Exceptions

I have created a group policy to set proxy connections details via the registry. It is setting the proxy address, enabling it, I am having issues with the proxy exceptions.

It is applying the exceptions correctly but only on alternate logons. The first time a user logs in the exceptions have a full list, but if they log off and back in it only applies the first address in the list of exceptions.

If I run a GPresult it was successfully applied.

The server is still 2003 and IE is mostly IE11

Errors after MS16-072 Updates


Hello,

we are having some problems after the MS16-072 updates for Microsoft Windows, regarding GPO.

After updating the client computers, they did not apply several GPOs which had group security filtering, regarding:

  • Network shares mapping
  • Shared printers mapping
  • Remote configuration of scheduled tasks

The workaround given by the MS16-072 issue, basically set read permissions for 'Authenticated Users' and 'Domain Computers', did not solve the problem.

Our infrastructure consists of:

  • Domain Controller: Samba 4 over Ubuntu Server, upgraded to latest version (4.1.6)
  • File Server: Windows Server 2012R2, domain member
  • Printer Server: Windows Server 2012R2, domain member

When we run a GPResult /h we get these 3 error messages:

Group Policy Drive Maps failed due to the error listed below.
Access is denied.
Additional information may have been logged. Review the Policy Events tab in the console or the applications event log for events between ..

Group Policy Printers failed due to the error listed below.
Access is denied.
Additional information may have been logged. Review the Policy Events tab in the console or the applications event log for events between ..

Group Policy Scheduled Tasks failed due to the error listed below.
Access is denied.
Additional information may have been logged. Review the Policy Events tab in the console or the applications event log for events between ..

And, in the Event Viewer, we are getting '0x80070005 Access is denied' errors, as can be seen here:

The client-side extension could not apply user policy settings for 'Mapejat Printers Grup CaminsTECH {CAA6C767-68BB-42C2-A1E3-175AXXXXXXXX}' because it failed with error code '0x80070005 Access is denied.' See trace file for more details.

Log Name: Application
Source: Group Policy Printers
Event ID: 8194
Task Category: (2)

We tried to set the correct permissions. RSOT is working OK, we have deleted in clients \Programdata\Microsoft\Group Policy\History, and without success.

The only thing that solves the problem is removing the updates that change the GPO behavior (KB3159398 for Windows 7 and KB3163622 for Windows 10), but it is a mess to remove them from all the domain computers.

Any ideas or suggestions will be really appreciated.


Folder redirection stopped working!


I've a GPO with folder redirection applied with a security filter.

Document and Desktop redirection are redirected and available offline (CSC).

The policy was set to move back to original location.

With the last Windows update, the policy was not applied due to a security problem.

I've fixed the security permission, and folder redirection still does not work.

Clients are running Windows 7/10.

client log event 502

Failed to apply policy and redirect folder  \\DFS\folder

Redirection options=0x9001.

 Error: "".
 Error details: "This file is currently not available for use on this computer."
".

Applocker not working


Hi there, I am creating my first user lock down policy for Windows 10 clients in a test lab, I must say I'm finding windows 10 terrible to secure with the metro apps and search functions acting like a run command

So far my policy has worked for my standard lockdowns (control panel, run etc) but now I'm trying to block the windows store apps (store policy has worked, despite being windows 10 pro) I have attempted to do this through app locker, by blocking candy crush etc which hasn't worked, despite the policy applying. In addition I've tried to block command prompt, mmc and mstsc which also has not worked. 

I have been having issues with the policy applying full stop, whilst now I have some applied it hasn't been refreshing with gpupdate /force , whilst it states it's applied successfully it actually hasn't. I don't know if fast boot is to blame, so I disabled it. And enabled a 60 second wait time as the system boots for group policy sync. 

I'm really stuck, when I did server 2008 and windows 7 group policy was instant, and just seemed to work, yet server 2012 r2, windows 10 and check clients seem to just be working horribly, I've never had as many issues with group policy before.

Generally, should you be doing a gpupdate /force on a DC prior to a client as well? I might be a bit rusty on that front

Thanks :-)

Windows 10 GPO to lock down search access to unc and c:\


Hi

I am trying to setup Windows 10 Education for my domain and am having issues with the search bar. I have locked down the All Apps section and use a redirected desktop to a UNC share for the application shortcuts. However, I want the users to be able to use the basic search. I have turned off cortana and web search via GPO and I have set the "Remove Run Menu from Start Menu" GPO to enabled. Which does prevent UNC share access in an open Window and C:\ access but if you place c:\ or a UNC share path into the Windows 10 search on the task bar you still have access.

At present I have local My documents folder because they use large applications like Photoshop CC and it works better when running from the local My documents and then copying to a networked home folder when they are finished. I have also tried denying access to the c:\ under the GPO for User Config > Admin Temp > Windows Components > File Explorer > "Prevent access to drives from My Computer" but whilst this stops all access to c:\ it then means you can't use local My documents and sadly UNC paths are still able to be browsed to through the search.

Has anyone come across this issue so far? I have tried looking at blogs and Google searches but the only stuff out there points to the GPOs I have already mentioned, which don't stop UNC from search.

Surely Microsoft hasn't released a product with a search facility that can't lock UNC access for standard users. The only way I can stop this at present is to remove the search option from the task bar.
Which is rubbish


I also can't find a way to redirect the All Apps menu through a GPO. If I could do this I would turn off search. So it seems that the only setting I can push out is a redirected Desktop and whilst this is good it means you have to know where all the shortcuts live in each folder on the desktop in order to open an application.


Any help would be greatly appreciated


kind regards

Simon

Query Installing Software Using GPO


Hi Team,

I have a requirement to configure a software package via GPO. And I am aware that we can use the settings  "computer configuration-Policies-Software Settings-Software Installation - right click -new package and give the path of the package.

Here in my case we have some around 40000+ servers in 9 regions and in all 9 regions we have storage share too.

So is it possible to configure the same package region-wise?

E.g.: If the 3000+ servers are in the US region, I will use the US storage share as the software package path and will configure it in the above settings. And the same for other regions too.

Can anyone please confirm the possibility?

GPP Internet settings and registry settings failing - file not found


Hi. We have some internet settings configured via GPP. However this is not working for some users.

Upon refresh (automatic or manual), they will get an error that processing of the Internet Settings failed.

I've investigated all logs (GPO log in eventvwr, GPO tracing log, userenv debug log).

They all say processing failed with cannot find the file specified error, but none of these logs says WHAT file it cannot find or access.

GPO tracing log:

Entering ProcessGroupPolicyExInternet()
2016-06-30 14:23:07.877 [pid=0x390,tid=0x9208] SOFTWARE\Policies\Microsoft\Windows\Group Policy\{E47248BA-94CC-49c4-BBB5-9EB7F05183D0}
2016-06-30 14:23:07.877 [pid=0x390,tid=0x9208] BackgroundPriorityLevel ( 7 )
2016-06-30 14:23:07.877 [pid=0x390,tid=0x9208] DisableRSoP ( 0 )
2016-06-30 14:23:07.877 [pid=0x390,tid=0x9208] LogLevel ( 2 )
2016-06-30 14:23:07.893 [pid=0x390,tid=0x9208] Command subsystem initialized. [SUCCEEDED(S_FALSE)]
2016-06-30 14:23:07.938 [pid=0x390,tid=0x9208] Variables subsystem initialized. [ hr = 0x80070002 "System cannot find the file specified." ]
2016-06-30 14:23:07.944 [pid=0x390,tid=0x9208] Leaving ProcessGroupPolicyExInternet() returned 0x00000002

Userenv log (debug level 0x00030002):

GPSVC(390.9a10) 14:23:05:614 ProcessGPOList:++ Entering for extension Group Policy Internet Settings
GPSVC(390.9a10) 14:23:05:620 LogExtSessionStatus: Successfully logged Extension Session data
GPSVC(390.9a10) 14:23:05:622 ProcessGPOList: lpGPOInfo->lpGPInfoHandle->dwExtnCount is 2 for Group Policy Internet Settings.
GPSVC(390.9a10) 14:23:05:659 ProcessGroupPolicyCompletedExInternal: Entering. Extension = {E47248BA-94CC-49C4-BBB5-9EB7F05183D0}, dwStatus = 0x2
GPSVC(390.9a10) 14:23:05:661 GetWbemServices: CoCreateInstance succeeded
GPSVC(390.9a10) 14:23:05:662 ConnectToNameSpace: ConnectServer returned 0x0
GPSVC(390.9a10) 14:23:05:662 ProcessGroupPolicyCompletedExInternal: Extension {E47248BA-94CC-49C4-BBB5-9EB7F05183D0} was able to log data. Error = 0x0, dwRet = 2. Clearing the dirty bit
GPSVC(390.9a10) 14:23:05:662 CExtSessionLogger::Log: Didn't find an instance of the extension object when trying to set the dirty flag.
GPSVC(390.9a10) 14:23:05:662 ProcessGroupPolicyCompletedExInternal: Finished processing extension <Group Policy Internet Settings> at 179830515 ticks (ms)
GPSVC(390.9a10) 14:23:05:663 ProcessGroupPolicyCompletedExInternal: Leaving. Extension = {E47248BA-94CC-49C4-BBB5-9EB7F05183D0}, Return status dwRet = 0x0
GPSVC(390.9a10) 14:23:05:664 ProcessGPOList: Extension Group Policy Internet Settings returned 0x2.
GPSVC(390.9a10) 14:23:05:664 ProcessGPOList: Extension Group Policy Internet Settings was able to log data. RsopStatus = 0x0, dwRet = 2, Clearing the dirty bit
GPSVC(390.9a10) 14:23:05:665 ProcessGPOList:--
GPSVC(390.9a10) 14:23:05:665 CPolicyCriticalSectionCollection: Deleting critical section for UserSid <S-1-5-21-xxxx-yyyy-zzzz-26718>
GPSVC(390.9a10) 14:23:05:665 Deleting sidString <S-1-5-21-xxxx-yyyy-zzzz-26718>
GPSVC(390.9a10) 14:23:05:666 ProcessGPOs(User): Extension Group Policy Internet Settings ProcessGroupPolicy failed, status 0x2

How am I supposed to diagnose this when it doesn't say WHAT file it cannot access/find? How can I troubleshoot this further?

Edit: tried troubleshooting this with procmon during manual gpupdate refresh, but couldn't find anything either.


Security Filtering Not Working


I have an issue with a group policy I am creating for a mandatory desktop wallpaper on users desktops. I have....

  • created the policy,
  • linked it to the domain level,
  • disabled "Computer configuration settings" in GPO status,
  • added the appropriate group in "Security Filtering"
  • logged on to the computer as a user in the specific group
  • ran gpupdate /force on the server, ran gpupdate /force on the client computer, even restarted the computer

and I cannot get the group policy to apply. After running the "Group Policy Results" wizard it tells me "inaccessible" under reason denied after the test runs. If I then add the "Authenticated Users" group to the security filtering box the policy applies with no issue. I have also tested this by creating a test OU and linking the GPO to that OU with both the user and the group I am singling out to that OU, added only the group to security filtering and same issue. Once I add "Authenticated User" to the security filtering though it again works with no issue. What am I doing wrong???

Thanks in advance!


Chad Guiney

Home Page Group policy not working


Hello 

I created a Test GPO, adding 5 users, to set a home page in IE

User config>Policies>Admin temp>Internet Exp>Disable changing home page settings

For user 1 it is not getting applied from the beginning

for User 2 it got applied for one day and again changed back to old one

for other 3 users it is working fine,

When I do gpresult /r for User 2, the below GPO is filtered out under Users setting

Test IE home page
    Filtering:  Not Applied (Unknown Reason)

Can anyone advise on this?

thanks

Aamir


NA

UAC GPO - Does not prompt for ALL changes.


Hi all,

I have a training room. The previous admin had a GPO in place with lots of settings to remove \ hide control panels, windows options and functions from the default training user account and PCs.

This method makes it impossible to edit the default training user profile and PCs on the fly...like making a change to the default printer or adding a new one quickly...I have to remove the machines and user account from policy, make the change, then move them all back in...

This I find a real overkill...my idea is simply to turn UAC on and make it prompt for Admin creds for all changes to the system every time?

I have set the GPO but it does not prompt every time?

It prompts on the secure desktop once as expected then from there on out seems to 'cache' the initial creds and all other tasks that require elevation from there on out simply work without prompting on the secure desktop?

These are my settings...any idea why it is not prompting every time for elevation creds?

Thanks in advance...

durrie

Sudden increase in roaming profile size (because it now includes Documents and other stuff)


When I rebooted my desktop today (for the first time in several weeks), I noticed it now takes several minutes for me to login. The first time it happened, I suspected the login process hung so I resorted to a "hard" reboot (i.e. by holding down the power button). However, the subsequent attempt also took a very long time -- but I walked away from the computer for a while and when I returned the login process had eventually completed and I saw my familiar items on the desktop.

However, I started seeing errors about exceeding my profile storage space. Note that I have a group policy configured to restrict profile storage to 250 MB. My current profile size is 5,795,030 (> 5GB).

I now see all files in my Documents folder being counted in the profile size calculation. However, I'm using Folder Redirection (via group policy) to store my documents on a file server -- and, consequently, these files were previously not counted as part of my profile.

I recently installed the latest round of patches via Windows Update (actually a local WSUS server) and I suspect the issue might be related to the following:

MS16-072: Security update for Group Policy: June 14, 2016

From <https://support.microsoft.com/en-us/kb/3163622>

Also note that after applying the updates, I used the script in the following post to identify GPOs that needed to be "tweaked" to grant "Domain Computers" Read permission (and subsequently made the change to the GPOs):

MS16-072 – Known Issue – Use PowerShell to Check GPOs

From <https://blogs.technet.microsoft.com/poshchap/2016/06/16/ms16-072-known-issue-use-powershell-to-check-gpos/>

Has anyone else seen a similar issue with their profiles suddenly ballooning in size?

It seems strange that something like this could "slip through the cracks" -- but given the fiasco with Windows 10 and roaming profiles (ref1, ref2, ref3, ref4), it is also quite possible that this configuration is something that is not included in the test plan.


Sysvol Mismatch of GPOs


Hi Community,

I've got a domain with two W2K12R2 DCs using File Replication Service, and we have some strange behaviour regarding Group Policies. After researching a little bit I noticed that gpotool.exe reports sysvol mismatch, but the DS / Sysvol version of the GPOs is the same.

I used WinMerge to find out what's different and noticed that only the file date of the file "comment.cmtx" is different.

Is this a problem? What can I do?


Friendly name: GPO_X
Error: DC01 - DC02 sysvol mismatch
Details:
------------------------------------------------------------
DC: DC01
Friendly name: GPO_X
Created: 20.07.2012 06:46:35
Changed: 02.03.2016 14:23:48
DS version:     1109(user) 1(machine)
Sysvol version: 1109(user) 1(machine)
Flags: 2 (user side enabled; machine side disabled)
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: DC02
Friendly name: GPO_X
Created: 20.07.2012 06:46:35
Changed: 02.03.2016 14:24:02
DS version:     1109(user) 1(machine)
Sysvol version: 1109(user) 1(machine)
Flags: 2 (user side enabled; machine side disabled)
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
