Many persons are talking about a Windows Update setting named "No auto-restart for scheduled Automatic Update installation".

However, we have only "No auto-restart with logged on users for scheduled automatic updates installations".

I guess this functionality has been removed in Windows 2008...

Other people have asked the same question than me on this Technet forum.
But their question has been redirected to an article which does NOT give the answer,
and the question has been locked...

Does anybody know why this setting is missing
and if it is possible to bring it back?

Hello IT guru's,

I have a question, I have 2 domains with a trust.

We have AGPM installed and configured in domain A, now we want to install AGPM also on a DC in Domain B with the same configuration as we used in domain A.

We get no errors, Domain B is getting the right setting, reads all the policies but all the options are greyed out so we can't check out policies etc.

Does anyone have the same problem or does somebody have an solution for this?

Thank you for reading this and i hope we can come up with a solution

Best regards,

Pascal

The Netherlands

I'm trying to run the following script:

echo "Hello, World!"
echo "Hello, World!" >> ~/Desktop/helloWorld

as a test to determine if the setting actually works under:

User Configuration > Windows Settings > Scripts (Logon/Logoff) > Logon

I would expect the script to start a powershell instance and write "Hello, World!" to it, then create a file on the desktop of the user with the group policy set. I don't see either of those things happening though. Is this just because scripts are run before a user's home directory is initialized or is it because the script isn't actually being run at all.

To be clear, I have set it to allow scripts to be run; and when I manually run the script, it behaves as I expect.

J. Duke Rogers Communicore Technologies & Triangle Forensics

Dear all,

I have a group policy problem about applying the security filtering.
There are two 2008R2 DC and running the sync mode. (DC 01 and DC 02)
I create the GPO called "Map Server03 Driver" and link it under the IT Team OU. (the level of OU : xxxx.local>My Company>Corporate Service>IT Team)
Since I need apply this GPO to one user only, so I setup the filtering and add the user (IT Testing) under the security filtering column.

After this procedure, when I using the "IT Testing" account to logon the Win 7 PC,  the policy does not work.
When using gpresult /r to checking the detail, I am not found the GPO "Map Server03 Driver" is applied
Just the four domain level GPO applied only.

I try to use "Authenticated Users" instead the "IT Testing" account, this GPO is work normally.

The "IT Testing" account is under "IT Team" OU

Anyone can let me know the problem or the is it have a worng procedure in setting up the GPO?

Thank you.

Hello

Some clients (Windows 7 Sp1) are under Microsoft Domain (Win 2008 R2).

I activated the GPO for redirect folders (My Documents) to a Group of users, with offline mode enabled.

This GPO is correctly deployed to the clients, and in fact My Documents folder is correctly redirected to the server. On the client, I can work on it without any problem.

The problem is about offline files.

If I remove the network cable, or if I click on "offline" in My Documents, the files appear grey, with a grey X on them, and if I try to open them, I see a message thay say the files are not available.

On the client machines, Offline Files is enabled, and disk space for them is used.

But if I click on "visualizza file offline" (see files offline), and I try to open the files, I can't, and I see the same message that the files aren't available.

Automatic synchronisation seem to be executed correctly, in fact I see the cyan tick saying all is ok. But if I try to syncmanually, every file strike the error that is impossible to access the files because the file is used by another process.

In the sync centre there aren't sync conflicts.

I have a GPO setup that sets up printers and sets up the default printer.

By accident, I forgot to add one printer (SupervisorPod).  Upon doing so, I did notice the correct printer was set as default.

I then added the missing printer(SupervisorPod), and noticed it took the default printer setting, even though the GPO doesn't specify it as so.

I've taken a screenshot of the GPO in question.

For whatever reason, the "MC-SupervisorPod-BW" is becoming the default printer, if I remove it, the "MC-Dispatch-BW" printer becomes default.  If it makes any difference, the Supervisor printer is using the HP Universal PCL-6 driver.

Hi,

Lately we having an issue with event 1101 on some of our servers,

I did check the users that recieves t he event 1101 and al of theml belong to the same OU. this OU is a sub OU to one other OU that we use it for our Exchange multi tenancy.

If I remove one of the users that recieves the event 1101 from the sub OU to e.g. User OU and log back to the same server no error 1101, when put the user back to the sub OU then again get the error 1101.

I did check the Parent OU and the Autenticated users has no Read access, but at the sub OU  the Autenaticted users have Read Permission.

The only group policy is link to the OU is the default domain policy and no other Policy

I have 2 questions:

1. Why we get the event 1101 for the same user on some servers and not on all of the servers that this user login to.

2. we did not hadve this issue before and I see it just for some weeks now, how can we correct theis issue.

I also check the read gplink and write gpoptions and I have to say non of our OU has Allow permission to both of them.

Any help would be appreciate it.

Thanks

Shahin

Hi,

I'm looking into modifying the Location (path) of some mapped drives. The drives are being mapped using Group Policy Preferences. The Action setting on each of the drive mappings is set to "Update".

I noticed that when I we modify the location (path unc), the change does not take effect for the end user (the drive is not mapped to the new location, it points to the old location path.....verified it by running net use on client after modifying policy and force updating the gpo and logoff/logon). What is the best practice/recommended way of modifying the location (path) when the drive is mapped using GPP?

I noticed that if i change the Action to "Replace" then it appears to work but i'm afraid that since replace recreates it every single time this might cause issues of mapped drives not showing up for end users (a majority of our company users use laptops on wifi at work, and some work over Direct Access). At least thats what i've read on some of the threads online. So trying to figure out what is the best/recommended way to go about it.

The properties of each drive mapping in general are:

Action: Update
Location: \\server1\share1 (this is the path we are looking to modify in several of drive mappings)
Drive Letter: Use (using a fixed drive letter)
Hide/Show this drive: Show this drive
Hide/Show all drives: No Change

We have 2008 R2 forest level and vast majority of clients are Win 7.

Your feedback/assistance will be much appreciated.

Hello, 

Trying to troubleshoot a GPO that is not applying to users, I ran GPOTool on my main DC (Win Server 2008 R2), I have two other DCs (Win Server 2008 R2) as well. The main DC is DCS01, the other two DCs are DCS02 and DCS03. The first time I ran GPOTool, the results showed a sysvol mismatch. I noticed the timestamp on the GPO on each server did not match, so I tried making a change to the GPO to see if that would get it update across all DCs. After making the change I ran GPOTool again and the timestamp for the GPO matched on all three DCs but it keeps showing an error. Here is the error:

Policy {DBDAAE93-AC89-40C4-9C84-CD3513342690}
Friendly name: U_Basic User Policy
Error: DCS03.abc.xyz - DCS01.abc.xyz sysvol mismatch
Details:
------------------------------------------------------------
DC: DCS03.abc.xyz
Friendly name: U_Basic User Policy
Created: 8/2/2007 3:18:38 PM
Changed: 6/27/2016 4:21:07 AM
DS version:     30(user) 0(machine)
Sysvol version: 30(user) 0(machine)
Flags: 2 (user side enabled; machine side disabled)
User extensions: [{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: DCS02.abc.xyz
Friendly name: U_Basic User Policy
Created: 8/2/2007 3:18:38 PM
Changed: 6/27/2016 4:21:04 AM
DS version:     30(user) 0(machine)
Sysvol version: 30(user) 0(machine)
Flags: 2 (user side enabled; machine side disabled)
User extensions: [{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: DCS01.abc.xyz
Friendly name: U_Basic User Policy
Created: 8/2/2007 3:18:38 PM
Changed: 6/27/2016 4:20:49 AM
DS version:     30(user) 0(machine)
Sysvol version: 30(user) 0(machine)
Flags: 2 (user side enabled; machine side disabled)
User extensions: [{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}]
Machine extensions: not found
Functionality version: 2

As you can see, the error doesn't specify the sysvol versions on both DCs, it just says there's a mismatch. Any ideas how can I fix this?

Any help is greatly appreciated! Thanks!

Few day ago we had problem with DFSR and errors (5014,4612,5002) due unclean shutdown. This has been solved now, SYSVOL is now synced. But now i have problems with User Preferences which are not applied.

We have lot of GPOs mostly computer policies and they we working ok. User policies are working also ok but preferences are not:

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
    Local Group Policy
        Filtering:  Not Applied (Empty)

    Shortcutxxx
        Filtering:  Not Applied (Unknown Reason)

The user is a part of the following security groups

- User preferences are linked to the user OU and contain only User preferences (Shortcuts).

- Security Filtering is setup by Groups

After spending two day investigating i have noticed:

- When Security Filtering is setup by User or Group it does NOT work

- When Security Filtering is setup by authenticated user (bulid in) it does WORK.

Something is wrong with sec. filtering. No matter what policy is checked for user or group it DOES not work (Filtering:  Not Applied (Unknown Reason))

Groups or Users have right to read and apply GPO!

Please Help.

This all was working until yesterday, after DFSRs errors we fixed this does not work anymore.And if i set GPI to Group or User, on computer when i do :

gpupdate /force

and then

gupudate /r

i do not see this (Not Applied (Unknown Reason), i do not filtering at all (for this GPO). I must set Auth. users so policy apply and then set for user or group then i can see this. It is strange.

In basic, whatever policy if filtered by user or group, is NOT applied. or ((Not Applied (Unknown Reason)

Edit: To be clear. :

- create GPO, set sec. filtering to user or group and remove authe. user. Login to computer with that user and use :

gpresult /r

No policy.

- reate GPO, set sec. filtering to authe. user  Login to computer with that user and use same as above, and works. After that on DC change filtering to user or group and remove auth, go to pc and run:

gpupdate /force
gpresult /r

and got code:

Group Policy problem (Not Applied (Unknown Reason)

Hi to all,

we have a 2012 R2 domain where is applied, at root, one GPO that set Account Lockout settings.

We need to exclude some service accounts from this GPO. Is it possible?

Tried to set on accounts the "Password never expires" and "User cannot change password" with no luck.

Thank you!!

-DS-

I have a PC that has some power settings pushed out by the default domain policy in an AD environment.

Of course on the local machine I get "some settings are managed by your system adminstrator".

The machine is temporarily no longer in contact with the domain controller (it's been physically moved and not on the same network now) so it can't get updated GPO settings.

I believe that if I edit the local group policy it won't make a difference because of Group policy processing and precedence.

Since it's only temporary away from the AD network, I still want to use the settings of the AD user.

Is there somewhere in the registry that this is stored that I can edit the power plan manually until it can sync back up with the domain? (I just need to prevent it from sleeping while plugged in - it's currently set to 1 hour)

Thanks!

Allen Crist

I have a customer with a Windows Server 2008. I am needing to update their password policy but I cannot edit any of the group policies. If I try and edit the password policy I get the error

"The system cannot find the file specified. Failed to save \\domain\sysvol\domain\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf. Make sure that this object exists."

If I try and add a mapped drive is give me an empty message prompt with error as the title.

I have checked the permissions on the sysvol and have disabled anti-virus but still get issues.

Hi All,

I installed windows patches last night and this morning found out that there were a number of issues with my GPO's.

Example: desktop image would not show up, A, B, C and D drives that were meant to be hidden from users is now showing up.

I found out that it was because of this update KB3159398. Here is the support article

https://support.microsoft.com/en-gb/kb/3163622

When I uninstalled this update and rebooted, everything was back to normal.

Just though I write something up incase someone else is having this issue after applying the updates last night on windows 2008 R2 server.

Kind Regards

While settings up new computer for a user, running gpupdate /force will apply GPOs applied to Authenticated Users, any other GPO applied to security group won't apply or be even listed among applied or denied when run gpresult command. So limited number of GPOs work on this specific laptop.

When Authenticated users are added to GPO scope it started to be applied. When login to different computer with the same user's credentials all GPOs work as expected. Looks like it system (specific computer) related.

User is in OU to which GPO applied and member of security group which is in same OU.

Hi,

I have windows 2012 r2 server which is my DC. Soon as I create this particular GPO to disable to USB's I get this error message when trying to do a GPupdate. I enabled 'All Removable storage classes: Deny All Access' and then I got the message. Soon as I set this to 'not configured' then that message disappears.

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\domain.local\SysVol\domain.local\Policies\{BE34041F-27E6-4A6F-98C0-4A2C150D67A2}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.

b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

c) The Distributed File System (DFS) client has been disabled.

User Policy update has completed successfully.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Anyone had tyhis before ? Andy why its just doing this on this GPO ?

Hi Guys,

I have inherited a Network with a few issues, my current big issue is that GPO's are not applying to users when they login to Terminal Servers. I checked on all of the Domain Controllers that the SYSVOL is up-to-date and that there are no Sync Errors showing in the event log on Domain Controllers. 

I have then looked at the Event Log on the Terminal Servers and again there is nothing relating to GPO failures. I have run GPResault on one of the user accounts being affected and I get back the SID of the GPO and Inaccessible. It's been a while since I've had issues like this with Group Policy and can't think what it is that is causing the issue. Does anyone have any suggestions?

I have tried to re-join the Terminal Server to the Domain to see what happens and at the moment that hasn't fixed the issue.

I am able to browse the SysVOL on the Domain Controllers so access to the files structure is fine. 

TPark IT Technician

Hi All,
I've been using GPO's for years and I would consider myself quick knowledgeable on how they works but I'm stuck at a strange issue.

I'm testing a new GPO that only contains User Configuration and specific users in the security.  For some reason the GPO never applies until I add the same specific users computer accounts to the security.  I'm thinking this has something to do with loopback although it is not activated in this particular GPO.  

Any ideas?

Due to a server migration I am trying to change our current folder redirection location for our end users.  Currently there is a GPO which is configured to 'create a folder for each user under the root path'.  This path is hosted on a very old Novell Netware server but otherwise works fine.

I will not be modifying or deleting the old GPO, but instead applying the new GPO via group membership. Therefore I believe that I will not be able to have folder redirection move the files, but will instead be using robocopy.

The issue occurs when I add folder redirection to the new GPO.  It adds additional information to the root path.

On the old GPO the path looks like this: \\server\share\username

On the new GPO the path looks like this \\server\share\username\my documents

I assume that this is due to the domain now being 2008 based instead of 2003. However this screws up my plan and I want to know if there is a way I can force the new policy to apply the correct file path?