Channel: Group Policy forum

WMI Filter for Windows 7 and Above how is best achieved

I need to apply a GPO using a WMI filter to computers with the prefix COMP and to Windows 7 desktop OS and above. These are the ones I am using for Windows 7 desktops and COMP prefixes.

SELECT * from Win32_ComputerSystem WHERE NAME LIKE "COMP0[0-9][0-9][0-9][0-9][0-9]%"

SELECT * from Win32_OperatingSystem WHERE VERSION LIKE "6.1%" AND ProductType="1"

Should I simply add an additional query or amend the existing ones?


Group policy Mapped drives Windows 10 / SBS2008

Hi,

I created group policies to map network drives.  These are user policies and are assigned to an OU containing our users.

All worked well, but in the last couple of days they have not been applying to new users, nor do they re-apply if I remove a mapped drive then log off / on.

Running a gpupdate /force shows no issues.

Running a gpresult -r brings back 

MAP <drive name> on <Server Name> <! this is my group policy name!>
            Filtering:  Not Applied (Unknown Reason)

It only seems to be an issue on Windows 10.  When I log onto the server or another server 2008 in the network they map just fine.

I renamed one of the GP's just to see if it was being picked up - but no joy.

I created a new test drive mapping and applied it to the same user OU, but it is not being picked up by the gpupdate /force either.

Event log on the client machine shows:

"The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy."

Does anyone have any idea?

Thanks!

Ian

Office 2013 to 2016 Upgrade - Server Folder Re-Direction no longer works

Hi. I asked this question on the MS Community Forums, but it was suggested I ask again here ....

I have two Windows 7 Pro machines in a small network, connected to a Domain, hosted on Server 2012 R2 Standard.

As my Office 365 Small Business Premium (with Office 2013) was shortly to expire, and I was going to migrate to Business E3 (with Office 2016), I let Office update itself from 2013 to 2016, just so I could be sure everything was ok before actually migrating to the new subscription. (As recommended, I subsequently uninstalled Office 2016 SB Premium, and installed Office 2016 ProPlus)

I'm now puzzled by an issue on both machines. The Folder Redirection (of My Documents, and some others) has stopped working, and has gone back to local storage. So where the Library used to contain (spaces added to allow posting) \\ Server  \ Users \ <name> \ My Documents , it is now C: \ Users \ <name> \ My Documents .

Looking back, I couldn't understand why the first logon after the Office upgrade was taking so long (probably over an hour) - I now suspect it was copying the entire folder contents from the server to the local machine(s). The local Documents folders' timestamps show they were created at the time the first upgrade was done.

The Group Policy for Folder Re-Direction on the server has not changed, and the Server Group Policy Modelling Wizard shows that the folder re-direction policy GPOs should win ok.

Can anyone suggest what has happened, and how to fix it? It is a bit of a nightmare scenario to discover that the folders which I thought were a single copy on the server have actually become two local copies as well.

Thanks, Don

Default Domain Policy Change - not applying complex password - 2008 r2

Hi, I have been advised to change the Default Domain Policy. The main features are: minimum password length 8 characters.

The updates policy should have: minimum password length 8 characters and complexity enabled.

I have set up a test GPO and OU and attached the policy. The machine picks up the updates settings OK (ran gp results/wizard).

When I press Ctrl-Alt-Delete and change the password, it does not force the user to set a complex password. Is there any reason why this is not happening? I'm assuming it would update to complex. Attached is the updates policy. Any help appreciated.

Thanks



Cannot update Security Settings via GPO on Win2008 R2

Hello,

On two of my Win2008 R2 DC, I cannot update Security Settings via GPO. 

GPOs are allowed and no error is logged, but anything under Security Settings isn't updated by changes made.
I know the GPO itself is applied since Admin Templates will update accordingly.

So let's say I add, remove or change Audit Policies and then GPupdate force on the target, the changes reflected will not take effect and will not be listed in the RSoP.

Any idea on what is going on here? I've tried many things I found searching online for two days but nothing does it. It used to work a few weeks ago, but as soon as I started messing around with Audit Policies, it's now broken...

Folder Redirection (Lost Files)

Good Day,

We are running Server 2012 R2 Standard.

Using Group Policy we redirected My Documents, Desktop to another server (File Server) and  Offline Files activated on user machines.

File Server running Server R2 Essentials

File Server had a Hard disk failure.

While rebuilding the server users continued working since Offline Files was activated.

After reinstalling the File Server we brought it back to the network.

(Mistake) Assumed that the user machines would sync what they have to the File Server. But they synced from the server, which had no info; now all My Documents and Desktop contents are gone.

Thought we would find them in %SystemRoot%\CSC, but it is now also blank.

Is there a way to recover these files?

Thanks


MS16-072 GPO Mapped drives present on network boot, Not present off network boot. Used to remain with red X disconnected.

I believe I am having issues related to MS16-072 ( KB3159398 ).

All my user-based GPOs have either Authenticated Users in the security filter ( with read access in the delegation tab ) or Domain Computers in the delegation tab with read access. One of our user GPOs maps a network drive for users based on an AD group membership.

Our help desk started receiving calls after we pushed out this months patches about mapped drives not being there while the user was connected through VPN.

While running through some attempts to reproduce the issue I noticed that if I boot up off the network I no longer have the mapped drive. If I boot up on the network I have the drive mapped.

Before MS16-072 the mapped drive would still be present in the network locations but in a disconnected state ( Red X ) if I booted up off the network. If I uninstall MS16-072 and do those same two tests, the drive is present in each scenario. I also get the drive is mapped but disconnected.

Is anyone else seeing this with MS16-072?

Group Policy

Hi,

I have created a separate group policy, "Group policy for wallpaper", but it's not working.

Please help to resolve this issue.

Regards,

Ramaiah C


SYSVOL Version Mismatch

Server 2012 R2 with all clients at Windows 7 Pro 64 bit.

Had two DCs (Server 2008 R2), added the Server 2012 R2, took down the old main 2008 R2, things were working fine, but as of last week PCs are slowly losing GPO settings, saying there is a mismatch, or that the policy is empty. Tried the hotfix for the server, no luck. Nothing seems to apply to having a Windows 7 PC. Any ideas?

Server 2012 Machines Not Auto-Installing Updates or Rebooting from WSUS Policy

We're experiencing difficulty with WSUS updates on our Server 2012 machines.  There is a group of development servers which are configured with group policy to automatically download updates and install them at a scheduled time.  Then the server is supposed to reboot 15 minutes after the installations are complete.  This goes as expected on Server 2008 machines but not on the 2012 machines.  Here are our GPO settings.

Location of policy settings:
/Administrative Templates/Windows Components/Windows Update/

-Always Automatically Restart at the Scheduled Time: Enabled (option - "15 minutes")
-Configure Automatic Updates: Enabled (option "auto download and schedule install", "every Wednesday", "5:00AM")
-Allow Automatic Updates Immediate Installation: Enabled
-No auto-restart with scheduled installations: Disabled

The servers are in a Windows 2012 domain.  Update kb2885694 is installed on all computers which needed it (this patch adds control of scheduled restarts on 2012 machines).  We have not touched the policy for "Automatic Maintenance Activation Boundary" but it is currently disabled and set to "2000-01-01T03:00:00".  Does this need to be enabled and set to a different time and delay?

When we log into the 2012 machines on Wednesday morning we expect to see that updates have been installed sometime after 5:00AM, followed by an auto reboot.  However, we instead find the patches are waiting for an admin to click OK to install the updates. Are we missing something or is this some sort of bug that will require a workaround or patch?  Thank you for any help you can provide.  Please let me know if I can provide any clarification.

Ryan

Policy applying, but the settings are not

Have an odd issue where GPO is applying, I'm setting auditing on, all Audit Policy settings are turned on for Success and Failure, and the policy is applying.  But I have nothing in the security log file.  GPResult shows the policy applied.

Out of curiosity I opened the local GPEdit.msc.  When I look at the audit settings, they are controlled by domain policy, in other words, the icon is changed, and the settings are grayed out.  BUT success and failure are not checked off, they are all set to No Auditing.

Clearly it's like I have a competing policy that says No Auditing, but I do not.  Any thoughts?

FYI:

   Applied Group Policy Objects
   -----------------------------
       _SecAudit
       _DFS Slow link mode
       Default Domain Policy
       Local Group Policy

   The computer is a part of the following security groups
   -------------------------------------------------------
       BUILTIN\Administrators
       Everyone
       SQLServerMSSQLServerADHelperUser$PRAPC1CTX
       BUILTIN\Users
       NT AUTHORITY\NETWORK
       NT AUTHORITY\Authenticated Users
       This Organization
       PRAPC1CTX$
       Domain Computers
       System Mandatory Level

   Resultant Set Of Policies for Computer
   ---------------------------------------

       Software Installations
       ----------------------
           N/A

       Startup Scripts
       ---------------
           N/A

       Shutdown Scripts
       ----------------
           N/A

       Account Policies
       ----------------
           GPO: Default Domain Policy
               Policy:            LockoutDuration
               Computer Setting:  11

           GPO: Default Domain Policy
               Policy:            MaximumPasswordAge
               Computer Setting:  183

           GPO: Default Domain Policy
               Policy:            MinimumPasswordAge
               Computer Setting:  N/A

           GPO: Default Domain Policy
               Policy:            ResetLockoutCount
               Computer Setting:  11

           GPO: Default Domain Policy
               Policy:            LockoutBadCount
               Computer Setting:  5

           GPO: Default Domain Policy
               Policy:            PasswordHistorySize
               Computer Setting:  2

           GPO: Default Domain Policy
               Policy:            MinimumPasswordLength
               Computer Setting:  8

       Audit Policy
       ------------
           GPO: _SecAudit
               Policy:            AuditPolicyChange
               Computer Setting:  Success, Failure

           GPO: Default Domain Policy
               Policy:            AuditDSAccess
               Computer Setting:  Success, Failure

           GPO: _SecAudit
               Policy:            AuditAccountManage
               Computer Setting:  Success, Failure

           GPO: _SecAudit
               Policy:            AuditDSAccess
               Computer Setting:  Success, Failure

           GPO: Default Domain Policy
               Policy:            AuditAccountLogon
               Computer Setting:  Success, Failure

           GPO: _SecAudit
               Policy:            AuditPrivilegeUse
               Computer Setting:  Success, Failure

           GPO: _SecAudit
               Policy:            AuditAccountLogon
               Computer Setting:  Success, Failure

           GPO: _SecAudit
               Policy:            AuditLogonEvents
               Computer Setting:  Success, Failure

           GPO: _SecAudit
               Policy:            AuditSystemEvents
               Computer Setting:  Success, Failure

           GPO: Default Domain Policy
               Policy:            AuditLogonEvents
               Computer Setting:  Success, Failure

           GPO: Default Domain Policy
               Policy:            AuditAccountManage
               Computer Setting:  Success, Failure

Windows Server 2008: Unable to edit group policies

I have a customer with a Windows Server 2008. I am needing to update their password policy but I cannot edit any of the group policies. If I try and edit the password policy I get the error

"The system cannot find the file specified. Failed to save \\domain\sysvol\domain\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf. Make sure that this object exists."

If I try and add a mapped drive it gives me an empty message prompt with error as the title.

I have checked the permissions on the sysvol and have disabled anti-virus but still get issues.

OneDrive Next Generation Sync Client - registry keys

Originally set up the NGSC as part of the TAP, and used the following keys:

DefaultToBusinessFRE - to set the default option to the Business client, rather than Personal

EnableEnterpriseTier - to get deferred updates to the client

EnableAddAccounts - to allow users to add (other?) accounts to the client

Now, are all of these redundant?

The second one seems to have been replaced by EnableEnterpriseUpdate, and the other two are changed completely - perhaps - by DisablePersonalSync for the former (to stop Personal use, as opposed to just make Business the default).

Can anyone confirm this? Can't find anything that states just this, just that recent docs don't mention the 'old' ones anymore.

Been using the page below for the latest ADMX files and advice:

https://support.office.com/en-us/article/Administrative-settings-for-the-OneDrive-for-Business-Next-Generation-Sync-Client-0ecb2cf5-8882-42b3-a6e9-be6bda30899c

Old-User GPO

Hi,

How can we go about cleaning/deleting a preceding user GPO that is no longer applicable to the user?

I.e., for instance, a user has been assigned the Office 2010/2013 GPO. Now since his/her computer is upgraded to Office 2016, the user should only need the Office 2016 GPO.

All user-Officexxxx GPOs are set to 'Authorized users', thus they go out to users who have the relevant Officexxxx installed.

However, when a user's computer is upgraded with Office 2016, the preceding O2007/O2010 user (as well as computer) GPO settings stay with the user (not being removed). The user ends up getting 3 sets of Office GPOs.

What is the best way to remove unnecessary preceding Office20xx GPOs from users?

thank you

GPO Policies not working - the parameter is incorrect

We're using Windows Server 2008r2, the system was set up a while ago when it was managed by an IT team for us

I've always wondered why none of the GPO services work and have been having a look, I'm able to go through the process of setting them up - but at the end of the process it always gives various error messages.

For example: GPO to manage logging out of users from service (force logoff when logon hours expire)

The parameter is incorrect

Failed to save

\\domain.local\SysVol\domain.local\Policies\{62746005-FB0B-4191-8073-9E677F115787}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

Make sure that this object exists.

Server is updated with all latest updates.

I've been looking at various topics similar to this but cannot find anything that seems relevant to this issue.

Has anyone seen this issue before? Any helpful solutions would be appreciated.


Block a policy from being inherited

What I am trying to do is apply a Group Policy Object to an OU, that has several other Policies (42 to be exact) being inherited and block one from being inherited.

I am testing a NEW encryption "Group Policy Object" on an OU for the "AdminUsers" group. At the root level I have the OLD encryption "Group Policy Object."  I want to apply the GPO to the "AdminUsers" OU but I have the old GPO being inherited from the root level.

How can I block the OLD policy object, so that I can link the NEW policy object to the OU? I do not want to "Block Inheritance" since that would block all "Policy Objects" coming from the root and I can't do that.

Thanks everyone

Exclude service accounts from Lockout Policy

Hi to all,

We have a 2012 R2 domain where one GPO that sets Account Lockout settings is applied at the root.

We need to exclude some service accounts from this GPO. Is it possible?

Tried to set on accounts the "Password never expires" and "User cannot change password" with no luck.

Thank you!!

-DS-

SiteToZone GPO applying, but sites not appearing in IE

Hello,

We have a GPO set for computer configuration, applied at top of domain level, that sets Site To Zone assignments for many sites. Our users log onto a 2012 R2 remote desktop deployment with user profile disks (essentially roaming profiles). ESC is turned off on each of the servers in the pool.

Until recently, this GPO was working fine, but for most (if not all) users, the GPO is now seen to apply but the sites do not appear in IE under any zone.

If the user logs into the server whilst they have admin privileges, turns ESC on, and then back off through server manager, the sites all of a sudden appear in IE control panel. This then seems to follow them when logging into other servers, and cures the issue.

This is obviously not a workable solution for all 250 users in our org, so am hoping someone may be able to assist with diagnosing this? I wonder if there was some Windows update that has messed with the ESC config in the registry somehow, which caused this?

Cheers, Eds

Restrict Local User to Access Certain Application Via Domain Group Policy

Hi,

I have a domain environment and have modified the default GPO policy "Don't run specified Windows applications" to restrict domain users.

I have a similar requirement to restrict certain applications for the local users, including administrator. I researched and found we have to achieve this by modifying the local group policy on each individual computer.

Editing the local group policy manually on all thousand systems is a challenge. Is there a way I can restrict local users from accessing certain applications by domain group policy?

- Charles 

Problem with KB3167685 on Server 2012 RDS - IE 10 freezes

After installing KB3167685 on a locked down 2012 RDS server Internet Explorer 10 is having some issues with freezing.

When launching IE 10 adobeflashutil_activeX.exe also loads.  IE will not fully load a page.  The wheel will just spin and spin.  Half the menu items are grayed out as well.

If I open another tab, both pages will load.

If I use Task Manager to kill Flash the page will load, but I have to kill Flash a few times.

If I disable the Flash add-on (Shockwave Flash Object) the problem goes away.

This does not happen to the domain administrator account as that account bypasses the group policy I use to lock down RDS.

My impression is that Flash is trying to process a command or configuration change but the GP is blocking it, but that is just a guess.

The policy is a loopback policy.

Any thoughts?
