Back in Feb of this year I ask a question for help on where to place MS Office 2010 admin templates so I could control Group Policy Settings for Outlook 2010.  The following link will take you to that question/post.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/94a46026-da50-4949-b7ac-b7b5a0af5814/where-do-i-place-the-office-2010-admin-templates-on-my-domain-controller?forum=winservergen

Sometime recently, (I don't go into Group Policy Management very often) I started getting an error when I edit any policy and click on either Computer Configuration\Policies or User Configuration\Policies.  The error is the following:

Encountered an error while parsing.

Resource '$(string.Advanced_EnableSSL3FallBack)'
referenced in attribute displayName could not be found.

File C:\Windows\PolicyDefinitions\inetres.admx, line 795,
column 308

Can someone please tell me what is causing this and/or what I did wrong when adding the MS Office admin templates.  I need to correct this.   thank you

Hi there,

When booting a Windows 10 machine (Lenovo laptop) GPOs are not loaded. Of course I can apply them later on via gpupdate /force.

When I have a look into the system log I get always an error in there with the ID 1058. Checking the error code in the details says: Network access is denied (error code 65).

It tries to access a gpt.ini file from the policies but does not get through.

When I restart the computer, click the link in the error message I get an error that the file cannot be accessed. Nevertheless after about 30 seconds the access to the file just works.

For me it seems that there is a service pending start which is needed for the domain access. I bet it has to do with DFS as the GPO access works via DFS path(namespace).

This is quite annoying as the machine policies are not loaded neither the user policies.

Here the details from the error message:

Log Name:      System

Source:        Microsoft-Windows-GroupPolicy

Date:         10.9.2015 13.19.02

Event ID:      1058

Task Category: None

Level:        Error

Keywords:     

User:         xxxxxxx\xxxxxxx

Computer:      xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Description:

The processing of Group Policy failed. Windows attempted to read the file \\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.

b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

c) The Distributed File System (DFS) client has been disabled.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />

    <EventID>1058</EventID>

    <Version>0</Version>

    <Level>2</Level>

    <Task>0</Task>

    <Opcode>1</Opcode>

    <Keywords>0x8000000000000000</Keywords>

    <TimeCreated SystemTime="2015-09-10T10:19:02.977910800Z" />

    <EventRecordID>1318</EventRecordID>

    <Correlation ActivityID="{9C0C77C4-AFC1-4A0E-9BFE-BE698091D73C}" />

    <Execution ProcessID="932" ThreadID="3588" />

    <Channel>System</Channel>

    <Computer>xxxxxxxxxxxxxxxxxxx</Computer>

    <Security UserID="S-1-5-21-1410795398-2781916069-518169928-1178" />

  </System>

  <EventData>

    <Data Name="SupportInfo1">4</Data>

    <Data Name="SupportInfo2">912</Data>

    <Data Name="ProcessingMode">1</Data>

    <Data Name="ProcessingTimeInMilliseconds">421</Data>

    <Data Name="ErrorCode">65</Data>

    <Data Name="ErrorDescription">Network access is denied. </Data>

    <Data Name="DCName">\\xxxxxxxxxxxxxxxxxxxxxxxxxxx</Data>

    <Data Name="GPOCNName">cn={3933BE19-C3FF-4C22-9434-B64C654C8B06},cn=policies,cn=system,DC=xxx,DC=xxxxxxxx,DC=xxxxx</Data>

    <Data Name="FilePath">\\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini</Data>

  </EventData>

</Event>

We are giving permissions to a domain account for our backup system to Exchange servers for the user rights assignment of "replace a process level token". However, when this GPO is applied, the existing entries are deleted. Thus removing several"IIS APPPOOL\NET v4.3" and similar accounts from this policy.

Is there a way to set a GPO which will apply this right to a domain account without losing the local accounts? ( merge) ?

Thanks in advance!!

Tom

Hello there,

I'm getting this event every time I run gpupdate on my server:

The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LocalGPO. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

Where is the first place to look at?

I did the GPRESULT /H GPReport.html but it only shows an error with registry policies.

Thanks.

I've been beating my head against some group policy settings that just are NOT working on a 2012 R2 RDS server, but work fine on another one at a different location.

But I just remembered that the problematic site, while we have a 2012 R2 DC, is still stuck at a 2003 domain/forest level since we're still waiting for their software developers for this program of theirs to migrate them off of that 2003 domain controller where  it was initially installed, and onto a new server we recently put into play.

So the only thing that is different between where these settings work, and where they don't, is really the forest and domain level.  Where it worked as expected, it's native 2012 R2 levels for everything.  Where it fails, we have that last 2003 domain controller still in play.

Is there some place I can find out what level those need to be for things to work, such as folder redirection for Start Menu, and similar things?  I've been googling my rear end off, but haven't found anything yet that helps me find the required domain and forest level for these settings.

Thanks

John

John

Hi Guys 

After I upgrade for version 1511 KB3149135 and KB3163018

all my GPO stop to work, I make a simple test, install a version of windows 10 and don´t update and the gpo applied normally, after the upgrade it stops to work but if I make a recovery from a previously time ( before the upgrade) it starts to work again

the strange thing is that in gpresult is like the gpo didn´t exist at all.

When i tried to change password then got this message"Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain"

But i fulfill all requirements and try to change policy.But not work.

Thanks, Limon Dhaka,Bangladesh

• Dear

• Rename Domain Controller (System (host) Name) example

• ligo.ad.net  to  LIP.ad.net

• and Reconfiguration DNS Server 

• Configuration Group Policy  Active Directory :
                           password must meet complexity requirment=Diable

• Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain

• • Configuration Group Policy  Active Directory And Cilent :
                             password must meet complexity requirment=Diable

• Client (Windows XP and Windows 7 and Windows 8) 

• Display  Message Error

  Email Address : mr_abdi@live.com

Hi,

I have created separate group policy" Group policy for wallpaper". But its not working.

Please help to resolve this issue.

Regards,

Ramaiah C

Hello,

I setup file/folder auditing on selected files and folders that I am required to audit on my small 2008 R2 / Win 7 Pro network.  I setup this auditing through the GPMC console as a domain policy.  After I enabled this policy, the Event Viewer on the servers and the workstations no longer show any of the Application/Security/System events...it was working prior to enforcing my new GPO.

I THINK my mistake was not addressing permissions themselves in the GPO, and since some of the audits I configured affected some system32/winevt folders and files, the permissions are messed up.  Not only are the events not showing up in Event Viewer, the *.evtx files are not being created in the system32/winevt/log folder.

What specific files and folders would prevent logging of these events?  And what should the permission be?  If anyone has experience or theories...I'm all ears!

Thanks in advance.  

Hi,

Lately we having an issue with event 1101 on some of our servers,

I did check the users that recieves t he event 1101 and al of theml belong to the same OU. this OU is a sub OU to one other OU that we use it for our Exchange multi tenancy.

If I remove one of the users that recieves the event 1101 from the sub OU to e.g. User OU and log back to the same server no error 1101, when put the user back to the sub OU then again get the error 1101.

I did check the Parent OU and the Autenticated users has no Read access, but at the sub OU  the Autenaticted users have Read Permission.

The only group policy is link to the OU is the default domain policy and no other Policy

I have 2 questions:

1. Why we get the event 1101 for the same user on some servers and not on all of the servers that this user login to.

2. we did not hadve this issue before and I see it just for some weeks now, how can we correct theis issue.

I also check the read gplink and write gpoptions and I have to say non of our OU has Allow permission to both of them.

Any help would be appreciate it.

Thanks

Shahin

Hi,

I have an issue when I run gpupdate /force on the user client. It gives me an error message, see below:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>gpupdate
Updating Policy...

User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were enc
ountered:

The processing of Group Policy failed. Windows could not apply the registry-base
d policy settings for the Group Policy object. Group Policy se
ttings will not be resolved until this event is resolved. View the event details
 for more information on the file name and path that caused the failure.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
rom the command line to access information about Group Policy results.

Please help how to resolve

Thank you. Jeff

Hi Guys,

I have inherited a Network with a few issues, my current big issue is that GPO's are not applying to users when they login to Terminal Servers. I checked on all of the Domain Controllers that the SYSVOL is up-to-date and that there are no Sync Errors showing in the event log on Domain Controllers. 

I have then looked at the Event Log on the Terminal Servers and again there is nothing relating to GPO failures. I have run GPResault on one of the user accounts being affected and I get back the SID of the GPO and Inaccessible. It's been a while since I've had issues like this with Group Policy and can't think what it is that is causing the issue. Does anyone have any suggestions?

I have tried to re-join the Terminal Server to the Domain to see what happens and at the moment that hasn't fixed the issue.

I am able to browse the SysVOL on the Domain Controllers so access to the files structure is fine. 

TPark IT Technician

Hello, 

Trying to troubleshoot a GPO that is not applying to users, I ran GPOTool on my main DC (Win Server 2008 R2), I have two other DCs (Win Server 2008 R2) as well. The main DC is DCS01, the other two DCs are DCS02 and DCS03. The first time I ran GPOTool, the results showed a sysvol mismatch. I noticed the timestamp on the GPO on each server did not match, so I tried making a change to the GPO to see if that would get it update across all DCs. After making the change I ran GPOTool again and the timestamp for the GPO matched on all three DCs but it keeps showing an error. Here is the error:

Policy {DBDAAE93-AC89-40C4-9C84-CD3513342690}
Friendly name: U_Basic User Policy
Error: DCS03.abc.xyz - DCS01.abc.xyz sysvol mismatch
Details:
------------------------------------------------------------
DC: DCS03.abc.xyz
Friendly name: U_Basic User Policy
Created: 8/2/2007 3:18:38 PM
Changed: 6/27/2016 4:21:07 AM
DS version:     30(user) 0(machine)
Sysvol version: 30(user) 0(machine)
Flags: 2 (user side enabled; machine side disabled)
User extensions: [{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: DCS02.abc.xyz
Friendly name: U_Basic User Policy
Created: 8/2/2007 3:18:38 PM
Changed: 6/27/2016 4:21:04 AM
DS version:     30(user) 0(machine)
Sysvol version: 30(user) 0(machine)
Flags: 2 (user side enabled; machine side disabled)
User extensions: [{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: DCS01.abc.xyz
Friendly name: U_Basic User Policy
Created: 8/2/2007 3:18:38 PM
Changed: 6/27/2016 4:20:49 AM
DS version:     30(user) 0(machine)
Sysvol version: 30(user) 0(machine)
Flags: 2 (user side enabled; machine side disabled)
User extensions: [{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}]
Machine extensions: not found
Functionality version: 2

As you can see, the error doesn't specify the sysvol versions on both DCs, it just says there's a mismatch. Any ideas how can I fix this?

Any help is greatly appreciated! Thanks!

Hi,

Will uploading the Windows 10 version of startmenu.admx to the central store break or disable the existing version of the same file? I need to control the Start Menu for Windows 10 and Windows 7.

Thanks

Jason

Hi,

I'm trying to configure Windows Update policies so when I go into WSUS and approve updates for a group, those servers will then automatically download the updates, install the updates and then restart the server once its been completed.

At the moment I am not seeing this behaviour, the policies I have configured are currently set to:

Allow Automatic Updates immediate installation                                                                                  Enabled

Configure Automatic Updates                                                                                                             Enabled

3 - Auto Download and notify for install

Do not connect to any Windows Update Internet Locations                                                                   Enabled

Specify intranet Microsoft update service location                                                                                Enabled

Turn on recommended updates via Automatic Updates                                                                        Enabled

With these settings enabled, the updates do not download and install automatically. I then enabled the policy 'Automatic Updates detection frequency' to every one hour, which then prompted the download of the updates. But the automatic install is still not working.

Can somebody please clarify this is correct, or if what I want is even possible.

Thanks,

Daniel

I'm trying to disable the Windows 10 feature that keeps changing the last used printer to the default on all of our domain joined computers at both locations. I attempted to browse the remote registry of a workstation I modified after I made the change on a workstation to disable the Windows 10 default printer feature however the HKEY_Current_User path was not available. I could only see HKEY_LOCAL_MACHINE and HKEY_USERS when using the registry wizard in Group Policy Management

My next thought was then to choose local computer using the wizard on the server and create the following key on our server and deploy it that way but I was curious if that was safe to do? the key is "HKEY_Current_User\Software\Microsoft\WindowsNT\CurrentVersion\Windows\LegacyDefaultPrinterMode" set to 1 (See link below)

http://windowsitpro.com/windows-10/reverting-new-default-printer-feature-windows-10-november-update

Hi, I've done before controlling Windows Firewall via GPO under

Computer Configuration > Administrative Templates >  Network > Network Connections > Windows Firewall > Domain Profile

and select Define inbound program exceptions

But the programs I allowed before are most of all .exe's which are very easy to define. What about windows components like these 2

1. File and Printer Sharing

2. Windows Management Instrumentation

The reason why I need to exempt both is because we have a SCCM server which I need to install clients. And in order for these clients to be installed, both components are needed to be excluded.

Do they have a shortened .exe file? or processes?

Thanks

Jeff

I am setting up a GPP to insert some users into the local Administrators group and when I browse for a regular user it puts it into the GPP no problem but when I select a inetorgperson account I get the following error"The object selected does not match the type of destination source. Select again."

Can you not select a inetorgperson to include in the GPP for local Administrators?

Specifically looking for(and we don't have it):

Computer Configuration\Administrative Templates\Windows Components\Windows Update\Always automatically restart at the scheduled time

Based on:

https://support.microsoft.com/en-us/kb/2885694  

(we need too configure this setting to prevent 2012 servers from rebooting when ever they feel like it)

I've downloaded and installed these: https://www.microsoft.com/en-us/download/details.aspx?id=36991

But I'm still missing the setting.

Any idea's?