Hi I want to change the privacy setting for the Internet Zone from Medium to Low. Can't seem to find the right location in the GP. Can someone please point me in the right direction.
GPO for changing privacy settings for Internet Zone
Server 2012 Windows Update Group Policy
I've deployed a few 2012 Servers using the same Group Policies that I have been using on our 2008 R2 SP1 servers for Windows Update. On the 2008 R2 SP1 servers the boxes install updates at 2:00am and restart. The 2012 servers install the updates at 3:00am and display a prompt that they will restart in a couple days. It is now 14 days later and they still have not rebooted. This is the only Group Policy applied to the OU these servers are in. When looking at the UI for Windows Update > Change Settings, it says "Some settings are managed by your system administrator" but you cannot see the details like you used to so I know that Group Policy is at least trying to control Windows Update. I've looked in the registry on the 2012 servers and the Group Policy settings are there but not all of them appear to be working. Why is this occurring and what do I need to do to fix it? Thanks.
Group policy preferences : Variable (%programfilesdir%) in WMI query
Hi!
I set this query : Select * from CIM_DataFile where Name='C:\\Program Files\\bginfo\\startup_template.bgi' and LastModified='20100810145110.821214+120' in a WMI Query targeting. It's working fine but I would like to replace c:\\program files with the variable "programfilesdir". I've tried different syntax with no success.
Thanks for your help
Chris
Wallpaper Policy Issue
Hi,
We have applied a policy on the OU to apply a wallpaper from network location like \\Servername\wallpaper.jpg using the User based policy Administrative Templates\Desktop\Desktop\Desktop wallpaper. It is working fine however we have filtered out a group of users from this policy by changing ACL of policy to deny read and apply GPO for this group.
After rebooting the PC the wallpaper becomes blank but after sometime if the user reboots his PC then it again shows the wallpaper.
We have created another policy and in filtering i have allowed only this group to apply GPO and configured policy Administrative Templates\Desktop\Desktop\Desktop wallpaper to disable but still no help.
I have checked the path "AppData\Roaming\Microsoft\Windows\Themes" and found a different image file as Transcodedwallpaper.jpg.
I am not able to understand from where the wallpaper is getting applied. I have thoroughly checked but there is no other wallpaper policy.
In RSOP.MSC the policy with wallpaper disabled is showing as applied
Group Policy not applying or displaying in rsop on Windows 10 clients
We recently upgraded several Windows 7 pro sp1 clients to Windows 10 Pro (10586). Since the upgrade several Group Policies (in this case, specifically User Policies) have been failing to apply successfully or even be displayed in any context by gpresult /r or the group policy results wizard. We are running a 2008 R2 domain. These are all policies that were and are still functioning properly on all Windows 7 pro SP1 clients. All clients are fully patched as of today.
I've refreshed group policy and rebooted these machines countless times. We simply can't seem to figure out why these clients are behaving in this manner. Any direction or suggestions would be appreciated.
Thanks in advance.
Will Windows Server 2008 GPOs work on Windows 10 or not?
Printer deploy fails on new computers?
Hi,
I've been using Group Policy to deploy printers for a couple years now and generally speaking it's worked well. I recently purchased a handful of new computers and am trying to roll them out to my users. I've setup 5 computers in the last few days and they all get the same policies.
Problem is, is that only one of the 8 or 10 printers in the policies is getting installed on these new computers. All existing computers are working fine from what I can tell.
I checked GPResults /R and it reports that the policies are being applied. I tried multiple reboots and even a few GPUpdate /Force commands. Still no joy, as they say.
I thought I might have a time sync issue because of a warning in event viewer but I was able to get time to sync and that didn't help either. Only related message I see in the event viewer is a warning about the Group Policy Client Side Extension Group Policy Drive Maps being unable to apply because changes must be processed before system startup or user logon. But my drive maps are applying correctly.
Any thoughts as to what would cause this or any other troubleshooting steps I can take?
Thanks in advance,
Linn
Oops, these are Windows 7 Pro 64-bit computers, BTW. Same as all the computers in this OU.
Group Policy folder redirection settings not being applied - Windows 10 clients, Windows Server 2012 R2 Standard
Hi all,
I'm having an issue whereby folder redirection settings aren't being applied to Windows 10 clients.
I'm running Windows Server 2012 R2 Standard with the latest updates and Windows 10 Professional with the latest updates.
Event viewer shows a list of the GPOs being processed, however the folder redirection one isn't listed. There are no WMI filters on the folder redirection GPO and it works fine with Windows 8.1 clients. The strange thing is it isn't even listed - so no errors as such.
Has anyone else experienced this issue?
Thanks,
KL
GPO Denied Inaccessible
This is the second day that I have had a call come in with a user having issues with drive mappings so I am getting worried there could be a larger issue at play and am hoping you all could help me figure it out.
The issue today is with a different GPO than the one yesterday but the same kind of issue dealing with drive mapping.
The user is logging into their computer and the drive is not being mapped. Checking the gpresult I find that the GPO is being denied as inaccessible and only showing the Unique ID instead of the name.
This is not happening for all users.
Things I have tried
- I have checked to ensure the user is in the correct security groups to have access to the GPO
- I have checked the permissions in AD and SYSVOL for that GPO and even verified the effective permissions for that user.
- Logged in as that user I can navigate to the SYSVOL and even open the GPO ini file in its folder so no doubt the user has access to the GPO.
How I fixed it yesterday but would prefer to find a better solution or the reason why this is happening
- Yesterday I deleted the GPO and recreated it with the same settings and that fixed the issue.
Any help would be greatly appreciated.
Offline Files with Redirect folders by GPO
Hello
Some clients (Windows 7 Sp1) are under Microsoft Domain (Win 2008 R2).
I activated the GPO for redirect folders (My Documents) to a Group of users, with offline mode enabled.
This GPO is correctly deployed to the clients, and in fact My Documents folder is correctly redirected to the server. On the client, I can work on it without any problem.
The problem is about offline files.
If I remove the network cable, or if I click on "offline" in My Documents, the files appear grey, with a grey X on them, and if I try to open them, I see a message that says the files are not available.
On the client machines, Offline Files is enabled, and disk space for them is used.
But if I click on "visualizza file offline" (see files offline), and I try to open the files, I can't, and I see the same message that the files aren't available.
Automatic synchronisation seems to be executed correctly, in fact I see the cyan tick saying all is ok. But if I try to sync manually, every file strikes the error that it is impossible to access the files because the file is used by another process.
In the sync centre there aren't sync conflicts.
Windows Server - Start Menu Layout
Hi,
I'm trying to remove every icon from the start menu, in order to only use the All apps area by the way of a GPO.
So I have tried to apply a "blank" layout : here is the xml :
<LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" />
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>
The problem is that the "search" icon always remains and it seems that it is why the start menu layout doesn't apply :
Then I have applied another XML layout template with some applications (I am sure this xml file is correct) and same thing : the search application remains in a group named "Windows Server".
I have never added the search application to the start menu and I have never created such a group.
Moreover the shortcut search is not present in C:\ProgramData\Microsoft\Windows\Start Menu\Programs as well as in C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs.
I'm using Windows Server 2016 TP5...
Thanks for your reply!
Can't edit default domain policy !!
Hello gentlemen,
I'm a student and I have a problem: I can't edit my Default Domain Policy
"Group Policy Management/Forest:test.com/Default Domain Policy"
I can't even edit "Default Domain Controllers Policy".
I'm an Administrator, I have full rights. Is something missing?
Please help.
AD / SYSVOL Version Mismatch Alert after deploying MS16-072 / KB3159398
Prior to deploying MS16-072 / KB3159398 to our Win7 and Win8 systems, we reviewed all our GPOs and added Authenticated Users with read where it was removed for security filtered GPOs per the Microsoft guidance due to the user policy processing context changing from user based to computer based.
We have now deployed KB3159398 to a few test win7 and win8 systems and after comparing before and after gpresult reports are seeing a different issue impacting the Windows 7 systems only, we are wondering if Microsoft is aware of this additional issue with the patch.
After receiving the patch Win7 systems are showing an AD / SYSVOL Version Mismatch Alert with the SYSVOL version showing as 65535 for almost all computer policy as well as user policy GPOs. Win8 systems with the patch deployed are not showing the issue and show no alerts, and they show the AD / SYSVOL version in sync as normal.
When looking at the details for a specific GPO, the SYSVOL version now shows as SYSVOL (65535). Looking at other articles online, it appears this version that is displayed is likely not correct and may be due to the GPO being inaccessible to the computer or user (when a GPO is not accessible to the computer or user, the GP engine stores the SYSVOL version as hex FFFF, which translates to a decimal value of 65535).
I am wondering if Microsoft is aware of this as another issue with patch KB3159398?
I should clarify that the mismatch is showing for many GPOs that have always had Authenticated Users listed in Security Filtering (read and apply group policy), as well as for computer policy, so it isn't only showing for GPOs where Auth users was recently added.
I do see other people reporting this exact issue here:
GPO Denied due to security filtering
Hello,
Just followed this without luck https://technet.microsoft.com/en-us/library/cc759506(v=ws.10).aspx
I have 2 computer policies and 1 seems to be getting applied where the permissions are authenticated users and the other denied (due to Denied due to security filtering), I have a specific AD group bound to it with the correct users in it.
They are similar policies, what happens if the user is in both, do they merge or one wins and denies the other?
If I run the GPO wizard it says it's denied because of security filtering.
Thanks
New machines will not pull gpo and old machines will not pull non-cached gpo's
We are having issues with new machines going into a specific subnet not pulling or re-applying gpo's to workstations at the branch office only.
We have done wireshark testing, validated DNS, WINS, ran dcdiags, gpresults. We have relocated user and computers to different branch offices and they work fine.
From a delete profile or new profile the gpresults are blank or empty. Preset systems gpresults run fine.
We have tested networking for that branch office and trace routes and pings are successful to the dc's.
Thanks,
Chris
KB3163912 breaks Point and Print Restrictions GPO settings
Our labs install our printers through a simple Start Menu\Programs\Startup VBS script that points to a printer depending on the machine name. This saves anywhere from 1-5 minutes from our login times.
This morning after the new cumulative update KB3163912 all our lab machines are now prompting for admin credentials to install these print drivers.
I have changed the Point and Print Restrictions section of our GPO to both "disabled" and "enabled" but without server restrictions, and disabling elevation prompts. Neither takes any effect.
After removing KB3163912 the printers install fine without any prompts.
We can add our printers back to the typical GPO location for now, but no doubt we will receive complaints on our login times increasing.
GPResults show our group policies are processing fine on machines that are both pre and post KB3163912.
Installing Remote Management through GPO
I am trying to install Remote Management through GPO.
Environment is Server (2012 R2) as administrator and client computer is Windows 7 Professional (SP1).
When I run this, it works
Invoke-Command -Computer Client -ScriptBlock {Restart-Computer -Force}
When I run this, it fails.
[string]$UserID = 'MyDomain\Administrator'
[string]$Password = "Password"
[System.Security.SecureString] $SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force
$Credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($UserID, $SecurePassword)
Invoke-Command -Computer Client -Credential $Credentials -Authentication Basic -ScriptBlock {Restart-Computer -Force}
This is the error message
[CLIENT] Connecting to remote server CLIENT failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (CLIENT:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : ServerNotTrusted,PSSessionStateBroken
Settings can not be changed after GPO is removed
Hello,
I have noticed over the past couple years that when we change or remove group policies based on changes in our environment, the settings on our computers change and still give that fun message stating "Some settings are managed by your system administrator" and will not allow you to modify them. I have tried multiple things while searching forums about this, including applying a new GPO to hopefully overwrite the old one; deleting registry keys which are supposed to remove the old policies; removing the machine from the domain, then running gpupdate /force, and rejoining; and others I cannot think of off the top of my head. In the end, the settings remain the same and remain unchangeable. The only way I have found to get rid of these settings is to wipe the machine and reinstall Windows. Two examples of settings I am talking about:
1) We had a GPO which pushed out SSIDs to our laptops. At some point, we made changes to the SSIDs that we use, and changed the GPO accordingly. The new SSIDs were pushed out, but the old ones remain and still do not allow for removing them manually on the computer - even though the old policy no longer even exists. So users who have been around long enough to remember the old ones still get confused and sometimes try connecting to these because they auto-populate in the list even though they are not an actual broadcast SSID anymore.
2) Similar story as above, but with power settings. Things like changing the behavior of pressing the power button, closing the lid on laptops, timeouts for turning off the screen and putting the computer to sleep. We have found the need to change these settings for some users/computers, but when we remove the old GPO and apply a new GPO to overwrite these settings, they do not take effect. Also, they cannot be changed manually if the old GPO is removed and no new GPO is applied.
Has anybody else run into this issue, and found a way around it other than re-imaging? Preferably it also does not involve removing the machine from the domain and rejoining... as a couple machines in our organization that have fallen victim to this are servers. Any help would be greatly appreciated!
GPO is no longer applying
I have a GPO with Folder Redirection settings for users which redirects the Desktop and Documents folders to a network location accessible through DFS. The GPO is linked to the OU containing the users. It also has Security Filtering applied with a specific Global security group. The group contains two other groups which contain the users affected. The GPO is enabled, the link is not enforced and Policy inheritance is not configured on the OU. Loopback processing is not enabled as well. This configuration worked for a while without any issues.
One day I noticed that files written to the Desktop and Documents folders are no longer kept in sync with the server version. This applies to all users that had Folder Redirection configured. I checked and determined that these folders are actually in the local user profile on the computers - as if the policy had been removed. Normally, when the folders are redirected, they do not appear in %USERPROFILE%. And indeed - the policy does not apply anymore, I verified this using gpresult. Interestingly, the GPO is neither listed in the Applied GPO list, nor in the Denied GPOs list. However, the policy IS linked and ENABLED and CONFIGURED. I also checked whether the GPO is linked from all domain controllers' point of view - it is, no replication issues. Everything behaves as if the policy has been removed and the folders got redirected back to the local user profile which is to be expected, however the policy is linked. Interestingly, when the user logs on, the message "Applying Folder Redirection settings" appears for about 20 seconds. When this used to work, the message was shown only for 2-3 seconds. Any ideas how to investigate further?
Only Windows 10 Machines cannot gpupdate, Access Denied on Server 2012R2
Bear with me as I set this up. Four weeks ago, I stood up a server with 2012R2 to build a domain. Everything went well, except the Windows 7 machines could not open the shares. As it turns out, Windows 7 could not use the added Encryption feature when creating the shares, however, I already destroyed my server by reinstalling 2012R2 before I figured that out. Ever since, all Windows 10 machines are not able to get the Group Policy. I am on my fourth installation and rebuilding of my domain.
I was afraid that some metadata might have been left over from the previous installs, so this last time I ran a Clean All during installation. I took my time like the first install, adding one role at a time, updating the server, and making my configuration. The roles installed are AD-CA, AD-DS, DNS, DHCP (inactive), File Server, FSRM, FS VSS, and Storage Services. Features are .NET 4.5, .NET 4.5 WCF Services TCP Port Sharing, GP Management, Remote Server Admin Tool>AD-DS & AD LDS Tools>Active Directory module for PS, AS DS Tools>Active Directory Admin Center and AD DS Snap-Ins & CL Tools.
I set my default group policy to use 128 bit encryption, schannel requires encryption or signature always, and then other logins are negotiated, but do not require encryption. I left default domain controller policy alone at first. I made several other changes as well.
When I joined the Windows 10 machine A to the domain, it did not take all GPO's. I joined Windows 10 machine B and that did not take all GPO's. Both machines failed gpupdate, Event ID 1058 Error 5 Access Denied. I've looked this up for hours, but could not find an answer that corrected my issue. Both machines were previously on the earlier domains and had residual evidence of that in the registry. Unfortunately, the newest login information/user was not updated with the current data under HKLM\Software\Microsoft\Windows\CurrentVersion\GroupPolicy. History has the new domain name and the correct server name, but that was also the previous FQDN (changed it for security reasons by adding a secondary level)(subdomain.domain.com). That was machine A. Machine B, after joining to the domain had very little domain information. Only under History did it have the server name and the FQDN. The users had no domain info.
So, I realized that everything works when Windows 10 was never previously joined to a domain and that is when I took a fresh Windows 7 machine that was never on this domain or any previous and then installed Windows 10 as a clean install. I did not give it time to do any updates and then quickly joined the PC to the domain and renamed it. The registry failed to get anything off the domain and failed gpupdate. The only other settings that may affect anything is to restrict anonymous logons or anonymous anything and to exclude anonymous from Everyone user profile.
I then went through my server errors messages and made corrections. Most of the errors are due to services running before AD DS got fully running. I ran some CMD tests and all were successful. I do not remember all, but nltest was one. I ran Wireshark on both the server and Machine A and confirmed that the server is denying access to my Windows 10 machines. On the server side, Invoke-GPUpdate machinename, or with the IP, fails as computer is not responding. Target is shutoff or Remote Scheduled Task Management Firewall Rule disabled. CategoryInfo :OperationTimeout ArgumentException. FullyQualifiedErrorID:COMException,Microsoft,GroupPolicy.Commands.InvokeGPUpdateCommand.
When I run update from Group Policy>right-clickDomain>Group Policy Update... Fails Error Code 8007071a remote procedure call was cancelled.
Turned off all firewalls. Activated all possible services. Turned off IPv6. Ran Wireshark
Wireshark shows ldap binds successful, SMB2 negotiations as being successful, and then SMB2 Session Setup Response, Error: STATUS_ACCESS_DENIED followed by resets. This is the case whether I did a gpupdate from client or invoke-gpupdate from server.
Machine A Event Viewer under Applications&Services>Microsoft>Windows>GroupPolicy- system call to access specified file completed. Call failed after 32 milliseconds.
Event ID 7017 Error Code 5.
And then the System Log> Event ID 1058 Error 5.
I am able to browse the network to the share and open files/folders. Access is only denied with GPUpdate. DNS works well as all machines point to the DC, nslookup is good, I RDP into the DC using its domain name. There has to be a setting somewhere on the server to allow this.
The server has SMB errors
SMB Session Authentication Failure
Client Name: \\192.168.186.104
Client Address: 192.168.186.104:4857
User Name: domainname\justinh
Session ID: 0xFFFFFFFFFFFFFFFF
Status: {Access Denied}
A process has requested access to an object, but has not been granted those access rights. (0xC0000022)
Guidance:
You should expect this error when attempting to connect to shares using incorrect credentials.
This error does not always indicate a problem with authorization, but mainly authentication. It is more common with non-Windows clients.
This error can occur when using incorrect usernames and passwords with NTLM, mismatched LmCompatibility settings between client and server, duplicate Kerberos service principal names, incorrect Kerberos ticket-granting service tickets, or Guest accounts without Guest access enabled
Event ID 551 Error and these relate to each failed gpupdate.
Sorry this is so long, but I have been trying to figure this out for three weeks. Been all over Google, Microsoft, and other help sites.
Justin