Hi,

I created group policies to map network drives.  These are user policies and are assigned to an OU containing our users.

All worked well, but in the last couple of days they have not been applying to new users, nor do they re-apply if I remove a mapped drive then log off / on.

Running a gpupdate /force shows no issues.

Running a gpresult -r brings back 

MAP <drive name> on <Server Name> <! this is my group policy name!>
            Filtering:  Not Applied (Unknown Reason)

It only seems to be an issue on Windows 10.  When I log onto the server or another server 2008 in the network they map just fine.

I renamed one of the GP's just to see if it was being picked up - but no joy.

I created a new test drive mapping and applied it to the same user OU, but it is not being picked up by the gpupdate /force either.

Event log on the client machine shows:

"The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy."

does anyone have any idea?

Thanks!

Ian

Hi All,

I have a GPO to enforce screensaver using the sstext3d.scr screensaver. The issue is that users keep changing the text displayed until it is reapplied at intervals. I have used Software Restriction Policy (as suggested from my other post) but this actually prevents it from being activated. That is, when it is time for the screensaver to come on, I hear the chime but the screen just locks instead of displaying the scrolling text. Is there a way to prevent users from changing the text but also allow it to be activated?

TIA,

Vlad

Ebor

Hi there,

When booting a Windows 10 machine (Lenovo laptop) GPOs are not loaded. Of course I can apply them later on via gpupdate /force.

When I have a look into the system log I get always an error in there with the ID 1058. Checking the error code in the details says: Network access is denied (error code 65).

It tries to access a gpt.ini file from the policies but does not get through.

When I restart the computer, click the link in the error message I get an error that the file cannot be accessed. Nevertheless after about 30 seconds the access to the file just works.

For me it seems that there is a service pending start which is needed for the domain access. I bet it has to do with DFS as the GPO access works via DFS path(namespace).

This is quite annoying as the machine policies are not loaded neither the user policies.

Here the details from the error message:

Log Name:      System

Source:        Microsoft-Windows-GroupPolicy

Date:         10.9.2015 13.19.02

Event ID:      1058

Task Category: None

Level:        Error

Keywords:     

User:         xxxxxxx\xxxxxxx

Computer:      xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Description:

The processing of Group Policy failed. Windows attempted to read the file \\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.

b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

c) The Distributed File System (DFS) client has been disabled.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />

    <EventID>1058</EventID>

    <Version>0</Version>

    <Level>2</Level>

    <Task>0</Task>

    <Opcode>1</Opcode>

    <Keywords>0x8000000000000000</Keywords>

    <TimeCreated SystemTime="2015-09-10T10:19:02.977910800Z" />

    <EventRecordID>1318</EventRecordID>

    <Correlation ActivityID="{9C0C77C4-AFC1-4A0E-9BFE-BE698091D73C}" />

    <Execution ProcessID="932" ThreadID="3588" />

    <Channel>System</Channel>

    <Computer>xxxxxxxxxxxxxxxxxxx</Computer>

    <Security UserID="S-1-5-21-1410795398-2781916069-518169928-1178" />

  </System>

  <EventData>

    <Data Name="SupportInfo1">4</Data>

    <Data Name="SupportInfo2">912</Data>

    <Data Name="ProcessingMode">1</Data>

    <Data Name="ProcessingTimeInMilliseconds">421</Data>

    <Data Name="ErrorCode">65</Data>

    <Data Name="ErrorDescription">Network access is denied. </Data>

    <Data Name="DCName">\\xxxxxxxxxxxxxxxxxxxxxxxxxxx</Data>

    <Data Name="GPOCNName">cn={3933BE19-C3FF-4C22-9434-B64C654C8B06},cn=policies,cn=system,DC=xxx,DC=xxxxxxxx,DC=xxxxx</Data>

    <Data Name="FilePath">\\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini</Data>

  </EventData>

</Event>

Hello ALL

we are using 2012 R2 DC and want to disable the USB divices in all the client machines

i found the path as below, however i am not able to find system under Administrative Temp. Please advise, what am i missing

1. User Configuration-> Policies-> Administrative Templates-> System->Removable Storage Access
2. Computer Configuration-> Policies-> Administrative Templates-> System-> Removable Storage Access

thanks

NA

hi,

i've curently deployed roaming user areas on my network, and what i'm looking to do is to put the computer seting in a different GPO to the user settings ?

is this doable ?

at the moment i have 8 GPOs that control the users and to give them roaming user areas i have modify all of the GPO,

is there a way so that the curent 8 GPO only control the users and a 9th that would control all the cmputers ?

that way if i want to modify the computers i only have to modify 1 GPO and not 8

Hello, 

Trying to troubleshoot a GPO that is not applying to users, I ran GPOTool on my main DC (Win Server 2008 R2), I have two other DCs (Win Server 2008 R2) as well. The main DC is DCS01, the other two DCs are DCS02 and DCS03. The first time I ran GPOTool, the results showed a sysvol mismatch. I noticed the timestamp on the GPO on each server did not match, so I tried making a change to the GPO to see if that would get it update across all DCs. After making the change I ran GPOTool again and the timestamp for the GPO matched on all three DCs but it keeps showing an error. Here is the error:

Policy {DBDAAE93-AC89-40C4-9C84-CD3513342690}
Friendly name: U_Basic User Policy
Error: DCS03.abc.xyz - DCS01.abc.xyz sysvol mismatch
Details:
------------------------------------------------------------
DC: DCS03.abc.xyz
Friendly name: U_Basic User Policy
Created: 8/2/2007 3:18:38 PM
Changed: 6/27/2016 4:21:07 AM
DS version:     30(user) 0(machine)
Sysvol version: 30(user) 0(machine)
Flags: 2 (user side enabled; machine side disabled)
User extensions: [{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: DCS02.abc.xyz
Friendly name: U_Basic User Policy
Created: 8/2/2007 3:18:38 PM
Changed: 6/27/2016 4:21:04 AM
DS version:     30(user) 0(machine)
Sysvol version: 30(user) 0(machine)
Flags: 2 (user side enabled; machine side disabled)
User extensions: [{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: DCS01.abc.xyz
Friendly name: U_Basic User Policy
Created: 8/2/2007 3:18:38 PM
Changed: 6/27/2016 4:20:49 AM
DS version:     30(user) 0(machine)
Sysvol version: 30(user) 0(machine)
Flags: 2 (user side enabled; machine side disabled)
User extensions: [{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}]
Machine extensions: not found
Functionality version: 2

As you can see, the error doesn't specify the sysvol versions on both DCs, it just says there's a mismatch. Any ideas how can I fix this?

Any help is greatly appreciated! Thanks!

We're using Windows Server 2008r2, the system was set up a while ago when it was managed by an IT team for us

I've always wondered why none of the GPO services work and have been having a look, I'm able to go through the process of setting them up - but at the end of the process it always gives various error messages.

For example: GPO to manage logging out of users from service (force logoff when logon hours expire)

The parameter is incorrect

Failed to save

\\domain.local\SysVol\domain.local\Policies\{62746005-FB0B-4191-8073-9E677F115787}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

Make sure that this object exists.

Server is updated with all latest updates.

I've been looking at various topics similar to this but cannot find anything that seems relevant to this issue.

Has anyone seen this issue before? any helpful solutions would be appreciated.

hi

I make new gpo and want to import only computer policy portion from existing policy? Is that possible?

Hello,

I have a domain controller on a SBS 2008 server, all my clients are running on windows 10 pro.

I'm trying to install a WSUS on a Windows 2012R2 server in order to send updates to all the Windows 10 clients.

I created a test OU in order to test a GPO settings with WSUS, I added to this OU several Windows 10 machines, but the

Windows 10 machines are not getting the GPO settings for the WSUS and also are not registering to the WSUS server.

When I run gpresult /r on the Win10 machines under the Test OU I see the the WSUS GPO is not shown in the Applied Group Policy Objects list

Q1: Does SBS 2008 GPO settings applies and support Windows 10?

Q2: How can I investigate the source of this problem?



Thanks,

Wmickey

Group policy link order.

If you have a GPO with only "loopback - replace" applied (it's a remote desktop server), along with 6 other GPO, applied to an OU, does the link order where the loopback policy is applied make a difference?

For example:

Applied Group Policy Objects
    -----------------------------
        Loopback - Replace
        Copy of User - Drive Mapping
        Copy of User - DFS Folder Redirection
        Copy of User - DFS Map User Folder
        Copy of User - Upload Drive (Z)
        Copy of User - Trust Local
        Default Domain Policy
        Local Group Policy

-OR-

Hi All,

I installed windows patches last night and this morning found out that there were a number of issues with my GPO's.

Example: desktop image would not show up, A, B, C and D drives that were meant to be hidden from users is now showing up.

I found out that it was because of this update KB3159398. Here is the support article

https://support.microsoft.com/en-gb/kb/3163622

When I uninstalled this update and rebooted, everything was back to normal.

Just though I write something up incase someone else is having this issue after applying the updates last night on windows 2008 R2 server.

Kind Regards

Hi I got this error from my windows 2008 server:

Eventid 8194

Client side extension could not remove computer policy settings for ' ' because it failed with error code '0x8007000d The data is invalid.'

Detail: remove computer 0x8007000d The data is invalid

How do I solve the issue?

Regards.

When I rebooted my desktop today (for the first time in several weeks), I noticed it now takes several minutes for me to login. The first time it happened, I suspected the login process hung so I resorted to a "hard" reboot (i.e. by holding down the power button). However, the subsequent attempt also took a very long time -- but I walked away from the computer for a while and when I returned the login process had eventually completed and I saw my familiar items on the desktop.

However, I started seeing errors about exceeding my profile storage space. Note that I have a group policy configured to restrict profile storage to 250 MB. My current profile size is 5,795,030 (> 5GB).

I now see all files in my Documents folder being counted in the profile size calculation. However, I'm using Folder Redirection (via group policy) to store my documents on a file server -- and, consequently, these files were previously not counted as part of my profile.

I recently installed the latest round of patches via Windows Update (actually a local WSUS server) and I suspect the issue might be related to the following:

MS16-072: Security update for Group Policy: June 14, 2016

From <https://support.microsoft.com/en-us/kb/3163622>

Also note that after applying the updates, I used the script in the following post to identify GPOs that needed to be "tweaked" to grant "Domain Computers" Readpermission (and subsequently made the change to the GPOs):

MS16-072 – Known Issue – Use PowerShell to Check GPOs

From <https://blogs.technet.microsoft.com/poshchap/2016/06/16/ms16-072-known-issue-use-powershell-to-check-gpos/>

Has anyone else seen a similar issue with their profiles suddenly ballooning in size?

It seems strange that something like this could "slip through the cracks" -- but given the fiasco with Windows 10 and roaming profiles (ref1, ref2, ref3, ref4), it is also quite possible that this configuration is something that is not included in the test plan.

I'm trying to disable the Windows 10 feature that keeps changing the last used printer to the default on all of our domain joined computers at both locations. I attempted to browse the remote registry of a workstation I modified after I made the change on a workstation to disable the Windows 10 default printer feature however the HKEY_Current_User path was not available. I could only see HKEY_LOCAL_MACHINE and HKEY_USERS when using the registry wizard in Group Policy Management

My next thought was then to choose local computer using the wizard on the server and create the following key on our server and deploy it that way but I was curious if that was safe to do? the key is "HKEY_Current_User\Software\Microsoft\WindowsNT\CurrentVersion\Windows\LegacyDefaultPrinterMode" set to 1 (See link below)

http://windowsitpro.com/windows-10/reverting-new-default-printer-feature-windows-10-november-update

Hi,

I've been using Group Policy to deploy printers for a couple years now and generally speaking it's worked well.  I recently purchased a handful of new computers and am trying to roll them out to my users.  I've setup 5 computers in the last few days and they all get the same policies. 

Problem is, is that only one of the 8 or 10 printers in the policies is getting installed on these new computers.  All existing computers are working fine from what I can tell.

I checked GPResults /R and it reports that the policies are being applied.  I tried multiple reboots and even a few GPUpdate /Force commands.  Still no joy, as they say.

I thought I might have a time sync issue because of a warning in event viewer but I was able to get time to sync and that didn't help either.  Only related message I see in the event viewer is a warning about the Group Policy Client Side Extension Group Policy Drive Maps being unable to apply because changes must be processed before system startup or user logon.  But my drive maps are applying correctly.

Any thoughts as to what would cause this or any other troubleshooting steps I can take? 

Thanks in advance,

Linn

okay I have windows 10... a few pics I transferred from a windows 8.1 computer have been giving me trouble with renaming them ... even ones that I did on this computer have too

it keeps saying this

This action cant be completed because this file is open in LockScreenContent Server

Help please .. there's stuff I need to rename

This is the second day that I have had a call come in with a user having issues with drive mappings so I am getting worried there could be a larger issue at play and am hoping you all could help me figure it out.

The issue today is with a different GPO than the one yesterday but the same kind of issue dealing with drive mapping.

The user is logging into their computer and the drive is not being mapped.  Checking the gpresult I find that the GPO is being denied as inaccessible and only showing the Unique ID instead of the name.

This is not happening for all users.

Things I have tried

• I have checked to ensure the user is in the correct security groups to have access to the GPO
• I have checked the permissions in AD and SYSVOL for that GPO and even verified the effective permissions for that user.
• Logged in as that user I can navigate to the SYSVOL and even open the GPO ini file in it's folder so no doubt the user has access to the GPO.

How I fixed it yesterday but would prefer to find a better solution or the reason why this is happening

• Yesterday I deleted the GPO and recreated it with the same settings and that fixed the issue.

Any help would be greatly appreciated.

I created a new drive mapping in a GPP, after applying the GPO to a few people it deleted there ability to view drives. If you open "this PC" view in windows 10 it shows nothing but my the quick access view options. It just corrupted their profiles not the computer other users still have access to their drives how can i fix this issue without deleting profiles.

Hello,

We have a GPO set for computer configuration, applied at top of domain level, that sets Site To Zone assignments for many sites. Our users log onto a 2012 R2 remote desktop deployment with user profile disks (essentially roaming profiles). ESC is turned off on each of the servers in the pool.

Until recently, this GPO was working fine, but for most (if not all) users, the GPO is now seen to apply but the sites do not appear in IE under any zone.

If the user logs into the server whilst they have admin privileges, turns ESC on, and then back off through server manager, the sites all of a sudden appear in IE control panel. This then seems to follow them when logging into other servers, and cures the issue.

This is obviously not a workable solution for all 250 users in our org, so am hoping someone may be able to assist with diagnosing this? I wonder if there was some Windows update that has messed with the ESC config in the registry somehow, which caused this?

Cheers, Eds