Quantcast
Channel: Group Policy forum
Viewing all 19997 articles
Browse latest View live

Microsoft Office 2010 (machine)/Security Settings/IE Settings

August 4, 2016, 6:02 pm
$
0
0

Hi,

Few questions around the Office 2010 (machine) \ Security settings \ IE security hoping to get some clarification.

We downloaded the Office 2010 computer security from SCM 4.0 (as below figure, the IE Security settings is for Microsoft Office 2010):

When import the cab file into a computer gpo for office 2010. The IE settings went into the office 2007 system (machine) template, and nothing in the Office 2010 (machine) template:

We have tried exporting from scm and importing to different GPO many times. The IE Security settings always goes into Office 2007 template.

>> Can you please clarify if this is by design / or known issue / .... or ?

>> Problem is we cannot put this computer Office 2010 GPO to PRD env, as there are computer Office 2007 gpo out there with a different set of IE Security settings.

So we manually changed the IE settings for computer Office 2010 gpo.

However, another mystery (or not), for any settings configured, I.E Add-on Management, Bind to Object etc on the Office 2010 (machine) template, it get "replicated" / set on the Office 2013 (machine) as well as the Office 2016 (machine) !!!

>> This is by design . ????? Because we also noticed that by changing the Office 2013 (machine) policy for a Office 2013 GPO, the settings also get "replicated" to Office 2010 & Office 2016 template!!!

>> If this is by design ... how is it going to work for an environment where there are many version of Office on the PRD env, where each Office version has it own computer GPO with different settings?

Best Regards,





Search

The following GPOs were not applied because they were filtered out - Filtering: Denied (Security)

August 2, 2016, 9:58 pm
$
0
0

Hi Folks,

I'm getting this error when I run gpresult /r.

History of the policy:

I've created a group policy (under Computer Configuration) to create schedule tasks on our domain computers.

The policy is applied to workstation OU (where there are about 150 computers) but this policy needs to be applied ONLY to the computers that specific member of Global Security Group is logged into it.

I applied the Security Filtering by adding that Security Group and removing the Authenticated Users, then from Delegation tab, added Authenticated users to Read the policy.

How do I go about applying this policy correctly?

Thank you.

Sam.

Interactive Logon Message

August 15, 2016, 4:26 pm
$
0
0

All,

Is there a way to have more than one message by using the Interactive Logon: Message text for users attempting to log on?

If not, is there a way you can display a message when the user logs on and they have to press "ok" before they see the desktop?

Thanks in advance.

Jason

Remote Session Limits GPO applied but not working

August 15, 2016, 7:24 am
$
0
0

Hello all,

I have created and verified application of a GPO to limit disconnected or idle remote sessions to a specific period of time and then to disconnect them if this limit is reached. Although, after testing it numerous times, the GPO is not working. I created and html file using gpresult /scope computer and verified that the GPO is listed. In the scope of the GPMC, domain users, domain computers, and authenticated users is listed. The GPO is also built in User configuration AND Computer configuration. I have tried it just in user configuration but it did not work. I have not tried it alone in computer configuration yet as I wanted to see if anyone has any ideas. Thanks!

Edit: I also forced replication over all the DC and that does seem to be working as well.

-Tyler


Windows 10 Group Policy Preferences for Start Menu Shortcuts getting access denied

August 15, 2016, 2:27 pm
$
0
0

Hi All,

I have a Windows 10 Group policy (Users) and have Preferences to add several shortcuts to the Start menu and all of them are getting an Access Denied error when the policy is applied and you guessed it there is nothing added to the start menu.  I have all of the items checked to "Run in logged-on users's security context".  I have the network locations to have Authenticated Users and the group of folks this will apply to having Read, List, and Execute access on the share and all folders.

The error I am getting is: Event 4098, Group Policy Shortcuts

The user 'Phone' preference item in the 'Staff Win 10 {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}' Group Policy Object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.

It doesn't tell where it is being denied which is very frustrating.  Has anyone seen this, do you have a fix?

Jeff

editing ADMX file

August 15, 2016, 3:20 pm
$
0
0

Hi,

I need to edit ADMX, in other words to see all the Settings of ADMX.

The reason:

I replaced old ADMX with newer version. There are some problems that I suspect could be related to the replacement.

I think that some of the settings were suppressed in a new ADMX beside that new are available now.

I may be mistaken because most of the people confirmed that new admx never caused the problem.

But just to be sure I would like to compare both.

So, can we see the content of admx without using GPMC?

--- When you hit a wrong note its the next note that makes it good or bad. --- Miles Davis


DC Promo Problem

August 10, 2016, 4:58 pm
$
0
0

Hi All,

I've just promoted two new 2012 R2 DC's to our domain, currently we have two 2008 R2 DC's still running in Server 2003 mode.

Everything went as planned, but after looking around for some unrelated audit history I noticed that the Default Domain Policy has somehow been reset to the default settings of 6 characters minimum and the lockout times were also changed.

The interesting part.

1.This happened exactly the same time as the first promotion.

As far as I know this is not an expected result, right?

Any help appreciated!

Microsoft Edge favorites and homepage group policy settings not applying

August 1, 2016, 3:43 pm
$
0
0

Hi Everyone,

I've been working on getting group policy ready for our organization's Windows 10 roll out later this year. For certain computers, we need to be able to direct the Edge homepage to our SharePoint site, as well as be able to push out "favorites" directly to Edge.

When I first began working on our group policy settings, I was able to use the Windows 10 group policy settings "Configure Corporate Home Pages" and "Configure Favorites" to push these settings to our computers, and for a while it worked just fine. 

I noticed a couple of weeks ago that for some reason Edge is no longer going to SharePoint, nor is it displaying any websites under "favorites", despite my specifying these settings in GP.

What's strange is if I run RSOP.MSC I can see that the machine is getting the Edge policies, however once I run Edge, none of the settings apply.

Today I also modified the setting "Turn off Password Manager" in Edge group policy settings, and that one applies perfectly fine. I can see it in RSOP.MSC, and when I go to Edge advanced settings, the option is greyed out. However even with this setting working correctly in the same Group Policy Object as the other 2, the only one that applies is the Password Manager policy.

Because this is a Computer Policy, I've tried specifying the computer name in the scope, but still nothing.

Any help is greatly appreciated at this point!

Thanks!

Search

Prevent users to save specific type of file

August 9, 2016, 8:50 am
$
0
0

Hi, I want help to prevent all users on my domain to save certain types of files. But i want to block via extensions like .mp3, mp4, .zepto, etc. Im not sure how i can useApplocker or Software Restriction Policies i cant find where i can put the extension name. I will be very grateful.

With Thanks

Mapped drives not showing

August 8, 2016, 4:00 am
$
0
0

Hello 

We use Group Policy Preferences to map a number of drives to our users. All was working fine but now not all are not showing in the Computer window. Some users will get a drive but other will not. 

Running a GPResult we see that the drives are getting mapped same if we run a RSOP.MCS. We have also looked through the Event Log on both the client and servers and again cannot find anything out of the ordinary. Last week we remade the GPO from scratch, went through all Share, NTFS settings and user group membership, still no luck. 

Any ideas would be fantastic as we are fast running out of ideas. 

Thank you 

Group Policy for Execution Policy does not work for Powershell 5

August 9, 2016, 4:52 pm
$
0
0

Hi,

I have several Windows 7 workstations running with Powershell 3. The powershell UserPolicy execution policy (Remote Signed) comes from a GPO that I created.

Recently, I upgraded to Powershell 5 on multiple workstations and the GPO setting doesn't apply anymore. The UserPolicy now shows Undefined on these machines even though the gpresult tells me that the GPO has applied.

I reverted back to Powershell 3 on a few machines and the GPO applies perfectly as the UserPolicy changed to RemoteSigned.

Can you please help me?

Thanks,

Ashwin

Multiple queries in WMI filter for GPO

February 7, 2012, 7:19 am
$
0
0

Is it possible to have two different queries, querying two different classes, in a WMI filter?

I have read on one or two sites that you just create two seperate queries below each other, but that doesn't seem to work - at least not when I test it with WMI explorer.

An example of what I would want to do is:

Filter for all workstations running Windows 7 and that have a disk volume called 'OS'

So combining:

select * from Win32_OperatingSytem where Version >= '6.1' and ProductType = '1'

select * from Win32_LogicalDisk where VolumeName = 'OS'

??

GPO network issue

July 27, 2016, 10:32 am
$
0
0

I have an issue where Citrix servers will take 30 mins to process GPOs and login if the 2008 domain controller that holds the PDC role is inaccessible. I've identified that its a particular GPO that is being applied to the Citrix servers that causes this issue. If that GPO is removed the servers login fine even when the PDC is inaccessible.

The domain controller in question holds all the FSMO roles and all our site configurations are correct, with correct subnets, etc

What I can't figure out is why this would be the case. Can anyone give me a clue as to why a particular GPO is being accessed or is depending the PDC and not the local site DC?


GPP Printers: TCP/IP printer gets port IP_2.0.0.0

May 1, 2013, 9:23 am
$
0
0

Hello all.

I'm dealing with GPP printers and try to create two TCP/IP printers.Action is "update", Ienabled "use DNS-Name", the names I enter do exist in DNS and resolve to addressess that answer ICMP.Both resolve to my DCs and not to real printers, but that should not matter...

After doing GPUpdate on the client I have two new printers. Both have the SAME Port IP_2.0.0.0 assigned, pointing to the IP address2.0.0.0 ?!?!?

After changing one printer to a fixed IP (instead DNSName) and doing GPUpdate again, this new port gets created, but the printer itself is stuck to the oldand wrong port IP_2.0.0.0?!?

Client is Win8 x64, all automatic windows updates installed. I did this same thing years ago with Vista, and it worked flawlessly. And doing the same on other clients running Win7 x64 or WinXP works, too.

Is it me not seeing my error, or is GPP Printers broken in Win8?

And as I'm talking about that, one more issue: When I select a different shared printer paht, my local printer doesn't get updated - in neither OS. If I change action to "replace", it gets updated - but that's not the goal to reach, because this in fact deletes and recreates the printer. And all user settings for the prinner are lost.

I'm stuck and will happily receive any advice ;-)

regards,Martin

BTW: For those of you that are also reading the german GPO forum - I also asked the question there: http://social.technet.microsoft.com/Forums/de-DE/gruppenrichtliniende/thread/56540ea0-df1b-4531-889d-2bc034f9cbe2

Of course, one answer would already satisfy me...

NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!


Using GPOs to secure IE11

August 16, 2016, 4:14 pm
$
0
0

I recently embarked on a project to configure a student lab and one of the goals set forth was to limit the capability of student users from altering the configuration as well as deleting browsing history. While I was able to configure a lot of settings that help achieve this goal there was one issue that popped up among several that I simply could not work around via GPO. The delete browser history option remains available via alternate means despite having enabled the setting here:

Admin Templates>Windows Components>Internet Explorer>Delete Browsing History>Prevent access to delete browsing history

Users are still able to use the keyboard shortcut of Ctrl+Shift+Del or access the options via the safety menu and delete history. Am I missing some additional settings that can be enabled? I have combed through my options several times and I simply don't see it. I have seen articles referencing a registry key which can disable this but that would impact everyone I want to restrict specific users in specific OUs not every single user of the computers being managed. Any insight is greatly appreciated.


Search

GPO to avoid DNS-Registration in specific networks

August 16, 2016, 8:12 am
$
0
0

Hello everybody,

I'd like to create a GPO to avoid that our Windows-Clients (Laptops) register their Wifi-IP in DNS.
Sure - It would be easy to remove the checkbox in Advanced IPv4-Settings via GPO, but that should only happen if the client is in a specific Wireless-network.

Is there a possibility to do this via GPO?

Regards
Miranda

How do I successfully deploy shared printers via GPO? error 0x80070bcb on Windows 10 Pro + Windows Server 2012 R2

August 16, 2016, 9:15 am
$
0
0

I keep getting a GPO error 0x80070bcb on my Windows 10 Pro clients when trying to install a Brother shared network printer. Apparently this error means it can't find a driver (or can't install it).

  1. The printer is shared from a Windows Server 2012 R2 machine, which is also a DC in my domain.
  2. Printer is defined in GPO in User Configuration -> Preferences -> Control Panel Settings -> Printers as a simple Shared Printer with no special settings.
  3. I have downloaded the latest driver from the Brother website, which claims that the driver is WHQL Certified.
  4. I have installed both the 64-bit and 32-bit version of the driver to the print server.
  5. I have enabled Point and Print Restrictions via GPO in Computer Configuration -> Policies -> Administrative Templates -> Printers, and specified the aforementioned print server as an authorized source of drivers. Additionally, users can only print to machines in their forest, and I have disabled warnings and elevation prompts when installing a new printer (warning only is enabled for updating a driver).
  6. Printing works fine from the server.

What else is necessary to overcome this error?

Windows Server 2012 - problem with Disable any functions for users on Win XP

August 16, 2016, 2:08 am
$
0
0

Hello!

I'm new in Windows Server and i try to learn it. Pleasebetolerant.

I have trouble with group policy for users in Windows XP Pro

I'm trying disable functions like Task manager, Control Panel, disable desctop background etc. Any one of this function not works for me.

I Have 2 virtual machines: 1. Win Serv 2012, 2. Winows XP Pro. Both can ping therebetween and web sites ( google.com )

I created users : user1 and user2 and some more users. I instaled DHCP, AD DS, DNS. I connected  My XP to domain. All based functionaly was done and for example permissions to files works for them.

What i do for polices:

-Create Organization Unit in my domain.

- In GPO i create new GPO and i go EDIT

- I go to user configuration -> polices -> admin templates -> control panel and i edit "Prohibit acces to control Panel and PC settings" -> ENABLE ( so i disable it for users)

- Same i do for Task Manager, Wallpaper change etc.

- Next i go back to AD Users and Computers -> refresh on domain to show new Unit -> go tu Users -> Right Click on user1 -> Move... -> and move to new Unity.

- Then i logout User1 and log in again User1.

- And unfortunately User1 still can go to control Panel :/

Some body know what i do bad or what is wrong with this that my users on Win Xp Pro can operate setting which were disabled for them?

"GPO - Last time Group policy was applied" not up to date

August 10, 2016, 7:39 pm
$
0
0
Hey there. I have this issue whereby most of my users have this GPO outdated as one year ago. However, their Computer Setting is updated. I did not know where to start to troubleshoot this issue. Any advise for me?

Intermittent Failure Applying Drive Map Policy

August 17, 2016, 8:55 am
$
0
0

I have a standard group policy that I have used for years to map network drives.  Over the last several months I have noticed that users are having times where the drive maps are not being made.  All drive maps in the policy are set to replace and looking at the logs I can see where the drive maps are successfully removed.  When they start the process of adding them back, I get the following error in the log.

2016-08-17 07:46:13.821 [pid=0x488,tid=0x13c8] Error reading GPE XML data file. [ hr = 0x80070041 "Network access is denied." ]
2016-08-17 07:46:13.821 [pid=0x488,tid=0x13c8] Completed loading of package. [ hr = 0x80070041 "Network access is denied." ]
2016-08-17 07:46:13.822 [pid=0x488,tid=0x13c8] EVENT : The client-side extension could not apply user policy settings for 'Standard Drive Map Policy {B33E472F-FD76-48BF-B7C4-36C467AA64CB}' because it failed with error code '0x80070041 Network access is denied.'%100790275
2016-08-17 07:46:13.822 [pid=0x488,tid=0x13c8] Completed apply GPO. [ hr = 0x80070041 "Network access is denied." ]
2016-08-17 07:46:13.823 [pid=0x488,tid=0x13c8] User impersonation uninitialized.
2016-08-17 07:46:13.838 [pid=0x488,tid=0x13c8] Leaving ProcessGroupPolicyExDrives() returned 0x00000041

If I run gpupdate /force it will re-read the policy and apply it properly.  Does anyone have any ideas as to what could be happening here?  Where do I start trying to troubleshoot this issue?


Viewing all 19997 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>