Quantcast
Channel: Group Policy forum
Viewing all 19997 articles
Browse latest View live

Drive Mapping

August 19, 2016, 8:33 am
$
0
0

Hello,

I am having problems mapping a drive. I have tried it using both servers running Windows Server 2012 & Windows Server 2008. 

This is how it's configured on the Windows Server 2012 

Security Filtering is being applied to two security groups. the first targeting all computers in my OU & second targeting all users in my OU. 

I tried both Create, Update, & Replace as the action

I have entered the location and checked reconnect

I have clicked the common tab selected both: Run in Logged-on user's security context (user policy option) & Item-Level Targeting. I have targeting two security groups. 

I have ran gpupdate /force and checked the system that the drive is suppose to be applied to and the drive wasn't there. I ran gpresult and discovered it wasn't being applied due to Filtering: Denied (Security)

This is how it's configured on Sever 2008

I selected delete under the action tab & then delete the drive under Windows 2012 before trying it out on the other server.

Security Filtering is being applied to two security groups. the first targeting all computers in my OU & second targeting all users in my OU.  I have also tried using just authenticated users in security filtering.

I tried both Create, Update, & Replace as the action

I have entered the location and checked reconnect

I have clicked the common tab selected both: Run in Logged-on user's security context (user policy option) & Item-Level Targeting. I have targeting two security groups. 

I have ran gpupdate /force and checked the system that the drive is suppose to be applied to and the drive wasn't there. I ran gpresult and discovered it wasn't being applied due to Filtering: Denied (Security)

I can't discover what's causing the policy to be denied due to security. could someone assist me?

Thanks,

Search

Account Keeps Locking out Cross Domain

August 19, 2016, 11:30 am
$
0
0

We have an environment where a batch file is fired off in one domain to map drives in another domain.  the batch file has simple net use commands to map the drives with the username and password explicitly defined.  we have a group policy that says please lock the account after 6 failed logon attempts in the domain where the account lives.  A few times a day this is happening, where users in citrix are accessing a web app, it fires off the map drive batch file, and they are in business.  but the account locks out after a while.

does anyone know if their is some group policy that limits logon attempts from one domain to another?  we see the account, we know where it is initiating from, yet it just wants to lock after a while.

thank you

Ken

Edge Favorites - In folders

August 4, 2016, 12:03 pm
$
0
0

When setting up the Configure Favorites GPO (CC > Policies > Administrative templates > Windows Components > Microsoft Edge) how would you create a folder structure to dump them in?  You know... cause as a company we like organization rather than dumping everything in the root?

I assumed I could just set Value Name like this:

Folder1\Favorite1

Folder1\Favorite2

Folder2\Favorite1

etc...

Nope. No dice.

I want to block application with the help of group policy

August 20, 2016, 5:16 am
$
0
0

Hello Support,

I am using ADFS 3.0 with O365. Please help to create group policy restricts accessing o365 application.

for example if user A try to access share point then it should  be block but when user b try to access share point then it should be work (both are different group member)

Advance Group Policy Management issue

August 11, 2016, 4:58 am
$
0
0

We are running Windows Server 2012 R2 64 bit..  AGPM is version 4.2.22 after installing MS 16-072 KB3159398 and  MS 16-075 KB3161561 AGPM stopped working I can no longer get to change control folder.  AGPM service will not run.  I have removed these patches and Policies seem to be set correctly, however.  I cannot get to change control. When I try to open folder I get a MMC cannot initialize snappin.  Also log file has a config  error Failed to initialize Program files\Microsoft\AGPM\Server\AGPM.exe.config line 3 ...configuration schema error
 Also in an effort to fix issue I ran the following:

Get-GPO -All | Set-GPPermissions -TargetType Group -TargetName "Domain Computers" -PermissionLevel GpoRead

I get an Expection from HResult:0x80070005(E_ACCESSDENIED)

Upon further research I have found that on my Domain Controller policy guid the icacls is showing duplicate and different values for I have

 for 3 users with different permissions and on my member server policy guid I have one user with different permissions how do I remove the incorrect icacls


Windows 10 Group Policy Preferences for Start Menu Shortcuts getting access denied

August 15, 2016, 2:27 pm
$
0
0

Hi All,

I have a Windows 10 Group policy (Users) and have Preferences to add several shortcuts to the Start menu and all of them are getting an Access Denied error when the policy is applied and you guessed it there is nothing added to the start menu.  I have all of the items checked to "Run in logged-on users's security context".  I have the network locations to have Authenticated Users and the group of folks this will apply to having Read, List, and Execute access on the share and all folders.

The error I am getting is: Event 4098, Group Policy Shortcuts

The user 'Phone' preference item in the 'Staff Win 10 {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}' Group Policy Object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.

It doesn't tell where it is being denied which is very frustrating.  Has anyone seen this, do you have a fix?

Jeff

Applying Screen Saver and Background using GP

June 16, 2016, 2:27 am
$
0
0

I have pushed the Screen Saver and Back Ground screen using group policy. It is working fine but since that time user facing issue slowness in the network in the remote branches.

Below are the steps how I have implemented this. I created a share folder and copy the background and screen saver in it and give the UNC path in the Group policy.

Any have idea how to fix this issue.

IGrouppolicyobject new method doubt

August 21, 2016, 3:12 am
$
0
0

Hi..

I am trying to create gpo programatically across forest using IGrouppolicyobject.

For New method of IGrouppolicyobject:

For 1st argument: Am passing LDAP://dcname/DC=domain,DC=com

2nd argument: gpoName

3rd argument: GPO_OPEN_READ_ONLY

And before creating igrouppolicyobject interface's object, am impersonating (using LogonUser windows function) as the domain admin on which the gpo is getting created. And impersonation is successful.

But am getting:

Access is denied. - Error Code : 80070005

when trying to create gpo using New method of IGrouppolicyobject.

But am able to open the already existing gpo using OpenDSGPO method of IGrouppolicyobject successfully.

Kindly guide me.

Search

Windows Server - Start Menu Layout

July 15, 2016, 9:11 am
$
0
0

Hi,

I'm trying to remove every icons from the start menu, in order to only use the All apps area by the way of a GPO.

So I have tried to apply a "blank" layout : here is the xml :

<LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
  <LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" />
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>

The problem is that the "search" icon always remains and it seems that it is why the start menu layout doesn't apply : 

Then I have applied another XML layout template with some applications (I am sure this xml file is correct) and same thing : the search application remain in a group named "Windows Server".

I have never added the search application to the start menu and I have never created such a group.

Moreover the shortcut search is not present in C:\ProgramData\Microsoft\Windows\Start Menu\Programs as well as in C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs.

I'm using Windows Server 2016 TP5...

Thank for your reply!


i need a GPO to enable photos, signature and link auto download for domain users only

August 6, 2016, 2:45 pm
$
0
0

hi

i need a GPO to enable photos, signature and link auto download for domain users only, FYI the junk filter is disabled 

thanks 

Using Group Policy Objects to hide specified drives

August 10, 2016, 11:04 am
$
0
0

Hiding a special drive Q with Group Policies

Platform: Windows Server 2008R2

We have edited the following files:
% SystemRoot% \ Policydefenitions \ Explorer.admx
% SystemRoot% \ Policydefenitions \ en-US \ Explorer.admx

Now what should we do?

a) Save these files with Save As and rename these files to the following:
% SystemRoot% \ Policydefenitions \ Explorer_special.admx
% SystemRoot% \ Policydefenitions \ en-US \ Explorer_special.adml

b) Then create a new GPO object called HideSpecialDrives?

But where do the new Explorer_special.admx file in the Group Policy object displays:
Will it appear like this:
User Configuration - Administrative Templates - Windows Components - ????

Or it will it appear like this:
User Configuration - Administrative Templates (custom) - ???

Right now it looks like this before we done anything - see screenshot

(But how will it look like after we done the above described?)

Windows Server 2012 - problem with Disable any functions for users on Win XP

August 16, 2016, 2:08 am
$
0
0

Hello!

I'm new in Windows Server and i try to learn it. Pleasebetolerant.

I have trouble with group policy for users in Windows XP Pro

I'm trying disable functions like Task manager, Control Panel, disable desctop background etc. Any one of this function not works for me.

I Have 2 virtual machines: 1. Win Serv 2012, 2. Winows XP Pro. Both can ping therebetween and web sites ( google.com )

I created users : user1 and user2 and some more users. I instaled DHCP, AD DS, DNS. I connected  My XP to domain. All based functionaly was done and for example permissions to files works for them.

What i do for polices:

-Create Organization Unit in my domain.

- In GPO i create new GPO and i go EDIT

- I go to user configuration -> polices -> admin templates -> control panel and i edit "Prohibit acces to control Panel and PC settings" -> ENABLE ( so i disable it for users)

- Same i do for Task Manager, Wallpaper change etc.

- Next i go back to AD Users and Computers -> refresh on domain to show new Unit -> go tu Users -> Right Click on user1 -> Move... -> and move to new Unity.

- Then i logout User1 and log in again User1.

- And unfortunately User1 still can go to control Panel :/

Some body know what i do bad or what is wrong with this that my users on Win Xp Pro can operate setting which were disabled for them?

Mapped drives not showing

August 8, 2016, 4:00 am
$
0
0

Hello 

We use Group Policy Preferences to map a number of drives to our users. All was working fine but now not all are not showing in the Computer window. Some users will get a drive but other will not. 

Running a GPResult we see that the drives are getting mapped same if we run a RSOP.MCS. We have also looked through the Event Log on both the client and servers and again cannot find anything out of the ordinary. Last week we remade the GPO from scratch, went through all Share, NTFS settings and user group membership, still no luck. 

Any ideas would be fantastic as we are fast running out of ideas. 

Thank you 

Some Policy Settings Not Applying

August 22, 2016, 7:17 am
$
0
0

Hello,
We have an issue with Group Policy (2008 R2 Enterprise, Windows 8.1 & Windows 10)

Scenario:
-Helpdesk images the computer, no issues present.
-User logs in (first login), notices the IE home page and laptop power settings, are not being applied. (there may be other settings not being applied, this is what we've identified)

The bulk of the policy settings are applied, however some minor settings like the IE Homepage & power settings do not apply until:
- User Log Off/On
- User Restart
- Manual gpupdate /force
- Login and Wait 90 minutes

If I login and check the registry, the key is defaulted to microsoft.com, until the log off/on or restart or gpupdate in which case it does update to the companies homepage url and power settings are populated.

Background Info:
We want the user to be able to modify the homepage, so we are using a registry key deployment via GPO
User Config - Preferences - Window Settings - Registry

When running gpresult - it shows no errors with User or Computer policy.

Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon (We have this enabled already)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GpNetworkStartTimeoutPolicyValue
- No difference using this method, delaying it 60 seconds.  Checking the registry, the file does not exist until 
doing a gpupdate /force, reboot, log off/on or waiting 90 minutes.  
Ref: https://support.microsoft.com/en-us/kb/2421599

Delegation Tab of User includes: 
Authenticated Users - Read (from security filtering)
Domain Admins- Edit settings, delete, modify security
Enterprise Admins - Edit settings, delete, modify security
Enterprise Domain Controllers - Read
System - Edit settings, delete, modify security

Please Help

Troubleshooting Group Policy to Windows 10 LTSB

August 22, 2016, 12:05 pm
$
0
0

Group Policy is a lot like Exchange. It works so great, when it wants to work. Of course group policy isn't finding its way to my computers.

My network is simple; 200 computers on a relatively flat network (2 vlans), and two server environment, one of which is the domain controller.  The computer are in the correct OU's and the group policies are enabled for the OU's they need to be applied to.

The workstations are Windows 10 LTSB computers and my server is 2012 R2 Standard.

I've reviewed many of the troubleshooting steps online both Microsoft and 3rd party.

Maybe I'm missing something, because this is aggravating.

The one and only policy that I need to work right now is printer deployments.

Search

GPO doesnt apply in Win10. Not even in "filtered out"

August 22, 2016, 2:46 am
$
0
0

Hi,

We have one GPO for determine wheter or not you can be local admin on your local PC. This GPO has been working without any problems in our environment for several years. Now with the implementation of Windows 10 we realised its not applying, not filtering out nor even showing in the list of accessible GPOs on the client.

I've tested by joining a user to this group and logging in to a Win7 client, works like a charm.

Tested logging in to a Win10 client, .. nothing.

Windows 10 output.

C:\WINDOWS\system32>wmic group where name='Administratörer' get
sid
SID
S-1-5-32-544

GPO

Administratörer (BULTIN) (Order: 1)

Local Group

Action

Update



Properties

Group name

Administratörer (BULTIN)

Description

Local administrator

Current user

Add

Delete all member users

Disabled

Delete all member groups

Disabled



Add members

BUILTIN\Administratörer

S-1-5-32-544


Have anyone any idea of what the problem can be?

Regards

Haris

Will I be able to manage GPO from 2008 R2 or Windows 7 after updating Central Store to Windows 10 Templates

August 16, 2016, 11:48 pm
$
0
0

Good morning,
i want to support Windows 10 in a Server 2008 R2 AD Domain (no 2012 Servers yet).
Will i be able to manage GPOs using Windows 7 or 2008 R2 RSAT after updating the Central store to the new Windows 10 templates?
Could there be a coexistence in Managing W7 GPOs from W7/2008 RSAT and Managing W10 GPOs from W10 RSAT?
Best regards

Deploy Screen Saver ( .mov and .png ) through GPO

August 22, 2016, 2:08 pm
$
0
0

Hi,

We have Windows Server DC 2012 R2 Domain Controllers and Client Computers are windows 7.

How to deploy .mov and .png files as a screen saver. I have three files which I need to deploy as a single screen saver. 

file1.mov ( 802 KB )

file2.mov ( 2.27 MB )

file3.png ( 1.69 MB )

The display can be in sequence one by one, but it must be deployed as a single screen saver.

Since the total size is 4.8 MB, what will be the recommended procedure to deploy. Please advise.

Thanks in Advanced.

Regards,Ali



IE - Lan settings getting over-written, via IE GPP settings.

August 22, 2016, 5:01 am
$
0
0

Hello Guy's,

Below IE Lan settings are getting overwritten and below settings are getting checked off:

I have below GPP settings on server 2012 r2:

Should I change them to Red?

Thanks in advance

GPP Run Once and do not reapply doesn´t work in Windows 10 v1607

August 12, 2016, 4:43 am
$
0
0

My observation is, that when I create GPP for user, create update or replace registry settings and set it to apply only once, it will not inherit. Right after I disable this Run Once - option, I get it working.

I´ve tested this in multiple machines with multiple accounts in my lab. Can anyone else confirm?


In Windows 10 1511 Run once works fine!
Viewing all 19997 articles
Browse latest View live
Search