Channel: Group Policy forum

Group Policy Startup Script to Append Hosts File


I'm trying to add an entry to the Hosts file on my Windows clients.  We don't have an internet URL for our DAC IP address so we have to fake one in the Host file.

I found a simple script to append it, but it keeps adding the new entry on the same line as the last REM'd sample line in the host file.

How can I do this so it reliably creates the new entry on a new line without duplicates?

@echo off

SET NEWLINE=^& echo.

FIND /C /I "da.contoso.com" %WINDIR%\system32\drivers\etc\hosts
IF %ERRORLEVEL% NEQ 0 ECHO %NEWLINE%^62.116.159.4 da.contoso.com>>%WINDIR%\System32\drivers\etc\hosts


There's no place like 127.0.0.1
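A startup-script version of the same task, added here as an example and not the poster's script, in PowerShell. It assumes the host name and address from the post (da.contoso.com, 62.116.159.4); the function name Add-HostsEntry is my own. It counts only active (uncommented) lines as existing entries, so the commented sample lines in the stock file are ignored, and it inserts a line break before the new entry only when the file's last line has no trailing newline, which is what makes a plain append land on the last comment line.

```powershell
# Added example (not the original poster's script): idempotent hosts-file append.
# Assumes the entry from the post (da.contoso.com / 62.116.159.4); the helper
# name Add-HostsEntry is my own.
function Add-HostsEntry {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][string]$HostName,
        [string]$HostsPath = "$env:windir\System32\drivers\etc\hosts"
    )

    $raw = [System.IO.File]::ReadAllText($HostsPath)

    # Match only active (non-commented) lines that already map this host name,
    # so a commented sample such as "# 102.54.94.97 rhino.acme.com" is not counted.
    $pattern = '(?m)^\s*[0-9A-Fa-f.:]+\s+(?:\S+\s+)*' + [regex]::Escape($HostName) + '(?=\s|$)'
    if ($raw -match $pattern) {
        Write-Verbose "Entry for $HostName already present; nothing to do."
        return $false
    }

    # If the file does not end with a line break, a plain append would join the
    # new entry to the last existing line (the symptom in the post).
    $prefix = ''
    if ($raw.Length -gt 0 -and -not $raw.EndsWith("`n")) { $prefix = "`r`n" }

    $line = "{0}`t{1}" -f $IPAddress, $HostName
    [System.IO.File]::AppendAllText($HostsPath, "$prefix$line`r`n", [System.Text.Encoding]::ASCII)
    return $true
}

# Run from a computer startup script (SYSTEM context), so the file is writable.
Add-HostsEntry -IPAddress '62.116.159.4' -HostName 'da.contoso.com'
```

The hosts file is a trusted input to name resolution on every client, so deliver this as a computer startup script from a GPO whose SYSVOL script folder only administrators can modify; anyone who can edit the script can redirect any name on every machine that runs it.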


the question about mmr and h264


Hi,

When we play a video with Media Player, the server sends MMR data and H264 data.

Sometimes the client will receive MMR data; sometimes the client will receive H264 data.

Is it possible to set the server to always send H264 data to the client?

When we play a video with other players, the server always sends H264 data to the client.

Why doesn't Media Player always send H264 data to the client?

Our server is 2012 R2.

OS is Win8 Enterprise.

Thanks,

Derek

Offline Files with Redirect folders by GPO


Hello

Some clients (Windows 7 Sp1) are under Microsoft Domain (Win 2008 R2).

I activated the GPO for redirect folders (My Documents) to a Group of users, with offline mode enabled.

This GPO is correctly deployed to the clients, and in fact My Documents folder is correctly redirected to the server. On the client, I can work on it without any problem.

The problem is about offline files.

If I remove the network cable, or if I click on "offline" in My Documents, the files appear grey, with a grey X on them, and if I try to open them, I see a message that says the files are not available.

On the client machines, Offline Files is enabled, and disk space for them is used.

But if I click on "visualizza file offline" (see files offline), and I try to open the files, I can't, and I see the same message that the files aren't available.

Automatic synchronisation seems to be executed correctly; in fact I see the cyan tick saying all is OK. But if I try to sync manually, every file hits the error that it is impossible to access the file because it is used by another process.

In the sync centre there aren't sync conflicts.

Group Policy Not Working


Hi,

I've 4 servers, AD, Terminal, SQL, Web.

Recently some technicians came to install something in the terminal services server and it crashed the server.

Then I restored the server image with shadow protect and the group policy I have with the time limit of the disconnected remote sessions no longer works.

I've tried making a new group Policy with the same settings but no luck.

Can you guys help me?

Only Windows 10 Machines cannot gpupdate, Access Denied on Server 2012R2


Bear with me as I set this up.  Four weeks ago, I stood up a server with 2012R2 to build a domain.  Everything went well, except the Windows 7 machines could not open the shares.  As it turns out, Windows 7 could not use the added Encryption feature when creating the shares, however, I already destroyed my server by reinstalling 2012R2 before I figured that out.  Ever since, all Windows 10 machines are not able to get the Group Policy.  I am on my fourth installation and rebuilding of my domain.

I was afraid that some metadata might have been left over from the previous installs, so this last time I ran a Clean All during installation.  I took my time like the first install, adding one role at a time, updating the server, and making my configuration. The roles installed are AD-CA, AD-DS, DNS, DHCP (inactive), File Server, FSRM, FS VSS, and Storage Services.  Features are .NET 4.5, .NET 4.5 WCF Services TCP Port Sharing, GP Management, Remote Server Admin Tool>AD-DS & AD LDS Tools>Active Directory module for PS, AS DS Tools>Active Directory Admin Center and AD DS Snap-Ins & CL Tools.

I set my default group policy to use 128-bit encryption, schannel requires encryption or signature always, and then other logins are negotiated, but do not require encryption.  I left the default domain controller policy alone at first.  I made several other changes as well.

When I joined the Windows 10 machine A to the domain, it did not take all GPOs.  I joined Windows 10 machine B and that did not take all GPOs.  Both machines failed gpupdate, Event ID 1058 Error 5 Access Denied.  I've looked this up for hours, but could not find an answer that corrected my issue.  Both machines were previously on the earlier domains and had residual evidence of that in the registry.  Unfortunately, the newest login information/user was not updated with the current data under HKLM\Software\Microsoft\Windows\CurrentVersion\GroupPolicy.  History has the new domain name and the correct server name, but that was also the previous FQDN (changed it for security reasons by adding a secondary level)(subdomain.domain.com). That was machine A.  Machine B, after joining to the domain, had very little domain information.  Only under History did it have the server name and the FQDN.  The users had no domain info.

So, I realized that everything works when Windows 10 was never previously joined to a domain, and that is when I took a fresh Windows 7 machine that was never on this domain or any previous one and then installed Windows 10 as a clean install.  I did not give it time to do any updates and then quickly joined the PC to the domain and renamed it.  The registry failed to get anything off the domain and it failed gpupdate.  The only other settings that may affect anything are to restrict anonymous logons or anonymous anything and to exclude anonymous from the Everyone user profile.

I then went through my server error messages and made corrections.  Most of the errors are due to services running before AD DS got fully running.  I ran some CMD tests and all were successful.  I do not remember all, but nltest was one. I ran Wireshark on both the server and Machine A and confirmed that the server is denying access to my Windows 10 machines.  On the server side, Invoke-GPUpdate machinename, or with the IP, fails as computer is not responding. Target is shutoff or Remote Scheduled Task Management Firewall Rule disabled. CategoryInfo :OperationTimeout ArgumentException. FullyQualifiedErrorID:COMException,Microsoft,GroupPolicy.Commands.InvokeGPUpdateCommand.

When I run update from Group Policy>right-clickDomain>Group Policy Update... Fails Error Code 8007071a remote procedure call was cancelled.

Turned off all firewalls.  Activated all possible services.  Turned off IPv6.  Ran Wireshark.

Wireshark shows ldap binds successful, SMB2 negotiations as being successful, and then SMB2 Session Setup Response, Error: STATUS_ACCESS_DENIED followed by resets.  This is the case whether I did a gpupdate from client or invoke-gpupdate from server.

Machine A Event Viewer under Applications&Services>Microsoft>Windows>GroupPolicy- system call to access specified file completed. Call failed after 32 milliseconds.

Event ID 7017 Error Code 5.

And then the System Log> Event ID 1058 Error 5.

I am able to browse the network to the share and open files/folders.  Access is only denied with GPUpdate.  DNS works well as all machines point to the DC, nslookup is good, I RDP into the DC using its domain name.  There has to be a setting somewhere on the server to allow this.

The server has SMB errors

SMB Session Authentication Failure

Client Name: \\192.168.186.104
Client Address: 192.168.186.104:4857
User Name: domainname\justinh
Session ID: 0xFFFFFFFFFFFFFFFF
Status: {Access Denied}
A process has requested access to an object, but has not been granted those access rights. (0xC0000022)

Guidance:

You should expect this error when attempting to connect to shares using incorrect credentials.

This error does not always indicate a problem with authorization, but mainly authentication. It is more common with non-Windows clients.

This error can occur when using incorrect usernames and passwords with NTLM, mismatched LmCompatibility settings between client and server, duplicate Kerberos service principal names, incorrect Kerberos ticket-granting service tickets, or Guest accounts without Guest access enabled

Event ID 551 errors, and these relate to each failed gpupdate.

Sorry this is so long, but I have been trying to figure this out for three weeks.  Been all over Google, Microsoft, and other help sites.  

Justin

Default Change Password at Next Logon

I have a third party application that allows my users to be able to change their password, however I think active directory is checking the box to change password at next logon by default.  Is there a way to change this behavior in AD so that when we reset a password in AD it does not require them to change their password at next logon?

KB3163912 breaks Point and Print Restrictions GPO settings


Our labs install our printers through a simple Start Menu\Programs\Startup VBS script that points to a printer depending on the machine name.  This saves anywhere from 1-5 minutes from our login times.

This morning after the new cumulative update KB3163912 all our lab machines are now prompting for admin credentials to install these print drivers.

I have changed the Point and Print Restrictions section of our GPO to both "disabled" and "enabled" but without server restrictions, and disabling elevation prompts.  Neither take any effect.

After removing KB3163912 the printers install fine without any prompts.

We can add our printers back to the typical GPO location for now, but no doubt we will receive complaints on our login times increasing.

GPResult shows our group policies are processing fine on machines that are both pre and post KB3163912.

Start and stop services on a remote machine


I installed the GPO role to a member server where the software I need to control the services is, so that I could get the correct services into a group policy.  It all seemed to work.  I assigned the user Allow - Read and Allow - Start, Stop, Pause and continue rights.

The GPO is then applied to the OU that houses many member servers, however the security filtering is set so that it's applied to only the one server.  Server has been rebooted.

GPResult shows it as an applied (computer) policy object.

The user does not log into the server.  He opens the services mmc locally, and then tries to connect to the remote machine, which results in an access denied error.  I know the rights are correct for the services themselves, and he should be able to restart the services, but he needs to be able to get into the services snapin first.  Did I miss something with rights that would enable the snapin to be opened?


Event ID 4098 - "Cannot create a file when that file already exists"


I have a GPP that has multiple immediate tasks that apply to various OUs in AD.  One of the tasks item level targets our Servers OU (so it applies to all our servers), and is configured to run as an Immediate Task (runs each time group policy is updated). It simply calls a batch file.  I deployed two servers today, and placed both in the Servers OU, did a gpupdate /force and rebooted both, as I normally do when deploying new servers.  One server got the GP without issue, the second also got it, but now fails to run on subsequent gpupdates with the following Event Log information:

Level: Warning

Source: Group Policy Scheduled Tasks

Event ID: 4098

Task Category: (2)

General: The computer 'Install ShadowProtect SPX - Draper Servers' preference item in the 'Deploy Software - SPX {4FA68D3F-5B93-4F54-8498-F75535C43F01}' Group Policy Object did not apply because it failed with error code '0x800700b7 Cannot create a file when that file already exists.' This error was suppressed.

Server 2012 R2 - Of 76 servers, this issue is happening on at least 3.

I noticed this problem first at the release of Windows 10.  I posted a question on it in the Spiceworks forums here, along with the resolution I found.  Essentially, all I had to do was delete the regkey that mentions the GP name located at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Install ShadowProtect SPX - Draper Servers".  However, something has recently changed in Microsoft Land, and these keys do not get created any more for scheduled/immediate tasks.

The first server has no issues creating the task and running the batch file on subsequent gpupdates.

I did attempt the fix suggested here, but I get the same results.

Also, the tasks are running as NT Authority\SYSTEM, so this fix also does not apply to me.

Inconsistent Software Restriction testing


We have a terminal server we are deploying, and I wanted to use some group policy lockdown besides just our normal terminal lockdown policy.  We already have a policy about the CryptoLocker-type things launching in temp locations, but I wanted something more comprehensive than that.

This is a pretty simple environment, with a handful of known programs to allow.  So I wanted to set a default deny and only allow things in our additional rules to run.

It *SHOULD* be pretty straightforward I had thought, but it's just been frustrating.

I started out doing this via a 2012R2 DC.  I created a policy and applied it to the OU that the terminal server sits in.  I only applied it for a single user though for testing, since developers are on here now getting their application set up, so I didn't want to apply it to the two RDP groups I have created for this.

I tried doing it via the user configuration, but nothing happened whatsoever when that user logged in.  So then I tried via the computer configuration section.  And this is where it got flaky on me.  It applied but ignored rules.

I had it set as "disallowed" for the default security level.  I left the two MS rules in place to start, the systemroot and programfilesdir registry key location rules.

So first I was seeing in multiple posts on various forums that just putting a program folder for the path rule would allow anything in subfolders to run.  But it appeared to not function that way, so I tried just a folder, with several EXEs in it, without specifying the EXEs, just the c:\foldername.

No joy.  So then I tried explicitly giving the path to a program and allowing it to run unrestricted.  And even then, after doing a GPUPDATE /FORCE on the terminal in question, then after it updates, logging in with the user that's in the scope settings of the policy for the security filtering, even things with absolute paths AND EXE names give me the error about being blocked by group policy.

My other policies are working great, for redirection of the start menu and such, and even the generic lockdown  policy.  But for some reason I'm just having a nasty time with the Software Restriction policy, and can't get it to function.

Google searches are turning up a billion things that aren't very useful, and after about 4 hours of searching and testing, I'm no better off than I was when I first started trying this today. 

I'm hoping someone will have something obvious I've overlooked, i.e. "For this to work,  you first have to set A, then B."

Enforcement is set on all software files except libraries, all users except local administrators (since the account that's being tested is not an admin account), and it's set to ignore certificate rules.  Trusted Publishers is blank, and designated file types is the default list.

Disallowed is the default setting for the security levels.

And an example of an additional rule that fails is this for testing: C:\Windows\System32\calc.exe

It is set for an unrestricted security level.

Yet when I try to run calculator, it tells me it's blocked by policy.  Once I disable this test restriction policy, it works fine again.

Thanks for any leads.

John



Redirected folders and offline files?


Hi,

Forgive me if this is not the right forum for this question, but I have setup folder redirection using GP for all my computers.  Works well to keep all the user's desktop, documents, favorites and such on the server where they can be backed up and follow them from computer to computer.  These have all been Windows 7 Pro desktops.

Now I have a group of users who want to use laptops instead of desktops, Windows 10 Pro laptops.  I've joined the laptops to the domain and my folder redirect GP seems to be working as desired.  However, when I take the laptop out of the building, off the network, I get errors for each redirected folder because, of course, I'm not on the network.  At this point in time I do not want to mess with VPN.

So I thought offline files was the way to go but I can't seem to figure out how to make my redirected folders available offline.  Nor for that matter any file within those folders. 

What am I missing here?  Isn't offline folders the correct solution or is there some configuration option I've not found yet?

Thanks in advance,

Linn

Security policies were propagated with warning. 0x4b8 : An extended error has occurred.

Hi,

I have a server that keeps reporting this error every 5 mins. I am unable to remote into this server via RDP due to this error.

Security policies were propagated with warning. 0x4b8 : An extended error has occurred.

In the winlogon log file, there is an error Error 1450: Insufficient system resources exist to complete the requested service.

----Un-initialize configuration engine...
**************************

Error 0 to send control flag 1 over to server.

Make a local copy of \\xxx.xx.xx\sysvol\xxx.xx.xx\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

Make a local copy of \\xxx.xx.xx\sysvol\xxx.xx.xx\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

Process GP template gpt00000.dom.

This is not the last GPO.
-------------------------------------------
Thursday, 1 September 2016 11:33:10 AM
Administrative privileged user logged on.
Parsing template C:\Windows\security\templates\policies\gpt00000.dom.
Copy undo values to the merged policy.


----Un-initialize configuration engine...

Process GP template gpt00001.inf.

This is the last GPO : domain policy is ignored on DC.
-------------------------------------------
Thursday, 1 September 2016 11:33:11 AM
Administrative privileged user logged on.
Parsing template C:\Windows\security\templates\policies\gpt00001.inf.


----Un-initialize configuration engine...
-------------------------------------------
Thursday, 1 September 2016 11:33:11 AM
Administrative privileged user logged on.
----Configuration engine was initialized successfully.----

----Reading Configuration Template info...


----Configure User Rights...
Configure S-1-5-80-1144924461-1383973570-550994615-1093434689-3433800466.
Configure S-1-5-80-1291205660-3397711462-822707101-4202570228-2382680589.
Configure S-1-5-80-3665006928-4114119256-3005178647-3227244413-1113146715.
Configure S-1-5-80-1721512588-3715141403-2073348187-3582517497-3257782863.
Configure S-1-5-20.
Configure S-1-5-19.
Configure S-1-5-80-1060977806-2686040272-3836906367-1555899539-1087266639.
Configure S-1-5-80-2530729058-1562416944-2024781946-3039897883-675777791.
Configure S-1-5-80-129384432-176096346-2028259936-4280157434-2113836960.
Configure S-1-5-80-4003569689-492506040-2645153450-1162762568-2405087996.
Configure S-1-5-82-1036420768-1044797643-1061213386-2937092688-4282445334.
Configure S-1-5-21-1741966062-3111163319-3367365890-1133.
Configure S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415.
Configure S-1-5-32-549.
Configure S-1-5-32-551.
Configure S-1-5-32-544.
Configure S-1-5-21-1741966062-3111163319-3367365890-1115.
Configure S-1-5-21-1741966062-3111163319-3367365890-1122.
Configure S-1-5-21-1741966062-3111163319-3367365890-1126.
Configure S-1-5-32-559.
Configure S-1-5-32-568.
Configure S-1-5-32-554.
Configure S-1-5-11.
Configure S-1-1-0.
Configure S-1-5-32-550.
Configure S-1-5-32-548.
Configure S-1-5-9.
Configure S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420.

User Rights configuration was completed successfully.


----Configure Security Policy...
LSA anonymous lookup names setting : existing SD = D:(D;;0x800;;;AN)(A;;0xf1fff;;;BA)(A;;0x20801;;;WD)(A;;0x801;;;AN)(A;;0x1000;;;LS)(A;;0x1000;;;NS)(A;;0x1000;;;S-1-5-17).
Error 1450: Insufficient system resources exist to complete the requested service.
 Error in Authz APIs while configuring LSA anonymous lookup setting.
Error 1450: Insufficient system resources exist to complete the requested service.
 Configure LSA anonymous lookup setting.
Configure machine\software\microsoft\windows\currentversion\policies\system\disablecad.
There is already an undo value for group policy setting <machine\software\microsoft\windows\currentversion\policies\system\disablecad>.
Configure machine\system\currentcontrolset\control\lsa\nolmhash.
There is already an undo value for group policy setting <machine\system\currentcontrolset\control\lsa\nolmhash>.
Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature.
There is already an undo value for group policy setting <machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature>.
Configure machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
There is already an undo value for group policy setting <machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature>.
Configure machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal.
There is already an undo value for group policy setting <machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal>.
Configure machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity.
There is already an undo value for group policy setting <machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity>.

Configuration of Registry Values was completed successfully.

Audit/Log configuration was completed successfully.

Kerberos Policy configuration was completed successfully.


----Configure available attachment engines...

Configuration of attachment engines was completed successfully.


----Un-initialize configuration engine...

Does anyone know how to fix this issue?

Turn on TPM Backup to Active Directory Domain Services


Has the "Turn on TPM Backup to Active Directory Domain Services" been removed from the latest Administrative Templates for Windows 10 and Windows Server 2016 (released 8/5/2016)?

Is this no longer an available option for the latest builds?

thanks

Different Group Policies for Different OS


Hello, 

Sorry if this is a simple question, but we have mostly Windows 7 machines and someone created a group policy to turn off User Account Control.  We are starting to deploy Windows 10 and noticed that people are not able to do certain things when User Account Control is off.  Is there a way to make it so Windows 10 can get all the group policies except for that one?  Thanks for any help you can give me.

GPO status test reports SYSVOL as inaccessible


One GPO reports this.

I deleted the GPO and recreated it manually again. But the "orphaned" GPO still resides in SYSVOL.

I wanted to delete it manually from SYSVOL, but I do not have access to the GUID folder (as Ent. Admin) and I can't take ownership over it.

The GPO is no longer in gpedit or ADSI Edit.

I even tried to delete it from the command prompt, with no success.

How do I force it to go away?

Regards, Lars.


Printers changing defaults after logging off


We seem to have an issue with printers switching defaults after logging off. They seem to be assigned alphabetically once restarted.

We push our printers out by GPO with Print Management (we just run PushPrinterConnections.exe as a logon script). This installs local printers fine. We also have it so users can change their default printers, and from what I see no other GPP or object is set up to define the defaults.

If a user changes their default it works fine, but when they log off and back on it changes back to the printer first on the list alphabetically. (Note it does not include local printers, i.e. CutePDF; it only defaults to networked printers.)

It is like the printers are being refreshed or pushed out at every login, causing the first deployed set to become the default every time. We need the changes to be saved on logout but I'm not sure where to go next.

Any suggestions?

How do I restrict the use of a domain computer to one AD domain user only?

I have 10 domain computers and 10 domain users. Every individual user should be allowed to log on to his own computer; others should be denied access. Is there a way or a GPO that can achieve this?


Disable WIFI connection with GPO when network cable is plugged


Hello all,

I want to disable the WiFi connection on users' laptops whenever the user is connected to the LAN with an Ethernet cable.

- WIFI should be enabled when the cable is not plugged.

- WIFI should be disabled when the cable is plugged.

Can this be done via GPO?

Are there any logon scripts that can be triggered to check Device Manager for a plugged network cable and then enable or disable the WiFi?

The whole idea is that users should be prevented from using WiFi at the office, but WiFi should be enabled when they move outside the office.
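Added example, not from the original post: a PowerShell script that disables the Wi-Fi adapter while a wired link is up and re-enables it otherwise. It uses the NetAdapter module (Windows 8 / Server 2012 and later); the function names Get-WiredLinkUp and Sync-WifiToWired are my own. A logon script runs with the user's rights and cannot disable adapters, so deploy this as a computer startup script or as a scheduled task running as SYSTEM and triggered on network-profile changes.

```powershell
# Added example (not from the original post): toggle Wi-Fi based on wired link state.
# Assumes the NetAdapter module (Windows 8 / Server 2012 and later) and that the
# script runs elevated (startup script or SYSTEM scheduled task). Function names are my own.
function Get-WiredLinkUp {
    [CmdletBinding()]
    param()
    # Physical 802.3 adapters that currently have link; virtual adapters are excluded.
    $wired = Get-NetAdapter -Physical | Where-Object {
        $_.PhysicalMediaType -eq '802.3' -and $_.Status -eq 'Up'
    }
    return (@($wired).Count -gt 0)
}

function Sync-WifiToWired {
    [CmdletBinding()]
    param()
    $wifi = Get-NetAdapter -Physical | Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' }
    if (-not $wifi) {
        Write-Verbose 'No Wi-Fi adapter found; nothing to do.'
        return 'none'
    }

    if (Get-WiredLinkUp) {
        # Cable plugged: disable Wi-Fi so the laptop cannot sit on the LAN and
        # an outside wireless network at the same time.
        $wifi | Where-Object { $_.AdminStatus -ne 'Down' } |
            Disable-NetAdapter -Confirm:$false
        Write-Verbose 'Wired link up; Wi-Fi disabled.'
        return 'disabled'
    }

    # No wired link: re-enable so the user can connect outside the office.
    $wifi | Where-Object { $_.AdminStatus -eq 'Down' } |
        Enable-NetAdapter -Confirm:$false
    Write-Verbose 'No wired link; Wi-Fi enabled.'
    return 'enabled'
}

Sync-WifiToWired -Verbose
```

If the laptops are Windows 8 or later there is also a built-in setting that covers the most common case without a script: Computer Configuration > Policies > Administrative Templates > Network > Windows Connection Manager > "Prohibit connection to non-domain networks when connected to domain authenticated network". The script above is useful when you need to block all Wi-Fi, including domain-authenticated SSIDs, while a cable is attached.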

BUG ? Windows 7 Folder Redirection rename the Home folder in "My Documents"

Hello,
I am experiencing an annoying behavior with folder redirection on Windows 2008 R2 and Windows 7.

I think this is a sort of bug.

Server : Windows 2008 R2 STD (US)
Station : Windows Seven (Fr)

We defined a hidden share as the home folder in Active Directory.

Ex :
\\Server\Users$\User1 (home folder for user 1)
\\Server\Users$\User2 (home folder for user 2)
Etc.

In my GPO:
When I configure the Folder Redirection setting with these parameters:
Basic - redirect everyone's folder to the same location
Redirect to the user's home directory

Move the content of Documents to the new location
Also apply redirection policy to Windows 2000 etc...

When I log on to the client, the redirection works well.

When I log on to the server and browse my "users" directory, the user directories appear as if they had been renamed to "My Documents".

Ex :
D:\users\My Documents
D:\users\My Documents
D:\users\My Documents
...

The folders are not really renamed; it is just the display that is incorrect.

If I use a command line to browse the directory, the folders appear with the correct names.
D:\users\user1
D:\users\user2
D:\users\user3
...

Can someone help resolve this behavior?