Channel: Group Policy forum
Viewing all 19997 articles

GPOs are not applied - "The user does not have RSOP data"

Hello experts

I'm having an issue with applying GPOs to some specific users when they log on to my computers.

I have one Windows 7 Professional N x64 in OU "Win7", and there are 2 GPOs applying on that OU. All users are allowed to log on to that computer because it's a public computer; however, so far I have 2 users who cannot have GPOs applied when they log on to that computer, while dozens of users don't have this issue.

When I tried to get GPRESULT after those 2 users logon, I received the message as below

Drive Z is available when I ran that command, I tried with drive C and all drives which users have permissions to store data, I still have the same result.

In Group Policy Management Console, I double-checked all GPOs applying on that OU, and none of them have "Apply group policy - Deny" as below

Besides, Security Filtering of those GPOs has "Authenticated Users", so all users who log on to that computer should have GPOs applied.

Please kindly let me know if you have any ideas or experience.

Thank you very much.


Download and install windows updates on shutdown only

Hi There

Can someone help me with how to configure Group Policy to check, download and install Windows updates on shutdown only?

Thanks

certificate enrollment policy group policy

hi

server A: windows 2008r2 enterprise CA

server B: windows 2012r2 running certificate enrollment policy and certificate enrollment service ;

The certificate enrollment policy on server B is set with Kerberos authentication. The authentication on the virtual directory in IIS is set with kernel mode enabled and Negotiate at the top, and then NTLM as the next provider.

server B also hosts another set of CES CEP virtual directories for username password authentication for workgroup computers.

Both sets of CES CEP are sitting in 2 application pools; one for both CES and one for both CEP; both application pools run under a domain account with delegation on server A.

I am trying to add the URI to the certificate enrollment policy (Kerberos) in AD GPO for all domain client computers to get a certificate from server B using windows authentication. When pressing validate button I am getting "Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)"

same thing happens if I try to add the policy to a domain member through mmc

Access was denied by the remote endpoint. 0x803d0005 (-2143485947)

What permissions am I missing? I'm guessing server B is missing some permissions in relationship with server A?

IE11 Proxy settings

Hello,

My DFL/FFL is Windows Server 2008 R2 and my DC Windows Server 2012 R2.

Client: Windows Seven SP1 32-bit with IE11

I create a new GPO and configure GPP with IE10 settings. I configured a few options but Proxy settings are not applied. IE Settings on client side are empty. I created RegKey (ProxyEnable, ProxyOverride, ProxyServer) but it's not applied.

gpresult -> no problems

Have you any idea?

Thanks.

GP - Drive Map - Replace | Does not replace drive

I have verified the group policy is being applied to the user / machine.

I have done GPUPDATE /FORCE; tried logging off / on / off / on; have tried creating the policy in a new GPO; etc.

I have tried adding a DELETE as the first in the order followed a few steps below by an update.

I have tried adding a DELETE as the first in the order followed a few steps below by a replace.

Please let me know what else I can try.

Error with Source initiated collector

I am trying to set up event forwarding to my domain controller. I have group policies designating my domain controller to be the collection server. I also have group policies turning on the WinRM services; according to rsop.msc the group policies are being applied. I used the domain computers as the group in the event subscription. I cannot seem to get it to work. I am getting the following error when I run wecutil gr Test on my source servers.

Failed to get RuntimeStatus Active Property. Error = 0x2

the system cannot find the file specified

The status of the subscription is showing active in Event Viewer on my domain controller, and I added the domain controller's machine account to the Event Viewers group in the domain builtin groups.

Any help is appreciated.

Server 2008 R2: Default Domain Controller Policy Settings Unable to View

Hello teams,

Currently I am unable to take a report of the Default Domain Controller Policy settings on my DC 2008 R2. All the rest of the policies are working and I am able to take the report.

Please find the screenshot below.

RemoteApp and Desktop Connection URL GPO is applying when Apply Group Policy Permission not set

I have been trying to get this GPO working in a post MS16-072 world, and it's not behaving consistently with all the documentation I can find.

Basically, I am trying to follow best practice and only add the Domain Computers (or even a single test machine for testing) account as Read (and not check Allow for Apply Group Policy in the permissions / delegation tab) and yet it still wants to apply every time.

I need this to work so that I can then use Group Filtering to assign this policy to certain users and groups of users, but until I can get Domain Computers added as only Read, but have it not apply, I am stuck.

Any ideas?


Software installation is not working through GPO

Hi Experts,

I am trying to deploy Mozilla and XML Notepad through Group Policy. I have created a test OU in AD and moved a few required users into that group. I created a policy to assign the software. When I try to log in to a domain machine as that specific user where we apply the policy, the software doesn't install. At the same time, when I run rsop.msc I can see the policy has been pushed, but I have no clue why it didn't work. For reference, I am also attaching a few snapshots for better understanding. This is a client machine snapshot where it clearly shows it has been implemented. I also tried changing the value of the start policy processing wait time, which I saw somewhere in the forum, but no luck. Interestingly, whenever I run the command gpupdate /force from the client system it always shows the message below. Many times I chose yes and tried to log in again, but no luck. Please advise accordingly. I am using Server 2008 R2 and all client machines are on Windows 7 32/64-bit. Please let me know if any other information is required.

Output of client machine:

Updating Policy...

User Policy update has completed successfully.

The following warnings were encountered during user policy processing:

The Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.
Computer Policy update has completed successfully.

For more detailed information, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Certain User policies are enabled that can only run during logon.

OK to logoff?. (Y/N)

Regards

Prem

GPO to change default Windows 10 apps from Store to Desktop apps?

We have a GPO to disable opening Store apps, but the default apps remain Store apps despite this. For example, when the user clicks on an audio file attachment, such as to play their voicemail messages received in Outlook, Windows 10 attempts to open the Groove Music app to play the file and the user then gets a message pop-up saying this has been blocked by your administrator.

How can we change all the app defaults to Desktop apps via GPO?

KB3163912 breaks Point and Print Restrictions GPO settings

Our labs install our printers through a simple Start Menu\Programs\Startup VBS script that points to a printer depending on the machine name.  This saves anywhere from 1-5 minutes from our login times.

This morning after the new cumulative update KB3163912 all our lab machines are now prompting for admin credentials to install these print drivers.

I have changed the Point and Print Restrictions section of our GPO to both "disabled" and "enabled" but without server restrictions, and disabling elevation prompts. Neither takes any effect.

After removing KB3163912 the printers install fine without any prompts.

We can add our printers back to the typical GPO location for now, but no doubt we will receive complaints on our login times increasing.

GPResults show our group policies are processing fine on machines that are both pre and post KB3163912.

Wireless Clients and GPOs

Server 2012 R2 with numerous GPOs. With a wire plugged into laptops, all GPOs work fine. When using wireless, GPOs do not work at all. I have enabled the "Always wait for the network at computer startup and logon" group policy on both the server and the local laptop. I have enabled/disabled "Allow processing across a slow network connection". I have also made a registry edit found here:

https://support.microsoft.com/en-us/kb/840669

The laptops are Windows 10 Pro. Nothing special about the wireless. They are UniFi APs with AES and on the network segment that the server that houses the GPOs is on. Would appreciate any help.

Auditing a Directory on a Windows 7 or 10 Client using Group Policy Settings

Hi folks - I'm trying to attempt to monitor a directory on client PCs using Group Policy.  I want to trigger a scheduled task from the event created by the files being modified.  In addition to the files in the directory I want to monitor triggering an event, I get an event triggered whenever any file in c:\Windows\System32 is accessed as well, usually by system processes. I only want to know about anything in the directory I want to monitor that is modified, created, or deleted.  Can anyone help me with what I need to change in my setup to make this happen, and ignore anything BUT what is changed in the monitored Directory?


My Setup Through GPO is as follows:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> File System -> C:\path\Directory_Being_Monitored

Security Policy Settings -> Security -> Advanced -> Auditing Tabs

Audit Success for Domain Users: Create Files/Write Data and Delete

Also:

Advanced Audit Configuration -> Object Access -> Policy -> Audit File System: Success

Thanks in Advance.

Steve

Blank Output from powershell logon script Server 2012 R2 | Client Windows 7

Hi Folks,

I am trying to collect data around mapped drives using a PowerShell script.

I have created a PowerShell script which gets the mapped drives and exports the results to a network share.

The script runs like a charm; however, when I use it to push via GPO > User > Logon, the script runs and generates a 0k file with no data inside it.

I have tried using a bat file wrapper and adding a delay, but there seems to be some issue. I can run the script and batch file directly from the end user's PC and it works. So manually it works and with GPO it doesn't.

Here is the code

sleep -Seconds 30
$CompName = $env:COMPUTERNAME
$UserNameDomain = (Get-WmiObject win32_computersystem).username
$UserName = $UserNameDomain.Split('\')
$FilePath = "\\fileshare\MDDC$\MappedDrive_" + $UserName[1] + "_" + $CompName + ".csv"
Get-WmiObject Win32_MappedLogicalDisk | Select Name, ProviderName, SystemName, @{Name="UserName";Expression={$UserNameDomain};} | export-csv -Path $FilePath -NoTypeInformation

#batch file wrapper

# powershell -NoProfile -ExecutionPolicy Bypass -File \\fileshare\MDDC$\getMappedDrives.ps1

Appreciate if you guys can help me get this working.


Regards, Navdeep

Folder Redirection Policy Not Applying

I am having trouble with getting a particular GPO to apply to a particular user account. I have created a folder redirection policy that redirects the desktop to a network location that the user has permission to.  The settings are:

The policy never seems to apply, and a GPResult on a client computer does not return this in the list of applied GPOs.

I ran a GP modeling query in GPMC and it shows that the policy should be applied to the user. However, if I run the same query in GP Results in GPMC it does not appear in the list of applied or denied GPOs. There are no other policies applied that perform redirection for the desktop, although there is another redirection policy in place for the documents folder.

When I run a GPUpdate /force when logged in as the affected user, I get the message that a folder redirection policy has been detected and this can only be applied with a logoff. I agree to the logoff but when I log back in I get the same result - no redirection and a subsequent GPUpdate /force gives me the same message again.

I applied another GPO to make sure that Fast Logon is disabled so that this will process policy synchronously. I can see via GPResult that this policy applied, but it has made no difference and the redirection policy still won't apply.

Affected client computers and my management workstation are both on Windows 8.1. Please let me know if you have any thoughts on why this may be happening or what else I can do to troubleshoot. Thanks!


Windows Updates corrupt PST files on Roaming Profiles

Hi guys!

I am having trouble with Windows Updates and roaming profiles...

I tuned the GPO "Exclude directories in roaming profile" to force sync of "AppData\Local". This way I back up the Outlook pst files from "AppData\Local\Microsoft\Outlook".

This has been working great for a long time, because Windows updates were manually installed on each PC with a local admin user (no roaming user).

But now I have enabled some Windows Updates GPOs to force it to be done automatically while the user is logged on:
GPO: Configure Automatic Updates Value -> 4 = Automatically download updates and install them on the schedule specified below.

Then, a warning comes up to the users asking for a reboot to finish the updates... as usual.

The user clicks on reboot
or
does nothing and then turns off his computer at the end of the workday.

In both cases, the pst is corrupted.

I am sure that it is a timeout issue... for some reason, Windows updates break the pst sync on shutdown (or reboot) and leave it corrupted.

Nothing relevant showed in Windows Event. Not even after following these steps to enable debug events: https://technet.microsoft.com/en-us/library/jj649075(v=ws.11).aspx

In Event Viewer\Applications and Services Logs\Microsoft\Windows\User Profile Service\
Operational: Event 7, successful profile sync
Diagnostics: Nothing relevant... only a few events 1001 and 1002 (Can't find ID event)

If I set Windows updates to: 3 = (Default setting) Download the updates automatically and notify when they are ready to be installed, the pst sync is OK.

This only happens at the headquarter... at the head office it works OK... and this is the reason:

HeadOffice: Server home place -> LAN 1GB
HeadQuarter: use headoffice server -> WAN link to HeadOffice FO 10MB

So... users at HeadOffice sync at 1GB and users at HeadQuarter sync at 10MB.

I think that I should change the Windows Updates behavior at logoff... but I have no idea how I can do it.

Hopefully you can help me!

Group Policy Object (folder redirect)

My "Documents" folder is being redirected through GPO to a network location on the server (typical).

The issue that I am having is that my "Documents" folder is being redirected to the WRONG network location. I am not sure how this can happen because I am not a member in that security that it is linked to.

How can I remove myself from this GPO? I am a domain admin on this network.

The Group Policy Management reads: \\server\home$\sales\users\%USERNAME%\My Documents. I am not in the "sales" department nor am I in any sales security group that is linked to this GPO.

Windows registry changes do not reflect on the Group Policy.

It's been noticed that many Group Policy configurations are not reflecting when their corresponding Windows registry is modified. I will state an example for better clarity.

Example:

Set the following Group Policy (gpedit.msc) UI path to "Disabled"
Computer Configuration\Policies\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Turn off Microsoft Peer-to-Peer Networking Services

This Group Policy setting is backed by the following Windows registry location (regedit):
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet:Disabled

Now edit the Windows registry by setting the policy "Peernet" to "Enabled". Close the Group Policy editor and open it again (gpedit.msc). Once you traverse to the GP UI path, you will notice that the changes updated in the Windows registry are NOT reflected.

The question is why the changes made from the Windows registry are NOT getting updated in the corresponding Group Policy.


Enable Modern Authentication through Group Policy

Hey all,

Is it possible to enable modern auth via GPO for Office 2013 rather than manual registry changes?

Thanks!

Microsoft Edge options missing from group policy

I've installed the latest ADMX files for Windows 10 (Windows10_Version_1511_ADMX) and the options for Microsoft Edge have disappeared in the Group Policy Management Editor.

The MicrosoftEdge.admx file is in the C:\windows\PolicyDefinitions folder and also in the domain sysvol policies\policydefinitions.

What have I done wrong?

Thanks
