Channel: Group Policy forum

SBS 2011 Server Folder Redirection Help needed


The SBS server crashed (blue screened) during an attempt to install new printer drivers.  After the server came up it was found that DCOM was broken and thus Windows Installer fails (unable to install any programs) and access to AD, GPO, etc. fails (nothing can be registered/addressed).  I'm attempting to migrate what's left of the server to new hardware.  The broken server had a redirected folders policy.  I'd like to maintain that policy, however, I don't know how to "migrate" folder redirected data to the new server because I have no access to the GPMC to push out changes to the policy (point to new server or revert to local).  Any recommendations how I'm able to move this data to the new server so that it accepts it and syncs it with the new user profiles on their workstations?

I've already tried to migrate profiles, but no files seem to be preserved locally after the connection to the bad server is broken.  Is there some hidden folder that maintains the local sync'd copies I can access?  I'm also unable to adjust the policies manually locally to point to the new server.

Any help is appreciated.


Permission on multiple group policies


Hi Guys,

I have to delegate group policy permissions to a group, and it is quite simple if you have one or two GPOs. However, I have to delegate full permissions on all GPOs, which are more than 50. Is there any way to grant permission on all GPOs instead of delegating permission on each GPO?

Regards

Sarwar



GPO to activate Previous Versions / Shadow Copy on domain clients (windows 7)

Hello,

In a 2008 R2 domain environment with all Windows 7 clients, I want to activate the Previous Versions (aka shadow copies) feature on all disks/partitions of the client machines.

Is there a way to do that via group policies / preferences?
Or another way?

Thanks,
Hendrik

SSD drives and GPOs


Hi there,
I've recently deployed 2 GPOs in a test environment that create and map user homefolders, as per http://www.alexcomputerbubble.com/using-group-policy-preferences-gpp-to-map-user-home-drive/

I've noticed that all PCs equipped with SSDs fail at mounting the home letter drive until restarted at least 3 times.
No such issues observed with PCs equipped with regular HDDs.
Before someone throws the infamous "Computer Configuration\Administrative Templates\System\Logon\ Always wait for the network at computer startup and logon" resolution, know that it's been tried and produced no results.
I have encountered these SSD issues in the past when creating GPOs, logon scripts, and each time I NEVER was able to find any sensible explanation as to why this is such a stinger in my bubble. After trying many common suggestions, like the one mentioned above, it always ends up with: SSDs are just too bloody fast, and GPOs/logon scripts execute before network resource has a chance to become available. SSDs have become so common that arguably it makes little sense to consider HDDs as a primary drive in any workstation. My company runs 90% SSDs on 90 PCs.
I am running Windows Server 2008 R2 with Windows 7 clients.
Is Windows 2008/7 just not able/meant to deal with SSDs in a corporate environment? This is my rant for the day :)




Server 2012R2 password notification


Our end users are not being notified to change their password, and then get locked out. Win7 workstations.

Been trying various GPO changes with no success.

Changing lock screen image

I have applied a custom lock screen image using group policy. I have pushed that image to all the computers and applied that path in policy. Now I have changed the image. I have again pushed the new file to all the computers in the domain. I applied the policy also, but it is not pushing the new image to the computers. Can anyone help with how to fix this issue?

Unable to reset user passwords from ADUC


I am unable to reset user passwords from our 2k8 R2 DC.  I am out of ideas, so hopefully someone can give some advice.  When trying to reset any user's password I get the following error popup:

Windows cannot complete the password change for "user" because:  the password does not meet the password policy requirements.  Check the minimum password length, password complexity and history requirements.

I have verified that there is no longer any password policy defined through GP and GP Result shows none is being applied to my test user - or any user for that matter,  yet this error persists.  I cannot locate any other place where this might be set.  I have verified that the DCs (I have a primary and backup) are replicating properly.  I also verified there was no custom password key created or installed.  I am really at a loss so I'd appreciate any input here.

GPO and Service SID?


Hi, I'm a DBA installing SQL Server 2012.  SQL Server setup is creating service SIDs (e.g., NT SERVICE\MSSQLSERVER, NT SERVICE\MsDtsServer110, etc.) and granting them rights (e.g., SeServiceLogonRight, SeAssignPrimaryTokenPrivilege, etc.). 

Our GPO is removing rights from the service SIDs created by SQL setup.  We have been unable to add a service SID to GPO.  I think there is an error that the account does not exist.  We can add just the name (e.g., MSSQLSERVER, MsDtsServer110, etc.), but this does not seem to work as rights on the service SID are still removed. 

We did add NT SERVICE\ALL SERVICES (no error) and grant it SeServiceLogonRight.  I think this covers all service SIDs.  This appears to be working; however, I’m reluctant to grant some of the other rights to all services using service SIDs. 

Are only “well known” service SID values valid in GPO?  Is there any way to add a service SID such as "NT SERVICE\MsDtsServer110" into GPO?  Is there a best practice for handling service SIDs and group policy? 

Thanks.


Randy in Marin



delete run history

Is there a policy to delete the run history?

Automatically Shut down PC if idle for 1 Hour after 7.00pm


Hi All,

How can I set a GPO to make all PCs automatically shut down if idle for 1 hour after 7 pm?

Thanks.

Windows 7 is not prompting for password change


The problem is following:

I have a Windows 7 joined to domain. And it's not prompting for the password change even if it expires in 3 days.
I have only one GPO applied to the computer. Inheritance is disabled and I can see the correct result in the RSoP.

GPO contains following settings:

Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy > Maximum password age 3 days 
Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy > Minimum password age 0 days 
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon: Prompt user to change password before expiration 4 days 

UAC is enabled. User account "password never expires" setting in AD is unchecked. Bubble notifications are enabled.

What else could be the issue?

Thanks,

Best regards,

Roman


Windows Media Player


Hi Guys,

How can I prevent/disable Windows Media Player for file types like mp3, mp4, etc. through GPO?

KB3163912 breaks Point and Print Restrictions GPO settings


Our labs install our printers through a simple Start Menu\Programs\Startup VBS script that points to a printer depending on the machine name.  This saves anywhere from 1-5 minutes from our login times.

This morning after the new cumulative update KB3163912 all our lab machines are now prompting for admin credentials to install these print drivers.

I have changed the Point and Print Restrictions section of our GPO to both "disabled" and "enabled" but without server restrictions, and disabling elevation prompts.  Neither takes any effect.

After removing KB3163912 the printers install fine without any prompts.

We can add our printers back to the typical GPO location for now, but no doubt we will receive complaints on our login times increasing.

GPResults show our group policies are processing fine on machines that are both pre and post KB3163912.

Run WiredAutoConfig service via GPO


Hello.

I have tried enabling the WiredAutoConfig service via GPO for 802.1x authentication. But it seems that it won't apply to the client. 

I have configured it via the GPO object, Computer Configuration->Policies->Windows Settings->Security Settings->System Services, have enabled the WiredAutoConfig, and changed it to start automatically.

I have run gpupdate multiple times, restarted the client's PC, yet it did not apply. I'm using Windows Server 2012 R2. The client's OS is Windows 7 Pro.

Any solutions?

Thank you.


add computers to a universal group


Hello - I have several computers in an OU, all these computers need to be a member of a universal group.

Is there a policy that will automatically add the computer to the u group once a computer is placed in that OU?


2012R2: GPO not working for NLA/Printer Redirection


Hi Guys, Working on trying to get a GPO to work for NLA and Printer redirection.  The GPO shows that it is applying in GPResult/RSOP but the UI is not reflecting the change. I've verified the GPO is showing as the winning GPO. If I open up the session collection settings both the NLA and Allow printer redirection checkboxes are checked. I've rebooted the host and for safe measure added the server to the security filtering for the GPO but it is still showing the settings as checked. Maybe it's a UI bug, as I can RDP into the server without an issue even though NLA shows checked, but I've not tested to see if printer redirection is enabled or disabled in practice.

It's quite the simple GPO.

Setting name: Require user authentication for remote connections by using Network Level Authentication
Setting path: Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security
Supported on: At least Windows Vista

Setting description:

This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process.

If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RD Session Host server.

To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase Network Level Authentication supported.

If you disable this policy setting, Network Level Authentication is not required for user authentication before allowing remote connections to the RD Session Host server.

If you do not configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default.

Important: Disabling this policy setting provides less security because user authentication will occur later in the remote connection process.


Printers not applied - Error 4098 0x80070005 Access is denied


Hi

I have a Domain controller + Print server, where customers' local printers are installed as network printers (public IP).

GPO setting: User -> Preferences -> Control Panel Settings -> Printers -> Shared Printer (Name:\\DC\PrinterShareName)

But when a user logs on to a remote desktop server they don't get their printers.

The only thing I can find in the event log, on the RD server, after I installed hotfix KB2457866 (sorry, it's in Danish):

Lognavn:  Application
Kilde:   Group Policy Printers
Dato:   30-08-2011 08:19:15
Hændelses-id: 4098
Opgavekategori:(2)
Niveau:  Advarsel
Nøgleord:  Klassisk
Bruger:  SYSTEM
Computer:  RD-server.domain.local
Beskrivelse:
bruger-indstillingselementet 'PrinterShareName' i gruppepolitikobjektet 'Printers - Company {D62092EA-3333-4E54-9588-6EEA1C797B41}' blev ikke anvendt, fordi der opstod en fejl med fejlkoden '0x80070005 Adgang nægtet.' Denne fejl blev ikke undertrykt.
Hændelses-Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Group Policy Printers"/><EventID Qualifiers="34305">4098</EventID><Level>3</Level><Task>2</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2011-08-30T06:19:15.000000000Z"/><EventRecordID>143523</EventRecordID><Channel>Application</Channel><Computer>RD-server.domain.local</Computer><Security UserID="S-1-5-18"/></System><EventData><Data>bruger</Data><Data>PrinterShareName</Data><Data>Printers - Company {D62092EA-3333-4E54-9588-6EEA1C797B41}</Data><Data>0x80070005 Adgang nægtet.</Data></EventData></Event>

If I allow everyone on the printer it works.

But when I remove everyone, so only the users group is allowed on the printer, the above error is logged.

This is logged in the system log, a lot of times:

 

Lognavn:  System
Kilde:   Microsoft-Windows-DistributedCOM
Dato:   30-08-2011 08:32:38
Hændelses-id: 10009
Opgavekategori:Ingen
Niveau:  Fejl
Nøgleord:  Klassisk
Bruger:  I/T
Computer:  RD-server.domain.local
Beskrivelse:
DCOM kunne ikke kommunikere med computeren CSR|DC ved hjælp af nogen af de konfigurerede protokoller.

 

All servers are 2008 R2 SP1

/Kim


Copy file from DC to remote computers when users login.


I was advised to post this on the forum by jrv and Richard Mueller, so figured I would and get more perhaps better information on how to accomplish?

Well I've looked and looked and haven't found anything quite like what I'm needing to do so here goes.

I have a student domain that we must restrict students' access to the computer and internet as much as possible. Since I'm not scripting/programming challenged I'm in hopes someone can give me a leg up on how to use PowerShell to do a login task for student sign ins.

I have a default.htm file with specific URLs and apps the students can access while on the computers. This default.htm file resides on my domain controller but I need a script that when the students login the .htm file will be copied down to the local machine to, say the C:\public\public documents folder where the GPO points IE 11 to go to for the default browser page.

Sure will appreciate any help I can get in accomplishing this task soon.

Thanks in advance!


MDL

Policy for setting up Ethernet as priority on Network settings


I usually do it manually for my users by going to Network settings > Advanced settings and changing priority to Ethernet, but since we have wifi and Ethernet enabled all over the place most of the laptops jump to wifi instead. It's hard to follow up individually while everyone is in our domain. I would love to see a domain policy where I can prioritize Ethernet throughout the domain for all users.

Thanks

Software installation is not working through GPO


Hi Experts,

I am trying to deploy Mozilla and XML Notepad through Group Policy. I have created a test OU in AD and moved a few required users into that group. I created a policy to assign the software. When I try to log in to a domain machine as that specific user where we apply the policy, the software doesn't install. At the same time, when I run rsop.msc I can see the policy has been pushed, but I have no clue why it didn't work. For reference I am also attaching a few snapshots for better understanding. This is a client machine snapshot where it clearly shows it has been implemented. I also tried changing the value of the start policy processing wait time, which I saw somewhere in the forum, but no luck. Interestingly, whenever I run gpupdate /force from the client system it always shows the message below. Many times I chose yes and tried to log in again, but no luck. Please advise accordingly. I am using Server 2008 R2 and all client machines are on Windows 7 32/64 bit. Please let me know if any other information is required.

Output of client machine:

Updating Policy...

User Policy update has completed successfully.

The following warnings were encountered during user policy processing:

The Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.
Computer Policy update has completed successfully.

For more detailed information, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Certain User policies are enabled that can only run during logon.

OK to logoff?. (Y/N)

Regards

Prem
