Channel: Group Policy forum

Auditing a Directory on a Windows 7 or 10 Client using Group Policy Settings


Hi folks - I'm trying to attempt to monitor a directory on client PCs using Group Policy.  I want to trigger a scheduled task from the event created by the files being modified.  In addition to the files in the directory I want to monitor triggering an event, I get an event triggered whenever any file in c:\Windows\System32 is accessed as well, usually by system processes. I only want to know about anything in the directory I want to monitor that is modified, created, or deleted.  Can anyone help me with what I need to change in my setup to make this happen, and ignore anything BUT what is changed in the monitored Directory?


My Setup Through GPO is as follows:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> File System -> C:\path\Directory_Being_Monitored

Security Policy Settings -> Security -> Advanced -> Auditing Tabs

Audit Success for Domain users Create Files/Write Data and Delete

Also

Advanced Audit Configuration -> Object Access -> Policy -> Audit File System: Success

Thanks in Advance.

Steve


Desktop GPO


Hello,

I have about 15 users, for whom I want to unify their Desktop and use Roaming Profiles:

1- Restrict users from saving anything on Desktop

2- Create a Unified Desktop for all users containing My computer and My Documents only

Is there any GPO to do these two points?

I would appreciate it if you can help me.

Regards

Remove suggested apps in windows 10 via group policy

I have several Windows 10 workstations where the Start menu provides Suggested links for users to purchase and add software to the machines. How do I remove this option via Group Policy? This is on a 2012 server domain.

SBS 2011 Server Folder Redirection Help needed


The SBS server crashed (blue screened) during an attempt to install new printer drivers.  After the server came up it was found that DCOM was broken and thus Windows Installer fails (unable to install any programs) and access to AD, GPO, etc. fails (nothing can be registered/addressed).  I'm attempting to migrate what's left of the server to new hardware.  The broken server had a redirected folders policy.  I'd like to maintain that policy, however, I don't know how to "migrate" folder redirected data to the new server because I have no access to the GPMC to push out changes to the policy (point to new server or revert to local).  Any recommendations how I'm able to move this data to the new server so that it accepts it and syncs it with the new user profiles on their workstations?

I've already tried to migrate profiles, but no files seem to be preserved locally after the connection to the bad server is broken.  Is there some hidden folder that maintains the local sync'd copies I can access?  I'm also unable to adjust the policies manually locally to point to the new server.

Any help is appreciated.

GPO Assigned Applications not Deploying. GPO shows in GPRESULT but MSI not in GPRESULT /H


I have tried deploying an MSI at a client but the MSI is not picked up on the client or deployed. The GPO is applied but when running a gpresult /h the MSI is not present.

Other GPOs are applying OK and I have created a new GPO with other non Software Deployment settings and applied fine.

I have checked/tried:

  • Checked DCDIAG on DC (single DC domain) and OK. Confirmed nothing in FRS or any other obvious issues.
  • Checked DNS for any old DC entries (recent DC move from SBS).
  • Created a new share confirming permissions fine (Auth Users) and tried deploying in a new GPO from there.
  • Checked connectivity from the PC all OK.
  • Enabled Gpsvc.log and again can see it sees the GPO but nothing else.

Nothing is logged for the application deployment in the System, Application or Group Policy logs on the PC I'm testing from (this is not working for all PCs at the site though).

Is there some further logging I can check or enable to troubleshoot further?


Server NTP time problems?


Let me start by saying I didn't really know where to post this, for I am not even 100% sure what server it is we're using. I believe it's 2012 R2, however I could be wrong. I apologize. Let me just explain what's going on. (Yes I am new to servers)

I had someone tell me their computer updates automatically and restarts on its own, regardless of the settings on that computer. So I went to the server and edited the group policy so that it was configured to download updates, but to notify before install. Great. Well, I went back to the problem PC and forced a sync to the server. It failed. The server time was way wrong. It was indicating about 2:30 am (when this was being done at about 4pm.) It also indicated it was the following day's date. Telling me it was in the future. The person also told me that their second computer's time was off as well..hmm.

I manually changed the time on the server. Clicked on the clock -> adjust date and time -> put correct time. What I didn't know, was that wasn't how you adjust a server time. I was then informed about NTP and how I need to set the flag to 5 and so on...but today, the person who I was fixing all this for, stated that the computer clocks were normal now. I didn't do anything besides change the local time on the server.

Here is where I'm stuck. I don't really know what to do now. Does this give anyone any bit of info that can even remotely help me finish this through and make sure everything is set up correctly?

Which is best practice for applying Group Policy


Hi Team,

Please tell me: create and apply a new Group Policy to the Computers OU or the Users OU, which is best practice for an organization?


Problem with inetres.admx


Suddenly, when opening Group Policy Manager and checking group policy settings, I get this:

Resource '$(string.SUPPORTED_IE11WIN8)' referenced in attribute displayName could not be found. File C:\Windows\PolicyDefinitions\inetres.admx, line 184, column 87

I tried copying same file (dated 14.11.2015) from another server > no change. Then downloaded newer version (dated 3.8.2016) and got this:

Resource '$(string.SUPPORTED_IE9_IE11NONWIN10)' referenced in attribute displayName could not be found. File C:\Windows\PolicyDefinitions\inetres.admx, line 162, column 103

Nothing GP related has been changed in weeks and old template has not given any errors before this.  Similar errors before were fixed with replacing file with another copy or updating to newer version. Server is 2008R2 std sp1

Any ideas what to try next?


GPO to Create Scheduled Task to run program in logged-on user environment. Windows 10


Good morning,

First I will briefly explain what I want to achieve followed by my questions below.

I need to run a program in the current logged-on user mode on all of the systems in our domain. Triggers are: whenever a user logs in, or when a network connection is made, or dropped.
(The Application automatically changes the Proxy settings to match the location they are in)

All of these goals can be achieved by creating 3 scheduled tasks:

- 1. Triggered when a connection is made        (MS-Windows Network Profile service event 10000)
- 2. Triggered when a connection is dropped    (MS-Windows Network Profile service event 10001)
- 3. Triggered when a user logs in.

Now here come my 2 questions:

When I create the task on my own machine, I can select more than only run on a schedule, I need the extra options also when setting this task through GPO. So I need to be able to run my app on Event-ID: 10000 of the Microsoft -Windows-Network/profile service. How can I achieve this through GPO, if all I see is run on a schedule?

Secondly, I would have done it all differently if I was not restricted by the fact that my APP must run in the environment of the current logged-on user. According to TechNet, this can only be achieved by creating the task through GPO.
If I prepare the task on my own system I always have to select a user, but the user should be %username% and that is not an option.

Anybody have some bright ideas / solutions for me?

Thanks,

Dylan

allow non admin users (without being local admin) the rights to install any software they choose without elevation, Not just deployed msi's etc.


Is this possible?? As I'm going greyer by the minute.

I really need to allow non admin users or a group of domain users (without being local admin)  the rights to install any software they choose, Not just deployed msi's etc.

All software installations require elevated permissions by a domain admin to install however,

We have testers and dev guys that we need to allow to install any lil pieces of software all the time to test out product without me elevating the permissions every time.

All users are not to be local administrators on any pc.

(have seen and tested a script that can make local admin domain admin in seconds :0/ little worrying considering all the security we have) .

I've trawled the internet and can't seem to find any way to do this on Server 2012.

Seems silly to have only domain admins that can elevate to install software???

I'll make a hero out of anyone who can solve this or help me out in any way.

All the best, G

GPOs for specific users


Hi everyone,

I'm new to Windows Server, I've got a Server 2012 R2 DC. What is the correct way to set GPOs for specific users only?

Nicholas

@NicholasHayman

Screen Saver Timeout issue


Hi, I have been asked by Senior Managers to set up a screen lock policy for All Users, which was configured no problem: User Configuration – Policies – Admin Templates – Control Panel – Personalization – Enable Screen saver: Enabled, Screen Saver Timeout – 300 secs

Now, I have been asked to amend this and allow 1 user to have the screen saver timeout – 900 secs. How I tested this was have 2 policies; one with 300 secs to Authenticated Users and a Deny Group with the user added to this Group, the other policy 900 secs to Authenticated Users. (Doesn’t sound right, but having Security Filtering set this way works in test)

This works fine in my test OU (outside of main policies) but when I attach it to the Live OU level it stays on 900 secs. I have tried to amend the Security Filtering settings but no luck. No other policies are causing a conflict.

A bit confusing; I hope I explained OK. Let me know if you need more info here.

GP 2008 R2

Windows 7 SP1 32 Bit

AppLocker Policy


Hi Guys,

I have a problem when I run the AppLocker policy: I have created one role to block Windows Media Player, but when I apply the role and choose the specific application, it blocks all EXEs in Windows. Why? What is the reason? Is there a wrong configuration?

Regards,

Ali

running a program on start up as a different user


Hi Everyone,

So I need to run a program (setacl.exe) to edit the permissions in the registry on startup of a computer. Due to problems with the permissions I need it not to run as the system account, but as a different user account. Does anyone know of a way to do this?

Thanks!

Windows 10 Group Policies


Hi,

Are the new policies for Windows 10 built in to Server 2012 R2 with the latest updates? I can't find the Microsoft Edge Policies.

Thanks

Nicholas

@NicholasHayman


GPO question about Excel 2010 Trusted Locations


Is there a way to use Group Policy to allow trusted locations on the network and add specific network locations, but prevent users from adding additional locations? This is for Excel 2010 in particular.

I've created a GPO to add a network location and to check the box to allow network locations. Ideally, though, we would like to lock it down to just the locations we add through group policy and no others and I can't see a way to do that.

Thank you.


Kenny

Disable laptop Webcam when Off-LAN


I work for a K12 school district that is deploying 1-to-1 Windows 10 laptops to all of their students. The District has privacy concerns regarding the integrated webcam built into the laptops. They want to ENable the webcam when the laptop is connected to the District's private wired/Wi-Fi LAN, but they want the webcam DISabled when the laptop is NOT connected to the secure private wired/wireless LAN. They do NOT want the user to have the ability to re-enable the webcam outside of the LAN, nor do they want the solution to be dependent on the user having to log on with a local account (the district has applications/shortcuts/links pushed to the student's domain profile that they want the student to still have access to when using the laptop off-LAN).

Is there any way to accomplish this using Group Policy, or will this require a different method to achieve?  And if so, any suggestions on HOW to accomplish this?

Thanks in advance,

Mark

The processing of Group Policy failed


We are seeing an issue on one of the machines in the domain where it fails to process all  of the group policies. (user and machine)
Here is one of the system error messages from the event log.

The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,CN={51B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=local. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.
C:\Windows\System32\GroupPolicy and C:\Windows\System32\GroupPolicyUser folders are empty.
We attempted to dis-join and then join the domain, however group policy processing issue remains unresolved.
What would be the next troubleshooting step for this problem?

Thanks

KB3163912 breaks Point and Print Restrictions GPO settings


Our labs install our printers through a simple Start Menu\Programs\Startup VBS script that points to a printer depending on the machine name.  This saves anywhere from 1-5 minutes from our login times.

This morning after the new cumulative update KB3163912 all our lab machines are now prompting for admin credentials to install these print drivers.

I have changed the Point and Print Restrictions section of our GPO to both "disabled" and "enabled" but without server restrictions, and disabling elevation prompts. Neither takes any effect.

After removing KB3163912 the printers install fine without any prompts.

We can add our printers back to the typical GPO location for now, but no doubt we will receive complaints on our login times increasing.

GPResults show our group policies are processing fine on machines that are both pre and post KB3163912.

Forcing windows updates


Hello all,

I was wondering if anyone could answer a question I have in regards to forcing windows updates.  We currently use a WSUS server that will send updates out to users. The roadblock we are running into is users not restarting their computers to apply the updates. Is there a way to notify someone X amount of times and then on, say, the 4th time, we force a reboot? Thank you in advance!
