I was working on a Server the other day where a GPO was applied to the Domain PC's on a user level. To test we only added one User to the OU. When we went to the PC and ran Start > RUN > CMD > gpresult /h C:gpresult.html.
ADMx files were used. Bothe the ADMX and Language files are in the folders that they should be in.
The HTML file was being displayed like this http://sdrv.ms/11Bb4Gd
Has anyone seen this before? I have not and im not sure why.
Id appreciate any advice :D
In Windows Server 2008 R2
Lets assume user acct: User1
Password for User: 1234
I have assigned an automatic service to run based on User1's credentials for startup of service. I have also created a scheduled task that runs daily called ST1 that is assigned to run under the same users "User1" logon credentials.
Everything works fine if the password is set to not expire on the user and the password is not changed.
However I need the password to be changed for the user based on group policy every lets say 90 days.
This password change does not update the service or the scheduled task of the change of the users password and hence those services and scheduled tasks no longer function and the end-user has to manually go to each location where such a logon credential was assigned and change the password.
Is there some way to automate this password change to update all locations where the users logon is being utilized since the password change is being initiated through Windows User Account?
Is there a way to get a list of all services and scheduled tasks that are assigned to a specific user? At least that would remind me which locations I would need to update manually.
Hi, and thanks for taking a look.
My network has a 2008 r2 domain controller and a 2003 server backup controller. Recently I decided that hence forth I will be pushing software via GPO and security groups on my network.
I got this to work and it tested fine in the test environement.
When I tried to apply some software to the existing machines on the network the policy failed on certain machines. I traced the problem down to the 2003 server, tested several machines on the network and any machine connected to this server does not receive the policy correctly. I think this might be dues to the Server version difference. Finally I decided that I will make another 2008 R2 machine on the network a buckup controller and demote the 2003 to just being a file server again.
When I attempted to dcpromo my existing 2008r2 server to a Domain Controller I received the Access Denied message. I used this KB to try and resolve the issue.. http://support.microsoft.com/kb/2002413?wa=wsignin1.0 . The server was added to the Domain Controller OU, and the GPO does have my Administrator account set to “Enable computer and user accounts to be trusted for delegation”.
Additionally what I found is that when I perform whois /all while logged into a server with the Admin account it does not list “Enable computer and user accounts to be trusted for delegation” as being enabled, as a matter of fact it doesn't even list it.
So my problem is that at the moment my main Administrator account can neither promote or demote any Domain Controllers. I know that this account was previously used to promote domain controllers.
Any ideas as to what might be the root of this problem?
I would like to manage some of the settings on a Windows 8 machines in my domain.
My domain controller runs Windows 2008 R2.
Is there anywhere I can download administrative templates for Windows 8 machines to install on the Windows 2008 R 2 server?Just installed a Windows 2008 R2 intended for Terminal Server.
The \\Server has a share locally \\Server\TScommon$\Start-Menu where all users have access, and the share is set up properly.
However it does not work for my test-users.
Event log from a user logged on:
Successfully applied policy and redirected folder "Start-Menu" to "\\server\TScommon$\start-menu".
Redirection options=0x1020.
My Group Policy
Computer Configuration (Enabled)
Policies
Administrative Templates
Policy definitions (ADMX files) retrieved from the central store.System/Group Policy
Policy Setting
User Group Policy loopback processing mode Enabled
Mode: Merge
| Grant user exclusive rights to Start Menu | Disabled |
| Move the contents of Start Menu to the new location | Enabled |
| Also apply redirection policy to Windows 2000, Windows 2000 server, Windows XP, and Windows Server 2003 operating systems | Disabled |
Policy Removal Behavior | Leave contents |
Administrative Templates\Start Menu and Taskbar
Add Logoff to the Start Menu Enabled
Prevent changes to Taskbar and Start Menu Settings Enabled
Remove and prevent access to the Shut Down command Enabled
Remove Clock from the system notification area Disabled
Remove My Music icon from Start Menu Enabled
Remove the "Undock PC" button from the Start Menu Enabled
Remove user's folders from the Start Menu Enabled
Turn off personalized menus Enabled
Turn off user tracking Enabled
Force classic Start-Menu Enabled
i have an old school internet explorer maintenance GPO setting up a couple of folders of IE favorites, containing a total of about 120 URLs accumulated over several years. we are in the process of both A. redirecting Favorites and B. changing the IEM over to group policy preferences (since IEM goes away with IE10). we still allow our users to create their own IE favorites in addition to the ones in our two folders.
i really do not want to create all 120 of these shortcuts by hand. it also seems kind of inefficient to have the same 120 shortcuts stored in 2000+ separate places (of course shortcuts aren't big, but still) rather than having them all in a single location where all users can read them. to that end, i could put them all into a network folder where everyone only has read permissions, and redirect favorites to that folder, but then the users lose their own favorites. in my head what i really need is to "redirect" two or three subfolders of Favorites to a different location than Favorites.
so my favorites get redirected to \\server\share\john.curtiss\favorites
but i need
\\server\share\john.curtiss\favorites\folder1 and
\\server\share\every.other.user\favorites\folder1
to point to \\server\readonlyshare\folder1.
i tried creating a File System shortcut object %favoritesdir%\folder1 pointing at\\server\readonlyshare\folder1, but when i click on that folder shortcut in IE, it opens up a separate windows explorer window rather than expanding within IE to display the URL shortcuts it contains.
clear as mud? thoughts on how to accomplish what i'm trying to do?
Hi everyone,
i've got a litte problem with GPP drive mapping and Win8 / 2012
On Windows7 / Server 2008 R2 everything is working for every user. On Win8 / 2012 RC the drive mapping is only (visible) working for non administrative users.
So i enabled GPP Logging and reviewed the logfiles and the eventlog, which is the same for every OS and User:
Window 2008 R2
2012-06-04 11:20:05.924 [pid=0x368,tid=0xb0c] EVENT : The user 'N:' preference item in the 'Global_UserLogon {C1C638C5-8E14-4DD4-96BF-B35013009E9B}' Group Policy object applied successfully.
Windows 8
2012-06-04 10:48:47.760 [pid=0x37c,tid=0xef0] EVENT : The user 'N:' preference item in the 'Global_UserLogon {C1C638C5-8E14-4DD4-96BF-B35013009E9B}' Group Policy Object applied successfully.
Long story short:
Windows7/2008 : GPP drive mapping is working for everyone
Window8 RP/2012 RC: GPP drive mapping is working for every user (according to the logs) but the drives only show for non admin users.
Any ideas? Known Problem for Win8/2012?
cheers Flip
Hello Guys,
I have got a problem using the Windows 8 GPMC.
If I want to use the new "Status" feature, I'm getting this failure:
We have got two 2008 R2 DCs and the rest is Server 2003 R2.
The DC that holds the FSMO roles is also a Server 2003 R2.
The error is the same as described here:
http://social.technet.microsoft.com/Forums/nb-NO/winserverGP/thread/baef3a58-bcae-4336-970a-1e9b4ebc03f8
It seems like GPMC can't get the list of DCs:
MVP Group Policy - Mythen, Insiderinfos und Troubleshooting zum Thema GPOs: Let's go, use GPO!
We would like to increase the duration for the balloon notifications for password expiration and Windows Updates ready to install from 5 seconds to 2 minutes.
I see that you can change this setting for on one Windows 7 computer for one user by going into the control panel ease of access and adjusting it there.
How can we set 2 minutes as the default setting for all current and future users via GPO?
Also, I have discover that there is Domain replication issues as well. Our primary AD which is on windows server 2003 standard SP2 and other AD on windows server 2008 r2 is have replication issues as well.
Your help and time is extremly valued.
Hi, we've configured a group policy regarding all Trusted Sites in our company. I've enabled "Sites to Zone Assignment list" and input all of the websites that are used by the company. Problem is if I enable this policy, the "add" button under Trusted Sites will be greyed out and users are unable to manually add sites, is there an option to still manually add sites even though there are prelisted sites which was done via gpo?
Thanks
Jeff
I wonder when this issue with GPMC´s filter will be fixed, that search can be run only with EN keyboard layout? If there is other regional settings set in server and you are using GPMC, you won´t find any results when trying to search gpo settings using filters. This was a priceless tip for me few years ago, after this I didn´t need to run through all nodes in GPMC trying to find desired set manually. Just use the search with good keywords and you are done. I´m also amazed, that this "bug" isn´t discussed very wide anywhere. I´ve tought this trick to around 10 admins so far and they were very thankful.
Treat this thread as feedback to MS. And take advantage this feature. Cheers!
When typing the keywords here, make sure you are using EN keyboard layout.
We are removing local admin rights from systems and require the Administration prompt for non Administrators.
I'm trying to enable UAC via GPO for a basic setup of "Administration Prompt" however the GPO settings for UAC are not working correctly. The GPO is applying the settings configured however when checking UAC in Control Panel the slider doesn't change position and no prompt is display when logged on as a non local admin.
The problem isn't with the GPO being applied but with the UAC settings. The current GPO settings applied are:
I've looked at: http://technet.microsoft.com/en-us/library/cc772207(v=WS.10).aspx but not sure what settings are being missed to enable it correctly. All other settings are set to "Non Configured"
Anyone have any pointers?
i've created a shortcut on the windows 2008 desktop via GPP user setting. after a gpupdate on the client, the shortcut works as intended when i double-click it, but i also assigned a shortcut key combination of CTRL + ALT+ U to the shorcut in the GPP, and this part is not working.
if i manually open the properties of the created shortcut and change the key combination to CTRL + ALT +M, it works.
if i then manually change the key combination back to CTRL +ALT + U, it still works.
if i then do a gpupdate--which is supposed to "Replace" the shortcut--CTRL+ALT+U still works.
if i delete the shortcut, and do another gpupdate, it gets created again, but CTRL+ALT+U does not work anymore.
can anybody else replicate this? is there a known issue with shortcut keys in GPP-created shortcuts?
We have two computers that will not update Computer Policy.
The event log shows a ID 1097. I have tired a w32tm /resync and tired to remove and re-add the computers to the domain, I have reset the accounts and check the permissions in there proprieties in Users and Computers. All with no luck.
I also put the computers in a separate OU with an epmty GPO linked and set block inheritance with no luck
Is there anything eles that I could try short of imaging the computers?
Hi,
Is it possible to deploy taskbar icons for users of Windows 7 computers with Group Policy?
I would prefer using Group Policy (User Configuration) Preferences instead of logon scripts or default user profile modifications.
By default there are Internet Explorer, Windows Explorer and Windows Media Player. I would like to remove the Media Player and add shortcuts to the basic Office (2010) programs (Outlook, Word, Excel and PowerPoint). Also if possible I would like to add shortcut to a web-based (Internet Explorer) ERP system with customized icon.
Thanks in advance for your help!
Best regards,
Toni
We have had in place for many years a custom non-managed "User Shell Folder" policy which provides redirection for many of the common shell folders we'd like users to retain. The reason being is that we don't have roaming profiles on PCs and also much of the environment is based upon Citrix (provisioned servers) which use mandatory profiles (non-persistent).
Therefore key data that we'd like to retain is redirected to a user's personal "home folder" on a storage system.
This works well enough but it's a custom .adm (non-managed) and we'd prefer to use the standard folder redirection policy which is easier to manage and can be given suitable precedence and easily debugged.
However there's a limitation, we currently redirect the following which aren't available in the standard folder redirection options so will always appear under %USERPROFILE%, which is local to the PC/Server:
All would be a real loss as they are used extensively at the moment and saved to user's home folder. Is there any alternative method to including those in redirection other than our custom user shell folder policy?
Thanks
