Quantcast
Channel: Group Policy forum
Viewing all 19997 articles
Browse latest View live

2012 domain - one DC of four has error on gpmc.msc status tab - processing error occurred collecting data using this base DC

November 15, 2016, 12:26 pm
$
0
0

Our domain has two 2012 DC, one 2012 R2 DC, and one 2008 DC.

Only one DC has this problem (the 2012 DC that is not the PDC).
When one opens gpmc.msc and focus at the root of the domain, and on the Status tab click Detect Now.

A processing error occurred collecting data using this base domain controller. Please change the base domain controller and try again.

As per:
GPMC reports a Processing Error while trying to detect DCs
https://support.microsoft.com/en-ca/kb/2891966

1) DsGetDcName  is reading the name information from HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Hostname. 
Check the hostname entry, convert it to All CAPS and then restart the netlogon service on the DC to fix the problem.

Sure enough the other 2012 DC (the PDC) had a lower case name, so I  changed to upper case and restarted Netlogon service.
The error continued on the one DC.
Overnight all DCs were restarted due to WSUS updates.

The error continues on this one DC.

2) You should also check the below locations to make sure there is no deleted or conflict references for the fSMORoleOwner Attribute. You would get the same errors if you have a bad entry for this attribute reference.

Places to be checked:

1. Open ADSIEdit and connect to DC=DomainDNSZones,DC=Domain,DC=com.
Right click the object CN=InfraStructure
Look for the attribute fSMORoleOwner and verify it is pointing to the right FSMO holder.

The values show the PDC is listed in the wrong Site Location.

Unfortunately a prior administrator physically moved the DC with all the FSMO roles back in 2014, without demoting and re-promoting it. We have had several issues due to this bad move.

So my question is: is it ok to manually change the name of the site to correctly reflect the 'new' location of the DC?
It really does not explain though why only the one DC would have a problem while the others are fine.

Advice is appreciated thank you.

Andy

Search

GPO filtered out

November 20, 2016, 4:52 am
$
0
0

Hi, i configured a group policy object that changes some value on the registry.
but for some reason, not matter where i am linking that GPO I am always getting "the following GPO was not applied because they were filtered out"

I think it's maybe because we already have a gpo that has some settings and one of the settings is that setting that i configured into that GPO that doesn't work... (this GPO that doesn't work does the opposite - I want to do exceptions for some users).

Maybe I have a way to do exceptions for that existing GPO I have? I will be more than happy if you will tell me how to do that.

Thank you

auto archive in outlook using group policy

November 16, 2016, 4:31 am
$
0
0

Team,

Is it possible I can create and control auto archiving centrally for outlook through group policy.

New AD and largely default GPO blocks access to internet via WiFi

November 15, 2016, 9:16 am
$
0
0

I've been scratching my head over this for days. We're migrating the company network to a new domain (mostly in the Azure cloud) that has a largely default Group Policy. If the domain controller and/or the GPO is not available on the wifi directly, internet access is blocked. This prevents remote employees from using a VPN connection to connect TO the network to provide access to the DC/GPO, the lack of which prevents them from accessing the internet through WiFi. Catch 22.

If you are connected to an RJ-45 cable vs. WiFi there is no problem, nothing is blocked and you can kickoff the VPN just fine, it seems to be wireless specific.

I've looked in the Group Policy Management Editor and there is no Wireless Network Policy in place as far as I can tell. All I have is the default placeholder: "New Wireless Network Policy" sample that has nothing set on either the General or Network Preference tabs.

I've dug through all the settings and I've been unable to find anything that would seem like it would be blocking internet access via wireless connection.

Do I need to establish a wireless policy in order to prevent internet access being blocked by default? It seems like any policy I establish is for the purpose of locking DOWN Wifi access instead of allowing it, and that's the opposite of what we are trying to accomplish.

Group Policy isn't really my forte, but nobody else here at the moment has more background than I do and apparently I drew the short straw.

Any assistance or clarification anyone can provide would be greatly appreciated.

Thanks in advance for your time and attention.

OneDrive for business Group Policy Administrative Settings

November 21, 2016, 8:50 am
$
0
0

I am planning to apply Group Policy Settings for One Drive For Business next gen sync client which is being rolled out to customers.

I downloaded the ADMX/ADML files available as part of One Drive For Business Administrative Settings. After downloading the files we uploaded them to our Group Policy Store and observed they are not being pushed to user machines.

Any inputs on what could be potential issue?

We are running Windows 2008 R2 and not Windows 2012 Yet.

Is Server Operating system an issue? If so, Is there a 2008 R2 compatible ADMX file for One Drive For Business next gen sync client?

Thanks,

kesari suresh


How would I force an "Applications and Services Log" to be enabled via GPO?

November 21, 2016, 9:34 am
$
0
0
Okay, so my scenario is that I found out in 2012 R2 there is a new way of logging DNS client requests in Event Viewer, and I'm hoping to collect DNS requests from a bunch of Domain Controllers via Event Forwarding.  I'm familiar with Event forwarding so that's not a problem, but I wasn't sure how to force the settings for one of the entries in the "Applications and Services logs" in Event Viewer through GPO.  Has anyone done this before?  I'm assuming we're probably looking at GP Preferences and not GPO right?

How to set the intranet trusted sites on windows server 2008R2 when GPO Has internet options locked down

November 21, 2016, 10:12 am
$
0
0

I have a local web site that is on the local server to access a specific application web interface for administering the application.

IE Policies are controlled by administrator thru GPO.

How can I set the intranet trusted site for this application in the registry to be able to access the  applications web interface to be able to administer the supplication? 

2003 DC - GPO with login script not applying to users on Win 10

November 21, 2016, 12:57 pm
$
0
0

I have a login script that I want to use temporarily.  It is to standardize local computer admins by doing a series of NET USER and NET LOCALGROUP commands.

I cannot use psexec, at least not very easily, because our current setup (being changed next year) uses Linux based DNS which does not dynamically register workstation host names.  So getting 100+ live leases across 4 locations and remote users would be a nightmare.

I know the GPO works because I have a test user set up.  If I log into a windows 10 test machines and do a gpupdate /force, than log out and in, nothing happens.  So I run GPRESULT /R and I notice the new GPO is not in the list of applied GPOs.

If I follow the same exact steps on one of my spare laptops with Win 7, it works as intended.  Any ideas?

Search

Allow standard user (non admin) to update installed softwares

November 20, 2016, 8:08 pm
$
0
0

Hi,

Sorry if this has already been raised but I would like to allow standard user (non admin) to update softwares on the PC such as Adobe Reader, Java, Itunes, etc. However, new software (not installed) must require admin access to install software. 

I have enabled 'allows user to patch elevated products' but it didn't work. 

Is this achievable using GPO or something? Any suggestions.

Regards,

Mitesh


GPO to windows 7 and printers

November 20, 2016, 10:33 am
$
0
0

Hi,

OK long shot but hopefully someone has the answer please?

I have a group policy to 'update' my printers, 'remove' some others and 'create' 2 more. Basically this policy does everything its supposed to on certain pc's but not on others. Sometimes nothing happens , sometimes only partial printer deployment and on a couple more - perfect! the GPO seems to deploy if you check the windows logs 

After much hair pulling I tracked it down to the gpo refusing to be deployed due to the driver not being available. However its there on the server ( the gpo is set for no elevation, any printer in forest ).

If however you go through ( from a 'bad' win 7 pc )  to the print server and manually map to the printer that wont deploy, let it install ( to the win 7 pc ) you can use it. Now if you delete that printer from your win 7 pc that's not having its printers deploy properly you will see this time it will install that printer fine as part of group policy.

So why is it not just picking up the printer driver via GPO and working?

Thanks if you can help. Wasted 3 days so far on this....

SC

Problems setting Microsoft Edge Start page using Domain Group Policy

November 16, 2016, 7:18 am
$
0
0
I am having some trouble. I am trying to set the Homepage and Start page for Microsoft Edge. I can see settings for it in the local group policy but cannot find settings in the domain group policy. I have installed the most recent Windows 10/Server 2016 ADMX files. I am unable to find any registry keys I can edit to set the start and home page as well. Does anyone know a way to set the Edge start and home page for the entire domain without having to visit each computer individually. We are currently have a domain functional level of Server 2008. We have a Server 2012R2 Domain Controller and we have a Server 2008 domain controller. All of our workstations and laptops are running Windows 10 version 1607.

How to turn off "Public Folder Sharing" using group policy

November 21, 2016, 10:48 am
$
0
0

Hi!

I want to turn off "Public Folder Sharing" feature using group policy in order to be sure that every computer in the domain have this feature off.

Does anybody knows if that is possible?

Thanks in advance

Cristian L Ruiz

MSI

November 21, 2016, 10:09 am
$
0
0

Hello, 

I am trying to install some software in my server to send to my domain users, but it needs a msi file type to use, how do I create a msi file?

Thanks!

Lost proxy gpo

November 14, 2016, 6:53 am
$
0
0

Hi all,

I've an old gpo that set proxy for internet explorer (>=9) to a server, for example myserver1:8080

Now,  this server has been shutdown a lot of months ago, but we cannot find the policy that sets this value.. the usual locations are empty. A particular behaviour is that at first logon on a machine, the user got the wrong proxy. If you do a gpresult /h you cannot find something related to this settings, and if you deselect proxy in IE, at next logon the proxy is (correctly) not present. The only way to reproduce the error on the same machine is to delete user profile and logon again.

Any advice?

Thanks!

Client-Side Extension could not apply user policy settings / There is a time and/or date difference between the client and server

November 17, 2016, 11:46 am
$
0
0

So I'm having some time/date issues pertaining to group policies.  I'll try to explain the situation as simply as I can.  

We have 3 servers outside the US (they are an hour behind in time from our PDC time because of their time zone).  Those servers were in a domain that is setup as a two way trust with our domain in the US.  

Now, two of those servers were joined to our domain.  The remaining server which happens to be their domain controller has not been demoted and then promoted on our domain yet.  Here is the problem I'm having:

Users on our domain RDP into those two servers that were joined to our domain.  They process group policies located on our domain.  The problem that we are having is that not all the policy settings are being applied.  I am seeing these messages in the event viewer:

The client-side extension could not apply user policy settings for 'GroupPolicy Name F57D3-3F35-4747-8E3A-C89EE330FAF8}' because it failed with error code '0x80070576 There is a time and/or date difference between the client and server.' See trace file for more details.

So what I did is went to every domain controller in our domain and the trusted domain and synced up the time with our PDC.  It applies the time zone during the sync but they are all synced up.  The servers that we joined to our domain are also synced up with the PDC but I'm still getting this message.  

I read somewhere about the kerberos time threshold and how you can change that from the default 5 minutes to whatever you want.  But I shouldn't have to do that, the group policy should see that the time is synced up but the server is just in a different time zone from where it's pulling the group policies from.  Can anyone help?  


Search

Policy skipped.

November 17, 2012, 2:33 pm
$
0
0

Hi there,

i run in following problem.

GPSVC(308.490) 21:30:59:203 ProcessGPO:  Searching <cn={5E781B71-627B-4859-AA38-6D4C39D1EBC8},cn=policies,cn=system,DC=testdom,DC=local>
GPSVC(308.490) 21:30:59:203 ProcessGPO:  Machine has access to this GPO.
GPSVC(308.490) 21:30:59:203 ProcessGPO:  GPO passes the filter check.
GPSVC(308.490) 21:30:59:203 ProcessGPO:  Found functionality version of:  2
GPSVC(308.490) 21:30:59:203 ProcessGPO:  Found file system path of:  <\\testdom.local\SysVol\testdom.local\Policies\{5E781B71-627B-4859-AA38-6D4C39D1EBC8}>
GPSVC(308.490) 21:30:59:203 ProcessGPO:  Found common name of:  <{5E781B71-627B-4859-AA38-6D4C39D1EBC8}>
GPSVC(308.490) 21:30:59:203 ProcessGPO:  Found display name of:  <drive>
GPSVC(308.490) 21:30:59:203 ProcessGPO:  Found machine version of:  GPC is 0, GPT is 0
GPSVC(308.490) 21:30:59:203 ProcessGPO:  Found flags of:  0
GPSVC(308.490) 21:30:59:203 ProcessGPO:  No client-side extensions for this object.
GPSVC(308.490) 21:30:59:203 ProcessGPO:  GPO drive doesn't contain any data since the version number is 0.  It will be skipped.

All this happens on my testdom (one DC) and testclient based on W2K8R2. I have an other Policy running without any Problem. I check my eventlogs and found no errors...

MfG, Maikel Gädker

Gpo to add route via openvpn (admin privileges by app and user)

November 22, 2016, 2:12 pm
$
0
0
Hi

Can anyone suggest a way to run openvpn as an administrator so standard users can add a route (the command that fails es route.exe). preferrably via gpo

Some computer in our office has vpn connection, using open vpn gui software, but this needs to be run with admin privileges because after it connects, it adds static routes using (route.exe), when a regular user connect, the policies denied to add the static router.

So really what I'm looking for is a way to have a GPO that will allow all users to be able to add routes on the fly, without having to make changes to individual pc's. 

Thanks

Workfolders policy for specific computers for specific users

November 22, 2016, 7:33 am
$
0
0

We use work folders with redirected folders but because our server is across the WAN for all our offices it can take a very long time to load so I have also mapped a Home Folder drive to the root of each of the users workfolders.

The problem is when the users roam between offices and log into other computers I do not want the work folders to start replicating.  I want the work folder/redirected folders to only work on their primary machine.

Is there a way to do this or would I have to create a separate policy for each user related to their specific machine?

Missing desktop folder after Redirecting desktop back to the clients

November 14, 2016, 8:05 am
$
0
0
I have SBS2011 and Windows 7 clients.  For a long time, my documents have been redirected to my server with no problem. Recently, I decided to redirect my desktops to the server as well.  To do this, I checked the desktop box on the server management console for Folder Redirection.  Unfortunately, this created problems with laptop clients when operating out of the office network. In an effort to redirect desktops back to the client machines, I left the redirection checkmark on the server console and edited the group policy for Folder Redirection for the Desktop folder.  I specified the location for the Desktop for my user group to %UserProfile%\Desktop (described as "Redirect to the local userprofile location").  However, the desktop folder is missing from the user profile on the client.  On the client, under Computer properties, Advanced System settings, User Profiles, the profile name is DOMAIN\UserName.  Under c:\Users, the user profile folder is named UserName.DOMAIN.  Does %UserProfile% properly point to C:\Users\UserName.DOMAIN profile folder?  How can I get my Desktop folder back, and properly situated in the C:\Users\UserName.DOMAIN profile folder?

Group Policy Services

November 22, 2016, 6:24 am
$
0
0

I'm running group policy from windows server 2012. Windows server 2012 does not have the service TABLETPCINPUT. as a result, all PCs (all running win7) in the domain are not able to have the tabletpcinput service run. I've changed it to auto and it repeatedly changes itself back to disabled when gpupdate /force, or logon occurs.

How can I work around this?

Ryan Piselli

Viewing all 19997 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>