Channel: Group Policy forum

Add read only exceptions to GPO that blocks USB devices that already has exceptions


I have a GPO that blocks all USB devices with a group filled with users that are exceptions.

The way I set it up:

1. Create GPO named Block USB Devices.

2. Link to OU where all the users are located in. (Not the default users OU.)

3. Security Filtering is set to Authenticated Users.

4. Added the USB-Exceptions group to the Delegation tab and set Apply group policy to deny.

This works great but now they want another group of users that have read only access to USB devices so they can copy from the device to the machine but not vice versa.

How do I set this up so that it doesn't conflict with the first GPO?

Any assistance is greatly appreciated.

Thank you!


Domain Controllers have two different sysvol locations


I have two domain controllers one running windows 2008 R2 and another running Windows server standard service pack 2. The AD running windows 2008 R2 has its sysvol on drive S while the other AD has its sysvol on drive C. 

Recently one of our AD restarted and we are no longer able to edit GP on the Windows 2008 R2 DC. Most of the computers are also not picking up the policies applied on the Windows 2008 DC.

I am able to edit and view policies on the windows standard server.

Can anyone please guide on how to get these two DC's to replicate from the same folder.

Time on Server at DMZ Zone


hi

We have 3 servers in the DMZ, and those servers are not connected to the internet. They are VM machines hosted on ESXi.

All of them use Server 2012 as the OS.

My problem here is that the time on the servers keeps changing every day, and they are joined to the domain to get time from the DC.

I tried many things:

w32tm source command, changing the time from ESXi, removing VM tools, disabling the time service,

but always with the same result after query: source is local clock

Can anyone help? I hope I made myself clear.


Osma Othman

Hosted application stopped creating user profiles


We have SAS 9.4 installed on several Windows 2008 R2 servers. One of the servers acts as the web/app server that serves the SAS client; the rest of the servers act as the "compute" servers where the SAS jobs run. When functioning normally, when a new user runs SAS for the first time, their %userprofile% is created on whichever compute node they connect to. That has just stopped happening and they now get an error that they have insufficient permissions to create c:\users\<userid>\.images.

We have two environments, staging and production.  This has stopped working in production, but still works in staging, yet I have not been able to identify what has changed.  I can delete a user profile in staging, log them into SAS, and their %userprofile% is created on the staging servers.  Not so in production.  The SAS services are run as a service account and that service account is trusted for delegation; that same service account is in the Administrator group on all the servers.  All servers are on the same domain, and according to our server admins, they all have the same group policy assigned.  They also say that nothing has changed, but that cannot be the case since this was working fine prior to ~10/17.

Does anyone have any ideas as to where I can look for security or policy settings that would affect this?

TIA.

How to use Group policy to control autodiscover

All users in our organization are using Outlook 2010 and Outlook 2013, and we would like to disable SCP lookup for autodiscover. Please kindly share the information with us.

How to write a PowerShell script to disable group policy under Computer configuration.


Hi,

How to write a PowerShell script to disable "Always Prompt for Password upon Connect" under "Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security" and force a gpupdate.

regards

Somaraj

How would I force an "Applications and Services Log" to be enabled via GPO?

Okay, so my scenario is that I found out in 2012 R2 there is a new way of logging DNS client requests in Event Viewer, and I'm hoping to collect DNS requests from a bunch of Domain Controllers via Event Forwarding.  I'm familiar with Event forwarding so that's not a problem, but I wasn't sure how to force the settings for one of the entries in the "Applications and Services logs" in Event Viewer through GPO.  Has anyone done this before?  I'm assuming we're probably looking at GP Preferences and not GPO right?

Start and stop services on a remote machine


I installed the GPO role to a member server where the software I need to control the services is, so that I could get the correct services into a group policy.  It all seemed to work.  I assigned the user Allow - Read and Allow - Start, Stop, Pause and continue rights.

The GPO is then applied to the OU that houses many member servers, however the security filtering is set so that it's applied to only the one server.  Server has been rebooted.

GPResult shows it as an applied (computer) policy object.

The user does not log into the server.  He opens the services mmc locally, and then tries to connect to the remote machine, which results in an access denied error.  I know the rights are correct for the services themselves, and he should be able to restart the services, but he needs to be able to get into the services snapin first.  Did I miss something with rights that would enable the snapin to be opened?


Restrict access to proxy settings in Firefox

I'm trying to restrict access via group policy to our users from changing the proxy settings. We are currently using Squid, so we don't want users removing the proxy settings. I've managed to get it restricted in IE, but having some difficulty in Firefox. Has anybody come across any issues with Firefox?

Desktop Wallpaper Group Policy doesn't work for Win 10 clients


Hi,
I have Win 7 computers that are now being upgraded to Win 10.
I have installed Win 10 on some PCs. We have a GPO (domain controller is Windows Server 2008 R2) to set the desktop wallpaper of client PCs. (We keep replacing the .bmp file for the wallpaper which is used by that GPO, so the wallpaper changes on client PCs by GPO.)

A Win 7 PC gets the wallpaper as it logs in to the network. I change the wallpaper in the GPO, and Win 7 gets the updated wallpaper on next logon.
However, a Win 10 client gets the wallpaper only on first logon (when a user logs in for the first time to a PC) and then it never changes. That means the GPO is applied only on first logon on a Win 10 client.
If I delete the user profile from the Win 10 PC and then log in with the same user, it gets the updated wallpaper, and then the same thing: it never changes.
Are there any changes in the Win 10 logon script compared to Win 7? What could be the issue?
Please help!!
Thanks!


GPO Preference Shortcuts "Remove this item when it is no longer applied" behavior issues (0x80070002)


Greetings!

The problem:
GPO-pushed "%UserProfile%\Desktop" shortcut disappears when executed, Event Viewer indicates a 0x80070002 error. Program does launch. This problem prevents the user from launching the program again, or in some cases we have received reports that the shortcut disappears before they're able to double-click on the shortcut.

Error in Event Viewer:
"
The computer '<Name> preference item in the '<Policy> {GUID}' Group Policy object did not apply because it failed with error code '0x80070002 The system cannot find the file specified.' This error was suppressed.
"

Technical information about GPO setup:
We have a GPO that applies User Configuration only, linked to contoso.local (root), and has Authenticated Users in the security filtering. The only setting in this GPO, for testing purposes, is a Shortcut GPO Preference with this configuration:

"
Action: Replace 
Target type: File system object 
Shortcut path: %DesktopDir%\Program Launcher GPO
Target path: Z:\program.exe 
Arguments: Z:\program.exe 
Start in: Z:\
Icon path: \\contoso.local\netlogon\program.ico 
Icon index: 0 (default)
Shortcut key: None (default)
Comment: Program launcher
Run: Normal window (default)

Stop processing items on this extension if an error occurs on this item: No (default)
Run in logged-on user's security context (user policy option): Yes (default)
Remove this item when it is no longer applied: Yes (sets Action to Replace if 'Yes')
Apply once and do not reapply: No (default)
"

The Target path and Arguments fields are correct. For whatever reason, the program must be launched as "Z:\program.exe Z:\program.exe" to fix certain problems (which can also be negated via Program Compatibility set to Windows XP SP3 mode).

Z:\ is a mapped network drive and does exist and is accessible when the symptom of the problem is experienced. The user is able to go to Z:\ and manually launch program.exe.

Public Key Policies settings issue


I have a GPO I am trying to clean up configurations on; it has the following set (below). When I go into the GPEditor to edit it (both Win 7 templates and Windows 2012 R2 templates) these areas are blank/empty. My MMC on Windows 7 shows these settings but my Windows 2012 R2 does not... And I cannot set them.

I went into the public key policies path and looked at the 3 certificate settings and none of them are configured in Windows 2012 R2 (and Windows 7 MMC)... Do I need to reconfigure the "certificate path validation settings"?


GPO not applying: Access Denied (Security Filtering)

Windows Server 2012 R2 Domain with users logging into a Windows Server 2008 R2 terminal server:

I've got a simple User GPP which implements a registry edit on the Windows 2008 machine. The registry edit has Item Level Targeting enabled which targets the Windows Server 2008 computer specifically, using its DNS name (computer.domain.com).

In security filtering it is restricted to only a single user group some.users. I've checked the Delegation tab and some.users has both Read access and Apply Group Policy. I have also added Domain Computer with Read access to the permissions list.

When I run "gpresult /user:specific.user /h gpresult.html" I am receiving an "Access denied (Security Filtering)" error. Inexplicably, when I also check the applied group membership in gpresult.html, it is showing domain\some.users.

I'm really stuck here, as gpresult shows specific.user as belonging to some.users group, and some.users has Read and Apply access in Security Filtering, so why is it getting denied?

I even tried creating a brand new test.user and test.group and changing the Security Filtering to apply ONLY to test.group, and the policy applied successfully when I logged in as test.user! But when I change it back to some.users, it starts getting denied again if I log in as specific.user. :(

IE proxy server setting checked automatically when user connects to work network and unchecked proxy server setting from IE when disconnect from work network


Hi,

If anyone knows how to have the IE proxy server setting checked automatically when a user's laptop connects to the work network, and unchecked in IE when the user disconnects from the work network,

please update.

Standard Domain controller Administrator policy


Hi Guys,

Recently we built a new forest domain environment. We need to verify what standard policy we can apply to Domain Admins accounts.

Kindly help me to identify and enable NT 4.0 crypto: the benefits and impact, and what actions have to be taken care of for it to run smoothly.

NT 4.0 Crypto Enabled on Domain Controllers (AD RAP)
Identify Actions / Changes

Identify impact to domain structure / environment

Thanks,

Mahantesh 

 


GPO sync problems between 2 domain controllers.


Is there someone who can help me to resolve this?  All of a sudden this stopped working.

The new DC is a 2012 R2 and the old DC is a 2008.

Can I set the clients to look only at the new DC? So that I can disable the old DC.

Then the sync isn't necessary.

Thanks


Rename GPO all group policy has stopped working


Hello all,

As I'm doing some testing before going live in my company, I'm creating some GPOs, but when I changed the name of one GPO concerning some icons for the accounting department and applied the command GPOupdate /force on the server, all the GPOs stopped working. And when logging in with an accountant user I can see the newly added GPOs are not working.

Can someone please help and tell me how to resolve this issue?

Regards,

Default Domain Policy Error


Good afternoon,

We are seeing an issue on our network where the default domain gpo is not applying.

I looked in the event log and see the following after every reboot.

The client-side extension could not apply user policy settings for 'Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}' because it failed with error code '0x80070003 The system cannot find the path specified.' See trace file for more details.

I have done a bunch of basic troubleshooting - dns is good, all dc's are replicating to each other

Our setup is 4 domain controllers, one server 2008 holds all the roles, and 3 2008 r2 boxes as backup.

Workstations are all Windows 7.

I've tried reading on the internet about this error but I don't understand enough to try to troubleshoot.

I'm hoping someone might be willing to help out here.

Thanks for any advice.

Sean

Windows Event Log Collection best practices


Is there a best practice document / article / Kb to allow us to configure large scale windows event log collection subscriptions over multiple collectors?


Where is hotfix for Win 10 like KB2917033 (Fix to use local ADMX files)


I have a Server 2008 r2 environment and am still testing Windows 10 client upgrades.  I want to create new GPOs for my Win 10 test clients but I am still hesitant to overwrite my central store with the new Windows 10 ADMX files as I will much more often have the need to edit Windows 7 settings in my GPO's.

I found hotfix KB2917033 located here:

https://support.microsoft.com/en-us/kb/2917033

Which allows for the use of local ADMX files, overriding the Central Store, when editing GPOs. This applies only to Windows 8 or Windows 7/2008r2.  I downloaded the Windows 8 version thinking it may work, but it knows I am on Windows 10 and will not let me install.

Question: Is there/Will there be a hotfix for Windows 10 clients to allow the use of their local ADMX files to edit GPOs in Group Policy Management?
