Channel: Group Policy forum

Error with svchost.exe_gpsvc with module auditcse.dll after updating the Advanced Audit Policy

Hi,

I was updating the Advanced Audit Policy "Object Access\Audit Removable Storage" using the Local Group Policy Editor.

After changing the policy, I did a restart of the server and it was working initially. After a few days, I was getting the following error message on the server. 

---------------------------------------------------------------

Faulting application name: svchost.exe_gpsvc, version: 6.2.9200.16384, time stamp: 0x50108897
Faulting module name: auditcse.dll, version: 6.2.9200.16384, time stamp: 0x50109c99
Exception code: 0xc0000005
Fault offset: 0x0000000000012b19
Faulting process id: 0x5024
Faulting application start time: 0x01d25b6ae51f1b51
Faulting application path: C:\Windows\system32\svchost.exe
Faulting module path: C:\Windows\system32\auditcse.dll
Report Id: 239d169f-c75e-11e6-9424-0050568923b4
Faulting package full name: 
Faulting package-relative application ID: 

---------------------------------------------------------------

This error will also occur when I do a "gpupdate", which will bring down a lot of services. Below are the services:

  1. Server
  2. IP Helper
  3. Shell Hardware Detection
  4. Task Scheduler
  5. Themes
  6. User Profile Service

This Server is running on Windows Server 2012 and is joined to a domain.

If I did a restart of the affected server, I will get a "Failure to connect to Group Policy Client Services" message.

Please help. Thanks


USB Storage Device Block Using GPO

Hello,

I have an issue with GPO which restricts access to USB storage devices.

My domain's both Forest and Domain functional levels are set to Server 2008 R2.

I have applied that GPO to all client computers. All clients are applied the policy successfully and blocked the USB storage device access except Windows 10 computers. Windows 10 computers are able to access USB storage without any issue.

I have investigated a lot of things about this issue but didn't find any solution for this.

Do you have any idea for this issue?

Regards,

Thisaru Perera.

I have a GPO viewing/applying/replication issue and I cannot find a solution match for my issue

I need some help along these lines but I am not sure exactly what is going on. I have a lot of custom GPOs that I cannot lose and need to recover. We had some kind of catastrophic failure that caused the DCs to enter AD recovery mode. I was gone over the weekend and another administrator recovered one of the DCs, built another, and demoted the other. Everything seems to work fine now except group policy. I am very knowledgeable in AD but for the life of me, I cannot find a way to fix this. Here are the details:

MSP-DC00 - Windows Server 2008R2 Standard

MSP-DC01 - Windows Server 2008R2 Standard 

MSP-DC02 - Windows Server 2012R2 Standard

DC00 was the FSMO and all of the other roles holder.  The other administrator demoted DC01, built DC02 and transferred all roles.

DCDIAG on both servers shows:

        * The current DC is not in the domain controller's OU

        ......................... MSP-DC00 failed test MachineAccount

        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

            Replicating Directory Changes In Filtered Set
        access rights for the naming context:

        DC=ForestDnsZones,DC=analytics,DC=local
        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

            Replicating Directory Changes In Filtered Set
        access rights for the naming context:

        DC=DomainDnsZones,DC=analytics,DC=local
        ......................... MSP-DC00 failed test NCSecDesc

        Unable to connect to the NETLOGON share! (\\MSP-DC00\netlogon)

        [MSP-DC00] An net use or LsaPolicy operation failed with error 67,

        The network name cannot be found..

        ......................... MSP-DC00 failed test NetLogons

The new DC02 also shows:

Several of these:

        An error event occurred. EventID: 0x00000422

            Time Generated: 01/26/2017 11:45:12

            Event String:

            The processing of Group Policy failed. Windows attempted to read the file \\analytics.local\sysvol\analytics.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:


        ......................... MSP-DC02 failed test SystemLog

I can also provide screenshots of the error when I try to expand the settings within each GPO.  Any help is appreciated!

Disable USB suspend setting via GPO

We have a server 2012 R2 domain which already has a GPO to deploy the power policy. The plan is set to active yet there are no USB settings for power. I need to disable selective USB suspend as there are USB devices that need to be on all the time yet I cannot figure out how to do so. 

Then I tried going to one of the computer to see if I could turn it off locally and it's grayed out. How can I disable this preferably via GPO?

I tried creating a reg key locally on that PC with the following info but that did not work

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  3. On the Edit menu, point to New, and then click Key.
  4. Type USB for the name of the subkey, and then press ENTER.
  5. Click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USB
  6. On the Edit menu, point to New, and then click DWORD Value.
  7. Type DisableSelectiveSuspend for the name of the DWORD, and then press ENTER.
  8. Right-click DisableSelectiveSuspend, and then click Modify.
  9. In the Value data box, type 1, and then click OK.
  10. Exit Registry Editor.

Edge Kiosk settings

I have IE kiosk(s) working perfect now I have a site that requires Edge, I thought it would be simple :-/

Can you help me set edge to auto launch webpage in kiosk mode please?

How to set SparseExclusionList in Group Policy?

Hi

Can anyone tell me how to set SparseExclusionList using Group Policy please?

I tried GPO setting "Files not cached" but it creates a RegKey named "ExcludeExtension" which does not fix our issue with .tmp files and Offline File sync conflict. Only SparseExclusionList works.

DC -> Win2008R2
Client -> Win7 SP1 Enterprise

WMI filter file name in two paths

How to restore a deleted GPO

Hi Team,

I have a query mentioned below, kindly provide your valuable suggestions.

I have 2 DCs in my environment running on 2008. Accidentally I deleted one GPO. Could you please suggest me to restore the deleted GPO instead of restoring complete AD?

Thank you in advance.


Regards Sajin P S


Restricted Groups problem - modifying too broadly

Hello,

I have a problem with Restricted Groups GPO setting. I have created a GPO setting for an OU of computers in the domain. Even though I understood from several posts that if I define the GPO in the "This group is a member of" setting, this would add the group, this does not happen - the other users have been wiped and only the group added. OK, I can manage this and is not such a problem.

Here is the problem: I have been modifying the local Administrators group. The Administrators group now also gets wiped on servers, which means that the only user left in there is the local Administrator account, effectively kicking the domain admin out of the system! Of course the above policy does not apply to the servers so that the Domain Admin is not added and I am getting locked out of domain servers.

What am I missing, what am I doing wrong and how can I get rid of the Restricted Groups setting altogether without it messing up all the rights again?

Startup script GPO fails to deploy

Hello everyone,

I've been bashing my head against an issue I've encountered at my new job as a sysadmin - I need to deploy an inventory software via GPO (OCSInventory). Going through the software's documentation, I prepared everything required (startup/logon script and executable), created the GPO and... nothing. Now, some overview: we have four domain controllers spread out across three sites (a site and a failed DC had to be decommissioned, which I did cleanly with dcpromo /forceremoval and metadata cleanup). AD is a mess inherited from someone else but I've verified that SYSVOL replication (DFS) is normal, DNS is configured and is working properly and accounts are set up correctly.

Workstations are Windows 7 Pro x64 SP1 fully updated. Servers are Windows Server 2008 R2 x64.

GPO: startup script at %SYSVOL%\-domain-\Policies\-GPO-\Machine\Scripts\Startup invokes a silent installation and connection to webserver of an executable that's located in the same folder as the scripts (per OCSInventory's instructions).

Synchronous deployment ("Always wait for network...") is Enabled. Gpresult shows that the GPO is applied and not filtered out but script doesn't run.

When I start a workstation, I get the following errors:

Log Name:      System
Source:        NETLOGON
Date:          1/30/2017 9:06:35 AM
Event ID:      5719
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      COMPUTER.DOMAIN.com
Description:
This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following: 
There are currently no logon servers available to service the logon request. 
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

ADDITIONAL INFO 
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">5719</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-01-30T07:06:35.000000000Z" />
    <EventRecordID>9446</EventRecordID>
    <Channel>System</Channel>
    <Computer>COMPUTER.DOMAIN.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>DOMAIN</Data>
    <Data>%%1311</Data>
    <Binary>5E0000C0</Binary>
  </EventData>
</Event>

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          1/30/2017 9:06:35 AM
Event ID:      1055
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      COMPUTER.DOMAIN.com
Description:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: 
a) Name Resolution failure on the current domain controller. 
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1055</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2017-01-30T07:06:35.656019900Z" />
    <EventRecordID>9513</EventRecordID>
    <Correlation ActivityID="{FED3F85B-CD89-45F8-917D-2178EAE88BF9}" />
    <Execution ProcessID="400" ThreadID="1188" />
    <Channel>System</Channel>
    <Computer>COMPUTER.DOMAIN.com</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">1</Data>
    <Data Name="SupportInfo2">2052</Data>
    <Data Name="ProcessingMode">1</Data>
    <Data Name="ProcessingTimeInMilliseconds">0</Data>
    <Data Name="ErrorCode">1355</Data>
    <Data Name="ErrorDescription">The specified domain either does not exist or could not be contacted. </Data>
  </EventData>
</Event>

Until last week the workstations also generated the following errors:

Log Name:      System
Source:        Microsoft-Windows-Time-Service
Date:          1/27/2017 3:02:26 PM
Event ID:      129
Task Category: None
Level:         Warning
Keywords:      
User:          LOCAL SERVICE
Computer:      COMPUTER.DOMAIN.com
Description:
NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Time-Service" Guid="{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}" />
    <EventID>129</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2017-01-27T13:02:26.589472000Z" />
    <EventRecordID>9375</EventRecordID>
    <Correlation />
    <Execution ProcessID="1008" ThreadID="2068" />
    <Channel>System</Channel>
    <Computer>COMPUTER.DOMAIN.com</Computer>
    <Security UserID="S-1-5-19" />
  </System>
  <EventData Name="TMP_EVENT_DOMAIN_PEER_DISCOVERY_ERROR">
    <Data Name="ErrorMessage">The entry is not found. (0x800706E1)</Data>
    <Data Name="RetryMinutes">3473457</Data>
  </EventData>
</Event>

I got this resolved after noticing that the main site DC1 was configured with the loopback address 127.0.0.1 ONLY in the DNS Servers in the IPv4 Network Adapter properties -> I added the other site DCs as DNS servers, although I left the loopback address as primary DNS as this is the only DC in the main site. I also had to reboot it to complete the removal of properties from the removed site/DC, and I haven't seen the Ntp errors recur (note that workstations are getting time properly).

Now here comes the weird part...

I booted some VMs on my workstation. One clean Windows 7 x64, one updated to SP1, one fully updated. ALL deployed the GPO. Ran gpresult /R and rsop.msc and the GPO is applied normally, no errors at all. The software is being installed at startup.

I also noticed that if I tested by disabling and enabling the GPO to a test group of PCs after they have booted up and connected to the network, they're not generating errors in the event logs. New settings from GPO are being applied.

This leads me to believe that the network adapters aren't starting fully or there are some networking issues that prevent the startup script from executing, as it takes time for the machines to login and authenticate to the DC but I am at a loss why.

Any ideas would be greatly appreciated...

WindowsServer2008R2...GroupPolicy...xlsx supported on question

So, this is probably a simple question but I'm not sure of the answer and do not want to screw myself over.

 

In the WindowsServer2008R2AndWindows7GroupPolicySettings.xlsx, I'm looking at Enforce password history in the Security tab, for "Supported On" it states "Windows XP SP2, Windows Server 2003" am I right to assume this means anything above XP SP2 and Server 2003 will support the policy? Is the Supported On column simply a minimum requirement to support on?

 

Sorry for the question, but like I said, I don't want to screw myself over by making wrong assumptions.

 

Thanks,

 

Huascar

Trying to disable Office update notifications in Shared Deployment on RDS server

Hello, With my shared deployment of Office 2016 on my RDS server my users are getting notifications in Outlook that there are updates available and gives them the option to install which on a heavily used server will hang it up.

I installed the Office ADMX template on my AD server and then set the policy under Updates to Hide. I then did a gpupdate /force and logged in as a standard user. The notifications still exist. I ran gpresult /r from the user's desktop and the policy was applied. I added the correct user groups and server into the section that the policy be applied to. Not sure what to do at this point. Any suggestions would be appreciated




Computers not applying Group Policy

I have an issue that is pretty strange. I have created a new GPO that runs a startup script and has been in place for a couple days now. All computers show that the policy was applied when using the gpresult /v /scope computer command. However the script does not actually run at startup. I have other computers in the same domain that run the script just fine. But these computers reside in a different site though. Not sure why but when running Group Policy Results on the DC in the site where the script does not run I get an alert that says..

"AD / SYSVOL Version Mismatch,Inaccessible, Empty or Disabled,Enforced"

When I run the same Group Policy Results on the DC in the site where the scripts do run I get the alert message...
"AD / SYSVOL Version Mismatch,Enforced"

Any ideas on what is going on?

Thanks!


Chad Guiney

Lock PC if user is locked out

Is there a GPO method of locking the PC down if a user is on and locks themselves out?

We have users who may work for a while even though they are locked out and certain services will cease to function.

I would like a method where if they lock themselves out it locks their PC and they would contact IT

Outlook 2010 GPO options

I am trying to use a GPO to set the Outlook Anywhere configuration for our Outlook 2010 users (around 95% of the user base). I know the only setting available in a GPO by default is whether Outlook Anywhere is visible or not. I have downloaded the template to allow me to go into more depth as recommended here but despite having added this and it saying it is there I cannot see the 4 new options it is supposed to provide. The file I downloaded is from the Microsoft Download site and it is accepted when I right click Administrative Templates and select Add templates.

I also downloaded a newer version, with admx files, these are not even seen when I try to add them as new templates.

How can I get these options to appear?


Force logoff Policy 2 hours of Idle

I have researched this issue in the past but have not found a solution that fits my needs.

I would like to apply a GPO that will logoff all users from a PC in our classroom after two hours of inactivity (idle) however this force logoff can ONLY affect the user if they logged into our classroom computers that are in their own specific OU "Classroom Computers OU"

All of my users are in a single User OU (I did not set this up and I am not allowed to change this). 

Is there a way to configure this?

The clients are running Windows 7 and the DC is WS2012r2

Disable Offline feature for a single folder and User need to Activate other folders for offline available

Hi,

I have used group policy which will disable all the offline features.

GPO-->Computer Configuration-->Policies-->Administrative Templates-->Network->Offline Files.

Disabled the Option : Allow or disallow use of Offline Files Feature.

This setting is disabling all the offline files but users are not able to Activate other folders for offline availability.

Requirement:

Disable the offline file feature only for a single folder and User can activate offline available option for other folders.


Sugandh

Create new local admin and set password

So we were using a GPO to disable the existing local administrator on scoped servers then create a new local admin with password and add it to the local administrators group.

Since we created that GPO, Microsoft have released a security patch to stop the password being modified in any way so this method is no longer usable for us (https://support.microsoft.com/en-au/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13,-2014)

I'm having a tough time trying to find a method to recreate the steps I was actioning in the GPO without going down the path of paying for a solution and was wondering if I have missed something?

Windows server 2003, 2008, 2012 clients.


| +-- JDMils |

list all GPO's per container/OU

Is it possible to document all GPO's linked (linked group policy objects tab in group policy management console) to all containers/OU's in your domain, as well as delegation tab and group policy inheritance tab. Without having to check each manually. I was hoping for some form of command or free tool that will document it in one go for an entire domain, and show all the linked GPO/delegations and inheritance order for each OU/container.

how to enable computer configuration

any one plz help  me  how to enable computer configuration for non-administrators gp
