Channel: Group Policy forum
Viewing all 19997 articles

Tools or Script to Reset Password Local admin From Domain (Bulk operation)


Dear Forum,

I would like to ask for your experience with resetting the local admin password on multiple computers using any tools or scripts. Currently we cannot reset the local password from GPO as it was disabled. Thanks.



Sokneang SAM


Link GPO to multiple OUs


Hello 

Can anyone tell me how to link multiple OUs to a single GPO? I have around 256 OUs.

Please assist

Aamir


NA

Trying to deploy Firefox in GPO and does not work, Can MSI be a problem?


I want to deploy Firefox from our Windows Server 2008 R2 but it does not work. My clients are Win7 and WinXP.

The result of gpresult /r tells me the particular policy is applied but the software does not get installed. I suspect it's the MSI. I picked the MSI from "frontmotio.com", which is not a silent install file. Does it matter?

Can I use software to make one?

Which one to use?

Thanks

Satnam

USB Storage Device Block Using GPO


Hello,

I have an issue with GPO which restricts access to USB storage devices.

Both the Forest and Domain functional levels of my domain are set to Server 2008 R2.

I have applied that GPO to all client computers. All clients applied the policy successfully and blocked USB storage device access, except Windows 10 computers. Windows 10 computers are able to access USB storage without any issue.

I have investigated a lot of things about this issue but didn't find any solution for it.

Do you have any idea for this issue?

Regards,

Thisaru Perera.

Group Policy Audit?


Hi all,

I am currently looking at an environment that has almost 1000 Group Policy Objects applied, and I need to understand what they do, which are still enabled but not being applied to any computer or user objects, and whether any settings are being duplicated.

Any good starting points to get the ball rolling would be a great help.

Thanks loads

GPP Printers


So I can see quite a few posts relating to this problem but not quite the specific issue we have.

I am mapping 2 printers from the same server using preferences under the User settings.

The first printer maps fine but the second printer gets an error which is access denied.

Both printers on the same server have the same security settings so why does one work and the other not?

This is driving me crazy and we are getting calls from users because they are not getting the second printer mapped.

Any ideas?

MMC keeps crashing when attempting to save a WMI


Hi all.

Every time I attempt to save a WMI I get the following:

I then click on 'Debug' and get this:

So basically I can't do anything!

This is what I find in the Application logs (Event id = 1000):

Faulting application name: mmc.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc808
Faulting module name: OLEAUT32.dll, version: 6.1.7601.17676, time stamp: 0x4e587ee8
Exception code: 0xc0000005
Fault offset: 0x000000000000984a
Faulting process id: 0x%9
Faulting application start time: 0x%10
Faulting application path: %11
Faulting module path: %12
Report Id: %13

Any help greatly appreciated! :-)

User targeted GPO settings do not apply on Windows 10 (1607) computers if computer is filtered


Hi

I just had a bad experience applying GPO settings to Users using Windows 10 (1607) computers.

The GPO contains ONLY settings in the USER Policies section. NOTHING in the Computer section.

The filtering shows only 2 USERS in Security Filtering section.

The GPO does not apply to those 2 USERS! Typing "GPRESULT -r" does not even list it anywhere.

- If I add the computer(s) to the filtering section, it applies.

- It applies also OK if the user uses Windows 7 or Windows Server 2012-R2 computers without the need to add those computers to the filtering section.

This behaviour is new to me. Any thoughts?

Thanks.



Thomas.



Can't Remove IE Maintenance settings from group policy

Dear Techies,

In group policy under IE Maintenance I configured some settings like home page and proxy settings etc. Now I have removed all settings from group policy and cleared everything, but I can still see the IE settings under group policy.

1)automatically detect settings                   Disabled
2)automatic browser configuration             Not configured.

Now the problem is that when I enter proxy settings in IE manually and restart the system, the proxy settings are emptied and I have to enter them again.

Please tell the procedure to remove IE Maintenance completely from group policy.

Can anybody please help me to solve this issue?

Thanks in advance for your valuable support.



Regards,
Phani Kumar .B

Computer applying printer GPO even though GPO is not assigned, any way to enable more logging?


I have a computer that appears to be processing a GPO that's adding printers. A gpresult doesn't show any computer or user policies with printers in it. It's almost like a cached old policy is processing? Is that even possible? Is there any way to enable additional logging so I can maybe catch a name of the policy or something? I don't really see anything too helpful in the event log GroupPolicy or Print Service section, except that group policy had an issue installing one of the printers... I even tried removing the computer from the domain and adding it back. When I do group policy modeling, I see no printers should be installed in the report.

Any ideas?

Thanks in advance!

Lock PC if user is locked out


Is there a GPO method of locking the PC down if a user is on and locks themselves out?

We have users who may work for a while even though they are locked out and certain services will cease to function.

I would like a method where if they lock themselves out it locks their PC and they would contact IT.

Question on creating a new Group Policy when the settings are known


I'm creating a process to use across multiple environments which will presumably be the same OS versions, possibly not.

What are best practices around creating a GPO if the settings are known like across multiple environments?

Some app support people favor copying previous files and going it that way.  Are there problems with this?

Create Local Admin User on Domain Computers through GPO

I know there are quite a few threads on this but most of what I have found are old. And in 2015 some user on here said Microsoft removed the ability to create or modify any Group Policy which contains a Group Policy Preference that specifies account credentials.

I have been looking for a newer thread on this as I have tried to add local admins through GPO but it has not worked. Is it still possible to add through GPO or do I need to run a script?

And if it is possible can someone please help me out.

Trying to disable Office update notifications in Shared Deployment on RDS server


Hello, With my shared deployment of Office 2016 on my RDS server my users are getting notifications in Outlook that there are updates available and gives them the option to install which on a heavily used server will hang it up.

I installed the Office ADMX template on my AD server and then set the policy under Updates to Hide. I then did a gpupdate /force and logged in as a standard user. The notifications still exist. I ran gpresult /r from the user's desktop and the policy was applied. I added the correct user groups and server into the section that the policy be applied to. Not sure what to do at this point. Any suggestions would be appreciated.




How to determine if old Group Policies apply from a server 2003 DC to an upgraded server 2012 r2


I am upgrading the domain controllers from server 2003 to server 2012 r2.

I am no GPO expert.

Wondering the best way to know if any GPO's defined are still working or if need updating or whether best to start clean?

I still have 1 2003 server that will remain running but it is a file server.

I have found a PowerShell script to write out all the GPOs in the domain but they don't make any sense to me except the new one I just implemented for mapping drives.

Any suggestions?

Thanks

Dominic


User level GPO


Hi All,

We have department wise OUs present in your domain.

Example : OU present is "AdminTeam" and all administration departments members are part of this OU. Only Users are part of this OU and not the computers used by users.

Now is it possible to apply the "Turn off AutoPlay" GPO on this OU, and will this get applied to computers used by members in this OU?

Likewise, can the below policies be applied at user level?

OS based Drive Encryption
Enable Hidden Files
Turn on File History
Turn off AutoPlay
Windows Firewall ON
Turn OFF UAC 
Enable DEP
Turn off Remote Assistance

-Atul


TheAtulA

Using 'Wired Network (IEEE 802.3) Policy' breaks group policy


Hello,

To accommodate Windows 10 with Credential Guard we want to create a new group policy that configures the Wired Network authentication to use PEAP with certificates on our W10 devices.

When I create this policy (Policies > Windows Settings > Wired Network Policies > Create a new wired network policy for Vista and later) things start to go wrong. After everything is configured and I check the Settings tab of the policy, nothing is shown in the overview as if there is no policy set. When adding another group policy setting in this same policy, like for example the Wired AutoConfig service to start automatically, then this does show up in the Settings overview.

After this new policy then replicated to all other DCs, things get worse. The policy is not shown anymore in the GP Management console but its GUID is still available in AD under System > Policies and in the SYSVOL folder. See screenshot below.

We have older wireless and wired network policies for our W7 devices that are working fine and my newly created wireless policy for W10 devices is also working fine. Also I can still create new policies without any problem as long as I don't touch the wired settings.

Anyone seen this behaviour before?




Startup script GPO fails to deploy


Hello everyone,

I've been bashing my head against an issue I've encountered at my new job as a sysadmin - I need to deploy an inventory software via GPO (OCSInventory). Going through the software's documentation, I prepared everything required (startup/logon script and executable), created the GPO and... nothing. Now, some overview: we have four domain controllers spread out across three sites (a site and a failed DC had to be decommissioned, which I did cleanly with dcpromo /forceremoval and metadata cleanup). AD is a mess inherited from someone else but I've verified that SYSVOL replication (DFS) is normal, DNS is configured and is working properly and accounts are set up correctly.

Workstations are Windows 7 Pro x64 SP1 fully updated. Servers are Windows Server 2008 R2 x64.

GPO: startup script at %SYSVOL%\-domain-\Policies\-GPO-\Machine\Scripts\Startup invokes a silent installation and connection to webserver of an executable that's located in the same folder as the scripts (per OCSInventory's instructions).

Synchronous deployment ("Always wait for network...") is Enabled. Gpresult shows that the GPO is applied and not filtered out but script doesn't run.

When I start a workstation, I get the following errors:

Log Name:      System
Source:        NETLOGON
Date:          1/30/2017 9:06:35 AM
Event ID:      5719
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      COMPUTER.DOMAIN.com
Description:
This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following: 
There are currently no logon servers available to service the logon request. 
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

ADDITIONAL INFO 
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">5719</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-01-30T07:06:35.000000000Z" />
    <EventRecordID>9446</EventRecordID>
    <Channel>System</Channel>
    <Computer>COMPUTER.DOMAIN.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>DOMAIN</Data>
    <Data>%%1311</Data>
    <Binary>5E0000C0</Binary>
  </EventData>
</Event>

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          1/30/2017 9:06:35 AM
Event ID:      1055
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      COMPUTER.DOMAIN.com
Description:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: 
a) Name Resolution failure on the current domain controller. 
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1055</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2017-01-30T07:06:35.656019900Z" />
    <EventRecordID>9513</EventRecordID>
    <Correlation ActivityID="{FED3F85B-CD89-45F8-917D-2178EAE88BF9}" />
    <Execution ProcessID="400" ThreadID="1188" />
    <Channel>System</Channel>
    <Computer>COMPUTER.DOMAIN.com</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">1</Data>
    <Data Name="SupportInfo2">2052</Data>
    <Data Name="ProcessingMode">1</Data>
    <Data Name="ProcessingTimeInMilliseconds">0</Data>
    <Data Name="ErrorCode">1355</Data>
    <Data Name="ErrorDescription">The specified domain either does not exist or could not be contacted. </Data>
  </EventData>
</Event>

Until last week the workstations also generated the following errors:

Log Name:      System
Source:        Microsoft-Windows-Time-Service
Date:          1/27/2017 3:02:26 PM
Event ID:      129
Task Category: None
Level:         Warning
Keywords:      
User:          LOCAL SERVICE
Computer:      COMPUTER.DOMAIN.com
Description:
NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Time-Service" Guid="{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}" />
    <EventID>129</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2017-01-27T13:02:26.589472000Z" />
    <EventRecordID>9375</EventRecordID>
    <Correlation />
    <Execution ProcessID="1008" ThreadID="2068" />
    <Channel>System</Channel>
    <Computer>COMPUTER.DOMAIN.com</Computer>
    <Security UserID="S-1-5-19" />
  </System>
  <EventData Name="TMP_EVENT_DOMAIN_PEER_DISCOVERY_ERROR">
    <Data Name="ErrorMessage">The entry is not found. (0x800706E1)</Data>
    <Data Name="RetryMinutes">3473457</Data>
  </EventData>
</Event>

I got this resolved after noticing that the main site DC1 was configured with the loopback address 127.0.0.1 ONLY in the DNS Servers in the IPv4 Network Adapter properties -> I added the other site DCs as DNS servers, although I left the loopback address as primary DNS as this is the only DC in the main site. I also had to reboot it to complete the removal of properties from the removed site/DC, and I haven't seen the Ntp errors recur (note that workstations are getting time properly).

Now here comes the weird part...

I booted some VMs on my workstation. One clean Windows 7 x64, one updated to SP1, one fully updated. ALL deployed the GPO. Ran gpresult /R and rsop.msc and the GPO is applied normally, no errors at all. The software is being installed at startup.

I also noticed that if I tested by disabling and enabling the GPO to a test group of PCs after they have booted up and connected to the network, they're not generating errors in the event logs. New settings from GPO are being applied.

This leads me to believe that the network adapters aren't starting fully or there are some networking issues that prevent the startup script from executing, as it takes time for the machines to log in and authenticate to the DC, but I am at a loss why.

Any ideas would be greatly appreciated...

AD : Hierarchy between USER GPO and COMPUTER GPO, for the same parameter


Hello,

I have the same parameter twice inside AD, at computer and user level.
What is the hierarchy?

Regards,

GPO : enable the USB mass Storage and USB DVD drive, for Admin only


Hello,
Do you know the name(s) of the GPO used to enable the USB Mass Storage (usb key and drive) and also the USB DVD drive (external)?
Regards
