Channel: Group Policy forum

Loopback for multiple policies


I thought I had a handle on loopback processing mode but now I'm starting to wonder. 

I have created a group policy using group policy preferences to map a network drive and set it at the domain level.  Works fine.

In a separate OU, I have two terminal servers.  I have created a couple of GPOs for various things (none having to do with Preferences) and have loopback replace mode enabled.  It was my understanding that since loopback replace is enabled for the terminal servers, any user that logs into the terminal servers will only have the GPOs applied that are applied to the OU that contains the terminal servers and all other GPOs - specifically the one that maps the drive - would be ignored.  In other words, I would expect that the drive mapping policy would not take place for users when logging into the terminal server.  But it does.  If I have three GPOs applied to the OU containing the terminal servers, do all of those GPOs have to have loopback enabled? 

Which brings up another question.  If loopback is enabled for an OU, what happens with the default domain policy etc?  Are all of those settings ignored too?

What am I missing?


Group Policy applying deleted policy object


Howdy guys n gals,

I'm having an issue at the moment where the settings from a deleted group policy object are still being applied. I will try to provide as much detail as I can below.

Domain / Forest Function level: Both Windows Server 2003

Server OS: Windows 2008 32 bit Standard

Clients: Windows 7 32 / 64 bit

GPO Applied directly to user container.

GPO Settings in question: User Config\Policies\Windows Settings\IE Maintenance\Connection\Proxy Settings

Alrighty, let's crack on. The issues started a few days ago when changes to the proxy exception list weren't being received by the client PCs. As part of my testing I removed the proxy settings completely from the policy. This was not reflected on the clients or through a GPResult on the clients.

Further, the changes were not reflected through a GPResult on the domain controller via GPMC.
My next step was to delete the GPO and re-apply the settings through a new GPO. Still no success!

So I ran GPResults again from client and GPMC, both showed the settings from the deleted GPO, however they were displayed as the UID of the GPO instead of the name.
I've checked the SYSVOL\Policies folder for any trace of the deleted GPO but there is nothing there so I can't delete that.

Lastly, if I run GP modelling with the same user, computer, OU and group membership, the deleted GPO does not show as an applied GPO and the settings appear correct, the reverse is true for a GPResult.

Is anyone able to advise on next steps for troubleshooting?

Apologies if I have missed relevant information or this has been asked/resolved previously.

Cheers,
Tim

Password Policy doesn't work


Hi all!

I have a really strange problem with password policies on my domain. The thing is like this: 

I have the default domain policy, which I have modified ("Password must meet complexity.." set to disabled), linked to the domain and enforced. Once I try to change a password on a workstation (W7) it says that the password doesn't meet complexity rules. Min password age set to 1 day, maximum to 180 days. Remember 2 last passwords. 

Servers are 2012 Standard, and all other policies work with no problems at all. I haven't tried fine-grained password policies, because I don't need them.

Gpresult Wizard "run with target user and workstation" says everything is OK and shows correct settings. Gpupdate was run a few times and the workstation was rebooted as well. It has never happened to me on 3 other domains...

Any ideas?

GPUpdate Over Microsoft VPN Returns Windows Can't Resolve User Or Computer Error


We are running a Windows 2008 Domain with Windows 7 Laptops that are primarily in the field.  We use the standard Windows VPN and have an ISA Server 2004 as a firewall.  The ISA Server is simply routing the traffic.  DHCP on the Windows 2008 Domain Controller handles IP addresses.

GPUpdate /Force runs fine if the laptops are on the network but when they access the network over the VPN (including if we use the DialUp Networking/PreLogin execution of the VPN) the GPUpdate /Force results in a failure due to Windows not being able to resolve the user name or computer name.  When we review the GPResults, the Sids are not translated into User Names or Computer Names on the report.  If we execute the same steps while on the internal network, User Names and Computer Names are reported accurately on the GPReport.

We have set RRAS to broadcast and reviewed every switch we can find from the client to the ISA Server to the Domain Controller.

What are we missing? 

Install and manage smtp


Hello,

I've a domain with two windows server 2008 which are dc.

In my domain I've mainly windows 7 x64 and windows xp.  My boss asked me whether it would be possible to control all the traffic of each pc controlling the NIC of  each PC.

This is why I'd like to install the SMTP service for each pc.

Can anybody tell me how I could create a GPO for installing and managing the SMTP for all the pcs of the domain? (I think SMTP is not installed by default on windows 7)

Thanks in advance.

Regards.

Manage Compatibility View for IE 8/9


Hi all,

I aim to force compatibility view only for particular websites hosted on my Intranet for my IE 8/9 clients.

To do this, I followed the solution explained here : http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/95c0b8e6-72b5-472f-a5cb-07b17a8294a1/.

The problem is the focus is on Top Level Domain, and I don't want the compatibility view to be applied for all the websites under the TLD.

Would you have a solution which allows me to set up a more accurate list of these websites?

Thanks. Best regards,


FXE

bginfo and RSOP


hello everyone

im using bginfo in our environment and thought it would be cool to have a list of applied GPOs as part of it but i cannot get it working the way i would like.

so... i created a custom field linking to the contents of a text file which contained the results of the query below

' List the name of each GPO recorded in the computer RSoP namespace
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\rsop\computer")
Set colItems = objWMIService.ExecQuery("Select * from RSOP_GPO")
For Each objItem in colItems
    Wscript.Echo objItem.Name
Next

then using this script at logon as  cscript /nologo rsop.vbs >rsop.txt

this is ugly as hell and was wondering if there was any easier way to capture the information. ideally i dont want all the crap that normally comes with gpresult etc just a list of the actual applied policies.

hopefully someone can suggest something as i reckon its a winner!

cheers all

Group policy does not work with fix IP (exclusion range)

Our DHCP server leases IP addresses to our workstations but there is one classroom that needs fix IP addresses to monitor our students. We have a group policy that prohibits our students to use cmd prompt. When the student logs on to the pc and gets an address from the DHCP server everything works fine. When the pc has a fix IP and is in the exclusion range of the DHCP server, the policy does not work and the student can use the cmd prompt. It also takes hours to log on to the machine. When there is no fix address you can log on easily. How can we fix this problem?

Office 2007 Trusted Locations - Environment Variables Workaround


Hi,

I seem to be in a catch 22 with trying to configure trusted locations for Office via GPO. Maybe someone can sanity check me? Let's take the example of Excel 2007.

Our client's environment is secure. In order to prevent users adding trusted locations themselves, the policy "Microsoft Office 2007 system/Security Settings/Trust Center/Allow mix of policy and user locations" is set to "Disabled". A few trusted locations are set as Trusted Location #1, #2 etc. Some are not on the local computer (e.g. intranet), so the policy "Microsoft Office Excel 2007/Excel Options/Security/Trust Center/Trusted Locations/All Trusted Locations not on the computer" is set to "Enabled".

It appears that our Office 2007 installation has the default trusted locations as defined in http://technet.microsoft.com/en-us/library/cc179075%28v=office.12%29.aspx. However, once "Allow mix of policy and user locations" is set to "Disabled" these appear to no longer be in trusted. First question - is this correct? If it is, then ok, I still want to trust these locations, so I will add them into the GPO as "Trusted Location #n" and so on. Now the problem, http://technet.microsoft.com/en-us/library/cc179039%28v=office.12%29.aspx#section1 says that environment variables cannot be used when specifying trusted locations in GPOs (only if set in OCT). Some of these previously default trusted locations are in the user's %APPDATA% location e.g. "%APPDATA%\Microsoft\Excel\XLSTART". Also, I want to add some new trusted locations that are also in user specific locations that call for the use of environment variables too. How do I work around this?

I've tried manipulating the registry keys for trusted locations on "HKCU\Software\Microsoft\Office\12.0\Excel\Security\Trusted Locations" but this does not seem to have any effect (perhaps no surprise as I think these keys are the ones that store the default Office trusted locations that the GPO now ignores).

Will giving the user rights to the relevant policy registry keys for trusted locations and manipulating these values in logon script to resolve %APPDATA% so that the resolved path can be written to the registry value work? Or maybe my sanity does indeed need checking!!!

I hope I've explained the issue clearly, and would welcome any thoughts and/or corrections.

Regards,

Nigel

Regional Settings on DCs & Clients across different physical & AD sites

GPO modeling shows logon script should be running but no record in gpresult on workstation


Hi guys,

Apologies if this has been covered somewhere and I have done a lot of forum trawling and tried various things with no joy.

I have a very simple batch file that copies a file from a server location to the user's desktop:-

copy /y \\blah\blah\file "%UserProfile%\Desktop"

All I want to do is get this running on a security group of people's machines.  I have created a GPO and copied the batch file in to the \\corp.blah.com\SysVol\corp.blah.com\Policies\{0084EDCC-FB44-4CAD-AA14-C9C0DDBECF53}\User\Scripts\Logon area and linked it to my OU, ensured all the delegation rights are good etc. and when running the modeling in my GPM it says the policy should be applied but when I log the user on to workstation and check my gpresult /r it doesn't even show up anywhere under applied or not applied GPOs.

I have ticked the always wait for network box and even tried setting a maximum wait time for Group Policy scripts in case it was a network issue but still nothing!

Any thoughts would be appreciated?

Many Thanks

John

PS permissions are not the issue for the file location as am testing it on my account which is domain admin


Modify single setting in a large policy to "not configured" for a subset of users without duplicating whole policy


Hi all,

We have a large "standard endpoint customization" GPO which among other things disables Auto Archive in Outlook.  It has come to light that a particular group of users now need Auto Archive enabled (that is to say, I want to set it as "not configured" and let the user change as appropriate) - but still need to enforce all the other settings in the customization policy.

My question:  How can I modify this (or any) setting to "Not Configured" and keep all other settings without unlinking and copying the original GPO and then linking the copied GPO and changing just the Auto Archive setting?  That would be messy because other changes to the customization policy would need to happen in 2 places rather than one..

Any thoughts?

Installing Adobe Reader on Networked machines


Hi,

Before I ask the question I want to say that I am an application developer and have very limited knowledge when it comes to support and servers.

My goal is to install Adobe Reader (essentially update) to all networked PCs remotely, so that I do not need to go around one-by-one to do the job as it will take for ever.  The reason I have to do it is because users can not install anything on their machines.

First step I took is to create the batch file which downloads and installs the Adobe.  This worked on my local machine when tested.  

My question now is how can I install Adobe for all users remotely?

Can my batch file be handy to do that?

Perhaps I need to create another procedure like an .exe file?

As you can guess I have very limited knowledge on this and will appreciate your help.

Thank you

Client side extension could not apply errors


Hi,

I have my default domain policy and I have modified this to add a drive mapping. On some servers, this modification works fine. On other servers, this modification does not work. I get the following errors:

the client side extension could not apply computer policy settings for default domain policy because it failed with error code the system cannot find the file specified

There are some numbers surrounded by percentages but omitted this.

The RPC services are running, I am logged in with a domain account. What is missing?

Thanks

"Fast link detected" warning in GP management console


Hello!

There is a message that is shown in every report I make in the Group Policy Results section of Group Policy Management Console, saying that "A fast link is detected". I followed the link in the warning, but after I read the page several times, I concluded that I can ignore the warning.

However, I noticed that the group policies are not applied when security filtering is used until "gpupdate /sync" is executed...

Is this related to the fast sync?

In general, can somebody explain me the consequences of fast links briefly?


WSUS GPO not working


I have set up a new WSUS server in my office.

I have also configured a GPO to push the WSUS policies to my workstations.

But it is not working because the WSUS policy is filtered out.

How do I enable it?

Audit policy between 3 domain controllers

Hello,

I have 3 domain controllers a part of one domain setup for synchronization.

I have a GPO setup to enforce audit policies so I can track user logons and such.

DC1 - audit policy is applied

DC2 - audit policy is applied

DC3 - all audit policies are not defined.

I am fairly new to AD and GPOs. Here is output of gpresults /v. Any help would be appreciated.

Thanks!

GPO Time Zones on 2008 Terminal Server


Hello all.  We have a 2003 Terminal Server and a 2008 Terminal Server.  I have a handful of users that are located in different Time Zones.  Some connect via Mac RDC and some via Windows RDP.  We have a Group Policy in place for Time Zone Redirection which adjusts the Time Zone in their session to what their local machine is set to.  It doesn't always work with the Mac clients.  No big deal, I just wrote a script to adjust their time zone and added it to their profiles individually.  This .bat file works great on the 2003 server, but changing the Time Zone is restricted on the 2008 server, for some reason.  I found the setting here: Group Policy Editor, Domain, Server Name, Computer Configuration, Policies, Windows Settings, Local Policies / User Rights Assignment, CHANGE TIME ZONE. 

I added the specific user I am testing with here.  This user STILL cannot change the Time Zone, which is what is preventing the script from working on this server.  Users do have access to the Control Panel and can open the Date and Time applet, but cannot make any changes.

I must be missing something, another policy, something.  Any help is appreciated.  Thank you in advance.

Block access to D drive for a user account, on certain pc's


I am helping out a local high school, that has no dedicated IT guy to fix their computer woes. They have 3 computer labs, with 60+ pc's running Xp Pro, and 1 server running Windows Server 2003 R2.

I don't have a lot of experience working with global policies, apart from what search and youtube has taught me.

The pc's are partitioned into 2 parts: C drive and D drive.
They want to restrict access to the D drive in LAB 2 for the student account.
But allow access to the D drive in  LAB 1 for the same student account.

I know how to block access to the D drive for ALL students, but the problem lies with restricting for ALL students, depending on which computer they are using. (LAB 1 vs LAB 2)

Is there a way to accomplish this?

Been reading up on Loopback policy but not sure I am using it right.

Security check and documentation


Hi,

We have WS2003 and 2008 DCs in our environment. I'd like to create a security healthcheck covering password policy, audit policy and access to events, compare our GPO security settings with best practices and finally create a document with our revision. I'll also include PowerShell scripts to count the number of "password never expires" settings, how many users have expired passwords (ex colleagues), etc. Questions:
- can I find somewhere a useful template for that, I mean what should I include in this kind of revision?
- what should be the official baseline from Microsoft (Security Compliance Manager or?) regarding suggested values of settings?
- which AD attributes should I include in PowerShell scripts?
- please advise what else is useful, ideas, documents, templates, ...

Thnx!
