I've deployed a few 2012 Servers using the same Group Policies that I have been using on our 2008 R2 SP1 servers for Windows Update. On the 2008 R2 SP1 servers the boxes install updates at 2:00am and restart. The 2012 servers install the updates at 3:00am and display a prompt that they will restart in a couple days. It is now 14 days later and they still have not rebooted. This is the only Group Policy applied to the OU these servers are in. When looking at the UI for Windows Update > Change Settings, it says "Some settings are managed by your system administrator" but you cannot see the details like you used to so I know that Group Policy is at least trying to control Windows Update. I've looked in the registry on the 2012 servers and the Group Policy settings are there but not all of them appear to be working. Why is this occurring and what do I need to do to fix it? Thanks.
Server 2012 Windows Update Group Policy
Cannot query DllName registry entry
Hi,
Our XP PC seems to be having a Winlogon application error that is related to the following:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\]{7B849a69-220F-451E-B3FE-2CB811AF94AE} = Internet Explorer User Accelerators
{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} = Internet Explorer Machine Accelerators
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1085
Date: 4/6/2013
Time: 8:39:57 AM
User: NT AUTHORITY\SYSTEM
Computer:
Description:
The Group Policy client-side extension Internet Explorer Zonemapping failed to execute. Please look for any errors reported earlier by that extension.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
If the XP PC has the link to the IE policy enabled, it will register "cannot query DllName registry entry" in the event log. This happens after some update to the policy.
On userenv>>
USERENV(3e8.3ec) 10:35:56:437 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3e8.3ec) 10:35:56:437 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3e8.eb8) 10:36:41:234 ProcessGPOs: Extension Internet Explorer Zonemapping ProcessGroupPolicy failed, status 0x57.
On rsop>>
Saturday, April 06, 2013 11:57:15 AM
Note: This component only reports overall status information. It does not report information about its individual policy settings; consequently, those settings will not appear in this tool. Please contact the vendor of this component to check if an updated version is available.
Internet Explorer Zonemapping failed due to the error listed below.
The parameter is incorrect.
But it is not an issue on a Windows 7 PC.
Any Dangers To Group Policy Management Console Template Modifications?
Besides those coming directly from Microsoft such as templates adding support for Microsoft Office customizations, new versions of IE etc, there are also templates from third party vendors or even templates manually created by hand for some kind of custom configuration options.
Are there any dangers to installing these? Suppose someone creates one themselves and imports their template that contains syntax errors in the template file or for some reason it just does not import "properly?"
How risky are these templates?
RICOH Printing Preference failed to deploy through Group Policy
At Print Management, the required Printing Preference has been set at both Set Printing Defaults and Properties, e.g., black and white A4 as the first priority and color A4 as the second. However, both of them do not appear at client PCs and there are RICOH default settings only.
On the other hand, I have tried to have the shared printer manually by double clicking the server's shared printer at client PC. The result is the same.
I have called RICOH's support. They replied that it is beyond their specialist and it must be solved by Microsoft specialist.
Please help! It is urgent!
Display warning message at logon screen by using GPO
Hi,
I'm trying to show a warning message to the users before they log on to Windows 7. I used the Server 2008r2 GPO "Computer Policy->Windows Setting->Local Policies->Security Option". I was able to create the message but it shows like the following:
I want to know if there is any way I can position and re-size the words?
Thanks.
Stop user access to control panel
I've come across students who are copying the control panel shortcuts from somewhere onto a second drive on domain computers.
If they click on one of the copied shortcuts it opens up the corresponding control panel applet. Very annoying.
Even though the only access they have to control panel is through mobsync, copied shortcuts ignore the group policy as the policy says "hide", not "stop".
Is there a way to stop users accessing control panel applets, except for the approved one?
win server 2008 r2 OU structure
Hello, how can one describe an Organizational Unit design?
Let's say it's for a business with offices at three different locations (within the same country), how can I set that up?
I would appreciate answers, and if you feel it's a lot to explain, I would be glad if you could point me in some direction on where to read about it (an easy read!)
thanks.
GPO to delete Temporary Internet Files Not working
I have set the setting in both computer and user policies "Empty Temporary Internet Files folder when browser is closed"
gpresults shows the policy applied, but it does not appear that temp files are being deleted. I'm not sure how to verify this because I don't think the box that says "delete all browsing history on exit" should be checked since I don't want to delete everything. I don't see any check box on IE 8 that matches the verbiage in the GPMC.
Note: I do not want to delete "all browsing history" or cookies or passwords. I only want to specifically delete temporary Internet files when the browser is closed.
The computers are Windows 7 64-bit with IE 8.
What needs to be done to get this to work as expected?
GPO screensaver issue
I need help with the following. Kind of new to scripting and GPO's.
I created a package via SCCM Console. Devices receive the package with a .scr file. I want to use PSExec tool to push out the change.
How can I go about this?
@echo off
"START%/systemroot%\system32\*.scr /s"
"exit"
Pre-create Documents folder on network share
Hello,
I must migrate 500 users' Documents folders from SERVER1 to SERVER2.
Documents folder is redirected with GPO to \\SERVER1\Users\%username%. Offline files and synchronization is also enabled with GPO.
Active Directory Homefolder is configured to \\SERVER1\Users\%username%
Documents folder exists as a subfolder of users homefolder.
Total user data amount on SERVER1 is about 4 terabytes.
My question is:
I'm planning to retain same folder structure on SERVER2. I would like to use robocopy to copy Documents folders instead of using option to "Move the contents of Documents to the new location" because of better control what is being copied and when.
So, can I pre-create Documents folders to user's homefolders on SERVER2, copy data for example with robocopy and then redirect users Documents folder to new location without breaking any functionality on synchronization/offline cache?
I would really love to hear your thoughts and how you migrated your redirected Documents folders from one share to another.
Thank you already! You're the best.
Internet Explorer Zonemapping failed
Hi,
Can anyone assist with this?
It happens on XP machines only.
On rsop
Internet Explorer Zonemapping failed due to the error listed below.
The parameter is incorrect.
On userenv>>
USERENV(3e8.3ec) 10:35:56:437 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3e8.3ec) 10:35:56:437 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(3e8.eb8) 10:36:41:234 ProcessGPOs: Extension Internet Explorer Zonemapping ProcessGroupPolicy failed, status 0x57.
Phone/USB blocking GPOs
Hi,
We have a standard group policy for blocking USB or external storage devices. Now, as per the current scenario, some phones and devices are accessible from desktops/laptops, and these devices are considered WPD (Windows Portable Devices). These WPDs can be blocked straight away through GPOs, which are available on 2008/R2 and run fine for Windows 7 systems, but we are having problems on Windows XP systems. As per my understanding, PortableDeviceApi.dll doesn't exist in XP. Kindly let me know if you have any mechanism or script through which WPD devices can be restricted.
Missing Nodes in group policy editor
Hi,
I seem to be missing a couple of nodes in my group policy editor.
Missing nodes are Deployed Printers and Internet Settings from the User Config and Deployed Printers from the computer config.
At first I thought a replication issue as these nodes are visible on other DCs and when adding GPOs and AD entries these are created on the faulty DC.
There are no errors in the event logs; however, the GPOs that are configured using these nodes are not applying on the affected computer. Other GPOs are applying fine.
Anyone seen this before?
Thanks
Tom
Log user off if program close
Currently have my GPO to limit access to only one program, that program auto-starts on login, but I want it to log users off when the program is closed.
I know I can do this via batch files, but how? I'd want the cmd window to be hidden (Note this program also runs in CMD, but a separate window).
New 2012 Schema has no "Internet Explorer Maintenance" section in GPO
So Microsoft wants us to use IEAK10 (yuck) since the GPO branding was too easy with GPO.
Anyway, those items were set in my 2008R2 GPO's, which have been converted to 2012 GPO's and I can no longer edit them.
I'd like to clean up the GPO's so the old deprecated junk is not there anymore. Unfortunately, I put the IE branding into the default domain and DC GPO's, so deleting them is not really an option.
What I need is a means to edit them, clean them up, etc.
P.S. I know they are there, because they appear in the settings tab of the GPO manager. But when you look for them in the editor, the items are completely absent...
Server 2003 GPO Password Never Expires Policy
I'm trying to separate all of my outside users and configure them with a password never expires policy. Prior to my being here someone set this up by putting a check mark in "Password Never Expires" on about 150 user objects. I would like to change this for this one container so that the password policy is controlled through a group policy object to make password updates among other things easier to roll out.
I've already created a new policy for their container with the option Maximum Password Age = 0. According to what I've read this will tell the computer that the password should never expire. I've isolated this container down to just this one computer policy and no matter what I do my user is prompted to update the password when I try to log in. Output from the client is below:
#GP Results with only the Admin policy in place (Admin policy is where I get my password settings from)
C:\WINDOWS>gpresult
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 5/12/2010 at 3:16:58 PM
RSOP results for **Removed for post**\jhinkle on 28015081H : Logging Mode
------------------------------------------------------------
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: **Removed for post**
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\jhinkle
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=28015081H,OU=IT Administrators,OU=User Accounts,DC=IKDIST,DC=com
Last time Group Policy was applied: 5/12/2010 at 3:10:05 PM
Group Policy was applied from: **Removed for post**
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
Admin Polcies
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Accounts Group Policy
Filtering: Not Applied (Unknown Reason)
Local Group Policy
Filtering: Not Applied (Empty)
Accounts Group Policy
Filtering: Disabled (Link)
The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
28015081H$
Domain Computers
USER SETTINGS
--------------
CN=Joe Hinkle,OU=IT Administrators,OU=User Accounts,DC=IKDIST,DC=com
Last time Group Policy was applied: 5/12/2010 at 3:10:44 PM
Group Policy was applied from: **Removed for post**
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
N/A
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Admin Polcies
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
IT
Domain Admins
Exchange Organization Administrators
Exchange View-Only Administrators
Exchange Public Folder Administrators
Exchange Recipient Administrators
#This is what the domain policy is telling me about my password settings.
C:\WINDOWS>net user jhinkle /domain
The request will be processed at a domain controller for domain **Removed for post**.
User name jhinkle
Full Name Joe Hinkle
Comment
User's comment
Country code (null)
Account active Yes
Account expires Never
Password last set 3/2/2010 12:06 PM
Password expires 4/14/2010 10:54 AM
Password changeable 3/2/2010 12:06 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script **Removed for post**-mail_backup.bat
User profile
Home directory \\**Removed for post**\users$\jhinkle
Last logon 5/12/2010 3:12 PM
Logon hours allowed All
Local Group Memberships *Administrators
Global Group memberships *IT *Exchange Organization
*Domain Users *Domain Admins
The command completed successfully.
Can anyone tell me am I going the right route for applying password settings like this? As I understand it the changes I've made on Maximum password age should tell it not to try and change the password.
Registry GPO fails to work
I created a GPO that is supposed to add a new Key to the registry of HKCU but I am having issues with the Computers adding in the key.
I am targeting the GPO to the Computers OU's for Laptops and Desktops because I do not want it slow down login on the servers. I am basically trying to add the Registry setting to DelegateSentItems for Outlook.
Our users are required to use Department Shared Mailboxes when emailing external contacts to reduce targeted Phishing/Spam and we need those emails being sent put into the Sent Items folder of the shared mailbox so they know what emails were responded to and what the contents of those communications were.
I do not want to do this manually to each machine due to time constraints so I tried multiple ways to do this via GPO. Please keep in mind that I have NEVER done this before so forgive my ignorance.
Here is what I tried so far:
1) Created a .reg file and tried the user config>Policies>Window Settings>Scripts>Logon
2) Computer Config>Policies>Window Settings>Scripts>Startup
3) Computer Config>Preferences>Windows Settings>Registry>Registry Wizard, added the Preferences Key with all its sub-contents
4) User Config>Preferences>Windows Settings>Registry>Registry Wizard, added the Preferences Key with all its sub-contents
Location: Laptops and Desktops OU
Security Filtering: Authenticated Users, Even tried Domain Users
Here is the Reg key I am trying to import into Registry:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Preferences]
"SyncDlgPos"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,e9,01,00,00,b9,01,00,00,dc,03,00,00,fd,02,00,00
"ABModalWidth"=dword:00000264
"ABModalHeight"=dword:000001a8
"ABColWidths"=hex:0a,00,00,00,c2,00,1d,0e,c2,00,01,30,24,00,02,30,c2,00,03,30,c2,00,fe,39,78,00,08,3a,c2,00,13,3a,78,00,16,3a,96,00,17,3a,78,00,19,3a
"LocationMRU"=hex:1f,10,01,00,00,00,00,00,0a,00,00,00,20,00,00,00,03,00,02,00,00,00,00,00,09,00,00,00,00,00,00,00,48,00,00,00,62,00,00,00,64,00,00,00,66,00,00,00,68,00,00,00,6a,00,00,00,6c,00,00,00,6e,00,00,00,70,00,00,00,72,00,00,00,4e,00,6f,00,72,00,74,00,68,00,20,00,43,00,6f,00,75,00,6e,00,74,00,79,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,42,00,4a,00,43,00,20,00,43,00,6c,00,69,00,6e,00,69,00,63,00,00,00
"ShowBcc"=dword:00000001
"CNPosX"=dword:000001b2
"CNPosY"=dword:0000014b
"CNWidth"=dword:0000019c
"CNHeight"=dword:00000141
"ShowFrom"=dword:00000001
"DelegateSentItemsStyle"=dword:00000001
I forgot to mention that I was able to manually import the .reg file into a couple of computers and it worked.
win server 2008 r2 OU
Hosting Central Store Server 2008 (not R2) Domain Controller
Are there any issues with storing ADMX files in a central store on a Server 2008 DC, but then editing the GPOs on Windows 7 and Windows 8 workstations?
Apparently there are issues using Server 2008 R2 and then editing on an older OS such as Vista or XP.
So, I'm wondering if the same is true if it is reversed and the DC OS is older rather than newer than the systems editing the GPOs?
Group Policy Object Settings do not apply for some Users
I have a Group Policy created to set Internet Explorer proxy settings to computers. This is being done in User Configuration (due to an old GPO with Computer Configuration settings I'm working to retire, no proxy settings specified in that policy).
Some users are not going to the proper proxy settings.
When we look at Internet Explorer, some of these users do not have IE Connection Settings properly configured as the GPO is configured.
Others may have these settings correctly applied but the registry (either IE or policy) settings do not reflect the correct settings.
GPRESULT in verbose says the GPO is properly applied and shows the proper settings being applied.
USER SETTINGS
--------------
CN=Smith\, John,CN=Users,DC=domain,DC=com
Last time Group Policy was applied: 4/3/2013 at 12:32:44 PM
Group Policy was applied from: adserver.domain.com
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
Default Domain Policy
IE Local Intranet
Desktop IE Settings
Desktop Network Features
Desktop Security Options
Desktop Start Menu Features
Desktop IE Proxy
Desktop Outlook Junk Mail
Desktop Outlook Cached Mode
Local Group Policy
Resultant Set Of Policies for User:
------------------------------------
Administrative Templates
------------------------
GPO: Desktop IE Settings
Setting: Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER
State: Enabled
GPO: Desktop IE Settings
Setting: Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER
State: Enabled
Internet Explorer Browser User Interface
----------------------------------------
GPO: IE Local Intranet
Large Animated Bitmap Name: N/A
Large Custom Logo Bitmap Name: N/A
Title BarText: N/A
UserAgent Text: N/A
Delete existing toolbar buttons: No
Internet Explorer Connection
----------------------------
HTTP Proxy Server: N/A
Secure Proxy Server: N/A
FTP Proxy Server: N/A
Gopher Proxy Server: N/A
Socks Proxy Server: N/A
Auto Config Enable: No
Enable Proxy: No
Use same Proxy: No
HTTP Proxy Server: N/A
Secure Proxy Server: N/A
FTP Proxy Server: N/A
Gopher Proxy Server: N/A
Socks Proxy Server: N/A
Auto Config Enable: No
Enable Proxy: No
Use same Proxy: No
HTTP Proxy Server: proxy.domain.com:8080
Secure Proxy Server: proxy.domain.com:8080
FTP Proxy Server: proxy.domain.com:8080
Gopher Proxy Server: proxy.domain.com:8080
Socks Proxy Server: proxy.domain.com:8080
Auto Config Enable: No
Enable Proxy: Yes
Use same Proxy: Yes
Internet Explorer URLs
----------------------
GPO: IE Local Intranet
Home page URL: N/A
Search page URL: N/A
Online support page URL: N/A
Internet Explorer Security
--------------------------
Always Viewable Sites: N/A
Password Override Enabled: False
Always Viewable Sites: N/A
Password Override Enabled: False
Always Viewable Sites: N/A
Password Override Enabled: False
GPO: IE Local Intranet
Import the current Content Ratings Settings: No
Import the current Security Zones Settings: Yes
Import current Authenticode Security Information: No
Enable trusted publisher lockdown: No
Internet Explorer Programs
--------------------------
GPO: IE Local Intranet
Import the current Program Settings: No
Most users are not having a problem with this GPO. Those that are though, we can't find a solution other than nuking their profile or reimaging their workstations.
DNS Settings are fine. IPCONFIG /FLUSHDNS has no effect.
GPRESULT /FORCE and rebooting has no effect.
There's no place like 127.0.0.1