Channel: Group Policy forum
Viewing all 19997 articles

Software restriction policy randomly block all for certain user

Hello all, 

We are using Software Restriction Policy (SRP) with default block all and whitelisted files\paths. There is an issue that this setting sometimes (accidentally) blocks all (legitimate software) for some users. We turned on: "Process even if the Group Policy objects have not changed".

We used the settings for laptops\computers and also for RDS Server. It is not related to specific users\computers\servers because we noticed this with these settings in multiple environments (customers).

We have used SRP for quite a long time, but it is not so long since we set up "Process even if the Group Policy objects have not changed."

I think that this issue is caused when group policies are reprocessed and explorer.exe is starting (user logon to RDS) during this time. It should be because the SRP registry settings aren't fully set up (not complete) when explorer.exe is starting. On one RDS server there are users who work without issue, but one newly logged-on user has all apps blocked. It sometimes also happened on computers\laptops, but not so often.

I give it 90% probability, but I'm not sure about it and I don't know how to get rid of it.


Windows Server 2008 AllUsers Desktop shortcut

I'm trying to create an AllUsers Desktop shortcut on a Windows Server 2008 box.  I'm logged in as an Administrator and I've even tried running Explorer with the Run as Administrator option.  When I navigate to the c:\programdata folder, which according to this posting is the location of the new AllUsers profile, I can access it fine.  However, certain subfolders including Desktop display a lock icon, and when I attempt to paste a shortcut to the folder, or even just double-click it, I get an access denied message.

Group Policy reporting

I was wondering: is there a way to identify all group policies that we have created that would have WMI queries or security group filtering, instead of having to check each one that would contain it one by one?

Where is "Printer Connections set"?

Apologies if I'm missing the point entirely, but I'm completely new to GP and I'm stumped with this one situation.

I added four printers from my 2008SP1 print server to be deployed via AD and a GPO (default domain policy). (This is done on the print server.)

When I look in the policy settings I see Computer Configuration->Policies->Windows Settings->Printer Connections-> <My four printers>

BUT when I edit the policy there is no "Printer Connections" under Windows settings! And looking through most of the GPO (why no search function?) I can't seem to find it anywhere.

From reading a bit on the forum I'd think perhaps it resided within a script (which is one of the child-objects to Windows Settings), but no.. there are NO scripts anywhere.

The thing I wanted to do was to change the \\SERVERNAME\Printer to \\ALIAS\Printer, simple as that... but not if I can't find where the heck in the GPO it is hiding.

While I'm at it... got any introductory articles or somesuch on Group Policy?

PS: Reposting since some MSFT mod moved my original post to the Hungarian Windows 7 forums and locked it! :)

How to remove printers from specific user's computer that were applied through group policy.

Hello everyone, I am having a situation in which I added printers through group policy for a certain domain, but I realized later that some people on that domain do not necessarily correspond to that domain site. Is there a way I can remove printers from group policy for those specific users? Or is there a way I can remove printers that were applied through group policy manually on the specific user's computer?

Can a Computer policy apply to User group Security filter?

Hey Guys

I am attempting to apply a Computer policy to a specific User group via Security Filtering.

I have split the user and computer settings.

However, on gpresult /r the policy is not applied "Due to Security Filter" (I have added Authenticated Users as read only).

If I add the computer to the security filter it does apply the policy, so my question is: can computer policies only be applied to computers/devices using the Security Filter?

Thanks for any assistance.

Group Policy (Bug or I'm missing something)

Can someone else try this and report back please.  I originally created the policy on a 2012 R2 DC and had the issue. I then tried to create the policy from the 2016 DC and had the same issue.

You will not have to deploy this policy or even set up the scope to see if it works or not.

Create a new GP. 

User Configuration\Policies\Windows Settings\Folder Redirection\Desktop  (Right click and choose properties from Desktop)

Setting: Advanced - Specify locations for various user groups

Add a security group (probably could be any group) and a UNC path to some share of yours (\\servername\share$\)

Settings Tab: Probably does not matter what you choose here.

Click OK and apply.

For me, after doing this... there is no shown or editable policy under Desktop.  Back over in GP Management, if you refresh the policy, it does show the configured settings.  And in fact, if you repeat the steps again there will be a 2nd configured policy.  The problem is, you can never go back and actually edit or change the policy.  You can't even remove it without deleting the entire Group Policy object.

AGPM - Creation / Import of GPO fails with "The user name or password is incorrect" (0x8007052E)

The example below shows what happens when creating a controlled GPO in AGPM, but the same is true of other operations as well...

Error in AGPM:

Create GPO: C-Server-Firewall Settings...Failed
The overall error was: The user name or password is incorrect. (Exception from HRESULT: 0x8007052E)
 Additional details follow.
[Error] Unable to cast object of type 'System.DBNull' to type 'Microsoft.Agpm.GroupPolicy.Interop.GPMBackup'.

Excerpt from %ProgramData%\Microsoft\AGPM\agpmserv.log (https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/agpm/configure-logging-and-tracing):

2019-01-08 00:41:16:8281 [pid=4812,tid=7] [Error] [Litware.com] GPO:{063B4D92-4EFD-4C80-9785-EA59A9B73DC0} Msg:GPO backup operation failed. System.Runtime.InteropServices.COMException (0x8007052E): The user name or password is incorrect. (Exception from HRESULT: 0x8007052E)
   at Microsoft.Agpm.GroupPolicy.Interop.GPMResultClass.OverallStatus()
   at Microsoft.Agpm.AgpmServer.backupGPO(IGPMGPO gpmGpo, String strComment, GPOVResult& msgResult)
2019-01-08 00:41:16:8906 [pid=4812,tid=7] [Error] [Litware.com] GPO:{063B4D92-4EFD-4C80-9785-EA59A9B73DC0} Msg:An error occured during empty GPO template creation. System.InvalidCastException: Unable to cast object of type 'System.DBNull' to type 'Microsoft.Agpm.GroupPolicy.Interop.GPMBackup'.
   at Microsoft.Agpm.AgpmServer.CreateEmptyGpoTemplate(IGPMDomain2 gpmDomain, ArchiveIndexFile stateFile, GPOVResult& msgResult)

Application Event Log:

Log Name:      Application
Source:        Group Policy Management
Date:          1/8/2019 12:41:16 AM
Event ID:      2004
Task Category: None
Level:         Error
Keywords:      Classic
User:          SYSTEM
Computer:      LitwareRootDC01.Litware.com
Description:
Backup of GPO failed. Error [The user name or password is incorrect.
].
 Details -
     Source GPO:
          DisplayName: <Empty GPO>
          ID: {063B4D92-4EFD-4C80-9785-EA59A9B73DC0}
          Domain: Litware.com
 
      Backup:
         Directory: C:\ProgramData\Microsoft\AGPM
         Instance : {35D9CD0C-6E33-4FE9-9490-1E214F79E154}
         Comment  :

System Event Log:

Log Name:      System
Source:        LsaSrv
Date:          1/8/2019 12:41:16 AM
Event ID:      40961
Task Category: None
Level:         Warning
Keywords:     
User:          SYSTEM
Computer:      LitwareRootDC01.Litware.com
Description:
The Security System could not establish a secured connection with the server cifs/LitwareRootDC01/Litware.com@Litware.com. No authentication protocol was available.



Disable (deny) force logoff

Hi,

How can I disable the forced logoff?

Thanks

Apply "Folder Redirection" on specified PC only

Hi,

Currently, we have applied the user policy "Folder Redirection" to all users.

But for some users, we would like to disable this policy while they log on to a specified PC.

For example, user Peter logs on:

PC001 - Will apply Folder Redirection

NB001 - Folder Redirection will not apply

Thanks

How to prevent playing video to ignore screensaver policy

Our company policy is to make the screensaver (with password) active after 5 minutes. This works fine.

But some employees found out how to bypass the policy by playing a video in a loop.

How can we deal with these retards?

How to set Internet Explorer & Edge Home Page via GPO

Hi,

This is regarding setting up the default home page for IE and Edge.

I followed the documentation at https://prajwaldesai.com/how-to-set-internet-explorer-home-page-via-gpo/

and it is working as expected, but I need help on the points below:

1) How do I configure the same settings for MS Edge? I guess it is not possible yet, as I researched a lot but could not find anything along the same lines (https://community.spiceworks.com/topic/1225709-microsoft-edge-no-way-to-set-homepage-via-gpo)

2) At present the default page is opening with tab browsing as well. Is it possible to configure it so it only opens when a new instance is launched?

3) Can I configure the same policy for non-Microsoft browsers as well, like Chrome, Mozilla, etc.?

-Atul


TheAtulA

Does AD Security group need to be in a specific OU for gpo to apply?

Hi Guys

I have a Computer policy which I wanted to apply to a specific AD group (which had certain computers as members).

The computers were individually in the OU where the policy was applied, but the security group which also contained the computers was in a different OU.

When I ran gpresult /r it showed the policy was being applied, but the computer was not showing as part of the security group, therefore the GPO setting was not being applied.

If I move the security group to the OU, gpresult /r shows the computer as a member of the security group and the GPO settings then also apply.

Could someone please clarify if this behaviour is correct? I thought that if the computers were in the OU anyway, the security group/AD folder could be in the usual groups location.

Help always appreciated.

drive mapping

I am trying to change the drive mapping from one server(2008 R2) to another server(2016 standard). In the action space, I used Replace. The location points to the new server. Waited a couple of minutes, rebooted my test laptop, but I am still getting the drive mapping pointed to the old server. Did a gpupdate /force, still pointing to the old server. What am I missing in here?  Thanks..

having trouble with GPO

Okay, I was able to force a test GPO to one of my machines by typing gpupdate /boot on that machine. The policy worked after I restarted the machine, but now my question is: why did I have to do that (gpupdate /boot), and will I have to do this on all my other machines?

Remote Desktop - User Mode - Windows Firewall Rule not found under GPO Settings

Need to add a new firewall rule to our Windows 10 policy: "Remote Desktop - User Mode (TCP-In)".

But when I look under Predefined Rules, it's not there, only Remote Desktop (TCP-In).

What am I missing, where can I find it?

Win10 hardening GPO support for SCIF using 2012 R2

Working on some hardening settings for Win10 desktop machines in a SCIF environment, there are 2 settings I've been wrestling with and haven't found a workaround for. They are:

1. Disabling the microphone jack/port

2. Allowing only privileged users write access to CD/DVD and preventing everyone else.

In Group Policy Preferences I'm not seeing anything for the microphone under Control Panel\Devices; there's a policy setting to disable sound completely, and a registry setting to turn off the headphone, but nothing for the microphone. The only real option I can see is disabling the microphone in the BIOS, but that would require altering the image, as I don't think BIOS settings can be managed by GPO. As for allowing only privileged users to write to CD/DVD, the only fix I can think of is first setting up a GPO to block CD/DVD access completely, then creating a second "exceptions" GPO to allow this setting and using a security filter to select only privileged users or a security group of users. But this will require two policies for just one setting, which I would like to avoid. Thank you in advance for the help.


PC Log Off - GPO

Dear All,

In a Windows 2012 environment, I want to apply a GPO to log off Windows 7/10 workstations if they remain idle for a certain time.

Appreciate your help.

Thanks and Regards,

KALEEMULLAH BILAL

copy a file from share to local filesystem

Ok, I’ve tried to use GPO to move the bginfo.exe and bgconfig.bgi files from the shared sysvol folder source: \\ZELDA\Windows\SYSVOL\sysvol\bginfo.exe to C:\Users\ADMIN\ on each machine since they all have that tree structure, but it didn’t move any files. I also added to that same GPO to add the shortcut to shell:startup from bgconfig.bgi for target C:\Users\ADMIN\bginfo.exe bgconfig.bgi /timer:0 /nolicprompt /silent


None of this worked, and I’m not sure why.

GPO to Delete User Profiles Not Working

Hello,

I have Win 10 v1803 machines set with a domain level policy to delete profiles after 7 days via

Computer config -> admin templates -> system -> user profiles -> Delete user profiles older than (days)

Running GPresult on one of these machines shows the policy is applied to it. This policy also sets things like the desktop background for all users, which is set correctly. However, looking at the C:\Users folder on the same machine, I can see user profiles that have not been touched for up to two months...

The policy's scope includes OUs that contain these machines as well as the user AD accounts that have the profiles.

Any help?
