Dear Microsoft team,

i have been trying to config GPO to force minimum password length to 10 digit.

but user account can change password with 8 digit yet.

cloud you please tell me What the something wrong?

So, I have a question for more experienced in odd situations.  I have a Windows server 2012 and 2012 R2 Active Directory environment.  It was upgraded from 2008 R2 about 4 years ago under another admin.  At some point, my predecessor thought it was a good idea to completely disable all settings in the default domain policy and default domain controllers policy (which both had MANY other settings changed from default).  In their place(not at the domain level) are CIS Benchmark policies at the computer OU level that have been modified for our environment and this was also done for the domain controllers in place of the default policy.  I am not sure if that is causing my problem or not, but I recently discovered (just before a security audit) that our password policy is not applying for AD accounts even though the policy that sets that is being applied before other policies, so it should work....right?   The policy is supposed to require a 14 character minimum, but it will still let you do 8. 

I am making plans in the next few weeks to migrate everything from the current DCs to Server 2016 and I am thinking of bringing back the default domain policies, but not sure of the best way to accomplish that.  Should I delete those policies all together before I migrate, or could I migrate everything and then run the dcgpofix tool in Powershell to reset the policies back to default.  I also have a lot of other GP cleanup to do to remove old policies that are just sitting there disabled and possibly a restructuring since I have about 10 or so OUs with inheritance disabled.  (I inherited a mess!)  

David Hood

Hi,

Try to use gpo to cretae a TS which runs a script when user logins to delete user data from desktop, my documents ect...

The script works fine when running it self.

ts SETTINGS.

General

• Name : Delete Data - User
• When running the task, use the following user account: BUILTIN\USERS

Triggers

• At log on

Actions

• Start a program: "C:\Users\Data to delete.bat" (i try it with speech marks and without)
  

Condition/Settings/ Common: no changes made

The file does existed in C:\users\ folder

This is the error i get on PC.

The user 'Delete Data - User' preference item in the 'Test Security {xxxxxxxx}' Group Policy object did not apply because it failed with error code '0x80041318 The task XML contains a value which is incorrectly formatted or out of range.' This error was suppressed.

The user 'Delete Data - User' preference item in the 'Test Security {xxxxxx}' Group Policy object did not apply because it failed with error code '0x80041318 The task XML contains a value which is incorrectly formatted or out of range.' This error was suppressed.

SCRIPT:

@echo off

del %userprofile%\Desktop\*.* /s /q
del %userprofile%\My Documents\*.* /s /q
del %userprofile%\Downloads\*.* /s /q
del %userprofile%\Favourites\*.* /s /q
del %userprofile%\My Pictures\*.* /s /q

for /d %%x in (%userprofile%\Desktop\*) do @rd /s /q "%%x"
for /d %%x in (%userprofile%\My Documents\*) do @rd /s /q "%%x"
for /d %%x in (%userprofile%\Downloads\*) do @rd /s /q "%%x"
for /d %%x in (%userprofile%\Favourites\*) do @rd /s /q "%%x"
for /d %%x in (%userprofile%\My Pictures\*) do @rd /s /q "%%x"

On Server 2008 R2 Enterprise, I keep getting event id 1110 errors from Group Policy, indicating Windows cannot tell if the user and computer are in the same forest. I can't find any obvious issue on the domain controllers. I can ping the DCs and nltest /server:<dcname> against the DCs returns no error. When I have a  user execute gpresult /H GPOResult.html as suggested in Technet, it hangs. Reboot fixes the issue, but I need to find a better solution for the production environment. I also notice that if I go to add a user or group to the local Administrators group, it does not display the domain as a location from which to add users, just the local computer and  "Entire Directory". Interestingly enough, if I select "Entire Directory" and enter a samid, it resolves it fine. Can someone point me in the right direction to resolve this issue?

Thanks

I have a Remote Desktop Services host running Server 2008 R2, and I get a PrintService Event ID 513 almost every time a user logs in:

Group Policy was unable to add per computer connection \\KARFP1\MTL_Label_WHSE. Error code 0xbc4. This can occur if the name of the printer connection is incorrect, or if the print spooler cannot contact the print server.

My problem is that I don't know what is causing the connection to this printer, and I don't want it to connect except for a select few users.

Normally I use Group Policy on different security groups to assign printers; each group has a different GPO with different printers.  This is actually working correctly, and the users who need the printer get a connection to it.  But this error seems to be coming from a computer-level setting, applied to all users who log in to the host.  What's even more bizarre is that a handful of users actually get a successful connection to the printer, which I am trying to eliminate.

I've scoured all GPOs in my domain and I can't find any instance of this printer connection, except in the specific security group where I want it to be (and that's at user-level).  I've also looked at the local policies on the server, and it's completely empty (as expected).  So what could be attempting to connect this printer on login?

Hi all,

I'm new to this forum (and powershell in general) and created this account just to see if I can get an answer to this question. I'm running Windows 7 Professional and need a script to uninstall all nonpresent USB mass storage devices from device manager (and possibly some other devices). I tried using the Devcon.exe utility, but found that it can't uninstall nonpresent devices (only present ones). Essentially, I'm trying to find a way to emulate device manager's uninstall utility for nonpresent devices. Is there any way to uninstall these devices with a script? I'm hoping to deploy this to a larger environment eventually.

I've looked at this page http://blogs.technet.com/b/wincat/archive/2012/09/06/device-management-powershell-cmdlets-sample-an-introduction.aspx and many others like it, but none seem to be able to actually uninstall a nonpresent device. (pnputil.exe doesn't seem to update the registry properly, which leads to the devices reappearing in device manager)

Any help at all would be appreciated, and I apologize if I've missed something obvious in my search for an answer to this question.

Thanks!

Sam S.

Hello All,

I am trying to complete the setup in Group Policy for domain users desktop's Local Administrator password change. However i am unable to provide password in the password field. As it showing password option is Grayed out(Both Password and Confirm Password option is grayed out). How do i fix it. I would like to enable the password field to set password. Screenshot attached.

Thanks

Some of my Group Policy for users is not working with the below error when I run the command GPUpdate /Force.
For example, I am a member of the AD group called Permanent Corporate Users, and this is the result:

Computer Policy update has completed successfully. User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\MyDomain.com\SysVol\MyDomain.com\Policies\{65Ab29CD-B068-454A-BD31-73298424BC8}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 

a) Name Resolution/Network Connectivity to the current domain controller. 
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Upon looking at the existing group policy with the GUID 65Ab29CD-B068-454A-BD31-73298424BC8 it is because I have categorized the AD group called Permanent Corporate Users a DENY Read permission at the higher container.


So what to do to ensure the rest of the Users GPO under the OU tree is working again?
What to look in the HTML file generated by the command GPRESULT /H GPReport.html?

I need to make sure the other group policy is working or applied, but somehow not working due to this one particular GPO was DENIED to read.

/* Server Support Specialist */

Hello All,

I am trying to complete the setup in Group Policy for domain users desktop's Local Administrator password change. However i am unable to provide password in the password field. As it showing password option is Grayed out(Both Password and Confirm Password option is grayed out). How do i fix it. I would like to enable the password field to set password. Screenshot attached.

Thanks

Platform: Windows 10 Pro x64
Domain Functional Level: 2016

I am having an issue with Slow-Link Mode for Offline Files. I have set the below group policy to disabled:

• Computer Configuration\Administrative Templates\Network\Offline Files\Configure slow-link mode

Which means that a folder should never go in to Slow-Link mode while connected to a network share/resource. I only want the share/resource to go to Slow-Link mode (Work Offline / Offline Files) if the share/resource is inaccessible, not with a slow latency/connection. However I see the following log in the Event Viewer (Applications and Services\Microsoft\Windows\ Offline Files\Operational):

Event ID= 1004
Description:  Path \server\share$ transitioned to slow link with latency = 81 and bandwidth = 258888 

A folder that is not synchronized for offline use has a grey X on it so when I try to open the folder, it says

• "This file is currently not available for use on this computer."

I have also tried using the registry editor to add the Key and DWORD value with no success (supposedly only confirmed to apply up to Windows 8).

HKLM:\Software\Policies\Microsoft\Windows\NetCacheSlowLinkEnabled
REG_DWORD = 0

I can manually remove the "Work Offline" flag when I'm in the folder, but I don't want to make users do this, as it should never work offline unless there is NO network connectivity.


The network latency is only for users connected to VPN working from home, so as I understand Windows default value for transitioning to Slow-Link mode is 35ms round-trip latency, and the users go up to 100ms round-trip latency on VPN.

Also, I have made nearly all the same configurations as in this article: https://social.technet.microsoft.com/Forums/windows/en-US/ca9921e5-3fb8-41dd-b46e-eb4cf3f74a2d/on-slow-connections-automatically-work-offline-uncheck?forum=win10itpronetworking

Any suggestions or has anyone configured a similar scenario for Windows 10 environment?

Hi all,

today i try to modify IE10 Preference on group policy editor, but when i save my preference, console crashed. I try on remote console from my personal computer Win10 (up to date 25 Feb. 2019), from Win 2018R2 DC and from Win 2016 DC (up-to-date on 25 Feb. 2019), but the error is the same, mmc.exe crashed. I have the same problem also if i change e policy on default domain level and if i try to do this under 10 level of OU.

I check this error only for IE preferences, if i try to change any other options on any other policy i don't have problems.

On the Event viewer i have this Warning ONLY this:

Please can you help me?

Thank you

when a non-admin user try to run the Task Scheduler , the below message is showing .

your system administrator has blocked this program. for more information , contact your system administrator 

OS: windows 2012 R2.

Dear All,
I want to push screen savers weekly to all computers on my domain using group policy. How can I achieve this and what tools can I use to convert a *.jpg to <g class="gr_ gr_36 gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar multiReplace" data-gr-id="36" id="36">an  *</g>.scr

Regards,

Tony Mbogo

I am an administrator of Windows Server 2012 R2 that is one of memeber server in our domin. There is domain controller server which is Windows Server 2008 R2, and my member server got applied some group policy from the domain controller.

Recently I just found out that group policy configuration does not match between gpedit and regedit.

For example, when I open gpedit.msc and take a look at the following configuration, and it said "Not Configured"

Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Printer Redirection -> "Redirect only the default client printer"

However when I open regedit and take a look at the actual registory key that should be as same as on gpedit.msc, it said "Enabled"

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\
Value Name: RedirectOnlyDefaultClientPrinter
Type: REG_DWORD
Value: 1

Both of gpedit and regedit should be the same "Enabled" just as GPO sat up, but they are different.

I have confirmed the gpresult setting is applied by GPO by executing gpresult command. It is my understanding that if GPO is applied, the value will be forcely set up to member server, and gpresult and regedit supposed to be the same setting. I reboot the member server and execute gpupdate /force by command just in case, but it did not fix the difference. I really have no idea why gpedit and regedit show different configuration like this. Is there any possiblitiy that my cause of this situation?

Any advice will be greatefully appreciated. Thank you.. 

Hello everyone

We have installed the MCAfee Web Gateway (MWG) on all clients (Windows 10) in our organization. This controls the Internet access by means of a group from the AD. Now there were already several cases in which users were blocked, although they are in the group. The McAfee support believes that the MWG client does not recognize the group.

We also found that the group names are not resolved, or only partially resolved, if the client has no connection to the AD. After executing the command "whoami /groups" it looks like this (whole SID shortened/replaced with xxx):

GROUP INFORMATION
-----------------

Group Name                                               Type             SID                                              Attributes                                                     
======================================================== ================ ================================================ ===============================================================
Jeder                                                    Well-known group S-1-1-0                                          Mandatory group, Enabled by default, Enabled group             
VORDEFINIERT\Administrators                              Alias            S-1-5-32-544                                     Group used for deny only                                       
VORDEFINIERT\Event Log Readers                           Alias            S-1-5-32-573                                     Mandatory group, Enabled by default, Enabled group             
VORDEFINIERT\Users                                       Alias            S-1-5-32-545                                     Mandatory group, Enabled by default, Enabled group             
NT-AUTORITŽT\INTERAKTIV                                  Well-known group S-1-5-4                                          Mandatory group, Enabled by default, Enabled group             
KONSOLENANMELDUNG                                        Well-known group S-1-2-1                                          Mandatory group, Enabled by default, Enabled group             
NT-AUTORITŽT\Authentifizierte Benutzer                   Well-known group S-1-5-11                                         Mandatory group, Enabled by default, Enabled group             
NT-AUTORITŽT\Diese Organisation                          Well-known group S-1-5-15                                         Mandatory group, Enabled by default, Enabled group             
LOKAL                                                    Well-known group S-1-2-0                                          Mandatory group, Enabled by default, Enabled group             
                                                         Unknown SID type S-1-5-21-xxxxxx                                  Mandatory group, Enabled by default, Enabled group             
                                                         Unknown SID type S-1-5-21-xxxxxx                                  Mandatory group, Enabled by default, Enabled group             
                                                         Unknown SID type S-1-5-21-xxxxxx                                  Mandatory group, Enabled by default, Enabled group             
                                                         Unknown SID type S-1-5-21-xxxxxx                                  Mandatory group, Enabled by default, Enabled group       

The SID always remains in the cache, the group name does not. Is there a possibility (e.g. via GPO) to add these groups to the cache as well or are there other solutions?

Similar case:

https://social.technet.microsoft.com/Forums/ie/en-US/1112015a-52c4-4a8e-adc0-0ec24cff5845/whoami-groups-does-not-show-domain-groups?forum=windowsbackup

Information about MWG:

https://www.mcafee.com/enterprise/en-us/products/web-gateway.html

Hello

Everyday we are having some clients, that are not reachable via ping. The client is able to access every network ressource (fileshare, exchange and so on) normally. After forcing the group policy manually the client is reachable again. It wouldn't apply some of our GPO (for example: updating from our WSUS or blocking the Microsoft store) and the automatic update after 90 Minutes didn't work either.

We analysed the eventviewer logs and the only error we found was following:
Error: Bandwidth estimation failure: Failed to query Intranet capability. Error code 0x15.

That happend usually in the morning. After some researches we changed the GPO Processing mode to asynchrous (always wait for the network at computer startup and logon):
https://blogs.technet.microsoft.com/grouppolicy/2013/05/23/group-policy-and-logon-impact/ 

After this change it seemed to be better, there were cleary less clients that are having gpo problems. But we are still having cases, where clients are not applying the group policy correct. 

What could cause this problem with our group policy?

Further information about our environment:

Client OS: Windows 10 (1709)

DC OS: Windows Server 2012 R2 and Windows Server 2016

Hello,

I have created a Security Group in our AD (Windows Server 2012 R2) and I have added 3 computers (Windows 7 pro and Windows 10 pro) as members of the group. We want to apply a specific GPO to this group, so I added the new Security Group in the Security Filtering field of the GPO.

After running "gpupdate /force" on the computers in scope, the security setting was not applied. So running "gpresult /r" I realized that the 3 computers are not listed on the "The user is a part of the following security groups:".

After that, I first restarted the Windows 7 computer with no luck. Then, I disjoined it from the domain and join it back to it. Same result.

Our environment consists of 2 Domain Controllers and replication looks ok.

Can you please help me with the issue?