Hello All,
I am trying to complete the setup in Group Policy for domain users desktop's Local Administrator password change. However i am unable to provide password in the password field. As it showing password option is Grayed out(Both Password and Confirm Password option is grayed out). How do i fix it. I would like to enable the password field to set password. Screenshot attached.
Thanks
Platform: Windows 10 Pro x64
Domain Functional Level: 2016
I am having an issue with Slow-Link Mode for Offline Files. I have set the below group policy to disabled:
Which means that a folder should never go in to Slow-Link mode while connected to a network share/resource. I only want the share/resource to go to Slow-Link mode (Work Offline / Offline Files) if the share/resource is inaccessible, not with a slow latency/connection.
However I see the following log in the Event Viewer (Applications and Services\Microsoft\Windows\ Offline Files\Operational):
Event ID= 1004
Description: Path \server\share$ transitioned to slow link with latency = 81 and bandwidth = 258888
A folder that is not synchronized for offline use has a grey X on it so when I try to open the folder, it says
I have also tried using the registry editor to add the Key and DWORD value with no success (supposedly only confirmed to apply up to Windows 8).
HKLM:\Software\Policies\Microsoft\Windows\NetCacheSlowLinkEnabled
REG_DWORD = 0
I can manually remove the "Work Offline" flag when I'm in the folder, but I don't want to make users do this, as it should never work offline unless there is NO network connectivity.
The network latency is only for users connected to VPN working from home, so as I understand Windows default value for transitioning to Slow-Link mode is 35ms round-trip latency, and the users go up to 100ms round-trip latency on VPN.
Also, I have made nearly all the same configurations as in this article: https://social.technet.microsoft.com/Forums/windows/en-US/ca9921e5-3fb8-41dd-b46e-eb4cf3f74a2d/on-slow-connections-automatically-work-offline-uncheck?forum=win10itpronetworking
Any suggestions or has anyone configured a similar scenario for Windows 10 environment?
Hi Support,
I have two server one is domain controller and 2nd one is additional domain controller but now i want to transfer all domain controller roles to additional domain controller and discard the 1st domain controller.
Hi All,
I am missing Search folder under
Computer Configuration\Administrative Templates\Windows Components\
How to get the Search GPO folder.
Thanks and regards,
ram
Hello all,
I was wondering if someone could help me out or explain to me what I'm doing wrong. I just started playing around with GPO and loving it. I created a new GPO that will be pushing out a one-time software install agent. Took me days to figure out the software deployment using GPO. Now it's working perfectly with a glitch. The issue I'm having is I restart workstation win7. I log in as a domain user and I see the desktop. I go to the add/remove section to see if the software was installed. I don't see it anywhere.
While still logged in as the same user. I do a gpresult /r and I see the GPO applied to the computer. If I do a gpupdate /force it updated the policy and tells me to reboot (Y) and log out (Y). Once the machine restarts I notice it takes a while to log in. Once I log in I see the software installed.
I have about 200+ machines I need to update. If a computer is sitting there from my understanding if a user logs in it should look at the policy and install the software. Not wait for me to run the gpupdate /force once they log in. Double the work I would be doing. How can I get around this and make it work if the computer has been sitting there all weekend without a re-start? I want the software to install the first time someone logs in. From all the videos I have seen they create the software installation under the "Computer Configuration" and not the "User Configuration"
Hopefully, I explain it well if not let me know.
Here's my issue:
Windows 10, build 1803. Lenovo laptops.
Shiny new campus, wifi network *only* (no wired Ethernet.)
Users log into Windows, machine and user get authenticated via certs.
Once logged in, users aren't able to get to \\DOMAIN.COM\SYSVOL (without being challenged for credentials) for anywhere from 2-15 minutes, which makes me think that's how long the wireless is taking to get them *fully* authenticated. During this time GPO's aren't being applied (security settings, registry settings. No logon scripts.) I monitor my registry, and th esettings are not applied during this time.
Once users can successfully get to \\DOMAIN.COM\SYSVOL. if they run a GPUPDATE /FORCE the policy settings all apply.
(When I use a wired Ethernet connection in the lab, everything works as expected. All GPOs immediately apply at logon.)
Looking for options to get the GPO's to apply at logon when on wifi.
I feel like I'm missing something simple, but I'm at a dead end.
Hi folks!
I am hoping you can help me with this...
I am having an issue where I have disabled the Folder Redirection GPO on the Domain Controller (Server 2012 R2) but the policy entries still remains under "Folder Redirection" list after doing a gpresult via the logged in users domain account on their laptops.
This is only happening to users who previously had the folder redirection policy applied. For some reason the remenance of the folder redirection still applied to these effected users.
However, newly logged in accounts on the same machine do not pick up the folder redirection settings (as they have been disabled) and the folder redirection area of "gpresult /v" appears as below (as expected):
Folder Redirection
------------------
N/A
An example of the output of "gpresult /v" on the effected machines are similar to the below (ignore the arrow):
https://filedb.experts-exchange.com/incoming/2016/11_w46/1126504/FR-GPO.jpg
Is there any way I can remove these entries on the effected existing user accounts via registry entries or something else? (as I do not want to have to wipe their profiles!).
Please do let me know! Looking forward to your responses!
Thank you
Hi,
I have a customer that is rolling out Windows 10 desktops to their domain. They have a Server 2016 domain controller. They have asked me to create a GPO that will do the following.
1. Remove/hide various undesirable icons that come "out of the box" on the start menu and task bar.
2. Add the Internet Explorer Icon to the start menu and task bar.
3. Remove the Edge browser from the start menu and task bar.
4. Specify a specific Windows screen saver, along with a screen timeout and screen lock (password required).
5. Disable Microsoft OneDrive from being used.
Can someone tell me how to accomplish these items, assuming it is possible?
Regarding the screen saver, I have done it in the past with Windows 7 and had great success. But I have tried the same GPO settings against a Windows 10 machine and can't seem to get it to work. I assume something is different related to Windows 10 screen savers and its lock screen, etc. Thanks, Chris
I create group policy - Folder Redirect local "Document" folder to server folder.
Everything seems well, but now we need RENAME server (preparing to add server to new domain, but server is still in current domain).
IP address is without change, so I decided do this steps:
Note: previous redirected path was: \\OLD_sever_name\data\users
1) Change group policy redirected path to: \\IP_Address\data\users
2) Wait some time for apply policy to all comp/users
3) Rename server and change redirected path to \\NEW_sever_name\data\users
I did only setep "1". The only change was in the same GPO change OLD_server_name for IP_ Address (the same server).
After computers/users apply this new settings, user data on server DISAPPEARS. No "document" folder on server, no document folder on PC. I copied document folders from backup to server (Thanks god for backups.) and users woks fine with new policy.
This happens to all users affected by this policy.
Server: 2012R2, PC: Windows 10 64bit.
Where is problem? I only change server_name for its IP_address and user documents disappears.
We have folder redirection enabled in GPO, what is the easiest way to remove it from our environment? We would like to do this in a phased approach as we are moving away from network share to OneDrive. We would like to use the Onedrive Windows known folder option but the folder redirection GPO is in conflicting with it. Clients are Windows 10.
We were going to restrict the new onedrive GPO to a certain user group - https://social.technet.microsoft.com/wiki/contents/articles/2933.how-to-apply-a-group-policy-object-to-individual-users-or-computers.aspx
Does anyone have any good reference web sites ?
Thanks in advanced
Hi,
Is there a way to push a scheduled task from Server 2008 R2 Group Policy to windows 10 machines on the same network?
If there is please advise me on how to do so.
Thank you in advanced.
Britten Falcher
By default our GPO Settings for Internet Explorer is "Do Not allows users to enable or disable add-ons". This is fine except that for Adobe Reader DC there is the need to allow users to enable/disable so they can launch PDF inside browser or by firing up the application. With it enabled PDFs open in IE, disable and it it launches Adobe Reader. Great but the user boxes are greyed out because of the above policy. Can I override it to allow them specifically to enable/disable this add on only??
I'm looking under User settings/Admin settings/Windows Components/Internet Explorer/Security Features/Add-on Management
There is an item called Process List which I'm not sure if this would do the trick, but it implies it is a process. The active-x add on is a dll
Ian Burnell, London (UK)
We have created a GPO to install Firefox (version 63) through the User Settings (not Computer Configuration).
Domain - User Configuration - Policies - Software Settings - Software Installation - Firefox 63
Assigned
Uninstall this application when it falls out of the scope of management
Install this application at logon
Installation user interface options (maximum) - Make this 32bit X86 application available to Win64 machines
After setting the above settings - I replicate the policy across the DC's and did a gpupdate /force on the network pc.
When the computer rebooted - the software is not installed.
I check the GPRESULT /R /Scope Computer - and the GPO Firefox is listed there.
I check the GPRESULT /R /Scope User - and the GPO Firefox is not listed
Why is the GPO Management ignoring the "user settings"?
There is a reason why we want to get the software installed via User Settings.
The software have no problem being installed via Computer Configuration - but when we put the computer out in the field - the GPO - computer configuration is not able to deploy. Only User Settings is available out in
the field.
I appreciate any and all of your help on this matter.
Thanks Gil
Hi Team,
I have tried all possible case to find a solution here
there is one policy for a shortcut which is not applying to one user however when we run gpresult, it shows as applied.
Checked - Scope, Security filtering, WMI, permission, loopback.....nothing is causing the issue
I have run out of steps to follow now except GPSVC log, Is there anything I missed to check here ??
Is there any trace I can do to find out?
Hi,
Once if the LAPSx64.msi and Lapsx86.msi is copied to a share path. It is configured to install from group policy. But below message appears when updating the group policy in Windows 7 32 bit Enterprise edition.
The Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.
I followed the below suggestion and it did not work
Please help why the above error appears and how to solve it
Regards, Boopathi
Hello everyone
We have installed the MCAfee Web Gateway (MWG) on all clients (Windows 10) in our organization. This controls the Internet access by means of a group from the AD. Now there were already several cases in which users were blocked, although they are in the group. The McAfee support believes that the MWG client does not recognize the group.
We also found that the group names are not resolved, or only partially resolved, if the client has no connection to the AD. After executing the command "whoami /groups" it looks like this (whole SID shortened/replaced with xxx):
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
======================================================== ================ ================================================ ===============================================================
Jeder Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
VORDEFINIERT\Administrators Alias S-1-5-32-544 Group used for deny only
VORDEFINIERT\Event Log Readers Alias S-1-5-32-573 Mandatory group, Enabled by default, Enabled group
VORDEFINIERT\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT-AUTORITŽT\INTERAKTIV Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
KONSOLENANMELDUNG Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT-AUTORITŽT\Authentifizierte Benutzer Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT-AUTORITŽT\Diese Organisation Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOKAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Unknown SID type S-1-5-21-xxxxxx Mandatory group, Enabled by default, Enabled group
Unknown SID type S-1-5-21-xxxxxx Mandatory group, Enabled by default, Enabled group
Unknown SID type S-1-5-21-xxxxxx Mandatory group, Enabled by default, Enabled group
Unknown SID type S-1-5-21-xxxxxx Mandatory group, Enabled by default, Enabled group
The SID always remains in the cache, the group name does not. Is there a possibility (e.g. via GPO) to add these groups to the cache as well or are there other solutions?
Similar case:
https://social.technet.microsoft.com/Forums/ie/en-US/1112015a-52c4-4a8e-adc0-0ec24cff5845/whoami-groups-does-not-show-domain-groups?forum=windowsbackup
Information about MWG:
https://www.mcafee.com/enterprise/en-us/products/web-gateway.html
Hello
Everyday we are having some clients, that are not reachable via ping. The client is able to access every network ressource (fileshare, exchange and so on) normally. After forcing the group policy manually the client is reachable again. It wouldn't apply some of our GPO (for example: updating from our WSUS or blocking the Microsoft store) and the automatic update after 90 Minutes didn't work either.
We analysed the eventviewer logs and the only error we found was following:
Error: Bandwidth estimation failure: Failed to query Intranet capability. Error code 0x15.
That happend usually in the morning. After some researches we changed the GPO Processing mode to asynchrous (always wait for the network at computer startup and logon):
https://blogs.technet.microsoft.com/grouppolicy/2013/05/23/group-policy-and-logon-impact/
After this change it seemed to be better, there were cleary less clients that are having gpo problems. But we are still having cases, where clients are not applying the group policy correct.
What could cause this problem with our group policy?
Further information about our environment:
Client OS: Windows 10 (1709)
DC OS: Windows Server 2012 R2 and Windows Server 2016
hello
I have 2 domain controller in my domain, both of them are windows server 2008 R2 in past i lost my Default group policy files in some ransomware attack (attack was on other machine but sysvol folder and GPOs damaged),after that i rebuild default GPOs with "dcgpofix /target:both" and everything seems to be OK but few days ago i found that one of my DCs dose not apply any group policy even "default domain controllers policy" i didn't found any error or warning in event viewer and even when i run "gpupdate /force" it show "User and Computer Policy update has completed successfully" and even there is no error in "winlogon.log" file and i can't found root of problem after couple of hours.
for example i change the "Account lockout threshold" to "15 invalid logon attempts" in "default domain controllers policy" it dose not effect of one of my DCs but work fine in other, and even this change dose not show in "gpresult" and "rsop" in that DC
i even create a new GPO and link that to my DCs but the same result.
my winlogon.log:
*************************
Error 0 to send control flag 1 over to server.
Make a local copy of \\My.Domain\SysVol\My.Domain\Policies\{2F6E7BAA-5DD4-4123-829C-8297C6FCDBA3}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkSite GPO_INFO_FLAG_BACKGROUND )
Make a local copy of \\My.Domain\sysvol\My.Domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
Make a local copy of \\My.Domain\SysVol\My.Domain\Policies\{D03F35EE-2D52-4BCD-A785-8B4DD7D61F7D}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
Make a local copy of \\My.Domain\sysvol\My.Domain\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
Process GP template gpt00000.inf.
This is not the last GPO : domain policy is ignored on DC.
-------------------------------------------
Sunday, March 10, 2019 5:24:23 PM
Copy undo values to the merged policy.
----Un-initialize configuration engine...
Process GP template gpt00001.dom.
This is not the last GPO.
-------------------------------------------
Sunday, March 10, 2019 5:24:23 PM
----Un-initialize configuration engine...
Process GP template gpt00002.inf.
This is not the last GPO : domain policy is ignored on DC.
-------------------------------------------
Sunday, March 10, 2019 5:24:23 PM
----Un-initialize configuration engine...
Process GP template gpt00003.inf.
This is the last GPO : domain policy is ignored on DC.
-------------------------------------------
Sunday, March 10, 2019 5:24:23 PM
----Un-initialize configuration engine...
-------------------------------------------
Sunday, March 10, 2019 5:24:23 PM
----Configuration engine was initialized successfully.----
----Reading Configuration Template info...
----Configure User Rights...
Configure S-1-5-20.
Configure S-1-5-19.
Configure S-1-5-32-549.
Configure S-1-5-32-551.
Configure S-1-5-32-544.
Configure S-1-5-32-559.
Configure S-1-5-32-554.
Configure S-1-5-11.
Configure S-1-1-0.
Configure S-1-5-32-550.
Configure S-1-5-32-548.
Configure S-1-5-9.
Configure S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420.
User Rights configuration was completed successfully.
----Configure Security Policy...
LSA anonymous lookup names setting : existing SD = D:(D;;0x800;;;AN)(A;;0xf1fff;;;BA)(A;;0x20801;;;WD)(A;;0x801;;;AN)(A;;0x1000;;;LS)(A;;0x1000;;;NS)(A;;0x1000;;;S-1-5-17).
Configure LSA anonymous lookup setting.
Configure machine\system\currentcontrolset\control\lsa\nolmhash.
Configure machine\system\currentcontrolset\control\lsa\scenoapplylegacyauditpolicy.
Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature.
Configure machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
Configure machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal.
Configure machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity.
Configuration of Registry Values was completed successfully.
Legacy audit settings are disabled. Skipped configuration of legacy audit settings.
Audit/Log configuration was completed successfully.
Kerberos Policy configuration was completed successfully.
----Configure available attachment engines...
Configuration of attachment engines was completed successfully.
----Un-initialize configuration engine...
*********************
and this is my "gpresult /z" there is no sing of Account lockout that i set: