Dear Team,

I want to create folder redirection from GPO, my scenario is user will save the date on user desktop and wherever he will login he has get same data on his desktop.

Thanks in advance.

Bhaskar

Hi,

I am looking at a setup which is as follows:

Client has an 2008R2 RDS server.

Roaming profile dir is : \\fs-01\roamingprofile$\   (via GPO)

Desktop redirects to \\fs-01\desktop\%USERNAME%\desktop (via GPO)

Downloads redirect to \\fs-01\downloads\%USERNAME%\Downloads (via GPO)

My Docs redirect to: \\fs-01\users\%username% (via GPO) Given the mydocs path every my documents folder in the users folder appears as my documents.

The GPO for roaming profile and folder redirection (old RDS GPO) has been applied at a top level OU.

We have set up a new RDS environment for them (Server 2016)

As the GPO for roaming profile and folder redirection has been applied at a top level OU, I've had to disable inheritance on the OU (new RDS) with the new 2016 RDS server and create new roaming profile and folder redirection GPOs. 

New paths are:

Roaming profile dir is : \\fs-01\Newroamingprofile$\   (via GPO)

Desktop redirects to \\fs-01\RedirectedFolder$\%USERNAME%\ (via GPO)

Downloads redirect to \\fs-01\RedirectedFolder$\%USERNAME%\ (via GPO)

My Docs redirect to: \\fs-01\RedirectedFolder$\%username%

Profiles redirect fine. However, I need to get the contents of the old desktop, my docs etc for each user over to the new folders. I have set the folder redirection options to grant exclusive rights and move contents. Other folder redirection settings are: Basic - redirect everyones folder to the same path and create a folder for each user under the root path.

The issue I have is that the contents of the old my docs, etc don't get copied over.

I have tried to get the old gpo to run and then apply the new gpo by:

-turning on inheritance (the old RDS GPO does not have loopback processing configured). Set loopback processing on the new RDS GPO to replace. Set the GPO ordering on the OU so that the old rds gpo runs first followed by the new rds gpo.

- Keeping inheritance on and create a copy of the old RDS GPO - don't configure loopback processing on this. Set loopback processing on the new RDS GPO to replace. Set the GPO ordering on the OU so that the copy of the old rds gpo runs first followed by the new rds gpo.

In both cases, the results are identical - the old rds gpo wins.

The only situation in which I am getting the results I want is if I first apply the old RDS GPO and then change the path in that. This successfully copied over the contents. However, in my case it would mean that I would have to:

1) Apply a copy of the old GPO to the new RDS and then once users have logged in, change the path in the GPO - Makes it difficult to move over users in small batches.

2) Make the change to the top level GPO now and change user path's before moving them to the new RDS server. Given that 400 users login every morning, this may cause chaos and is a bit risky.

Is the behaviour I have described above normal? That is, documents only get moved if you change the path in the original GPO? If not then any advice would be appreciated. The reason for the whole data move is the appearance of the my documents folders.

Thanks,

I'm currently working on a logon script that writes to the Event Viewer on the DC. Since logon scripts run as the user that just logged in, this only works for Domain Admins and other accounts that have permision to write to the event log. To work around this, i've changed to a scheduled task that runs the script at logon, but I can only run the script as a local user. 

How could I go around this? I'd really like to avoid giving permissions to the domain users. 

To give you further information, the script is a batch file that returns the hostname and the active session id and username and then passess those values as parameers to a PS script that writes them into the event log. 

Sokneang SAM

Hello,

We are currently using AGPM v4 SP3 on a Windows 2012 R2 member server in our domain.  Currently one of our policies has an error when attempting to view the settings/GPO history in HTML,  the error is :

 Failed to generate a HTML GPO settings report.

The following error occurred:
Extension functions cannot return null values.
System.Xml.Xsl.XslTransformException (80131942)

The HTML file that is created is cut short at the same place every time in Computer Configuration/Policies/Administrative Templates/Windows Components/App Privacy as can be seen in the image below : 

In Windows 10 Build 1607 the AppPrivacy ADMX changed some formatting which i believe caused this issue when added to our policies,  we've only just seen this issue as we've not needed to make many changes to this GPO till now (version history https://blogs.technet.microsoft.com/grouppolicy/2016/10/12/admx-version-history/) the settings are :

Could someone please test this?  Is this a known issue? (i couldn't find anything similar on google / this forum)

Thank you,

Chris

Hi, I was editing Default domain policy> user configuration > IE > add some local intrasite

And I got this error

----------------------------------------------------------------------------------------------------------------------------------------

See the end of this message for details on invoking 
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.IO.FileLoadException: The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)
   at Microsoft.GroupPolicy.AdmTmplEditor.IGPMAdmTmplEditorCallback.ApplyChanges()
   at Microsoft.GroupPolicy.AdmTmplEditor.Editor.SaveChanges()
   at Microsoft.GroupPolicy.AdmTmplEditor.Editor.buttonApply_Click(Object sender, EventArgs e)
   at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
   at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.ButtonBase.WndProc(Message& m)
   at System.Windows.Forms.Button.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


************** Loaded Assemblies **************
mscorlib
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.18449 built by: FX451RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/mscorlib.dll
----------------------------------------
Microsoft.GroupPolicy.AdmTmplEditor
    Assembly Version: 6.2.0.0
    Win32 Version: 6.2.9200.16384 (win8_rtm.120725-1247)
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_64/Microsoft.GroupPolicy.AdmTmplEditor/v4.0_6.2.0.0__31bf3856ad364e35/Microsoft.GroupPolicy.AdmTmplEditor.dll
----------------------------------------
System
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.18045 built by: FX45RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Windows.Forms
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.18046 built by: FX45RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System.Drawing
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.18022 built by: FX45RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Xml
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.18058 built by: FX45RTMGDR
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------
Accessibility
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.17929 built by: FX45RTMREL
    CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Accessibility/v4.0_4.0.0.0__b03f5f7f11d50a3a/Accessibility.dll
----------------------------------------

************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.

For example:

<configuration>
    <system.windows.forms jitDebugging="true" />
</configuration>

When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.
-------------------------------------------------------------------------------------------------------------------------------

What I to troubleshooting

Now open up gpedit.msc on the problematic server.

User Configuration
Administrative Templates
System
Group Policy

Change the following policy

"Group Policy domain controller selection"

Enable this and set it to use "Use any available domain controller"

Close gpedit.msc and run gpupdate /force

And I still have the same error

----------------------------------------------------------

Can someone help me on this?

Hi Guys,

I have noticed that although this particular client is in an OU that should push out a computer policy that is Link Enabled on the OU when I run gpresult /r I do not see the GPO in the list of Applied Group Policy Objects, however, when I run the Group Policy Modelling Wizard for this specific client machine I see the GPO present in the GROUP POLICY OBJECT > Applied GPOs section of the results.

My questions is why when I do a gpresult /r on the client machine does it not show the GPO when it seems as if it does get applied when I run the Wizard.

Confusing??? Has anyone seen this before and does anyone have an explanation?

Any help or guidance would be greatly appreciated.

Regards.

I've got a group policy issue I can't figure out. I've got some users that have a laptop and also have access to our RDS servers. For RDS we have some user settings that prohibit the use of the power button and the network features are disabled. The problem is those users need those options for the laptop. Since these are user based group policy options it does it no matter which device they log into.

Is there an easy fix for this issue?

Thanks

Hello!

Have a task to install Windows SNMP service to a lot of my servers at once. Can i use Group Policy for this task?

Can i install Windows Feature to a lot of my servers via Group Policy? Can i configure this feature with GP? For example SNMP Security and other service option.

Thank you!

I am having trouble with getting a particular GPO to apply to a particular user account. I have created a folder redirection policy that redirects the desktop to a network location that the user has permission to.  The settings are:

The policy never seems to apply, and a GPResult on a client computer does not return this in the list of applied GPOs.

I ran a GP modeling query in GPMC and it shows that the policy should be applied to the user. However, if I run the same query in GP Results in GPMC it does not appear in the list of applied or denied GPOs. There are no other policies applied that perform redirection for the desktop, although there is another redirection policy in place for the documents folder.

When I run a GPUpdate /force when logged in as the affected user, I get the message that a folder redirection policy has been detected and this can only be applied with a logoff. I agree to the logoff but when I log back in I get the same result - no redirection and a subsequent GPUpdate /force gives me the same message again.

I applied another GPO to make sure that Fast Logon is disabled so that this will process policy synchronously. I can see via GPResult that this policy applied, but it has made no difference and the redirection policy still won't apply.

Affected client computers and my management workstation are both on Windows 8.1. Please let me know if you have any thoughts on why this may be happening or what else I can do to troubleshoot. Thanks!

Hi!

I set this query : Select * from CIM_DataFile where Name='C:\\Program Files\\bginfo\\startup_template.bgi' and LastModified='20100810145110.821214+120' in a WMI Query targeting. It's working fine but I would like to replace c:\\program files with the variable"programfilesdir". I've tried different syntax with no success.

Thanks for your help

Chris

Hi,

In our setup we had created three map drives through file server.

Users are login through active directory in system.

(1) User specific Map Drive 

(2) Department specific Map Drive (which shared for the departments IT, HR, Account)

(3) Common department map drive (which shared on the all the departments internal)

Now the issue users are remove the map drive from the system. Like right click and remove the map drive. Due to that issue we want to map the drive again. Is any way group policy or registry setting that we can permanent store the map drive in system.

If possible then please provide the suggestion.

Thank you in Advance.

Pravin Mori   

We have setup group policy on Windows 2012 Server to update all computers (Windows 10) to set homepage to a specific URL.

My 2 issues are:

1. The policy only works with Computer Configuration & not with User Configuration.
2. The Homepage opens on logon and or when we open Google Chrome. However, if we open a 2^nd Chrome window the Homepage does not open. If we close all the chrome windows and open chrome again the Homepage opens correctly – What I need is whenever user opens a chrome window be it 1^st 2^nd or 3^rd “window” the homepage URL must open in the 1^st tab.

The settings on both Computer & User Configuration policies are identical however the policy only applies to Computers and never for users

The Computer Configuration below

The User Configuration below

on the same machine i have 2 users one of them apply all group polices without any issue and the other one there is no policy applied for him.

i don't know why and how, the cause is computer or user ???

this the GPRESULT /R for both of them:

user how aplied all policies without any issue:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>gpresult /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 05/15/2019 at 00:36:58


RSOP data for domain\a.maher on ELF-LAP006-MRK : Logging Mode
---------------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  6.1.7601
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\a.maher
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=ELF-LAP006-MRK,OU=PCs,OU=MARKETING,OU=HEAD OFFICE,OU=Domain.LOCAL,DC=ELF
ALEH,DC=LOCAL
    Last time Group Policy was applied: 05/15/2019 at 00:20:13
    Group Policy was applied from:      Domain-DC4.DOMAIN.LOCAL
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DOMAIN
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        CERTIFICATE
        FireWall
        USB
        FireWall
        Default Domain Controllers Policy
        DirectAccess Server Settings
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        CONTROL PANEL
            Filtering:  Disabled (GPO)

        DirectAccess Client Settings
            Filtering:  Denied (WMI Filter)
            WMI Filter: DirectAccess - Laptop only WMI filter

        Remote Desk Top
            Filtering:  Disabled (GPO)

        DirectAccess Client Settings
            Filtering:  Denied (WMI Filter)
            WMI Filter: DirectAccess - Laptop only WMI filter

        Print
            Filtering:  Disabled (GPO)

        Default Domain Policy
            Filtering:  Disabled (Link)

        Print
            Filtering:  Disabled (GPO)

        Client Push
            Filtering:  Disabled (Link)

        Driver MAP
            Filtering:  Disabled (GPO)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        ELF-LAP006-MRK$
        Domain Computers
        Authentication authority asserted identity
        System Mandatory Level


USER SETTINGS
--------------
    CN=Ahmed Maher,OU=Admin Accounts,DC=DOMAIN,DC=LOCAL
    Last time Group Policy was applied: 05/15/2019 at 00:25:28
    Group Policy was applied from:      DOMAIN-DC4.DOMAIN.LOCAL
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DOMAIN
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Remote Desk Top
        CERTIFICATE
        INTERNET POLICY
        Driver MAP
        Print

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        DirectAccess Client Settings
            Filtering:  Disabled (GPO)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        FireWall
            Filtering:  Disabled (GPO)

        DirectAccess Server Settings
            Filtering:  Disabled (GPO)

    The user is a part of the following security groups
    ---------------------------------------------------
        Enterprise Admins
        Everyone
        Remote Desktop Users
        BUILTIN\Users
        BUILTIN\Administrators
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Domain Admins
        SCCM_ADMINS
        Authentication authority asserted identity
        Denied RODC Password Replication Group
        High Mandatory Level

==================

User have issues to apply any policy:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\abdelbaset>gpresult /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 15-05-2019 at 12:37:22 AM


RSOP data for DOMAIN\abdelbaset on ELF-LAP006-MRK : Logging Mode
------------------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  6.1.7601
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\abdelbaset
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=Mahmoud AbdelBaset,OU=USERS,OU=MARKETING,OU=HEAD OFFICE,OU=DOMAIN.LOCAL,
DC=DOMAIN,DC=LOCAL
    Last time Group Policy was applied: 15-05-2019 at 12:20:34 AM
    Group Policy was applied from:      ELFALEH-DC4.DOMAIN.LOCAL
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DOMAIN
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Remote Desk Top
        CERTIFICATE
        CONTROL PANEL
        Print
        USB
        Default Domain Controllers Policy
        Driver MAP
        Print

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        FireWall
            Filtering:  Disabled (GPO)

        DirectAccess Client Settings
            Filtering:  Disabled (GPO)

        DirectAccess Client Settings
            Filtering:  Disabled (GPO)

        Default Domain Policy
            Filtering:  Disabled (Link)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        FireWall
            Filtering:  Disabled (GPO)

        DirectAccess Server Settings
            Filtering:  Disabled (GPO)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        ERP Remote
        Markting
        Authentication authority asserted identity
        Medium Mandatory Level

====================

first one is Administrator

second one is just Domain users

this issue existing with alot of usres PCs specially windows 7

Hi, Guys.

I recently created a antimalware policy in SCCM to temporarily disable SCEP/AV client in a server. It has been a week now since I deployed such policy but it hasn't taken effect yet. 

In the SCEP client on the server, I can't still manage it and the Real Time protection is still locked down/greyed out. And there is a message stating "For you protection, some settings are managed by your security administrator".

Could there be any other policy that manages it other than SCEP in SCCM? Can SCEP be managed by a GPO policy? If so, how is it? and how to find it via GPO? 

Thank you.

Hello dear gurus

Would like to ask you to help me to find a way to control "Block all incoming connections, including those in the list of allowed programs."section in Domain Network of Firewall via GPO

I control local Firewall settings of all my servers via GPO, but only "Block all incoming connections, including those in the list of allowed programs." stays unmanaged. 

I just want this check box to be grayed out too but cannot find a way to do this through GPO

I've deployed 3 printers via Group Policy and from the server I've set their default colour to be black and white.

Despite this. When I then check a client machine that has now installed this, their has switched to Auto Color

I've deleted said printer from my laptop and let Group Policy re-add it. Makes no difference. When I then check the settings again, it's still set to Auto Color despite the drivers on the server being set to Gray Scale.

Anyone got any ideas what is going on?

We have a domain environment, and we push out global settings via GPO to Windows 10 (and some Windows 7) machines.
GPO's specific to preventing the viewing or changing of network connection/adapter properties work as expected for users that are not Local Administrators on their machines.

Some of our users (ie developers) MUST have local admin rights on their machines due to some of our software requirements. 
Since Windows 7, Local Admins have access to view/change network settings/properties by default, regardless of any GPO being enforced.

Does anyone know whether any "new" functionality has been introduced since, which will allow us to prevent local admins from being able to view/change network adapter settings?... Or another way in which this could be enforced?
If not by group policy, maybe registry?

We ideally want to start preventing local admins from being able to view or change IP/DNS settings etc.

Unfortunately, not having these users as Local Admins is not an option for us.

Is there maybe an updated or equivalent GPO to the following which works with Windows 7 and above?:

User Configuration -> Administrative Templates ->
Network -> Network Connections -> "Enable Windows 2000 Network Connections settings for Administrators"

I created a user preference to show file extensions, using the registry.

The registry shows the setting is correctly configured -- HideFileExt = 1, but after running gpupdate /force, Windows Explorer does not show the file extensions, nor does it show in the view options.

I do have the registry setting running in the user's context, and item-level targeting for now to a specific computer group.

This is just one of several registry preferences that appears to be getting set, I can see the registry entry in regedit, but not applying or showing itself to apply.

Why would this happen??