Channel: Group Policy forum

anonymous proxy setting

I am receiving notice that I have anonymous proxy setting keeping me from Hulu and Netflix. How do I get this removed?

Win10 1809 VM -- no group policies will apply, why??


I have a test VM of Win10 1809 within its own OU, 'Testing Computers.'

The computer itself is joined to the domain but is logged in for now with the local administrator account.

Some group policies are linked to only this OU and they don't apply.

Some group policies are linked to this OU *and* to the 'Domain Workstations' OU, which includes all our other Windows 7 PCs, notebooks, etc.

GPOs applied to the 'Domain Workstations' OU do apply as expected but not to the one computer in 'Testing Computers' OU.

The security group 'Domain Computers' has been given 'Read' permissions on all our GPOs in Delegation.

All our GPOs contain only 'Authenticated Users' in Security Filtering, the 'Testing Computers' OU is on the Scope tab.

No WMI filters are used, the Win10 VM has been activated with a MAK key and rebooted after being changed back to DHCP.

I've reviewed the '10 steps' for group policy troubleshooting and can't find that I've done anything wrong.

The Win10 1809 adml/admx files have been installed into the Central Store.

The domain controllers are Windows Server 2016.

Why are GPOs not applying?? Running gpresult /h /f on the computer gives me a report that says no GPOs are applying.




Start Layout and XML Editor

I created a start layout for users. In doing so an xml file was created by windows. According to the text.

I need to add "<DefaultLayoutOverride>" element to my xml file. It seems the file I created needs to be edited. I have tried XML Notepad, Notepad++ and Notepad. The xml file that was created either will not open or the text is unreadable and I cannot edit.

LINK HERE: https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout

Please help.

Scheduled Task as Domain Admin via GPO.


I'm currently working on a logon script that writes to the Event Viewer on the DC. Since logon scripts run as the user that just logged in, this only works for Domain Admins and other accounts that have permission to write to the event log. To work around this, I've changed to a scheduled task that runs the script at logon, but I can only run the script as a local user.

How could I go around this? I'd really like to avoid giving permissions to the domain users.

To give you further information, the script is a batch file that returns the hostname and the active session id and username and then passes those values as parameters to a PS script that writes them into the event log.

This Operation has been Cancelled error when launching application


Hello,

I have a Windows 2012 R2 server that I manage. It is a Citrix XenApp server (I have asked the same question in the Citrix forums), but it is a Windows component that is giving me the grief.

When users launch an application they are getting a message stating that 'This operation has been cancelled due to restrictions in effect on this computer'. I believe I am very proficient in the way GPO works, but just cannot find out what the policy that is applied that is causing this issue. This only applies to normal users, not admins. Admins don't have any policies applied to them.

I have run procmon whilst one of the users with the issue & cannot see anything that is causing an issue.

All of the results that I can find on the internet relate to Outlook & resetting Internet Explorer. This is a fresh profile every time a user logs in.

Thanks,

Matt

Block client-to-client SMB - Windows Firewall with Exclusions


This pains me to ask but I need assistance setting up a Group Policy to block client-to-client SMB traffic with a small list of exclusions. I can't seem to get this set up correctly. We can block all traffic over the ports below but can't seem to find a way to exclude specific subnets. My idea is to use Windows Firewall to complete this task.

Action: Block
Traffic: Inbound
Scope: All
Exclusions: ~15 subnets
Ports: 445, 139

The idea is to apply this policy to all client devices (non-server) to block all inbound SMB traffic to them. We do not support localized client shares. There are about 15 or so subnets that should be allowed, placed on an exception list.

The only successful way that I found to do this is to specifically block all other subnets (~700 subnets) that we do not want to allow and keep the default action of the profile to "allow". If it has to be done this way, does anyone know of an easy way to bulk add subnets to group policy/domain firewall?
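
Added example, not part of the original post: with the profile default left at "allow", the block rule's remote scope can be computed as the complement of the allowed subnets, which yields at most one more range than there are allowed subnets instead of roughly 700 entries. It assumes IPv4 only and that the firewall rule's remote-address field accepts "start-end" ranges; the subnets shown are constructed samples, and `blocked_ranges` and `is_blocked` are hypothetical helper names.

```python
import ipaddress

# Constructed sample standing in for the ~15 allowed subnets (not from the post).
ALLOWED_SUBNETS = ["10.10.0.0/24", "10.10.1.0/24", "10.20.0.0/16", "192.168.50.0/26"]


def _fmt(start, end):
    """Format an integer pair as a single address or a 'start-end' range."""
    a, b = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return str(a) if a == b else f"{a}-{b}"


def blocked_ranges(allowed, space="0.0.0.0/0"):
    """Return range strings for every IPv4 address in `space`
    that is not inside one of the `allowed` subnets."""
    space = ipaddress.IPv4Network(space)
    nets = [ipaddress.IPv4Network(n) for n in allowed]  # rejects host bits set
    for net in nets:
        if not net.subnet_of(space):
            raise ValueError(f"{net} is outside {space}")
    # Merge overlapping/adjacent subnets, then walk them in address order.
    merged = sorted(ipaddress.collapse_addresses(nets))
    gaps = []
    cursor = int(space.network_address)
    last = int(space.broadcast_address)
    for net in merged:
        first = int(net.network_address)
        if first > cursor:
            gaps.append((cursor, first - 1))  # addresses before this subnet
        cursor = int(net.broadcast_address) + 1
    if cursor <= last:
        gaps.append((cursor, last))  # tail after the final allowed subnet
    return [_fmt(a, b) for a, b in gaps]


def is_blocked(address, ranges):
    """Check one source address against the generated ranges."""
    ip = ipaddress.IPv4Address(address)
    for r in ranges:
        lo, _, hi = r.partition("-")
        if ipaddress.IPv4Address(lo) <= ip <= ipaddress.IPv4Address(hi or lo):
            return True
    return False


if __name__ == "__main__":
    ranges = blocked_ranges(ALLOWED_SUBNETS)
    # Comma-separated list to paste into the block rule's remote-address scope.
    print(",".join(ranges))
    # Spot-check both sides of a boundary before deploying the rule.
    print(is_blocked("192.168.50.63", ranges), is_blocked("192.168.50.64", ranges))
```

Spot-checking a few boundary addresses with `is_blocked` before the rule is linked catches a mistyped mask in the allow list.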

Group Policy with specific Security groups under Security Filtering.


Dear Community,

I am currently testing Group Policy with some specific small things as testing how and why things are not working accordingly.

I have read a few forums and also posts by Microsoft:

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-072

https://social.technet.microsoft.com/Forums/windows/en-US/38b554c4-069c-44fb-9c1c-ae7d6e00e3bc/security-filtering-on-users-or-groups-are-inaccessible?forum=winserverGP

https://support.microsoft.com/en-us/help/3163622/ms16-072-security-update-for-group-policy-june-14-2016

https://support.microsoft.com/en-us/help/3159398/ms16-072-description-of-the-security-update-for-group-policy-june-14-2

But to my despair none of these work.

My environment is very very simple and is just for testing purposes.

I have a VM running Windows Server 2016 Datacenter assigned roles are DC and DNS.

I have two VMs running Windows 10 Pro.

I have two users: Test1 and GPO1

I have a specific OU created named TestGPO where I put all the security groups in. I use this for the purpose of maintaining an overview of which users or computers are assigned to those specific security groups to be using in conjunction with specific 

Group policy settings I am testing are the basic and simplistic things.

One of them is the Power settings. I have set this under: User Configuration - Preferences - Control Panel Settings and chosen Power Options. Add a new Power Plan and set the action on Update - Power settings set on High Performance and ticked "Set as the Active Power Plan". In the Common tab I have ticked "Run in logged-on user's security context (user policy option)" and I also have tried this with ticking on "item-level targeting" and set target to the specific Security Group.

After running gpupdate /force, 1: the group policy was not being added to the specific computer/user assigned to the specific security group (I changed from user to computer to see which it would apply to). Running RSOP I also concluded that the GPO was not being assigned either by adding a Computer or User to the specific security group.

I have added the GPO named Power Settings to the TESTGPO OU and this still did not work even though the computer or user was added under that OU within a Specific Security Group.

Before people start asking but did you assign the Specific Security group to the Security filter and delegation. Answer: Yes I did. I first added the Security group to the delegation and gave it the "Read + Apply Group Policy" rights. Keep in mind that authenticated user has the same rights. I have tried with + without removing the authenticated user group (from the delegation pane + the scope pane under security filtering).

I know I am not the only one experiencing this problem and Microsoft posted some help, but what they are suggesting did not help my case.

Did someone else figure out why Security Groups under Security Filtering do not quite work as predicted?

Stated by MS as a solution:

Resolution

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:
  • Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
  • If you are using security filtering, add the Domain Computers group with read permission.

I have tried both but this did not help even when the Computer is added to the GPO with Read + Apply Group Policy.


GPO Replication Bad


I have (2) new 2016 domain controllers.  One has DNS and one does not.
I have an existing 2012 domain controller.
GPO is not replicating from the 2012 to 2016 servers.

gpupdate /force works fine on the 2012 server but I am getting the following errors on the 2016 servers.

The processing of Group Policy failed. Windows attempted to read the file \\xxxxx.prv\SysVol\xxxxxxxx\Policies\{97650F49-8D70-4E2B-B335-1AFAC7C59F87}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

I have verified that I can ping the server names from each other.
I have also checked out a Health Report in DFS and not gotten any replication errors.

I see this Policy on the 2012 server but not in \\domainname\sysvol.

Can I just copy and paste it into the \\domainname\sysvol folder?

Thanks in advance for your help.




Windows 10 "Engaged Restart Transition" GPO and Feature Updates Behavior


We are trying to transition to a GPO/Windows Update for Business based update model, but I am frustrated with the behavior of the Feature Updates with the GPO "Specify engaged restart transition and notification schedule for updates." I have the following configured:

-Specify the timing before transitioning from Auto-restart to Engaged restart (pending user schedule): 7 days

-Specify snooze for Engaged restart reminder notifications: 1 day

-Specify the deadline before a pending restart will automatically be executed outside of active hours: 14 days

For the normal monthly/security updates, this behaves as expected, and it's great.


However, for the "Feature Updates" it doesn't seem to respect the "deadline", and computers will be perpetually waiting (far past 14 days) for the user to manually run the Feature Update. Is this normal behavior? Do Feature Updates not follow the same "deadline" as quality/security updates and never install automatically? Is there a way to force the Feature Updates to install while still maintaining the control/user friendliness of the "engaged restart" GPO?





Group Policy Management


I connected to synology AD via rsat tools for windows 10 ( www.youtube.com/watch?v=7EIO-nEIAY4 ) but I have a problem with the message "A Processing error occurs with the use of this domain controller." the base domain controller and try again." support.microsoft.com/en-us/help/2979923/processing-error-occurred-when-you-detect-status-of-active-directory-i I do not understand what to enter in "HKLM \ SYSTEM \ CurrentControlSet \ Services \ Tcpip \ Parameters \ Hostname."

Is the KB2975719 patch for Windows 8.1 I need for Windows 10.



Group policy delay


Hi

After joining a workstation to our domain, it takes nearly 20 seconds to load the welcome page to enter the user and password.

Please give me a hand to fix the issue.

* We do not have roaming profiles.

GPO to remove shut down/restart issue


I have a GPO to remove the shutdown/restart options on Server 2016. It works fine on member servers, but it does not work on DCs. I know this is probably a permissions issue but I am wary of making changes without checking with others who may have had to do this themselves.

The GPO was introduced when we deployed 2012 servers because the layout of the power options made it too easy for someone in a hurry to restart or shut down a server. I created another GPO to do the same, just using a different WMI filter when we started to install 2016. We are in the process of upgrading the domain to 2016 and need to make sure the option to accidentally shut down a DC is removed.

Anyone encountered this issue and, more importantly, have a solution to it?

Problem getting GPO to apply to anything besides one group


At my organization we have 3 account types: regular user accounts, Domain admin accounts, and corporate only accounts. In AD we have it broken by account type (Location>Computers, Groups, or Users). Each account has a security group to go along with it of course: Domain user group, Domain admin group, and corporate user group. Recently we've decided to do away with corporate accounts and simply put user accounts in the corporate user security group. In the corporate environment we've spun up a file server and set it to be mapped to users who A) are members of the corporate users group and B) whose computer is a part of the corporate computers group. When we created the GPO (we linked it to our corporate section>users>heading in GPM) to accomplish this we used user configuration>preferences>windows settings>drive maps and we specified the 2 rules to be what I mentioned before. The problem is the drive is only mapped on our corporate accounts and not the standard accounts that are part of the corporate user group even though we have the targeted items to be the groups themselves. What would be the fix? I've tried linking the object to our desktop group or just the corporate group in itself without any headings but still get the same result.

Security Filtering has: User-A users, User-B users, Group A computers, Domain Admins, Authenticated Users.

To simplify it: 

Group A with Security Group A has accounts named "User-A"

Group B with Security Group B has accounts named "User-B"

Group C with Security Group C has accounts named "User-C"

I've instructed GP to map drives for all users of Security Group A and User-B members that are members of Security Group A.

The drive mapping only works for User-A users and not User-B users that are part of Security Group A.



Restricted Number of Enable Account Unlock

Dear Forum, I am working on group policies to do account unlock. We have allowed automatic account unlock for 30 minutes, but I am looking for an option where we can allow a default account to be unlocked 2 times and then let it lock the account forever until we manually unlock it again. Please kindly advise if there is any setting we can use for that or whether we need a tool or script. Thanks

Sokneang SAM

GPO issue

Hi,

I'm facing this kind of error when I run GPUPDATE /force at the command prompt when trying to update our workstation.

C:\WINDOWS\system32>gpupdate /force
Updating policy...

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\nta-monitor.ad.nta-monitor.com\SysVol\nta-monitor.ad.nta-monitor.com\Policies\{0A4D357F-E028-4E90-9A99-028DFBEDCFBA}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\nta-monitor.ad.nta-monitor.com\SysVol\nta-monitor.ad.nta-monitor.com\Policies\{0A4D357F-E028-4E90-9A99-028DFBEDCFBA}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Any solution to fix it? I tried to check the solutions online; unfortunately it's not the same case as mine.

Please advise.

how disable add account to mail with GPO


Hi

I cannot find any article to show me how to disable "add account to mail" with GPO.

I want to disable all except Exchange.

Thanks


How to change the permissions of the registry key permissions on the GPO to HKCU(HKEY_CURRENT_USER)


From Group Policy I can set registry key permissions for HKEY_LOCAL_MACHINE,
(Group Policy Management Editor - Computer Configuration - Policies - Windows Settings - Security Settings - Registry - Add Key...)

but Group policy cannot set registry key permission for HKEY_CURRENT_USER.
(Group Policy Management Editor - Computer Configuration - Policies - Windows Settings - Security Settings - Registry - Add Key...
Only HKEY_LOCAL_MACHINE & HKEY_USERS... Not HKEY_CURRENT_USER)

I want to change the permissions of registry key permission for HKEY_CURRENT_USER in the GPO.

you will be kind enough if you help me.

How to uninstall Snip and Sketch from multiple W10 workstations by using Active Directory Domain Controller.

We have an Active Directory Domain Controller set up in our organization. The number of workstations is approximately 300.
There is an urgency to restrict users from taking any kind of screenshots by any means. We were successfully able to do that until the new option "Screen snip" at Action Center.

We have to allow the "Action Center" for other reason but have to restrict the users to get the access to "Screen snip" from there. We have to do this centrally from the Domain Controller to ease the load of this task. 
We also have to restrict users to use the keyboard shortcut "Windows+Shift+S" as well to get access to this Snip and Sketch tool. We have tried our best but did not find any convenient way for doing that. 

Is it possible to uninstall the "Snip and Sketch" by implementing some GPO or by any other ways centrally from Domain Controller?  

AGPM Failed to generate a HTML GPO settings report


Hello,

We are currently using AGPM v4 SP3 on a Windows 2012 R2 member server in our domain. Currently one of our policies has an error when attempting to view the settings/GPO history in HTML; the error is:

 Failed to generate a HTML GPO settings report.

The following error occurred:
Extension functions cannot return null values.
System.Xml.Xsl.XslTransformException (80131942)

The HTML file that is created is cut short at the same place every time in Computer Configuration/Policies/Administrative Templates/Windows Components/App Privacy as can be seen in the image below : 

In Windows 10 Build 1607 the AppPrivacy ADMX changed some formatting which I believe caused this issue when added to our policies. We've only just seen this issue as we've not needed to make many changes to this GPO till now (version history https://blogs.technet.microsoft.com/grouppolicy/2016/10/12/admx-version-history/). The settings are:


Could someone please test this? Is this a known issue? (I couldn't find anything similar on Google / this forum)

Thank you,

Chris




Group policy not applying for users on TS


rsop /results  says "The RSoP snap-in was unable to generate the computer's data due to insufficient permissions" When Rsop does pop up nothing is shown in user config. (Only for users)

When I run gpresult /r for all users it shows no applied group policies 

We do have a logon banner that appears before logon that is generated from GP, but if I edit that policy to prevent users deleting icons on the desktop it doesn't work.
