Multiple instances of printers deployed through GPO
Start Menu and the Apps List
I am working on a Windows 2012 R2 server that is the DC for my network. The employees all use Windows 10 machines governed by Group Policy. We restrict what they see in their Start Menu as well as what is in their apps list. We updated a few computers to see how they would be affected, and while the Start Menu portion is showing the correct programs, the apps list next to that is now showing quite a few things that we don't want them to see. We have an .xml file on the server that determines what the start menu looks like, but that .xml file doesn't affect the apps list.
My question is this: How do I hide these new apps that are now in their apps list? I have scoured the internet for this answer and can find nothing. The only thing I can find is how to hide the apps list completely which I do not want to do.
Any suggestions?
Windows 10 Computer GPO not working but User GPO works fine.
Thank you for your input.
I'm attempting to deploy computer policy but am unable to. I am able to deploy user policy without issue.
Server 2012R2, Windows 10
I recently applied a GPO to a computer OU to schedule a task to have them shutdown at a specific time. I ensured to:
1. Link and enforce the policy at the specified computer OU.
2. Ensured the scope included Authenticated User, Domain Computers (ensured target computer is a member) and Domain Users and that all have Read and Apply Group Policy permissions.
3. Ensured the GPO Status was enabled.
4. Ensured that the computer was in the correct OU.
5. Ensured to create a GPO affecting the Computer Configuration not User Configuration.
However, when I run the Group Policy Modeling I receive the following error:
Group Policy Scheduled Tasks FailedGroup Policy Scheduled Tasks failed due to an error and failed to log Resultant Set of Policy information.
Additional information may have been logged. Review the application event log on the domain controller on which the simulation was run for events...
The event logs provides the following information:
Log Name: ApplicationSource: Group Policy Scheduled Tasks
Date: 2/4/2018 10:12:21 AM
Event ID: 8196
Task Category: (2)
Level: Error
Keywords: Classic
User: SYSTEM
Computer: ComputerName
Description:
The client-side extension caught the unhandled exception 'simulated execution of package to apply policy' inside: 'Access violation (0xc0000005) occurred at 0x86cd8c78; the memory at 0x000012e0 could not be read.' See trace file for more details.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Group Policy Scheduled Tasks" />
<EventID Qualifiers="34305">8196</EventID>
<Level>2</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2018-02-04T17:12:21.000000000Z" />
<EventRecordID>14937</EventRecordID>
<Channel>Application</Channel>
<Computer>ComputerName</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data>simulated execution of package to apply policy</Data>
<Data>Access violation (0xc0000005) occurred at 0x86cd8c78; the memory at 0x000012e0 could not be read.</Data>
</EventData>
</Event>
Running GPResult /R on a PC when policy is applied does not indicate policy was received.
Suggestions please.
Start Layout policy not reading XML file correctly
I'm using Group Policy to dictate what is on the Start Menu. I have enabled the Start Layout policy and linked and XML file that I exported from a test machine after I had configured that start menu the way I want it.
The problem is: the start menu isn't the way it's supposed to be. Some of the GP is working because I can't edit the start menu, but I'm not sure why it isn't correctly reading the XML file.
Any suggestions are quite welcome.
Thanks
AppLocker not preventing a service from running
Hello,
I'm new to implementing AppLocker. I do have it running with the default 'allow all' exe, packages, and installers. I can block packages like the "Network Speed Test" app that comes with Win10, and Valve/Steam applications. Those all seem to be working fine and appear in the eventviewer. However...
Next, I want to block a program from running as a service, for example the Chrome Remote Desktop service which gets installed as a service and has this path to executable in my computer:
"C:\Program Files (x86)\Google\Chrome Remote Desktop\76.0.3809.21\remoting_host.exe" --type=daemon --host-config="C:\ProgramData\Google\Chrome Remote Desktop\host.json"
So I go into my group policy and add a new EXE rule and deny the above remoteing_host.exe, even tried to make it more generic by not allowing the publisher. I do a GPUPDATE /FORCE. Then I see the service is still running. Try to restart the service and it stops/starts fine.
Why isn't it blocked from running? I dont even see it being logged in the event viewer as being allowed (or blocked) to run. Any tips on how to block the service?
Lock Screen GPO - multiple images
Hi
I found the following article regarding changing the lock screen to a specific image
https://docs.microsoft.com/en-us/windows/configuration/windows-spotlight
I have a few questions
- Instead of a single specific image, is there a way to have multiple lock screen images on rotation?
- Also based on the GPO, I would assume that all i need to do in order to change the lock screen image from one picture to another is to just change the picture file in the designated shared location?
Thanks for your time
Group Policy not automatically applying
Windows 10 Lock Screen GPO - Enterprise
Windows 10 GPO - Force a specific default lock screen image
First we copy all the necessary image files to C:\Windows\Web\Screen on all users computers - Policy then sets the lock screen image to the file located there
C:\Windows\Web\Screen\BackgroundDefault.jpg
The problem is that this only seems to apply once, if we change or replace the file then it does not update. This does not allow us to rotate the images as we have done in the past with previous versions of Windows.
Has anyone else experienced this/is there a solution? I know I have seen people who have come up with workarounds that essentially tell you to take ownership of the SystemData folder and basically just replace the files in there to 'force' it to update the images. However, this has never been a requirement before and it has always applied from the location specified in the GPO.
Bulk change of AD user passwords with Powershell script
Hi
I'm looking to reset in bulk AD user account passwords. I have this script:
# # Script: ResetPwd.ps1 # Description: Reset the password for bulk number of users, and # set the property to change passwrod required at next logon # # Written by: Anand Venkatachalapathy # Import-Module ActiveDirectory # Set the default password $password = ConvertTo-SecureString -AsPlainText “AwesomeP@ssw0rd” -Force # Get the list of accounts from the file on file # List the user names one per line $users = Get-Content -Path c:\MyScripts\UserList.txt ForEach ($user in $users) { # Set the default password for the current account Get-ADUser $user | Set-ADAccountPassword -NewPassword $password -Reset #If you need to set the property “Change password at next logon”, #leave the next alone. If not, comment the next line Get-ADUser $user | Set-AdUser -ChangePasswordAtLogon $true Write-Host “Password has been reset for the user: $user” } # ————- End ———–
Credit: http://anandthearchitect.com/2014/02/27/active-directory-bulk-user-password-reset-by-powershell/
This works, however it only lets me set each password to be the same. I'd like to have a second column in a source .csv which lists a unique password per user and have the script change the password as per the file. Can anyone assist with the necessary changes to the above? My experience with Powershell is very limited.
Any assistance is very much appreciated.
Paul
Problems with Wallpaper GPO
Hello.
I'm having some issues with the Wallpaper GPO in some terminals.
Scenario:
Server: Windows server 2012, completely updated.
Terminals: Windows 10 18362.
I make a copy of the wallpaper to a folder in the C of the machine, users have full permission to this folder.
I apply the GPO directed to this folder in C, so far everything is ok.
Some Windows 10 terminals are black, and do not apply to the GPO.
On these machines, I have already checked the permissions of the file, which are ok.
I also checked the HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System \ Wallpaper registry path that is directed to the correct folder and file, so that when I copy the path text and type in the run it normally opens.
I also checked the HKCU / Control Panel / Desktop \ Wallpaper registry, some machines were pointing to the path of the wallpaper in c, some were pointing to C: \ Windows \ web \ wallpaper \ Windows \ img0.jpg which is the image Windows 7 default, and in another it was pointing to C: \ Users \ gabriel.amaral \ AppData \ Roaming \ Microsoft \ Windows \ Themes \ TranscodedWallpaper that when I was running the file ia to the image file in the C folder.
I've tried manually putting the paths in the logs, but it did not work.
Would anyone have any tips?
Thank you!!
Multiple *.adml, *.opal files, why??
I downloaded and extracted the latest Office 2016/2019 admx files and corresponding adml files and opax/opal files.
I observed that now instead of one adml file, there's multiple numbered adml files. Same for the Office opal files.
e.g. access16.opal, access16.opal0, access16.opal1, access16.opal2, up to .opal9
e.g. access16.adml, access16.adml0, access16.adml1, access16.adml2, up to .adml9
Why is this?? What does this mean?? I assume all the adml files, numbered or not, should be put into the central store.
Also, where are opax/opal files installed??
Thank you, Tom
Deny USB storage on all systems - Allow USB storage for certain users
We have a Computer Config policy with 'All Removable Storage classes: Deny all access' enabled, this applies to the computers OU. This works as expected in that users are unable to use USB storage devices.
We also have a User Config policy with 'All Removable Storage classes: Deny all access' disabled, this applies to the users OU with security filtering on the 'USB-Allow' security group. This doesn't work as expected as members of said security group are unable to use USB storage devices.
I take it that Computer Config 'All Removable Storage classes: Deny all access' win over User Config 'All Removable Storage classes: Deny all access'?
How should we go about denying access to removable storage on ALL systems EXCEPT for certain users?
We want to disable removeable storage against the computer so it applies to both local and ADDS accounts.
Wallpaper group policy issues
Site added under a privacy tab of IE through GPO registry Not Showing in Sites Privacy Tab
I created the following GPO in Windows 2012r2, the registry setting and sites do get created. - However the Sites that are added to the registry don't get added to Internet Explorers Privacy Tab -Sites. - Even after a gpupdate /force.
Why don't the Sites show up in the Sites Privacy Tab example site introhive.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\introhive.com
and the key will be default and the DWORD value will be 1.
Outlook 2016 GPO Settings Not Being Applied
Hi All,
I am using Office 2016 downloaded via a Office 365 subscription. Operating in a Server 2012 R2 environment with Windows 8.1 client computers.
I am trying to setup a new GPO that will disable email alert notifications for all outlook users.
The setting in question is: software\policies\microsoft\office\16.0\outlook\preferences\newmaildesktopalerts
I have confirmed that the policy is being applied by checking gpresult /r and also the rsop.msc
I can see that the correct policy is applied and the correct settings are included in that policy via rsop.msc. No other policies are setup to conflict with these rules.
Any suggestions?
User group policy prevent addition of printers for one account and not all of them
Domain Administrator unable edit GPO
I am running a 2016 domain The I am unable to edit GPOs. Just a few weeks ago I was able to edit them with no problems. No I get the following error
This is happening will all of my GPOs not just one. I can navigate to the Windows\SYSVOL\domain\Policies folder and open any of the GPO folder with no problem.
Server 2008r2 upgrade to Server 2019 / are the new admx templates in central store?
Hey Guys
We have just upgraded our Domain controller from 2008r2 to 2019.
On 2008r2 we had a central store, that had legacy templates in it, I then added Windows 10 templates to it and chose "overwrite" for any that had the same name (windows\Sysvol\Domain\Policies\PolicyDefinitions) ...which has migrated over to 2019
My question is, now that the OS has been upgraded, how can I be sure that the templates for the Group Policy Management Editor are new?
I am concerned it is still reading from the old 2008r2 templates, as the graphics/icons look the same (old)? :
I would appreciate assistance please...thanks.
Group Policy to add network location
My client is having problem with Outlook dropout with PST files
PST are located on users home drive mapped as normal group policy
So H = \\server\share\%username%
PST listed as H:\Exchange\file.pst
This breaks outlook
f you setup a manual Add Network Location (windows 10) to \\server\share\%username%\Exchange and then reattach PST it shows as \\server\share\username\Exchange\file.pst rather that H:\Exchange\file.pst
Outlook now works fine
Regardless of the whys its easier to just try to have a GPO to replicate what Add network location does - can I do this ??
Ian Burnell, London (UK)
2008r2 upgraded to Server 2019/ GPP Scheduled task not showing option for Windows 10?
Hey Guys
We have recently upgraded our Domain controller from 2008r2 to Server 2019.
In group policy management editor, under GPP/ Scheduled tasks, I was expecting to see the option for Windows 10, but I only have the same options that I had for 2008r2 ?
Is this correct?