Channel: Group Policy forum

Where to get ADMX templates - 1903?


Hi All,

Successfully downloaded the brand new Windows 10 (1903) and want to deploy and poke around in the GPO options in my LAB.

But...

I can't find a download link to the ADMX templates?

Where do we get the ADMX templates for 1903 from to load into PolicyDefinitions?

Thanks in advance,

durrie.


GPO WMI Filter for laptops


Hi,

We were formerly using Win32_Battery to find mobile devices, but this has become a problem when desktop computers are connected to a UPS. The desktops are being wrongly identified as mobile devices and then mobile device policies are being applied to them.

I created a GPO with a WMI Filter:

Namespace: root\CIMv2
Query:  select * from Win32_SystemEnclosure where ChassisTypes = "{8}" or ChassisTypes = "{9}" or ChassisTypes = "{10}" or ChassisTypes = "{11}" or ChassisTypes = "{12}" or ChassisTypes ="{14}" or ChassisTypes = "{18}" or ChassisTypes = "{21}"

Although the WMI query examples that I have seen do not use { } in the query, when I used it without { }, I did not see the new GP applied to my test device. When I use PowerShell to get the ChassisTypes for my test device, it returns {9}. WMIC also returns {9}.

The status right now is that the new GP is not being applied with either version of the query above (with/without {}). What do I need to do to get a GPO to apply to mobile devices?

Applied GPO doesn't work


Hi there!

I have the following GPO, which is supposed to install a printer:

When I log on to an affected system and check the applied GPOs via...

GPRESULT /USER MYUSER /R

...I can also find the GPO:

What I can not find is the printer. However, if I enter the path to the printer in "Run", I have it immediately.

What did I do wrong?

Domain Administrator unable to edit GPO


I am running a 2016 domain. I am unable to edit GPOs.  Just a few weeks ago I was able to edit them with no problems. Now I get the following error

This is happening with all of my GPOs, not just one.  I can navigate to the Windows\SYSVOL\domain\Policies folder and open any of the GPO folders with no problem.

I have fixed this problem once by changing permissions of the Sysvol folder to full control for the domain administrator.  That fixed the problem.  Now the problem is back and the permissions for the Sysvol folder are still set to full control for the domain administrator.  I tried it directly from the server and using the remote admin tools.  The only GPO that I can edit is the default Domain.  I have 12 different GPOs set up for different things.

Update Putty GPO

Hi, I have a question: I need to UPDATE Putty (already installed) through my network, and I want to use GPO.
Is it possible?
I've tried to use replace file, but when I run "wmic", the result is still the old installed version; it only replaced the putty.exe file.
Can't use SCCM.

GPO - Delete User Profiles after X Days


What are the criteria that the user profile service looks at before deleting a profile on reboot?

I had an issue where a user stayed logged in for an extended amount of days without logging off and his computer rebooted. Upon logon again, he was given a completely new profile and the old profile was deleted.

I am looking for what exactly is being queried to see if a profile should be deleted.

screen saver issues via GPO


Hi,

We currently have a GPO created as we want to disable a few systems where the screen saver does not appear on the screen and prompt for a password each time after 20 minutes. These are windows 10 computers.

I created a GPO to disable "Enable screen saver" and disable "Password protect the screen saver", and the screen saver timeout is set to 0 seconds.

The issue is the GPO looks to be applying to the machine as I can see the password protect timeout is set to 0 but the system screen saver comes on and after I hit any key on the keyboard I have to type in the password. The system is getting the correct GPO but not sure exactly what I am doing wrong.

The GPO string is User configuration> Policies> Administrative Templates> Control Panel/Personalization

Hope someone can help me understand why this keeps happening.

IPSec - GPO

Good Morning All!

Background. My company has A LOT of internal domains/forests. Long story short, we're consolidating them all down to a single domain.

I have the honor of spinning up the brand new domain/forest that we're going to consolidate into. I have complete control of its design and implementation. I'm really quite excited about it. As a part of spinning this up, I've opted to implement IPSec between domain controllers for a variety of reasons.

The last time I dealt with IPSec was back in my 2008 R2 days. Back then, IPSec was implemented via GPO in the following location: Computer Configuration > Policies > Windows Settings > Security Settings > IP Security Policies on Active Directory

This location exists now, in Server 2019, and when I go to configure it, SHA2 as an encryption algorithm is not an option. Just DES and 3DES.

Googling has yielded that IPSec using SHA2 can be accomplished through the Windows Defender Firewall with Advanced Security. The problem with this solution is: for good or ill, Windows Firewall on all internal assets is disabled and will not be changed. Considering this, and without testing, I don't think IPSec configured in this way will work.

Is there any way to add SHA2 support for the older method of implementing IPSec?

dll that needs to be saved and registered on every client once


I have a dll that needs to be saved and registered on every client once (20 computers).

How can this be done? Do you have a step by step?

I read this can be done by adding a file under Computer Configuration > Windows Settings > Security Settings > File System


Roaming profiles


Hi all,

I want to implement a new roaming GPO, but I have a question about (enable roaming on primary computer).

If I assign groups in the primary computer attribute on the domain (msDS-PrimaryComputer), that means the same user will have more than one primary computer; this will affect the roaming GPO.

I work in a company that has a lot of users who also work in shifts and use every computer, and I'm planning to delete profiles on computers that are not the user's primary computer (the main case is that my PCs' storage is full and I need roaming at the same time).

Restrict user to save file on desktop, documents, etc.


Dear Support,

Please guide us to restrict users from saving files to desktop, documents and other folders through group policy.

Regards,

Itsupport

Remote Group Policy Update Result-The remote procedure call was cancelled.

Installed AWS Microsoft AD & OpenVPN in the Ireland region in the same VPC. Integrated OpenVPN and Microsoft AD. I have connected to OpenVPN from my laptop in order to add my laptop to the Microsoft AD domain. My laptop was added to the domain successfully. Later I tried to push a sample GPO to my laptop from the Windows server (AD client) where I have configured Microsoft AD to access the AD domain. I have turned off antiviruses, opened all traffic firewalls, turned on firewalls etc. (from AD and everywhere), but no use; still the same error. Need help on this.

WMI filter/security filter for non-TPM computers GPO


Hi

I'm sitting with a dilemma.  We have about 1500 computers on the network and about 500 of them have no TPMs (models e.g. HP 4540s, HP 450 G0, HP 450 G1 to name a few).  I have a WMI filter on the TPM GPO that works 100%.  The non-TPM computers show access denied to this GPO when you do a "gpresult /r".

Non-TPM computers use: Recovery Key backed up to AD (Numerical Password) and Password (e.g. "P@ssw0rd").

TPM computers use: Recovery Key backed up to AD (Numerical Password) and TPM.

The TPM computers, however, start with the wrong GPO.  90% of the time, the TPM computers start encrypting with the non-TPM GPO.  I have been looking at WMI filters and still failing.

One example is: "SELECT * FROM Win32_SystemDriver where NOT Caption LIKE 'Trusted Platform%' ".

I need a WMI filter or PowerShell script to test for TPM presence (e.g. "(Get-Tpm).TpmPresent") and then NOT apply to the TPM group if the TPM is not present.

Thanks in advance.

Regards,

Shorty

GPO icon with replace create new icon


Hi,

I have desktop icons created by GPO; some icons are configured as Replace, some as Update, and they are set as system object to run C:\Program Files\Internet Explorer\iexplorer.exe for specific www sites.
Now I would like to edit these shortcuts to open in the default browser instead of Internet Explorer, so I changed them to URL and saved.
Now the problem is that these new icons appear as new ones instead of replacing the previous ones. So I have every icon doubled.
How do I configure the existing icons to edit their properties, but not create new ones?

Local Group Policy Not Being Overwritten


I have about 30 workstations that require certain security standards. There are a few workstations that are not following the defined policy 100% (policies not being followed vary). You cannot modify it locally, so it knows there is a policy being applied, but it is not correct. gpresults shows a success with no issues. I moved the workstation into an OU with very few GPOs and then moved it back. It seemed to take effect for a few boots, but then returned to the incorrect policy. Perhaps I have a misunderstanding about Security Policies. Any help would be great. Thank you,


Policy Stop Working


I had GPO working nicely, but now they don't seem to apply.  The Group Policy Modelling Wizard gives the right results, but GPRESULT run from the users' account on the TS does not mention my policy objects in either the Applied or Denied sections.

As I said this was working perfectly - now suddenly stopped.  I've got nothing appearing in the event logs.  Running RSoP.MSC on the user's account does say

"The RSoP snap-in was unable to generate the computer's data due to insufficient permissions" 

But when I tried to run "GPRESULT /Z" it worked normally, and I can run RSoP.MSC on the user's account and I have the report again.

GPRESULT /Z: Displays all available information about Group Policy. This includes detailed settings that were applied with a precedence of 1 and higher.

My question is: how can policy be back to normal by using "Gpresult /Z"?



Is it possible to set up a GPO to allow non-admin users to install signed software?


Hi everyone,

I have a scenario where users could request the installation of some whitelisted software.

I was wondering if it's possible to sign that software, maybe using Microsoft SignTool, and allow installation using a GPO to verify the signature or certification.

Has anyone tried anything similar? 

Any thoughts?

Thanks in advance!

Samuel

Start Layout .xml


Ok so I have been working on this problem for almost two weeks now, I'm entry level and my boss is having me do this while he is busy upgrading some of our servers.  I've posted a few different questions here, and have gotten some answers, but after having worked on it for so long now I think I'll be able to pose my question better.

Currently we have two domains, a production domain and a development domain. The production domain is the one all our employees' computers and IP phones are on.  The dev domain is a somewhat replica of the production domain and it is our experimental environment.

I've been tasked with replicating the Group Policy of our production DC in our dev DC. I've gotten almost all of it, which has been quite the project because like I said it is a somewhat replica so I have had to alter some things to fit the dev environment.

Now this may not come as a surprise to you but the thing that has been giving me the most trouble has been dictating the Start Layout with group policy.  I have set up folder redirection to point to a list of apps, and I also have an xml file that I had exported on a test computer and used that on the DC.

The problem is this, when a new user logs into the computer, it doesn't load the xml file correctly. No matter how many gpupdate /force, restarts, etc. I do it doesn't matter, it won't load it. It has Notepad in one of the groups I have, and also all the apps in the taskbar that I have, but nothing else that is supposed to be there is there. 

But then if I add 1 line of white space onto the xml file and save that, then log off and log in on the test computer, boom the start layout looks exactly like it is supposed to. 

This happens with multiple different users, on multiple different test computers. They are all in the correct OU with the same policies being applied and the same permissions, I have removed all other polices to see if any are conflicting, and nothing.

I have scoured the internet over the past couple weeks, I have asked friends, I have posted here multiple times, I cannot find a solution to this problem. If anyone can think of a solution I will take any suggestion.

<LayoutModificationTemplate
	Version="1"
	xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
	xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
	xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
	xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"><LayoutOptions StartTileGroupCellWidth="6" /><DefaultLayoutOverride><StartLayoutCollection><defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"><start:Group Name="Applications" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"><start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="\\apr-dev-dc1\startmenus$\StartMenu\Latitude.lnk" /> <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="\\apr-dev-dc1\startmenus$\StartMenu\Internet Explorer.lnk" /></start:Group><start:Group Name="Microsoft Office" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"><start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="\\apr-dev-dc1\startmenus$\StartMenu\Outlook 2013.lnk" /><start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="\\apr-dev-dc1\startmenus$\StartMenu\Skype.lnk" /><start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationLinkPath="\\apr-dev-dc1\startmenus$\StartMenu\Excel 2013.lnk" />		  <start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationLinkPath="\\apr-dev-dc1\startmenus$\StartMenu\Word 2013.lnk" /></start:Group><start:Group Name="Tools" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"><start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="\\apr-dev-dc1\startmenus$\StartMenu\notepad.lnk" /><start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="\\apr-dev-dc1\startmenus$\StartMenu\Calculator.lnk" /><start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationLinkPath="\\apr-dev-dc1\startmenus$\StartMenu\Snippingtool.lnk" 
/></start:Group></defaultlayout:StartLayout></StartLayoutCollection></DefaultLayoutOverride><CustomTaskbarLayoutCollection PinListPlacement="Replace"><defaultlayout:TaskbarLayout><taskbar:TaskbarPinList><taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" /><taskbar:DesktopApp DesktopApplicationLinkPath="\\apr-dev-dc1\startmenus$\StartMenu\Internet Explorer.lnk" /><taskbar:DesktopApp DesktopApplicationLinkPath="\\apr-dev-dc1\startmenus$\StartMenu\CRM.website" /><taskbar:DesktopApp DesktopApplicationLinkPath="\\apr-dev-dc1\startmenus$\StartMenu\Sharepoint.website" /><taskbar:DesktopApp DesktopApplicationLinkPath="\\apr-dev-dc1\startmenus$\StartMenu\Report Manager.website" /><taskbar:DesktopApp DesktopApplicationLinkPath="\\apr-dev-dc1\startmenus$\StartMenu\Outlook 2013.lnk" /></taskbar:TaskbarPinList></defaultlayout:TaskbarLayout></CustomTaskbarLayoutCollection></LayoutModificationTemplate>

Internet Explorer Security Settings – Local Intranet Zone


Hi

IE Security Settings – Local Intranet Zone
ActiveX controls and plug-ins
1 Allow ActiveX Filtering
2 Display video and animation on a webpage that does not use external media player

Miscellaneous
3 Allow webpages to use restricted protocols for active content.

I cannot locate the three policies under “User/or Computer Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone/”

Can someone please advise?

GPO not working


Hi,

I want to remove all programs from the Start layout by using GPO. For that I have taken a backup of an empty Start layout and copied the XML file to the path, but it is not working. I also want to disable Windows Search by using GPO.

XML


Harsha
