Channel: Group Policy forum

Group Policy & RSOP

Hi all, I am setting up a new proxy, and in the Group Policy of my test group I have set a certificate to be installed, and the proxy IP to be added to Internet Options. 

When I log into one of my test machines, I can see that the certificate has been installed, but the IP has not been amended. 

I have run RSOP, and when I check the User Config section, all I see is Software Settings, Windows Settings, and Administrative Templates, i.e. the Preferences section is hidden completely. Has anybody ever come across this before? It is in this section in GP that the proxy IP is set up, so I am thinking that this particular subset of GP is somehow deactivated?


Internet Explorer IE lockdown by GPO

Hello, 

We have users getting an IE security alert when they click to view a PDF file in an IE page: Your current security settings do not allow this file to be downloaded.

I have already added the website into COMPUTER CONFIGURATIONS>ADMINISTRATIVE TEMPLATES>WINDOWS COMPONENTS>INTERNET EXPLORER>INTERNET CONTROL PANEL>SECURITY PAGE>SITE TO ZONE ASSIGNMENT LIST, and set the value to 2.

Under User Configuration>Policies>Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>Security Page, I allow file downloads in the following:

Locked-down Trusted Sites Zone
Trusted Sites Zone

If someone knows how to fix this, please advise.  

Many thanks.

Roaming profiles

Hi all,

I want to implement a new roaming GPO but I have a question about (enable roaming on primary computer).

If I assign groups in the primary computer attribute on the domain (msDS-PrimaryComputer), that means the same user will have more than one primary computer; this will affect the roaming GPO.

I work in a company that has a lot of users who also work in shifts and use every computer, and I'm planning to delete profiles on computers that are not the user's primary computer (the main case is my PCs' storage is full and I need roaming at the same time).

GPO for Scheduling Tasks not executed

Hello,

I need to make a GPO to change to one wallpaper at 07:00 AM and change to another wallpaper at 03:00 PM.

I have made two bat files.

I want to execute them with scheduled tasks via GPO. My DC is Windows Server 2008 R2 Standard; the client PC is Windows 10.

My bat file content is the following:

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /f /t REG_SZ /d  path
RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True
exit

I have executed it successfully locally on the client PC. I made the GPO with the following parameters (see attached screenshot).

The task is available in the tasks on the client PC and executed successfully, but nothing happens.

Could you help me, please?

Problem with Group Policy - account lockout

Hello, I have a problem with Active Directory. I have 2 servers (Windows 2016 and Windows 2008) with Active Directory (replication) and a few other servers. I have set up (in Group Policy Management) account lockout after 10 invalid logon attempts and, for testing, a lockout duration of 1 min. (My policy is forced and first priority.)

Now, if I enter the wrong password 3 times, AD blocks me, but does not unblock after a minute (I'm waiting a few minutes).

Where do I have to change something, to block after 10 mistakes, and unlock after a set time?

The LockoutStatus tool says I'm locked after a bad pwd count of 3. In Resultant Set of Policy is the old set-up with 5 invalid logon attempts and 30 min duration. (After 30 min it is still not unblocking me.)



event id:4098 The computer 'RpcEptMapper' preference item in the 'Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}' Group Policy Object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.

I have a problem. When I installed and started the sidecar service, I can't run the copy of the config file in the Graylog server to nxlog. The collector is installed on Windows Server 2012 R2.

Here is the log file from the sidecar:
time="2019-04-22T10:14:05+07:00" level=info msg="Starting signal distributor"
time="2019-04-22T10:14:15+07:00" level=info msg="No configurations assigned to this instance. Skipping configuration request."
time="2019-04-22T10:14:35+07:00" level=info msg="Adding process runner for: nxlog"
time="2019-04-22T10:14:35+07:00" level=info msg="[nxlog] Configuration change detected, rewriting configuration file."
time="2019-04-22T10:14:37+07:00" level=error msg="[nxlog] Failed to update the created service: Access is denied."
time="2019-04-22T10:14:37+07:00" level=info msg="[nxlog] Starting (svc driver)"
When I checked the logs in the Windows event log, I found error event ID 4098.
Detail:
The computer 'RpcEptMapper' preference item in the 'Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}' Group Policy Object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.
and
The computer 'Administrator (built-in)' preference item in the 'Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}' Group Policy Object did not apply because it failed with error code '0x800706ba The RPC server is unavailable.' This error was suppressed.

Can you help me?

I have tried the solution in https://blogs.technet.microsoft.com/matthewms/2005/10/29/group-policies-and-access-denied/ but it is not working.

Deploy software via GPO which requires admin rights

Hi!

I would like to deploy a program via GPO which requires admin rights. I am setting a user policy, Software distribution\, and making the package Published (that's the ideal; I tried Assigned too). I am using a UNC path for the package. The user (with no admin rights) can access the share, and sees the new program in control panel\install from network location. But they still cannot install it: 'admin privileges needed' error.

I even enabled the following GPO:

User Configuration\Administrative Templates\Windows Components\Windows Installer \ "Always install with elevated privileges"

In the group AND computer policy too. Still no luck; restarted, forced GPO update a hundred times.

Server: Win Server 2016 Standard Client: Win 10 Pro x64

Problem is the same as here: https://social.technet.microsoft.com/Forums/en-US/1aecdac4-c274-4d14-85ea-432a9674f70d/pushing-out-software-that-quotrequiresquot-admin-rights?forum=winservergen

Still, none of what is suggested there is working for me.

One more interesting thing: if I choose Assign, the available program icons do not appear on the desktop or start menu (or I am misunderstanding something; source: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10) ). I do not choose install at logon; I would like to install on demand.

Any help would be welcome. We do not have SCCM and I do not like to use Intune. I know this is maybe the worst option, but I would very much like to make this work.

Thank you

How to create an Admx template that creates custom keys

I created the C# application and the settings are stored in the registry. I want to manage it through GPO, which I put on several times on user

How to create an Admx template that creates a custom key and these fields FileName, Path inside

HKCU\SOFTWARE\SampleApp\

HKCU\SOFTWARE\SampleApp\Settings\

HKCU\SOFTWARE\SampleApp\Test\

HKCU\SOFTWARE\SampleApp\Blabla\

HKCU\SOFTWARE\SampleApp\Demo\



Enforcing lock screen for WIN10 Pro 1809 with July Cumulative update

Hello Microsoft Community,

I have this issue with WIN10 Pro 1809 with the July Cumulative update, which won't accept the lock screen policy.

Policy path: Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>SecuritySettings>Interactive logon: Machine inactivity limit > 900sec (15min)..

I have this issue only with this single machine..

I tried to gpupdate /force , restart the comp, re-enter to the domain..

this is the computer report:

https://1drv.ms/u/s!AmqLiXvrm2MTghK-GoaCkusqLexh?e=TL8ABf

Windows server 2012 R2 DC GPO is not applying on Windows 10 pro domain computers

Hi Support,

Please help me with resolving GPO not applying on Windows 10 pro computers from Windows server 2012 R2 DC.

Let me give you a bit of history on what I did and the GPO's results. I've recently set up a GPO on Windows Server 2012 R2 DC to restrict some sites and linked it to a Test OU with users and Windows 10 Pro computer accounts, but unfortunately it wasn't applied properly, as I was still able to access the restricted sites.

I did the following to get it fixed:

- added new Windows 10 admx files to the Group Policy Central Store on Windows Server 2012 R2 DC and then deployed them (note: I can successfully browse \\mydcname\SYSVOL\mydomainname\Policies\PolicyDefinitions, where the new Windows 10 admx files were copied to, from the Windows 10 PC. I can also browse the \\mydcname\NETLOGON folder from the same Win 10 PC).

- did UNC hardening for netlogon and sysvol Shares in the registry on affected win 10 pc (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths

“\\*\SYSVOL” “RequireMutualAuthentication=0”

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths “\\*\NETLOGON” “RequireMutualAuthentication=0”)

I did some investigation and here are the results:

- GPO name was listed in Applied GPOs in user settings but not in computer settings, when I ran gpresult /v

- I can see all the restricted sites listed in IE's restricted sites zone

- checked win 10 pc event viewer and found that Event IDs 1500 & 1501 saying that the group policy settings for the computer and user were processed successfully.

Where else to look into to get this fixed?

Thank you in advance.

Regards
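
An added example, not part of the original post and not Microsoft's code: a PowerShell check that parses the HardenedPaths values described in the post above and flags entries where mutual authentication or integrity is switched off. The helper name, the `\\*\EXAMPLE-SHARE` sample entry and the rule that both flags must be 1 to count as hardened are assumptions of this example.

```powershell
# Added example: audit UNC Hardened Access entries (not from the original post).
# Assumption: an entry counts as hardened only when both
# RequireMutualAuthentication and RequireIntegrity are set to 1.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function Test-HardenedPathValue {   # hypothetical helper name
    param([string]$UncPath, [string]$Value)
    # The registry value is a comma-separated list of Name=0|1 pairs.
    $settings = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $flag = $pair.Trim() -split '=', 2
        if ($name) { $settings[$name.Trim()] = "$flag".Trim() }
    }
    # A flag that is missing or set to anything but 1 is reported as weakened.
    $weak = @(foreach ($required in 'RequireMutualAuthentication', 'RequireIntegrity') {
        if ($settings[$required] -ne '1') { $required }
    })
    [pscustomobject]@{
        UncPath  = $UncPath
        Value    = $Value
        Hardened = ($weak.Count -eq 0)
        Weakened = $weak -join ', '
    }
}

# Constructed sample input: the first two values are the ones quoted in the post,
# the third is a constructed hardened entry for comparison.
$samples = [ordered]@{
    '\\*\SYSVOL'        = 'RequireMutualAuthentication=0'
    '\\*\NETLOGON'      = 'RequireMutualAuthentication=0'
    '\\*\EXAMPLE-SHARE' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
}
$samples.GetEnumerator() |
    ForEach-Object { Test-HardenedPathValue $_.Key $_.Value } |
    Format-Table -AutoSize

# On a live machine, evaluate the values actually present under the policy key.
if (Test-Path $HardenedPathsKey) {
    $key = Get-Item $HardenedPathsKey
    $key.GetValueNames() |
        ForEach-Object { Test-HardenedPathValue $_ ([string]$key.GetValue($_)) } |
        Format-Table -AutoSize
} else {
    Write-Warning 'No HardenedPaths policy key found on this machine.'
}
```

Reading the live key needs no elevation; the two entries taken from the post are reported as not hardened because mutual authentication is explicitly set to 0.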

Enabling Face Recognition on a Domain connected Surface

I hope everyone had a nice Christmas,

I'm trying to get my new Surface Pro 4 to log in to the domain with Face Recognition but something isn't correct.

Domain: DC: Windows 2012 R2, Domain and Forest level: Windows Server 2012

Surface: OS Version_ 10.0.14393, Build 14393

I modified a Group Policy with the following settings, also enforced it. (Only Computer Configuration)

Under System/Logon:
Allow users to select when a password is required when resuming from connected standby Disabled 
Show first sign-in animation  Disabled 
Turn off picture password sign-in Enabled 
Turn on convenience PIN sign-in Enabled

Windows Components/Biometrics:

Allow domain users to log on using biometrics Enabled 
Allow the use of biometrics Enabled 
Allow users to log on using biometrics Enabled

The Group Policy also contains the following settings that are probably irrelevant:

Local Policies/Security Options

User Account Control: Only elevate UIAccess applications that are installed in secure locations Enabled
User Account Control: Run all administrators in Admin Approval Mode Enabled

Control Panel/Personalization

Force a specific default lock screen and logon image Enabled

I have run GPupdate /force on the Surface multiple times and also restarted, but no luck.

On the Surface I still can't enable the setting. I attached an image from the Surface; I know it's in Swedish but I still think you can understand.

GPRESULT /H GPReport.html =>ERROR: Invalid pointer

When I enter GPRESULT /H GPReport.html I get the following error...ERROR: Invalid pointer

With the syntax /X it's possible to get an XML report. Any ideas?

Thanks in advance

Martin

LGPO.exe – Local Group Policy Object Utility

Dear Team,
Currently I am using the LGPO tool for Group Policy Backup and Restore. I need help with the Registry Settings Backup Parameters list.
I need a complete list of Registry Settings which are getting backed up during Group Policy Backup through the LGPO tool.

May I request you to please do the needful.
Awaiting your valuable response.
Thank you in Advance.

Best Regards,

Shantaram Gawade

I am accessing the URL login.microsoftonline.com but it is showing a white screen in IE

I am accessing the URL https://login.microsoftonline.com but it is showing a white screen in IE.

I have done the below steps from the Policy:

Allowed all cookies using the registry

Added the URL to trusted sites

Disabled IEES

Added the site to allow cookies sites

Still facing the same issue. Can someone help me with this issue? Is there anything I missed?

Create GPO with Powershell to add app shortcuts on desktop

Hello,

I have a problem creating a group policy with PowerShell to add a program shortcut on the desktop.

How can I use PowerShell to create a GPO to set a Desktop Shortcut in the section "User Configuration\Settings\Windows-Settings\Shortcut"?

I can't find anything in the registry, only the XML file in SYSVOL that is created with the policy. The next possibility is to copy and edit the XML file, but that's not my target. I need this for several app deployments.

Thank you


File History (GPO for Win. 10)

Hi!

I can't find any Group Policies for controlling File History (on Windows 10) in a domain/AD... Is this not possible?

Best,

/LS

Group policy for EDGE browser settings

Hi There,

There is a requirement that we implement a GPO for setting the home page for all the browsers like IE, Chrome and EDGE temporarily.

The home page works fine in all 3 browsers.

But the issue is that when I remove the user from the security filtering of the GPO, both the IE and Chrome browsers revert to the original home page. But EDGE does not.

Is there a reason for it? Or is EDGE designed in such a way as not to revert to its previous settings?

Can someone explain to me how we can implement this?


AppLocker Policy Application Error - Event ID 8000

Hello,

I am using Server 2008 R2 to manage AppLocker policies for machines across my network.  The AppLocker policies themselves are working fine, but I am getting an error in the AppLocker logs of the AD server: it is event ID 800 and the message is: "Application Identity Policy conversion failed. Status Log space is exhausted".

I have the AppLocker log set to 2 MB instead of its default 1 MB, and it is set to roll over (overwrite new events).  I also have a subscription set up to forward AppLocker events to the Application Log so that our system SIEM can pull  the logs.  The Application Log is also set to roll over.  I have tried clearing out both logs and restarting the server, but the error message still appears.

What could be causing this?

Thanks!


How to restrict user from accessing C:\Programdata\ folder ? Can we remove permissions for user using iCACLS ?

Hi,

I would like to know if there is a method to use the iCACLS command or any other to restrict normal users from folders like the below:

C:\ProgramData and its sub-folders?

Why does Microsoft's design allow users to write data to this folder?

What are the implications if users are restricted from writing data (creation or copying of files and folders) to this folder?

Group Policy for Cache mode in Exchange

We are running Outlook 2013 on our RDS servers. By default nobody's Outlook is in cache mode. Is there a GPO we can enable to put at least the last year or more of email in cache mode? If so when we apply this GPO will it do this for users who have already setup Outlook or only for new users?

Thank you
