Channel: Group Policy forum

Windows 10 "Engaged Restart Transition" GPO and Feature Updates Behavior

We are trying to transition to a GPO/Windows Update for Business based update model, but I am frustrated with the behavior of the Feature Updates with the GPO "Specify engaged restart transition and notification schedule for updates." I have the following configured:

-Specify the timing before transitioning from Auto-restart to Engaged restart (pending user schedule): 7 days

-Specify snooze for Engaged restart reminder notifications: 1 day

-Specify the deadline before a pending restart will automatically be executed outside of active hours: 14 days

For the normal monthly/security updates, this behaves as expected, and it's great.


However, for the "Feature Updates" it doesn't seem to respect the "deadline", and computers will be perpetually waiting (far past 14 days) for the user to manually run the Feature Update. Is this normal behavior? Do Feature Updates not follow the same "deadline" as quality/security updates and never install automatically? Is there a way to force the Feature Updates to install while still maintaining the control/user friendliness of the "engaged restart" GPO?
Group Policy Error: A referral was returned from the server

I'm stumped on this one.

I have an AD environment with five sites, ten domain controllers.  All DCs are running Server 2012 R2 and that is also the functional level of the domain.  I built up a new print server (running Server 2016 w/ full GUI) and when deploying a printer from print management, I get this error when browsing for the GPO to add the printer to:

"Failed to query for the list of Group Policy Objects linked to this container."  Details:  "A referral was returned from the server."

If I close the error and try browsing again, eventually it will show me all of my OUs and GPOs.  It usually takes about 4 attempts.  I have never seen this error appear anywhere other than print management.  It shows up regardless of whether I'm using print management from my desktop (connected to the print server) or from the print server directly.

I ran a dcdiag and everything passes.  Group policies are applied properly to clients.  At the site my desktop and the print server live in, I've powered off one DC at a time to see if I could isolate it to a request made to one or the other.  There was no change in the behavior when either one was shut down.

Any ideas?  Thanks!

GPO Settings revert to Not Configured after change

Domain Function: 2012 R2

I have a strange occurrence lately where whenever I edit a GPO, all the settings in the Admin Templates revert to Not Configured.

Ex: I need to add a website to Trusted Sites via Site to Zone Assignment. There are already entries in the list for various zones.
I enter the site, apply and exit GP edit. A few minutes later I look in the GPMC on the domain controller and all the various settings that fall under Administrative Templates are changed to not configured. The site I entered and all the sites have been removed. The IE settings for Trusted Sites removed. Chrome settings, removed.

Note: the policy settings are all still there, they've been changed to "Not Configured". Don't have any replication issues and it's happened to multiple Techs trying to make changes.

How to push proxy exceptions via Group Policy.

Hello Guys,

I just pushed the proxy settings via GPO. Created/Updated registry values like ProxyServer, ProxyEnable successfully via GPO but I am not able to push proxy Exceptions via GPO. When I created 'ProxyOverride' registry value (via GPO), it cleared the value of proxy address.

Please help to resolve this.

How would I exclude some users from "Do not allow storage of credentials" policy?

I need to have my environment set to not allow regular users to store their credentials for Apps or RDP. However, I need to have some accounts, mostly service accounts, be able to store credentials.

How would I be able to exclude them because AFAIK "Network Access: Do not allow storage of passwords and credentials for network authentication" is applied to computers and can only exclude computers, not users.

Deploying the ADMX template for Win10 1903

Hi,

I have a query. If I deploy the 1903 ADMX template:

1) What will happen to the existing template?

2) Are there any specific steps to deploy?

If we replace the 1803 ADMX template with the new one, what will happen to the GPO settings which are already in production? Can somebody guide me through this process?

Group Policy not automatically applying

Hello, I am testing out Windows 10 1903 in my environment and am having issues with some GPOs not automatically applying that have up until now.  When I log onto the computer and run gpresult it shows all the policies as it should, and when I manually run gpupdate /force the policies apply properly, but not automatically as in the past.  I have checked the WMI and security filtering on the policy and that is set correctly.  Domain controller is Server 2016.  Sorry for the kind of generic info but any info would be appreciated.  Thanks!

Internet Explorer Security Settings – Local Intranet Zone

Hi

IE Security Settings – Local Intranet Zone
ActiveX controls and plug-ins
1 Allow ActiveX Filtering
2 Display video and animation on a webpage that does not use external media player

Miscellaneous
3 Allow webpages to use restricted protocols for active content.

I cannot locate the three policies under “User/or Computer Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone/”

Can someone please advise?


screen saver issues via GPO

Hi,

We currently have a GPO created as we want to disable a few systems where the screen saver does not appear on the screen and prompt for a password each time after 20 minutes. These are windows 10 computers.

I created a GPO to disable Enable Screen saver, disable password protect the screen saver, and the screen saver timeout is set to 0 seconds.

The issue is the GPO looks to be applying to the machine as I can see the password protect timeout is set to 0 but the system screen saver comes on and after I hit any key on the keyboard I have to type in the password. The system is getting the correct GPO but not sure exactly what I am doing wrong.

The GPO string is User configuration> Policies> Administrative Templates> Control Panel/Personalization

Hope someone can help me understand why this keeps happening.

GPO icon with replace create new icon

Hi,

I have desktop icons created by GPO; some icons are configured as Replace, some as Update, and they are set as system objects to run C:\Program Files\Internet Explorer\iexplorer.exe with specific www sites.
Now I would like to edit these shortcuts to open in the default browser instead of Internet Explorer, so I changed them to URL and saved.
Now the problem is that these new icons appear as new instead of replacing the previous ones. So I have every icon doubled.

Where can I download MDOP or AGPM?

Hi All,

I'm planning to deploy Advanced Group Policy Management but couldn't find a link to download it from MS. I knew it is part of MDOP but also cannot find it in MS.

Where can I find a source for the Advanced Group Policy Management server and client?

Thanks


Slow copy file : Data encrypt

Hi everybody.

I have a Windows domain with a lot of servers (2012, 2016, 2019). All of the servers are virtual in vSphere 6.5

I have a 10 Gbps network and iSCSI 10 Gbps storage with SSD and HD 10k. The SAN has been new for 3 days :-) Before, I already had 10 Gbps storage, no SSD.

When I copy a file between 2 virtual servers, I get ~300 Mo/s, not very good at all. It's better with this new SAN, but there is a problem.

I did many tests and I found the problem. I use the security baseline GPO from Microsoft and the problem comes from here!

In the MS security baseline, the data is encrypted, see capture:

If I disable all these values, my file copy increases to 700 Mo/s!

Can you explain to me exactly what these parameters do, please? Is it very important to leave them enabled?

There is the same security baseline for the client computer in Windows 10 :-(

Many thanks for the explanation.

Best regards

Windows Server 2016 - remove and prevent access to the shut down restart sleep and hibernate commands - not working on Ctrl+Alt+Del screen

Hello,

I need to disable the power button on the bottom-right of the Ctrl+Alt+Del screen, and I've already performed the following configuration on the policies:

User Configuration -> Administrative Templates -> Start Menu & Taskbar | "Remove and prevent Access to shutdown, restart, sleep & hibernates Commands" -> ENABLED.

But only the options to shut down the server from the Start menu have vanished; on the Ctrl+Alt+Del screen the power button is still there!

I don't know if there are some other policies that are inheriting/overwriting the configs.

System: Windows Server 2016 Datacenter

PS.: On the Windows Server 2008 R2, this config works fine! The problem apparently is just on Server 2016.

Please help.

Thanks,

GPO for Scheduling Tasks not executed

Hello,

I should make a GPO to change one wallpaper at 07:00 AM and change to another wallpaper at 03:00 PM.

I have made two bat files.

I want to execute them with scheduled tasks via GPO. My DC is Windows Server 2008 R2 Standard; the client PC is Windows 10.

My bat file content is the following:

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /f /t REG_SZ /d  path
RUNDLL32.EXE USER32.DLL,UpdatePerUserSystemParameters ,1 ,True
exit

I have executed it successfully locally on the client PC. I made a GPO with the following parameters (see attached screenshot).

The task is available in the tasks on the client PC and executed successfully, but nothing happens.

Could you help me, please?

Weblink in Outlook emails are not displayed.

Hello,

We recently deployed group policies to update our IE and Chrome starting page settings.

We have users reporting that web links in some of their legit emails are not being seen. Clicking on them is okay.

I am not sure if this is related to the deployed GPO.

I am not familiar with the requirements for web links to be displayed properly in Outlook.

Someone who knows what might happen, please advise.

Thanks.

Add IE Add-ons using Group Policy

Hello,

I need to configure the IE add-ons to open PDF in our IE browser - please see the attached.

Would someone advise how to do it in GPO?

Thanks.

How to start Edge browser on login automatically? GPO/Login Script

I am trying to run edge on all client machines when the user logs in. This is easily done with IE as you just set iexplore.exe in the Startup section of Group Policy but not having much luck with Edge.

I tried using the User Configuration/Policies/Administrative Templates/system/Logon - 'Items to run at login'

start microsoft-edge:https://google.ie/ .. to no avail


I also have tried creating a .bat / .cmd and trying to call it

Code:

@echo off
start microsoft-edge:https://google.ie/

I know the above works as Edge opens up when I double click the cmd/bat

I am trying to call this from within a login.vbs script but am having no joy, any ideas? or alternatively if anyone has been able to get this working in Group policy? Thanks.

VBS Code:

Function Edge()
dim shell
set shell=createobject("wscript.shell")
shell.run "\\ipbdc3\SYSVOL\ipbdomain.local\scripts\edge.cmd"
set shell=nothing
End Function

If anyone has any tips or tricks for this let me know as there doesn't seem to be much info online as I see most people still prefer IE as the default browser.

Thanks,

David

Windows server 2012 R2 DC GPO is not applying on Windows 10 pro domain computers

Hi Support,

Please help me with resolving GPO not applying on Windows 10 pro computers from Windows server 2012 R2 DC.

Let me give you a bit of history on what I did and the GPO's results. I've recently set up a GPO on Windows Server 2012 R2 DC to restrict some sites and linked it to Test OU with users and Windows 10 Pro computer accounts, but unfortunately it wasn't applied properly as I was still able to access the restricted sites.

I did the following to get it fixed:

- added new Windows 10 admx files to the Group Policy Central Store on Windows Server 2012 R2 DC and then deployed them (note: I can successfully browse \\mydcname\SYSVOL\mydomainname\Policies\PolicyDefinitions, where the new Windows 10 admx files were copied to, from the Windows 10 PC. I can also browse the \\mydcname\NETLOGON folder from the same Win 10 PC).

- did UNC hardening for netlogon and sysvol Shares in the registry on affected win 10 pc (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths

“\\*\SYSVOL” “RequireMutualAuthentication=0”

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths “\\*\NETLOGON” “RequireMutualAuthentication=0”)

I did some investigation and here are the results:

- GPO name was listed in Applied GPOs in user settings but not in computer settings, when I ran gpresult /v

- I can see all the restricted sites listed in IE's restricted sites zone

- checked win 10 pc event viewer and found that Event IDs 1500 & 1501 saying that the group policy settings for the computer and user were processed successfully.

Where else to look into to get this fixed?

Thank you in advance.

Regards

How to create an Admx template that creates custom keys

I created the C# application and the settings are stored in the registry. I want to manage it through GPO, which I put on several times on user

How to create an Admx template that creates a custom key and these fields FileName, Path inside

HKCU\SOFTWARE\SampleApp\

HKCU\SOFTWARE\SampleApp\Settings\

HKCU\SOFTWARE\SampleApp\Test\

HKCU\SOFTWARE\SampleApp\Blabla\

HKCU\SOFTWARE\SampleApp\Demo\


Enforcing lock screen for WIN10 Pro 1809 with July Cumulative update

Hello Microsoft Community,

I have this issue with WIN10 Pro 1809 with the July Cumulative update, which won't accept the lock screen policy.

Policy path: Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>SecuritySettings>Interactive logon: Machine inactivity limit > 900sec (15min).

I have this issue only with this single machine.

I tried gpupdate /force, restarting the computer, and rejoining the domain.

this is the computer report:

https://1drv.ms/u/s!AmqLiXvrm2MTghK-GoaCkusqLexh?e=TL8ABf
