Hello Microsoft Community,

I have this issue with WIN10 Pro 1809 with July Cumulative update which wont accept the lock screen policy

Policy path: Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>SecuritySettings>Interactive logon: Machine inactivity limit > 900sec (15min)..

I have this issue only with this single machine..

I tried to gpupdate /force , restart the comp, re-enter to the domain..

this is the computer report:

https://1drv.ms/u/s!AmqLiXvrm2MTghK-GoaCkusqLexh?e=TL8ABf

Hello, 

We recently deploy group policies to update our IE and Chrome starting page settings.  

We have users reporting WEB links in some of their legit emails are not being seen.  Clicking on it is okay.  

I am not sure if this is related to the deployed GPO.  

I am not familiar the requirements of web links to be displayed properly in Outlook.  

Someone who know what might happen please advice. 

Thanks. 

Hello,

I try to enable the setting using GPO:

"use office 2016 to sync office files that i open"

but the Policy neither "Coauthor and share in Office desktop apps" nor the manual registry key work. I see in both cases that Registry key set is but the setting stays disabled.

I was moved to GPO Forum because OneDrive MS Support thinks that this a GPO issue is.

https://answers.microsoft.com/en-us/msoffice/forum/msoffice_onedrivefb-mso_win10-mso_o365b/group-policy-setting-coauthor-and-share-in-office/cc8068bf-ee3c-4d8b-9b92-dbb35e3ac4d3?messageId=53a3c4a3-c184-44de-8b7f-1b5cd4d133ec

Thanks in advance.

Hi 

I am trying to create an auto enrollment for my windows 10 desktops into Intune,I have already managed to build all the supported infrastructure and able to  register any windows system in our company AD by changing the Local policy using GUI. Now I need to make it automated. I  have identified the Registry settings which actually changed during the Local policy change .I created a script as below which will create a registry key and add the two corresponding key words as below.

New-Item -path  "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\" -Name MDM
New-Itemproperty  -path  "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM" -Name AutoEnrollMDM -Value 1 -Type DWord
New-Itemproperty  -path  "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM" -Name UseAADCredentialType -Value 1 -Type DWord

But Even after successful execution of this script my systems are not getting enrolled into  Intune 

Can someone please help me on this 

-Sachin

Hello, 

I need to configure the IE add-ons to open PDF in our  IE browser - please see the attached.  

Would someone advise how to do it in GPO?

Thanks. 

Hello,

I need to disable the power button on the bottom-right of the Ctrl+Alt+Del screen, and i've already performed the following configuration on the policies:

User Configuration -> Administrative Templates -> Start Menu & Taskbar | "Remove and prevent Access to shutdown, restart, sleep & hibernates Commands" -> ENABLED.

But, just the options to shutdown the Server from the start menu has vanished, on the Ctrl+Alt+Del screen the power button it still there !

I don't know if there is some another policies that are inheriting/overwriting the configs.

System: Windows Server 2016 Datacenter

PS.: On the Windows Server 2008 R2, this config works fine! The problem apparently is just on Server 2016.

Please help.

Thanks,

Hi,

We have shared folders on user's systems across AD.We want to disable the sharing through GPO so that we dont have to do for individual user.Is there a way we can achieve it through GPO?

So its a best practice to use a domain account for services .... ie backup software, SQL, exchange etc.

And if you have a service account that needs to hit the majority of computers in the network then you would use a group policy.

Problem that I have... is that when you use a group policy to add "Log on as a service" - then you cant add one to a server that only that server needs.  If I have one service account user that needs Log on as a Service on only one computer - I cant add it locally... and if I want to use a GPO - I would have to create a separate GPO and filter it to that one computer.

This doesn't make sense to me and feels limited.  Is there a policy that I can use for "Log on as a service" that can use item level targeting, and I can add multiple etc...

Any thoughts on how you have managed this would be helpful.  I like using the GPO for obvious reasons, but I don't want to grant "Log on as a service" for the account that really only needs to have that right on one server.

In my example - I created a managed service account for SQL 2014.  I only need that service account added to the SQL 2014 Server - no all servers in the domain.

Thanks
John

Alternatively - It would be nice if it was like Firewall rules..  I can create a GPO for the domain wide needs, and then add some locally as needed.  If you use a GPO to manage this, then the local GPEDIT.msc option is greyed out and you cant add them locally...

Hello

I simply need a way to add a local account to "log on as a service" ..whether its GPO or script.

What I've checked

http://me.go-unified.com/ssign-log-on-as-a-service-user-rights-to-a-local-system-account-via-gpo-using-wmi-filters/    The WMI query here does not work.  GP log says "The GPO does not pass the filter check and so will not be applied" 

Tried all of these:
https://www.morgantechspace.com/2013/11/Set-or-Grant-Logon-As-A-Service-right-to-User.html#ViaPowershell

Only works for DOMAIN accounts.  I have tried putting in .\accountname and it does not work in any script!

Can anyone please show how to do this and have tested and know that it works?!?!

Thanks

C

-C-

Hello Microsoft Community,

I'm using WS2016

I tried the next policies on 2 WIN 10 Pro PC's in my domain > both PC's were under TEST OU with disabled inheritance

PS: I configured lockscreen policy later on 

Both PC's applied the policy, and then 3 things happend:

1) The first PC applied the policy and didn't want to screen lock so I set the next 2 policies to Not configured: Prevent enabling lock screen camera & Prevent enabling lock screen slide show.

Which solved the lock screen problem on 1 PC.

2) The second PC wont accept the lock screen policy (Fresh installed 2 weeks ago), Even if I set the lock after 5 or 10sec

The power setting are set to default..

Then I tried to set all to Not Configured > Restart PC > Delete policy > Restart again > Change OU > GPUPDATE /FORCE>  check Local security policy on PC

the local security policy keeps the configuration of the deleted policy..

I tried to use cmd command to return the policy to default : 

 Restarted the computer and nothing changed..

3) I tried to set the PC to workgroup and add him again to the domain with the same name and it wont work as well..

Hello Folks,

My first questions here as it's the first time they have not been answered yet (at least I think so).

We are running Windows 2008 as File Servers and a group of associates is currently set as "Power Users" on these machines. This grants them everything they need  to do now, however, they will need to do File Transfers between these servers in the near future, NTFS and Share permissions are OK. As the transfers will sometime have a large amount of data and low bandwidth, we thought about creating batch files with robocopy and schedule tasks to run these batches. (Not sure if this is the best way but at least seems so)

On Windows 2003 we could simply change the permissions on C:\Windows\Tasks and Power Users would be able to create tasks. Now this solution does not work and I wonder if there's something in the local policy or through a global GPO that may change this scenario in the File Servers.

Just a few considerations:

- Granting them full admin privilege is out of question;

- Task Scheduler was preferred as it saves their credentials and keep the transfer going even after they disconnect from the servers. Simply starting a robocopy would fail as they would be logged off from RDP after the idle period. The AT command is also an option but I think it's pretty much the same thing.

- Maybe there's another way to execute these file transfers between the servers that would not stop after an idle period or something like that, but right now I'm having a hard time to allow power users to schedule tasks or even create a group in AD and somehow allow this group to schedule tasks. The idea of the AD group came as Power Users would grant the same access to more people and the group in question has just a few analysts.

Any help is highly appreciated.

Thank you!

Hi all, we're trying to set up the Group Policies that come with the OneDrive sync client, so that we can automatically sign users into OneDrive as well as enabling Files On-Demand for everyone, however we don't seem to be having much luck.

Following Microsoft's guide for configuring OneDrive policies doesn't seem to work - after adding the .admx and .adml files to our central store, trying to open the templates gives the below error:

"Resource '$(string.GPOSetUpdateRing)' referenced in attribute displayName could not be found.

File \\domain.co.uk\SysVol\domain.co.uk\Policies\PolicyDefinitions\OneDrive.admx, line 23, column 235"

We're somewhat at a loss as to how to continue, I've seen a few other threads that talk about editing the strings manually but this isn't really something we'd be comfortable doing - my manager much prefers to install GPOs using an .msi package so it was already quite difficult to persuade him to use the files provided with the sync client anyway!

I'd be grateful if anyone could offer any suggestions for this, thank you in advance!

Well, this is another fun day with Microsoft crapware.  I am trying to do something that appears to have worked in the past (the tasks were succesfully deployed): run a task that requires Administrator privileges from the SYSTEM account on the local computer.  Trying to use the wizard from RSAT on Windows 7 x86, it always references BUILTIN\SYSTEM as the name of the principal.  It is quite clear that is now working.  I get the same error over and over.

Log Name:      Application
Source:        Group Policy Scheduled Tasks
Date:          3/15/2011 1:00:46 PM
Event ID:      4098
Task Category: (2)
Level:         Warning
Keywords:      Classic
User:          SYSTEM
Computer:     hostname.addomain.adparent.domain.tld
Description:
The computer 'Daily Profile Cleanup' preference item in the 'OU Policies {3182C8BC-024A-48B4-B856-BE2446DFF53A}' Group Policy object did not apply because it failed with error code '0x80041316 The task XML contains an unexpected node.' This error was suppressed.

I noticed by looking at the raw XML the first time the runAs parameter had NT AUTHORITY unquoted.  I obviously was not so careful, and just wrote in NT AUTHORITY\SYSTEM, assuming it would work like before.  Unforunately, using the change User or Group functionality no longer allows me to pick the proper principal, or at least using a name that gives me the right SID.  I used the wizard, and it will only let me use BUILTIN\SYSTEM; it says NT AUTHORITY\SYSTEM is unknown.  However, the client now has a different type of error.

Log Name:      Application
Source:        Group Policy Scheduled Tasks
Date:          3/15/2011 2:04:23 PM
Event ID:      4098
Task Category: (2)
Level:         Warning
Keywords:      Classic
User:          SYSTEM
Computer:     hostname.addomain.adparent.domain.tld
Description:
The computer 'Daily Profile Cleanup' preference item in the 'OU Policies {3182C8BC-024A-48B4-B856-BE2446DFF53A}' Group Policy object did not apply because it failed with error code '0x80070534 No mapping between account names and security IDs was done.' This error was suppressed.

So, I used Sysinternals PsGetSID.  Not surprisingly, BUILTIN\SYSTEM does not return a SID.  What I really need is NT AUTHORITY\SYSTEM, which does (S-1-5-18). When I try adding this through the wizard "the old way" (opening up the Select User or Group wizard, changing the location from the domain to the technician workstation I use, input NT AUTHORITY\SYSTEM, and confirm with Check Names), this worked.  Now, it fails. If I just put in SYSTEM, it retrieves BUILTIN\SYSTEM, which obvious is not correctly translating to the proper SID.  Good thing this program allows me to input the desired user by SID.  Oh wait!  It doesn't.  I have now tried BUILTIN\SYSTEM, BUILTIN\Local Service, BUILTIN\Network Service (even though it is a local WMIC command in batch and does not need network access, theoretically).  None of them work.  I made a backup copy of the XML, then tried manually editing it to use NT AUTHORITY\SYSTEM.  The end result, yet another dead end.

So I reverted back to the original, and lo and behold the same old error.  Does anyone know how to achieve what I want to accomplish, or is the ability to do that long gone.  Below is the XML as it is now, which generates the SID mapping error.

Hi Guys,

I'm trying to create a automated method to make a change to the following settings in Group Policy:

GP:  Local Computer Policy> Computer Configuration> Administrative Templates> Control Panel> Setting Page Visibility

Settings:

Enable

Optional Settings: Settings Page Visibility "ShowOnly:Display"

What I'm trying to do is find a way to automate the process so that I can add it to my System Centre Configuration Manager's Task Sequence. 

Is anyone familiar with making GP changes within OSD Task Sequence? I'm fairly new to the SCCM, so I'm struggling to set this up. 

We have implemented LAPS into our network (over 400 machines) and it works well. The LAPS UI works just as it should  but the draw back is that we can only use the UI and help people remotely from our desk.

Is there anyway to get the admin password of a computer when out in the field and not at your desk with the LAPS UI?

Example: I am in building "D" that we maintain and it is 1/2 mile from my office. I am helping Joe Smith setup some new hardware (monitors, scanner, printer, docking station, lable printer.. whatever) in his office and once it is done, the computer requires admin credentials to install the software/drivers.  Since I am not at my computer I do not have access to the LAPS UI to get the random Administrator password and now I can not help him any further at this time. 

Often you go to a building for 1 job and people see you and grab you to help with their problem or questions, so I may need admin passwords for more than just the computer I came to work on.

So is there any App for a mobile device (iPad,Phone or other) that I can use to get that admin password when not at my desktop? or is the only real solution to tell the clients they need to wait until I walk back to the office and remote into their system to type the admin password?  

Thanks

Allen

even after this was disabled, the file path still shows, is any step missing in group policy after this?

I've added 2 new workstations to a windows server 2012r2 domain. Both Win 10, 1903.
After initial joining of domain, mapped drives which have been applied by GPO using "update" have appeared in file explorer.
After reboot they are no longer there. User is logged in with correct profile.
Using File Explorer there is only c: drive, mapped drives are not visible.
Switching to a dos prompt I can change to each drive letter (3 in total) h:, i:, u:,
I have run gpresult and it shows component status , Group Policy Drive Maps as Success.

Now if I change the Group Policy Drive Maps action to "replace" and run gpupdate/force on the workstation they reappear so this sort of solves the issue but …

Its and issue because I shouldn't have to delete and replace a drive map after each login?
Ideas? I have read other posts that this has occurred since Win 10, 1803 and various work arounds but none of them appear the solution. 

Thanks
S4

I am having an issue with creating an exception for a client workstation that needs a firewall exception defined.  The 2K8R2 AD is pushing GP down and applying the following rule on the Firewall Domain Profile;

Rule Name: Inbound Rules -> Remote Administration (NP-In)

Port:445

Protocol:TCP

Action:Block

The problem is I don't know where this is specifically in group policy.  I can see in the General tab of the rule properties that "This rule has been applied by the system administrator and cannot be modified".  I've been looking through Computer Configuration->Policies->Administrative Templates->Network->Network Connections->Windows Firewall->Domain Profile.  I have the following enabled with defined exceptions;

Windows Firewall: Allow local program exceptions - Enabled

Windows Firewall: Define inbound program exceptions - Not Configured

Windows Firewall: Protect all network connections - Not Configured

Windows Firewall: Do not allow exceptions - Not Configured

Windows Firewall: Allow inbound file and printer sharing exception - Enabled

Windows Firewall: Allow ICMP exceptions - Not Configured

Windows Firewall: Allow logging - Enabled

Windows Firewall: Prohibit notifications - Not Configured

Windows Firewall: Allow local port exceptions - Enabled

Windows Firewall: Define inbound port exceptions - Enabled

Windows Firewall: Allow inbound remote administration exception - Not Configured

Windows Firewall: Allow inbound Remote Desktop exceptions - Not Configured

Windows Firewall: Prohibit unicast response to multicast or broadcast requests - Not Configured

Windows Firewall: Allow inbound UPnp framework exceptions - Not Configured

Can someone please point me to the correct group policy entry that needs to be modified?  Thank you.

Hello, I have a Windows 2008R2 server (not a domain controller) running on VMware ESXi. The server had no issues up until now. The server was rebooted this morning and since then has been stuck on Applying Computer Settings screen, attempted few restarts but no improvement. Took it out of the OU and moved to an OU without any group policy, restarted the server and still stuck on the same screen. Can login to safe mode though so enabled GP diagnostic and the gpsvc.log has these lines, over and over again. I looked around but couldn't find anything useful.

I have got this update downloaded but can't apply as the server is stuck on that applying computer settings screen. Can someone please help with this? 

I create a group policy that change the Registry. This policy is for disabling Game bar. I need to disable game bar for a software .I have windows server 2012 R2 for AD. Below are the registry setting that have been changed 

Under HKEY_CURREN_USER

SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR - KGLRevision to 0

System\GameConfigStore -GameDVR_Enabled to 0 

I applied the policy for the users account in my organization.

I was testing the policy on one user. I was reviewing the report that I got from running gpresult /h gpreport.html on a CMD with admin privileges. Under both policy I see message "   The following settings have applied to this object. Within this category, Settings nearest the top of the report are the prevailing settings when resolving conflict" and for the result i have success. 

I tried to open the software but it did not open. Amessage pop out saying that game bar still active. Please advise.

Thank you.