Quantcast
Channel: Group Policy forum
Viewing all 19997 articles
Browse latest View live

Group Policy Setting "Coauthor and share in Office desktop apps" doesn't work (use office 2016 to sync office files that i open)

August 5, 2019, 3:01 am
$
0
0

Hello,

I try to enable the setting using GPO:

"use office 2016 to sync office files that i open"

but the Policy neither "Coauthor and share in Office desktop apps" nor the manual registry key work. I see in both cases that Registry key set is but the setting stays disabled.

Registry HiveHKEY_CURRENT_USER
Registry PathSOFTWARE\Policies\Microsoft\OneDrive
Value NameEnableAllOcsiClients
Value TypeREG_DWORD
Enabled Value1
Disabled Value0

I was moved to GPO Forum because OneDrive MS Support thinks that this a GPO issue is.

https://answers.microsoft.com/en-us/msoffice/forum/msoffice_onedrivefb-mso_win10-mso_o365b/group-policy-setting-coauthor-and-share-in-office/cc8068bf-ee3c-4d8b-9b92-dbb35e3ac4d3?messageId=53a3c4a3-c184-44de-8b7f-1b5cd4d133ec

Thanks in advance.

Search

Where to get ADMX templates - 1903?

May 22, 2019, 12:37 am
$
0
0

Hi All,

Successfully downloaded the brand new Windows 10 (1903) and want to deploy and poke around in the GPO options in my LAB.

But...

I can't find a download link to the ADMX templates?

Where do we get the ADMX templates for 1903 from to load into PolicyDefinitions?

Thanks in advance,

durrie.

Editing Extra Registry Settings in GPO

August 15, 2019, 11:35 pm
$
0
0
Hi All,

Can anyone let me know how to edit below GPO:


Computer Configuration (Enabled)hide

Policieshide

Administrative Templateshide

Policy definitions (ADMX files) retrieved from the local computer.

Extra Registry Settingshide

Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.

Setting
    

State

Software\Policies\Microsoft\OneDrive\AllowTenantList\8a8efd4b-5dbd-49d6-90ba-378e8a388cb2
    

8a8efd4b-5dbd-49d6-90ba-378e8a388cb2

 



Can't seem to find "Extra Registry Settings"


Thanks in advance.

Automate GP Change for "Settings Page"

August 7, 2019, 8:04 am
$
0
0

Hi Guys,

I'm trying to create a automated method to make a change to the following settings in Group Policy:

GP:  Local Computer Policy> Computer Configuration> Administrative Templates> Control Panel> Setting Page Visibility

Settings:

Enable

Optional Settings: Settings Page Visibility "ShowOnly:Display"

What I'm trying to do is find a way to automate the process so that I can add it to my System Centre Configuration Manager's Task Sequence. 

Is anyone familiar with making GP changes within OSD Task Sequence? I'm fairly new to the SCCM, so I'm struggling to set this up. 


Group Policy Error: A referral was returned from the server

January 27, 2017, 5:31 am
$
0
0

I'm stumped on this one.

I have an AD environment with five sites, ten domain controllers.  All DCs are running Server 2012 R2 and that is also the functional level of the domain.  I built up a new print server (running Server 2016 w/ full GUI) and when deploying a printer from print management, I get this error when browsing for the GPO to add the printer to:

"Failed to query for the list of Group Policy Objects linked to this container."  Details:  "A referral was returned from the server."

If I close the error and try browsing again, eventually it will show me all of my OUs and GPOs.  It usually takes about 4 attempts.  I have never seen this error appear anywhere other than print management.  It shows up regardless of whether I'm using print management from my desktop (connected to the print server) or from the print server directly.

I ran a dcdiag and everything passes.  Group policies are applied properly to clients.  At the site my desktop and the print server live in, I've powered off one DC at a time to see if I could isolate it to a request made to one or the other.  There was no change in the behavior when either one was shut down.

Any ideas?  Thanks!

Disbaling access on Shared folder across AD

August 6, 2019, 3:31 am
$
0
0

Hi,

We have shared folders on user's systems across AD.We want to disable the sharing through GPO so that we dont have to do for individual user.Is there a way we can achieve it through GPO?

Install an MSI Package via GPO - Error 1925 - Insufficient Priviledge

August 16, 2019, 9:06 am
$
0
0

Hello,

I can't seem to fix this issue. I created a GPO to run a logon script to install an MSI package and I'm getting an error 1925 - You do not have sufficient privileges to complete this installation for all users of the machine.

I know we can install the MSI package using the Software Installation in Policy > Software Installation (or something like this) but our MSI package just couldn't get installed this way. 

I've tried the startup script to no avail. I"m almost at my wits end here. Any help would be appreciated.

Our script runs this way:

1. Check if the program already exists, if not, proceed to #2

2. msiexec /i \\file path in the network /qn /L C:\temp\logs.txt 

3. end

I can see that the gpo runs due to the Log it creates but returns an error as stated above. 

Configure Windows to use Specific TLS Cipher Suites in Client Hello Packet

August 16, 2019, 10:01 pm
$
0
0

Hi everyone, 

I want to Force only specific ciphersuites on windows in client hello packet. I have done many efforts to do it using windows registry key and powershell cmdlet (Disable-TlsCipherSuite, Enable-TlsCipherSuite) to disable all other ciphersuites and enable the list I need. But when I try to connect to an https service from my application, the list of ciphersuites that are sent in client hello packet are not what I set (using wireshark). 

Is that possible to do this? 

The powershell script I used is: 

get-tlsciphersuite > listciphers.txt
$ciphersuites = New-Object Collections.Generic.List[string]
$reader = New-Object System.IO.StreamReader("listciphers.txt")
$lines = @()
if ($reader -ne $null) {
    while (!$reader.EndOfStream) {
        $line = $reader.ReadLine()
        if ($line.Contains("TLS_")) {
            $newValue = $line -replace "Name", ""
			$newValue = $newValue -replace ":", ""
			$newValue = $newValue.Trim()
			$ciphersuites.Add($newValue)
        }
    }
}
foreach($c in $ciphersuites){
Try{
	$c = """" + $c + """"
	Disable-TlsCipherSuite -Name $c
	write-output $c
	}
	Catch{
		$ErrorMessage = $_.Exception.Message
		$FailedItem = $_.Exception.ItemName
		write-output $ErrorMessage + "Disable" + "  " + $c
	}
}
$preferedCiphersuites = New-Object Collections.Generic.List[string]
$preferedCiphersuites.Add("TLS_RSA_WITH_AES_128_CBC_SHA")
$preferedCiphersuites.Add("TLS_RSA_WITH_AES_256_CBC_SHA")
$preferedCiphersuites.Add("TLS_RSA_WITH_AES_256_CBC_SHA256")
$preferedCiphersuites.Add("TLS_RSA_WITH_AES_128_CBC_SHA256")
$preferedCiphersuites.Add("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
$preferedCiphersuites.Add("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
$preferedCiphersuites.Add("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384")
$preferedCiphersuites.Add("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
foreach($p in $preferedCiphersuites){
Try{
	$p = """" + $p + """"
	Enable-TlsCipherSuite -Name $p
	write-output $p
	}
	Catch{
		$ErrorMessage = $_.Exception.Message
		$FailedItem = $_.Exception.ItemName
		write-output $ErrorMessage + "Enable" + "  " + $p
	}
}

Write-Host -NoNewLine 'Press any key to continue...';
$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');
Thanks in advanced

Search

The following settings have applied to this object. Within this category, Settings nearest the top of the report are the prevailing settings when resolving conflict

August 8, 2019, 7:30 am
$
0
0

I create a group policy that change the Registry. This policy is for disabling Game bar. I need to disable game bar for a software .I have windows server 2012 R2 for AD. Below are the registry setting that have been changed 

Under HKEY_CURREN_USER

SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR - KGLRevision to 0

System\GameConfigStore -GameDVR_Enabled to 0 

I applied the policy for the users account in my organization.

I was testing the policy on one user. I was reviewing the report that I got from running gpresult /h gpreport.html on a CMD with admin privileges. Under both policy I see message "   The following settings have applied to this object. Within this category, Settings nearest the top of the report are the prevailing settings when resolving conflict" and for the result i have success. 

I tried to open the software but it did not open. Amessage pop out saying that game bar still active. Please advise.

Thank you.  

Block selected laptops connecting to the domain using GP

August 18, 2019, 4:04 am
$
0
0


I need to block all computers running windows 10 ,1703 from the network. From SCCM I can get the list of computers running this version and add them to a separate AD group.

But how I'm going to restrict domain connection for a specific group using group policy?
I only want the user to access the local physical drives but no other network resources such as other computers in the same network. 

Is that possible through group policy?

Please help me !

Thank you ..

Any domain user able to access Active Directory RDP

August 12, 2019, 3:53 am
$
0
0

Hello Team ,

Suddenly we started facing one issue .all domain users able to access AD server RDP from my network

i have checked AD server Remote desktop allow service and its restricted to access RDP for all users

please let me if you do you have any solution 

802.11 GPO Not Fully Applying

August 13, 2019, 12:42 pm
$
0
0

We have a strange issue where many newly configured Windows 10 devices are not able to connect to our wireless network.  These devices have the same image and applications, same model, and exist in the same OU.  Some connect fine, others do not.  Plugging the machines back in to a wired port and doing gpupdate /force will fix the issue, but I am curious as to what caused it.

On computers that do not connect, I can confirm that the 802.11 policy exists on the machine through gpresult and rsop.msc.  The profile exists at c:\windows\wlansvc\Policies\Polxxxx.tmp.  However, the registry entry pointing to that file are not there (HKLM\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy).  Copying the registry key from a working machine to a broken machine, changing the file name to match, and rebooting all without being connected allows the machine to connect to the network.

My question is, what would cause the policy to get onto the computer, but not update the registry entry?

Printers deployed using group policy preferences taking a long time - implemented by someone else

August 19, 2019, 1:04 am
$
0
0

My colleague is deploying printers in an Active Directory domain using Group Policy Preferences with Item Level Targeting.

The domain structure could be described as flat, all users are in one container (this is an inherited Active Directory)

The domain controllers are in the US and the UK and we have physical sites globally connected to those DC's using 2Mbps links.

The item level targeting is using the following type of WMI query to assign the printer based on IP gateway.

Select * from Win32 IP4Routetable where Destination = '0.0.0.0' and (NextHop = '10.100.100.1') OR (NextHop = '10.100.200.1') etc. etc.

There could be up to eight (8) additional IP's to check on that particular printer preference item for the printer queue.

However, that is not the only printer queue in the same policy using item level targeting.

There are currently five more and each one has the item level targeting with the WMI IP4Routetable query.

There are more being added using this method.

I have noticed that this section of the Group Policy is taking a long time to process when clients are connected on remote sites that do not have a domain controller, and I have said that this is because the policies are not being applied selectively to an organisation unit that contains the correct users for the locale due to the flat hierarchical structure but also due to the WMI query used.

I also suggested that the printer queues are split into individual GPO's and targeted using a security group and that while there is a cost in evaluating the user in the security group, it will be quicker than having all the printer queues in one GPO, the more printers that are added to this policy, the longer the processing will take as it evaluates every printer queue with the WMI IP4Routetable query.

What would people suggest?

many thanks

WMI FILTER FOR AD- LAPTOPS DESKTOPS Mini-Pc ..

August 19, 2019, 1:46 am
$
0
0

i search for a good wmi filter

to add my GPO in my AD

i want to find laptops OR desktops / mini PC ...

i try to use

DESTOPS:

select * from Win32_SystemEnclosure where ChassisTypes = "3" or ChassisTypes = "4" or ChassisTypes = "5" or ChassisTypes = "6" or ChassisTypes = "7" or ChassisTypes = "15" or ChassisTypes = "16"  or ChassisTypes = "35"

LAPTOPS:

select * from Win32_SystemEnclosure where ChassisTypes = "8" or ChassisTypes = "9" or ChassisTypes = "10" or ChassisTypes = "11" or ChassisTypes = "12" or ChassisTypes = "14" or ChassisTypes = "18" or ChassisTypes = "21"

but something is missing in the wmi

PLEASE ADVICE

I USE TO WORK WITH

Select * from Win32_PhysicalMemory WHERE (FormFactor != 12)

^ Desktop

Select * from Win32_PhysicalMemory WHERE (FormFactor = 12)

^ Laptop

but with this wmi min_pc- is marked as LAPTOPS

WMI FILTER FOR AD- LAPTOPS DESKTOPS Mini-Pc ..

August 19, 2019, 2:55 am
$
0
0

i search for a good wmi filter

to add my GPO in my AD

i want to find laptops OR desktops / mini PC ...

i try to use

DESTOPS:

select * from Win32_SystemEnclosure where ChassisTypes = "3" or ChassisTypes = "4" or ChassisTypes = "5" or ChassisTypes = "6" or ChassisTypes = "7" or ChassisTypes = "15" or ChassisTypes = "16"  or ChassisTypes = "35"

LAPTOPS:

select * from Win32_SystemEnclosure where ChassisTypes = "8" or ChassisTypes = "9" or ChassisTypes = "10" or ChassisTypes = "11" or ChassisTypes = "12" or ChassisTypes = "14" or ChassisTypes = "18" or ChassisTypes = "21"

but something is missing in the wmi

PLEASE ADVICE

I USE TO WORK WITH

Select * from Win32_PhysicalMemory WHERE (FormFactor != 12)

^ Desktop

Select * from Win32_PhysicalMemory WHERE (FormFactor = 12)

^ Laptop

but with this wmi min_pc- is marked as LAPTOPS
Search

Unable to create new Registry Key using GPO

August 19, 2019, 2:59 am
$
0
0

Hello Guys,

I am trying to create a Registry Key [[HKCU\SOFTWARE\Policies\Microsoft\OneDrive]"DisablePersonalSync"="dword:00000001"], using the below.

Computer Configuration -> Preferences -> Windows Settings -> Registry -> New Registry Item

For some reason, i was able to create the Key.

But when i assigned the GPO to an OU - the machines are not getting the registry keys even after forcing the gpupdate and restarting the machine.

Any suggestions would be much appreciated.

Regards,

Prasad

Hide System Drive

August 19, 2019, 3:26 am
$
0
0

Hi guys, 

pls for help... I'm trying to hide a system driver for domain users (Client PC), but GPO does not work... I'm 100% sure, GPO is applied.

gpresult /R show this GPO as Applied.

Users Configuration -> Policies -> Administrative Templates:Policy definitions -> Windows Component -> File explorer -> Hide these specified drives in My Computer -> Restrict C drive only. This GPO is enabled, but does not work... GPO does not hide any drive, for example D: drive....  

Domain and Forest funcional lvl is 2012R2

Client Windows is in version 1809 or 1903.

Some advice?

Thanks.


Why GPO stays on PC after moving the PC to another OU?

August 19, 2019, 6:02 am
$
0
0

Hello Microsoft Community,

I'm trying to understand this behavior

I have 1 PC in test OU with disabled inheritance, This OU has 2 GPO's:

1)UAC enabled 

2)Enforced lock screen after 15min.

after moving this PC in the active directory to another OU with different GPO's 

The GPO's from test OU staying with the PC local security settings even after restart..

This is how it suppost to be? I dont want to change local security settings manually everytime I test something.

How to disable Store in Win10 Pro workstations?

August 19, 2019, 6:11 am
$
0
0

Hello Microsoft Community,

I'm trying to disable the Store in Win10 Pro workstations..

turn off the store application policy is not working.

I also tried to disable the store with Software restriction policies by adding HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore < as disallowed, still not working..

I tried to block the store with blocking outbound connections in the firewall policy:

%ProgramFiles%\WindowsApps\Microsoft.WindowsStore_11906.1001.24.0_x64__8wekyb3d8bbwe\WinStore.App.exe

not working as well..

How do I block the Store?


Graying out Dynamic lock

August 19, 2019, 11:02 am
$
0
0
I was just talking with a Microsoft tech because I had Dynamic Lock;Allow Windows to automatically lock your device when you're away was grayed out and the tech set "Turn on Script Execution" toNot Configured and Allow Windows to automatically lock your device when you're awaywas no longer grayed out.  Why would setting Powershell Script execution to Not Configured in the Group Policy Editor re-enable that check box and not something under Windows Hello for Business?

Whitequill Riclo 57 68 69 74 65 71 75 69 6c 6c 20 52 69 63 6c 6f 87 104 105 116 101 113 117 105 108 108 32 82 105 99 108 111 01010111 01101000 01101001 01110100 01100101 01110001 01110101 01101001 01101100 01101100 00100000 01010010 01101001 01100011 01101100 01101111

Viewing all 19997 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>