Channel: Group Policy forum

Setting registry audit settings (system access control lists, SACLs) via GPO without modifying existing registry key discretionary access control lists (DACLs)


Hello and Merry Christmas,

I want to be notified via the security event log when a new registry key is created under the following branch (and some others):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates

What I first did was activate auditing via GPO.

So far, so clear; no problems.

Now I configured a new GPO with the system access control lists (SACLs) and discretionary access control lists (DACLs). The problem is I do not want to configure any DACLs. I just want to configure SACLs for auditing and want the DACLs on the configured servers left untouched.

Here is my configuration of the second GPO.

My problem is I cannot find a way to configure just the audit part in the GPO (red part in the screenshot) without setting any DACLs (green part in the screenshot):
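One way around the limitation described above, given here as an added example that is not part of the post: the Registry node under Security Settings edits one security descriptor that carries both the DACL and the SACL (the red and green parts of the screenshot), with no audit-only mode. A script that runs with SeSecurityPrivilege, for instance a GPO computer startup script executing as SYSTEM, can instead add an audit entry to the key's SACL and leave the DACL exactly as it is, because only the modified section of the descriptor is written back. The key path is the one from the post; auditing Everyone for successful CreateSubKey, non-inherited, is an assumption about what the poster wants.

```powershell
# Added example (not from the post): append a "create sub-key" audit ACE to a
# registry key's SACL without rewriting its DACL. Run elevated or as SYSTEM;
# reading or writing a SACL requires SeSecurityPrivilege.

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'

function Add-RegistryCreateSubKeyAudit {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Identity = 'Everyone'   # assumption: audit every principal
    )
    # -Audit loads the SACL section alongside the DACL; without it the object
    # carries no SACL to add a rule to.
    $acl = Get-Acl -Path $Path -Audit

    $rights = [System.Security.AccessControl.RegistryRights]::CreateSubKey
    $rule = [System.Security.AccessControl.RegistryAuditRule]::new(
        $Identity,
        $rights,
        [System.Security.AccessControl.InheritanceFlags]::None,   # this key only
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)

    # Idempotency: skip if an equivalent Success entry for this identity exists.
    $already = $acl.GetAuditRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.IdentityReference.Value -eq $rule.IdentityReference.Value -and
            (($_.RegistryRights -band $rights) -eq $rights) -and
            (($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) -ne 0)
        }
    if ($already) { return $false }

    $acl.AddAuditRule($rule)
    # Only the audit rules changed, so only the SACL section is persisted; the
    # DACL and owner already on the key stay as they are.
    Set-Acl -Path $Path -AclObject $acl
    return $true
}

# A SACL produces events only if Object Access > Registry auditing is on for
# Success (the post says auditing is enabled via GPO; this confirms it locally).
auditpol /get /subcategory:"Registry"

if (Add-RegistryCreateSubKeyAudit -Path $KeyPath) {
    "Audit ACE added to $KeyPath"
} else {
    "Equivalent audit ACE already present on $KeyPath"
}

# Show the SACL entries now on the key; the DACL (.Access) is unchanged.
(Get-Acl -Path $KeyPath -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags, IsInherited -AutoSize
```

Creating a key directly under the audited path then shows up in the Security log as 4656/4663 events from the Registry subcategory with "Create sub-key" in the access list. Because the entry is added with InheritanceFlags None, keys created deeper in the tree are not covered; use ContainerInherit if that is wanted.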



Disabling OneDrive wizard / next->next end user guide


OneDrive for Business is used without any restrictions, but we want to disable the Next->Next wizard for end users, so they would only enter their credentials, click Next once and then it would be done. Now there is a long wizard appearing by default, and not everyone understands the new Next->Next arrows; many people just stare at the first page and wait for it to complete.

I updated the latest GPO templates for Office 2016 / O365 in our AD domain and I cannot identify any setting appropriate for this need.


MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

Use software rendering instead of GPU rendering in IE9


Hi there,

I have copied the .admx and .adml files from my computer, where I have IE9 installed, to %systemroot%\sysvol\domain\policies\PolicyDefinitions and %systemroot%\sysvol\domain\policies\PolicyDefinitions\en-us.

 

However, when I try to find the setting "Use software rendering instead of GPU rendering" shown here: http://www.trishtech.com/internet/use_software_rendering_in_internet_explorer_9.php - I cannot find it.

Where do I look for that setting?

Thanks,

Steve.

 

GPO Site to Zone Assignment List missing


I have been searching the Internet for the past darn 3-4 hours looking for a way to add a site (a web site, that is) to my Trusted Sites under the Security tab in Internet Explorer on a Windows 2012 R2 Remote Desktop Session Host, to no avail.

Everyone talks about Group Policy and adding the zone in the "Site to Zone Assignment List". There is no such thing!!! It is hilarious that when I type in the title, the search gives me the option for the last couple of words, meaning others have searched for the same darn thing, but NONE of the answers has anything to do with the MISSING part. It is really frustrating.

Does anyone know how to add a site that all of my 350 Remote Desktop users need in order to work to the Trusted Sites? The "Add" button is greyed out, meaning that I cannot even add it for a single user, and I have full admin rights, but this is not what I want to do. I want that site to be a trusted site for all 350 users.

ONCE AGAIN, THERE IS NO "SITE TO ZONE ASSIGNMENT LIST" UNDER THE FOLLOWING:

USER CONFIGURATION/ADMIN TEMPLATES/WINDOWS COMPONENTS/INTERNET EXPLORER/INTERNET CONTROL PANEL/SECURITY PAGE/

I only have the following

Internet Zone, Intranet Zone, Local Machine Zone, Locked-down Internet Zone, Locked-down Intranet Zone, Locked-down Local Machine Zone, Locked-down Restricted Sites Zone, Locked-down Trusted Sites Zone, Restricted Sites Zone, and Trusted Sites Zone.
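An added example, not from the post: the "Site to Zone Assignment List" setting is defined in inetres.admx under both Computer and User Configuration at Windows Components\Internet Explorer\Internet Control Panel\Security Page, so when it is absent from the editor the usual cause is an incomplete or mismatched inetres.admx/.adml pair in the central store. Whatever the editor shows, the setting itself only writes REG_SZ values under ...\Internet Settings\ZoneMapKey, one per site with the zone number (1 intranet, 2 trusted, 3 internet, 4 restricted) as the data, and that can be written directly (startup script, Group Policy Preferences Registry item). The script below does that for the per-computer (HKLM) variant, lists the assignments, and checks the two policies that grey out the Add button: "Security zones: Do not allow users to add/delete sites" and the presence of a policy-defined zone map. The URL is a placeholder.

```powershell
# Added example (not from the post): manage Internet Explorer zone assignments through
# the same registry values the "Site to Zone Assignment List" policy writes.
# Run elevated for the HKLM (per-computer) variant. The URL is a placeholder.

$ZoneMapKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$IePolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneIds    = @{ Intranet = 1; Trusted = 2; Internet = 3; Restricted = 4 }
$ZoneNames  = @{ 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Add-SiteToZone {
    param(
        [Parameter(Mandatory)] [string] $Url,   # e.g. https://app.example.com or *.example.com
        [Parameter(Mandatory)] [ValidateSet('Intranet', 'Trusted', 'Internet', 'Restricted')] [string] $Zone
    )
    if (-not (Test-Path $ZoneMapKey)) { New-Item -Path $ZoneMapKey -Force | Out-Null }
    # Value name = site, data = zone number as REG_SZ, exactly as the ADMX setting stores it.
    Set-ItemProperty -Path $ZoneMapKey -Name $Url -Value ([string]$ZoneIds[$Zone]) -Type String
}

function Get-SiteZoneAssignments {
    if (-not (Test-Path $ZoneMapKey)) { return @() }
    $item = Get-ItemProperty -Path $ZoneMapKey
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # skip the provider's PSPath/PSParentPath/... metadata
        [pscustomobject]@{ Site = $p.Name; Zone = $ZoneNames[[int]$p.Value]; Id = [int]$p.Value }
    }
}

function Test-ZoneListLocked {
    # Either condition greys out Add/Remove in the Sites dialog: the explicit
    # "do not allow users to add/delete sites" policy, or a policy-defined zone map.
    $v = Get-ItemProperty -Path $IePolicy -Name Security_zones_map_edit -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AddDeleteDisabledByPolicy = ($null -ne $v -and [int]$v.Security_zones_map_edit -eq 1)
        PolicyZoneMapPresent      = (Test-Path $ZoneMapKey)
    }
}

Add-SiteToZone -Url 'https://app.example.com' -Zone Trusted   # placeholder URL
Get-SiteZoneAssignments | Format-Table -AutoSize
Test-ZoneListLocked
```

Once a policy zone map exists, Internet Explorer treats it as the authoritative list for every user on the machine, which is also why the Add button stays greyed out after the assignment is in place.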


GPO to Windows Autopilot


Is there any way to move or copy the entire current GPO settings to Windows Autopilot?

Configure Windows to use Specific TLS Cipher Suites in Client Hello Packet


Hi everyone, 

I want to force only specific cipher suites on Windows in the Client Hello packet. I have made many attempts to do it using Windows registry keys and the PowerShell cmdlets (Disable-TlsCipherSuite, Enable-TlsCipherSuite) to disable all other cipher suites and enable the list I need. But when I try to connect to an HTTPS service from my application, the list of cipher suites sent in the Client Hello packet is not what I set (checked using Wireshark).

Is it possible to do this?

The PowerShell script I used is:

# Disable every cipher suite currently enabled, then enable only the preferred list.
# Requires the TLS module (Windows 10 / Server 2016 or later) and an elevated session.
# Names are passed as-is: wrapping them in literal double quotes makes the quotes
# part of the -Name value and the cmdlets fail to find the suite.
$currentCipherSuites = (Get-TlsCipherSuite).Name
foreach ($c in $currentCipherSuites) {
    try {
        Disable-TlsCipherSuite -Name $c -ErrorAction Stop
        Write-Output "Disabled $c"
    }
    catch {
        Write-Output "Disable failed for ${c}: $($_.Exception.Message)"
    }
}

$preferredCipherSuites = @(
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
)

# -Position inserts the suite at that index of the priority list, so the order of
# $preferredCipherSuites becomes the negotiation order.
$position = 0
foreach ($p in $preferredCipherSuites) {
    try {
        Enable-TlsCipherSuite -Name $p -Position $position -ErrorAction Stop
        Write-Output "Enabled $p at position $position"
        $position++
    }
    catch {
        Write-Output "Enable failed for ${p}: $($_.Exception.Message)"
    }
}

Write-Host -NoNewLine 'Press any key to continue...'
$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown')
Thanks in advance
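Two things that commonly explain a Client Hello that does not match the list set with Enable-/Disable-TlsCipherSuite, given here as an added example rather than anything from the post. First, the "SSL Cipher Suite Order" Group Policy setting writes a comma-separated REG_SZ named Functions under HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002, and when that value is present Schannel uses it instead of the local list the cmdlets edit, so cmdlet changes appear to do nothing on a policy-managed machine. Second, only software that goes through Schannel (.NET, WinHTTP/WinINet, Internet Explorer) is affected at all; an application that ships its own TLS library (OpenSSL-based code, Java, a browser with its own stack) builds its own Client Hello and ignores the Windows list entirely. The script shows the policy list, the local list and what Get-TlsCipherSuite reports, and can write the policy value; the suites are the ones from the post, in the order given there.

```powershell
# Added example (not from the post): compare the Schannel cipher-suite policy
# ("SSL Cipher Suite Order" GPO), the local list edited by Enable-/Disable-TlsCipherSuite,
# and what Get-TlsCipherSuite reports; optionally write the policy value. Run elevated.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

# Suite names from the post, in the order they were enabled there.
$Wanted = @(
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
)

function Get-TlsCipherSuitePolicy {
    # The GPO writes one REG_SZ named Functions, comma separated. $null means no policy.
    $v = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }
    return @($v.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Set-TlsCipherSuitePolicy {
    param([Parameter(Mandatory)] [string[]] $Suites)
    $list = $Suites -join ','
    # The policy value is a single string and is limited to 1023 characters.
    if ($list.Length -gt 1023) {
        throw "Cipher suite list is $($list.Length) characters; the policy value allows 1023."
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name Functions -Value $list -Type String
    return $list
}

function Compare-TlsCipherSuiteLists {
    param([Parameter(Mandatory)] [string[]] $Wanted)
    $policy   = Get-TlsCipherSuitePolicy
    $local    = @((Get-ItemProperty -Path $LocalKey -Name Functions -ErrorAction SilentlyContinue).Functions)  # REG_MULTI_SZ
    $reported = @((Get-TlsCipherSuite).Name)
    [pscustomobject]@{
        PolicyPresent       = ($null -ne $policy)
        PolicySuites        = $policy
        LocalSuites         = $local
        ReportedSuites      = $reported
        MissingFromReported = @($Wanted   | Where-Object { $_ -notin $reported })
        ExtraInReported     = @($reported | Where-Object { $_ -notin $Wanted })
    }
}

$state = Compare-TlsCipherSuiteLists -Wanted $Wanted
$state | Format-List
if ($state.PolicyPresent) {
    'A cipher suite order policy is in force: the local cmdlets will not change what Schannel offers.'
    # To set the order through the policy value instead (then reboot):
    # Set-TlsCipherSuitePolicy -Suites $Wanted
}
```

If the Functions policy value is delivered by a GPO, a local write is overwritten at the next refresh, so change it in the GPO rather than on the machine. After confirming the list, the Wireshark capture from the post is the right check; if the Client Hello still differs, the application is not using Schannel.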

Any domain user able to access Active Directory RDP


Hello Team ,

Suddenly we started facing an issue: all domain users are able to access the AD server via RDP from my network.

I have checked the AD server's Remote Desktop allow settings, and RDP access is restricted for all users.

Please let me know if you have any solution.
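An added check, not from the post: on a domain controller the Remote Desktop settings in System Properties are only part of the picture. Who can actually log on over RDP is decided by the "Allow log on through Remote Desktop Services" and "Deny log on through Remote Desktop Services" user rights in whichever GPO wins on the Domain Controllers OU (Administrators only in the Default Domain Controllers Policy), together with membership of the Remote Desktop Users group. A GPO that grants the right to Authenticated Users or Domain Users, or an over-broad Remote Desktop Users group, opens RDP to every domain user regardless of the System Properties dialog. The script exports the effective rights with secedit, resolves the SIDs, lists the group members and flags broad grants; run it elevated on the DC.

```powershell
# Added example (not from the post): list who is allowed (and denied) RDP logon
# on this machine according to the effective security policy, plus the
# Remote Desktop Users group. Run elevated on the domain controller. Read-only.

function ConvertFrom-SeceditPrincipal {
    param([string] $Token)
    # secedit writes SIDs as *S-1-5-32-544 and some well-known names verbatim
    $t = $Token.Trim()
    if ($t.StartsWith('*S-1-')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($t.TrimStart('*'))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $t }
    }
    return $t
}

function Get-RdpLogonRights {
    $cfg = Join-Path $env:TEMP ('rdp-rights-{0}.inf' -f [guid]::NewGuid())
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{ SeRemoteInteractiveLogonRight = @(); SeDenyRemoteInteractiveLogonRight = @() }
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^(SeRemoteInteractiveLogonRight|SeDenyRemoteInteractiveLogonRight)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { ConvertFrom-SeceditPrincipal $_ })
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AllowLogonThroughRds = $rights.SeRemoteInteractiveLogonRight
        DenyLogonThroughRds  = $rights.SeDenyRemoteInteractiveLogonRight
    }
}

function Get-RemoteDesktopUsersMembers {
    # The WinNT provider works on member servers and on DCs (where this is the domain's Builtin group).
    $group = [ADSI]'WinNT://./Remote Desktop Users,group'
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $path -replace '^WinNT://', '' -replace '/', '\'
    }
}

$r = Get-RdpLogonRights
'Allow log on through Remote Desktop Services: ' + ($r.AllowLogonThroughRds -join ', ')
'Deny  log on through Remote Desktop Services: ' + ($r.DenyLogonThroughRds -join ', ')
'Remote Desktop Users members: ' + ((Get-RemoteDesktopUsersMembers) -join ', ')

# Grants that expose RDP to every domain account
$broad = @('NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Users')
$r.AllowLogonThroughRds | Where-Object { $_ -in $broad -or $_ -like '*\Domain Users' } |
    ForEach-Object { "WARNING: '$_' holds the RDP logon right on this machine" }
```

To see which GPO delivered each of the two rights, gpresult /scope computer /v on the DC lists the user rights with the winning GPO beside them, which is the quickest way to find a newly linked or edited policy behind a sudden change like the one described.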

Server 2016 GPO - WMI filter False but application executes anyway


A GPO for Windows 10 users / machines contains a setting to execute a particular application. Security filtering for Authenticated Users and a group containing the Windows 10 clients. WMI filter for Windows 10. Works fine. I don't want this GPO applied to anything but Windows 10 machines, hence the WMI filter. But if I log on to a Server 2016 machine, the application mentioned above DOES get executed.

So I ran gpresult to find out which GPOs are applied and denied. Sure enough, the Windows 10 policy is denied (Machine and User) because of the WMI filter. Also, the setting defining the execution of the application isn't among the applied settings.

Looks like everything is OK, except for the unwanted program execution. Anyone have a clue?

Simon Weel
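An added check, not from the post: a WMI filter is a WQL query that the Group Policy client evaluates against root\CIMv2 on the machine, so the same query can be run locally with Get-CimInstance on both a Windows 10 client and the Server 2016 box to see exactly what the filter decides. One caveat worth knowing while doing so: Windows 10 and Server 2016 both report Version 10.0.x, so a filter that tests only Version matches the server as well; ProductType (1 = workstation, 2 = domain controller, 3 = server) is what separates them. The two query strings are assumptions about what a "Windows 10 only" filter could contain. When the filter evaluates to false here, as the gpresult in the post already indicates, the program is being started by something other than this GPO, and the local autostart locations (Run keys, scheduled tasks with logon triggers, Startup folders) are the next place to look.

```powershell
# Added example (not from the post): evaluate WMI-filter queries locally the way
# the Group Policy client does. Both query strings are assumptions about what a
# "Windows 10 only" filter could contain.

function Test-WmiFilterQuery {
    param([Parameter(Mandatory)] [string] $Query)
    # A WMI filter passes when the WQL query returns at least one instance.
    $result = Get-CimInstance -Namespace 'root\CIMv2' -Query $Query -ErrorAction Stop
    return [bool]($result | Measure-Object).Count
}

$os = Get-CimInstance -ClassName Win32_OperatingSystem
'{0}  Version={1}  ProductType={2}' -f $os.Caption, $os.Version, $os.ProductType

$filters = [ordered]@{
    # Matches Windows 10 *and* Server 2016/2019: all of them report Version 10.0.x
    'Version only'            = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '10.0%'"
    # ProductType = 1 restricts the filter to workstations
    'Version and ProductType' = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '10.0%' AND ProductType = 1"
}

foreach ($name in $filters.Keys) {
    [pscustomobject]@{ Filter = $name; Applies = (Test-WmiFilterQuery -Query $filters[$name]) }
}
```

Run on a Server 2016 machine, the first query reports Applies = True and the second Applies = False, which is the difference between a filter that merely looks right and one that actually excludes servers.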




Group Policy Error: A referral was returned from the server


I'm stumped on this one.

I have an AD environment with five sites, ten domain controllers.  All DCs are running Server 2012 R2 and that is also the functional level of the domain.  I built up a new print server (running Server 2016 w/ full GUI) and when deploying a printer from print management, I get this error when browsing for the GPO to add the printer to:

"Failed to query for the list of Group Policy Objects linked to this container."  Details:  "A referral was returned from the server."

If I close the error and try browsing again, eventually it will show me all of my OUs and GPOs. It usually takes about 4 attempts. I have never seen this error appear anywhere other than Print Management. It shows up regardless of whether I'm using Print Management from my desktop (connected to the print server) or from the print server directly.

I ran dcdiag and everything passes. Group policies are applied properly to clients. At the site where my desktop and the print server live, I've powered off one DC at a time to see if I could isolate it to a request made to one or the other. There was no change in the behaviour when either one was shut down.

Any ideas?  Thanks!

Disabling access to shared folders across AD


Hi,

We have shared folders on users' systems across AD. We want to disable the sharing through GPO so that we don't have to do it for each individual user. Is there a way we can achieve it through GPO?

Windows firewall domain profile not obey GPO


Hi

I am looking to set the Windows Defender Firewall via Group Policy.

I have configured the settings in Group Policy and can see that the Private and Public profiles are turned on and configured as expected.

The Domain profile, though, won't bite and remains off! I've done a gpresult and see the policy has applied.

Restarted the machine,

blocked inheritance,

enforced the policy,

moved the policy to highest precedence,

gpupdate /force, wait an hour, repeat.

Double checked, and the policy is definitely set to On in the GPO:

Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security

Tried internet searches and now out of ideas

Anyone encountered this?





confuseis

Removing Group Policy Printers Catastrophic Error


Hi,

Removing old printers from an old server was working fine while the old server was still online, but as soon as I turned it off, users who hadn't already logged on got the catastrophic error. Any ideas?

Kind Regards,

John

Group Policy Status Page not correct


Hi,

I have just demoted a domain controller as I was replacing a single-server domain...

The status page on the Group Policy update still says 1 server in sync, unless I click Change on the status page and select the server from there in lower case (it is otherwise in upper case)... so in lower case it shows up fine.

Any ideas?

Kind Regards,

John

Network drive issue "Local device name is already in use"


Hi All,

Many users keep getting the message "An error occurred connecting to <specific drive>. The local device name is already in use."

No "net use" command is used for the mapping, and this issue happens to different users at random times. So I suspect there might be some issue in the Group Policy for network drives or in AD? (The user PCs are on Windows 10.) There are no duplicate drive letters, and none of those users have any USB drives or hard drives plugged into their laptops...

Can somebody please guide me on what can be done to resolve the issue?

Editing Extra Registry Settings in GPO

Hi All,

Can anyone let me know how to edit the GPO below:


Computer Configuration (Enabled)
  Policies
    Administrative Templates
      Policy definitions (ADMX files) retrieved from the local computer.
      Extra Registry Settings
        Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.
        Setting: Software\Policies\Microsoft\OneDrive\AllowTenantList\8a8efd4b-5dbd-49d6-90ba-378e8a388cb2
        State:   8a8efd4b-5dbd-49d6-90ba-378e8a388cb2

 



I can't seem to find "Extra Registry Settings".


Thanks in advance.

Software Restriction Policy GPO is applied but doesn't work


Hi guys, 

It doesn't work at all, even in a very basic implementation.

Security Level is set to Disallowed.

Added just one rule.

GPO is applied to an OU with computer objects.

Below is the output of the gpresult /scope computer /r command, the Group Policy Results report and RSoP.

C:\WINDOWS\system32>gpresult /scope computer /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2018 Microsoft Corporation. All rights reserved.

Created on ‎16/‎08/‎2019 at 12:23:35 PM

RSOP data for  on YY-YYYYY : Logging Mode
------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  10.0.17134
Site Name:                   Office
Roaming Profile:
Local Profile:
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
    CN=YY-YYYYY,OU=Desktops,OU=Computers,OU=XXXXXXX,OU=XXXXXXXXXX,DC=XXXXXXXXXXX,DC=com
    Last time Group Policy was applied: 16/08/2019 at 12:14:26 PM
    Group Policy was applied from:      adsvr1.xxxxxxxxxx.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        XXXXXXXXXX
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Test CA Enrollment
        SRP - Desktops
        Application Hardening - Computer
        Bitlocker-Computer
        EventTracker-computer
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        XXXXXXXXXX
            Filtering:  Denied (Security)

        Sleep Mode for Desktops 
            Filtering:  Disabled (Link)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        YY-YYYYY$
        Domain Computers
        Authentication authority asserted identity
        System Mandatory Level

I referred to multiple articles and am pretty sure that the path is specified correctly.

Is there any log I can check to find out why this is so?

Thanks. 
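Some added checks, not from the post, for the case where gpresult lists the SRP GPO as applied and yet nothing is blocked. "Applied" only means the client-side extension ran; what actually reached the machine is written to HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, so reading that key is the next step: DefaultLevel (0 = Disallowed, 262144 = Unrestricted), TransparentEnabled (1 = all software files except libraries, 2 = all software files, so DLLs are untouched with the default), PolicyScope (0 = all users, 1 = all users except local administrators, which silently exempts an admin test account), ExecutableTypes (a file type not on that list is never evaluated), and the rules under the per-level subkeys. As for logs, SRP keeps its own trace when a LogFileName value is present in that key, and writes events 865 (blocked by the default level) and 866 (blocked by a path rule) to the Application log. The log path is a placeholder, and a later policy refresh can rewrite the key, so treat LogFileName as a troubleshooting-session setting.

```powershell
# Added example (not from the post): inspect the Software Restriction Policy state that
# actually reached this machine, enable SRP's own log file, and read SRP block events.
# Run elevated. The log path is a placeholder.

$Safer  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Levels = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpRules {
    # Rules live at CodeIdentifiers\<level>\<Paths|Hashes|UrlZones|Certificates>\<GUID>
    foreach ($lvl in Get-ChildItem -Path $Safer -ErrorAction SilentlyContinue) {
        $id = $lvl.PSChildName -as [int]
        $levelName = if ($null -ne $id -and $Levels.ContainsKey($id)) { $Levels[$id] } else { $lvl.PSChildName }
        foreach ($kind in Get-ChildItem -Path $lvl.PSPath) {
            foreach ($rule in Get-ChildItem -Path $kind.PSPath) {
                $d = Get-ItemProperty -Path $rule.PSPath
                $data = $d.ItemData
                if ($data -is [byte[]]) { $data = ($data | ForEach-Object { $_.ToString('x2') }) -join '' }  # hash rules
                [pscustomobject]@{ Level = $levelName; Type = $kind.PSChildName; Data = $data; Description = $d.Description }
            }
        }
    }
}

function Get-SrpState {
    if (-not (Test-Path $Safer)) { return $null }     # policy never wrote SRP here
    $p = Get-ItemProperty -Path $Safer
    $enforce = switch ([int]$p.TransparentEnabled) { 1 { 'All software files except libraries (DLLs)' } 2 { 'All software files' } default { "$($p.TransparentEnabled)" } }
    $scope   = switch ([int]$p.PolicyScope)        { 0 { 'All users' } 1 { 'All users except local administrators' } default { "$($p.PolicyScope)" } }
    [pscustomobject]@{
        DefaultLevel    = $Levels[[int]$p.DefaultLevel]
        Enforcement     = $enforce
        AppliesTo       = $scope
        ExecutableTypes = $p.ExecutableTypes
        LogFile         = $p.LogFileName
        Rules           = @(Get-SrpRules)
    }
}

function Enable-SrpLogging {
    param([string] $Path = 'C:\Temp\srp.log')   # placeholder
    New-Item -ItemType Directory -Path (Split-Path -Path $Path) -Force | Out-Null
    Set-ItemProperty -Path $Safer -Name LogFileName -Value $Path -Type String
    return $Path
}

function Get-SrpBlockEvents {
    param([int] $Newest = 20)
    # 865 = blocked by the default level, 866 = path rule, 867 = certificate rule,
    # 868 = zone rule, 882 = hash rule. All land in the Application log.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865, 866, 867, 868, 882 } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$state = Get-SrpState
if ($null -eq $state) {
    'No SRP configuration under Safer\CodeIdentifiers: the GPO setting never reached this machine.'
} else {
    $state | Select-Object DefaultLevel, Enforcement, AppliesTo, ExecutableTypes, LogFile | Format-List
    $state.Rules | Format-Table -AutoSize
}
$log = Enable-SrpLogging
"SRP will record every evaluation in $log until the policy key is rewritten."
Get-SrpBlockEvents
```

The trace file records one line per evaluation, naming the process, the file and the rule that matched, so after reproducing a launch that should have been blocked it shows directly whether SRP looked at the file at all and which rule (or the default level) decided.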

Printer GPO - Per Computer - Not deploying printers


Hi Fellow Technetters,

I am trying to deploy network printers to domain accounts and also to local admin accounts that are logged in to domain machines.

My first, per-user GPO is linked to our entire UK OU, which contains all our users and computers in sub-OUs. This GPO works well; any domain user has the printers auto-mapped to their Windows account.

The second GPO is linked to our computer OU and is item-level targeted to apply to this OU (not needed, I think); this GPO is enforced. This GPO is set up to install TCP/IP printers, not shared printers. When running gpresult /r /scope computer I can see that the second, per-machine GPO is applied first, but the second is also on the list.

I've set the printer GPO options in the per-machine GPO to allow Point and Print without elevation and specified the FQDN of the print server.

The local admins are not seeing the printers auto-mapped.

What is going wrong here?


OneDrive Sync Client Group Policy Difficulties


Hi all, we're trying to set up the Group Policies that come with the OneDrive sync client so that we can automatically sign users into OneDrive, as well as enabling Files On-Demand for everyone; however, we don't seem to be having much luck.

Following Microsoft's guide for configuring OneDrive policies doesn't seem to work: after adding the .admx and .adml files to our central store, trying to open the templates gives the error below:

"Resource '$(string.GPOSetUpdateRing)' referenced in attribute displayName could not be found.

File \\domain.co.uk\SysVol\domain.co.uk\Policies\PolicyDefinitions\OneDrive.admx, line 23, column 235"

We're somewhat at a loss as to how to continue. I've seen a few other threads that talk about editing the strings manually, but this isn't really something we'd be comfortable doing; my manager much prefers to install GPOs using an .msi package, so it was already quite difficult to persuade him to use the files provided with the sync client anyway!

I'd be grateful if anyone could offer any suggestions for this, thank you in advance!

Configure Automatic Updates Setting Enquire at GPO

Hi all,

I have a question regarding the GPO "Configure Automatic Updates". I have enabled it and applied the following settings:

Configure automatic updating : Auto download and schedule the install.
Install during automatic maintenance: unchecked 

Schedule install day: Every Wednesday (Note which today is Wednesday)

Schedule install time : 16:00 (which is 4pm)

If you have selected "4 - Auto download and schedule the install" for your scheduled install: Every week

Install updates for other Microsoft product : I Tick the check box

______________________________________________________________

Here is the question: at 4pm I am not getting the update. The machine shows as patched but is not up to date until I check it manually in the Windows settings ("Download now"). How should the behaviour be? Will it start to download exactly at 4pm, or what?

FYI, I am running Windows 10 Pro version 1903.

Is there any log I can check?

Thanks

A GPO/Login Script Is Running, But I Cannot Find From Where


I took over a network that had some AD issues, including GP. We have cleared up the problem (it was a replication issue), and MS Tech Support verified it as now working. I can also create and edit GPOs, and they work.

There is a mishmash of GPOs, a couple of which call batch login scripts, but none of which relate to my issue.

The issue is this...  on every machine, for every user (in the domain), an error message pops up maybe a minute or two after Windows boots that says, "z:\tiremote.exe The system cannot find the drive specified."

In the login scripts, there WERE references to mapping a Z:\ drive and running this "tiremote.exe" (a remote control component of a very old version of the "Track-IT!" helpdesk software). But they are remarked out in all batch scripts, and the SYSVOL of all DCs has the same batch scripts.

In addition, I went over all Group Policy objects, including the default domain policy, and there are no references to a batch script in that one.

I know this is not a remnant that is existing on the computers themselves, as I have built brand new machines, and as soon as I add them to the domain, even when logging in just as the default domain admin, that "Z:\tiremote.exe" error comes up.  Every time, every machine.

When I look at RSoP, I do not see anything that would be applying a script or policy that references this tiremote.exe. I have created a brand new user, in a brand new OU, with a brand new test GPO (very vanilla, no scripts), and STILL the error comes up upon boot. I've also used the tool in the GPMC to test what applies when a user signs on to a given workstation, with several users, on several machines, and I do not see anything that calls this. Unless the REM statements somehow are not working (I guess I could delete them), but this seems highly unlikely to me.

I am wondering if anyone has any ideas on troubleshooting tools I could use other than those I've mentioned, or any ideas on what to try to get rid of this very annoying remnant (it's been popping up on workstations since Track-IT! was decommissioned many years ago). It would be nice to get rid of this ever-present reminder to users that there's something not quite right with the login (even though it affects nothing).

Thank you very much.


T.Murray
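An added example, not part of the post, for hunting a launch point that RSoP and the GPMC modelling wizard do not cover. Two candidates in particular are not Group Policy at all and therefore never show up in either tool, yet follow the user to every freshly built machine: the per-user logon script set on the user object itself (the Profile tab's "Logon script", stored in the scriptPath attribute and run from the DC's NETLOGON share by Winlogon), and the homeDrive/homeDirectory attributes that map a drive letter at logon. The built-in domain Administrator can carry these just like any other account. The script reads those attributes for every user with the built-in ADSI searcher (no RSAT module needed), then inventories the local autostart locations on the workstation it runs on. "tiremote" is taken from the post; everything the script finds depends on the environment.

```powershell
# Added example (not from the post): find where a logon-time command such as
# "z:\tiremote.exe" could be coming from, outside of Group Policy. Read-only.

$Needle = 'tiremote'   # executable name from the post

function Get-AdsiValue {
    param($Result, [string] $Name)
    # ResultPropertyValueCollection -> single string ("" when the attribute is absent)
    return (@($Result.Properties[$Name]) -join ' ')
}

function Find-AdUserLogonScripts {
    # Users whose AD object carries a logon script (scriptPath) or a home drive mapping.
    $searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(|(scriptPath=*)(homeDrive=*)))'
    $searcher.PageSize = 1000
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'scriptpath', 'homedrive', 'homedirectory'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            User          = Get-AdsiValue $r 'samaccountname'
            LogonScript   = Get-AdsiValue $r 'scriptpath'      # relative to \\<dc>\NETLOGON
            HomeDrive     = Get-AdsiValue $r 'homedrive'
            HomeDirectory = Get-AdsiValue $r 'homedirectory'
        }
    }
}

function Find-LocalLaunchPoints {
    param([Parameter(Mandatory)] [string] $Pattern)
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',   # Userinit / Shell
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # provider metadata
            if ("$($p.Value)" -match $Pattern) {
                [pscustomobject]@{ Source = "$k\$($p.Name)"; Command = "$($p.Value)" }
            }
        }
    }
    # Startup folders (all users and current user): shortcuts and scripts, by name or content
    $startup = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
                 "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup")
    foreach ($f in Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue) {
        $content = ''
        if ($f.Extension -in @('.bat', '.cmd', '.vbs', '.ps1')) {
            $content = Get-Content -Path $f.FullName -Raw -ErrorAction SilentlyContinue
        }
        if ($f.Name -match $Pattern -or $content -match $Pattern) {
            [pscustomobject]@{ Source = $f.FullName; Command = $f.Name }
        }
    }
    # Scheduled tasks that fire at logon
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $atLogon = $t.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
        if (-not $atLogon) { continue }
        foreach ($a in $t.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $Pattern) {
                [pscustomobject]@{ Source = "Task $($t.TaskPath)$($t.TaskName)"; Command = $cmd }
            }
        }
    }
}

'== AD user objects with a logon script or home drive =='
Find-AdUserLogonScripts | Format-Table -AutoSize
"== Local launch points mentioning '$Needle' =="
Find-LocalLaunchPoints -Pattern $Needle | Format-Table -AutoSize
```

If the first table lists a LogonScript for the affected accounts, the file it names lives in the NETLOGON share of the DCs and is the batch file to inspect (a REM only disables the one line it is on; a second, un-remarked call further down or a called sub-script still runs). An empty second table on a freshly built machine is itself useful: it says the launch point is server-side and per-user, not something the workstation picked up.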
