Channel: Group Policy forum

Disable Local Administrator Account Setting Not Working


The setting "Accounts: Administrator account status" is not working in my Active Directory. (In Computer Policy | Windows Settings | Security Settings | Local Policies | Security Options)

I just learned this the hard way because somebody hacked into the server using the local administrator account and then encrypted all the files but I digress.

I confirmed that the setting is applied to the server in group policy modeling.

In that case I found it was caused by the minimum password length being set to disabled. This does not apply in my case.

Ideas?
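As an added example (not code from the original post), here is a PowerShell check to run elevated on the affected server. It exports the effective local security policy that the Security Settings extension wrote (secedit), compares the stored "Accounts: Administrator account status" value with the real state of the RID-500 account, and lists recent successful logons by that account from the Security log, since the post describes an intrusion through it. The minimum password length value is shown only because the post mentions it as a known interaction; the script does not assume it is the cause.

```powershell
# Added example, not code from the original post. Run elevated on the affected server.
# Requires Get-LocalUser (Windows 10 / Server 2016 and later); secedit.exe ships with Windows.

function Get-LocalSecurityPolicySection {
    param([string]$Section = 'System Access')
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export the effective local security policy (values written by GPO included) to an INF file
        $null = secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet
        $inSection = $false
        $values = @{}
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq $Section); continue }
            if ($inSection -and $line -match '^\s*(\S+)\s*=\s*(.*)$') {
                $values[$Matches[1]] = $Matches[2].Trim()
            }
        }
        return $values
    }
    finally {
        Remove-Item -Path $inf -Force -ErrorAction SilentlyContinue
    }
}

function Test-BuiltinAdministratorState {
    # Locate the built-in Administrator by its well-known RID 500 rather than by name, in case it was renamed
    $admin  = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $policy = Get-LocalSecurityPolicySection -Section 'System Access'

    # "Accounts: Administrator account status" is stored as EnableAdminAccount (0 = Disabled, 1 = Enabled);
    # an absent key means the setting is Not Defined on this machine.
    $policyValue = $policy['EnableAdminAccount']

    [pscustomobject]@{
        AccountName                 = $admin.Name
        AccountEnabled              = $admin.Enabled
        AccountLastLogon            = $admin.LastLogon
        PolicyEnableAdminAccount    = if ($null -eq $policyValue) { 'Not Defined' } else { $policyValue }
        PolicyMinimumPasswordLength = $policy['MinimumPasswordLength']
        # True when the policy value and the account's real Enabled state agree
        PolicyMatchesAccount        = ($null -ne $policyValue) -and (([int]$policyValue -eq 1) -eq $admin.Enabled)
    }
}

function Get-BuiltinAdministratorLogons {
    param([int]$Days = 7)
    # Successful logons (event 4624) for the RID-500 account. LogonType 10 = RDP, 3 = network (SMB, PsExec-style), 2 = console.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($event in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $data = @{}
        foreach ($node in ([xml]$event.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        if ($data['TargetUserSid'] -like 'S-1-5-21-*-500') {
            [pscustomobject]@{
                Time      = $event.TimeCreated
                Account   = $data['TargetUserName']
                LogonType = $data['LogonType']
                SourceIp  = $data['IpAddress']
                Process   = $data['ProcessName']
            }
        }
    }
}

Test-BuiltinAdministratorState | Format-List
Get-BuiltinAdministratorLogons -Days 30 | Sort-Object Time -Descending | Format-Table -AutoSize
```

If PolicyMatchesAccount comes back False while Group Policy Modeling says the setting applies, the Security Settings extension did not write it on this machine; the extension's own log (%windir%\security\logs\winlogon.log) records why. If the logons list shows LogonType 3 or 10 from unexpected addresses, the account was usable over the network regardless of what the policy intended.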


WMI FILTER FOR AD - LAPTOPS, DESKTOPS, MINI-PC ..


I need advice to find a WMI filter to auto-tag laptops and desktops.

Select * from Win32_PhysicalMemory WHERE (FormFactor = 12)

This is nice for laptops, but it is also the result for mini-PCs.

So for laptops the best option is

Select * from Win32_Battery WHERE (BatteryStatus <> 0)

and now I need a solid WMI filter for desktops + mini-PCs.

Please ADVISE

and THANKS

Not able to apply GPO to Individual User without moving it from current OU


Dear Team, 

I have created one "Test OU" under the parent domain without any inheritance. A GPO is created and linked to this Test OU. If I move any user into this OU, then the GPO works really fine. But as per my requirement, I have to assign this GPO to existing users without changing their locations.

I tried to add those users inside the Security Filtering. I even created one Security Group and made those users its members. Then I added this Security Group to this OU, unticked "Apply this GPO" for Authenticated Users and ticked it for the selected Security Group.

I referred to this article: http://www.grouppolicy.biz/2010/05/how-to-apply-a-group-policy-object-to-individual-users-or-computer/

But still it did not apply my GPO to the individual. I tried to check on the Windows 8 and Windows 10 client side, but I can only see the GPOs applied on the Object Location OU.

Please help me if I have missed or mistaken somewhere.


Kunal Rane
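A GPO reaches a user through two gates in a fixed order: the link decides where it is in scope (the site, domain or OU chain containing the user object), and security filtering then decides who inside that scope applies it. As an added example, not code from the poster, the following PowerShell walks the containers from a user's own OU up to the domain root, lists every GPO linked on the way, and shows which trustees hold the Apply Group Policy permission on each. It assumes the RSAT ActiveDirectory and GroupPolicy modules; the user name in the usage line is a placeholder.

```powershell
# Added example, not code from the original post. Requires RSAT (ActiveDirectory + GroupPolicy modules).
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-UserGpoScope {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties DistinguishedName

    # Containers that can carry GPO links for this user: its OU, every parent OU, and the domain root.
    # (CN= containers such as CN=Users cannot have links, so they are skipped.)
    $dn = $user.DistinguishedName
    $containers = @()
    while ($dn -match '^(?:CN|OU)=[^,]+,(.+)$') {
        $dn = $Matches[1]
        if ($dn -match '^(OU|DC)=') { $containers += $dn }
    }

    foreach ($container in $containers) {
        $inheritance = Get-GPInheritance -Target $container
        foreach ($link in $inheritance.GpoLinks) {
            # Security filtering = trustees holding GpoApply (Read is also needed, GPMC grants both together)
            $applyTo = Get-GPPermission -Guid $link.GpoId -All |
                Where-Object { $_.Permission -eq 'GpoApply' } |
                ForEach-Object { $_.Trustee.Name }
            [pscustomobject]@{
                Container          = $container
                GPO                = $link.DisplayName
                LinkEnabled        = $link.Enabled
                Enforced           = $link.Enforced
                InheritanceBlocked = $inheritance.GpoInheritanceBlocked
                AppliesTo          = ($applyTo -join ', ')
            }
        }
    }
}

# Placeholder user name
Get-UserGpoScope -SamAccountName 'jdoe' | Format-Table -AutoSize
```

A GPO that never appears in this list for a user is out of scope for that user, whatever its security filtering says; one that appears with the user's group under AppliesTo but with InheritanceBlocked = True on a lower container will still be skipped unless Enforced is True.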


Configure Windows to use Specific TLS Cipher Suites in Client Hello Packet


Hi everyone, 

I want to force only specific cipher suites on Windows in the Client Hello packet. I have made many attempts to do it using Windows registry keys and the PowerShell cmdlets (Disable-TlsCipherSuite, Enable-TlsCipherSuite) to disable all other cipher suites and enable the list I need. But when I try to connect to an HTTPS service from my application, the list of cipher suites sent in the Client Hello packet is not what I set (checked using Wireshark).

Is it possible to do this?

The PowerShell script I used is:

# Read the current Schannel list directly instead of round-tripping it through a text file.
$ciphersuites = (Get-TlsCipherSuite).Name

# Disable every suite currently on the list. The name must be passed as-is: wrapping it in
# literal quote characters (the original """" + $c + """") makes the cmdlet look for a name
# that does not exist. -ErrorAction Stop is needed for the catch block to see failures.
foreach ($c in $ciphersuites) {
    try {
        Disable-TlsCipherSuite -Name $c -ErrorAction Stop
        Write-Output "Disabled ${c}"
    }
    catch {
        Write-Output "Disable failed for ${c}: $($_.Exception.Message)"
    }
}

# Enable the preferred suites in the order they should appear in the Client Hello.
$preferedCiphersuites = @(
    "TLS_RSA_WITH_AES_128_CBC_SHA"
    "TLS_RSA_WITH_AES_256_CBC_SHA"
    "TLS_RSA_WITH_AES_256_CBC_SHA256"
    "TLS_RSA_WITH_AES_128_CBC_SHA256"
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
)
foreach ($p in $preferedCiphersuites) {
    try {
        Enable-TlsCipherSuite -Name $p -ErrorAction Stop
        Write-Output "Enabled ${p}"
    }
    catch {
        Write-Output "Enable failed for ${p}: $($_.Exception.Message)"
    }
}

# Show the resulting list so it can be compared with the Client Hello in Wireshark
Get-TlsCipherSuite | Select-Object -ExpandProperty Name

Write-Host -NoNewLine 'Press any key to continue...'
$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown')
Thanks in advance
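Two things decide what a Windows client actually offers in its Client Hello: which TLS stack the application uses, and where Schannel takes its list from. The Enable-/Disable-TlsCipherSuite cmdlets change the Schannel list, which is what SslStream, WinHTTP, .NET Framework and other Schannel-based clients use; applications that bundle their own TLS library (OpenSSL builds, Java, Chromium and Firefox) never read it. Separately, when the "SSL Cipher Suite Order" policy is configured it writes a comma-separated list to HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\Functions and that list takes precedence over the local one. As an added example (not the poster's code), the following PowerShell reports both sources next to the effective list, and performs a real handshake through Schannel so the negotiated suite can be compared with the capture. The host name is a placeholder; the handshake needs network access.

```powershell
# Added example, not code from the original post. Windows 10 / Server 2016 or later.

# Policy list (written by the "SSL Cipher Suite Order" GPO; overrides the local list when present)
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
# Local list (what Enable-/Disable-TlsCipherSuite edit)
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Get-SchannelCipherSuiteSources {
    $policy = (Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue).Functions
    $local  = (Get-ItemProperty -Path $localKey  -Name Functions -ErrorAction SilentlyContinue).Functions
    [pscustomobject]@{
        PolicyConfigured = [bool]$policy
        PolicyList       = if ($policy) { @($policy -split ',') } else { @() }
        LocalList        = @($local)
        EffectiveList    = @((Get-TlsCipherSuite).Name)
    }
}

function Test-SchannelNegotiatedCipher {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    # SslStream uses Schannel on Windows, so what it negotiates reflects the effective Schannel list.
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $result = [pscustomobject]@{
            Protocol    = $ssl.SslProtocol
            Cipher      = $ssl.CipherAlgorithm
            CipherBits  = $ssl.CipherStrength
            Hash        = $ssl.HashAlgorithm
            KeyExchange = $ssl.KeyExchangeAlgorithm
        }
        $ssl.Dispose()
        return $result
    }
    finally {
        $client.Dispose()
    }
}

$sources = Get-SchannelCipherSuiteSources
if ($sources.PolicyConfigured) {
    Write-Warning 'A Group Policy cipher suite order is set; local cmdlet changes are overridden by it.'
    $sources.PolicyList
}
'Effective Schannel list:'
$sources.EffectiveList

# Placeholder host; compare the negotiated values with the Client Hello captured in Wireshark
Test-SchannelNegotiatedCipher -HostName 'www.example.com' | Format-List
```

If the effective list matches what the script enabled but the capture from the application still shows a different Client Hello, the application is not using Schannel and has to be configured in its own TLS library.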

Why does a GPO stay on a PC after moving the PC to another OU?


Hello Microsoft Community,

I'm trying to understand this behavior.

I have 1 PC in a test OU with disabled inheritance. This OU has 2 GPOs:

1) UAC enabled

2) Enforced lock screen after 15 min.

After moving this PC in Active Directory to another OU with different GPOs,

the GPOs from the test OU stay in the PC's local security settings, even after a restart.

Is this how it is supposed to be? I don't want to change local security settings manually every time I test something.

WMI FILTER FOR AD - LAPTOPS, DESKTOPS, MINI-PC ..


I am searching for a good WMI filter

to add to my GPO in my AD.

I want to find laptops OR desktops / mini-PCs ...

I tried to use

DESKTOPS:

select * from Win32_SystemEnclosure where ChassisTypes = "3" or ChassisTypes = "4" or ChassisTypes = "5" or ChassisTypes = "6" or ChassisTypes = "7" or ChassisTypes = "15" or ChassisTypes = "16" or ChassisTypes = "35"

LAPTOPS:

select * from Win32_SystemEnclosure where ChassisTypes = "8" or ChassisTypes = "9" or ChassisTypes = "10" or ChassisTypes = "11" or ChassisTypes = "12" or ChassisTypes = "14" or ChassisTypes = "18" or ChassisTypes = "21"

but something is missing in the WMI.

PLEASE ADVISE

I USED TO WORK WITH

Select * from Win32_PhysicalMemory WHERE (FormFactor != 12)

^ Desktop

Select * from Win32_PhysicalMemory WHERE (FormFactor = 12)

^ Laptop

but with this WMI a mini-PC is marked as a LAPTOP.

GPO Settings not changing to match DC


I have a 2012 R2 DC1 and a Server 2008 R2 Standard secondary DC. I inherited a bear of a GPO setup with most policies in the Default Domain Policy and 31 other policy objects, all set to enforced and working against each other. Also, all are deployed domain-wide with everyone in the same OU.

Here's the rub: I'm trying to set up encrypted backups. The GPO setting for fixed drives using BitLocker with smart cards had been set to Enabled; I disabled it. I then waited about a day and ran an RSoP on our backup server and saw it still says the smart card policy is enabled. However, if I run an RSoP on the DC it says Disabled, following the same GPO. Tried running an RSoP on the secondary DC and it shows up as Enabled as well. Something isn't allowing it to replicate; tried doing gpupdate, gpupdate /force and reboots of all three machines with no difference. Any ideas???

Disabling access to shared folders across AD


Hi,

We have shared folders on users' systems across AD. We want to disable the sharing through GPO so that we don't have to do it for each individual user. Is there a way we can achieve it through GPO?


ADMX Error 1903 V2 after updating sysvol central store


After updating the SYSVOL directory "PolicyDefinitions" with the latest ADMX 1903 V2, I get an error on line 57 col 123 when expanding "Administrative Templates" in Group Policy Management Editor.

Error on line 57 col 123 for microsoftedge.admx

<definition name="SUPPORTED_INTERNET_BROWSER_RS5" displayName="$(string.SUPPORTED_INTERNET_BROWSER_RS5_DisplayName)">

microsoftedge.adml is present in both language folders, fr-FR and en-US.

Using the Microsoft documentation for updating the central store.

ADMX 1903 v2
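The Group Policy editor parses every ADMX in the central store and resolves each $(string.NAME) and $(presentation.NAME) reference against the ADML of the console's language, so an error like the one above comes either from a malformed file or from an ADMX that references a string its ADML does not define, which is what happens when ADMX and ADML files of different releases get mixed. As an added example (not the poster's code), the following PowerShell loads every ADMX and ADML in a central store as XML, reports the line and column of any file that fails to parse, and lists every reference that does not resolve in each language folder. The path variable is a placeholder; point it at the SYSVOL PolicyDefinitions folder or a local copy.

```powershell
# Added example, not code from the original post. Needs read access to the central store.
# Placeholder path: adjust if your central store lives elsewhere.
$centralStore = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"

function Test-AdmxCentralStore {
    param([Parameter(Mandatory)][string]$Path)

    # Language folders such as en-US and fr-FR each need a matching .adml for every .admx
    $languages = Get-ChildItem -Path $Path -Directory | Where-Object { $_.Name -match '^[a-z]{2}-[A-Z]{2}$' }

    foreach ($admx in Get-ChildItem -Path $Path -Filter '*.admx' -File) {
        $doc = New-Object System.Xml.XmlDocument
        try {
            $doc.Load($admx.FullName)
        }
        catch {
            # The XmlException carries the same line/column numbers the Group Policy editor shows
            $ex = $_.Exception
            if ($ex.InnerException -is [System.Xml.XmlException]) { $ex = $ex.InnerException }
            [pscustomobject]@{ File = $admx.Name; Language = '-'; Problem = "Malformed XML: $($ex.Message)" }
            continue
        }

        # Every $(string.NAME) and $(presentation.NAME) reference must exist in each language's ADML
        $stringRefs = [regex]::Matches($doc.OuterXml, '\$\(string\.([A-Za-z0-9_]+)\)') |
            ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
        $presRefs = [regex]::Matches($doc.OuterXml, '\$\(presentation\.([A-Za-z0-9_]+)\)') |
            ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique

        foreach ($lang in $languages) {
            $admlPath = Join-Path $lang.FullName ($admx.BaseName + '.adml')
            if (-not (Test-Path -Path $admlPath)) {
                [pscustomobject]@{ File = $admx.Name; Language = $lang.Name; Problem = 'ADML missing' }
                continue
            }
            $adml = New-Object System.Xml.XmlDocument
            try { $adml.Load($admlPath) }
            catch {
                [pscustomobject]@{ File = "$($admx.BaseName).adml"; Language = $lang.Name; Problem = "Malformed XML: $($_.Exception.Message)" }
                continue
            }
            $resources = $adml.policyDefinitionResources.resources
            $stringIds = @($resources.stringTable.string | ForEach-Object { $_.id })
            $presIds   = @($resources.presentationTable.presentation | ForEach-Object { $_.id })

            foreach ($ref in $stringRefs) {
                if ($stringIds -notcontains $ref) {
                    [pscustomobject]@{ File = $admx.Name; Language = $lang.Name; Problem = "string.$ref not defined in ADML" }
                }
            }
            foreach ($ref in $presRefs) {
                if ($presIds -notcontains $ref) {
                    [pscustomobject]@{ File = $admx.Name; Language = $lang.Name; Problem = "presentation.$ref not defined in ADML" }
                }
            }
        }
    }
}

Test-AdmxCentralStore -Path $centralStore | Format-Table -AutoSize
```

An empty result means every file parses and every reference resolves in every language; a "not defined in ADML" row for microsoftedge.admx in one language folder but not the other points at an ADML copied from a different release than the ADMX.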




802.11 GPO Not Fully Applying


We have a strange issue where many newly configured Windows 10 devices are not able to connect to our wireless network. These devices have the same image and applications, same model, and exist in the same OU. Some connect fine, others do not. Plugging the machines back into a wired port and doing gpupdate /force will fix the issue, but I am curious as to what caused it.

On computers that do not connect, I can confirm that the 802.11 policy exists on the machine through gpresult and rsop.msc. The profile exists at c:\windows\wlansvc\Policies\Polxxxx.tmp. However, the registry entry pointing to that file is not there (HKLM\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy). Copying the registry key from a working machine to a broken machine, changing the file name to match, and rebooting, all without being connected, allows the machine to connect to the network.

My question is, what would cause the policy to get onto the computer, but not update the registry entry?

Is Rule Merging Broken?


I have a GPO being properly applied to a Windows Server 2019 machine. In the GPO I've configured Rule Merging to No for "Apply local firewall rules" and "Apply local connection security rules". I've done this for all firewall profiles even though the machine is always using the domain profile.

However, if I create local rules they work.  Example:

All firewall rules in the GPO are scoped to remote address 10.10.10.0/24

Test RDP from a machine with address 10.10.11.1, fails.

Add a rule to the local server to allow all to 3389.

Test RDP from a machine with address 10.10.11.1, works.


-=Chris

Windows Server 2019 group policy for users is applied but not for computers


Hi!
So we decided to start using Windows Server 2019 and Microsoft Active Directory. But I came across a problem. If I run gpresult I can see that computer policy is not applied but user policies are. I tried changing security filtering but nothing changed. I removed the computer from the domain and tried again, but still nothing works. Weirdly, user policies are applied but not computer policies.
I get a warning in gpresult about "Fast link detected". Could this be the problem?
And the group policy is not enforced and "Link enabled" is checked.

Thank you for help!

GPO to Windows Autopilot


Is there any way to move or copy the entire current GPO settings to Windows Autopilot?

Default Domain & Default Domain Controller Policies missing


Good morning all,

I hope I'm not asking a previously asked question, but I didn't find anything about the problem I'm facing in a customer's Active Directory infrastructure.

They are missing all the content of SYSVOL\Policies, including the default ones. If I run gpupdate /force on a client I receive the RSoP error stating that the Default Domain Policy cannot be reached (I matched the Default Domain Policy's ID with the one I can still view in Group Policy Management; probably the IT administrator manually deleted the SYSVOL\Policies folder).

They have been in this situation for three years, so my question is:

What if I run DCGPOFIX, restoring both default policies?

In my opinion all clients will be asked to reset their password, am I wrong? Which other problems could they face?

Thank you in advance!

Rick
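Every GPO lives in two places: the groupPolicyContainer object in AD (replicated by AD replication, carrying versionNumber) and the folder under SYSVOL\Policies (replicated by DFS-R or FRS, carrying the same version in gpt.ini). A client that gets the AD half but not the SYSVOL half logs exactly the "cannot read gpt.ini" error from the post above; a DC whose SYSVOL copy lags behind another's serves a stale version, which is the kind of mismatch the earlier "GPO Settings not changing to match DC" post describes. As an added example, not code from either poster, the following PowerShell walks every GPO and every domain controller and reports, per DC, whether the SYSVOL folder exists and whether its gpt.ini version agrees with the AD object on that same DC. It assumes the RSAT ActiveDirectory and GroupPolicy modules and read access to each DC's SYSVOL share.

```powershell
# Added example, not code from either post. Needs RSAT (ActiveDirectory + GroupPolicy) and
# read access to \\<dc>\SYSVOL on every domain controller.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoSysvolConsistency {
    $domain = Get-ADDomain
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    foreach ($gpo in Get-GPO -All) {
        $guid  = '{' + $gpo.Id.ToString().ToUpper() + '}'
        $gpcDn = "CN=$guid,CN=Policies,CN=System,$($domain.DistinguishedName)"

        foreach ($dc in $dcs) {
            # AD side: the groupPolicyContainer as replicated to this specific DC
            $gpc = $null
            try { $gpc = Get-ADObject -Server $dc -Identity $gpcDn -Properties versionNumber -ErrorAction Stop }
            catch { }

            # SYSVOL side: the Version line of gpt.ini on this DC's own share
            $gptIni = "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies\$guid\gpt.ini"
            $sysvolVersion = $null
            if (Test-Path -Path $gptIni) {
                $line = Get-Content -Path $gptIni | Where-Object { $_ -like 'Version=*' } | Select-Object -First 1
                if ($line) { $sysvolVersion = [int]$line.Substring('Version='.Length) }
            }

            [pscustomobject]@{
                GPO           = $gpo.DisplayName
                DC            = $dc
                AdVersion     = $gpc.versionNumber
                SysvolVersion = $sysvolVersion
                SysvolPresent = ($null -ne $sysvolVersion)
                Consistent    = ($null -ne $gpc) -and ($null -ne $sysvolVersion) -and ($gpc.versionNumber -eq $sysvolVersion)
            }
        }
    }
}

# Show only the problems: missing SYSVOL folders and DCs whose AD and SYSVOL versions disagree
Get-GpoSysvolConsistency | Where-Object { -not $_.Consistent } | Format-Table -AutoSize
```

Rows with SysvolPresent = False on every DC are the orphaned state described in the post above; rows where only one DC disagrees point at SYSVOL replication between DCs rather than at the GPO itself.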


Auto-moving a computer into the respective OU when the machine is joined to the domain


We want to move the computer account automatically into the respective OU when it joins the domain. I have some PowerShell script, but it is used for manual movement: "redircmp ou=newcomputerou,dc=domainname,dc=com"

So what I want: anyone in IT joins a system to the domain and it will automatically move to the right OU.


Wireless Policy not working correctly


I set up a wireless policy to prevent computers from seeing any wireless networks except ours. I have a Windows 2012 domain. This was working fine. I added a new wireless network, so I added the new network to the Network Permissions list for Viewing and Connecting. The new network will not show up in the list of Wi-Fi networks on my device. I then removed a device so the policy would not be applied. I wanted to be able to see all the Wi-Fi networks in the area. This is not working either. I can see that the policy is no longer being applied; however, the only Wi-Fi network visible is the one I set up initially.

How can I get the device to see all the Wi-Fi networks in the area... and then how can I get the device to see just our two Wi-Fi networks?

Only "Create" Wireless Network (IEEE 802.11) Policies option is "Create A New Windows XP Policy"


I have Windows Server 2012 but I am missing the option to "Create A New Wireless Network Policy for Windows Vista and Later Releases". I only have the option to "Create A New Windows XP Policy".

How do I get this option to appear in my Group Policy Management Console?

Gpupdate pulling from a different domain in the forest


I'm having an issue updating group policy on new workstations that have been deployed to a small business office. Their domain is part of a forest with one other domain for their other office, and there is a domain trust between the two. For the sake of anonymity we'll call them TDomain and KDomain. I joined the new computers to KDomain initially through Windows and tried using PowerShell as well, both times using the full KDomain.local name. When these new computers run gpupdate it returns:

The processing of Group Policy failed. Windows attempted to read the file \\TDomain.local\SysVol\TDomain.local\Policies\{B5A5AC74-7331-4BD8-B6D7-6DE0098AAE00}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\TDomain.local\SysVol\TDomain.local\Policies\{00E3DC1A-87D8-45F6-B574-FF62586D517E}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

When I run gpresult /r I get

INFO: The user "KDOMAIN\ADMIN" does not have RSoP data.

And if I run gpresult /r /scope computer I get

COMPUTER SETTINGS
------------------
    CN=KCOMPUTER,OU=K-Computers,DC=KDomain,DC=local
    Last time Group Policy was applied: 8/23/2019 at 1:34:21 PM
    Group Policy was applied from:      KSERV.KDOMAIN.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DESKTOP-NDBTU57
    Domain Type:                        WindowsNT 4

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        NT AUTHORITY\Authenticated Users
        System Mandatory Level

At this point I'm really not sure where to check next and could use any assistance. I'd like to point out that it worked without issue on the old workstations.
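The gpresult output above is worth reading line by line: "Domain Name" shows a workstation name and "Domain Type" shows WindowsNT 4, which is what gpresult prints for a machine that is not actually a member of an AD domain, and the computer then holds only local group memberships. As an added example, not the poster's commands, the following PowerShell gathers the facts a practitioner would check on such a workstation before touching Group Policy: whether the OS believes it is domain-joined and to which domain, whether the machine account's secure channel with that domain is valid, which DC the locator picks, and whether the domain's SYSVOL Policies share is readable. Run it elevated on the workstation.

```powershell
# Added example, not code from the original post. Run elevated on the workstation.
function Test-DomainJoinState {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # A workgroup machine reports PartOfDomain = False; gpresult then shows the computer name as
    # "Domain Name" and "WindowsNT 4" as the domain type, as in the output above.
    $secureChannel = $false
    if ($cs.PartOfDomain) {
        # Validates the machine account trust with a DC of the joined domain (needs elevation)
        $secureChannel = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)
    }

    # Which DC the locator picks for this domain; nltest prints a "DC: \\name" line
    $dcArg  = "/dsgetdc:$($cs.Domain)"
    $dcLine = nltest $dcArg 2>$null | Where-Object { $_ -match '^\s*DC:' } | Select-Object -First 1
    $locatedDc = if ($dcLine) { ($dcLine -replace '^\s*DC:\s*', '').Trim() } else { $null }

    [pscustomobject]@{
        ComputerName   = $cs.Name
        PartOfDomain   = $cs.PartOfDomain
        Domain         = $cs.Domain
        SecureChannel  = $secureChannel
        LocatedDC      = $locatedDc
        SysvolReadable = if ($cs.PartOfDomain) { Test-Path -Path "\\$($cs.Domain)\SYSVOL\$($cs.Domain)\Policies" } else { $false }
    }
}

Test-DomainJoinState | Format-List
```

PartOfDomain = False means the join did not complete and no domain GPO can apply, whatever the trust between the two domains looks like; PartOfDomain = True with SecureChannel = False means the account exists but the machine cannot authenticate to it, which also stops policy processing.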




WSUS GPO not Applying to Computers


I'm doing the initial setup of Windows Server Update Services (WSUS) on Server 2016 Datacenter. The setup of WSUS was fine.

I'm having an issue with the GPO applying to the computer (Win 10 Enterprise x64). I have linked the GPO to the correct OU that the computer is in, but after a reboot, gpupdate /force and wuauclt /detectnow, nothing gets applied.

Verifying with the gpresult /r command shows NO GPO was applied.

This is how I have the forest set up. The computer is in the "Computers" OU. I tried "Enforce" on the GPO to see if it would work as well... nothing. The "ZZZ Test GPO" is being blocked from any GPO coming down, as you can see from the blue exclamation icon attached to that OU.

Why is this GPO not applying correctly?
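In GPMC the blue exclamation icon on an OU means Block Inheritance is set on that OU, which stops every GPO linked above it unless the link is enforced; it has no effect on a GPO linked directly to that OU. On the client, a WSUS GPO that did apply leaves its settings under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, so the quickest way to separate "no GPO reached the machine" from "GPO applied but misconfigured" is to read those values. As an added example, not the poster's commands, the following PowerShell does that on the Windows 10 client and also lists the GPOs gpresult says were applied or denied for the computer.

```powershell
# Added example, not code from the original post. Run elevated on the Windows 10 client.
$wuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusClientPolicy {
    # These values exist only after a Windows Update policy has applied; an absent key means no WSUS GPO reached the machine
    $wu = Get-ItemProperty -Path $wuPolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuPolicyKey\AU" -ErrorAction SilentlyContinue

    $reachable = $false
    if ($wu.WUServer) {
        $uri = [uri]$wu.WUServer
        $reachable = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    [pscustomobject]@{
        PolicyKeyPresent = ($null -ne $wu)
        WUServer         = $wu.WUServer
        WUStatusServer   = $wu.WUStatusServer
        UseWUServer      = $au.UseWUServer     # 1 = use WUServer instead of Microsoft Update
        AUOptions        = $au.AUOptions
        NoAutoUpdate     = $au.NoAutoUpdate
        ServerReachable  = $reachable
    }
}

function Get-ComputerGpoResult {
    # GPOs applied or denied for the computer, from gpresult's XML report
    $xmlPath = Join-Path $env:TEMP 'gpresult-computer.xml'
    gpresult /scope computer /x $xmlPath /f | Out-Null
    $rsop = [xml](Get-Content -Path $xmlPath -Raw)
    Remove-Item -Path $xmlPath -ErrorAction SilentlyContinue
    $rsop.Rsop.ComputerResults.GPO |
        Select-Object Name, Enabled, IsValid,
            @{ n = 'FilteringStatus'; e = { $_.FilteringStatus } },
            @{ n = 'FilteringReason'; e = { $_.FilteringReason } }
}

Get-WsusClientPolicy | Format-List
Get-ComputerGpoResult | Format-Table -AutoSize
```

PolicyKeyPresent = False together with a GPO list that does not contain the WSUS GPO means the policy never reached the machine (scope, filtering or the computer object's actual OU); PolicyKeyPresent = True with ServerReachable = False means the policy applied and the problem is the WUServer URL or the network path to it.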


Windows firewall domain profile does not obey GPO


Hi

I am looking to set Windows Defender Firewall via group policy.

I have configured the settings in group policy and can see that the Private and Public profiles

are turned on and configured as expected.

The Domain profile though won't bite and remains off! I've done a gpresult and see the policy has applied.

Restarted the machine,

blocked inheritance,

enforced the policy,

moved the policy to highest precedence,

gpupdate /force, wait an hour, repeat.


Double checked and the policy is definitely set to On in the GPO:

Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security

Tried internet searches and am now out of ideas.

Anyone encountered this?





confuseis
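This post and the earlier "Is Rule Merging Broken?" post are two faces of the same check: the firewall settings that Group Policy delivered (the RSOP store) versus what the firewall service is actually enforcing after merging them with local settings (the ActiveStore), and which profile the machine's network adapters are currently in. As an added example, not code from either poster, the following PowerShell compares the two stores per profile for the Enabled state and the rule merging switches, shows each adapter's network category (the domain profile is only in use for adapters in the DomainAuthenticated category), and lists locally created rules that are still enabled in the active store, which is what the rule merging setting is meant to prevent. Run it elevated on the member server.

```powershell
# Added example, not code from either post. Run elevated on the member server.

function Get-FirewallPolicyState {
    # RSOP = the profile settings Group Policy delivered; ActiveStore = what the firewall service enforces after merging
    $active = Get-NetFirewallProfile -PolicyStore ActiveStore
    $rsop   = Get-NetFirewallProfile -PolicyStore RSOP -ErrorAction SilentlyContinue
    foreach ($profile in $active) {
        $gpo = $rsop | Where-Object { $_.Name -eq $profile.Name }
        [pscustomobject]@{
            Profile                 = $profile.Name
            Enabled_FromGPO         = $gpo.Enabled
            Enabled_Active          = $profile.Enabled
            AllowLocalRules_FromGPO = $gpo.AllowLocalFirewallRules
            AllowLocalRules_Active  = $profile.AllowLocalFirewallRules
            AllowLocalIPsec_Active  = $profile.AllowLocalIPsecRules
        }
    }
}

function Get-ActiveNetworkCategory {
    # A profile only governs adapters in its category; DomainAuthenticated means the domain profile is in use
    Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory
}

function Get-ActiveLocalFirewallRules {
    # Rules in PersistentStore were created locally (GUI, netsh, New-NetFirewallRule). With local rule
    # merging off for the active profile they should not be enabled in ActiveStore.
    $localNames = Get-NetFirewallRule -PolicyStore PersistentStore | Select-Object -ExpandProperty Name
    Get-NetFirewallRule -PolicyStore ActiveStore |
        Where-Object { $_.Enabled -eq 'True' -and $localNames -contains $_.Name } |
        Select-Object Name, DisplayName, Direction, Action, Profile
}

Get-FirewallPolicyState | Format-Table -AutoSize
Get-ActiveNetworkCategory | Format-Table -AutoSize
Get-ActiveLocalFirewallRules | Format-Table -AutoSize
```

For the domain profile question: if Enabled_FromGPO shows True but Enabled_Active shows False, the policy reached the machine and something local is overriding it; if Enabled_FromGPO is empty or NotConfigured, the GPO's domain profile setting never arrived despite gpresult listing the GPO. For the rule merging question: any row returned by Get-ActiveLocalFirewallRules for a profile whose AllowLocalRules_Active is False is the anomaly to investigate, and the network category output tells you whether the profile you configured is the one the RDP test actually traversed.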
