Hello there,

I'm getting this event every time I run gpupdate on my server:

The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LocalGPO. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

Where is the first place to look at?

I did the GPRESULT /H GPReport.html but it only shows an error with registry policies.

Thanks.

Recently we have pushed white background with company logo etc, post pushing it users started complaining their desktop shortcuts are not visible. Is there any way where i can change font color to black.

Any help in this regards is highly appreciated..

Hi guys, 

It doesn't work at all even in very basic implementation. 

Security Level is set to Disallowed.

Added just one rule.

GPO is applied to an OU with computer objects.

Below is the output of gpresult /scope computer /r command, Group Policy Results report and RSoP.

C:\WINDOWS\system32>gpresult /scope computer /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2018 Microsoft Corporation. All rights reserved.

Created on ‎16/‎08/‎2019 at 12:23:35 PM

RSOP data for  on YY-YYYYY : Logging Mode
------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  10.0.17134
Site Name:                   Office
Roaming Profile:
Local Profile:
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
    CN=YY-YYYYY,OU=Desktops,OU=Computers,OU=XXXXXXX,OU=XXXXXXXXXX,DC=XXXXXXXXXXX,DC=com
    Last time Group Policy was applied: 16/08/2019 at 12:14:26 PM
    Group Policy was applied from:      adsvr1.xxxxxxxxxx.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        XXXXXXXXXX
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Test CA Enrollment
        SRP - Desktops
        Application Hardening - Computer
        Bitlocker-Computer
        EventTracker-computer
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        XXXXXXXXXX
            Filtering:  Denied (Security)

        Sleep Mode for Desktops 
            Filtering:  Disabled (Link)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        YY-YYYYY$
        Domain Computers
        Authentication authority asserted identity
        System Mandatory Level

Referred to multiple articles and pretty sure that path is specified correctly.

Is there any log I can check to find out why is it so?

Thanks. 

Hi,

I want to install few applications whenever new user join his computer to domain. please guide.

Regards

Hello all,

I need to put a shortcut to an internal website on all user's desktops. I want this shortcut to use a specific icon I created. I know you can specify a specific icon when creating the shortcut in GPP, but I am wondering where do I actually place the icon file?

Do I have to deploy the icon to each client machine as well? For example, if I specify the path to the icon as C:\Icons\myicon.ico, does that instruct the preference item to look for the icon on the C:\ of the client machine or from the server where I created the preference?

Thank you for any help.

Dear Team, 

I have created one "Test OU" under parent Domain without any Inheritance. a GPO is created and linked to this Test OU. If i am moving any user into this OU, then GPO works really fine. But as per my requirement, I have to assign this GPO to present Users without changing their locations. 

I tried to add those users inside Security filter. Even i created one Security Group and made those users as its member. then I added this Security Group into this OU. Untick the “Apply this GPO” for  Auth. User and made tick on selected Security Group

i referred this article:-http://www.grouppolicy.biz/2010/05/how-to-apply-a-group-policy-object-to-individual-users-or-computer/

But still it did not applied my GPO to individual. I tried to check on windows 8 and windows 10 client side, but I can only see the GPO’s applied on the Object Location OU.

Please help me if I have missed or mistaken somewhere.

Kunal Rane

Hi All,

We are being invaded.  One application has decided that it is so totally and completely cool that is must be on EVERY.  SINGLE.  COMPUTER. In the domain.

This application installed itself on our domain controller, our SQL Server, our Remote Desktop Server, our Remote Desktop Gateway Server, and every workstation we have.

Every time someone logs on to any computer, that someone is greeted with this application that DEMANDS attention because this application truly believes it is the CENTER OF THE UNIVERSE.

That application is Microsoft Teams.  And it snuck in through Windows Update (what we affectionately call Windows Hijack).

So, tell me, how do I tame this unruly beast with its cartoonish icons and constant nagging wanting us all to stop what we are doing to play with it?  

HOW DO I USE GROUP POLICY TO UNINSTALL TEAMS FROM ALL THE COMPUTERS IN OUR DOMAIN?

James

I am trying to install a Revit plugin via Group Policy.  The policy worked great on my computer but I am an local administrator.
It looks installed on non-admin computers but does not appear as a plugin in Revit.  All of the options under Deployment tab are greyed out except Assigned and Uninstall this application when it falls outside of scope of management.

Is that why it is not installing on non-admin computers?

I have a 2012 R2 DC1 and a Server 08 R2 standard secondary DC, I inherited a bear of a GPO with most policies in the default domain policy and 31 other policy objects, all set to enforced and working against each other. Also all are deployed domain wide with everyone in the same OU.

Here's the rub, I'm trying to setup encrypted backups, the GPO setting for fixed drives using bitlocker with smartcards had been set to enabled, I disabled it. I then waited about a day and ran an RSOP on our backup server and saw it still says the smartcard policy is enabled. However if I run a RSOP on the DC it says disabled following the same GPO. Tried running a RSOP on the secondary DC and it shows up as enabled as well. Something isn't allowing it to replicate, tried doing gpupdate, gpupdate /force and reboots of all three machines with no difference. Any ideas???

I need to block all computers running windows 10 ,1703 from the network. From SCCM I can get the list of computers running this version and add them to a separate AD group.

But how I'm going to restrict domain connection for a specific group using group policy?
I only want the user to access the local physical drives but no other network resources such as other computers in the same network. 

Is that possible through group policy?

Please help me !

Thank you ..

So it would seem that I have a somewhat unique problem because I cannot find anything about it online. 

I have an xml file that is dictating users start layout on Windows 10 machines.  Upon log in only 1 application in 1 group shows up.  All the gpupdate /force and restarts in the world will not get it to read the xml file correctly.  But if I go in and just slightly change the xml file on our DC server, and log out and log back in on the Windows 10 machine, it loads the xml file correctly from there on out.  I figured this out by deleting the user profile and logging back in to mimic this user logging into this machine for the first time, and that's when I noticed this problem.

I will need to find some way to fix this because I don't want to have to do this every time we get a new user or have users switch machines for some reason.

I was wondering if there is maybe a logon script I could use that would force it to read the xml file anew on every log in, or if maybe there is some other issue here. I've attached

<LayoutModificationTemplate
	Version="1"
	xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
	xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
	xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
	xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"><LayoutOptions StartTileGroupCellWidth="6" /><DefaultLayoutOverride><StartLayoutCollection><defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"><start:Group Name="Applications" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"><start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="C:\Collect2000\Latitude.exe" /> <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk" /></start:Group><start:Group Name="Microsoft Office" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"><start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE" /><start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="C:\Program Files (x86)\Microsoft Office\Office15\lync.exe" /><start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationLinkPath="C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE" />		  <start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationLinkPath="C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" /></start:Group><start:Group Name="Tools" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"><start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="C:\Windows\System32\notepad.exe" /><start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="C:\Windows\System32\calc.exe" /><start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationLinkPath="C:\Windows\System32\SnippingTool.exe" /></start:Group></defaultlayout:StartLayout></StartLayoutCollection></DefaultLayoutOverride><CustomTaskbarLayoutCollection PinListPlacement="Replace"><defaultlayout:TaskbarLayout><taskbar:TaskbarPinList><taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" /><taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk" /><taskbar:DesktopApp DesktopApplicationLinkPath="\\apr-dev-dc1\startmenus$\StartMenu\CRM.website" /><taskbar:DesktopApp DesktopApplicationLinkPath="\\apr-dev-dc1\startmenus$\StartMenu\Sharepoint.website" /><taskbar:DesktopApp DesktopApplicationLinkPath="\\apr-dev-dc1\startmenus$\StartMenu\Report Manager.website" /></taskbar:TaskbarPinList></defaultlayout:TaskbarLayout></CustomTaskbarLayoutCollection></LayoutModificationTemplate>

the xml file as well so you can take a look.

Any help would be greatly appreciated.

***Update***

Maybe some additional information will help. When these users log in to the machine for the first time, their taskbar is showing the pinned items dictated in the xml file, but the start layout is only showing 2 of the 9 apps that should be pinned to their start menu. 

I'M SO CONFUSED.

I have these settings set in Group Policy, linked at the domain level, filtered to Authenticated Users.

GPRESULT shows the policy applied.

But in Windows 10 settings, it still shows enabled.

Am I missing something?

Thanks,

-Matt

There's no place like 127.0.0.1

Hello !

I am looking for a GPO I could apply on Windows 7 computers so that network discovery is disabled... I tried a few:

this one :

Enable: User Configuration | Administrative Templates | Windows Components | Windows Explorer --- No "Entire Network" in my network places AND No "Computers near me" in My Network Places

 is not applicable for Windows 7

this one : Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\

should work but it doesnt, when I browsed through the registry of the client, I did not find the registry key "HKLM\Software\Policies\Microsoft\Windows\LLTD" that this GPO is supposed to change...

Constraint : i cant enable the Windows Firewall, it ll have to be by reg key ...

Thank you for your help

Hi There,

We've had this issue for a while now with 2012 R2 servers, but as we are currently migrating our remaining 2008 servers to Server 2016, this is increasingly becoming an issue. We've never had a problem with scheduling updates for 2008 servers so that they update and restart out of production hours. However, servers from 2012 onward appear to ignore this setting.

The standard Group Policy setting we've had until now has been -

Configure Automatic Updates, option 4 selected with a scheduled time set weekly for 2am

Allow automatic updates immediate installation - Disabled

Reschedule automatic updates - Disabled

Set intranet updates service location - set to our local WSUS server

We've had numerous server restarts during production hours which have had a serious impact on the business and as a result of this, we've had to resort to manual updates only for critical servers, which is not really a practical solution going forward.

Questions -

1. Should Configure automatic updates option 4 work on 2012 and 2016 servers, and if not, why not?

2. What Group Policy configuration can we apply to 2012/ 2016 servers that will produce predictable restart behaviour?

3. Should we manage different servers with different OSs on different Group Policy configurations?

4. Do we need to test Group Policy for updates on all future iterations of Windows servers?

5. The setting Configure Automatic updates option 4 appears to force the setting for Turn off auto-restart for updates during active hours to the default setting of 08:00-17:00 - should this be the case?

6. Should the active hours setting actually work on 2012 Servers?

I appreciate any help you can give on this.

Regards,

Richard

Is there any way to move or copy entire currnet GPO settings to Windows autopilot.?

Hi,

I just want to make sure that I'm on the right track. So if a group policy object is not ticked or 'Linkenabled' not checked, it should not run for the OU, right?

Coz for some reason this GPO is linked to the OU but not enabled, I even did a gpresult and I don't see that policy running but for some reason it still installs printers automatically. 

Sorry for the incomplete info, I'm trying to troubleshoot on a printer installation issue where sometimes it doesn't install the printer or incomplete printers. So I wanted to disable this policy and manually connect printers as a test and set a default printer, once I signed out and signed back in, it should retain since there's no policy once login and I confirmed there's no scripts running as well. 

Not sure what other things needs to check. 

Thanks

Jeff

Hi,

I was wondering how the gpo settings for folder redirection work when trying to move over to using OneDrive KFM? Which settings are required to be disabled, enabled or changed in the following setting:

Desktop Properties:

• Grant the user exclusive rights to Desktop
• Move the contents of Desktop to the new location
• Policy Removal
• - Leave the folder in the new location when policy is removed
• - Redirect the folder back to the local user profile location when policy is removed

Any other gotchas to be aware of?

Thanks.

Hi

I am looking to set windows defender firewall via group policy

I have configured the settings in group policy and can see that the Private and public profiles

are turned on and configured as expected.

The Domain policy though wont bite though and remains off !   Ive done a gpresult and see the policy has applied 

restarted the machine,   

Blocked inheritance,

enforced the policy,

moved the policy to highest precedence.

gpupdate /force   wait an hour repeat.

Double checked and the policy is definitely  set  to in in the GPO

Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security

Tried internet searches and now out of ideas

Anyone encounter ?

confuseis

I'm having an issue updating group policy on new workstations that have been deployed to a small business office. Their domain is part of a forest with one other domain for their other office and there is a domain trust between the two. For sake of anonymity we'll call them TDomain and KDomain. I joined the new computers to the Kdomain initially through Windows GUI, and tried using powershell as well, both times using the full KDomain.local name. When these new computers run gpupdate it returns:

The processing of Group Policy failed. Windows attempted to read the file \\TDomain.local\SysVol\TDomain.local\Policies\{B5A5AC74-7331-4BD8-B6D7-6DE0098AAE00}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\TDomain.local\SysVol\TDomain.local\Policies\{00E3DC1A-87D8-45F6-B574-FF62586D517E}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

When I run gpresult /r I get

INFO: The user "KDOMAIN\ADMIN" does not have RSoP data.

And if I run gpresult /r /scope computer I get

COMPUTER SETTINGS
------------------
    CN=KCOMPUTER,OU=K-Computers,DC=KDomain,DC=local
    Last time Group Policy was applied: 8/23/2019 at 1:34:21 PM
    Group Policy was applied from:      KSERV.KDOMAIN.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        DESKTOP-NDBTU57
    Domain Type:                        WindowsNT 4

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        NT AUTHORITY\Authenticated Users
        System Mandatory Level

At this point I'm really not sure where to check next and could use any assistance. I'd like to point out that it worked without an issue on the old workstations..