Channel: Group Policy forum
Viewing all 19997 articles

Software not Installing


Hi

I have deployed some software ("laps" MSI installer) using Group Policy > Computer Settings > Assign Software.

This works on some machines and not others. All machines are Windows 10.

On all machines I can see the policy has taken effect.

On some machines, however, when I run rsop.msc I can see an exclamation mark over the assigned software.

When I run the install manually using admin creds it installs fine each time; it seems to only fall down when using Group Policy.

I would have thought that permissions would not be a factor for software installs if this has been assigned by a domain admin using Group Policy.

Didn't see anything in the event logs using filters for MSI install etc.

The gpresult command on the machine confirms the policy has taken effect.

Not sure where to troubleshoot next.



confuseis


Registry.pol not updating

Hi everyone,

I am currently using Ansible to control multiple Windows Server machines to export their registry.pol under the machine folder of Group Policy and convert it to .txt using LGPO.exe before sending it to my Ansible server. The Ansible server will then read it line by line and change the registry.txt file according to the CIS standards. After changing registry.txt, the Ansible server will send it to each Windows Server machine and call LGPO.exe to convert these .txt files back into registry.pol and run "gpupdate /force".

I have tested 2 settings and I have noticed that the registry keys are updated. However, I notice that doing this messes up registry.pol in the sense that, in the future, whenever I use the Group Policy Editor to edit the changes, it updates the registry keys but registry.pol does not store the settings. May I know if there is any issue with my idea? So far it has been working except for this issue of my automation somehow bricking the GUI.

GPO StartUp script, bcdedit and Windows 10- A required privilege is not held by the client.


Hi,

I'm trying to run a StartUp script using GPO on my Windows 10 (latest version) machine to adjust some settings using bcdedit. The script finishes successfully when I run it in cmd as administrator. However, when using GPO and a computer StartUp script (as far as I understood it should run as the SYSTEM user with administrator privileges) it starts successfully but in the logs I can see the following:

"The boot configuration data store could not be opened.

A required privilege is not held by the client."

Could somebody advise me how to get it working please?

After login in Domain system taking too much time


Hi,

150 systems (Windows 10, Windows 7) are connected to the LAN through different VLANs.

The AD server (Windows 2016) is set up with a primary domain and an additional domain. The DNS role is also included on it.

System configuration min: Core i3 and 4 GB RAM.

The below issues are occurring.

1) Once the computer is powered on and the CTRL+ALT+DELETE prompt appears, after entering the username and password the system takes too much time to log in (approx. 1 to 2 min).

2) After those 2 min, opening Google Chrome also takes 2 to 3 min.

I have tried everything at the OS level but didn't find any solution. At the same time, logging in as a local user works normally compared to domain users.

Can anyone help me with this issue? 

Pravin Mori

pravinsinhmori.bmc@gmail.com

Disable Pinch Zoom for Microsoft Edge


Hello! 

I need to be able to disable pinch zoom in Windows 10 kiosk mode with Microsoft Edge.
I'm using an HP ProOne 400 G4 with touchscreen configured with Windows 10 Pro version 1903 (OS version 18362.418) in kiosk mode as a digital sign or interactive display with Microsoft Edge.

The problem is that users can pinch zoom the website I am pointing to. (I do not have access to change the HTML of the site itself)
They should not be able to do this.
I cannot find a setting in Microsoft Edge to disable this.
I can't find any group policy or registry key to disable this either.
In Internet Explorer you could fix this by going to Settings > Internet Options > Accessibility > User style sheet and pointing to a CSS file with the proper code.
This does not appear to apply to Microsoft Edge and I cannot find any similar options for it.
I cannot use any other browser than Microsoft Edge as Windows 10 kiosk mode enforces the use of it.
The only way I have been able to get any kind of effect is to open the developer tools for Microsoft Edge and add "-ms-content-zooming: none;" to the html, but again I don't have access to permanently edit the website.

This setting really should be core Microsoft Edge functionality especially for kiosk mode.
Would it be possible to get a GPO to disable Pinch Zoom in Microsoft Edge?

Help would be greatly appreciated,
Best regards// Mikael

Designation of an Existing Local Printer as the Default


I work at a library and we have computers for our patrons. I have manually installed 2 local printers, "a" and "b", on these public computers. They both use LPT1 as their port and they are not shared.


I have created entries in Group Policy to delete unneeded printers, such as "Fax" and "Microsoft Print to PDF", on the public computers. I created these entries in Computer Configuration-Preferences-Control Panel Settings-Printers and these entries have deleted the unneeded printers.


I now simply want to use Group Policy to designate printer "a" as the default printer on the patron computers. I suppose that I should create an entry for "a" in User Configuration-Preferences-Control Panel Settings-Printers and use the "Update" action but I want to be sure.


How do I use Group Policy to designate a local printer as the default printer?

GPO Settings revert to Not Configured after change


Domain Function: 2012 R2

I have a strange occurrence lately where whenever I edit a GPO, all the settings in the Admin Templates revert to Not Configured.

Ex: I need to add a website to Trusted Sites via Site to Zone Assignment. There are already entries in the list for various zones.
I enter the site, apply and exit GP edit. A few minutes later I look in the GPMC on the domain controller and all the various settings that fall under Administrative Templates are changed to not configured. The site I entered and all the sites have been removed. The IE settings for Trusted Sites removed. Chrome settings, removed.

Note: the policy settings are all still there, they've been changed to "Not Configured". Don't have any replication issues and it's happened to multiple Techs trying to make changes.

Startup Scripts not running from Server 2016


Hi

I have created an additional Domain Controller on a Windows Server 2016. The old Domain Controller runs on a Windows Server 2012 R2.

I have a GPO with a vbs startup script.

On computers connected to the old DC the script runs well. But on computers connected to the new DC, the script is not running.

In gpresult it says "This script has not yet been executed."

Is there any restriction on startup scripts on Windows Server 2016?

Jørn



Failed to open Group Policy Object


Hello all,

I am receiving a strange error message that I have never seen before in Group Policy. I am attempting to edit a GPO and I receive the following message:

"Failed to open the Group Policy Object. You might not have the appropriate rights."

"Details: The volume for a file has been externally altered so that the opened file is no longer valid."

I have looked online and have found very little about this message. Most of the things I come across relate to the local group policy, but my issue is occurring in the GPMC on a domain controller.

I have three domain controllers - Server 2008 R2, Server 2012 Standard, and Server 2016 Standard. I can edit this GPO on my Server 2008 R2 domain controller, but receive the error message on the other two.

I have tried this solution from my research, but it seemed to cause more problems than it fixed and didn't remedy the original issue:

  • Get GPO GUID: from Group Policy Management Console (GPMC) –> choose GPO –> from right pane go to Details tab –> go to Unique ID field.
  • Open the path: C:\Windows\SYSVOL\sysvol\<Domain>\Policies\<GPO GUID>\User
  • Delete “registry.pol” file.

Has anyone seen this before?

Thank you!

SMB Signing Behavior in GPOs


The company I work for is looking into configuring SMB signing between our clients and our servers. However, we want to handle this with extreme care, as from what I've read, just charging in and enabling AND enforcing it can cause some issues. My biggest question though is, if we set the GPO setting "Microsoft network client: Digitally sign communications (always)" to enabled on CLIENTS (ie, enforce SMB on clients), but set the GPO setting "Microsoft network server: Digitally sign communications (if client agrees)" to enabled on SERVERS (ie, enabling it but not enforcing it), will this force the use of SMBv3 between our clients and servers? Ideally, we would apply the GPO setting to the SERVERS first, and then once done we would begin applying the CLIENT GPO setting to specific OUs to make sure they can still communicate. My hope is that by doing this, we can start to roll out SMB signing without any major impacts to the applications our company uses (which is quite a few).

Is my assumption on this accurate, or will proceeding to roll it out in this way cause massive issues?

Thanks in advance.

Edit, just to add some info on our environment: All of our domain controllers, and various application servers are Server 2012 or Server 2012 R2. Our File server however, which we have user home directories saved in, is Server 2008. All workstation clients are on Windows 10.


GPO Application on specific OU


Hello,

I have an OU that contains my new Windows 10 computers.

I have created a GPO for this specific OU.

However, when I do a "gpresult /r" on my Windows 10 client, it does not apply this GPO but one located higher in the tree.

At the security screening level, I have "authenticated users".

Thanks for your help.


Having the error 0x80070569 when adding new VM on Hyper V


Hi guys, I'm having this error when I try to create a VM on Hyper V (Windows Server 2016).

The server (in fact this error happens in all of my servers), is in a domain.

My user name is in the administrator group. When I enter "gpupdate /force" it fixes that problem, but the next day I'm receiving that error again.

When I enter to the Default Domain Policy (in the DC), I can see my user name in (moti-ya)

Local Policies/User Rights Assignment  and I'm a part of Administrator group:

On the servers themselves, when I open "gpedit.msc", my user name is listed under "Log on as a batch job".

What isn't working as it should?


GPO's not getting applied with 1903


I have an MDT for 1809 and 1903 configured. When I push an 1809 deployment all works well and all policies get applied. When I push a 1903 deployment my GPOs don't seem to work. I have checked out everything and all seems to be in place. GPOs are the same for 1803 so it points directly to the 1903 setup. Has anyone else had issues like this? If I run a gpresult /H I realise that the Admin templates do not appear. They only appear after a gpupdate /force.

An example of my issue is that when we deploy a device the computer object goes to a specific OU which keeps the local admin password. This is due to the autologin part of the MDT. Once this object moves to a different OU then the LAPS policy kicks in and changes the local admin password. With 1903 the LAPS policy kicks in and changes the password, which then stops the MDT as it's a different password than the password file. If I deploy an 1809 device then I have no problems at all.

Disable SMBv1 without using startup script


Hi,

In our current Group Policy, we have a PowerShell startup script for disabling SMBv1. So this is enabled in our entire organizational OU which I believe will run every time a user logs in. I think this is causing us logon delays and complaints from users.

Kindly suggest any other recommended method to do this permanently via registry or any other setting.

Thanks in advance,

Sanjai


cross-domain GPO performance


I'm trying to figure out why it is claimed that cross-domain GPO is not recommended due to performance concerns.  The primary source seems to be this blog:

Group Policy Basics – Part 1: Understanding the Structure of a Group Policy Object

If \\Domain1DC\sysvol & \\Domain2DC\sysvol are on the same vlan in the same data center and a user in Domain1 has a policy (or several) linked from Domain2, I'm having a hard time measuring the performance difference. The org actually has users in Domains 1-11 and the real trouble was keeping the user policies consistent (all of the workstations are in Domain1 now, so computer policies are no problem).

I guess the question is, why can it be a very slow process?

  In the case of a cross-domain GPO, the client will need to pull content from a DC in the neighboring domain which can be a very slow process.  For this reason, cross-domain GPOs are not generally recommended.

Thanks,
J


Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator, MCITP: Enterprise Administrator

user profile picture


How can I set a user picture in GPMC?

For example, anywhere in the forest a user wants to log in, their profile picture should be displayed.

Remove Archive button from Outlook 2016

How can I disable / grey out or remove the Archive button in Outlook 2016 via group policy? We do not want users to use this feature.

Neil O'Connor

Windows 10 1809 - group policies not applying from 2012 R2 DC using either 1809 or 1903 templates


Hi,

I am unable to apply any group policy on Windows 10 devices on the corp network. I have created a test policy and linked it to an OU with security filtering for specific devices to receive the policy - Computer Config > Admin Templates > Windows Components > Microsoft Edge > Allow InPrivate Browsing AND Computer Config > Admin Templates > Windows Components > MDM > Enable automatic MDM enrollment...

I have tried using 1809 and most recent 1903 admx templates in central store. 

Appreciate any help.

Change Local Administrator Password thru GPO

Is there a way that, thru GPO, all Local Administrator passwords will be changed?

