Quantcast
Channel: Group Policy forum
Viewing all 19997 articles
Browse latest View live

Windows 10 1809 "Search Preview" removal via group policy

December 5, 2018, 5:09 am
$
0
0

Hi,

I'm currently trying to update my OSD image to 1809 from 1607, however, I've come across the new search preview. The new section of search that automatically gives you "Run as Administrator" etc. I work in an education environment and, even though they can't do it, I don't want students getting any ideas about trying to run programs as admins etc. I don't want them to be able to open file location either as we use redirected shortcuts and they could see the whole DFS structure.

Is there any way of removing this via group policy? If not, are there any other methods?

Thanks


Search

Manage trusted add-ins for Outlook 2010.

October 18, 2019, 2:44 am
$
0
0

hi all,

I need to control trusted add-in of outlook 2010, so users can not edit add in ,so I installed a virtual macine with windows 7 32 bit i nstalled the the Office Outlook 2007 Security Hash Generator Tool and i was able to generate hash value for the following add-in :

Value Name: C:\tempaddin\BCSAddin.dll
Value     : OFINILHKBODHOEJHODPDKJPCMDNMFKILIJIAKIKM
Value Name: C:\tempaddin\ColleagueImport.dll
Value     : AMILBJFABNOFLEIOAJHAKONFBGEDIEEABMPBIJPO
Value Name: C:\tempaddin\ONBttnOL.dll
Value     : HLKOHHOJLJMLLKMKBNIOEBHILDCHIAJECINCLBJF
Value Name: C:\tempaddin\SOCIALCONNECTOR.DLL
Value     : HEHOEAHNAGGCGDHHOIFOOLMALPFHHPAOGMOAEDNO
Value Name: C:\tempaddin\UmOutlookAddin.dll
Value     : DDHIAANLCDPBPFOAFDPEIOBHNAOPPJDDLKPCMNGB

and I edited the defaut domain policy 

  1. Configuration\Administrative Templates\Microsoft Outlook 2010\Security\Security Form Settings\Programmatic Security\Trusted Add-in 

  2.   as shown below  but users still can change the add in in outlook ,what sould i do 

Screen lock policy

October 18, 2019, 5:34 am
$
0
0

Hi

Would appreciate ANY help or direction!

So to put some context into it we have some machines running automated processes. They need to be left running and not have the screen lock. I have done a policy for these unique machines as outlined below

Interactive login: Do not require ctrl + alt + del ENABLED

Message title for users attempted to log on: EMPTY

Message test for users attempted to log on: EMPTY

Do not display the lock screen ENABLED

This however doesn't work so I BLOCKED inheritance and it started working. The GPO above for our normal user computers does have the lock facility but I was told if there are conflicting policies that the machines will adhere to the closest GPO but this doesn't seem to be the case. Can anyone please give any suggestions on what I can do. I don't really want to leave it on blocked inheritance as it should probably inherit some policies from the main baseline GPO above.

Thanks in advance

 

gpo does not apply to security group

October 18, 2019, 6:47 am
$
0
0
hello, im trying to force install a chrome extension for a group of users that are in an active directory security group. i have security filtering set to only the security group and my delegation is in the picture below. is there any glaring mistakes i have made to cause the extension to not auto-install? i have it configured as a computer configuration rather than a user configuration. thanks

GPO - Software and Games - INSTALL OR RUN PROGRAM FROM YOUR MEDIA

October 15, 2019, 10:56 pm
$
0
0

Hi,

We are implementing a USB management solution, that the USB has a software can be running to insert a Password before start using it.

The software can be automatically running if INSTALL OR RUN PROGRAM FROM YOUR MEDIA is selected under Software and Game.

Control Panel\All Control Panel Items\AutoPlay

I tried to dig into GPO, but could not find any thing specifically related to this setting, I only found the following:

but these settings did not help me, as these settings only enables Autoplay. So this has the following effect:

the issue, the end-users need to manually click on these windows (1) and (2), to run the App, and most of them dont know how.

So is there a CMD, Registry, or GPO settings I can use to change this option for all users?

thanks,




لوحة التحكم \ جميع عناصر لوحة التحكم \ تشغيل تلقائي

GPPreferences, Local Users and Groups, Group Name drop-down options..

October 9, 2019, 10:28 am
$
0
0

Hello all --
I'm curious about the other groups in the Group Name drop-down in GPP->Control Panel Settings->Local Users and Groups.  I've gone as far as the fifth page of search results (which is further than any sane person should go) and cannot find any mention of the other options in the drop-down (ie.- "Network (built-in)", "Batch (built-in)", "Services (built-in)", etc); the only option I've seen utilized is "Administrators (built-in)". 

What inspires the question is the assumption that using the "Services (built-in)" group will grant the user the right to Logon as a Service, without the hassle of creating multiple GPOs per config, since the GPO setting is not cumulative. (but this is just an assumption, based on the name of the group in the drop-down).

Do these other groups serve any purpose, or are they just remnants from the original Win2003 days when GPP was introduced? 

Thanks


Home Drive Intemittent map issue

October 16, 2019, 6:07 am
$
0
0

Some of our users are having issues where the home drive disappear in the morning.

We have got the folder redirection enabled and the home drive is setup in the active directory.

We had an old server 2008 R2 and migrated the home drive to Server 2019.

I have checked the group policy and there is not conflict. Has anyone come across this issue?

Thanks,


Group policy to change lock screen and screen saver image every day.

September 30, 2019, 10:56 am
$
0
0

HI All,

           Is there is any way to change the lock screen and screen saver image every day? if there is any way then how we achieved this through group policy?

Day 1 – Slide1.JPG (lock screen and screen saver)
Day 2 – Slide2.JPG (lock screen and screen saver)
.
.
.
Day 29 – Slide29.JPG (lock screen and screen saver)
Day 30 – Slide1.JPG (lock screen and screen saver)
Day 31 – Slide2.JPG (lock screen and screen saver)and so on…

Search

I need to be exported data from edb to pst for Exchange Server

October 1, 2019, 12:55 am
$
0
0

Pleas  share some Advance idea about freeware edb to pst file converter.

I need to be exported data from edb to pst for Exchange Server

Regards

Bitcal

when item-level targeting does not work

April 30, 2017, 10:44 pm
$
0
0

Windows Server 2008 R2

i have a gpo that applies certain things to an OU i belong. among the things it does is set a proxy and proxy exclusions for IE. in the part of the gpo where this IE proxy is being set, i did an item level targeting to NOT apply it if the user is my domain account and computer name. it doesn't work.

the other posts i've read about exclusions only offer exclusion from the gpo level meaning exclusion from the whole policy. what i'm after is exclusion from part of the policy.

How to allow a computer time to get a network connection before running a startup script without affecting the user too much??

October 16, 2019, 12:26 pm
$
0
0

I have a startup script that will need access to network paths to run so I need the computer (Windows 7 and 10) to have a network connection before it runs or it will fail.

I have fiddled around with setting 1 of these group policies at a time with various results as well as setting both of them like below. I have set  “Startup policy processing wait time” to 10 seconds, 60 seconds, 1 second, and still it says "Please Wait" (as shown in screenshot below) for varying amounts of time, mostly much longer than the time I have set. If I set it for 10 seconds it will take anywhere from 20-30 seconds before it actually displays the login screen. 

Keep in mind, I have not even placed my startup script in the GPO yet because I am strictly testing these 2 settings to make sure the user isn't sitting there seeing "Please Wait" for over 10-15 seconds each time they start their computer up.

At first when I tested this it seemed to work correctly and if the computer (wired or wireless connection) got a network connection before 10 seconds the "Please Wait" screen would go away and a login screen would be presented to the user as normal. Now it does not matter what I set the time to, where it is 10 seconds or 40 seconds it takes up to 52 seconds sometimes to present the login screen.

Anyone have experience with these settings? I am pretty upset that it is not working as advertised and have spent several days fiddling around with these trying to get it to work right. I want the computer to wait up to 10 seconds for a network connection and if it doesn't have one by then it should run the startup script and present the login screen. The startup script will fail since it didn't have a network connection when it ran and I'm okay with that as long as the user is not staring at a "Please Wait" screen forever.

If you need any further information please let me know and I will provide whatever I can, I need to get this working.

FYI, the goal is to run Jason Sandys' SCCM Startup Script so every time a computer starts up it will check to see if the SCCM client is on the computer and, if not, it will install it.


d

This is what the user sees while the computer waits for a network connection to run the startup script:

Change inactivity timeout to logon screen in windows server 2012

October 21, 2019, 7:33 am
$
0
0

Hi, 

I have a windows server 2012 serving as AD Server and GP Server. Right now, if a user does not touch the computer for 1 minute it will go to windows lock screen. It doesnt force logout, your session is still active, you only need to insert the password again. Where, in the group policy, can I change theese settings?

GPO will not update...

October 16, 2019, 8:44 am
$
0
0

Hello,

I created a new GPO for an OU.  When trying to update it I get these errors.

"The RPC Server is unavailable"

"The remote procedure call was cancelled."

Does anyone know how to resolve this?

Thanks!

GPO to update host file

July 20, 2011, 1:40 am
$
0
0

How can I make use of the GPO to update the drvers\etc\hosts file of my domain users ?

Can it be done ?

 

How to run a program automatically when log in as a specific account?

October 19, 2019, 12:36 pm
$
0
0

Hi,

We have 2012 domain. We are upgrading Windows 7 to Windows 10. Is it possible to run Windows 10 upgrade installer when we log into any domain computers with a local account by GPO? The installer is located in a network shared folder.

Need help!

Thanks in advance!

Grace

Search

SMB Signing Behavior in GPOs

October 4, 2019, 10:11 am
$
0
0

The company I work for is looking into configuring SMB signing between our clients and our servers. However, we want to handle this with extreme care, as from what I've read, just charging in and enabling AND enforcing it can cause some issues. My biggest question though is, if we set the GPO setting "Microsoft network client: Digitally sign communications (always)" to enabled on CLIENTS (ie, enforce SMB on clients), but set the GPO setting "Microsoft network server: Digitally sign communications (if client agrees)" to enabled on SERVERS (ie, enabling it but not enforcing it), will this force the use of SMBv3 between our clients and servers? Ideally, we would apply the GPO setting to the SERVERS first, and then once done we would begin applying the CLIENT GPO setting to specific OUs to make sure they can still communicate. My hope is that by doing this, we can start to roll out SMB signing without any major impacts to the applications our company uses (which is quite a few).

Is my assumption on this accurate, or will proceeding to roll it out in this way cause massive issues?

Thanks in advance.

Edit, just to add some info on our environment: All of our domain controllers, and various application servers are Server 2012 or Server 2012 R2. Our File server however, which we have user home directories saved in, is Server 2008. All workstation clients are on Windows 10.

<style><br _moz_dirty="" /></style>


<style></style>

Win10 does not get the computer policy in the 2016 domain group policy.

October 17, 2019, 7:24 pm
$
0
0
Win10 does not get the computer policy in the 2016 domain group policy.

I then use windows2016 as a domain controller.

At the same time use win7 win10 terminal computer.

Some group policies are configured in the domain control.

Use the same account to log in to different computers belonging to different operating systems of the same OU.

The win7 group policy can be obtained.According to the OU to decide whether it will take effect.

The win10 group policy only obtains the user policy in the group policy, and cannot obtain the computer policy.Even the default Default Domain Policy is included.

Sorry, my English is poor.

Enforcing updates (the big ones 1903 or 1909)

October 17, 2019, 5:05 am
$
0
0

Hello,

Some of the updates have to be confirmed manually by the user (for example 1903 may update). I've heard they are installed automatically after 30 days.

Is there any GPO which allows to enforce installing this kind of updates without bothering users to confirm them manually or without waiting 30 days ? I have installed the newest 1903 admx templates.

Best regards, Stefan

What disabled SSDP and UPnP on all network computers? Symantec or Server 2019?

October 22, 2019, 6:44 am
$
0
0

Hello,

In the past 24 hours we installed a secondary domain controller 2019 and Symantec Antivirus.  Between the two additions, SSDP discovery services and UPnP were disabled domain wide.   All network shares were inaccessible.   I am trying to figure out which  would have done this.  We’ve manually turned on the SSDP and UPnP services so we can connect to the shares.  But are afraid another symantec update or gpupdate will turn them back off.

I can find very little documentation on what Windows Server 2019 does or does not do with SSDP and UPnP. 

Any ideas?


New sub menu missing selections after GP applied

October 22, 2019, 6:45 am
$
0
0

Hi.

Trying to do some server hardening for Server 2012 R2.

After applying the hardening, the New submenu, when right clicking in a folder just gives me the option to create a folder. Lost including creating a text file, create a shortcut, create a bitmap image, etc.

Any idea what setting would affect this?

Thanks

Viewing all 19997 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>