Channel: Group Policy forum

cross-domain GPO performance


I'm trying to figure out why it is claimed that cross-domain GPO is not recommended due to performance concerns.  The primary source seems to be this blog:

Group Policy Basics – Part 1: Understanding the Structure of a Group Policy Object

If \\Domain1DC\sysvol & \\Domain2DC\sysvol are on the same VLAN in the same data center and a user in Domain1 has a policy (or several) linked from Domain2, I'm having a hard time measuring the performance difference.  The org actually has users in Domains 1-11 and the real trouble was keeping the user policies consistent (all of the workstations are in Domain1 now, so computer policies are no problem).

I guess the question is, why can it be a very slow process?

  In the case of a cross-domain GPO, the client will need to pull content from a DC in the neighboring domain which can be a very slow process.  For this reason, cross-domain GPOs are not generally recommended.

Thanks,
J


Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator, MCITP: Enterprise Administrator


Force reinstall of applications deployed by software GPO after uninstall


In testing one of our first software deployments using a GPO, a rather glaring issue seems to have appeared.  It appears that if a user uninstalls an application that was deployed by GPO, the application is not reinstalled unless an update for that software is applied to the GPO.  For example:

1.)  Application gets installed to client machine via software group policy (Computer policy, assigned install)

2.)  User of client machine uninstalls application that was installed via GPO

3.)  When restarted, the client machine does NOT reinstall the removed software. 

Is this expected behavior?  Ideally, we'd like to have applications that are deployed by GPO either, a.) automatically reinstalled if they are removed or b.) prohibited from being uninstalled in the first place. 

Any suggestions?

Thanks!

Aaron P.

2nd Script never run when called via GPO


Hi All,

I'm running a PowerShell logon script via GPO. This PowerShell script runs and I see the Event Viewer logs I set to be added, but when this PowerShell script runs it is supposed to call another HTA script and that never happens.

I'm calling the HTA script using the function "Invoke-item"

Surprisingly, everything runs fine when I launch it manually, but it never runs when I set it as a logon script.

No administrative permissions are required, and the paths exist and are working. I think something else is blocking launching the HTA, probably another GPO setting that I need to configure.

I tried to set a delay for running scripts but that didn't help.

Thoughts?



suddenly unable to install xps viewer with gpo enabled


Hello,

A few weeks ago I had users requesting to install XPS Viewer, so I enabled the following GPO: "Computer Configuration\Administrative Templates\System\Specify settings for optional component installation and component repair" with the "download repair content and optional features from wsus" option checked. It fixed the issue and they were able to install. Now another user wants it and they are unable to install. All prior installations still work. I can upload the dism.log to another platform if someone wants to examine it. I appreciate your time.

add an option with a link on Locked screen


Hi,

Please guide me how to create a GPO to provide an option with link (https://aka.ms/sspr) to reset/unlock user account on Windows locked screen.

Regards

GPO Settings


Hi,

How can I quickly reach a GPO's settings to view/make changes?

Regards

Deploying Powershell Script via GPO


Hi Everyone,

I'm trying to deploy a PS script via GPO. 

I've tried to deploy it as a logon script and separately as a startup script.

It does not seem to execute the script.

When I try to run the script on my own machine I receive the following message:

Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by
a policy defined at a more specific scope. Due to the override, your shell will retain its current effective
execution policy of RemoteSigned. Type "Get-ExecutionPolicy -List" to view your execution policy settings. For more
information please see "Get-Help Set-ExecutionPolicy".
At line:1 char:46
+ ... -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & '\ ...
+                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo         : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException
    + FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand

When I elevate the permissions to admin, it works and I can run the script manually on the machine.

Is there any way in which I can deploy this so that it runs with elevated admin permissions?

Or is there something I need to change or add in order for this to run?

Thanks


D

Applying group policy issue


Greetings,

Sometimes, when I want to apply a group policy through gpupdate /force, I am getting the message below:

C:\Users\m.mugabe>gpupdate /force
Updating policy...

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\rihamgroup.com\SysVol\rihamgroup.com\Policies\{8A470213-D0DF-4200-B462-6906614715F8}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
User Policy update has completed successfully.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

The GPReport.html is giving me a warning about Fast Links Detected, which is not clear to me.


gpo does not apply to security group

Hello, I'm trying to force install a Chrome extension for a group of users that are in an Active Directory security group. I have security filtering set to only the security group and my delegation is in the picture below. Are there any glaring mistakes I have made to cause the extension to not auto-install? I have it configured as a computer configuration rather than a user configuration. Thanks

GPO - Software and Games - INSTALL OR RUN PROGRAM FROM YOUR MEDIA


Hi,

We are implementing a USB management solution in which the USB drive has software that can be run to enter a password before you start using it.

The software can run automatically if INSTALL OR RUN PROGRAM FROM YOUR MEDIA is selected under Software and Games.

Control Panel\All Control Panel Items\AutoPlay

I tried to dig into GPO, but could not find anything specifically related to this setting. I only found the following:

But these settings did not help me, as these settings only enable AutoPlay. So this has the following effect:

The issue: the end users need to manually click on these windows (1) and (2) to run the app, and most of them don't know how.

So is there a CMD, Registry, or GPO settings I can use to change this option for all users?

thanks,




Control Panel \ All Control Panel Items \ AutoPlay

Computer policy could not be updated successfully


I have Windows 7 Enterprise and cannot update computer policy; user policy updates successfully. Event Viewer gives an event ID 1097.

Actual error message is this :

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not determine the computer account to enforce Group Policy settings. This may be transient. Group Policy settings, including computer configuration, will not be enforced for this computer.

Any ideas?

Screen lock policy


Hi

Would appreciate ANY help or direction!

So to put some context into it we have some machines running automated processes. They need to be left running and not have the screen lock. I have done a policy for these unique machines as outlined below

Interactive login: Do not require ctrl + alt + del ENABLED

Message title for users attempted to log on: EMPTY

Message text for users attempted to log on: EMPTY

Do not display the lock screen ENABLED

This however doesn't work so I BLOCKED inheritance and it started working. The GPO above for our normal user computers does have the lock facility but I was told if there are conflicting policies that the machines will adhere to the closest GPO but this doesn't seem to be the case. Can anyone please give any suggestions on what I can do. I don't really want to leave it on blocked inheritance as it should probably inherit some policies from the main baseline GPO above.

Thanks in advance

 

How to disable Store in Win10 Pro workstations?


Hello Microsoft Community,

I'm trying to disable the Store in Win10 Pro workstations.

The "Turn off the Store application" policy is not working.

I also tried to disable the store with Software restriction policies by adding HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore < as disallowed, still not working..

I tried to block the store with blocking outbound connections in the firewall policy:

%ProgramFiles%\WindowsApps\Microsoft.WindowsStore_11906.1001.24.0_x64__8wekyb3d8bbwe\WinStore.App.exe

Not working as well.

How do I block the Store?


Logoff Idle Users

Hi, I am trying to figure out a way to log idle users off of workstations after 5 - 10 minutes of no use. We have 6 computers available to the public but people seem to have some sort of resistance to logging off the workstations when they are done. Any suggestions?

NT AUTHORITY\SYSTEM Modified Default Domain Policy


We changed our account lockout policy back in March and our password policy the first week of April. Today, we realized the changes weren't being enforced and when reviewing the settings in the default domain policy, we noticed the password and account lockout policy settings were reverted back to the original values we had set for years. After some research we found that the computer account (NT AUTHORITY\SYSTEM) on our PDC modified the settings one week to the day after we modified the password policy. No AD restore was done.

What would cause the computer account on the PDC to change the password policy and account lockout policy settings back to the original settings we've been using for years?

I've been combing through logs, forums, blogs, etc. for hours looking for an answer to this and no luck as yet, so I'm hoping someone on here may have some insight.



GPO for Start Menu layout and taskbar modifications


I'm trying to implement a customer start menu layout and place some items on the taskbar for a Windows Server 2016 RDS server.

I have read and re-read, implemented and re-implemented. I can Export-startlayout fine. I can place it in a folder that is readable by everyone but cannot get the policy to actually work even though GPO modeling and results say it's implemented.

I am referred by a Microsoft article to look for XML errors but the log referenced just doesn't exist.

How do I troubleshoot this?

When logging on as the test user I can notice that the start menu is locked down for changes, which tells me the policy is there, but the custom set of tiles isn't there and there are no taskbar items.

Grateful.

Failed to open Group Policy Object


Hello all,

I am receiving a strange error message that I have never seen before in Group Policy. I am attempting to edit a GPO and I receive the following message:

"Failed to open the Group Policy Object. You might not have the appropriate rights."

"Details: The volume for a file has been externally altered so that the opened file is no longer valid."

I have looked online and have found very little about this message. Most of the things I come across relate to the local group policy, but my issue is occurring in the GPMC on a domain controller.

I have three domain controllers - Server 2008 R2, Server 2012 Standard, and Server 2016 Standard. I can edit this GPO on my Server 2008 R2 domain controller, but receive the error message on the other two.

I have tried this solution from my research, but it seemed to cause more problems than it fixed and didn't remedy the original issue:

  • Get GPO GUID: from Group Policy Management Console (GPMC) –> choose GPO –> from right pane go to Details tab –> go to Unique ID field.
  • Open the path: C:\Windows\SYSVOL\sysvol\<Domain>\Policies\<GPO GUID>\User
  • Delete “registry.pol” file.

Has anyone seen this before?

Thank you!

set IP with gpmc


Hi there my friends.

I want to know how I can set an IP for a client with the GPMC console without a DHCP server.

THANKS


Creating a Central Store in the existing domain


Hi all, hope someone could point me into the right direction. We have a single domain with 10 sites, 15 domain controllers ranging from 2008 r2 to 2016 and about 15 GPOs. The master is 2008 r2 and I believe that all GPOs were created on this master. We are looking to create a central store and also migrate the master to 2019. 

My question is: after creating a PolicyDefinitions folder inside the SYSVOL folder, should I be copying all ADMX/ADML templates into that folder from the PolicyDefinitions folder on the 2008 r2 master and then adding newer templates into the central store when the need arises?

Or should we migrate the master to 2019 first, decommission the old master, create the central store folder and copy ADMX/ADML templates from the PolicyDefinitions folder on the new 2019 master?

What might be some possible repercussions of creating the central store when already having a number of active GPOs in the domain?

Thanks! 

OneDrive Move Known Folders Error 0x8007065e


Hi Guys.

I'm trying to migrate our user profile files (Documents, Desktop etc.) to OneDrive.

I configured it like I thought it would work but when rolling out the group policies for OneDrive I have a few errors.

1) When manually trying to configure the "Move Known Folders" in my OneDrive Client I receive the "Unknown Error Code 0x8007065e" by clicking on "Backup Now" 

I already used Google to find a proper solution for this but I really didn't find anything for this. Has anyone ideas regarding this problem?

2) The second thing is that I see that the Group Policies for Known Folder Movement are not applied correctly (in my opinion). I cannot see the needed registry keys which are set by the Group Policy option.

Configuration of the test client:

Windows 10 Version 1903 (Build 18362.418)

GPO is configured like this

"Prevent users from redirecting their Windows known folders to their PC" -> Enabled

"Set the sync client update ring" - "Update Ring: Enterprise"

"Silently move known folders to OneDrive" -> Enabled with Tenant ID and "Show notification to users after folders have been redirected" to Yes

Silently sign in users to the OneDrive sync client with their Windows credentials -> Enabled

Use OneDrive Files On-Demand -> Enabled

When I do a "gpupdate /force" I see the Group Policy applying, but I cannot see the settings when doing an "RSOP" on my client.

The auto login to OneDrive is working fine, just all other things not. I already tried to configure it with SCCM too, but the same result. Login is OK but the Known Folder Movement isn't working as it should.

So I think it's all related to the error described above.

It's the first time I really have no idea what I can do now. Please help :)
