Quantcast
Channel: Group Policy forum
Viewing all 19997 articles
Browse latest View live

GPO Settings are Applied but not showing up/show error

December 3, 2019, 3:37 am
$
0
0

Hello everybody

I defined a few Settings, Account Policies, Security Options...

These seem to be applied if i change something and use the Local Security Policy Editor to check it, it's set.

However if I run this: Get-GPResultantSetOfPolicy -ReportType Xml -Path "C:\Users\user\Desktop\host.xml" -Computer "host.contoso.com"
 or use rsop.msc the report doesn't contain some of the settings. in RSOP it's telling me "The policy engine did not attempt to configure the setting. For more information, see %windir%\security\logs\winlogon.log on the target machine.

<as soon as I am verified, I'll add a picture.>

So I did...

----Configure Security Policy...
  Start processing undo values for 3 settings.
  There is already an undo value for group policy setting <MinimumPasswordLength>.
  There is already an undo value for group policy setting <PasswordHistorySize>.
  There is already an undo value for group policy setting <PasswordComplexity>.
 Configure password information.
  Start processing undo values for 3 settings.
  There is already an undo value for group policy setting <LockoutBadCount>.
  There is already an undo value for group policy setting <ResetLockoutCount>.
  There is already an undo value for group policy setting <LockoutDuration>.
  There is already an undo value for group policy setting <ForceLogoffWhenHourExpire>.
 Configure account force logoff information.
  There is already an undo value for group policy setting <EnableGuestAccount>.
 Guest account is disabled.

diagnosis.log shows this:

  RSOP logging information.  Error Code 0 - MinimumPasswordLength.
  RSOP logging information.  Error Code 0 - PasswordHistorySize.
  RSOP logging information.  Error Code 0 - LockoutBadCount.
  RSOP logging information.  Error Code 0 - ResetLockoutCount.
  RSOP logging information.  Error Code 0 - LockoutDuration.
  RSOP logging information.  Error Code 0 - PasswordComplexity.
  RSOP logging information.  Error Code 0 - ForceLogoffWhenHourExpire.
  RSOP logging information.  Error Code 0 - LSAAnonymousNameLookup.
  RSOP logging information.  Error Code 0 - EnableGuestAccount.
.

.
.
  RSOP diagnosis information. Error Code 1168 - for instance MinimumPasswordAge.
  RSOP diagnosis information. Error Code 1168 - for instance MaximumPasswordAge.
  RSOP diagnosis information. Error Code 1168 - for instance MinimumPasswordLength.
  RSOP diagnosis information. Error Code 1168 - for instance PasswordHistorySize.
  RSOP diagnosis information. Error Code 1168 - for instance ClearTextPassword.
  RSOP diagnosis information. Error Code 1168 - for instance PasswordComplexity.
  RSOP diagnosis information. Error Code 1168 - for instance RequireLogonToChangePassword.
  RSOP diagnosis information. Error Code 1168 - for instance LockoutBadCount.
  RSOP diagnosis information. Error Code 1168 - for instance ResetLockoutCount.
  RSOP diagnosis information. Error Code 1168 - for instance LockoutDuration.
  RSOP diagnosis information. Error Code 1168 - for instance ForceLogoffWhenHourExpire.
  RSOP diagnosis information. Error Code 1168 - for instance EnableGuestAccount.
  RSOP diagnosis information. Error Code 1168 - for instance LSAAnonymousNameLookup.

However if i run a gpupdate /force + restart the computer + again gpupdate /force it's visible in the xml report and also in rsop.msc until I run another gpupdate /force then i get the scenario described above.

Can someone explain me this?

Search

Windows 10 USb hub Power management setting

December 9, 2019, 4:34 am
$
0
0

Hello,

I wanted to read the status of the check box "Alloe the computer to turn off this device to save power " under properties-->Power Management of the USB hub.

For USb Root Hub (USB3.0) i could get the changes via 

\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\ROOT_HUB30\4&36e5125b&0&0\Device Parameters\WDF

IdleInWorkingState=0 or 1 is getting updated.

but for other USB hubs i could not find the key and its value.

Kindly do the need full.

Block Windows Update and Feature Updates

December 9, 2019, 5:43 am
$
0
0

Hi,

We have SCCM setup which push the updates to user PC but when user are click on windows update button its download and install feature updates.

I would like to create two policy.

1. To block of windows updates for every user in domain but allow some user (Through security group) to run Windows Update online.

2. Block Feature updates for every user within the domain.

How can i setup these two policy to achive this.

Screensaver settings per computer account?

January 27, 2011, 3:05 am
$
0
0

Hello,

I need to create GPO's so that user is forced to use screensaver after 10 minutes of inactivity  with password prompt on his own workstation but not when he logs on to a conference room PC. Can this be donewith GPO's? One user account with different screensaver scenarios depending which desktop is used for login. Screensaver setting are in the user part of GPO's and that's giving me the headache...

Thanks for all input!

 

Installing keyboards/ languages via Group Policy

December 2, 2019, 1:42 pm
$
0
0

Hello, I am currently working on getting 11 languages installed via group policy.

I have successfully installed a majority of the keyboards via adding registry keys to "HKEY_CURRENT_USER\Keyboard Layout\Preload"

However, some of the Asian languages do not install via this method, and I had to create an XML file and batch to add them.

Here is where I got the information to make the XML file.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/1d698961-b605-496f-80ee-23da319f16a7/gp-install-ime-japanese-across-network?forum=winserverGP

I pulled the keyboard identifiers from here:

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-language-pack-default-values

Using this, I am able to install the Japanese keyboard, the Chinese(simplified, China) . however I am also trying to install "Chinese(traditional,Macao SAR)" But I do not see a keyboard identifier code under "Input Method Editors" to install this lang/keyboard.

Here is my XML at the moment

<!--Keyboard Language Change--><gs:GlobalizationServices xmlns:gs="urn:longhornGlobalizationUnattend"><!--User List--><gs:UserList><gs:User UserID="Current" CopySettingsToDefaultUserAcct="true" CopySettingsToSystemAcct="true"/></gs:UserList><!--input preferences--><gs:InputPreferences><!--en-AU--><gs:InputLanguageID Action="add" ID="0c09:00000409" Default="true"/><!--JP-Japanese--><gs:InputLanguageID Action="add" ID="0411:{03B5835F-F03C-411B-9CE2-AA23E1171E36}{A76C93D9-5523-4E90-AAFA-4DB112F9AC76}"/><!--CN-Chinese--><gs:InputLanguageID Action="add" ID="0804:{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}{FA550B04-5AD7-411f-A5AC-CA038EC515D7}"/><!--CN-Chinese--><gs:InputLanguageID Action="add" ID="0404:{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}{037B2C25-480C-4D7F-B027-D6CA6B69788A}"/>               </gs:InputPreferences></gs:GlobalizationServices>

Does anyone know the method/identifier to install "Chinese(traditional,Macao SAR)" on my XML file, or any other method via GPO? This is the only keyboard I am missing to finish this project.

Thank you!


Bulk change of AD user passwords with Powershell script

December 9, 2014, 3:06 am
$
0
0

Hi

I'm looking to reset in bulk AD user account passwords.  I have this script:

#
# Script: ResetPwd.ps1
# Description: Reset the password for bulk number of users, and 
# set the property to change passwrod required at next logon
#
# Written by: Anand Venkatachalapathy
#

Import-Module ActiveDirectory

# Set the default password
$password = ConvertTo-SecureString -AsPlainText “AwesomeP@ssw0rd” -Force 
 
# Get the list of accounts from the file on file
# List the user names one per line
$users = Get-Content -Path c:\MyScripts\UserList.txt
 
ForEach ($user in $users) 
{
    # Set the default password for the current account
    Get-ADUser $user | Set-ADAccountPassword -NewPassword $password -Reset
    
    #If you need to set the property “Change password at next logon”, 
    #leave the next alone. If not, comment the next line
    Get-ADUser $user | Set-AdUser -ChangePasswordAtLogon $true
    
    Write-Host “Password has been reset for the user: $user”
}

# ————- End ———–

Credit: http://anandthearchitect.com/2014/02/27/active-directory-bulk-user-password-reset-by-powershell/

This works, however it only lets me set each password to be the same. I'd like to have a second column in a source .csv which lists a unique password per user and have the script change the password as per the file.  Can anyone assist with the necessary changes to the above?  My experience with Powershell is very limited.

Any assistance is very much appreciated.

Paul


Group Policy to request admin user and pass

December 6, 2019, 4:01 am
$
0
0

Hello everyone
I need to create a group policy on my corporate network so that ordinary users will get the credential prompt to remove a program or change a setting, thus requesting administrative access with an admin user.

In imgem I send my problem.
Disabling Firewall on ordinary users solves my problem, but that's not what I want to do.

DisAllowRun Registry For a machine

December 5, 2019, 10:10 pm
$
0
0
How to block applications for a complete machine instead of specific users using Registry. not using group policy editor 
Search

Group Policy processing error. Event ID 1030

June 11, 2012, 5:43 pm
$
0
0

We are getting event ID 1030, error code 58 appearing on all domain joined computers, including domain controllers.

Event Description:

The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.

Event Detail:

System

  - Provider

   [ Name]  Microsoft-Windows-GroupPolicy
   [ Guid]  {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
   EventID 1030
   Version 0
   Level 2
   Task 0
   Opcode 1
   Keywords 0x8000000000000000
 
  - TimeCreated
   [ SystemTime]  2012-06-12T00:19:31.734258300Z
   EventRecordID 191165
 
  - Correlation
   [ ActivityID]  {464CBB72-656C-4632-A2AA-31E797F0A8DE}
 
  - Execution
   [ ProcessID]  908
   [ ThreadID]  2368
   Channel System
   Computer DC1.domain.local
 
  - Security
   [ UserID]  S-1-5-18

- EventData

  SupportInfo1 1
  SupportInfo2 2070
  ProcessingMode 0
  ProcessingTimeInMilliseconds 515
  ErrorCode 58
  ErrorDescription The specified server cannot perform the requested operation. 
  DCName \\DC1.domain.local

I've followed http://technet.microsoft.com/en-us/library/7e940882-33b7-43db-b097-f3752c84f67f and everything is looking good up to event ID 5311 and then Group Policy processing fails.

I've run GPLOGVIEW -m and it shows processing fail for the currently logged on user as well as the computer.

The computer in question (that I want to resolve first) is one of three domain controllers in the AD domain. It is hosting DNS, and IP settings are pointing to itself (127.0.0.1) for DNS.

I have tried/checked:

  • pointing at another DNS (DC), running ipconfig /flushdns and nbtstat -R with no improvement.
  • DCDIAG/test:dns comes back clean on all DCs.
  • I can ping by host name all DCs.
  • I can ping the domain name and a DC responds.
  • DNS SRV records have been checked and are all present, as are CNAMES and A records.
  • AD replication (as per DCDIAG) is fine as well.

THere are no logon issues, problems with Exchange or other applications. It is just GrouP Policy Processing that is failing across the board.

It therefore does not look like a connectivity failure, but I can't find any more useful information from the logs. Any help would be greatly appreciated.

Domain Users machine time changes automatically

December 4, 2019, 4:27 am
$
0
0

using hyper V server for domain and FTP.

All the server time changed automatically after some months.

GPO Server 2019

December 10, 2019, 5:06 am
$
0
0

Hey all. My company is currently updating some servers from Server 2008 R2 to Server 2019. We were wondering:
1) What are the changes in GPO from 2008 R2 to 2019?
2) What are the suggestions for managing intranet sites since Internet Explorer Maintenance was taken away in 2003?

Thank you.

Windows 10 Computer Printer GPO not applying properly

December 10, 2019, 8:13 am
$
0
0

I have read a fair number of forums in various places to try to aid this issue and have come across others with similar problems and all fixes we have tried so far do not work.

Issue: Computer GPO deployed printer from printserver not applying on client machines

From everything I have found so far, its not possible to replicate 100% and on a test machine, we were unable to replicate the issue.

Some symptoms are below and also some of the actions we have tried.

Environment

  • Our domain controllers are Windows 2016
  • Our client machines are all Windows 10 LTSB
  • Our printers are Sharp MFD's mostly but this affects other standalone printers (Dell mostly) too

Changes

There are a few adjustments to the registry we have tried to fix which have all failed, one of which is adding an "attribute"=1 dword to one of the affected printers.

We have also tried running a gpupdate after login, using printer isolation, enabling the printers preference extension policy processing gpo. 

Existing setup

Point and print has been active throughout. The issue does not appear to affect users who login and have printers applied to the user rather than the computer. This also applies correctly to computer based printers for those users, strangely. 

Troubleshooting

The event viewer has given a few error codes, one of which is 0x57

We have applied printers via GPO preferences>control panel>printers which sometimes adds them but cannot be removed at all! Item level targetting does not work using this method either.

I have noticed that the registry fills up with a lot of users printer connections, each login giving them a new GUID.

HKLM>Software>Microsoft>Windows NT>Current Version>Print>Printers>CSR~####

HKLM>Software>Microsoft>Windows NT>Current Version>Print>Providers>Client Side Rendering Print Provider

The users affected mostly have mandatory profiles so no printer data is saved to their profile.

How to reset Applocker to nothing?

July 4, 2017, 3:21 am
$
0
0

Stupidly for testing I applied Applocker policy to a workstation.

After finding that it behaves in most undesirable way, I wanted to remove policies, but it seems to be way more complicated than necessary

Followed:

https://technet.microsoft.com/en-us/library/ee791822%28v=ws.10%29.aspx

Seems I am not the only person with this issue

No matter what I do I still get the set presented (as not configured), but entries in log exists like:

%SYSTEM32%\NOTEPAD.EXE was allowed to run.

Re-read this

https://www.microsoftpressstore.com/articles/article.aspx?p=2228450&seqNum=11

Obliterated each & every instance of SrpV2

Still the Applocker seems to interfere & I can not reset it to state as if never existed!

Anybody any ideas?

Seb

WSUS Policies for Feature Upgrade System Tray Notifications

December 10, 2019, 10:26 am
$
0
0

Hi,

I need help understanding which GP settings control which of these notifications. Lately, I haven't really been able to get any of them to pop up, and if I do, I don't understand which setting is governing the notification. Could someone help me associate the following notifications with the GPO setting that controls them?

#1

#2

#3

#4

#5

#6

Change Subnet via group policy

December 3, 2019, 7:59 am
$
0
0

Hey,

I am in the process of getting ready to re-subnet my DHCP server to expand my usable IP Addresses. What would be the best way to handle my static assigned servers/ client machines. Is there a way to set them all via group policy or will I have to walk around a change them all manually. I have very little experience with Group Policy so please explain this to me like I am five.

Thanks in advance

Search

Create GPO to deploy shortcut in desktop folder

December 5, 2019, 11:40 am
$
0
0

Hello GPO guru,

I like to know how to create GPO to publish shortcut in a folder on user desktop.

For example, I have a folder on my desktop called "NetworkApp" I want to create a GPO to deploy a "Helpdesk" URL inside the 

"NetworkApp" folder.

Thanks for your help.

Users are unable to save files on desktop

December 6, 2019, 4:18 am
$
0
0

Hi Team,

In my environment users are having separate GPO, they are unable to save the files on desktop. Please help me out where i have to modify GP.

Thanks in advance,

Bhaskar G R

Changing the path of folder redirection

December 6, 2019, 12:03 pm
$
0
0

Hi there,

I have a group policy for redirecting users home folders (Desktop ,Documents,... ) to our shared network drives. the current group policy has the following setting:

Basic - Redirect everyone folders to the same location

Target Folder location:  Create a folder for each user under the root path

Root path: \\old-server\Users

I am using dfs replication from old server to the new server. since the Users folder have been replicating from the old server to the new server so users folder already exist on the new server. so now I want to change the above group policy to redirect users home folder to \\new-server\Users. I wonder how the above policy can be adjusted?  just simply rename the old server to the new server, any change to the choice for Target folder location?

Thanks,

Registry patches for trusted locations

December 4, 2019, 9:35 am
$
0
0
We install these registry patches for our msAccess and Word users so they don't get the trusted locations message when launching our accde files, and so they don't get the merge warning when we merge msAccess tables with a Word template. Can these patches be modified to go to an "all user" registry key instead of HKEY_CURRENT_USER?  If a new user profile is made on a machine, I'd like to not have to reinstall these patches every time a new user profile is made on a machine. If so, would I change [HKEY_CURRENT_USER\Software...]  to [HKEY_USERS\.DEFAULT\Software...] ? or would I change it to [HKEY_LOCAL_MACHINE\Software...] ? or what?

Create a GPO to schedule restart and check windows services

November 20, 2019, 7:24 pm
$
0
0

Hello, 

I need to script and create a GPO to schedule restart of computers in a specific OU on every Sunday@4AM.  Additionally, upon starting up of the computers, I need to check if 2 windows services are up and running.  Start them if they are not running. 

Please advise how to do that. 

Many thanks...

Viewing all 19997 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>