Channel: Group Policy forum

log on/log off


Dears,

Is there any GPO that we can apply in order to make a user sign out from his desktop following certain rules (for example, 15 mins of no activity), while having login and logout information logs?

It is a bit urgent.

Thank you in advance.


Group policy applied result


Hi Team,

I need a report for applied group policy.

A report for bulk machines. I need only the applied policy name. Any script?

Disabling IPV6 and renaming domain clients computer name using GPO - windows server 2016


Hi,

How can I disable IPv6 and rename computers using GPO in Windows 2016? We are using Windows 7 & 10.

Thank you

Applying Advanced Audit Policies


Is there any way to apply Advanced audit policies on Server 2008 R2, 2012 R2 and 2016, outside of "Default Domain Policy" scope?

In a separate GPO?

The purpose is to avoid applying these settings on users' workstations.

Log off idle session does not work on Windows Server 2008


Hi

I have enabled 2 policies on Windows Server 2008 R2 with terminal services role.

Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits: "Set time limit for active but idle..." and "End session when time limits..."

I tried both Computer and User templates.

From the "rsop -r" command everything looks OK, policies applied.

No errors?

Works OK on different servers 2012, 2016 and 2008 but not for that one with terminal services role? 

GPO Software Publish results in "Fatal error during installation"


Hi everyone.

As the title already says, I am trying to use GPOs to publish software packages to domain clients.

For that, I created a GPO that has a software installation package set in the user configuration.

However, when I try to install such a package from the control panel, I get a "Fatal error during installation" message. I can't find any related entries in the event log and there's no further information either.

  • Permissions on the share are correct, I can manually connect to it
  • Running the msi manually also works, the msi is not corrupted
  • Error occurs on any package published so far
  • Missing permissions on the client are not the issue, I have the same error when logging in as administrator
  • I removed all GPOs except for default domain policy and the GPO in question, no change. Default policy is untouched
  • The error is not specific to one machine, it doesn't work on any other machine either
  • Deploying software as an assigned package in computer config (forced installation) does work, but is not what I intended
  • When performing the same steps on a virtual test setup with another dc and client, everything works as expected

I have no idea what causes this. The DC was installed recently from scratch and while AD is still in implementation phase, the server is already used by productive systems (mainly DNS, DHCP and CA) and cannot just be scrapped and started over (Thanks, corona budget cuts)

The server is also running the ESET Security Management Console server, though I don't know how that could possibly cause the error.

GPMC - show/hide links gone


I am seeing occurrences under the Settings tab in GPMC (mainly Server 2012 R2 but also 2008 R2) where the expand/collapse show/hide link buttons do not show.

I tried enabling and disabling IE ESC per some articles. Also tried adding the about:security_mmc.exe to trusted sites. Still does not work, even on brand new installs of the snap-in.

GP not applying to users in a security group.


Hi. 

Wondering if someone can help me with an issue I have with a set of Printer GPs I have created. 

Setup: 

AD = 

OU called Users (contains user accounts)

OU called Security Groups, contains a security group called Technical Printer Group with a set of users accounts added. 

GPO = 

Group Policy Object created to map shared printer. Linked GPO to the OU - Users. 

All works fine when the Scope > GPO Security Filter is set to Authenticated Users but this applies the printer to all users. 

If I change the Security Filtering to the Security Group (Technical Printer Group) I see the following error when I run gpresult /r when logged in as a user who should have access:

PRINT : Technical Printer Deployment
            Filtering:  Denied (Security)

Authenticated Users is set in Delegation to Read Only (not apply) - I am not too sure if this is required, but if I remove it I am presented with the same error as above.

If I remove the Security Group from the GPO Security Filtering and directly apply individual users accounts it works fine. 

I cannot see a reason why the GPO will not apply to users in the Security Group 

I have recreated the Security Group, created it in a different OU but I keep getting the same error. 

Any advice would be appreciated. I really do not want to leave the Security Filter as just a list of user accounts.

Many thanks, Dan Hargrove


Logon locally for non-admin


I would like to allow non-admin (helpdesk) access to DCs. They need to log in locally through RDP at DCs and member servers. I thought the logon locally policy would do the trick, but that didn't.

Anyone who can explain to me how to give non-admins access to DCs and file servers through RDP?
Thank you very much.

 

Lock Screen Timeout policy


When in a lab environment, the screen of a server times out after a few secs and one needs to enter ctrl-alt-delete and login again.

Is it possible to disable this? I tried several tutorials but none of them work.

Am using 2016 and 2019 in the lab.


Many thanks.

GPOs do not apply on Windows 10 Enterprise x64


Hi there,

When booting a Windows 10 machine (Lenovo laptop) GPOs are not loaded. Of course I can apply them later on via gpupdate /force.

When I have a look into the system log I get always an error in there with the ID 1058. Checking the error code in the details says: Network access is denied (error code 65).

It tries to access a gpt.ini file from the policies but does not get through.

When I restart the computer, click the link in the error message I get an error that the file cannot be accessed. Nevertheless after about 30 seconds the access to the file just works.

For me it seems that there is a service pending start which is needed for the domain access. I bet it has to do with DFS as the GPO access works via DFS path(namespace).

This is quite annoying as neither the machine policies nor the user policies are loaded.

Here the details from the error message:

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:         10.9.2015 13.19.02
Event ID:      1058
Task Category: None
Level:        Error
Keywords:     
User:         xxxxxxx\xxxxxxx
Computer:      xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Description:

The processing of Group Policy failed. Windows attempted to read the file \\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.

b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

c) The Distributed File System (DFS) client has been disabled.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1058</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-10T10:19:02.977910800Z" />
    <EventRecordID>1318</EventRecordID>
    <Correlation ActivityID="{9C0C77C4-AFC1-4A0E-9BFE-BE698091D73C}" />
    <Execution ProcessID="932" ThreadID="3588" />
    <Channel>System</Channel>
    <Computer>xxxxxxxxxxxxxxxxxxx</Computer>
    <Security UserID="S-1-5-21-1410795398-2781916069-518169928-1178" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">4</Data>
    <Data Name="SupportInfo2">912</Data>
    <Data Name="ProcessingMode">1</Data>
    <Data Name="ProcessingTimeInMilliseconds">421</Data>
    <Data Name="ErrorCode">65</Data>
    <Data Name="ErrorDescription">Network access is denied. </Data>
    <Data Name="DCName">\\xxxxxxxxxxxxxxxxxxxxxxxxxxx</Data>
    <Data Name="GPOCNName">cn={3933BE19-C3FF-4C22-9434-B64C654C8B06},cn=policies,cn=system,DC=xxx,DC=xxxxxxxx,DC=xxxxx</Data>
    <Data Name="FilePath">\\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini</Data>
  </EventData>
</Event>

Windows 10 clients ignoring WSUS GPO to contact it every hour


I'm not sure if this is a GPO issue\Win10\WSUS....I did post in the WSUS forum. The actual process of delivering patches to clients from WSUS works fine. The issue is the "Last Contact" time in WSUS, the clients seem to ignore the GPO they are getting (and they are getting the GPO).

I have 1 WSUS server, it is fully patched (Server 2012 R2). Single forest and domain. DC's are 2016 with up-to-date admx files. Our GPO tells the clients to contact the WSUS server every hour. The Windows 7 clients (we have very few left) contact WSUS correctly. The Windows 10 clients (we only have 1809 and 1909) randomly contact the WSUS server. They all do it at least a few times a day...none do it every hour like they are supposed to according to the GPO, not even close. It doesn't matter if the machine is a brand new build from SCCM or an in-place upgrade from Windows 7 or 1809. I have gone through the process of deleting the contents of the Windows\Software Distribution folder even though the machines are brand new in some cases, so that can be ruled out. The machines are getting the GPO, I've run a gpresults and it comes back correctly on each machine I look at. Has anyone else run into this?

I regularly "clean" the WSUS database.

Jason

NoPreviousVersionsPage TAB missing


Hi,

All of our corp systems were deployed from an image that had NoPreviousVersionsPage value set to 1 in the registry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer. Instead of doing a registry hack again to switch the value to 0 we would like to update all systems using a GPO. So the question is does "Hide Previous Versions List for Remote Files" setting under Computer Configuration / Administrative Template / File Explorer / Previous Version do the same thing ?

We are not seeing the TAB getting enabled on our test systems after Disabling Hide Previous Versions List for Remote Files.

Thanks 

Windows WebDAV client authentication policies

There is a problem on domain computers on which a domain controller is not available: integrated WebDAV clients cannot use any other authentication method except Negotiate. On a non-domain computer, fallback to basic authentication works perfectly, but with the computer in a domain, authentication breaks. What parameter of the GPO can control that?

Windows Search Disable


Hello Experts,

I am trying to disable Windows Search fully (both Web search and local search). After reading a couple of blogs I have successfully disabled Web search by adding a few registry entries. However, I am still not able to disable the Local Search completely. I have tried the following options to disable the local search:

1. Apply AppLocker policies to block the path "C:\windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy" - This didn't work

2. Apply Software restriction policies to block the path "C:\windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy" - This didn't work

3. Tried creating the Reg Key " Windows Search" and add value "0" - didn't work

Can you please suggest how I can completely block Windows Search (especially the "Local Search" functionality)?

Thanks

Narasimha


Narasimha Reddy K


Issue with GPOs


I created a GPO to turn off the notification and action center. I link it to the folder containing all domain computers and enforce it and it doesn't work. If I put the same info in the default domain policy, it works. Can anybody explain why this would happen? I have several other GPOs that don't work as well. I don't want to put everything in the default domain GPO.


Applied Group Policies Report and Audit


Hi,

On a standalone Windows 10 computer (not joined to a domain), I would like to generate a report (HTML) of a specific area only. For example, I want to generate a report for the following (this is just an example; I would consider both computer and user configuration).

1) Computer Configuration | Administrative Templates | Windows Component \Add Features to Windows 10


gpresult.exe /Scope Computer /H C:\GPO.html

I have given the GPResult utility a try and generated a report (as above), but I am looking for something to achieve what is shown in the screenshot above. Is that possible somehow?

Next question, related to the same area: I want to make a comparison, i.e. before applying some group policies and after applying the policies (difference highlighted or similar)?


Exporting Group Policies


Hi,

Assuming a standalone computer has some group policies configured (applies to both computer and user configuration). Can we export those settings and apply to another computer?

GPO compliance reporting across an estate


What is the best way to report on a specific GPO to see how far it has been applied (or not applied) across a domain, OU or group of computers?

Basically we just want to be able to query one GPO and find out all the machines where it has been applied (and hopefully the machines that it hasn't been applied to but should have been).

I know SCCM has some tools to report on this and there are some 3rd party tools but what are the other Microsoft options and what do others use?

GPP drivemaps item level targeting security group / more groups


For some while we have had GPPs with drive maps for users who are in a particular security group ("if user is member of").

For some reason, I think someone has made a mistake and has deleted the "if user is member of", so everyone got the same T drive, although the users who are not in the access list got the drive and share but not access. I have set the item-level targeting again for that drive mapping, but now several people who are members of more groups get one drive mapping. I do not know why they get that drive mapping because they are in both groups.

Example:

user a is member of: marketing and sales security group 

There is a drive mapping for sales (T) and a drive mapping for Marketing (also T). 

User a gets  the sales mapping at T but he wants drivemapping T to be Marketing.

The GPPs with drive mappings are all Replace, and still some users are showing the name of the old drive mapping but the content is of the new drive mapping (caching somewhere)?

I thought maybe we can make T when the user is in the security group but only when it is the primary group, but then I must go through all users to see what the primary group is.

How can I arrange it so that user a gets Marketing as T and not Sales? The user is in both security groups. And set it immediately?


freddie
