Applied Group Policies Report and Audit

May 14, 2020, 11:44 am

≫ Next: GPO compliance reporting across an estate

≪ Previous: Log off idle sesion does not work on Windows server 2008

$

0

0

Hi,

On a standalone Windows 10 computer (not joined to domain), I would like to generate report (html) of a specific area only. For example, I want to generate a report for the (this is just example, I would consider both computer and user configuration).

1) Computer Configuration | Administrative Templates | Windows Component \Add Features to Windows 10

gpresult.exe /Scope Computer /H C:\GPO.html

Have given a try to GPResult utility and generated a report (as above) but for looking for something to achieve as shown in screenshot above, possible somehow?

Next question related to the same area I want to make a comparison i.e. before applying some group policies and after applying the policies (difference highlighted or similar)?

---

GPO compliance reporting across an estate

May 12, 2020, 10:16 am

≫ Next: Issue with GPOs

≪ Previous: Applied Group Policies Report and Audit

$

0

0

What is the best way to report on a specific GPO to see how far it has been applied (or not applied) across a domain, OU or group of computers?

Basically we just want to be able to query one GPO and find out all the machines where it has been applied (and hopefully the machines that it hasn't been applied to but should have been).

I know SCCM has some tools to report on this and there are some 3rd party tools but what are the other Microsoft options and what do others use?

Issue with GPOs

May 14, 2020, 10:20 am

≫ Next: GPO with Schedule Task problems

≪ Previous: GPO compliance reporting across an estate

$

0

0

I created a GPO to turn off the notification and action center.  I link it to the folded containing all domain computers and enforce it and it doesn't work.  If put the same info in the default domain policy and it works.  Can anybody explain why this would happen?  I have several other GPOs that don't work as well.  I don't want to put everything in the default domain GPO

GPO with Schedule Task problems

May 18, 2020, 8:43 am

≫ Next: GPO TO disable the account after password expiry

≪ Previous: Issue with GPOs

$

0

0

Hi,

I have create a GPO with an schedule task have to run an executable file (.exe) from a network folder.

The task execute at logon (that works), but the problem is the users runs on that computers are not administrators of it.
 (I set  run with highest privilegest), but it fails. I try setting NT AUTORITY\SYSTEM for run GPO but still does not work (does not appear the task on task  scheduler and either does not run).

Any suggestion for ste that task and that user without administrator privileges run it?

GPO TO disable the account after password expiry

May 18, 2020, 9:47 am

≫ Next: GPO to prioritize the LAN NIC card on the Wi-Fi network card

≪ Previous: GPO with Schedule Task problems

$

0

0

Hi All,

We have domain controller running on WS 2012 R2 and have certain requirement that if the user doesn't change there password in 90 days the account should be disabled.

So is there any GPO for the same?

Thanks,

Roshan Kumar

GPO to prioritize the LAN NIC card on the Wi-Fi network card

May 18, 2020, 9:22 pm

≫ Next: I'm Pushing batch file through group policy at logon to remove unwanted application from program files.

≪ Previous: GPO TO disable the account after password expiry

$

0

0

Hello ,
I would like to know if there is a GPO which allows to prioritize the ethernet connection over the wifi connection for a computer. Or a script that can do it.
I know the windows are coming in a little more balanced.

I'm Pushing batch file through group policy at logon to remove unwanted application from program files.

May 18, 2020, 10:02 pm

≫ Next: GP not applying to users in a security group.

≪ Previous: GPO to prioritize the LAN NIC card on the Wi-Fi network card

$

0

0

When we run batch file locally through CMD, it working successfully but it was not apply through group policy. It shows policy link to computer but when we run gpupdate /force and after restart the machine, it does not work.

Batch file contain command to stop & delete service then delete the program files & registry.(working locally but not through GPO). Any solution, we need to remove multiple programs on multiples system.

GP not applying to users in a security group.

May 13, 2020, 8:19 am

≫ Next: how to create a registry based policy as the .admx does with program

≪ Previous: I'm Pushing batch file through group policy at logon to remove unwanted application from program files.

$

0

0

Hi. 

Wondering if someone can help me with an issue I have with a set of Printer GPs I have created. 

Setup: 

AD = 

OU called Users (contains user accounts)

OU called Security Groups, contains a security group called Technical Printer Group with a set of users accounts added. 

GPO = 

Group Policy Object created to map shared printer. Linked GPO to the OU - Users. 

All works fine when the Scope > GPO Security Filter is set to Authenticated Users but this applies the printer to all users. 

If I change the Security Filtering to the Security Group (Technical Printer Group) I see the following error when I run gpresult/r when logged in as a user which should have access : 

PRINT : Technical Printer Deployment
            Filtering:  Denied (Security)

Authenticated Users is set in Delegation to Read Only (not apply) - I am not to sure if this is required but if I remove I am presented with the same error as above. 

If I remove the Security Group from the GPO Security Filtering and directly apply individual users accounts it works fine. 

I cannot see a reason why the GPO will not apply to users in the Security Group 

I have recreated the Security Group, created it in a different OU but I keep getting the same error. 

Any advice would be apprecaited. I really do not want to leave the Security Filter as just a list of user account. 

Many thanks, Dan Hargrove

---

how to create a registry based policy as the .admx does with program

May 19, 2020, 2:25 am

≫ Next: Local Group Policy Editor Navigation

≪ Previous: GP not applying to users in a security group.

$

0

0

as some documentations mentioned here, https://docs.microsoft.com/en-us/archive/blogs/dsadsi/working-with-group-policy-objects-programmatically-determining-registry-values-to-enabledisableset-a-specific-policy, when we import the admx and adml and click the enable button, some files will be created.

can we just use a program to do this process? I mean create a registry value about enable and bind/link to the GPO.

Local Group Policy Editor Navigation

May 19, 2020, 3:12 am

≫ Next: Reducing password age value on the default domain policy

≪ Previous: how to create a registry based policy as the .admx does with program

$

0

0

Hi,

Is it possible to navigate to local GP via command line?

For example, can I open a specific GP setting directly via command line?

Reducing password age value on the default domain policy

May 19, 2020, 5:29 am

≫ Next: log on/log off

≪ Previous: Local Group Policy Editor Navigation

$

0

0

Reducing password age value on the default domain policy


current password age policy for our domain is 90 days. i wanted to change this to 60 days. what would be the impact if i do it domain wide ? 

eg, 

user A whose password age is 60...   after this policy, do they need to change the password immediately on logon ?

user B whose password age is 61... what will happen if this user try to logon to domain  ?

---

JG

log on/log off

May 4, 2020, 5:08 am

≫ Next: How to App Locker GPO to disable powershell.exe

≪ Previous: Reducing password age value on the default domain policy

$

0

0

dears,

is there any gpo that we can apply in order to make a user signout from his desktop following certain rules ( example 15 mins of no activity) ? with having login and logout information logs?

it is a bit urgent

thank you in advance

How to App Locker GPO to disable powershell.exe

May 19, 2020, 11:52 am

≫ Next: Group Policy not updating multiple member server

≪ Previous: log on/log off

$

0

0

Hello GPO guru,

I've been tasked with creating GPO to disable powershell on all windows 10 computer.  I create a new GPO, then configure GPO to denied "Path" to powershell.exe, but it doesn't seems like it working.

Thanks for your help.

Group Policy not updating multiple member server

May 16, 2020, 12:57 am

≫ Next: policy for every user applied to only one computer

≪ Previous: How to App Locker GPO to disable powershell.exe

$

0

0

Hi Guys,

I'm having problem to execute "gpupdate /force" on multiple member servers. getting variety of error and not able to figure this problem.

Error 1:

The Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon, 

Error 2:

Computer Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempt to read the file \\domain.com\sysvol\domain.com\Policies\{GUID}\.gpt.ini

Error 3:

User/Computer Policy update failed.

I'm struggling to fix this types of error from DC and member server side.

DC side verified the replication and DC reach ability is fine. Still, I'm looking some troubleshooting steps. can you please help on this

policy for every user applied to only one computer

May 19, 2020, 9:56 pm

≫ Next: Laptop GPO for users in and out of office

≪ Previous: Group Policy not updating multiple member server

$

0

0

I'm newbie in group policy and I'd like to apply policy (e.g. to set font size) for every user which logononly to specific computer.

Policy is created for user settings, updating <current-user> registry key, so I thought I have to apply it tousers entries, It's right?

I need this policy was applied for every user which access to this specific computer, suggestions please?

---

Laptop GPO for users in and out of office

May 15, 2020, 7:25 am

≫ Next: Windows Hello With Domain Account

≪ Previous: policy for every user applied to only one computer

$

0

0

Hi all, with the IT changing for remote users, I have a site that just purchased a number of new laptops that are going to be working primarily from home but will come into the office for a day, that sort of thing. I’ve joined them to the domain. At this point, I created a ‘Laptop’ OU and put all the laptops in there.

For the rest of the network, I have folder redirection turned on for all local folders (except for downloads).

Folder redirection is not a problem for the workstations but for the laptops, I don’t want gobs of sync files on the laptops since they will be VPN’ing into our terminal servers for everything. Also, I've nightmares in the past with it.

What I want to do is to sync JUST their desktop and nothing else. This way, I can create icons for them for the FortiClient and RDS icon and any other shortcut that they may need.

How do I do this with the current folder redirection GPO set to Domain Users? I’m thinking that I will need to create a new group called Folder Redirected and move everyone into that group and remove Domain Users. Then all the laptop users, add to a new GPO called ‘Laptop Users’.

Anyway, as you can see, I’m all over the place flailing. Just need some direction.

One more thing, if these laptops are created as part of AD, how long can they be away from the domain before they expire?

Windows Hello With Domain Account

May 15, 2020, 5:37 pm

≫ Next: Issue with GPOs

≪ Previous: Laptop GPO for users in and out of office

$

0

0

Hello,

I would like to sign into my PC with Windows Hello using my laptop's fingerprint sensor. However, I sign into Windows using a domain account, not a local or Microsoft account. Apparently, Windows Hello is not enabled by default for domain accounts. I am curious as to how I can enable it. Should I check the Group Policy on my Domain Controller? If so, where would I find it in Group Policy? I have already tried enabling "Enable PIN sign-on" in Group Policy, but that did not work. My laptop is running Windows 10 1909 and my DC is running Windows Server 2012 R2.

Any suggestions would be appreciated.

Issue with GPOs

May 14, 2020, 10:20 am

≫ Next: Applying Advanced Audit Policies

≪ Previous: Windows Hello With Domain Account

$

0

0

I created a GPO to turn off the notification and action center.  I link it to the folded containing all domain computers and enforce it and it doesn't work.  If put the same info in the default domain policy and it works.  Can anybody explain why this would happen?  I have several other GPOs that don't work as well.  I don't want to put everything in the default domain GPO

Applying Advanced Audit Policies

May 13, 2020, 1:32 am

≫ Next: Migrate Active Directory to a New Domain Controller

≪ Previous: Issue with GPOs

$

0

0

Is there any way to apply Advanced audit policies on Server 2008 R2, 2012 R2 and 2016, outside of "Default Domain Policy" scope?

In a separate gpo?

The purpose is to avoid applying these settings on users' workstations.

Migrate Active Directory to a New Domain Controller

May 15, 2020, 5:33 pm

≫ Next: Default Domain Policy and maximum password age

≪ Previous: Applying Advanced Audit Policies

$

0

0

Is it possible to migrate Active Directory Users to a new Server? 

Look like the SYSVOL folder is corrupted and Group Policy isn't working properly. I want  to create a new domain controller, but im not sure how to get users onto the new server.

Regards

KP