Channel: Group Policy forum

Switch Software Installation GPOs from computer to user assignment?

We only use computer based software installation policies, but would like to convert to user assignment for laptop users who mostly use their laptops out of the office.

They have admin rights, so software installation won't be restricted by lack of installation rights.

Since they are going to be using these laptops outside of the office, even with VPN, they cannot get computer assigned software installed because the VPN connection cannot be started until the computer boots to the login prompt.  Assigning software to the user should allow the software to install over the VPN connection if they start the VPN connection prior to logging in to Windows.  Mandatory software can be assigned and optional software can be published.

Not assigning software to the workstation should allow us to re-enable fast login optimization so the users don't have to deal with painfully slow boot times when out of the office while their laptops attempt and then fail to connect to the non-existent domain network during every startup.

The only issue I see is that we need to make sure the software only installs once and does not install on other computers they may log into that are not assigned to them.

I assume this can be accomplished by assigning the GPO to the workstation and then using group policy loopback processing to assign it to the user when they are on that specific computer only.

Is anything else needed?  Are there other problems with assigning software to users vs computers?


Creating scheduled task via gpo

Hi

I have created a scheduled task via GPO in Computer Configuration on Windows 2008 R2 and I need to deploy it to Windows XP and Windows 7 clients.

On the Windows XP clients I have already deployed the client side.

When I enforce the policy on the clients, the normal domain users do not receive the task.

However, when I log in with admin rights, whether domain or local admin, the task is created.

How can that be solved? ANY IDEAS?

How to audit a Server's local account policies and settings?

Learning how to script currently.  Have been tasked to come up with a script that will audit a server's local Account Policies and Security Options.  I was hoping someone may be able to assist me in finding the best way to script this audit.

Site to Zone Assignment List

Hi,

We have configured our Group Policy for Internet Explorer site zone assignment. Basically when a new user starts with our company a minor bugbear was that we had to keep adding our Intranet site to the list of Intranet Zones in IE.

To get round this we have configured the Site to Zone Assignment List in GPO under "User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List" and added our Intranet to this Zone.

This works fine as when you open IE and go to Internet Options > Security > Local Intranet Sites > Advanced the new zone is displayed but when you try to add to zones (sites) manually the option is greyed out. This is also the case for the trusted sites.

Can you advise how we can keep the GPO setting but allow users to have the option of manually adding zones (Sites) to their trusted sites in IE?

Many thanks

Graeme

Drive Map GPO and Item-Level targeting using DNS Computer Name not working as expected

I've run into a snag trying to move from logon script based drive mappings, to a GPO based Drive map solution and I'm hoping somebody can shed some light on the problem that I am seeing.  We started down the GPO based drive mappings because we have a handful of Windows 8 client computers which don't run the logon script based drive mappings.

I put together a basic Drive Maps GPO.   I'm mapping 3 drives, I've linked the GPO to a computer container OU for testing and everything is working just fine.  I have 3 different Windows 8 client PCs, all domain joined, and all 3 run the GPO as expected.

The problem is when I attempt to apply Item-level targeting.   I've found that if I define item-level targeting to use the NetBIOS name of the computer, I can either apply the GPO at an individual computer level, or I can exclude the GPO for that individual computer by toggling between IS and IS NOT.   However, when I choose to define the computer name by choosing the DNS option, the GPO does not apply as expected.

So, if I say "the DNS computer name is example1.mydomain.com" and I apply the GPO, it applies to example1, example2 and example3.   And if I instead say, "the DNS computer name is not example1.mydomain.com", then it doesn't apply to example1, example2 or example3.     Obviously, I would expect it to apply or not apply only to example1.mydomain.com.

If instead, I say "the NetBIOS computer name is example1", and apply the GPO, then example1 gets it, and example2 and example3 do not.   If I say, "the NetBIOS name is not example1", then example1 does NOT get the drive mapping, but example2 and example3 do.   < This is exactly what I want and I can continue to just use NetBIOS names...but I don't understand why DNS isn't working in the same manner.

My clients are all using DHCP and using domain controllers for DNS.   All 3 machines are in the mydomain.com namespace.  The mydomain.com namespace is an active directory integrated zone.   We have reverse zones in place for the dns records. I can ping the machines from the DC's as well as the machines themselves.  I can run nslookup and resolve the computer name for each host using the FQDN.  I can also run a ping -a IP_ADDY and get the FQDN back.  The DC's themselves are running Server 2008 R2.   I honestly don't see any issues from a name resolution standpoint on the network itself.   

So, any suggestions as to why defining the shortened NetBIOS name works just fine, but using DNS with a FQDN does not?   (I've tried the DNS name using just the name, the name., as well as name.mydomain.com and name.mydomain.com.)

WMI filter for < IE10

Hi,

Anyone know if I can create a WMI filter for pre-IE10 machines only which we can then use to target a Software installation GPO?

Reason being that with IE10 Adobe Flash Player is built-in and a separate install of Flash is not allowed but we do want that separate install of Flash on any machines which do not already have it built-in.

I have to admit to having never used WMI filters before.

Thanks,
  Nick

Deploying Printers using GP Error 0x704

Hello,

We are deploying printers using Server 2008 and Group Policy deploying to Windows 7 Pro machines. The printers are deployed per machine so any of our users can get printers depending on what room they are currently in. Everything has been working fine then we started to get reports that a few machines had no printers. I have confirmed that Group Policy is working on the machines but only about 75% of the machines are mapping the printers. Every machine has the same software image on it (different IP, PC name etc).

The machines that don't map the printers are giving the following error in event viewer.

Log Name:      Microsoft-Windows-PrintService/Admin
Source:        Microsoft-Windows-PrintService
Date:          15/05/2013 10:59:15
Event ID:      513
Task Category: Routing print spooler command(s)
Level:         Error
Keywords:      Router,Classic Spooler Event
User:          [Domain]\[User]
Computer:      [computer].[domain].local
Description:
Group Policy was unable to add per computer connection \\[server]\[printer]. Error code 0x704. This can occur if the name of the printer connection is incorrect, or if the print spooler cannot contact the print server.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-PrintService" Guid="{747EF6FD-E535-4D16-B510-42C90F6873A1}" />
    <EventID>513</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>39</Task>
    <Opcode>12</Opcode>
    <Keywords>0x8000000000002800</Keywords>
    <TimeCreated SystemTime="2013-05-15T09:59:15.686886400Z" />
    <EventRecordID>953</EventRecordID>
    <Correlation />
    <Execution ProcessID="1576" ThreadID="1584" />
    <Channel>Microsoft-Windows-PrintService/Admin</Channel>
    <Computer>[compuer].[domain].local</Computer>
    <Security UserID="S-1-5-21-3093010814-3523569038-1612450742-15176" />
  </System>
  <UserData>
    <RouterError xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events">
      <Name>\\[server]\[printer]</Name>
      <Error>0x704</Error>
    </RouterError>
  </UserData>
</Event>

After doing as much research as I can on this, I am stumped. Has anyone else had this or have any idea how to look further into this?

Thanks,

Dave

create a shared folder via GPO

Hello all,

We are trying to use GPO to share a local folder on client machines. All the clients have the same folder structure. We would like to be able to share the folder and add certain permissions to that folder. Everything we have tried with the GPO has failed. Any assistance on this would be greatly appreciated.

We are running server 2008 for the DC and have a mix of XP and 7 for clients.


GPO applying to a computer in another domain

Hi all,

Let's say I have a forest in which I have two child domains.

I found a GPO in one child domain that is applying to a computer in the other child domain.

Is this by design? Can I do anything to stop this happening?

IE - Preserve Favorites Website Data

One of the users here uses a website that periodically causes problems when they try to login to it.  And the tech support for that web app always suggests to clear "favorites website data".  Which works.  The problem is, in IE under Delete Browsing History the option for Preserve Favorites Website Data is grayed out for all users.  I ran rsop on that computer and couldn't find a GPO that locks that setting.  I did a bunch of research on the web and couldn't find a GPO that locks that setting.
Anyone happen to run across this in the past and know what GPO setting locks that down?

Group policy to save credentials in RDP not work

I've set local policy "Allow Delegating Saved Credentials" on my Windows 7 domain computer. When I am connecting via RDP to my home non-domain machine I am asked for credentials every time. (I use a local account on the home PC for authentication.)

How to change this behaviour?

Remove or Disable the Start Menu Search box in Windows 2008 Server

Is there a way to remove or disable the Start Menu Search box in Windows 2008 Server for a specific user?

How to Restrict Ping, Network Access of Domain Computers from Workgroup

Hi All,

I am facing the following scenario to implement in our environment.

         1. Restrict Ping, Network share access from Workgroup Computer to Domain Computers. The same should allow only for Domain Computers.

I have implemented Deny ping from workgroup using IPsec group policy and it's pinging for Domain Computers.

For Network Share access I have configured All IP Traffic and chose IP traffic in Filter list. If I use \\PDC from client machine, it's blocking all network access even for Domain Computers.

My DC is WS2012, Workgroup Machine: Windows 7, Domain Joined Machine: Windows 7

I used Group Policy IP Security Policies on Active Directory to implement the scenario.

Please help me to solve this.


Regards, Loganathan V

Problem with saving users settings.

Hey guys,

After restarting my computer with Windows Server 2012, when I log in my desktop is completely empty. I lost all settings. It's the same on other accounts on this server. All settings and files on the hard drive exist, and this isn't the problem. Only this one connected with users.

I changed the domain group policy; could I have done something wrong there?

GPO To Suppress Windows 7 Warning Messages About Roaming Profile Sync Failure At Logoff

We are setting up mobile laptop users to automatically sync their roaming profiles hourly in the background.  So, it should sync every time they are on VPN.

However, the roaming profile still tries and fails to sync on every logoff (VPN will not be connected during logoff) so it displays a large message on the screen saying to contact their system administrator because the roaming profile is not syncing.

How can we either disable the warning message or configure these laptops to not even try to synchronize during logoff and only sync hourly using the setting:

"Set the schedule for background upload of a roaming user profile's registry file while user is logged on."


member of administrator

Hi

When I make the user a member of the Administrators group in Active Directory, this membership is removed automatically. I work with Windows Server 2003. Please help me.

GPO Deployed Scheduled Task in Server 2008 R2 x64 Permissions

Weird situation, if I deploy a Scheduled task as either a Windows 2008 or as XP classic, the task gets created properly on every system, it runs properly on every XP, 2003 and Win 7 machine.  It fails for lack of permissions on the 2008 R2 machines.  All other machines have Full Control for local administrators on the Security tab for the task C:\windows\System32\Tasks\taskname for Win 7.  The 2008 R2 machines only have Read/Write, not execute when the task gets deployed.  If I manually change it to Full or Read & Execute the task runs properly until the update task GPO comes out and it sets the permissions back.  I am sure this is a security issue for 2008 R2 but how can I overcome this?  How can I get different permissions on a Scheduled Task that is pushed out via GPO?

Process GPP before Software Install in same GPO

Hi

I want to process some registry changes by GPP before the software install msi runs.  Ideally I'd like all of this in the same GPO, but can't see a way to change order, or by default do the policies process before the software installs?

If there isn't a way to do it in one GPO, I'll have to separate the GPP and the software install and then use ordering.

windows server 2008 password complexity

The option is dim when I go to

 

1. Click Start> Run, type gpedit.msc> click OK
2. Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy

3. The option to disable "Password must meet complexity requirement" is dim and cannot be changed from enabled.

Server 2008 ent x86
primary domain controller,    Complexity removed for domain users, Help

 

Please advise.

Windows 8, set default application for example adobe reader, customize the start screen

I have two questions. I'm going to deploy Windows 8 to our company, but have 2 big issues.

1) I need to customize the start screen, but can't find it anywhere in the GPOs. How can I do this without sysprepping etc. (deploying with SCCM2012 SP1)?
2) I need to set the default programs for Adobe Reader, mspaint etc. How can I do this? It doesn't work with the GPP and folder options. Has anyone done this?

Thanks in advance
