GPO Loopback processing of user policies started failing
- We have a Server 2003 domain with only Server 2003 DCs. The affected clients are XP.
There is no Windows 2000 or NT involved and there is only one domain.
I noticed some user settings for a steadystate gpo started failing. It has user settings that we want to apply only when the users are logged into specific computers, so the policy is applied to the computer's OU with loopback processing enabled in the GPO.
I checked logs on the XP client and I see:
Event 1086. Windows cannot do loopback processing for downlevel or local users. Loopback processing will be disabled.
I was not logging in with a local user account. Why is this failing now? I did a Google search and found old info referring to using NT and Windows 2000 http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=1086&EvtSrc=Userenv&LCID=1033
(This does not apply to us).
It used to work fine. What could be the cause now?
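How the user-side GPO list changes when loopback processing is in effect and when the client disables it, as Event 1086 reports. This is an added example, not part of the original post; the OU names, GPO names and settings are hypothetical, and the model ignores sites, enforcement, block inheritance and security filtering.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Container:
    """A domain or OU and the GPOs linked to it, in application order."""
    name: str
    parent: Optional["Container"] = None
    linked_gpos: List[str] = field(default_factory=list)


# Constructed user-side settings carried by each hypothetical GPO.
GPO_USER_SETTINGS: Dict[str, Dict[str, str]] = {
    "Domain Defaults": {"ScreenSaverTimeout": "900", "RunCommand": "allowed"},
    "Staff Desktop": {"ControlPanel": "allowed"},
    "Kiosk Lockdown": {"RunCommand": "removed", "ControlPanel": "blocked"},
}


def gpos_in_scope(container: Container) -> List[str]:
    """GPOs for an object in this container: domain first, closest OU last."""
    chain = []
    node: Optional[Container] = container
    while node is not None:
        chain.append(node)
        node = node.parent
    ordered: List[str] = []
    for node in reversed(chain):
        ordered.extend(node.linked_gpos)
    return ordered


def user_gpo_list(user_ou: Container, computer_ou: Container,
                  loopback: Optional[str]) -> List[str]:
    """GPOs whose User Configuration is processed at logon.

    loopback is "replace", "merge", or None when loopback is not in effect
    (including the case where the client logs that it was disabled).
    """
    if loopback is None:
        return gpos_in_scope(user_ou)
    if loopback == "replace":
        # Only GPOs in scope for the computer object are used.
        return gpos_in_scope(computer_ou)
    if loopback == "merge":
        # User's GPOs first, then the computer's, so the computer's win.
        return gpos_in_scope(user_ou) + gpos_in_scope(computer_ou)
    raise ValueError("unknown loopback mode: %r" % loopback)


def effective_user_settings(gpo_list: List[str]) -> Dict[str, str]:
    """Apply GPOs in order; a later GPO overwrites an earlier one."""
    result: Dict[str, str] = {}
    for gpo in gpo_list:
        result.update(GPO_USER_SETTINGS.get(gpo, {}))
    return result


def lost_when_loopback_disabled(user_ou: Container, computer_ou: Container,
                                loopback: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Settings that change when the client falls back to normal processing.

    Maps setting name to (intended value, value actually applied).
    """
    intended = effective_user_settings(user_gpo_list(user_ou, computer_ou, loopback))
    fallback = effective_user_settings(user_gpo_list(user_ou, computer_ou, None))
    return {name: (value, fallback.get(name))
            for name, value in intended.items()
            if fallback.get(name) != value}


# Hypothetical layout: users live in "Staff", locked-down PCs in "Kiosks".
DOMAIN = Container("example.local", linked_gpos=["Domain Defaults"])
STAFF = Container("Staff", DOMAIN, ["Staff Desktop"])
KIOSKS = Container("Kiosks", DOMAIN, ["Kiosk Lockdown"])

if __name__ == "__main__":
    for mode in ("replace", "merge", None):
        gpos = user_gpo_list(STAFF, KIOSKS, mode)
        print(mode, gpos, effective_user_settings(gpos))
    print("lost:", lost_when_loopback_disabled(STAFF, KIOSKS, "replace"))
```

When the fallback list is used, the restrictions linked to the computer's OU drop out of the user's policy entirely, which matches the symptom of user settings not applying on the affected machines.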
All Replies
- Howdie!
Are you in the process of migrating the user/machine from one domain to another? Are there other events logged in event viewer?
Cheers,
Florian
Microsoft MVP - Group Policy (http://www.frickelsoft.net/blog)
- There is no other domain involved. The computers and users are on the same domain and have always been on the same domain.
The only reason I checked the group policy events log and saw the 1086 event is because the user policies in the gpo were not working reliably. Sometimes they would work and then they would not work the next time. I checked the log when it wasn't working and then saw the event 1086.
I will have to wait until Monday to check the logs again to see if there are other error events.
- Hi MyGposts,
According to your description, I understand that the GPO Loopback processing is not working on your XP client.
If I have misunderstood you, please do not hesitate to let me know.
To isolate the issue, please collect the following information for research.
1. Enable UserEnv logging on the workstation via the following KB article:
221833 How to enable user environment debug logging in retail builds of Windows
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833
Set UserEnvDebugLevel to 0x00030002; the most verbose details are logged in the Userenv.log file.
The log file is written to the %Systemroot%\Debug\UserMode\Userenv.log file.
2. Log on as a Domain Admin account, click Start and run "cmd", Enter. Type in "gpresult /Z >c:\gpresult.txt" and Enter.
Please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the Userenv.log and gpresult.txt file and then give us the download address.
Best Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.
- I am unable to get gpresult when the computers have the problem. The message says the user does not have RSOP data even though the user is a domain admin and admin on the computer.
- Hi MyGposts,
Could you please let us know the error message WORD by WORD when you run the gpresult /z with administrative privilege token?
However, you may try rejoining this problematic computer to the domain to see if the issue persists.
Best Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.
- It simply says "The user "domain\xxx" does not have RSOP data."
It is a short one line message with no further details.
It is not a problem with one single computer. One of the problem PCs in the OU was freshly imaged and joined to the domain today and others have been on the domain for some time.
- Hi MyGposts,
Thank you for your response.
To isolate the root cause of this issue, please confirm the following information:
1. How many DCs are in your environment? Please run "repadmin /showreps >c:\repadmin.txt" from your DC.
2. Does the problematic client point to the correct DNS server in your domain?
3. Can you access the SYSVOL and NetLogon folders of your domain on the problematic client? E.g., try accessing \\domain.com\SYSVOL\ and \\domain.com\NETLOGON
4. If that succeeds let’s take a network capture of the failure by following these steps:
Microsoft Network Monitor 3.3
Please capture the network packets on the client computer. On a Windows system, you can install Netmon3.3 to capture the network packets:
1) Download and install Netmon3.3 on the computers: Microsoft Network Monitor 3.3
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=983b941d-06cb-4658-b7f6-3088333d062f
2) Log on to the machines, right-click the Netmon icon and select Run as Administrator to launch NetMon3.3.
3) In the Microsoft Network Monitor 3.3 window, click Create a new capture tab.
4) In the new tab, select all the Network Adapters in the Select Networks window.
5) Press F10 to start NetMon on all machines.
6) Perform the “gpupdate /force” again to reproduce the issue.
7) After that, go back to the NetMon window and press F11 to stop the NetMon.
8) Press Ctrl+S to save the Netmon files and upload them to the following space:
5. Run GPMC’s group policy result report on the domain controller for and send the report to us for analyzing.
1) Download GPMC snap-in from the following link.
2) http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887
3) Install GPMC snap-in on your domain controller.
4) Start GPMC by typing "gpmc.msc" into "Start Menu" and "Run", right-click Group Policy Results, choose Group Policy Results Wizard, and select the server name and user name that you want to run it for.
5) Save the report file to an html file.
6. Please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the netmon, gpreport.html and repadmin.txt file and then give us the download address.
I'm glad to provide further assistance as soon as I get the information from you. Thanks for your cooperation again.
Best Regards,
Wilson Jia
- I did the repadmin and the results say all attempts were successful.
The DNS is correct and is automatically supplied by DHCP.
Unfortunately, we have a circular problem because the main purpose of the policies is to restrict user access to the computer and those policies are partially working, meaning we can only access the command line or install software if we log in to the computers using the local administrator account. All domain user accounts have a limited desktop and if we disable the restricting GPO, then we can't test if they are working.
- Hi MyGposts,
Could you please let us know the exact GPO setting which is not applied to the client? Have you run the Group policy result report on the domain controller? If so, what's the result?
Best Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.
- Sometimes rebooting the workstation an extra time resolves it and sometimes not.
Here is the GP results report on one of the DCs
Not available
Group Policy Results
domainname\administrator on domainname\domainROOT2
Data collected on: 11/6/2009 1:41:19 PM
Summary
Computer Configuration Summary
General
Computer name domainname\domainROOT2
Domain domainname.local
Site company-domain
Last time Group Policy was processed 11/6/2009 1:38:43 PM
Group Policy Objects
Applied GPOs
Name Link Location Revision
New Regular office Users domainname.local AD (7), Sysvol (7)
Password Policy domainname.local AD (27), Sysvol (27)
WSUS - Domain Wide domainname.local AD (67), Sysvol (67)
Security domainname.local AD (195), Sysvol (195)
Default Domain Policy domainname.local AD (224), Sysvol (224)
Manage Endpoint Client domainname.local/company-domain/Servers AD (8), Sysvol (8)
domainSMTP.domainname.local Certificate Import domainname.local/company-domain/Servers AD (4), Sysvol (4)
Disable AutoPlay/Autorun domainname.local/company-domain/Servers AD (1), Sysvol (1)
Terminal Services domainname.local/company-domain/Servers AD (26), Sysvol (26)
CC22-XP SP2 Settings domainname.local/company-domain/Servers AD (2), Sysvol (2)
wait for network before login domainname.local/company-domain/Servers AD (1), Sysvol (1)
WSUS - Servers domainname.local/company-domain/Servers AD (4), Sysvol (4)
Security - Servers domainname.local/company-domain/Servers AD (24), Sysvol (24)
Default Domain Controllers Policy domainname.local/company-domain/Servers/Main/Domain Controllers AD (125), Sysvol (125)
Denied GPOs
Name Link Location Reason Denied
Local Group Policy Local Empty
DFS MSOffice2003 SP3 domainname.local/company-domain/Servers Access Denied (Security Filtering)
Black Desktop domainname.local/company-domain/Servers/Main/Domain Controllers Access Denied (Security Filtering)
Security Group Membership when Group Policy was applied
BUILTIN\Administrators
Everyone
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Users
BUILTIN\Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
domainname\domainROOT2$
domainname\domain2009Access
domainname\Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
WMI Filters
Name Value Reference GPO(s)
None
Component Status
Component Name Status Last Process Time
Group Policy Infrastructure Success 11/6/2009 1:38:43 PM
EFS recovery Success (no data) 10/15/2009 11:50:43 AM
Registry Success 10/22/2009 8:09:17 AM
Scripts Success 10/30/2009 8:20:27 AM
Security Success 10/15/2009 11:50:43 AM
Software Installation Success 10/20/2009 8:16:14 PM
Wireless Group Policy Success 10/15/2009 11:50:33 AM
User Configuration Summary
General
User name domainname\administrator
Domain domainname.local
Last time Group Policy was processed 6/29/2009 12:00:16 PM
Group Policy Objects
Applied GPOs
Name Link Location Revision
Regular Office Users domainname.local AD (10), Sysvol (10)
WSUS - Domain Wide domainname.local AD (8), Sysvol (8)
Security domainname.local AD (74), Sysvol (74)
Default Domain Policy domainname.local AD (49), Sysvol (49)
Denied GPOs
Name Link Location Reason Denied
Local Group Policy Local Empty
Password Policy domainname.local/company-domain Empty
domainSMTP.domainname.local Certificate Import domainname.local/company-domain/Servers Empty
Disable AutoPlay/Autorun domainname.local/company-domain/Servers Empty
Terminal Services domainname.local/company-domain/Servers Empty
CC22-XP SP2 Settings domainname.local/company-domain/Servers Empty
wait for network before login domainname.local/company-domain/Servers Empty
DFS MSOffice2003 SP3 domainname.local/company-domain/Servers Access Denied (Security Filtering)
WSUS - Servers domainname.local/company-domain/Servers Empty
Security - Servers domainname.local/company-domain/Servers Empty
Default Domain Controllers Policy domainname.local/company-domain/Servers/Main/Domain Controllers Empty
Security Group Membership when Group Policy was applied
domainname\Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Remote Desktop Users
NT AUTHORITY\REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
LOCAL
domainname\IPSEC Service Admins
domainname\Domain Admins
domainname\domain2009Access
domainname\Group Policy Creator Owners
domainname\Schema Admins
domainname\Enterprise Admins
domainname\WinSCP (R)
domainname\PrintFile (R)
domainname\MQZoom (R)
domainname\PMOffice (R)
domainname\Offer Remote Assistance Helpers
domainname\PitneyBowes_Finalist (R)
domainname\DEVServer (R)
WMI Filters
Name Value Reference GPO(s)
None
Component Status
Component Name Status Last Process Time
Group Policy Infrastructure Success 6/29/2009 12:00:16 PM
Internet Explorer Branding Success 6/29/2009 10:12:16 AM
Registry Success 6/29/2009 10:12:14 AM
Computer Configuration
Policies
Windows Settings
Scripts
An error has occurred while collecting data for Scripts.
The following errors were encountered:
An unknown error occurred while data was gathered for this extension. Details: Not found
Security Settings
An error has occurred while collecting data for Software Restriction Policies.
This error impacts the following settings:
Software Restriction Policies
Software Restriction Policies/Security Levels
Software Restriction Policies/Additional Rules
The following errors apply to all of the above settings:
An unknown error occurred while data was gathered for this extension. Details: Unable to cast object of type 'System.String[]' to type 'Microsoft.GroupPolicy.Reporting.Extensions.Registry.UnknownType'.
Account Policies/Password Policy
Policy Setting Winning GPO
Enforce password history 8 passwords remembered Password Policy
Maximum password age 90 days Password Policy
Minimum password age 1 days Password Policy
Minimum password length 8 characters Password Policy
Password must meet complexity requirements Enabled Password Policy
Account Policies/Account Lockout Policy
Policy Setting Winning GPO
Account lockout duration 0 minutes Security
Account lockout threshold 5 invalid logon attempts Security
Reset account lockout counter after 30 minutes Security
Account Policies/Kerberos Policy
Policy Setting Winning GPO
Maximum lifetime for service ticket 600 minutes Security
Maximum lifetime for user ticket 10 hours Security
Maximum lifetime for user ticket renewal 7 days Security
Maximum tolerance for computer clock synchronization 5 minutes Security
Local Policies/Audit Policy
Policy Setting Winning GPO
Audit account logon events Failure Default Domain Controllers Policy
Audit account management Success, Failure Default Domain Controllers Policy
Audit directory service access Success, Failure Default Domain Controllers Policy
Audit logon events Failure Default Domain Controllers Policy
Audit object access Failure Default Domain Controllers Policy
Audit policy change Failure Default Domain Controllers Policy
Audit privilege use Failure Default Domain Controllers Policy
Audit process tracking Failure Default Domain Controllers Policy
Audit system events Failure Default Domain Controllers Policy
Local Policies/User Rights Assignment
Policy Setting Winning GPO
Access this computer from the network domainname\IUSR_domainPRINT, Everyone, Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS, Pre-Windows 2000 Compatible Access Default Domain Controllers Policy
Act as part of the operating system domainname\Administrator, domainname\domainwebuser, domainname\db2admin, domainname\veritas Default Domain Controllers Policy
Add workstations to domain domainname\Domain Admins Default Domain Controllers Policy
Adjust memory quotas for a process domainname\db2admin, LOCAL SERVICE, NETWORK SERVICE, Administrators Default Domain Controllers Policy
Allow log on locally Server Operators, Print Operators, domainname\Domain Admins, Backup Operators, Administrators, Account Operators, domainname\IUSR_domainPRINT Default Domain Controllers Policy
Allow log on through Terminal Services domainname\Domain Admins, domainname\TermServ Default Domain Controllers Policy
Back up files and directories Administrators, Backup Operators, Server Operators Default Domain Controllers Policy
Bypass traverse checking Everyone, Administrators, Authenticated Users, Pre-Windows 2000 Compatible Access Default Domain Controllers Policy
Change the system time LOCAL SERVICE, Administrators, Server Operators Default Domain Controllers Policy
Create a pagefile Administrators Default Domain Controllers Policy
Create a token object domainname\veritas, domainname\db2admin Default Domain Controllers Policy
Create permanent shared objects Default Domain Controllers Policy
Debug programs Administrators Default Domain Controllers Policy
Deny access to this computer from the network Default Domain Controllers Policy
Deny log on as a batch job Default Domain Controllers Policy
Deny log on as a service Default Domain Controllers Policy
Deny log on locally Default Domain Controllers Policy
Enable computer and user accounts to be trusted for delegation Administrators Default Domain Controllers Policy
Force shutdown from a remote system Administrators, Server Operators Default Domain Controllers Policy
Generate security audits LOCAL SERVICE, NETWORK SERVICE Default Domain Controllers Policy
Increase scheduling priority Administrators Default Domain Controllers Policy
Load and unload device drivers Administrators, Print Operators Default Domain Controllers Policy
Lock pages in memory Default Domain Controllers Policy
Log on as a batch job domainname\ntbackup, domainname\domainbatman, domainname\rcabutage, domainname\IIS_WPG, LOCAL SERVICE, domainname\Administrator, domainname\veritas, domainname\domainaudit, domainname\IUSR_domainPRINT, domainname\hazel Default Domain Controllers Policy
Log on as a service NETWORK SERVICE, domainname\veritas, domainname\o2, domainname\IUSR_domainPRINT, domainname\db2admin, domainname\domainwebuser, domainname\Administrator Default Domain Controllers Policy
Manage auditing and security log Administrators Default Domain Controllers Policy
Modify firmware environment values Administrators Default Domain Controllers Policy
Profile single process Administrators Default Domain Controllers Policy
Profile system performance Administrators Default Domain Controllers Policy
Remove computer from docking station Administrators Default Domain Controllers Policy
Replace a process level token domainname\db2admin, LOCAL SERVICE, NETWORK SERVICE Default Domain Controllers Policy
Restore files and directories Administrators, Backup Operators, Server Operators Default Domain Controllers Policy
Shut down the system Administrators, Backup Operators, Server Operators, Print Operators, domainname\rcabutage Default Domain Controllers Policy
Synchronize directory service data Default Domain Controllers Policy
Take ownership of files or other objects Administrators Default Domain Controllers Policy
Local Policies/Security Options
Accounts
Policy Setting Winning GPO
Accounts: Guest account status Disabled Security
Accounts: Rename administrator account Administrator Security
Domain Controller
Policy Setting Winning GPO
Domain controller: LDAP server signing requirements None Default Domain Controllers Policy
Domain Member
Policy Setting Winning GPO
Domain member: Digitally encrypt or sign secure channel data (always) Enabled Default Domain Controllers Policy
Interactive Logon
Policy Setting Winning GPO
Interactive logon: Do not require CTRL+ALT+DEL Enabled Security
Interactive logon: Prompt user to change password before expiration 7 days Security
Microsoft Network Server
Policy Setting Winning GPO
Microsoft network server: Digitally sign communications (always) Enabled Default Domain Controllers Policy
Microsoft network server: Digitally sign communications (if client agrees) Enabled Default Domain Controllers Policy
Network Access
Policy Setting Winning GPO
Network access: Let Everyone permissions apply to anonymous users Disabled New Regular office Users
Network Security
Policy Setting Winning GPO
Network security: Force logoff when logon hours expire Disabled Security
Network security: LAN Manager authentication level Send NTLM response only Default Domain Controllers Policy
Event Log
Policy Setting Winning GPO
Maximum application log size 24960 kilobytes Security
Maximum security log size 2097152 kilobytes Security - Servers
Maximum system log size 24960 kilobytes Security
Retain application log 90 days Security
Retain security log 90 days Security - Servers
Retain system log 90 days Security
Retention method for application log By days Security
Retention method for security log By days Security - Servers
Retention method for system log By days Security
System Services
Application Management (Startup Mode: Automatic)
Winning GPO WSUS - Domain Wide
Permissions
No permissions specified
Auditing
No auditing specified
Background Intelligent Transfer Service (Startup Mode: Automatic)
Winning GPO WSUS - Domain Wide
Permissions
No permissions specified
Auditing
No auditing specified
Windows Installer (Startup Mode: Automatic)
Winning GPO Default Domain Policy
Permissions
Type Name Permission
Allow BUILTIN\Administrators Full Control
Allow NT AUTHORITY\Authenticated Users Full Control
Allow domainname\Domain Admins Full Control
Allow domainname\Domain Computers Full Control
Allow domainname\Domain Users Full Control
Allow NT AUTHORITY\INTERACTIVE Full Control
Allow NT AUTHORITY\SYSTEM Full Control
Auditing
Type Name Access
Failure Everyone Full Control
Remote Procedure Call (RPC) (Startup Mode: Automatic)
Winning GPO Default Domain Policy
Permissions
Type Name Permission
Allow BUILTIN\Administrators Full Control
Allow NT AUTHORITY\Authenticated Users Full Control
Allow domainname\Domain Admins Full Control
Allow domainname\Domain Computers Full Control
Allow domainname\Domain Users Full Control
Allow NT AUTHORITY\INTERACTIVE Full Control
Allow NT AUTHORITY\SYSTEM Full Control
Auditing
Type Name Access
Failure Everyone Full Control
Windows Update (Startup Mode: Automatic)
Winning GPO WSUS - Domain Wide
Permissions
No permissions specified
Auditing
No auditing specified
Public Key Policies/Certificate Services Client - Auto-Enrollment Settings
Policy Setting Winning GPO
Automatic certificate management Enabled [Default setting]
Option Setting
Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates Disabled
Update and manage certificates that use certificate templates from Active Directory Disabled
Public Key Policies/Encrypting File System
Certificates
Issued To Issued By Expiration Date Intended Purposes Winning GPO
Administrator Administrator 8/14/2006 3:46:34 PM File Recovery Default Domain Policy
For additional information about individual settings, launch Group Policy Object Editor.
Public Key Policies/Trusted Root Certification Authorities
Properties
Winning GPO [Default setting]
Policy Setting
Allow users to select new root certification authorities (CAs) to trust Enabled
Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only
Certificates
Issued To Issued By Expiration Date Intended Purposes Winning GPO
domainSMTP.domainname.local domainSMTP.domainname.local 9/21/2013 7:28:00 AM <All> domainSMTP.domainname.local Certificate Import
domainSMTP.domainname.local domainSMTP.domainname.local 3/3/2028 3:44:53 PM Server Authentication, Client Authentication domainSMTP.domainname.local Certificate Import
For additional information about individual settings, launch Group Policy Object Editor.
Administrative Templates
Policy definitions (ADMX files) retrieved from the local machine.
Network/DNS Client
Policy Setting Winning GPO
DNS Suffix Search List Enabled Default Domain Policy
DNS Suffixes: domainname.local,companydmz.ds
Network/Network Connections
Policy Setting Winning GPO
Prohibit use of Internet Connection Firewall on your DNS domain network Enabled CC22-XP SP2 Settings
System/Group Policy
Policy Setting Winning GPO
Group Policy refresh interval for computers Enabled Default Domain Policy
This setting allows you to customize how often Group Policy is applied
to computers. The range is 0 to 64800 minutes (45 days).
Minutes: 30
This is a random time added to the refresh interval to prevent
all clients from requesting Group Policy at the same time.
The range is 0 to 1440 minutes (24 hours)
Minutes: 30
Policy Setting Winning GPO
User Group Policy loopback processing mode Enabled Password Policy
Mode: Replace
System/Logon
Policy Setting Winning GPO
Always wait for the network at computer startup and logon Enabled wait for network before login
System/Remote Assistance
Policy Setting Winning GPO
Offer Remote Assistance Enabled Default Domain Policy
Permit remote control of this computer: Allow helpers to remotely control the computer
Helpers:
domainname\domain admins
Windows Components/AutoPlay Policies
Policy Setting Winning GPO
Turn off Autoplay Enabled Disable AutoPlay/Autorun
Turn off Autoplay on: All drives
Windows Components/Internet Explorer
Policy Setting Winning GPO
Turn off pop-up management Enabled CC22-XP SP2 Settings
Windows Components/Internet Information Services
Policy Setting Winning GPO
Prevent IIS installation Enabled New Regular office Users
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections
Policy Setting Winning GPO
Allow users to connect remotely using Remote Desktop Services Enabled Terminal Services
Limit number of connections Enabled Terminal Services
RD Maximum Connections allowed 3
Type 999999 for unlimited connections.
Policy Setting Winning GPO
Restrict Remote Desktop Services users to a single Remote Desktop Services session Enabled Terminal Services
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection
Policy Setting Winning GPO
Allow audio and video playback redirection Enabled Terminal Services
Do not allow COM port redirection Enabled Terminal Services
Do not allow drive redirection Enabled Terminal Services
Do not allow LPT port redirection Disabled Terminal Services
Do not allow smart card device redirection Enabled Terminal Services
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Printer Redirection
Policy Setting Winning GPO
Do not allow client printer redirection Disabled Terminal Services
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Session Time Limits
Policy Setting Winning GPO
Set time limit for disconnected sessions Enabled New Regular office Users
End a disconnected session Never
Policy Setting Winning GPO
Terminate session when time limits are reached Disabled New Regular office Users
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Temporary folders
Policy Setting Winning GPO
Do not delete temp folder upon exit Disabled Terminal Services
Windows Components/Windows Installer
Policy Setting Winning GPO
Enable user control over installs Disabled Default Domain Policy
Turn off creation of System Restore Checkpoints Disabled Default Domain Policy
Windows Components/Windows Media Player
Policy Setting Winning GPO
Prevent Desktop Shortcut Creation Enabled Default Domain Policy
Prevent Quick Launch Toolbar Shortcut Creation Enabled Default Domain Policy
Windows Components/Windows Messenger
Policy Setting Winning GPO
Do not allow Windows Messenger to be run Enabled Default Domain Policy
Do not automatically start Windows Messenger initially Enabled Default Domain Policy
Windows Components/Windows Update
Policy Setting Winning GPO
Allow Automatic Updates immediate installation Enabled WSUS - Domain Wide
Allow non-administrators to receive update notifications Enabled WSUS - Domain Wide
Automatic Updates detection frequency Enabled WSUS - Domain Wide
Check for updates at the following
interval (hours): 4
Policy Setting Winning GPO
Configure Automatic Updates Enabled WSUS - Servers
Configure automatic updating: 3 - Auto download and notify for install
The following settings are only required
and applicable if 4 is selected.
Scheduled install day: 0 - Every day
Scheduled install time: 03:00
Policy Setting Winning GPO
Delay Restart for scheduled installations Enabled WSUS - Domain Wide
Wait the following period before
proceeding with a scheduled
restart (minutes): 30
Policy Setting Winning GPO
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box Enabled WSUS - Domain Wide
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box Disabled WSUS - Domain Wide
Enable client-side targeting Enabled WSUS - Servers
Target group name for this computer Servers
Policy Setting Winning GPO
Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates Enabled WSUS - Domain Wide
No auto-restart with logged on users for scheduled automatic updates installations Enabled WSUS - Domain Wide
Re-prompt for restart with scheduled installations Enabled WSUS - Domain Wide
Wait the following period before
prompting again with a scheduled
restart (minutes): 360
Policy Setting Winning GPO
Reschedule Automatic Updates scheduled installations Enabled WSUS - Domain Wide
Wait after system
startup (minutes): 5
Policy Setting Winning GPO
Specify intranet Microsoft update service location Enabled WSUS - Domain Wide
Set the intranet update service for detecting updates: https://domainutils.domainname.local:8531
Set the intranet statistics server: https://domainutils.domainname.local:8531
(example: http://IntranetUpd01)
Extra Registry Settings
Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.
Setting State Winning GPO
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{677fb2e0-3a5c-4b12-b645-8a27398026a1}\Description Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{677fb2e0-3a5c-4b12-b645-8a27398026a1}\ItemData C:\Program Files\mIRC\mirc.exe Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{677fb2e0-3a5c-4b12-b645-8a27398026a1}\LastModified 127706101078880003 Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{677fb2e0-3a5c-4b12-b645-8a27398026a1}\SaferFlags 0 Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}\Description Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}\ItemData %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}\LastModified 127706098698003455 Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{191cd7fa-f240-4a17-8986-94d480a6c8ca}\SaferFlags 0 Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{7272edfb-af9f-4ddf-b65b-e4282f2deefc}\Description Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{7272edfb-af9f-4ddf-b65b-e4282f2deefc}\ItemData %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{7272edfb-af9f-4ddf-b65b-e4282f2deefc}\LastModified 127706098698003455 Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{7272edfb-af9f-4ddf-b65b-e4282f2deefc}\SaferFlags 0 Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{8868b733-4b3a-48f8-9136-aa6d05d4fc83}\Description Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{8868b733-4b3a-48f8-9136-aa6d05d4fc83}\ItemData %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{8868b733-4b3a-48f8-9136-aa6d05d4fc83}\LastModified 127706098698003455 Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{8868b733-4b3a-48f8-9136-aa6d05d4fc83}\SaferFlags 0 Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}\Description Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}\ItemData %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}\LastModified 127706098698003455 Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{d2c34ab2-529a-46b2-b293-fc853fce72ea}\SaferFlags 0 Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\DefaultLevel 262144 Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\ExecutableTypes ADE
ADP
BAS
BAT
CHM
CMD
COM
CPL
CRT
EXE
HLP
HTA
INF
INS
ISP
LNK
MDB
MDE
MSC
MSI
MSP
MST
OCX
PCD
PIF
REG
SCR
SHS
URL
VB
WSC Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\PolicyScope 0 Default Domain Controllers Policy
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled 1 Default Domain Controllers Policy
User Configuration
Policies
Windows Settings
Security Settings
Public Key Policies/Certificate Services Client - Auto-Enrollment Settings
Policy Setting Winning GPO
Automatic certificate management Enabled [Default setting]
Option Setting
Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates Disabled
Update and manage certificates that use certificate templates from Active Directory Disabled
Show certificate expiry notifications Disabled [Default setting]
Internet Explorer Maintenance
Browser User Interface/Customized Title Bar
Title Bar Text Winning GPO
company (company domain) Default Domain Policy
Connection/Automatic Browser Configuration
Policy Setting Winning GPO
Automatically detect configuration settings Disabled Default Domain Policy
Automatic Browser Configuration Not configured N/A
Administrative Templates
Policy definitions (ADMX files) retrieved from the local machine.
Control Panel
Policy Setting Winning GPO
Always open All Control Panel Items when opening Control Panel Enabled Default Domain Policy
Control Panel/Personalization
Policy Setting Winning GPO
Password protect the screen saver Enabled Security
Screen saver timeout Enabled Security
Number of seconds to wait to enable the screen saver
Seconds: 900
Desktop
Policy Setting Winning GPO
Hide Internet Explorer icon on desktop Enabled Default Domain Policy
Start Menu and Taskbar
Policy Setting Winning GPO
Add "Run in Separate Memory Space" check box to Run dialog box Enabled Default Domain Policy
Add Logoff to the Start Menu Enabled Default Domain Policy
Remove Default Programs link from the Start menu. Enabled Regular Office Users
Remove Music icon from Start Menu Enabled Default Domain Policy
Remove Pictures icon from Start Menu Enabled Default Domain Policy
Windows Components/NetMeeting/Audio & Video
Policy Setting Winning GPO
Prevent receiving Video Enabled Default Domain Policy
Prevent sending Video Enabled Default Domain Policy
Windows Components/Windows Messenger
Policy Setting Winning GPO
Do not allow Windows Messenger to be run Enabled Default Domain Policy
Do not automatically start Windows Messenger initially Enabled Default Domain Policy

