Group Policy Forum

Server 2003 'my documents' folder redirection not working after roaming profile error

Wed, 25 Nov 2009 18:49:11 Z

Server 2003 SP2 and all clients are XP pro SP3.
Recently encountered a problem that prevented some users roaming profiles from loading correctly. That has been resolved and all RP issues seem to be working just fine.

However, previously working redirected folders are not working for these same users. It is looking to the local drive for folders/files that are still on the server share.

I've checked all permissions and everything looks correct.

I've tried enforcing the GPO for redirected folders but it made no difference.

I've done a gpupdate /force on all the workstations with no luck.

It seems the roaming profile has just lost the redirected folders GP. I'm tempted to just stop folder redirection for these users (policy is set to return folders/files to the users local drive) and then restart folder redirection, but that will be a very large file transfer for many of these users.

Any ideas?

Thanks!

Specify Different Homepages depending on relationship to the Firewall

Mon, 16 Nov 2009 21:36:24 Z

I am an OU manager in a W2k3 AD setup within a single domain for a city government. I currently use GP to enforce our department's SharePoint portal as a homepage. The portal is not available outside the city's Firewall. Is there a way that I can configure the Group Policy for the homepage to NOT be enforced when the computer is outside the firewall? When users launch IE from outside the FW, the get an error page, since the local ISP's DNS servers have no way to get to my portal. Somebody from MS mentioned something about using sites to me last year at a conference, but I don't remember any specifics. I appreciate any suggestions.

-Darryl

SCE uninstall

Fri, 13 Nov 2009 15:46:39 Z

Hello everyone,

After an uninstall of SCE 2007 I have a policy that I just can't find. According to my report it's located in "Application Error Reporting/Corporate Error Reporting". However, when I search for it, the entire Application Error Reporting" is not listed. Any clues?

Windows firewall rule

Tue, 10 Nov 2009 14:01:15 Z

Hi,

I created a GPO for my 2 Servers that have Windows Firewall enable. Am trying to set the "Define Port Exception" in my Domain Profile GPO and it's not getting applied. What is strange is that I have other settings under the same GPO that are getting applied.

Windows 2003 SP2 DC's

Help please.

Windows XP and VPN Client

Tue, 27 Oct 2009 11:06:27 Z

We are trying to get an Windows XP SP3 client to work when it is on our network with group policy/drive mapping but when it is on an external network we would like no group policy or drive mappings. We found one web resource that said to delete the GPO registry settings on logoff or shutdown.

Have anyone ever done this and if so could you give us some direction.

deploy intermediate certificate via GPO

Wed, 25 Nov 2009 14:37:47 Z

Trying to install an intermediate certificat with Group Policy managment console and am only allowed to deploy root cersts with the wizard. Is there some place where step by step instructions exist in order to accomplish this with gpo on plain ole windows 2003 server?

intermediate certificate deployment via gpo win2k3 server

Tue, 24 Nov 2009 14:54:50 Z

We have deployed a trusted root cert with gpo on windows 2003 server. We would like to deply the intermediate certifcate in the same manner. is there an addon or othe sttep by step process that can be used to do this with GPO editor?

Wallpaper via Group Policy and Windows 7

Thu, 27 Aug 2009 13:50:21 Z

My organization has recently deployed Windows 7 Professional (RTM, VLK) to our two computer labs. Users who log onto these machines get a wallpaper that has my organizations name and logo, deployed via group policy. After the upgrade to Win7 Pro, the wallpaper does not apply correctly. I began troubleshooting whether this was a result of conflicting policies, but even after making a new user, and placing him in a test OU with only the wallpaper GPO applied, this still happens.

IE8 Group Policy not applied at logon

Wed, 25 Nov 2009 16:32:39 Z

Hi

I have a group policy with IE-specific settings. The problem I have is that the policy does not get applied at logon. It only gets applied if I run a gpupdate / force or if I make a change to the policy settings. I have had a read through this post (http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/a698c5b2-4889-487d-be49-1320901efa82) but it does not quite resolve my issue.

The Group Policy I have configured has computer settings disabled and gets applied to all users. Apart from the IE settings, this GPO also has the following setting:

User Configuration -> Administrative Templates -> System/Group Policy:-

Group Policy refresh interval for users: Enabled

I then have another group policy which has the user settings disabled and gets applied to all computers. Amongst other settings this GPO has the following options set:

Computer Configuration -> Administrative Templates -> System/Group Policy:-

Internet Explorer Maintenance policy processing: Enabled
Process even if the Group Policy objects have not changed: Enabled

Would I need to enable these computer configuration settings in the IE policy as well?

Thanks

RDP Login of domain user on vista and 2k8 fails in domain with one way trust

Fri, 20 Nov 2009 01:40:47 Z

To be honest I don't know if this is a GP issue or not But I suspect it is. I have a 2K8 domain setup with 4 DC's with a one way trust to the corp domain. (see nltest results below)
So far every vista and 2008 client that I have tried to RDP into fails with.

"The security database on the server does not have a computer account for this workstation trust relationship."

So far I have added domain users (from the domain we trust) to the remote desktop group and insured they had terminal services logon right. I have also tried adding them to the administrators group.
I have also created groups on the DC with the domain user names. Added them with FULL privledges on the computer account in the domain and then added that group to both the remote desktop users and administrators group and still RDP fails. when using the domain\user information

At this point I have had my fingers in almost every GP I can find dealing with terminal services etc so If you need me to pull additional information just let me know

I did see this FAQ
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df#_Q1:_Windows_Server
However Deleting and rejoin the domain have had no affect on any of the machines. Also running nltest /domain_trusts shows
0: XXXROOT xxxcorp.net (NT 5) (Direct Outbound) ( Attr: 0x8 )
1: ESCE.adapps.XX.com (NT 5) ( Forest Tree Root ) (Primary Domain) (Native)

GPO Best Practice (Apply Permissions to folders on Domain Controllers)

Tue, 11 Aug 2009 17:46:46 Z

Guys, I’m just looking for a bit of advice on GPO good\best practice.

I have a Windows 2003 SP2 domain. Our security people have asked us to apply various settings to the DC’s which include some of the following folders. There’s many more but this is a reasonable sample.

%systemroot%

%systemroot%\repair

%systemroot%security

%systemroot%system

%systemroot%system32

I plan to configure these settings as a GPO as we have multiple DC’s. Is it good practice to use a GPO here or should we really be applying these permissions to the folders manually?

The settings they require are around general users (i.e. Everyone, Users, Authenticated Users)

If you need any more information then please feel free to ask.

Thanks in advance.

Windows Server 2008 X64 - gpupdate takes 10min - svchost.exe (gpsvc) pid logs 8.5 million events in procmon

Wed, 25 Nov 2009 16:54:28 Z

Hello,

We've seen that on our 2008 x64 servers the svchost.exe that holds gpsvc in it takes up alot of CPU-time. Upon further investigation I saw that when it refreshes policies it holds 1 core for 10 minutes. I setup a procmon and filtered it on the pid off the gpsvc-svchost and saw that it logged 8.5 million events.

It keeps looping events where it seems to be checking history-data under "C:\ProgramData\Microsoft\Group Policy\History\<GUIDS>".

We are using GPPreferences. Has anyone seen anything like this before?

I have the .PML-file from procmon, however its 350MB zipped so I dont know how to attach it to case.

lock computers after say 30 minutes of inactivity

Wed, 25 Nov 2009 00:21:48 Z

I am new to GPO's and I need to know if there is a GPO that will lock computers (desktops) after 30 minutes of inactivity. Thank you in advance for your help.

Greg

certificate autoenrollment Settings with citrix and certificate-based authentication

Mon, 16 Nov 2009 21:06:50 Z

I have a citrix environment with a serious lag time for citrix logon. In the citrix forums (thread http://forums.citrix.com/thread.jspa?threadID=252740 ), there has been much discussion regarding the Computer Config\Windows Settings\Security Settings\Public Key Policies\Autoenrollment Settings. It appears that if that setting is edited, whether to enable or disable it, it will add significantly to the citrix logon time.

It has been demonstrated that if the policy is recreated without editing this setting, the logon time drops from 35 plus to around 10 seconds. My question is what affect would this have on certificate-based authentication for the wireless and e-mail encryption capabilities that we may be using int the future if we do not actively enable this setting?

Karon W

IE, Disable 'Automatically Detect Settings' Via GPO

Mon, 09 Nov 2009 03:10:59 Z

Hi guys,

We have recently been having a small problem with IE, whereby the 'automatically detect settings' check box will get ticked - resulting in our users not being able to traverse our proxy server.

I use the User Configuration > Policies > Windows Settings > IE Maintenance > Connection to set up our proxy settings, however I can't see an option to explicitly disable the 'automatically detect settings' check box.

Is this located somewhere else in an admin template, or am I simply missing an option that is right in front of me?

Thanks.

Glen

New Canon Plotter added to environment users can map to it but when you look at the Properties of the Plotter its showing Hewlett-Packard not canon

Tue, 24 Nov 2009 02:44:33 Z

Please forgive me if this is not the correct place to ask this but I am stumped. Here is the situation we have users that are using roaming profiles. They map to and connect to a newly installed canon IFP3000 plotter among alot of other Hewlet-Packard 8150DN printers. The Plotters reside on a separete print server than the HP printers. But when you look at the Printing Preferences of the newly mapped Plotter its says Hewlett-Packard not Canon like it should.

I had user log into another PC and map this plotter its fine you can see the correct properties of it does not have the HP printing preferences from their own PC its only from their PC. I can map it and its fine. Its only on certain HP xw6400 workstations that its not working it seems .I had this user log in and unmap ALL printers and then log out and back in and then remap the plotter same thing. So we thought it was a profile issue renamed his profile so now user is using a " clean" profile same issue on his PC. Had user log in and I opened the Registry and unmap each printer and see it is disappearing from each reg entry in HKLM/Printers.

So I am thinking its a local Registry setting that is not deleting. I reimaged this user's machine and they are fine now go figure but I have other having this issue and I do not want to have to reimage anymore PC to fix this problem. On this one PC its like after we map this plotter its not bringing the drivers for the canon and using the HP ones for some reason and I cannot tell where in the registry or in windows XP Pro SP2 I need to look.

Any Ideas where in the registry to look for a fix I have never ever seen this problem before and now its happening with another users I would rather not have to reimage and reinstall all their applications? Anyone else seen this before? Maybe if I localize this user that is having the issue then unmap ALL printers and remap then put back to roaming then restart that might fix it I am not sure the thing is its only on certain machines so i don't think its a profile issue.

Canon and HP forums not much help either

Help!!!

Windows 7: Changes in GPO user configuration only applies once (and it's not a preference setting)

Tue, 24 Nov 2009 15:56:54 Z

I'm currently trying to set up a test environment for Windows 7. I have problems with the user settings, though - the machines applies the policies OK (as far as I can can tell by running gpresult). When a user logs on for the first time, the current settings are applied. But if I make a change in the settings, for instance setting a theme, that setting won't apply unless the user profile is deleted on the PC and the user logs on again, thus recreating the profile. At that point the user profile has the new changes.

any ideas?

plug and play

Fri, 20 Nov 2009 16:43:33 Z

Ok, so this is probably an incredibly stupid question, but since i don't feel like googling for hours to find out i thought i would ask here. I am wanting to use a Blackberry device for tethering but the network is locked down so that plug and play is disabled. Is it possible that if the software/drivers are installed on the machine that i will be able to use the device or will the device itself also have to be installed by an admin? I am trying to figure a good alternative out on this one. Thanks for any help and sorry for such a newbie question!!!

802.1x Wired Auto Config / Machine authentication mode

Wed, 25 Nov 2009 00:34:15 Z

Hi All,
I am in the process of configuring 1500 machines with 802.1x authentication. We are running Windows XP SP3 on all machines.

For our test device the following needed to occur for 802.1x to authenticate successfully:

- In the Services, Wired Auto Config had to be started and set to Automatic

- In the Local Area Connection Properties (Authentication tab)

- Enable IEEE 802.1x authentication (selected)
- Choose a network authentication method: Smart card or other Certificate
- Use a certificate on this computer (Use simple certificate selection (Recommended) - selected)

However, after using the above settings still had no luck with 802.1x authentication.
The following line of code had to be inserted into the Local Area Connection XML file and then copied back to the original LAN XML file for it to work:

<authMode>machine</authMode>

Does anyone know a way in which the settings listed above:

- Wired Auto Config Service: Started and set to Automatic

- Local Area Connection properties as above

- Local Area Connection Authentication mode: Machine

Can be set via Group Policy?

Not allowing searching for people

Fri, 20 Nov 2009 14:23:13 Z

Hi all,

We run Active Directory on Windows 2003 servers with Windows XP clients. I do not want my users to be able to go to Start -> Search -> For People. Is there a group policy setting to disallow that?

Internet Explorer language settings

Fri, 20 Nov 2009 07:10:58 Z

Hi,
Can i configure Internet Explorer Language settings with group policy (version 6 or 7)
(IE - Tools - Internet Options... -Languages)

i have try to make registery based adm, but somewhy it's allways replaced on logon with
english settings, have run rsop, policy is apply okay.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International]
"AcceptLanguage"="fi"

Is that possible to configure language settings, if so, how?
Thanks for advice

Error while deploying printers to XP from 2K8 server using User Preferences (Client Side Extensions) - Error 0x8000ffff

Mon, 23 Nov 2009 01:01:52 Z

Hi All,

When trying to deploy a printer via the user preferences in a gpo the client event log has event id 4098.

Client machine is a XP SP3 machine fully patched via WSUS2 SP3. The user logging on has no local account privileges on the workstation and the Client Side Extensions are installed.

In the GPO I have a shared printer from the directory, set it as default and also tried targeting the users of the OU that the Policy is linked to.

From everything I have researched this should be a straight forward task - what am I missing ??

Cheers,

Lee.

Group Policy - Computer startup scripts- logging success and failures

Thu, 19 Nov 2009 19:54:43 Z

I am trying to creating and testing group policy software installations for .exe files. I have them running in the startup script of computer configuration in Group Policy. They are running fine. However I am wondering how I can generate a report that shows all the computers that the group policy ran on and whether or not the software installation was successful or not. I can use GPinventory for .msi file installs, which is ok but not great, but it does not show successful .exe installs. I am trying not to purchase any 3rd party software as I only need this for a few applications. Any help would be greatly appreciated.

Not able to access ADD Remove programmes in Windows Sever 2003

Fri, 20 Nov 2009 06:05:44 Z

i am not able to access add remove programmes.

The user rights are:

C:\winnt\system32\INETSRV>net user administrator

User name Administrator

Full Name

Comment Built-in account for administering the computer/domain

User's comment

Country code 000 (System Default)

Account active Yes

Account expires Never

Password last set 7/21/2009 12:16 PM

Password expires Never

Password changeable 7/23/2009 12:16 PM

Password required Yes

User may change password Yes

Workstations allowed All

Logon script

User profile

Home directory

Last logon 11/20/2009 10:05 AM

Logon hours allowed All

Local Group Memberships *Account Operators *ACSADMG

*ACSUSRG *Administrators

*AESADMG *AESUSRG

*APIOADMG *APIOUSRG

*APLOCG *APZADMG

*APZUSRG *Backup Operators

*CDHFTPUSRG *CPSUSRG

*CPUSRG *DHCP Administrators

*DnsAdmins *EVENTVIEWERG

*FMSADMG *FMSUSRG

*FTPUSRG *IIS_WPG

*MASADMG *MASUSRG

*MCSADMG *MCSUSRG

*MTS Impersonators *Pre-Windows 2000 Comp

*Replicator *SECUREADMG

*Server Operators *SGSADMG

*SGSUSRG *STSADMG

*STSUSRG *Terminal Server Licen

*Windows Authorization

Global Group memberships *Domain Admins *Group Policy Creator

*Domain Controllers *Schema Admins

*Enterprise Admins *Domain Users

The command completed successfully.

kindly Suggest.

Sunny

"other user" account picture in Windows 7

Thu, 19 Nov 2009 13:41:33 Z

hi there,

id like to force a user acc default picture for the "other user" when i change the user on the logon by clicking "other user" - the user pic frame is empty... can i change that, resp. where is the picture for the "other user" located or where should it be saved?
registry hack?

thanks - dominic

Server Core

Thu, 19 Nov 2009 12:32:56 Z

Does DC on server core support Group Policy Modeling?.
i'm running group policy modelin from a member serer via group policy management tool but getting the following error:
"The domain controller you have selected does not have the RSoP planning mode functionality available. Please select a different domain controller."

Is there a way to list local group policy settings

Sat, 21 Nov 2009 19:05:27 Z

I am helping a school implement Group Policy. Currently they lock down XP machines by using gpedit on the Local Group Policy; but they have not documented what settings they have used. This is a Windows Server 2003 AD with XP domain computers to I have downloaded the Server 2003 Group Policy Excel document and plan to open Local GP on a few workstations and checkoff what I see.
But is there a script or tool that I could run to create a txt or Excel file that has the status of Local GP settings? Or could I copy the local pol file and play it back on another computer?

GPO Settings Revert back to Original Settings after gprefresh

Thu, 19 Nov 2009 02:34:49 Z

Hello,

I am trying to update some audit settings on my default domain controllers policy. I make the changes, hit OK close the window, do a gprefesh, and they are back to what they originally were. I checked inherit settings and there are none, and no block settings. If it were a save error, I think I would get a permissions error or something to that effect.

Any suggestions?

GPO is not applying in Win 7 when the user act as a part of local admin in client machine.

Wed, 18 Nov 2009 09:05:42 Z

Hi All,

I am facing one big problem in win 7, when the user part of local admin in win 7 client the GPO is not applying. If they are not into local admin the GPO is working properly

Anyone help help me to troubleshoot this problem?

Editing the same GPO in Windows Server 2008 and Windows 7 --> confusion

Tue, 03 Nov 2009 10:49:34 Z

Hi,

I came over this while testing the BitLocker Recovery Password feature, but it is not a BitLocker-realted but a Group Policy-related question:
I have got a domain with Windows Server 2008 DCs only and Windows Vista and Windows 7 clients.

I created a Group Policy Object using GPMC on Windows Server 2008 and configured the setting "Control Panel Setup: Enable advanced startup options" to be enabled. The explanation to this setting states "Requirements: at least Windows Vista". This setting only workd for my Vista clients but not for the Windows 7 clients (although the policy definetely applied to the Windows 7 machines).

I installed RSAT on a Windows 7 machine and opened exactly the same GPO and it showed different configuration options (the ones which are new to Windows Server 2008 R2 and Windows 7). The "Require aditional authentication at startup" setting still exists but the explanation says: "Requirements: Windows 7 familiy". However, in Windows 7 RSAT I can see the changes made in Windows Server 2008 but to make the setting available for both Windows Vista and Windows 7 I have to open the GPO from both systems (or configure two GPOs)?

Is this behavior by design? Is it documented somewhere?

Kind regards,
Dagmar

Group policy lockdown for Windows Server 2008 Terminal Servers

Mon, 20 Oct 2008 11:22:53 Z

Hi,

I have a mixed Windows Server 2003/2008 environment where terminal servers exist (both 2003 and 2008 terminal servers). We would like to prevent users from being able to view the contents of the navigation pane, i.e. folders and favourite links, etc when opening the save as, open or Windows Explorer as this environment requires to be completely locked down. We would like the users accessing remote apps to only be able to navigate to their My Documents folder (redirected to their home directory) and other areas such as mapped drives, etc.

We have been able to lockdown the menus in Windows Explorer for all 2003 Terminal Servers but cannot do the same for the 2008 servers. I realise that you can remove the Navigation Pane manually by going to Organize>Layout and un-checking Navigation Pane, but is there anyway of permanently setting this so a user would be unable to re-check it? Ideally we would like to do this using Group Policy but so far have been unable to find any settings related to remove this from Windows Explorer in 2008.

The domain controller is running Windows Server 2003 Ent Edition R2 SP2 with the 2008 group policy extensions installed. One of the 2008 terminal servers has the Group Policy Management Console feature enabled and is being used to configure the group policy extensions available for the 2008 Servers.

Thanks in advance

Remove 'Network' access button from Explorer in Windows 2008 R2

Mon, 09 Nov 2009 07:03:47 Z

Good day!
We have: Windows Server 2008 R2 with "Remote Desktops" role installed. (DC is also under Windows Server 2008 R2)
We need: to remove (or disable) "Network" access button in browser in Navigation pane for a group of users with Group Policy.
We could not find such parameter in Group Policy Editor.
Can anybody help us to solve the problem?
Any help is appreciated.
P.S. If it cannot be done, please, tell us how to make computers in "Network" invisible (hide) to this group of users.

Group Policy Preference - Computer Configuration, Shortcuts

Thu, 19 Nov 2009 22:23:27 Z

I'm attempting to create a shortcut using Preferences under Computer Configuration. My target is on a share on a clustered 2008 file server. The application of the preference fails with Error suppressed. [ hr = 0x80070002 "The system cannot find the file specified." ]. When I apply the same shortcut using User configuration instead, it applies fine. I want the shortcut to apply to a group of computers rather than users, and I'd rather not use loopback. Is there something I'm missing?

Add search criteria to AD Users, Contacts and Groups search.

Wed, 11 Nov 2009 17:09:03 Z

Hello,

I need to add search criteria to the AD Users, Contacts and Groups Search Utility? I want to add an attribute to the search list (facsimileTelephoneNumber). Would this involve modifying the AD schema? We have some users that manage our AD accounts (Account Operator role status) that need to update Fax Numbers. Can someone help me with this? Thank you.

Original Question asked here:
http://social.microsoft.com/Forums/en-US/whatforum/thread/ce51f3e4-31ba-40b2-8382-404273509c14/

Remove Desktop/My Documents Link

Fri, 20 Nov 2009 22:43:59 Z

Hi Everyone,

Could you please advise whether a GPO exists to remove the shortcuts to the Desktop and My Documents links when you are in a File-Open or File-Save screen?

Thanks,
D

Group Policy Object Help

Wed, 18 Nov 2009 13:46:57 Z

Hello. The company I work for has decided that all workstations and users must use the company logo as their desktop background. Rather than do this manually...which is a LOT of users I have tried to define this via GPO. We are running Windows Server 2000 and the client machines are Windows XP Pro. I have specified in the domain default GPO that 1) Active desktop is enabled 2) users are prevented from making changes 3) specified the path of the relevant file and made certain that this path is accessible to client machines. In this case \\server-name\desktops\logo.bmp but there appears to be no change in any of the desktop settings.

I have done numerous restarts and gpupdate /force and the nothing seems to be working. Gpresult seems to suggest that everything is working as intended. I've run out of ideas to try to get the image to display. I am not even getting a blank desktop with no image, just whatever background the user has set. If it would be helpful, I could provide screen shots of my GPO settings to see if I've done something wrong and not picked up on it.

Thanks,
Fraser

Group policy resetting

Sun, 22 Nov 2009 01:09:18 Z

is there a way to take a hard drive out of a 2000 server and delete a file or folder to force a reset for all group policy's i have all the privilages of administratoradministrator to run and install but i disabled scripting and access to the gp editting also i have taken this out of the domain

Folder Redirection and Offline folders

Mon, 16 Nov 2009 16:07:41 Z

I am running a 2003 Native Active Directory with all XP SP 3 clients.

I have setup folder redirection for just the My Documents folder. Which is working fine. I have also setup offline folder sync so the users can access files while offline.

The problem is when a user who is setup for folder redirection, which includes offline folder sync, logs into a computer that isn't there "main" computer, the sync happens. So, I am looking for a way to limit just the offline sync to happen on either the users "main" computer or at least a group of computers.

Thanks, Chris

network path not found

Fri, 20 Nov 2009 14:34:27 Z

you might not have permissions to access this network resource.contact the administrator

vittal reddy

Blocking ICMP can affect the Group Policy Implementation...

Fri, 20 Nov 2009 14:43:29 Z

Good day guys,

     Any explanation, information and some links that blocking ICMP (ping command) from some firewall which is not to ping the A.D. Domain Controller where the Group Policy Settings resides for all clients computers?

     Any experience and information and related links that will discuss, and requirements is highly appreciated.

     Thank you guys...