Search Results

Search found 252 results on 11 pages for 'gpo'.

Page 4/11 | < Previous Page | 1 2 3 4 5 6 7 8 9 10 11  | Next Page >

• Add site to trusted sites through GPO

  - by Matt Bear

  I need to add a site to trusted sites on all computers in my domain. I can do it with the "site to zone assignment list", however when I do, it locks trusted sites on the client computer "this setting is managed by your administrator". What I need is a way to add the site, make it persistant, and not affects the users ability to add trusted sites of thier own. (It's a development enviroment, sites are created and tested regularly, they need that ability.)

  Read the article

• GPO result test

  - by George

  Running gpresult,from computer policy we are getting computer components access denied. We try : nslookup %USERDNSDOMAIN% net view %USERDNSDOMAIN% cd \%USERDNSDOMAIN%\SYSVOL\%USERDNSDOMAIN%\ and check file permissions in folders: Policies and scripts delete registry key: reg delete HKLM\SOFTWARE\Policies /f reg delete HKCU\Software\Policies /f delete folder: RD /S /Q %windir%\System32\GroupPolicy

  Read the article

• How to add a startup/shutdown script to the GPO from the command line

  - by thomasjames

  I need to add startup and shutdown scripts from a CLI through a Powershell/Python/CMD script. Ideally, I would like to have the same functionality as gpedit.msc, but it is important that the tasks of adding and removing such scripts do not require user interaction and can be done entirely within the context of a script. Currently, the scripts here seem to be in the same category, but none of them explicitly address editing startup and shutdown scripts: http://msdn.microsoft.com/en-us/library/aa814151(v=vs.85).aspx Let me know if anyone has any ideas and thanks in advance.

  Read the article

• Active Directoy GPO

  - by Phillip R.

  I am looking into some weird issues with active directory and group policy. This domain has been upgraded from windows NT and has a few different administrators over the years. I am looking through the Default Domain group policy and Default Domain Controller group policy. In the security areas and I will use the log on locally area as an example, it shows SIDes that begin with asterisks and are quite long they look sort of like the following *S-1-5-21-787626... Normally, when I see something like this I would think that the User account was no longer there and this was never cleaned up. Am I wrong in my assumption? Thanks in advance

  Read the article

• Make C# application Group Policy aware

  - by Stefan Koell

  I want to make my app GPO aware. I know that it's basically just reading from a specific registry path but I still have some questions: How do I detect GPO refreshes? There's RegisterGPNotification here: http://msdn.microsoft.com/en-us/library/aa374404(VS.85).aspx but is there anything ready baked for C# out there or at Microsoft? What's considered best practice: is the machine policy stronger than the user policy or is the user policy overruling the machine policy? Anyone, who wants to share some experience in that area? Thanks, Stefan

  Read the article

• Active Directory Password Policy Problem

  - by Will

  To Clarify: my question is why isn't my password policy applying to people in the domain. Hey guys, having trouble with our password policy in Active Directory. Sometimes it just helps me to type out what I’m seeing It appears to not be applying properly across the board. I am new to this environment and AD in general but I think I have a general grasp of what should be going on. It’s a pretty simple AD setup without too many Group Policies being applied. It looks something like this DOMAIN Default Domain Policy (link enabled) Password Policy (link enabled and enforce) Personal OU Force Password Change (completely empty nothing in this GPO) IT OU Lockout Policy (link enabled and enforced) CS OU Lockout Policy Accouting OU Lockout Policy The password policy and default domain policy both define the same things under Computer ConfigWindows seetings sec settings Account Policies / Password Policy Enforce password History : 24 passwords remembered Maximum Password age : 180 days Min password age: 14 days Minimum Password Length: 6 characters Password must meet complexity requirements: Enabled Store Passwords using reversible encryption: Disabled Account Policies / Account Lockout Policy Account Lockout Duration 10080 Minutes Account Lockout Threshold: 5 invalid login attempts Reset Account Lockout Counter after : 30 minutes IT lockout This just sets the screen saver settings to lock computers when the user is Idle. After running Group Policy modeling it seems like the password policy and default domain policy is getting applied to everyone. Here is the results of group policy modeling on MO-BLANCKM using the mblanck account, as you can see the policies are both being applied , with nothing important being denied Group Policy Results NCLGS\mblanck on NCLGS\MO-BLANCKM Data collected on: 12/29/2010 11:29:44 AM Summary Computer Configuration Summary General Computer name NCLGS\MO-BLANCKM Domain NCLGS.local Site Default-First-Site-Name Last time Group Policy was processed 12/29/2010 10:17:58 AM Group Policy Objects Applied GPOs Name Link Location Revision Default Domain Policy NCLGS.local AD (15), Sysvol (15) WSUS-52010 NCLGS.local/WSUS/Clients AD (54), Sysvol (54) Password Policy NCLGS.local AD (58), Sysvol (58) Denied GPOs Name Link Location Reason Denied Local Group Policy Local Empty Security Group Membership when Group Policy was applied BUILTIN\Administrators Everyone S-1-5-21-507921405-1326574676-682003330-1003 BUILTIN\Users NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NCLGS\MO-BLANCKM$ NCLGS\Admin-ComputerAccounts-GP NCLGS\Domain Computers WMI Filters Name Value Reference GPO(s) None Component Status Component Name Status Last Process Time Group Policy Infrastructure Success 12/29/2010 10:17:59 AM EFS recovery Success (no data) 10/28/2010 9:10:34 AM Registry Success 10/28/2010 9:10:32 AM Security Success 10/28/2010 9:10:34 AM User Configuration Summary General User name NCLGS\mblanck Domain NCLGS.local Last time Group Policy was processed 12/29/2010 11:28:56 AM Group Policy Objects Applied GPOs Name Link Location Revision Default Domain Policy NCLGS.local AD (7), Sysvol (7) IT-Lockout NCLGS.local/Personal/CS AD (11), Sysvol (11) Password Policy NCLGS.local AD (5), Sysvol (5) Denied GPOs Name Link Location Reason Denied Local Group Policy Local Empty Force Password Change NCLGS.local/Personal Empty Security Group Membership when Group Policy was applied NCLGS\Domain Users Everyone BUILTIN\Administrators BUILTIN\Users NT AUTHORITY\INTERACTIVE NT AUTHORITY\Authenticated Users LOCAL NCLGS\MissingSkidEmail NCLGS\Customer_Service NCLGS\Email_Archive NCLGS\Job Ticket Users NCLGS\Office Staff NCLGS\CUSTOMER SERVI-1 NCLGS\Prestige_Jobs_Email NCLGS\Telecommuters NCLGS\Everyone - NCL WMI Filters Name Value Reference GPO(s) None Component Status Component Name Status Last Process Time Group Policy Infrastructure Success 12/29/2010 11:28:56 AM Registry Success 12/20/2010 12:05:51 PM Scripts Success 10/13/2010 10:38:40 AM Computer Configuration Windows Settings Security Settings Account Policies/Password Policy Policy Setting Winning GPO Enforce password history 24 passwords remembered Password Policy Maximum password age 180 days Password Policy Minimum password age 14 days Password Policy Minimum password length 6 characters Password Policy Password must meet complexity requirements Enabled Password Policy Store passwords using reversible encryption Disabled Password Policy Account Policies/Account Lockout Policy Policy Setting Winning GPO Account lockout duration 10080 minutes Password Policy Account lockout threshold 5 invalid logon attempts Password Policy Reset account lockout counter after 30 minutes Password Policy Local Policies/Security Options Network Security Policy Setting Winning GPO Network security: Force logoff when logon hours expire Enabled Default Domain Policy Public Key Policies/Autoenrollment Settings Policy Setting Winning GPO Enroll certificates automatically Enabled [Default setting] Renew expired certificates, update pending certificates, and remove revoked certificates Disabled Update certificates that use certificate templates Disabled Public Key Policies/Encrypting File System Properties Winning GPO [Default setting] Policy Setting Allow users to encrypt files using Encrypting File System (EFS) Enabled Certificates Issued To Issued By Expiration Date Intended Purposes Winning GPO SBurns SBurns 12/13/2007 5:24:30 PM File Recovery Default Domain Policy For additional information about individual settings, launch Group Policy Object Editor. Public Key Policies/Trusted Root Certification Authorities Properties Winning GPO [Default setting] Policy Setting Allow users to select new root certification authorities (CAs) to trust Enabled Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only Administrative Templates Windows Components/Windows Update Policy Setting Winning GPO Allow Automatic Updates immediate installation Enabled WSUS-52010 Allow non-administrators to receive update notifications Enabled WSUS-52010 Automatic Updates detection frequency Enabled WSUS-52010 Check for updates at the following interval (hours): 1 Policy Setting Winning GPO Configure Automatic Updates Enabled WSUS-52010 Configure automatic updating: 4 - Auto download and schedule the install The following settings are only required and applicable if 4 is selected. Scheduled install day: 0 - Every day Scheduled install time: 03:00 Policy Setting Winning GPO No auto-restart with logged on users for scheduled automatic updates installations Disabled WSUS-52010 Re-prompt for restart with scheduled installations Enabled WSUS-52010 Wait the following period before prompting again with a scheduled restart (minutes): 30 Policy Setting Winning GPO Reschedule Automatic Updates scheduled installations Enabled WSUS-52010 Wait after system startup (minutes): 1 Policy Setting Winning GPO Specify intranet Microsoft update service location Enabled WSUS-52010 Set the intranet update service for detecting updates: http://lavender Set the intranet statistics server: http://lavender (example: http://IntranetUpd01) User Configuration Administrative Templates Control Panel/Display Policy Setting Winning GPO Hide Screen Saver tab Enabled IT-Lockout Password protect the screen saver Enabled IT-Lockout Screen Saver Enabled IT-Lockout Screen Saver executable name Enabled IT-Lockout Screen Saver executable name sstext3d.scr Policy Setting Winning GPO Screen Saver timeout Enabled IT-Lockout Number of seconds to wait to enable the Screen Saver Seconds: 1800 System/Power Management Policy Setting Winning GPO Prompt for password on resume from hibernate / suspend Enabled IT-Lockout

  Read the article

• Active Directory Restricted Group confusion

  - by pepoluan

  I am trying to implement Restricted Group policy for my company's AD infrastructure, namely standardizing the local "Administrators" group. The documentation (and various webpages) said that the "Members of this group" policy will wipe out the "Administrators" group. However, an experiment made me confused: I created 2 GPOs: GPO-A replaces the Local Administrators with a list of domain users (e.g., "Alice" and "Bob") GPO-B inserts a domain user (e.g., "Charlie" -- not part of GPO A) into the Local Administrators Experiment 1: GPO-A gets applied first (link order 2) Everything happens as expected: GPO-A cleans out Local Admins and add "Alice" & "Bob" gets added; GPO-B adds "Charlie". Experiment 2: GPO-B is applied first What happens: "Charlie" gets added to the Local Admins group (which also contains 2 local users) The local users on the PC gets deleted, and "Alice" and "Bob" gets added. Result: Local Admins contain "Alice", "Bob", and "Charlie" My confusion: In Experiment 2, I thought GPO-A will totally erase the Local Admins group, including users added by GPO-B (since GPO-A gets applied after GPO-B). As it happens, it only erase local users from the Local Admins, but keeps the domain users. So, is that the way it should be? Or am I doing something incorrectly?

  Read the article

• Deploy .net 4 via Acrive Directory group policy or WSUS

  - by Terence Johnson

  Is there a way to automatically deploy .net 4 using Active Directory group policy or WSUS? I want to push it out to lots of machines without having to go around to each one. Background: I have a VSTO ClickOnce application I want to deploy to non-admin users, but it uses .net 4, which won't install without admin rights, so ClickOnce fails for non-admins unless .net 4 is already installed.

  Read the article

• Active Directory Group Policy: Script Errors

  - by ToreTrygg

  Hello all. Anyone having issues with AD group policy script errors when enabling VMware Fusion's "Sharing" feature? I've run into this problem in version 2.0 and 3.0. I have a logon script applied on an AD OU. It works fine on all Windows client workstations and in VMware Fusion only when the "Sharing" feature is NOT enabled. Any ideas would be much appreciated. Thanks.

  Read the article

• Change Win7 desktop background via Win2k3 Group Policy

  - by microchasm

  I'm experiencing some strange behavior: I have set the following policies: User Configuration\Administrative templates\Desktop\Active Desktop Enable active desktop [enabled] Active Desktop Wallpaper [set to local path -- quadruple checked; path is correct] Allow only bitmap wallpaper [disabled] gpupdate /force, log out, log back in, and the background is just black. If I go into themes, and select Windows 7, the appointed background then shows (it also flashes when logging out). gpresult I've tried: http://social.technet.microsoft.com/Forums/en/winserverGP/thread/a1ebfe81-421e-4630-8c1f-8068222ee533 http://support.microsoft.com/default.aspx?scid=kb;EN-US;977944 http://social.technet.microsoft.com/Forums/en/w7itproui/thread/5b9e513a-d504-451d-a121-b4f94893d96d and a few other things, but nothing seems to be working :/ Thanks for any help/tips/advice.

  Read the article

• Task Scheduler : Logon as Batch Job Rights

  - by Brohan

  I'm trying to set up a scheduled task which will work under the Network Administrators account, whether the account is logged in or not (on a specificed computer) According to the Task Scheduler, I need 'Logon as batch job rights'. Attempting to change this setting in the Local Security Policy window has it the option to add the Administrator account to the groups greyed out. Currently, only LOCAL_SERVICE may Logon as Batch job. Attempting to add administrator to this group hasn't worked. How do I make it able to set this permission so that I can run tasks if I'm logged in or not?

  Read the article

• Installing Office 2010 through group policy without an msi

  - by Ri Caragol

  I have been breaking my head for several days now trying to install Microsoft office 2010 through group policy. Unfortunately Microsoft decided it would be fun to release office without an MSI and so I either Need to create an msi for it or Need to install it through a logon script that would run the setup.exe from a network location. Any advise would be greatlly appreciated. I tried to create a script but even though I double click it and it runs properly, it does not seem to kick in when users log in or when the machine is turned on. Also is there an easy way to create an msi?

  Read the article

• custom adm file for IE search providers on Windows 2003

  - by filipv

  Hi, I have been stumped by this issue for some time, I created a custom ADM template for a customer to populate the search providers in Internet Explorer 7 and 8. The custom ADM works fine and I have set 3 search providers, the problem is that I cannot change them (the customer wants to change the entry for wikipedia from EN to NL), I edited the ADM file but the clients seem to keep on using the old settings. Removing/replacing the adm file has no effect either, the settings remain. I used the following article as a base: http://support.microsoft.com/kb/918238 For IE8 you need to work with a name instead of a UID for the default entry, that works as expected. but there seems to be no way to change the setting once in place.

  Read the article

• Remote running program from server

  - by Armen Khachatryan

  Hello, I have Windows serrver 2008 and more computers in it domain. all i need is to run program from server in all comps , for example install kaspersky for all comps. can i do it? thanks

  Read the article

• Which GPO is making my Domain Controller my clients' DNS server?

  - by Harry Muscle

  I maintain a small domain (about 20 clients) and we need to make some changes to the DNS server that's being used by the clients. All the clients have been hard coded to use the domain controller as their DNS. Since these are new machines, and I never changed their DNS settings, I'm guessing there must be a GPO that's causing them to use the domain controller as their DNS. Since we don't have any GPO other than the default one yet, it's got to be the default GPO, however, I have looked through all the GPO settings and none of them refer to anything related to DNS. So I'm wondering if there's anything else that might be causing this. Any help or advice is highly appreciated. Thanks, Harry

  Read the article

• Time until Members added to Group Policy is Replicated

  - by Kyle Brandt

  If I have a group policy, and add a group/user/machine etc to that group policy, how long is it until all domain controllers have that change in effect? This is a Windows 2003 Domain set up with controllers at different geographic locations (Each with a different L3 network). I realize it probably depends, but how do I figure out how long it generally takes for my given setup? Also, is there an event I can check to see if it has a reached a particular domain controller?

  Read the article

• Group Policy dealing with IE zone assignment not sticking!

  - by Brandon

  I have a group policy (which ONLY deals with the zone assignment) -that is continually switching on and off with reboots. I thought it was a conflicting group policy but when I run group policy modeling report it doesn't show any descrepancies that I can see. I thought it may be an issue with one domain controller wasn't replicating my policy change to the other one, but this isn't the case. I checked both domain controllers and they show the same information. The assignment is on a user basis and is in: user configuration > administrative templates > windows components > internet explorer > internet control panel > security and is site to zone assignment.

  Read the article

• GPO refresh error - Policy Refresh has not completed in the expected time. Exiting...

  - by Albert Widjaja

  Hi All, I'm having problem with my GPO changes, that I'd like to force to my terminal server users here's what I've done: I've made some necessary changes in one of the Domain Controllers to disable the GPO which applies to my Terminal Server user OU and then I go to the Terminal Server mstsc /admin console to perform the GPo refresh by using /force parameter, however I got this error instead: C:\Documents and Settings\Adminisratorgpupdate /force Refreshing Policy... User Policy Refresh has not completed in the expected time. Exiting... User Policy Refresh has completed. Computer Policy Refresh has not completed in the expected time. Exiting... Computer Policy Refresh has completed. but then the changes still got no effect yet as I logged in to the terminal server ? is there any way of how to make it in effect immediately please ? Thanks

  Read the article

• Configuring only one Internet Explorer zone (IntranetZone) thru GPO without affecting other zones?

  - by MadBoy

  I need to deploy some trusted intranet sites into Intranet Zone in Internet Explorer. It works fine when using GPO at: Setting Path: Computer Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page Supported On: At least Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 Problem is this settings also affect other zones making it impossible for people in company to add sites to other zones themselves. Is there a way to fix this so that Intranet Zone is deployed thru GPO and rest of settings stay in gesture of users?

  Read the article

• How do I set a service startup type to be 'Automatic (delayed)' using GPO?

  - by growse

  A Windows service has 4 different startup types that can be configured: Automatic, Automatic (delayed), Manual and Disabled. I have a service running on a combination of Windows 7 and Server 2008 R2 Desktops that I need to set as 'Automatic (delayed)' using a GPO setting, but from what I can see in the GPO editor, the delayed option is missing: Have I missed something obvious, or is this a rather basic omission from Microsoft?

  Read the article

• Why does a group policy not applied to the domain administrator account?

  - by Saariko

  I have a working policy on my entire domain. I just found out, when logging with the domain administrator, that this policy is not applied (EDIT: Running : gpresult shows that the GPO's are applied - but, this GPO is for Drive Mappings, and the actual drive mappings are NOT shown) The administrator account - does not have any login script on his profile tab. My GPO's are mainly small/atomic settings: single GPO to handle each settings: UAC, Firewall, printers. GPO status for the object is enabled That's an overview of the Drive Maps: Reading on MS support site, I checked the delegation tab, and it is marked as applied to domain and enterprise admins. Every user gets these policies correctly. The OU that is set is the root of the domain. (for testing purpose - I did that to eliminate hierarchy issues - did not help) Block Inheritance is disabled. (never used it anyway) GPO link GPO Security Filterings

  Read the article

• How to disable Tcp/Ip settings in windows 7 via GPO?

  - by Akash Kava

  I have enabled following policies, "Prohibit TCP/IP advanced connection" "Prohibit access to properties of components of a LAN connection" "Enable Windows 2000 Network Connections setings for Administrators" after doing all these, all machines running windows xp, 2000 and vista have network settings properties button disabled as expected. However all machines running windows 7 have no effect, I believe there are few more steps, all Windows 7 machines are on domain and we want to control this via Domain Controler's GPO. Please let me know, what I need to do to have Windows 7 disable the properties of network connection, I am not network expert, I read few articles about what new has been added in GPO of windows 7 but I am blank. Everything works fine on Windows XP, Vista, 2003 Server. Only Windows 7 is a problem.

  Read the article

• Why are group policy preference drive mappings not applied to the domain administrator account?

  - by Saariko

  I have a working policy on my entire domain. I just found out, when logging with the domain administrator, that this policy is not applied (EDIT: Running : gpresult shows that the GPO's are applied - but, this GPO is for Drive Mappings, and the actual drive mappings are NOT shown) The administrator account - does not have any login script on his profile tab. To note: The mappings were applied before the GPO with a login script using the : net use ... command - all was working perfectly and correctly for the domain administrator user as well - That removes sharing and security problem (IMO) My GPO's are mainly small/atomic settings: single GPO to handle each settings: UAC, Firewall, printers. GPO status for the object is enabled That's an overview of the Drive Maps: Reading on MS support site, I checked the delegation tab, and it is marked as applied to domain and enterprise admins. Every user gets these policies correctly. The OU that is set is the root of the domain. (for testing purpose - I did that to eliminate hierarchy issues - did not help) Block Inheritance is disabled. (never used it anyway) GPO link GPO Security Filterings

  Read the article

• "log on as a batch job" user rights removed by what GPO?

  - by LarsH

  I am not much of a server administrator, but get my feet wet when I have to. Right now I'm running some COTS software on a Windows 2008 Server machine. The software installer creates a few user accounts for running its processes, and then gives those users the right to "log on as a batch job". Every so often (e.g. yesterday at 2:52pm and this morning at 7:50am), those rights disappear. The software then stops working. I can verify that the user rights are gone by using secedit /export /cfg e:\temp\uraExp.inf /areas USER_RIGHTS and I have a script that does this every 30 seconds and logs the results with a timestamp, so I know when the rights disappear. What I see from the export is that in the "good" state, i.e. after I install the software and it's working correctly, the line for SeBatchLogonRight from the secedit export includes the user accounts created by the software. But every few hours (sometimes more), those user accounts are removed from that line. The same thing can be seen by using the GUI tool Local Security Policy > Security Settings > Local Policies > User Rights Assignment > Log on as a batch job: in the "good" state, that policy includes the needed user accounts, and in the bad state, the policy does not. Based on the above-mentioned logging script and the timestamps at which the user rights are being removed, I can see clearly that some GPOs are causing the change. The GPO Operational log shows GPOs being processed at exactly the right times. E.g.: Starting Registry Extension Processing. List of applicable GPOs: (Changes were detected.) Local Group Policy I have run GPOs on demand using gpupdate /force, and was able to verify that this caused the User Rights to be removed. We have looked over local group policies till our eyes are crossed, trying to figure out which one might be stripping these User Rights to "log on as a batch job." We have not configured any local group policies on this machine, that we know of; so is there a default local group policy that might typically do such a thing? Are there typical domain policies that would do this? I have been working with our IT staff colleagues to troubleshoot the problem, but none of them are really GPO experts... They wear many hats, and they do what they need to do in order to keep most things running. Any suggestions would be greatly appreciated!

  Read the article

• Update Windows Defender schedule via command line or gpo?

  - by Zenox

  I'm looking to find a way to update some Windows Defender settings via command line, gpo etc. From my research it looks like windows defender creates a hidden scheduled task named 'MP Scheduled Scan', but modifying this task does not seem to make a difference as to what shows up in the Windows Defender UI. I have also done some process monitoring to see what data Windows Defender uses and I can see that it reads/writes to the 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Scan' ScheduleDay key, but if I attempt to modify this key, I get an "Error Writing the new values contents" error message.

  Read the article

< Previous Page | 1 2 3 4 5 6 7 8 9 10 11  | Next Page >