Apply Group Policy to external clients
Is it possible to apply GPOs to clients on external networks, such as their own personal networks? I'm looking at solutions such as authenticating them through a proxy on the perimeter network so that they are pushed to the Domain Controller to force these policies.
As it stands, the clients use a VPN client to gain access to the corporate network, and I know that group policy will use the Network Location Service to detect the Domain Controller, but the VPN connection is not mandatory and must be established by the client. If this connection is not required for their job, they may never connect and not get updated GPOs.
Hi,
I agree with Joseph. Unlike many traditional VPN connections, which must be initiated and terminated by explicit user action, DirectAccess connections are designed to connect automatically as soon as the computer connects to the Internet.
Regarding DirectAccess, the following articles can be referred to for more information.
Using DirectAccess
http://technet.microsoft.com/en-in/windows/dn168168.aspx
Windows Server 2012 Direct Access – Part 1 What’s New
http://blogs.technet.com/b/meamcs/archive/2012/05/03/windows-server-2012-direct-access-part-1-what-s-new.aspx
In addition, since this question mainly focuses on networking, in order to get more and better help, we can also ask for suggestions in the following forum.
Network Access Protection
https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverNAP
Best regards,
Frank Shen
Similar Messages
-
Servers take an endless time at applying group policy settings
We have some Windows 2008R2 RDS servers that have been given a sysprepped image. After a few days in production, and several nightly reboots, the servers start to hang at applying group policy settings. I have created a gpsvc.log file. What can be wrong with these servers?
When I reboot the server without a network connection, the reboot time is fine. The user login still takes forever.
GPSVC(fc.4ec) 08:38:21:227 MachinePolicyCallback: Setting status UI to Beleid Group Policy Services toepassen...
GPSVC(fc.4ec) 08:38:21:227 ProcessGPOList: No changes. CSE will not be passed in the IwbemServices intf ptr
GPSVC(fc.1a4) 08:38:21:227 Message Status = <Beleid Group Policy Services toepassen...>
GPSVC(fc.1a4) 08:38:21:227 Setting GPsession state = 1
GPSVC(fc.5b4) 08:38:21:820 ProcessGroupPolicyCompletedExInternal: Entering. Extension = {827D319E-6EAC-11D2-A4EA-00C04F79F83A}, dwStatus = 0x0
GPSVC(fc.5b4) 08:38:21:867 GetWbemServices: CoCreateInstance succeeded
GPSVC(fc.4ec) 08:38:22:475 ProcessGroupPolicyCompletedExInternal: Entering. Extension = {91FBB303-0CD5-4055-BF42-E512A681B325}, dwStatus = 0x0
GPSVC(fc.4ec) 08:38:22:491 GetWbemServices: CoCreateInstance succeeded
GPSVC(5dc.5e0) 08:38:24:285 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x2a0
GPSVC(5dc.5e0) 08:38:24:285 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1b0) 08:38:24:285 Target = Machine
GPSVC(5dc.5e0) 08:38:24:285 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(5dc.5e0) 08:38:24:285 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(fc.1b0) 08:38:24:285 Target = Machine, ChangeNumber 0
GPSVC(5dc.5e0) 08:38:24:285 CGPNotify::RegisterForNotification: Entering with target S-1-5-18 and event 0x3d4
GPSVC(5dc.5e0) 08:38:24:285 Client_InitialRegisterForNotification: User = S-1-5-18, changenumber = 0
GPSVC(fc.1b0) 08:38:24:285 Target = S-1-5-18
GPSVC(fc.1b0) 08:38:24:285 Could not find user by sid, finding user by session id
GPSVC(fc.1b0) 08:38:24:285 Caller requesting for user notification/lock is from session 0
GPSVC(5dc.5e0) 08:38:24:285 Client_RegisterForNotification: User = S-1-5-18, changenumber = 0
GPSVC(5dc.5e0) 08:38:24:285 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(fc.1b0) 08:38:24:285 Could not find user by sid, finding user by session id
GPSVC(fc.1b0) 08:38:24:285 Caller requesting for user notification/lock is from session 0
GPSVC(62c.64c) 08:38:25:330 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x1d4
GPSVC(62c.64c) 08:38:25:330 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1b0) 08:38:25:330 Target = Machine
GPSVC(62c.64c) 08:38:25:330 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(62c.64c) 08:38:25:330 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(298.2c0) 08:38:28:310 CGPNotify::RegisterForNotification: Entering with target Machine and event 0xab0
GPSVC(298.2c0) 08:38:28:310 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1b0) 08:38:28:310 Target = Machine
GPSVC(298.2c0) 08:38:28:310 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(298.2c0) 08:38:28:310 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(fc.1b0) 08:38:28:310 Target = Machine, ChangeNumber 0
GPSVC(fc.7c0) 08:38:39:401 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x93c
GPSVC(fc.7c0) 08:38:39:401 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.95c) 08:38:39:401 Target = Machine
GPSVC(fc.7c0) 08:38:39:401 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.7c0) 08:38:39:401 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(fc.95c) 08:38:39:401 Target = Machine, ChangeNumber 0
GPSVC(53c.580) 08:40:20:755 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x608
GPSVC(53c.580) 08:40:20:755 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1c4) 08:40:20:755 Target = Machine
GPSVC(53c.580) 08:40:20:755 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(53c.580) 08:40:20:755 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(53c.580) 08:40:21:098 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x64c
GPSVC(53c.580) 08:40:21:098 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1c4) 08:40:21:113 Target = Machine
GPSVC(53c.580) 08:40:21:113 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(53c.580) 08:40:21:113 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(53c.564) 08:40:21:238 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x67c
GPSVC(53c.564) 08:40:21:238 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1c4) 08:40:21:238 Target = Machine
GPSVC(53c.564) 08:40:21:238 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(53c.564) 08:40:21:238 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(200.f6c) 08:41:11:501 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x350
GPSVC(200.f6c) 08:41:11:501 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1c4) 08:41:11:501 Target = Machine
GPSVC(200.f6c) 08:41:11:501 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(200.f6c) 08:41:11:501 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(fc.1c4) 08:41:11:891 Target = Machine
GPSVC(fc.1c4) 08:41:11:891 Target = Machine, ChangeNumber 0
GPSVC(fc.7d0) 08:41:11:985 Target = Machine
GPSVC(fc.7d0) 08:41:11:985 Target = Machine, ChangeNumber 0
GPSVC(fc.7d0) 08:41:11:985 Sid = (null), dwTimeout = 600000, dwFlags = 268435456
GPSVC(fc.7d0) 08:41:11:985 LockPolicySection called for user <Machine>
GPSVC(fc.7d0) 08:41:11:985 Async Lock called
GPSVC(fc.7d0) 08:41:11:985 Reader has to wait for lock. ReaderID : 1.
GPSVC(fc.7d0) 08:41:11:985 Registering wait for lock notification
GPSVC(fc.9d8) 08:41:13:015 CGPNotify::RegisterForNotification: Entering with target Machine and event 0xcbc
GPSVC(fc.9d8) 08:41:13:015 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.7d0) 08:41:13:015 Target = Machine
GPSVC(fc.9d8) 08:41:13:015 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.9d8) 08:41:13:015 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(fc.9d8) 08:41:13:015 CGPNotify::RegisterForNotification: Entering with target Machine and event 0xd24
GPSVC(fc.9d8) 08:41:13:015 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.7d0) 08:41:13:015 Target = Machine
GPSVC(fc.9d8) 08:41:13:015 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.9d8) 08:41:13:015 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(200.1060) 08:43:10:223 CGPNotify::UnregisterNotification: Entering with event 0x350
GPSVC(200.1060) 08:43:10:223 CGPNotify::AbortAsyncRegistration: No asyn registration is pending
GPSVC(200.1060) 08:43:10:223 CGPNotify::UnregisterNotification: Canceling pending calls
GPSVC(200.1060) 08:43:10:223 Client_CompleteNotificationCall: failed with 0x71a
GPSVC(200.1060) 08:43:10:223 CGPNotify::UnregisterNotification: Cancelled pending calls
GPSVC(200.1060) 08:43:10:223 CGPNotify::UnregisterNotification: Exiting with dwStatus = 0x0
GPSVC(fc.1054) 08:43:16:252 Target = Machine
GPSVC(fc.1054) 08:43:16:252 Target = Machine, ChangeNumber 0
GPSVC(fc.1138) 08:43:24:188 CGPNotify::RegisterForNotification: Entering with target Machine and event 0xeac
GPSVC(fc.1138) 08:43:24:188 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.7d0) 08:43:24:188 Target = Machine
GPSVC(fc.1138) 08:43:24:188 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1138) 08:43:24:188 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(fc.1054) 08:43:29:418 Target = Machine
GPSVC(fc.1054) 08:43:29:418 Target = Machine, ChangeNumber 0
GPSVC(fc.1054) 08:43:50:304 Target = Machine
GPSVC(fc.1054) 08:43:50:304 Target = Machine, ChangeNumber 0
GPSVC(fc.1374) 08:51:06:327 Found the Waiting Rpc Reader in the waiting list. Removing it...
GPSVC(fc.1374) 08:51:06:327 Lock timeout
Gert MCITP SA, EA & VA
Hi,
From the log you submitted, I found the following errors:
GPSVC(f0.13fc) 03:00:18:665 Client_CompleteNotificationCall: failed with 0x525
GPSVC(2f0.baf4) 03:00:18:665 CGPNotify::OnNotificationTriggered: Completenotification failed with 1317
GPSVC(518.e980) 03:00:18:665 Client_CompleteNotificationCall: failed with 0x6ba
GPSVC(f0.13fc) 03:00:18:665 CGPNotify::OnNotificationTriggered: Trying to recover from error 1722
GPSVC(518.e980) 03:00:18:665 CGPNotify::RegisterNotificationAsynchronously: Starting async registration
GPSVC(3b8.3e0) 03:04:19:034 Client_RegisterForNotification: CheckRegisterForNotification returned error 0x6d9
GPSVC(3b8.3e0) 03:04:19:034 CGPNotify::RegisterForNotification: Service not RUNNING. waiting
GPSVC(3b8.3e0) 03:04:19:034 CGPNotify::RegisterForNotification: Trying to recover from error 1753
GPSVC(3b8.3e0) 03:04:19:034 CGPNotify::RegisterNotificationAsynchronously: Starting async registration
GPSVC(100.4c8) 03:05:07:753 ProcessGPOs: OpenThreadToken failed with error 1008, assuming thread is not impersonating
GPSVC(100.13f4) 07:54:09:864 GetOldSidString: Failed to open profile profile guid key with error 2
GPSVC(658.2354) 09:52:41:726 Client_ProcessRefresh: ProcessRefresh returned error 0x5b4
GPSVC(658.2354) 09:52:41:726 GetGPOList: Client_ProcessRefresh failed with 0x5b4.
GPSVC(658.2354) 09:52:41:726 Exiting RefreshPolicyForPrincipal with status = 1460
GPSVC(100.1a7c) 10:48:26:711 CGPAdminEventInitFailure::Initialize(): FormatMessage failed to look up error code (0x4005) due to error 317. Can not log error description.
GPSVC(100.219c) 10:48:26:711 ProcessGPOList: Extension Internet Explorer Branding was not able to log data. Error = 0x80004005, dwRet = 1252,leaving the log dirty
GPSVC(100.19b4) 10:48:27:491 ProcessGPOList: Extension Internet Explorer Branding was not able to log data. Error = 0x80004005, dwRet = 1252,leaving the log dirty
1. Please try renaming the files in the folder c:\windows\system32\GroupPolicy to .old and run Gpupdate /force.
2. Please verify that DNS is set correctly and the DNS Client Service is enabled. Restart the DNS Client Service.
Hope this helps!
Best Regards
Elytis Cheng
TechNet Community Support -
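Added example, not part of the thread above: a small Python triage for a gpsvc.log in the format posted in the question. It pairs the "Reader has to wait for lock" entry with the later "Lock timeout" in the same process, lists the longest silent gaps, and converts "failed with 0x..." statuses to decimal. The sample lines are copied from the excerpt above; the function names are illustrative.

```python
import re

# gpsvc.log line: GPSVC(<pid>.<tid>) HH:MM:SS:mmm <message>  (pid and tid are hex)
LINE_RE = re.compile(
    r"^GPSVC\(([0-9a-fA-F]+)\.([0-9a-fA-F]+)\)\s+"
    r"(\d{2}):(\d{2}):(\d{2}):(\d{3})\s+(.*)$"
)
DAY_MS = 24 * 60 * 60 * 1000

# Lines copied from the excerpt in the question, trimmed to the lock sequence.
SAMPLE = """\
GPSVC(fc.7d0) 08:41:11:985 Sid = (null), dwTimeout = 600000, dwFlags = 268435456
GPSVC(fc.7d0) 08:41:11:985 LockPolicySection called for user <Machine>
GPSVC(fc.7d0) 08:41:11:985 Async Lock called
GPSVC(fc.7d0) 08:41:11:985 Reader has to wait for lock. ReaderID : 1.
GPSVC(fc.7d0) 08:41:11:985 Registering wait for lock notification
GPSVC(200.1060) 08:43:10:223 Client_CompleteNotificationCall: failed with 0x71a
GPSVC(fc.1054) 08:43:50:304 Target = Machine, ChangeNumber 0
GPSVC(fc.1374) 08:51:06:327 Found the Waiting Rpc Reader in the waiting list. Removing it...
GPSVC(fc.1374) 08:51:06:327 Lock timeout
"""


def parse_log(text):
    """Parse entries into dicts with a millisecond timestamp.

    The log carries no date, so a backwards jump of more than half a day
    is treated as a midnight rollover.
    """
    entries, day, prev = [], 0, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped or foreign lines are skipped
        pid, tid, hh, mm, ss, ms, msg = m.groups()
        tod = ((int(hh) * 60 + int(mm)) * 60 + int(ss)) * 1000 + int(ms)
        if prev is not None and tod < prev - DAY_MS // 2:
            day += 1
        prev = tod
        entries.append({"pid": pid.lower(), "tid": tid.lower(),
                        "ms": day * DAY_MS + tod, "msg": msg})
    return entries


def lock_waits(entries):
    """Pair 'has to wait for lock' with the next 'Lock timeout' per process.

    The timeout is logged from a different thread than the waiter, so the
    correlation key is the process id, not the thread id.
    """
    waiting, configured, found = {}, {}, []
    for e in entries:
        m = re.search(r"dwTimeout = (\d+)", e["msg"])
        if m:
            configured[e["pid"]] = int(m.group(1))
        if "has to wait for lock" in e["msg"]:
            waiting[e["pid"]] = e
        elif e["msg"].startswith("Lock timeout") and e["pid"] in waiting:
            start = waiting.pop(e["pid"])
            found.append({"pid": e["pid"],
                          "waiter_tid": start["tid"],
                          "waited_ms": e["ms"] - start["ms"],
                          "configured_ms": configured.get(e["pid"])})
    return found


def stalls(entries, threshold_ms=60_000):
    """Gaps between consecutive entries of at least threshold_ms, longest first."""
    out = []
    for a, b in zip(entries, entries[1:]):
        gap = b["ms"] - a["ms"]
        if gap >= threshold_ms:
            out.append((gap, a["msg"], b["msg"]))
    return sorted(out, reverse=True)


def failure_codes(entries):
    """'failed with 0x...' statuses as decimal codes (usable with `net helpmsg`)."""
    codes = []
    for e in entries:
        m = re.search(r"failed with (0x[0-9a-fA-F]+)", e["msg"])
        if m:
            codes.append(int(m.group(1), 16))
    return codes


if __name__ == "__main__":
    log = parse_log(SAMPLE)
    for w in lock_waits(log):
        print(f"pid {w['pid']}: reader {w['waiter_tid']} waited {w['waited_ms']} ms "
              f"(dwTimeout {w['configured_ms']} ms) before 'Lock timeout'")
    for gap, before, after in stalls(log):
        print(f"{gap:>8} ms silent between: {before!r} -> {after!r}")
    print("failure codes:", failure_codes(log))
```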
Stuck at Applying Group Policy Printers Policy on Windows 2008 Servers
XP clients seem to be fine and map all printers at logon. The 2k8 servers all hang at logon for 30 min or more at the Applying Group Policy Printers Policy. The print server is a DC in the same domain and it does not experience the issues at logon and gets to the desktop immediately.
a DHCP workstation
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
U:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : CP0030621
Primary Dns Suffix . . . . . . . : us.tms.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : us.tms.local
us.tms.local
tms.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : us.tms.local
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : 00-19-BB-5F-EE-75
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.1.10.165
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.1.10.1
DHCP Server . . . . . . . . . . . : 10.1.10.27
DNS Servers . . . . . . . . . . . : 10.1.10.27
10.1.10.28
Lease Obtained. . . . . . . . . . : Monday, August 24, 2009 8:24:12 AM
Lease Expires . . . . . . . . . . : Saturday, August 29, 2009 8:24:12 A
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Net
ork)
Physical Address. . . . . . . . . : 00-0D-3A-A6-BA-28
win2k3 web server which logs in successfully
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
U:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : wlfdweb01
Primary Dns Suffix . . . . . . . : us.tms.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : us.tms.local
tms.local
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC7782 Gigabit Server Adapter #2
Physical Address. . . . . . . . . : 00-14-C2-C3-DA-3A
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.1.10.29
Subnet Mask . . . . . . . . . . . : 255.255.254.0
IP Address. . . . . . . . . . . . : 10.1.10.30
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.1.10.1
DNS Servers . . . . . . . . . . . : 10.1.10.27
10.1.10.28
Print Server that logs in fine (also a DC and DNS Server)
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
U:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : wlfddc02
Primary Dns Suffix . . . . . . . : us.tms.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : us.tms.local
tms.local
Ethernet adapter Local Area Connection 4:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC373i Multifunction Gigabit Server Ad
apter #2
Physical Address. . . . . . . . . : 00-1C-C4-EF-B7-A4
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.1.10.28(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.1.10.1
DNS Servers . . . . . . . . . . . : 10.1.10.28
10.1.10.27
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{9FB5C233-FB93-471F-873E-6DFDFCFED
2AE}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
server that hangs at applying group policy printers (the other dc and dns server for the domain)
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
U:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : wlfddc01
Primary Dns Suffix . . . . . . . : us.tms.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : us.tms.local
tms.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : 00-0F-1F-68-D6-42
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.1.10.27(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.1.10.1
DNS Servers . . . . . . . . . . . : 127.0.0.1
10.1.10.25
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Local Area Connection* 8:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{C0EEED04-498A-42FC-9C42-86A37BD4D
8D5}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes -
Good morning,
I have two policies for WSUS, one that auto-reboots the client and one that allows for manual reboots. I'm sure this is very obvious, but I'm wanting to make sure I do this correctly.
What's the easiest way to apply the policy for manual/auto reboots without having to go through my entire active directory tree and link it to each OU containing mixed computers?
I hope this makes sense, but I know I can set security groups and then set it for the scope, but if I go that route is there a way to apply it to all Domain Computers, EXCEPT those who are a member of security group "MPS - WSUS Manual" for example?
Any input here is greatly appreciated
Thank you
If all the machines that you want to have the manual option are in a few select OUs then you could apply the auto reboot GPO to the root of the domain, and then link the manual GPO just to those GPOs containing the relevant machines. As explained here http://technet.microsoft.com/en-gb/library/cc785665(v=ws.10).aspx a policy applied to an OU overrides a policy applied to the domain as a whole.
While I'm not sure, from your description I'm guessing that's the case, and they're actually mixed in throughout the domain? In which case, the other option might be to make use of group policy's order of precedence. As described here http://blogs.msdn.com/b/muaddib/archive/2012/08/22/determine-gpo-precedence-with-gpmc-gpresult.aspx you'll see that the order that the GPOs are listed makes a difference to the order that they are applied, and the last to be applied takes precedence over those that come before. Therefore using that, if you applied the reboot policy to everyone, and then applied the manual one with a security filter so it only applied to your "MPS - WSUS Manual" group such that it had a higher precedence, all machines would receive the first GPO, but those machines in that group would have that overridden by the second policy. -
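Added example, not part of the thread above: a Python model of the two options described in the answer (an OU-linked GPO overriding a domain-linked one, and link order combined with security filtering), including the case where the link order is the wrong way round. GPO names, the `reboot` setting key and the `DC=example,DC=local` domain are constructed; only the group name "MPS - WSUS Manual" comes from the post. Enforced links and Block Inheritance are assumed not to be in use.

```python
from dataclasses import dataclass

MANUAL_GROUP = "MPS - WSUS Manual"   # group name from the question
DOMAIN = "DC=example,DC=local"       # constructed domain
SERVERS_OU = "OU=Servers"            # constructed OUs
WORKSTATIONS_OU = "OU=Workstations"


@dataclass
class GPO:
    name: str
    settings: dict
    # Security filtering: groups that hold Read + Apply group policy.
    apply_to: frozenset = frozenset({"Authenticated Users"})


@dataclass
class Link:
    gpo: GPO
    container: str   # domain or OU the GPO is linked to
    order: int       # link order inside that container; 1 = highest precedence


def resolve(container_path, groups, links):
    """Return {setting: (value, winning GPO name)} for one computer.

    container_path lists the containers from the domain root down to the
    computer's own OU. GPOs are processed domain first and closest OU last;
    inside a container the highest link-order number is processed first and
    link order 1 last. A later write replaces an earlier one, so the GPO
    processed last wins.
    """
    effective = {}
    for container in container_path:
        here = [l for l in links if l.container == container]
        for link in sorted(here, key=lambda l: l.order, reverse=True):
            if not (link.gpo.apply_to & groups):
                continue  # filtered out: the GPO is not applied at all
            for key, value in link.gpo.settings.items():
                effective[key] = (value, link.gpo.name)
    return effective


AUTO = GPO("WSUS Auto Reboot", {"reboot": "auto"})
MANUAL_FILTERED = GPO("WSUS Manual Reboot", {"reboot": "manual"},
                      frozenset({MANUAL_GROUP}))
MANUAL_OU = GPO("WSUS Manual Reboot (OU)", {"reboot": "manual"})


def domain_links(manual_order, auto_order):
    """Both GPOs linked at the domain, with the given link orders."""
    return [Link(MANUAL_FILTERED, DOMAIN, manual_order),
            Link(AUTO, DOMAIN, auto_order)]


def ou_links():
    """Auto GPO at the domain, unfiltered manual GPO linked to one OU."""
    return [Link(AUTO, DOMAIN, 1), Link(MANUAL_OU, SERVERS_OU, 1)]


def reboot_mode(container_path, groups, links):
    return resolve(container_path, groups, links)["reboot"]


if __name__ == "__main__":
    member = {"Authenticated Users", MANUAL_GROUP}
    other = {"Authenticated Users"}
    path = [DOMAIN, WORKSTATIONS_OU]
    print("filtered GPO at link order 1, member:",
          reboot_mode(path, member, domain_links(1, 2)))
    print("filtered GPO at link order 1, non-member:",
          reboot_mode(path, other, domain_links(1, 2)))
    print("filtered GPO at link order 2, member:",
          reboot_mode(path, member, domain_links(2, 1)))
    print("OU-linked GPO, computer in that OU:",
          reboot_mode([DOMAIN, SERVERS_OU], other, ou_links()))
```

On a real client, `gpresult /r` shows which GPOs were applied and which were filtered out, which is the check to run against the model's prediction.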
Windows Server 2008 - Group policy for domain client to start/stop services installed on it
Hello Experts
I am a newbie to Windows Server administration. I did a Google search, but ended up with these questions about my requirements.
I have created a new domain and 2 clients/computers (namely A & B) to domain. Now A & B have a Tomcat server running with ports 8080, 9090 which I have installed domain ADMIN account.
Now I want start/stop/restart of services enabled for domain users! How do I achieve this?
Basic question: how can I access A & B Tomcat services on the DOMAIN CONTROLLER server to create a GPO and that are on (A & B)?
What is the easiest way to achieve the same (if not using GPO)?
Similarly, I am looking for many features where I want to control the permissions of users on (A & B), like: if the binaries of Tomcat are available on a machine, say A, if the user can install (now it asks for ADMIN credentials).
Thanks
Mike~Ed
Controlling services with Group Policy is done under Computer Configuration\Policies\Windows Settings\Security Settings\System Services.
The limitation is that system services can only see the services on the computer running the Group Policy management console. To access other services, you will either need to create the services on your computer (install the software that adds the service) or install the remote server administration toolkit (RSAT) on the computer with the service already on it.
If my answer helped you, check out my blog:
Deploy Happiness -
Domain Group Policy changes causes clients to be unable to connect to WSUS for Windows Updates
Domain Controller is Windows Server 2008 R2 64-bit, Group Policy Management version 6.0.0.1. WSUS server is Windows Server 2008 Enterprise 32-bit, Update Services version 3.2.7600.226. Client machines are Windows 7, some are 64-bit and some are 32-bit.
Every time we make any changes to any of our Group Policies most of our clients stop getting their Windows Updates from the WSUS server within 2-3 days. This occurs when we add a new policy for a group of users, temporarily disable a policy or edit a policy.
Check of the WindowsUpdate.log on affected client machines shows:
2014-06-25 13:40:44:976 760 1610 PT WARNING: GetAuthorizationCookie failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2014-06-25 13:40:44:977 760 1610 PT WARNING: Failed to initialize Simple Targeting Cookie: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 PT WARNING: PopulateAuthCookies failed: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 PT WARNING: RefreshCookie failed: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 PT WARNING: RefreshPTState failed: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 PT WARNING: PTError: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 Report WARNING: Reporter failed to upload events with hr = 80072ee2.
A further check of the log files shows:
2014-06-21 19:36:06:995 156 1b0c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <proxy server name:8080> Bypass List used : <(null)> Auth Schemes used : <>
We do not use a proxy except for Internet connections. We configure IE with a pac file. This is set through Group Policy since we restrict user accounts from being able to set it.
The clients that are connecting to the WSUS server have these entries instead:
2014-06-24 09:12:16:779 992 270 Agent Setting download properties on call A20329BC-3467-4B7E-B9F4-6AC6ACBA23E1: priority=3, interactive=1, owner is system=0, proxy settings=1, proxy session id=2
I have a routine that will fix the problem but it is time-consuming and pulls me away from other things I should be doing:
Run registry files on client machine (WindowsUpdate and AU). This is not always necessary and is already set by Group Policy and the affected clients already have the registry settings. No idea why it is necessary to do but the steps below don't always work unless it is.
net stop bits and net stop wuauserv
ipconfig /flushdns
Delete qmgr*.* files from Downloader folder
Delete Software Distribution folder
Run from command prompt:
sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
net start bits and net start wuauserv
wuauclt /resetauthorization /detectnow
Run Windows Updates again from Control Panel
This routine always fixes the problem but I've found that I must do each step to guarantee success.
How or where is the proxy setting being changed for WSUS that we see in the WindowsUpdate logs and how do I prevent this from happening? It is also curious that it happens to most but not all of the client machines. When it does happen it's not always the same client machines.
You're right - the WSUS server is on the inside and does not need a proxy server. Tried running the netsh winhttp reset proxy command but was still not able to connect to the WSUS server. After running the netsh winhttp reset proxy command received response:
Current WinHTTP proxy setting: Direct access <no proxy server>.
Ran the command at 13:49 and then tried Windows Updates again. Here's snippet from the log file:
2014-06-27 13:49:56:889 548 f6c AU Triggering AU detection through DetectNow API
2014-06-27 13:49:56:890 548 f6c AU Triggering Online detection (interactive)
2014-06-27 13:49:56:890 548 4b8 AU #############
2014-06-27 13:49:56:890 548 4b8 AU ## START ## AU: Search for updates
2014-06-27 13:49:56:890 548 4b8 AU #########
2014-06-27 13:49:56:893 548 4b8 AU <<## SUBMITTED ## AU: Search for updates [CallId = {9CE06AB2-E859-4B4D-8D1A-193AD89623C5}]
2014-06-27 13:49:56:893 548 1260 Agent *************
2014-06-27 13:49:56:893 548 1260 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
2014-06-27 13:49:56:893 548 1260 Agent *********
2014-06-27 13:49:56:893 548 1260 Agent * Online = Yes; Ignore download priority = No
2014-06-27 13:49:56:893 548 1260 Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1
or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
2014-06-27 13:49:56:893 548 1260 Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2014-06-27 13:49:56:893 548 1260 Agent * Search Scope = {Machine}
2014-06-27 13:49:56:893 548 1260 Setup Checking for agent SelfUpdate
2014-06-27 13:49:56:893 548 1260 Setup Client version: Core: 7.6.7600.256 Aux: 7.6.7600.256
2014-06-27 13:49:56:894 548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2014-06-27 13:49:56:901 548 1260 Misc Microsoft signed: Yes
2014-06-27 13:49:56:927 548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2014-06-27 13:49:56:934 548 1260 Misc Microsoft signed: Yes
2014-06-27 13:49:56:936 548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
2014-06-27 13:49:56:943 548 1260 Misc Microsoft signed: Yes
2014-06-27 13:49:56:956 548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
2014-06-27 13:49:56:962 548 1260 Misc Microsoft signed: Yes
2014-06-27 13:49:56:974 548 1260 Setup Determining whether a new setup handler needs to be downloaded
2014-06-27 13:49:56:974 548 1260 Setup SelfUpdate handler is not found. It will be downloaded
2014-06-27 13:49:56:974 548 1260 Setup Evaluating applicability of setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256"
2014-06-27 13:49:56:976 548 1260 Setup Setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
2014-06-27 13:49:56:976 548 1260 Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256"
2014-06-27 13:49:56:989 548 1260 Setup Setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
2014-06-27 13:49:56:989 548 1260 Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256"
2014-06-27 13:49:57:007 548 1260 Setup Setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
2014-06-27 13:49:57:007 548 1260 Setup SelfUpdate check completed. SelfUpdate is NOT required.
2014-06-27 13:49:57:165 548 1260 PT +++++++++++ PT: Synchronizing server updates +++++++++++
2014-06-27 13:49:57:165 548 1260 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL =
http://(FQDN of WSUS server)/ClientWebService/client.asmx
2014-06-27 13:49:57:175 548 1260 PT WARNING: Cached cookie has expired or new PID is available
2014-06-27 13:49:57:175 548 1260 PT Initializing simple targeting cookie, clientId = 6be4a1ae-3313-4855-bdb1-57e3312f03ec, target group = AGENCIES, DNS name = dpk2.clear-rcic.rcc.org
2014-06-27 13:49:57:175 548 1260 PT Server URL =
http://(FQDN of WSUS server)/SimpleAuthWebService/SimpleAuth.asmx
2014-06-27 13:50:57:280 548 1260 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(proxy server):8080> Bypass List used : <(null)> Auth Schemes used : <>
2014-06-27 13:50:57:281 548 1260 PT + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
2014-06-27 13:50:57:281 548 1260 PT + Caller provided proxy = No
2014-06-27 13:50:57:281 548 1260 PT + Proxy list used = webgate.rcc.org:8080
2014-06-27 13:50:57:281 548 1260 PT + Bypass list used = <NULL>
2014-06-27 13:50:57:281 548 1260 PT + Caller provided credentials = No
2014-06-27 13:50:57:281 548 1260 PT + Impersonate flags = 0
2014-06-27 13:50:57:281 548 1260 PT + Possible authorization schemes used =
2014-06-27 13:50:57:281 548 1260 PT WARNING: GetAuthorizationCookie failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2014-06-27 13:50:57:281 548 1260 PT WARNING: Failed to initialize Simple Targeting Cookie: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: PopulateAuthCookies failed: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: RefreshCookie failed: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: RefreshPTState failed: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: Sync of Updates: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: SyncServerUpdatesInternal failed: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 Agent * WARNING: Failed to synchronize, error = 0x80072EE2
2014-06-27 13:50:57:282 548 1260 Agent * WARNING: Exit code = 0x80072EE2
2014-06-27 13:50:57:282 548 1260 Agent *********
2014-06-27 13:50:57:282 548 1260 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates]
2014-06-27 13:50:57:282 548 1260 Agent *************
2014-06-27 13:50:57:282 548 1260 Agent WARNING: WU client failed Searching for update with error 0x80072ee2
2014-06-27 13:50:57:302 548 e04 AU >>## RESUMED ## AU: Search for updates [CallId = {9CE06AB2-E859-4B4D-8D1A-193AD89623C5}]
2014-06-27 13:50:57:302 548 e04 AU # WARNING: Search callback failed, result = 0x80072EE2
2014-06-27 13:50:57:302 548 e04 AU # WARNING: Failed to find updates with error code 80072EE2
2014-06-27 13:50:57:302 548 e04 AU #########
2014-06-27 13:50:57:302 548 e04 AU ## END ## AU: Search for updates [CallId = {9CE06AB2-E859-4B4D-8D1A-193AD89623C5}]
2014-06-27 13:50:57:302 548 e04 AU #############
2014-06-27 13:50:57:303 548 e04 AU Successfully wrote event for AU health state:0
2014-06-27 13:50:57:303 548 e04 AU AU setting next detection timeout to 2014-06-27 22:50:57
2014-06-27 13:50:57:304 548 e04 AU Setting AU scheduled install time to 2014-06-28 05:00:00
2014-06-27 13:50:57:304 548 e04 AU Successfully wrote event for AU health state:0
2014-06-27 13:50:57:305 548 e04 AU Successfully wrote event for AU health state:0
2014-06-27 13:51:02:285 548 1260 Report REPORT EVENT: {BD25B39C-6570-454C-A046-AF3AF2DEBDD4} 2014-06-27 13:50:57:282-0400 1 148 101 {00000000-0000-0000-0000-000000000000} 0 80072ee2 AutomaticUpdates Failure Software
Synchronization Windows Update Client failed to detect with error 0x80072ee2.
2014-06-27 13:51:02:295 548 1260 Report CWERReporter::HandleEvents - WER report upload completed with status 0x8
2014-06-27 13:51:02:295 548 1260 Report WER Report sent: 7.6.7600.256 0x80072ee2 00000000-0000-0000-0000-000000000000 Scan 101 Managed
2014-06-27 13:51:02:295 548 1260 Report CWERReporter finishing event handling. (00000000)
2014-06-27 13:51:48:184 548 4b8 AU ########### AU: Uninitializing Automatic Updates ###########
2014-06-27 13:51:48:187 548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
2014-06-27 13:51:48:187 548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
2014-06-27 13:51:48:187 548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
2014-06-27 13:51:48:187 548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
2014-06-27 13:51:48:187 548 4b8 Report CWERReporter finishing event handling. (00000000)
2014-06-27 13:51:48:252 548 4b8 Service *********
2014-06-27 13:51:48:252 548 4b8 Service ** END ** Service: Service exit [Exit code = 0x240001]
2014-06-27 13:51:48:252 548 4b8 Service *************
2014-06-27 13:51:53:002 548 160c Misc =========== Logging initialized (build: 7.6.7600.256, tz: -0400) ===========
2014-06-27 13:51:53:002 548 160c Misc = Process: C:\Windows\system32\svchost.exe
2014-06-27 13:51:53:002 548 160c Misc = Module: c:\windows\system32\wuaueng.dll
Ran a batch file which resets the AU and WindowsUpdate registry keys and then runs the steps listed above:
regedit /s C:\WindowsUpdate.reg
regedit /s C:\AU.reg
net stop bits
net stop wuauserv
Ipconfig /flushdns
del C:\ProgramData\Microsoft\Network\Downloader\qmgr*.*
del /F /Q C:\Windows\SoftwareDistribution\*.*
sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
net start bits
net start wuauserv
wuauclt /resetauthorization /detectnow
After this runs, I am able to connect to the WSUS server for updates. I mentioned Group Policy changes because this only breaks after the Group Policy changes. It doesn't affect every client machine but most of them. I was wondering how the proxy gets reset from none to the proxy server for Windows Updates? -
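What the two `sc.exe sdset` lines in the batch file above grant, decoded per trustee. This is an added example, not part of the original post; `ConvertFrom-ServiceSddl` is a hypothetical helper name, and the abbreviations are the standard SDDL ones as they apply to service objects.

```powershell
# Added example: decode the DACL string passed to "sc.exe sdset" so it can be
# reviewed before it replaces a service's permissions.
# ConvertFrom-ServiceSddl is a hypothetical helper name.

# SDDL two-letter rights as they map onto service access rights.
$ServiceRights = @{
    'CC' = 'QueryConfig';   'DC' = 'ChangeConfig'
    'LC' = 'QueryStatus';   'SW' = 'EnumerateDependents'
    'RP' = 'Start';         'WP' = 'Stop'
    'DT' = 'PauseContinue'; 'LO' = 'Interrogate'
    'CR' = 'UserDefinedControl'
    'SD' = 'Delete';        'RC' = 'ReadControl'
    'WD' = 'WriteDac';      'WO' = 'WriteOwner'
}

# SDDL trustee abbreviations (the page's string uses SY, BA, AU and PU).
$Trustees = @{
    'SY' = 'Local System';        'BA' = 'Builtin Administrators'
    'AU' = 'Authenticated Users'; 'PU' = 'Power Users'
    'IU' = 'Interactive';         'SU' = 'Service logon'
    'WD' = 'Everyone'
}

function ConvertFrom-ServiceSddl {
    param([Parameter(Mandatory = $true)][string]$Sddl)

    # Keep only the DACL part: from "D:" up to an optional SACL ("S:").
    $dacl = $Sddl -creplace '^.*?D:', '' -creplace 'S:.*$', ''

    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        # ACE fields: type;flags;rights;object_guid;inherit_guid;trustee
        $f = $m.Groups[1].Value.Split(';')
        if ($f.Count -lt 6) { continue }

        if ($f[2] -match '^0x') {
            $names = @($f[2])          # raw hex access mask, shown as is
        } else {
            $names = @([regex]::Matches($f[2], '..') | ForEach-Object {
                if ($ServiceRights.ContainsKey($_.Value)) { $ServiceRights[$_.Value] }
                else { "?$($_.Value)" }
            })
        }

        $who = $f[5]
        if ($Trustees.ContainsKey($who)) { $who = $Trustees[$who] }

        New-Object PSObject -Property @{
            Type    = $(if ($f[0] -eq 'A') { 'Allow' } elseif ($f[0] -eq 'D') { 'Deny' } else { $f[0] })
            Trustee = $who
            Rights  = $names -join ', '
            # Rights that let the trustee change the service binary or its ACL.
            CanReconfigure = [bool]($names -match '^(ChangeConfig|WriteDac|WriteOwner)$')
        }
    }
}

# The string from the batch file above (identical for bits and wuauserv).
$sddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
        '(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)'

ConvertFrom-ServiceSddl $sddl |
    Select-Object Type, Trustee, CanReconfigure, Rights |
    Format-List

# On a live machine, record what is currently set before overwriting it:
#   sc.exe sdshow bits
#   sc.exe sdshow wuauserv
```

In this string only Builtin Administrators hold ChangeConfig, WriteDac or WriteOwner; Power Users can start and stop both services, and Authenticated Users can only query them.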
Group Policy causes novell client to never show up windows XP
Hello,
I've been having a problem for the last couple of months that I have no
idea how to fix. I'm using Windows XP SP1, Novell Client 4.91, and
Zenworks 3.2 (included in Novell Client 4.90 SP2). This is a Netware 6
server. I am running E-trust Antivirus 7.1.192. I am having a problem
where the novell client will not show up after restarting the workstation.
An hourglass comes up for a couple of seconds, disappears, and then I'm
left with a blank screen and a mouse cursor. The only thing I can do is
power the machine down manually, no keystrokes work at that point. It
doesn't happen all the time, it's completely random, but it occurs often
enough for the users to complain.
The source of the problem seems to be the group policy that is in effect
for students (this is a K-12 school district). If I disable the group
policy for students, the problem appears to go away (this is not an
option). If the login screen shows up, then everything else on the
computer functions perfectly (including policy after login). Are there any
group policy updates available that may solve this problem? Please let me
know if I've left out any important information. I appreciate any help
provided as I've been at this for the past couple months!
Thanks,
Patrick
Pat,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
- Check all of the other support tools and options available at
http://support.novell.com.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://support.novell.com/forums)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://support.novell.com/forums/faq_general.html
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/ -
How can I apply group policy but except some users like administrator?
Hello all.
How can I set a group policy and apply it to users except the administrator?
Cheers.
Hello,
please see
http://www.grouppolicy.biz/2015/03/how-to-stop-local-administrators-from-bypassing-group-policy/ if you talk about local administrator accounts. In short you CAN'T.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
Twitter: -
Using WMI Filter to apply group policy to users on computers in a security group
Hello all,
I've got a bunch of computers that I want to apply some user side policies that affect all users that log on to these specific computers (they are used for exams).
Unfortunately it is company policy to have a flat OU structure and as such moving these computers into their own OU is out of the question. Which brings me to wanting to create a WMI filter to limit the policy to running on computers only within the security
group and then set the security filtering to "Authenticated Users". The policy will be linked to the all student computers OU where a few thousand machines sit, but will only apply to 20 or so machines (I know it's messy).
Anyway that brings me to my question, can someone point me in the right direction for how I would go about creating this WMI query?
Cheers
> I've got a bunch of computers that I want to apply some user side
> policies that affect all users that log on to these specific computers
> (they are used for exams).
That's what "Loopback" initially was designed for. Nowadays, we can use
some other tricks :)
http://evilgpo.blogspot.de/2012/02/loopback-demystified.html
http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
Martin
Want to read a GOOD book about GPOs for once?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Hi this is my first time to ask a question here in this community.
I am a system administrator here at my work and we are having some issues on some servers that we handle. Network in our office is stable and we have determined it is not a problem on the connection.
First issue - One of our domain controller consistently drops out on our Directory Server and saying it's unavailable.
Second issue - Unable to ping hostname but IP address works fine. (Sometimes hostname is ok but very intermittent)
Third issue - Since connection is unstable map drives causes to disconnect
If someone can provide any assistance on this matter it would be a great help. If screenshots needed for proper assistance would be appreciative.
Just to add that this only happen after a power failure last April of this month and a few weeks bluescreen started to show. It is a hazy version wasn't able to get any code that may lead to a hardware failure.
Now our main RDC.local is also affected so we are trying to isolate this issue and exhausted my brain since we cannot determine what causes it. Need external assistance just to give us a lead on where we can get this resolved.
Hi Ryan,
Before going further, would you please let me confirm something more? Thanks for your understanding.
1. For first issue, would you please let me know OS edition information of the problematic DC? Was it Windows Server 2008 R2 or Windows Server 2012 or any other?
> One of our domain controller consistently drops out on our Directory Server and saying it's unavailable.
Would you please let me know the complete error message or provide a screenshot of it?
(Please hide all protected or private information.) Meanwhile, please log on the problematic DC and check if find relevant events or errors in Event Viewer.
2. For the second issue, it seems to be a DNS issue. Did you run
ipconfig /flushdns and ipconfig /registerdns command? Any find? Meanwhile, please use
ipconfig /all to display full TCP/IP configuration and check. Or you can post the
ipconfig result here. It may help us to go further analyze. By the way, would you please let me know error message that you can get when be unable to ping via hostname?
3.
> Since connection is unstable map drives causes to disconnect
May be a cause.
If any update, please feel free to let me know.
Hope this helps.
Best regards,
Justin Gu -
Group Policy Pref - Mapped Drives Not Applying to One User
Hi All,
I’m new to this list, so please excuse any etiquette slip ups.
I have three users at a site. All their machines are running Windows XP Service Pack 3 and have client side extensions installed. I created a group policy to map their default drives using GP User Preferences.
Each of the drives is set to "update".
As an example of the policy created XML is as follows:
<Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="H:" status="H:"
image="2" changed="2009-11-25 05:13:58"
uid="{8A44D2F4-AAE5-4F43-AEEC-D36F08EA619C}" desc="Maps the users H drive to
ServerName\users$\%username%" bypassErrors="1"><Properties action="U"
thisDrive="NOCHANGE" allDrives="NOCHANGE" userName=""
path="\\ServerName\users$\%username%" label="Home (ServerName)"
persistent="1" useLetter="1" letter="H"/></Drive>
and
<Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="J:" status="J:"
image="0" changed="2009-11-30 03:52:58"
uid="{535CD462-A45D-4363-ADA1-2316D5ECC703}" desc="Maps J drive for users to
\\ServerName\apps" bypassErrors="1"><Properties action="C"
thisDrive="NOCHANGE" allDrives="NOCHANGE" userName=""
path="\\ServerName\Apps" label="Apps (ServerName)" persistent="1"
useLetter="1" letter="J"/></Drive>
The group policy is applied to an OU for that site.
All three users are in the same OU.
All three users are also in the same “xxsitecode Users” group.
2 of the users log into their pc and get the mapped drives with no issue, but one user doesn’t.
There are no other login scripts and the user has no manually mapped drives.
He does have a H drive mapped using the profile field in his AD object as a temp measure. But every 90 mins any other manually mapped drives are removed by the policy.
We don’t use roaming profiles
To trouble shoot I have tried
- Reinstalling client side extensions
- Re-joining the pc to the domain
- Running gpupdate from the command prompt to see if any event logs are generated (none are)
- Manually mapping the drives to make sure there is network access etc – I can manually map them/he can access them.
- Creating the user a new account, when he logs in using that account he gets his mapped drives on all PC’s
- Getting the user to log into a different pc, when he does this he doesn’t get his drives – so it’s not his machine or profile
- Manually checking the security on the user object in AD against one of the users who gets their drives mapped
I'm sure the GP is fine because it works for two other users and the testing isolates his user account as the issue.
The Policy I’m having issues with is xxxx Mapped Drives/ Printers
I have posted this issue on the tech net GP discussion groups page, but haven’t had any replies.
Any suggestions would be appreciated.
Simone
What's interesting is that I applied a new GP to users - it has one policy setting and one preferences setting. He only gets the policy setting.. aka he gets the wallpaper but not the homepage.
Also, Jorke asked me to post the gpresult /z .
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 10/02/2010 at 2:19:34 PM
RSOP results for DOMAIN\USER on MACHINENAME : Logging Mode
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: DOMAIN
Domain Type: Windows 2000
Site Name: SITECODE
Roaming Profile:
Local Profile: C:\Documents and Settings\USER.DOMAIN
Connected over a slow link?: No
COMPUTER SETTINGS
CN=MACHINENAME,OU=Laptops,OU=SITECODE,DC=DOMAIN,DC=com,DC=au
Last time Group Policy was applied: 10/02/2010 at 1:06:38 PM
Group Policy was applied from: XXXXXADC.DOMAIN.com.au
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
Allow Remote Assistance
au-mdwsus
Default Domain Policy
Legal Notice
Proxy Settings
Logon as service, operating system
AU-WSUS
Desktop Background & Home Page
Reg Permissions for default desktop
Local Admin & Local Power Users
The following GPOs were not applied because they were filtered out
SITECODE Mapped Drives/ Printers
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
AVD Rollout
Filtering: Disabled (GPO)
The computer is a part of the following security groups:
BUILTIN\Administrators
Everyone
Debugger Users
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
MACHINENAME$
Domain Computers
CERTSVC_DCOM_ACCESS
Resultant Set Of Policies for Computer:
Software Installations
N/A
Startup Scripts
GPO: Desktop Background & Home Page
Name: image.bat
Parameters:
LastExecuted: 7:55:34 PM
Name: swiftdesktop.vbs
Parameters:
LastExecuted: 7:55:35 PM
Shutdown Scripts
N/A
Account Policies
Audit Policy
User Rights
Security Options
Event Log Settings
Restricted Groups
System Services
Registry Settings
File System Settings
Public Key Policies
N/A
Administrative Templates
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: au-mdwsus
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: au-mdwsus
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\CurrentVersion\Winlogon
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: au-mdwsus
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: Desktop Background & Home Page
Setting: Software\Policies\Microsoft\Internet Explorer\Security
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: au-mdwsus
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: au-mdwsus
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
USER SETTINGS
CN=Matthew Luhrs,OU=Users,OU=SITECODE,DC=DOMAIN,DC=com,DC=au
Last time Group Policy was applied: 10/02/2010 at 1:54:53 PM
Group Policy was applied from: XXXXXADC.DOMAIN.com.au
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
Allow Remote Assistance
**** SITECODE Mapped Drives/ Printers - has Gp Pref's that should apply
Default Domain Policy
Proxy Settings
**** Desktop Background & Home Page - has Gp Pref's that should apply
Local Admin & Local Power Users
The following GPOs were not applied because they were filtered out
AU-WSUS
Filtering: Not Applied (Empty)
Legal Notice
Filtering: Disabled (GPO)
Reg Permissions for default desktop
Filtering: Not Applied (Empty)
Logon as service, operating system
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
au-mdwsus
Filtering: Not Applied (Empty)
AVD Rollout
Filtering: Disabled (GPO)
The user is a part of the following security groups:
Domain Users
Everyone
Offer Remote Assistance Helpers
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
Computer Account Operators
Internet Users
SITECODE Users
DOMAIN-Public Folders Administrators
All Email Users
DOMAINSWIFTEMAIL
Domain Admins
Offer Remote Assistance Helpers
WSUS Administrators
DHCP Administrators
CERTSVC_DCOM_ACCESS
Resultant Set Of Policies for User:
Software Installations
N/A
Public Key Policies
N/A
Administrative Templates
N/A
Folder Redirection
N/A
Internet Explorer Browser User Interface
GPO: Proxy Settings
Large Animated Bitmap Name: N/A
Large Custom Logo Bitmap Name: N/A
Title BarText: N/A
UserAgent Text: N/A
Delete existing toolbar buttons: No
Internet Explorer Connection
HTTP Proxy Server: Proxy:port
Secure Proxy Server: Proxy:port
FTP Proxy Server: Proxy:port
Gopher Proxy Server: Proxy:port
Socks Proxy Server: Proxy:port
Auto Config Enable: Yes
Enable Proxy: Yes
Use same Proxy: Yes
Internet Explorer URLs
GPO: Proxy Settings
Home page URL: N/A
Search page URL: N/A
Online support page URL: N/A
Internet Explorer Security
Always Viewable Sites: N/A
Password Override Enabled: False
GPO: Proxy Settings
Import the current Content Ratings Settings: No
Import the current Security Zones Settings: No
Import current Authenticode Security Information: No
Enable trusted publisher lockdown: No
Internet Explorer Programs
GPO: Proxy Settings
Import the current Program Settings: No -
I can't determine how a group policy is being applied. Please help. Thank you.
Hi,
I'm having a problem trying to find how a particular policy is being applied on my domain (I've inherited this domain). Whenever a user logs into a domain, the computer gets a new local group policy. One particular attribute is that the local
admin account gets renamed:
I can't figure out where it's coming from. I've run gpresult, and I'm assuming it's the default domain policy.
But when I go to the domain controller and look at the default domain policy, the entry is empty:
I'm really at a loss. However, I really don't think it's the default domain policy, but I can't figure out what else it could be?
Any help would be greatly appreciated. Thanks!!! -Tim
Does this help
C:\Users\***>gpresult /z
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 2/12/2015 at 1:57:06 PM
RSOP data for ****\*** on H9MHD12 : Logging Mode
OS Configuration: Member Workstation
OS Version: 6.1.7601
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\***
Connected over a slow link?: No
COMPUTER SETTINGS
CN=H9MHD12,CN=Computers,DC=***,DC=com
Last time Group Policy was applied: 2/12/2015 at 1:03:12 PM
Group Policy was applied from: ***.***.Com
Group Policy slow link threshold: 500 kbps
Domain Name: ****
Domain Type: Windows 2000
Applied Group Policy Objects
Default Domain Policy
Local Group Policy
The computer is a part of the following security groups
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
H9MHD12$
Domain Computers
System Mandatory Level
Resultant Set Of Policies for Computer
Software Installations
N/A
Startup Scripts
N/A
Shutdown Scripts
N/A
Account Policies
GPO: Default Domain Policy
Policy: MaximumPasswordAge
Computer Setting: 42
GPO: Default Domain Policy
Policy: MinimumPasswordAge
Computer Setting: N/A
GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: N/A
GPO: Default Domain Policy
Policy: PasswordHistorySize
Computer Setting: 1
GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: N/A
Audit Policy
N/A
User Rights
N/A
Security Options
GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ForceLogoffWhenHourExpire
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: RequireLogonToChangePassword
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: NewAdministratorName
Computer Setting: Enabled
N/A
Event Log Settings
N/A
Restricted Groups
N/A
System Services
N/A
Registry Settings
N/A
File System Settings
N/A
Public Key Policies
N/A
Administrative Templates
GPO: Local Group Policy
KeyName: Software\Policies\Microsoft\Windows\ScPnp\EnableScPnP
Value: 0, 0, 0, 0
State: Enabled
USER SETTINGS
CN=*******,OU=Users,OU=Corporate,OU=***,DC=***,DC=com
Last time Group Policy was applied: 2/12/2015 at 1:33:14 PM
Group Policy was applied from: ***.***.Com
Group Policy slow link threshold: 500 kbps
Domain Name: ***
Domain Type: Windows 2000
Applied Group Policy Objects
Default Domain Policy
The following GPOs were not applied because they were filtered out
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
The user has the following security privileges
Bypass traverse checking
Manage auditing and security log
Back up files and directories
Restore files and directories
Change the system time
Shut down the system
Force shutdown from a remote system
Take ownership of files or other objects
Debug programs
Modify firmware environment values
Profile system performance
Profile single process
Increase scheduling priority
Load and unload device drivers
Create a pagefile
Adjust memory quotas for a process
Remove computer from docking station
Perform volume maintenance tasks
Impersonate a client after authentication
Create global objects
Change the time zone
Create symbolic links
Increase a process working set
Resultant Set Of Policies for User
Software Installations
N/A
Logon Scripts
N/A
Logoff Scripts
N/A
Public Key Policies
N/A
Administrative Templates
N/A
Folder Redirection
N/A
Internet Explorer Browser User Interface
N/A
Internet Explorer Connection
N/A
Internet Explorer URLs
N/A
Internet Explorer Security
N/A
Internet Explorer Programs
N/A -
W7 client machine stuck on startup "Group Policy Files Policy"
we have some w7 machine getting stuck on boot up before ctrl-alt-del, once verbose message was turned on for troubleshooting, we noticed they were stuck at "applying group policy files policy".
we had let it wait for more than 60 minutes at a time and it would still be stuck. (though mouse / kb still responsive)
this problem however, is not reproducible on demand, if we power off the machine, it boots back up with no issues.
checking the group policy log, we didn't find anything weird, but was not sure if that's the right place to look though.
we do have two group policy preferences pushing out host files as well as desktop shortcuts, might that be the culprit?
thanks!
> we do have two group policy preferences pushing out host files as well
> as desktop shortcuts, might that be the culprit?
My recommendation: Use Group Policy Preferences as you like, but do NOT
use the "Files" extension.
Why? GP Processing at Boot/Logon is a synchronous foreground process
that cannot be interrupted (as you are already experiencing ;-)).
Replace GPP Files with a script that runs some robocopy commands. Start
this script through a scheduled task at boot or logon, so that it can
run asynchronously in the background, not disturbing the user experience.
regards, Martin
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
If my answer was helpful, I'm glad about a rating! -
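One way to do what Martin describes, as an added example that is not part of the original reply: a copy script with bounded robocopy retries, plus the `schtasks` call that runs it at boot. The share, the script path and the task name are assumed placeholders, and only the hosts file is copied here.

```powershell
# Added example. All names below are assumptions, not values from the thread:
#   \\fileserver\deploy\hosts   source share (hypothetical)
#   C:\Scripts\Sync-Files.ps1   where this script is saved (hypothetical, no spaces)
#   "Sync deployed files"       task name (hypothetical)
# Assumes the machine's execution policy allows this script to run.
param([switch]$Register)

$Source = '\\fileserver\deploy\hosts'
$Target = "$env:SystemRoot\System32\drivers\etc"
$Log    = "$env:SystemRoot\Temp\sync-files.log"

function Sync-DeployedFile {
    param([string]$From, [string]$To, [string]$File)

    # robocopy retries 1,000,000 times with a 30 s wait by default, which would
    # reproduce the hang in the background; /R and /W bound it to a few seconds.
    & robocopy.exe $From $To $File /R:2 /W:5 /NP /NJH /NJS "/LOG+:$Log" | Out-Null

    # The exit code is a bit mask: below 8 nothing failed
    # (0 = nothing to copy, 1 = files copied); 8 and above a copy failed.
    $code = $LASTEXITCODE
    if ($code -ge 8) {
        Add-Content -Path $Log -Value "$(Get-Date -Format s) robocopy failed for $File, exit code $code"
        return $false
    }
    return $true
}

function Register-SyncTask {
    param([string]$ScriptPath = 'C:\Scripts\Sync-Files.ps1',
          [string]$TaskName   = 'Sync deployed files')

    # Runs as SYSTEM one minute after startup, outside Group Policy foreground
    # processing. schtasks.exe is used because it is available on Windows 7.
    # The task writes into drivers\etc as SYSTEM, so the script file and the
    # source share must be writable by administrators only.
    $action = "powershell.exe -NoProfile -NonInteractive -File $ScriptPath"
    & schtasks.exe /Create /TN $TaskName /TR $action /SC ONSTART /DELAY 0001:00 /RU SYSTEM /F
}

if ($Register) {
    # One-time setup from an elevated prompt:  .\Sync-Files.ps1 -Register
    Register-SyncTask
} elseif (-not (Sync-DeployedFile -From $Source -To $Target -File 'hosts')) {
    exit 1
}
```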
Currently we are running ZfD 7 and Netware 6.5 and have recently upgraded all our workstations to Windows XP Service Pack 2. Our tree structure consists of an OU for each school level, elementary, middle, and high, and an OU for each school in that respective level. Example:
Elementary
West Main
South Main
Middle
Brown Middle
The current contents in each School OU have users, groups, policies, etc. Previously policy was applied by a workstation policy package that distributed all policies: user, machine, and security which were associated with the School OU. Now we split the policy into workstation packages and user packages. The goal was to have the workstation apply the machine and security policy and the user policy to apply user settings and dynamically create the local user account.
The workstation policy remains persistent on the workstation while the user policy creates a local user (non-volatile) and applies the user policy from a server path depending on group membership. We have four different user policy packages: Student, Teacher, Specialist and Technology. Each with their own group policy user configuration. Everyone in our Tree has the appropriate permissions to access the policies. We configure the user policy package as follows:
Policies Windows XP
Enabled Dynamic Local User
Enabled Windows Group Policy
Workstation Manager
Network Location
\\serverpath
Checked User Configuration
Policy Schedule
User Desktop is active
Advanced Schedule
Impersonation
Interactive User
Associations
Groups (Teachers, Students)
I can get the workstation policy to apply with no problem. The problem comes when a user logs on. It doesn't matter if a new user is being created or if they are simply just switching users. User group policy doesn't apply randomly. The strange thing is it does copy down to the machine. If I connect to the admin share on a newly imaged workstation (with no policy applied) and open c:\windows\system32\ you see the creation of the GroupPolicy.Usercache folder and it copies to the GroupPolicy folder, which is where it applies policy from. Also you can see policy dynamically changing if different users log on. The Registry.pol updates in the c:\windows\system32\GroupPolicy.Usercache\User folder and c:\windows\system32\GroupPolicy\User. Sometimes group policy applies and sometimes it does not. When a user logs on you see the policy that was copied down apply. For example the run option is taken away from the start menu. During the log on process this remains in effect but when the process completes it's almost like policy is taken away. When this occurs I can run WMSCHED.Exe and reapply the user policy and it will apply sometimes. I tried applying group policy through both groups and organizational units. Both with the same results. I was wondering if anyone has had issues with applying group policy with ZEN or if I am doing this incorrectly. Any help would be much appreciated. Thanks.
rscurr,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/ -
Group Policy Preferences - Applied to Groups not always working
I've created a new group policy preference to add a couple new desktop shortcuts.
I've set the security filtering to apply to "JamesGroup". I have verified that "JamesGroup" has Read & Allow Apply Group Policy selected
I put myself into that group.
I then run a GPupdate/force on my computer and I get no new shortcuts.
If I adjust the security filtering to apply to "JamesUserAccount" and rerun GPupdate/force, the desktop shortcuts come through right away.
I've tried creating new groups and it never seems to work...it just works when I set the security filtering to specific user accounts.
When I remove myself from the security filtering, and run a GPresult /r I see that the GPO was not applied because it was filtered out: Denied (Security)
Why isn't the GPO applying when I set it on a security group?
To make things more interesting, it seems to work if I log onto a different computer as the same user?!? But doesn't work on 90% of the computers.
> Yes I have tried logging out/in, locking/unlocking, and restarting
> computers...nothing seems to work...
How many groups are you a member of? You might suffer Kerberos token
bloating...
To verify, check
"whoami /groups"
against
"dsquery user -samid %username% | dsget user -memberof -expand"
All groups in dsquery output also listed in whoami output?
Martin
How about reading a GOOD book about GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))
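The comparison Martin suggests, scripted as an added example that is not part of the original thread: it lists directory group memberships that are absent from the current logon token. The function name, the `EXAMPLE` domain and both sample outputs are constructed, and matching by name assumes each group's CN equals its sAMAccountName.

```powershell
# Constructed sample: output of  whoami /groups /fo csv
$whoamiCsv = @'
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"EXAMPLE\Domain Users","Group","S-1-5-21-1111111111-2222222222-3333333333-513","Mandatory group, Enabled by default, Enabled group"
'@

# Constructed sample: output of
#   dsquery user -samid %username% | dsget user -memberof -expand
$dsgetOut = @'
"CN=Domain Users,CN=Users,DC=example,DC=test"
"CN=JamesGroup,OU=Groups,DC=example,DC=test"
'@

# Hypothetical helper: returns groups the directory reports but the token lacks.
function Get-GroupsMissingFromToken {
    param(
        [Parameter(Mandatory)][string]$WhoamiCsv,
        [Parameter(Mandatory)][string]$DsgetOutput
    )
    # Names present in the logon token, with the DOMAIN\ prefix stripped.
    $inToken = @{}   # hashtable literals compare keys case-insensitively
    foreach ($row in ($WhoamiCsv | ConvertFrom-Csv)) {
        $inToken[($row.'Group Name' -replace '^.*\\', '')] = $true
    }
    # Directory memberships: first RDN of each DN (assumes CN = sAMAccountName).
    foreach ($line in ($DsgetOutput -split '\r?\n')) {
        $dn = $line.Trim().Trim('"')
        if ($dn -match '^CN=((?:\\.|[^,])+),') {
            $cn = $Matches[1] -replace '\\(.)', '$1'   # undo DN escaping such as \,
            if (-not $inToken.ContainsKey($cn)) {
                [pscustomobject]@{ Group = $cn; DN = $dn }
            }
        }
    }
}

# With the samples above this reports JamesGroup as missing from the token.
# Live use: pass (whoami /groups /fo csv | Out-String) and the dsquery | dsget
# pipeline's output (| Out-String) instead of the constructed samples.
Get-GroupsMissingFromToken -WhoamiCsv $whoamiCsv -DsgetOutput $dsgetOut
```

Well-known and local groups such as Everyone or BUILTIN\Users appear only in the token and are ignored; the check runs in one direction, from directory membership to token.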