Cases in which Domain Group Policy settings would be reverted to default settings on a Win7 client
Hi - I'm sure this info is out there somewhere, but I'm having a hard time finding it. Basically, I'm trying to identify the cases in which settings deployed via Domain Group Policy on 2008R2/Win7SP1 would get reverted back to "default settings" on a Win7SP1 client that is still a member of the domain, and is in a proper OU, properly targeted, WMI filters should still evaluate true, etc...
For instance, it appears that if machine-level registry settings contained within a LocalGPO file on a client get corrupted (C:\Windows\System32\GroupPolicy\Machine\registry.pol), all of those settings, plus all machine level administrative template settings defined in Domain Group Policy, get reverted to default settings (corresponds with Event ID 1096 in System Event Log where it references "LocalGPO"). I have not confirmed if this is the case for machine level settings defined outside of administrative templates in Domain Group Policy, or for any user level settings though. (But I suspect not.)
When a workstation is unable to talk to a Domain Controller in order to identify applicable Domain Group Policy settings (for instance, this issue: http://support.microsoft.com/kb/2421599/en-us), do administrative templates Domain Group Policy settings revert to defaults up until the next successful processing interval? I don't believe so, but would like confirmation.
Are there any other cases in which Domain Group Policy settings for a client still joined to the Domain would be reverted to defaults?
And when a client is unjoined from the Domain, what Domain Group Policy settings would remain on the client? I understand that some Domain Group Policy settings outside of administrative templates are "tattooed" to the registry. Does anyone know of a full list of these settings? I believe that most or all of the ones in Windows Settings\Security Settings are tattooed, and the only way to get these settings removed is to explicitly change them via registry edit or LocalGPO/Local Security Policy, after unjoining the domain.
Any info/insight/links to other doc/etc would be much appreciated!
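An added example, not part of the original post: a structural check for the registry.pol file the question mentions, so that a corrupted local policy file can be spotted before it is processed. The function names and the sample entries (including the host wsus.example.test) are assumptions made for illustration; the layout follows the documented PReg format.

```python
import struct

# Registry.pol layout: 4-byte signature "PReg", 4-byte little-endian version (1),
# then entries of the form [key;value;type;size;data] where the brackets and
# semicolons are UTF-16LE characters and key/value are NUL-terminated UTF-16LE.
SIGNATURE = b"PReg"
VERSION = 1
OPEN, SEP, CLOSE = (c.encode("utf-16-le") for c in "[;]")
REG_SZ, REG_DWORD = 1, 4


class PolFormatError(ValueError):
    """Raised when the buffer is not a well-formed registry.pol file."""


def _expect(buf, pos, token, what):
    if buf[pos:pos + 2] != token:
        raise PolFormatError(f"expected {what} at offset {pos}")
    return pos + 2


def _read_wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, offset after NUL)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise PolFormatError(f"unterminated string starting at offset {pos}")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def _read_u32(buf, pos, what):
    if pos + 4 > len(buf):
        raise PolFormatError(f"truncated {what} at offset {pos}")
    return struct.unpack_from("<I", buf, pos)[0], pos + 4


def parse_registry_pol(buf):
    """Return a list of (key, value, type, data) tuples or raise PolFormatError."""
    if buf[:4] != SIGNATURE:
        raise PolFormatError("bad signature, file does not start with 'PReg'")
    version, pos = _read_u32(buf, 4, "version")
    if version != VERSION:
        raise PolFormatError(f"unsupported version {version}")
    entries = []
    while pos < len(buf):
        pos = _expect(buf, pos, OPEN, "'['")
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, SEP, "';' after key")
        value, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, SEP, "';' after value")
        rtype, pos = _read_u32(buf, pos, "type")
        pos = _expect(buf, pos, SEP, "';' after type")
        size, pos = _read_u32(buf, pos, "size")
        pos = _expect(buf, pos, SEP, "';' after size")
        if pos + size > len(buf):
            raise PolFormatError(f"data of {size} bytes runs past end of file")
        data, pos = buf[pos:pos + size], pos + size
        pos = _expect(buf, pos, CLOSE, "']'")
        entries.append((key, value, rtype, data))
    return entries


def check_registry_pol(buf):
    """Return (ok, detail) so a health check can log the reason for a failure."""
    try:
        entries = parse_registry_pol(buf)
    except ValueError as exc:  # PolFormatError or a UTF-16 decode error
        return False, str(exc)
    return True, f"{len(entries)} entries"


def build_entry(key, value, rtype, data):
    """Encode one entry; used only to construct the sample file below."""
    wz = lambda s: (s + "\x00").encode("utf-16-le")
    return (OPEN + wz(key) + SEP + wz(value) + SEP + struct.pack("<I", rtype) + SEP
            + struct.pack("<I", len(data)) + SEP + data + CLOSE)


# Constructed sample, not taken from a real machine.
WU_KEY = r"Software\Policies\Microsoft\Windows\WindowsUpdate"
SAMPLE = (SIGNATURE + struct.pack("<I", VERSION)
          + build_entry(WU_KEY, "WUServer", REG_SZ,
                        "http://wsus.example.test\x00".encode("utf-16-le"))
          + build_entry(WU_KEY + r"\AU", "UseWUServer", REG_DWORD, struct.pack("<I", 1)))

if __name__ == "__main__":
    print("intact   :", check_registry_pol(SAMPLE))
    print("truncated:", check_registry_pol(SAMPLE[:-5]))
    print("zeroed   :", check_registry_pol(bytes(len(SAMPLE))))
```

On a client, the same check can be pointed at a copy of C:\Windows\System32\GroupPolicy\Machine\registry.pol read in binary mode.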
Hi Shaun,
>>If a client cannot talk to a domain controller at all, admin template settings still stay in-place on the client, correct?
As far as I know, it's not this case. If a client can't communicate with domain controllers, it means that the GPOs applied to the client are out of scope. As suggested by the article I provided, for native policy, "when a Group Policy object (GPO) goes out of scope, the policy setting is removed allowing the original configuration value to be used."
>>What if a client loses network connectivity while reading Domain GPO?
Group policy gets updated when computers start up and users log on. Besides, for workstations, group policy gets refreshed in the background at a default interval of 90 minutes. As long as workstations can restore network connectivity, the group policy settings will get updated.
>>Are there any other failure cases like this where some or all Group Policy settings (admin template or other areas) would get reverted?
There are many reasons which can cause GP to malfunction. However, Windows itself provides the necessary tools for troubleshooting various issues. When GP malfunctions, we can check Event Viewer, collect the group policy result, or generate a group policy log to troubleshoot.
Best regards,
Frank Shen
Similar Messages
-
Preventing Domain Group Policy from being applied
How can a user prevent the domain group policy from being applied to his machine? And How can I stop users from doing that?
Hi,
No, group policy is processed by order, that is, local GPO is processed first, and then domain policy is processed by order, which would overwrite settings in the earlier GPOs if there is a conflict.
If you don’t want to apply the domain policy, apply a higher precedence policy or disjoin the domain.
Group Policy processing and precedence
http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx
Alex Zhao
TechNet Community Support -
Group Policy - Computer Startup Scripts - Add/Set Default printer
Good Morning.
Let's say we have 2 offices, A and B, and only 1 user. The user is using Roaming Profiles. Each office has its own printer.
What I am trying to do, is make a Startup script that is specific to the COMPUTER being logged into so when any user logs into that computer, they get the printer in that office defined and set as default.
I am able to do this successfully with my script but ONLY if i have the script be on the USER side of GP (i.e. in the Logon script section)
That is great that that is working however, when my user goes to Office B, they still get mapped to Office A's printer if I use that method.
So I figured I could just modify my GP and run the same script from the STARTUP section of the computer, rather than the LOGON section of the user. It does not work.
Here is my script:
Set WRFCUNetwork = CreateObject("Wscript.Network")
PrinterPath = "\\fileserver\MAINTELLER"
PrinterDriver = "PrinterDriver"
WRFCUNetwork.AddWindowsPrinterConnection PrinterPath, PrinterDriver
WRFCUNetwork.SetDefaultPrinter "\\fileserver\MAINTELLER"
This is where I Have the script placed:
Computer Configuration -> Windows Settings -> Scripts(Startup/Shutdown)
Once I'm in there, I double click Startup, click Add, and select my script which is named:
MainPrinterSetup.vbs
I have this GP applied to ONE OU, and that OU has ONE computer in it (my test computer)
I login with a brand new user called "testuser" (creative, huh?) and basically nothing happens
except they log in and have some Microsoft Document Image Writer printer set as default (which by the way sure does slow the PC down to the point of it almost being broke if anyone actually tries to print to that by accident)
No Main Teller Printer, no anything.
The strangest part about this is, if I apply this script to the user LOGON scripts, it works fine, the printer is there, and is set as default. (but see above why that won't work for my situation)
So obviously the script works fine, but I guess I'm missing something when it comes to applying GP's to Computers rather than Users.
Can anyone shed some light as to why the script is not running (I'm guessing the script isn't even attempting to run, rather than failing, but I have no way to know that)
Thank you in advance!!
Derek Conlon
Network Administrator
WRFCU
EDIT: Here are the PC's info that i'm working on:
Server: Windows Server 2003 Standard Edition (where my GP's are created and managed with AD)
Target PC: Windows XP Professional SP3
EDIT #2: I manually navigated to the Script file after logging in and "opened" it and it added and set the default printer no problem. The issue is definitely with the script running at startup.
I wanted to clarify a few things:
1. While it is true that printer connections are usually per user, it is definitely possible to create "global printers". There are a number of ways to do this, but two methods that come to mind are using:
a. "Rundll32 printui.dll,PrintUIEntry" option with the "/ga" switch. The "/ga" switch is the key here since it allows you to deploy printers "per machine" instead of "per user". More information about this is available at:
http://members.shaw.ca/bsanders/NetPrinterAllUsers.htm
http://technet.microsoft.com/en-us/library/ee624057%28WS.10%29.aspx
http://www.computerperformance.co.uk/Logon/logon_printer_computer.htm
http://www.robvanderwoude.com/2kprintcontrol.php
b. The Print Management console that is available in Windows 2003 R2 and higher can help you deploy printers "per machine" in addition to "per user". More information about this is available at:
http://www.czsolution.com/print-management/print-management/print-management-console.htm#DeployingPrintersByGroupPolicy
http://technet.microsoft.com/en-us/library/cc753109%28WS.10%29.aspx
2. As Guy mentioned, Group Policy Preferences can help set the default printer. But there is another way to accomplish this. The problem with the computer startup portion is that it runs before the user logs in. And applying this script in the login script section would not work per computer unless you used loopback processing. So another way to do this is to place a script that sets the default printer into the "All Users" startup folder. Items in the "All Users" startup folder run for any user that logs into the computer, but it runs in the user's context. So, this script would effectively set the default printer on a "per machine" basis. The script method is a cruder way to approach the problem, but it will help get the job done. Here are some resources on setting the default printer via script:
http://www.intelliadmin.com/index.php/2007/08/set-default-printer-from-a-script
http://www.computerperformance.co.uk/ezine/ezine17.htm -
When I close CS6 changes in settings are not saved. Reverts to default settings on reopen. Why?
Sorry Photoshop -- Problems solved -- I read the details -- turns out you need to make changes with no files open for the preferences to apply to all files.
Thanks, Al -
Hello,
In my new company, I noticed that the default domain controllers policy has been (largely) modified.
I thought it was a best practice to keep it clean (In case of restore).
So I would like to create a new GPOs for my DCs to move some of those settings out of the default domain policy.
For example, "Add workstations to domain". If I want to create a new policy for this particular setting, what kind of rules am I supposed to follow to make sure that my new setting will be applied before the default DC policy ?
Is the GPO Link order enough ?
Thank you
Hi,
Just a confirmation, did you mean that you want to overwrite some settings in the Default Domain Controllers Policy?
Within each domain, site, and OU, the Link Order controls the order in which GPOs are applied. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest Link Order is processed last, and therefore has the highest precedence. Since Default Domain Controllers Policy is linked to the Domain Controllers organizational unit, you can create a new GPO and link it to this Domain Controllers organizational unit, then control their order via Link Order.
If anything I misunderstand or any update, please feel free to let us know.
Hope this helps.
Best regards,
Justin Gu -
Domain Group Policy changes causes clients to be unable to connect to WSUS for Windows Updates
Domain Controller is Windows Server 2008 R2 64-bit, Group Policy Management version 6.0.0.1. WSUS server is Windows Server 2008 Enterprise 32-bit, Update Services version 3.2.7600.226. Client machines are Windows 7, some are 64-bit and some are 32-bit.
Every time we make any changes to any of our Group Policies most of our clients stop getting their Windows Updates from the WSUS server within 2-3 days. This occurs when we add a new policy for a group of users, temporarily disable a policy or edit a policy.
Check of the WindowsUpdate.log on affected client machines shows:
2014-06-25 13:40:44:976 760 1610 PT WARNING: GetAuthorizationCookie failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2014-06-25 13:40:44:977 760 1610 PT WARNING: Failed to initialize Simple Targeting Cookie: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 PT WARNING: PopulateAuthCookies failed: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 PT WARNING: RefreshCookie failed: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 PT WARNING: RefreshPTState failed: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 PT WARNING: PTError: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 Report WARNING: Reporter failed to upload events with hr = 80072ee2.
A further check of the log files shows:
2014-06-21 19:36:06:995 156 1b0c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <proxy server name:8080> Bypass List used : <(null)> Auth Schemes used : <>
We do not use a proxy except for Internet connections. We configure IE with a pac file. This is set through Group Policy since we restrict user accounts from being able to set it.
The clients that are connecting to the WSUS server have these entries instead:
2014-06-24 09:12:16:779 992 270 Agent Setting download properties on call A20329BC-3467-4B7E-B9F4-6AC6ACBA23E1: priority=3, interactive=1, owner is system=0, proxy settings=1, proxy session id=2
I have a routine that will fix the problem but it is time-consuming and pulls me away from other things I should be doing:
Run registry files on client machine (WindowsUpdate and AU). This is not always necessary and is already set by Group Policy and the affected clients already have the registry settings. No idea why it is necessary to do but the steps below don't always work unless it is.
net stop bits and net stop wuauserv
ipconfig /flushdns
Delete qmgr*.* files from Downloader folder
Delete Software Distribution folder
Run from command prompt:
sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
net start bits and net start wuauserv
wuauclt /resetauthorization /detectnow
Run Windows Updates again from Control Panel
This routine always fixes the problem but I've found that I must do each step to guarantee success.
How or where is the proxy setting being changed for WSUS that we see in the WindowsUpdate logs and how do I prevent this from happening? It is also curious that it happens to most but not all of the client machines. When it does happen it's not always the same client machines.
You're right - the WSUS server is on the inside and does not need a proxy server. Tried running the netsh winhttp reset proxy command but was still not able to connect to the WSUS server. After running the netsh winhttp reset proxy command received response:
Current WinHTTP proxy setting: Direct access <no proxy server>.
Ran the command at 13:49 and then tried Windows Updates again. Here's snippet from the log file:
2014-06-27 13:49:56:889 548 f6c AU Triggering AU detection through DetectNow API
2014-06-27 13:49:56:890 548 f6c AU Triggering Online detection (interactive)
2014-06-27 13:49:56:890 548 4b8 AU #############
2014-06-27 13:49:56:890 548 4b8 AU ## START ## AU: Search for updates
2014-06-27 13:49:56:890 548 4b8 AU #########
2014-06-27 13:49:56:893 548 4b8 AU <<## SUBMITTED ## AU: Search for updates [CallId = {9CE06AB2-E859-4B4D-8D1A-193AD89623C5}]
2014-06-27 13:49:56:893 548 1260 Agent *************
2014-06-27 13:49:56:893 548 1260 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
2014-06-27 13:49:56:893 548 1260 Agent *********
2014-06-27 13:49:56:893 548 1260 Agent * Online = Yes; Ignore download priority = No
2014-06-27 13:49:56:893 548 1260 Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1
or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
2014-06-27 13:49:56:893 548 1260 Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2014-06-27 13:49:56:893 548 1260 Agent * Search Scope = {Machine}
2014-06-27 13:49:56:893 548 1260 Setup Checking for agent SelfUpdate
2014-06-27 13:49:56:893 548 1260 Setup Client version: Core: 7.6.7600.256 Aux: 7.6.7600.256
2014-06-27 13:49:56:894 548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2014-06-27 13:49:56:901 548 1260 Misc Microsoft signed: Yes
2014-06-27 13:49:56:927 548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2014-06-27 13:49:56:934 548 1260 Misc Microsoft signed: Yes
2014-06-27 13:49:56:936 548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
2014-06-27 13:49:56:943 548 1260 Misc Microsoft signed: Yes
2014-06-27 13:49:56:956 548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
2014-06-27 13:49:56:962 548 1260 Misc Microsoft signed: Yes
2014-06-27 13:49:56:974 548 1260 Setup Determining whether a new setup handler needs to be downloaded
2014-06-27 13:49:56:974 548 1260 Setup SelfUpdate handler is not found. It will be downloaded
2014-06-27 13:49:56:974 548 1260 Setup Evaluating applicability of setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256"
2014-06-27 13:49:56:976 548 1260 Setup Setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
2014-06-27 13:49:56:976 548 1260 Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256"
2014-06-27 13:49:56:989 548 1260 Setup Setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
2014-06-27 13:49:56:989 548 1260 Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256"
2014-06-27 13:49:57:007 548 1260 Setup Setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
2014-06-27 13:49:57:007 548 1260 Setup SelfUpdate check completed. SelfUpdate is NOT required.
2014-06-27 13:49:57:165 548 1260 PT +++++++++++ PT: Synchronizing server updates +++++++++++
2014-06-27 13:49:57:165 548 1260 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL =
http://(FQDN of WSUS server)/ClientWebService/client.asmx
2014-06-27 13:49:57:175 548 1260 PT WARNING: Cached cookie has expired or new PID is available
2014-06-27 13:49:57:175 548 1260 PT Initializing simple targeting cookie, clientId = 6be4a1ae-3313-4855-bdb1-57e3312f03ec, target group = AGENCIES, DNS name = dpk2.clear-rcic.rcc.org
2014-06-27 13:49:57:175 548 1260 PT Server URL =
http://(FQDN of WSUS server)/SimpleAuthWebService/SimpleAuth.asmx
2014-06-27 13:50:57:280 548 1260 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(proxy server):8080> Bypass List used : <(null)> Auth Schemes used : <>
2014-06-27 13:50:57:281 548 1260 PT + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
2014-06-27 13:50:57:281 548 1260 PT + Caller provided proxy = No
2014-06-27 13:50:57:281 548 1260 PT + Proxy list used = webgate.rcc.org:8080
2014-06-27 13:50:57:281 548 1260 PT + Bypass list used = <NULL>
2014-06-27 13:50:57:281 548 1260 PT + Caller provided credentials = No
2014-06-27 13:50:57:281 548 1260 PT + Impersonate flags = 0
2014-06-27 13:50:57:281 548 1260 PT + Possible authorization schemes used =
2014-06-27 13:50:57:281 548 1260 PT WARNING: GetAuthorizationCookie failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2014-06-27 13:50:57:281 548 1260 PT WARNING: Failed to initialize Simple Targeting Cookie: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: PopulateAuthCookies failed: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: RefreshCookie failed: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: RefreshPTState failed: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: Sync of Updates: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: SyncServerUpdatesInternal failed: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 Agent * WARNING: Failed to synchronize, error = 0x80072EE2
2014-06-27 13:50:57:282 548 1260 Agent * WARNING: Exit code = 0x80072EE2
2014-06-27 13:50:57:282 548 1260 Agent *********
2014-06-27 13:50:57:282 548 1260 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates]
2014-06-27 13:50:57:282 548 1260 Agent *************
2014-06-27 13:50:57:282 548 1260 Agent WARNING: WU client failed Searching for update with error 0x80072ee2
2014-06-27 13:50:57:302 548 e04 AU >>## RESUMED ## AU: Search for updates [CallId = {9CE06AB2-E859-4B4D-8D1A-193AD89623C5}]
2014-06-27 13:50:57:302 548 e04 AU # WARNING: Search callback failed, result = 0x80072EE2
2014-06-27 13:50:57:302 548 e04 AU # WARNING: Failed to find updates with error code 80072EE2
2014-06-27 13:50:57:302 548 e04 AU #########
2014-06-27 13:50:57:302 548 e04 AU ## END ## AU: Search for updates [CallId = {9CE06AB2-E859-4B4D-8D1A-193AD89623C5}]
2014-06-27 13:50:57:302 548 e04 AU #############
2014-06-27 13:50:57:303 548 e04 AU Successfully wrote event for AU health state:0
2014-06-27 13:50:57:303 548 e04 AU AU setting next detection timeout to 2014-06-27 22:50:57
2014-06-27 13:50:57:304 548 e04 AU Setting AU scheduled install time to 2014-06-28 05:00:00
2014-06-27 13:50:57:304 548 e04 AU Successfully wrote event for AU health state:0
2014-06-27 13:50:57:305 548 e04 AU Successfully wrote event for AU health state:0
2014-06-27 13:51:02:285 548 1260 Report REPORT EVENT: {BD25B39C-6570-454C-A046-AF3AF2DEBDD4} 2014-06-27 13:50:57:282-0400 1 148 101 {00000000-0000-0000-0000-000000000000} 0 80072ee2 AutomaticUpdates Failure Software
Synchronization Windows Update Client failed to detect with error 0x80072ee2.
2014-06-27 13:51:02:295 548 1260 Report CWERReporter::HandleEvents - WER report upload completed with status 0x8
2014-06-27 13:51:02:295 548 1260 Report WER Report sent: 7.6.7600.256 0x80072ee2 00000000-0000-0000-0000-000000000000 Scan 101 Managed
2014-06-27 13:51:02:295 548 1260 Report CWERReporter finishing event handling. (00000000)
2014-06-27 13:51:48:184 548 4b8 AU ########### AU: Uninitializing Automatic Updates ###########
2014-06-27 13:51:48:187 548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
2014-06-27 13:51:48:187 548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
2014-06-27 13:51:48:187 548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
2014-06-27 13:51:48:187 548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
2014-06-27 13:51:48:187 548 4b8 Report CWERReporter finishing event handling. (00000000)
2014-06-27 13:51:48:252 548 4b8 Service *********
2014-06-27 13:51:48:252 548 4b8 Service ** END ** Service: Service exit [Exit code = 0x240001]
2014-06-27 13:51:48:252 548 4b8 Service *************
2014-06-27 13:51:53:002 548 160c Misc =========== Logging initialized (build: 7.6.7600.256, tz: -0400) ===========
2014-06-27 13:51:53:002 548 160c Misc = Process: C:\Windows\system32\svchost.exe
2014-06-27 13:51:53:002 548 160c Misc = Module: c:\windows\system32\wuaueng.dll
Ran a batch file which resets the AU and WindowsUpdate registry keys and then runs the steps listed above:
regedit /s C:\WindowsUpdate.reg
regedit /s C:\AU.reg
net stop bits
net stop wuauserv
Ipconfig /flushdns
del C:\ProgramData\Microsoft\Network\Downloader\qmgr*.*
del /F /Q C:\Windows\SoftwareDistribution\*.*
sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
net start bits
net start wuauserv
wuauclt /resetauthorization /detectnow
After this runs, am able to connect to WSUS server for updates. I mentioned Group Policy changes because this only breaks after the Group Policy changes. It doesn't affect every client machine but most of them. Was wondering how the proxy gets reset from
none to the proxy server for Windows Updates? -
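An added example, not part of the original thread: a parser for WindowsUpdate.log text in the format quoted above that pairs each "SendRequest failed" line with the WSUS "Server URL" last seen on the same thread and reports whether the request went through a proxy. The function names, the sample lines and the hosts wsus.example.test and proxy.example.test are constructed for illustration, and the parser assumes each "Server URL = ..." entry sits on one line as it does in the log file itself.

```python
import re
from fnmatch import fnmatch
from urllib.parse import urlsplit

# date  time  pid  tid  component  message
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}:\d{3})\s+(\d+)\s+"
                  r"([0-9a-fA-F]+)\s+(\S+)\s+(.*)$")
SERVER_URL = re.compile(r"Server URL = (\S+)")
SEND_FAIL = re.compile(r"SendRequest failed with hr = ([0-9a-fA-F]+)\.\s*"
                       r"Proxy List used: <(.*?)>\s*"
                       r"Bypass List used : <(.*?)>\s*Auth Schemes")
NONE_VALUES = ("", "(null)")


def decode_hresult(hr):
    """Split an HRESULT into (failed, facility, code). Facility 7 wraps a Win32 error."""
    return bool(hr & 0x80000000), (hr >> 16) & 0x1FFF, hr & 0xFFFF


def host_in_bypass(host, bypass):
    """True if host matches a ';'-separated bypass list with '*' wildcards."""
    patterns = [p for p in re.split(r"[;\s]+", bypass) if p not in NONE_VALUES]
    return bool(host) and any(fnmatch(host, p.lower()) for p in patterns)


def find_send_failures(log_text):
    """Return one finding per failed SendRequest, tied to the WSUS URL in use."""
    last_url = {}  # (pid, tid) -> most recent "Server URL" seen on that thread
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, pid, tid, _component, msg = m.groups()
        url = SERVER_URL.search(msg)
        if url:
            last_url[(pid, tid)] = url.group(1)
            continue
        fail = SEND_FAIL.search(msg)
        if not fail:
            continue
        _failed, facility, code = decode_hresult(int(fail.group(1), 16))
        proxy, bypass = fail.group(2), fail.group(3)
        host = urlsplit(last_url.get((pid, tid), "")).hostname
        via_proxy = proxy not in NONE_VALUES
        findings.append({
            "time": stamp,
            "wsus_host": host,
            "proxy": proxy if via_proxy else None,
            "via_proxy": via_proxy,
            # Internal WSUS traffic sent to a proxy with no matching bypass entry.
            "suspect": via_proxy and not host_in_bypass(host, bypass),
            "win32_code": code if facility == 7 else None,
        })
    return findings


# Constructed sample lines in the same layout as the log excerpts on this page.
SAMPLE_LOG = """\
2014-07-01 09:00:01:175 548 1260 PT Server URL = http://wsus.example.test/SimpleAuthWebService/SimpleAuth.asmx
2014-07-01 09:01:01:280 548 1260 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <proxy.example.test:8080> Bypass List used : <(null)> Auth Schemes used : <>
2014-07-01 09:01:01:281 548 1260 PT WARNING: GetAuthorizationCookie failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2014-07-01 09:20:02:100 548 1a2c PT Server URL = http://wsus.example.test/ClientWebService/client.asmx
2014-07-01 09:20:03:100 548 1a2c Misc WARNING: SendRequest failed with hr = 80072efd. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
"""

if __name__ == "__main__":
    for f in find_send_failures(SAMPLE_LOG):
        print(f)
```

For 80072ee2 the decoded Win32 code is 12002, the WinINet/WinHTTP timeout error, which is consistent with a client waiting on a proxy that cannot reach an internal server.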
Mail for exchange and domain group policy removing...
Hi,
I currently administer 2 domains, both server 2003 with exchange 2003. On the one domain I can configure any of our e series ( e51/e71/e72/e6) via MFE and permanently accept the untrusted SSL certificate. When I configure MFE to our other domain the option to accept the untrusted certificate has vanished..!
Anyone have any ideas? I'm sure that it's a group policy setting but I cannot spot it!
turbominor wrote:
No certificates have been generated bar the ones that exchange installed by default
Hmm, I don't recall ever realizing that. Lol. In that case, what are you using as a root certificate? Nothing...which explains why the cert is untrusted? (As connections to your first Exchange server work normally, apparently you don't need a root cert for a secure connection?) I used to get mine from http://www.cacert.org/ and installed the root cert either manually or through a device management server.
I wasn't completely sure where I was going with my question, but just did a few web searches. Apparently Symbian phones don't like installing self-signed certificates. "Accepting a certificate permanently" does install the cert, although I'm not sure that's quite the same thing. You might skim http://discussions.nokia.com/t5/Eseries-and-Communicators/E72-Email-Accept-Certificate-Permanently/m... in case any of that is relevant. -
ITunes won't work because of domain group policy
Hi my work just implemented a really stupid group policy through our domain that disallows any file named iTunes.exe to run. The good news is I can rename iTunes.exe and get iTunes to work. The bad news is once I rename iTunes.exe the iPod service is unable to start. The iPod service I assume is what automatically launches iTunes when you plug in your iPod. Does anyone know of a way to let the iPod service and any other file that depends on iTunes.exe that I have renamed it?
I don't have a solution for you, but as a system administrator I feel I must comment.
I don't know about where you work -- but at my job, deliberate circumvention of policy is "abuse" and is considered grounds for termination. The computer you use at work is not yours; it belongs to the company you work for.
If you have a problem with the policy you should take it up with the administrators or your management -- not try to circumvent it. Perhaps the policy is based on a misunderstanding that you could clear up! You (your computer, really) might even be granted an exception to the policy. -
How to implement " log on locally" via Domain Group Policy
Hello,
Thanks for always being very helpful.
My Goal:
I want to restrict one domain user to login to one computer only (admin/root users to login to every computer).
I searched and I believe there is no such direct way to implement via the group policy unless I may add one GPO per user to implement "log on locally" from the group policy.
Do you have some VB script or other good way so I should not login to each computer one by one and edit the policy manually.
Thanks in advance.
Muhammad Asif Server Administrator Linux/Windows
I am sorry if I wasn't clear, I am managing about 250 users and want to accomplish this from some centralized location. I don't want to go to every machine and apply the changes.
I want to let one domain user to login to one system only.
I have the list of computer name VS username, and I want to apply from centralized location without login to each computer one by one.
Thanks a lot for the assistance.
Muhammad Asif Server Administrator Linux/Windows
The solution can only be applied once at the DC with ADUC or with Set-ADUSer as I posted. It only needs to be run once from one DC.
¯\_(ツ)_/¯ -
Group Policy For 2008 Terminal Server Users Default Open With Not Working
I'm trying to change the default open with behavior for jpg files on my terminal server. I created a Group Policy that changed it to MS Paint to Office 2010 Picture Manager. The policy appears to apply correctly but jpg files still open in
Paint. When a user is logged on, if they look at the properties of a jpg, it shows Photo Gallery as the program to open it but when opened, it opens in Paint.
Has anyone seen this behavior before?
Orange County District Attorney
> did. It would be helpful to know where the changes actually go in the
> registry to see if they did or not.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Martin
How about reading a GOOD book about GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Group Policy for Desktop background applied but showing black desktop in the client end
Trying to set wallpaper in group policy but it's coming up blank. We have Windows 2008 and 2012 servers. Most of the computers are Windows 7.
Hi,
Does this issue occur to all computers?
Besides, can the users access the wallpaper?
If this issue just happens to Windows 7, we can try applying the hotfix in the following article.
The "Desktop Wallpaper" Group Policy setting is not applied in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/kb/977944/en-us
If the issue persists, we can refer to the following thread to troubleshoot the problem.
Black Desktop wall paper after implementing group policy
http://social.technet.microsoft.com/Forums/windowsserver/en-US/0c36d7bf-4694-46e1-b408-d644111c0264/black-desktop-wall-paper-after-implementing-group-policy?forum=winserverGP
Best regards,
Frank Shen -
How do I change the default settings in a printer's Default Settings Preset?
I am running Mavericks, printing to an HP LaserJet 4050N via IP. [The following behavior takes place whether the printer's internal settings are set to Duplex Printing is On or is Off.]
I would like to set the default to print duplex, whether I am in an application or 'drag and drop' a file onto the printer icon (which temporarily opens the application, prints the document, and quits).
I do not seem to be able to modify the "Default Settings" Preset to specify duplex printing. However, I have been able to create a new "Default Settings-1" Preset that specifies duplex printing. By selecting the "Default Settings-1" Preset, in any application, I get duplex printing without any problem.
First -- problem:
If I drag-and-drop a file -- e.g., .pdf or .docx -- onto the printer icon, it opens the application and uses the "Default Settings" Preset -- not the "Default Settings-1" Preset -- and prints single-sided. How do I get drag and drop to use the "Default Settings-1" Preset to get duplex printing?
Second -- issue:
Bizarrely, if I am in an application, select "Show Presets", select "Default Settings-1" and click on "Layout", it sometimes shows that "Two-Sided" printing is "Off" and sometimes that it is set to "Long-Edge Binding" -- but that seems to have no deleterious effect on duplex printing!
Any suggestions / explanations for my problem / issue?
Thanks much,
Avi
Other than using the CUPS interface, http://127.0.0.1:631, which it sounds like you've done, I don't think there is a way to edit the Default Settings. The standard approach is to create a preset, the solution you've found.
For drag and drop printing, you should be able to get to the print dialog and select your preset or turn duplex on by holding the option key down, selecting the file, then doing the drag and drop (either to a printer or to an open printer proxy application).
I realize this isn't a solution, but I hope it's helpful. -
My Safari settings won't reflect search engine default settings?
Hi,
A 'Search Nation' toolbar got downloaded on my Macbook by some mistake, and now it has become my default browser search engine. Even after changing the Preferences for Safari, it won't change back to Google. I have removed all 'Search Nation' software, but there is no way to uninstall it. My Search default settings won't go back to normal. Please help.
Try my suggestion here > How do I uninstall the Nation search tool bar?
-
Shutdown workstations inactivity from domain group policy
I need to find a way to have workstations shut down after the user has walked away or has been inactive
meaning no keyboard, or mouse activity. Need to have the machines shut down. I have Active Directory on Windows 2003 server R2 Standard Edition SP 2. If I can have this done by active directory I would like to know how.
If it is not possible to do so with Active Directory I would like to know of any other suggestions to do this.
I have some questions:
1. What research have you done on your own so far? (If you haven't researched it on your own, why haven't you done so, before asking?)
2. Is this a scripting question? (If so, please post the script and tell what errors, if any, you are getting.)
-- Bill Stewart [Bill_Stewart] -
Why doesn't deleting my LR plist preference revert to default settings?
I removed the original file from the Preferences folder and restarted LR. When I have done this in the past LR does not give me a catalog listing and when LR opens, the panels are all in default mode. This time I see my usual catalog list, and all of the panels are as I set them. I checked the Preferences folder, and a new plist file has been created. What am I missing. I am having problems with the program, and wanted to reset the preferences in case the file was corrupted.
What version of LR are you using, and have you recently upgraded from an earlier version? If so, which version?