Configure Firefox via GPO

Hi, I'm trying to find a way to update Firefox's settings, particularly "network.automatic-ntlm-auth.trusted-uris", via GPO. Any help will be greatly appreciated.

You can receive help for deploying Firefox at https://www.mozilla.org/en-US/firefox/organizations/

Similar Messages

Configuring Services via GPO

Is it possible to configure a service via a GPO if the service is not installed or running on the same server as Group Policy Manager?

> As far as I know, we need to install group policy management feature on
> the application server to do this
No, you don't. Configure a dummy service. Then simply dig into the
sysvol folder of your GPO, find gpttmpl.inf and open it up in notepad.
Replace the dummy service name with your "real" service name and you're
done.
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))

Deploying Adobe Creative Cloud via GPO

A few months ago my long and lasting journey with Adobe CC started and I was pretty eager to deploy the software in our enterprise. As it comes out, with a little help from Adobe, that just made me crazy and a few pretty pointless and sensless tests I finally managed it somehow to get Adobe CC deployment via GPO. None of our users have local admin rights due to restrictive policy in our enterprise. All testing and configuration was made on Windows 7 Enterprise (x86 and x64) machines.
As we don't use SCCM in our environment it was critical to use "simple" GPO rollout for software. As there are MSI's with all the packages I started my journey...
To start it all of:
As it seems, you cannot buy licenses any more permanent and you can buy them via subscription. OK, that's one way to go and since we need all these products in future we went in evaluating it. Since we cannot buy licenses in a big order like adobe wants us to we were only left to buy the creative cloud for teams and not for enterprise. Still, this was fine to, since adobe offered the cloud packager and a lot of documentation, i thought at least.
To test and make sure that we can deploy all of the wanted features of creative cloud we bought 2 licenses for the IT-staff. During testing, late semptember/october 2014, with the cloud packager in version 1.6 I was able to deploy the packages and software as we wanted. Just as information, we wanted our users to have Bridge, Photoshop, InDesign, Illustrator, Dreamveawer, Prelude and the most important thing, we did NOT want the creative cloud desktop application due to company restrictions. Well as mentioned before everything worked as charm and I was just happy to start ordering the licenses for all of our users and get things done
Well, as a lot surely know, the process of ordering the licenses and getting things rolling in a enterprise sometimes takes a little (more) time. After about one or two months later everything was ready and set and I was feeling like this is going to be a piece of cake. Make new packages with the cloud packager, create the gpo's, test the deployment, invite the users and I'm the king of the jungle.
That was what I thought...
Adobe was so nice to release the newer and more improved version (I think 1.7 or 1.8) of the cloud packager, that suddenly hasn't been able to deactivate the creative cloud desktop application. Well, not a problem I thought to myself, I'll just uninstall it later on and it's fine. Since there are about 20 users that were getting the software it would be a not so nice job, but once done it's done and it shouldn't happen again.
Then i was hit by Adobe with a colossal fist right in the face! Why are you asking? Well as I mentioned above, the deployment via GPO worked fine and now? Not anymore, since the exception deployer couldn't install the applications it just broke everything and didn't even try to install the other applications that don't need the exception deployer. After a few e-mails and further testing, run as local admin, run installation after being copied to local, I lost fate that this is ever going to work.
Adobe gave me the best help they could and I even had a deployment expert in on a web session and he gave me a short commandlet (exception deployer) and said that it has to work this way but surprise, it didn't. As I was getting more and more frustrated by this situation and the exception deployer I started to shrink down the packages as much as possible so that there are no applications that needed to be deployed with the exception deployer. I run tests and guess what? It worked! Man, was I happy that after almost a month things started getting in the right shape. As I couldn't sleep because of this mess I started testing the applications that Adobe techs said needed the exception deployer. I created a new package just for Lightroom 5 (yeah, I know there is a newer version out now, but not at that moment) and saw that it landed in this exception folder that is made during packaging with the cloud packager. I was just curious to test it and made a new GPO for just Lightroom, as a MSI was also within the package I figured, why not give it a try? It worked again!?! I was pretty surprised due to the information that it shouldn't be working, as Adobe techs stated.
The simpler problem was the creative cloud desktop application. After having the Adobe techs in on a websession they stated, that it should work if I choose enterprise licensing to get rid of this software. But due to Adobe's updating policy of the creative cloud packager, there has been a newer version released (1.9) that opted out this feature to deactivate the installation of the creative cloud desktop application. I thought myself, why? Just please tell us why Adobe do we need this? But OK, there was also a solutions for this problem, the adobe creative cloud cleaning tool. If you create and XML file that is being read from the cleaning tool you can run this and "almost silently" uninstall the software via GPO. I gave it a shot and it works like a charm.
To be honest I thought, that Adobe due to it's status as THE software company when it comes to creating/editing multimedia content they would know about the problems some of their customers across the globe could be having. As it seems, they don't care enough or haven't ever had somebody with a similar problem(what I cannot believe, but all right) to share some more detailed information about a case like this.
I know, why have we bought it, if we don't need any cloud space? Well it's simple, Adobe creative products are needed and the CS6 products won't be here forever so it's better to start sooner than later with migration to a newer release. Still I was hoping to get more help from Adobe....
Just to share the packages with you:
"Complete 32Bit" package includes: Audition CS6+Updates, Bridge CC, Dreamweaver CC 2014.1, Edge Animate CC 2014, Fireworks CS6, Illustrator CC 2014, Incopy CC 2014, InDesign CC 2014, Photoshop CC 2014, Prelude CS6
"Complete 64Bit" package includes: Audition CS6+Updates, Bridge CC, Dreamweaver CC 2014.1, Edge Animate CC 2014, Fireworks CS6, Illustrator CC 2014, Incopy CC 2014, InDesign CC 2014, Photoshop CC 2014, Prelude CS6, Premiere Pro CC 2014, SpeedGrade CC 2014
"InDesign 32Bit" package includes: InDesign CC 2014
"InDesign 64Bit" package includes: InDesign CC 2014
"Lightroom 5 32Bit" package: Lightroom 5
"Lightroom 5 64Bit" package: Lightroom 5
None of these packages needed the exception deployer to be run. It was all tested on different (also different machine specs) 32bit and 64bit machines. The OS was always Windows 7 Enterprise.
To uninstall the creative cloud desktop application i wrote a batch file:
@ECHO OFF
IF EXIST C:\log_adobe_cc_cleaner\*.* EXIT ## checks if this folder is existent. If not it continues. If there is the folder it stops and won't run again ##
mkdir C:\temp_adobe_cc_cleaner ## creates a temp folder, as the uinstall tool can only be run locally ##
xcopy \\your_server\your_share$\adobecc\adobecc-cleaner\*.* C:\temp_adobe_cc_cleaner\*.* /Y ## copies the complete content of the folder to the newly created local folder ##
call "C:\temp_adobe_cc_cleaner\AdobeCreativeCloudCleanerTool.exe" --cleanupXML=C:\temp_adobe_cc_cleaner\cleanup_desktop_app.xml
xcopy "%Temp%\Adobe Creative Cloud Cleaner Tool.log" "C:\log_adobe_cc_cleaner\*.*" /Y ## copies the log file to folder, creates the folder itself ##
rmdir /q /s "C:\temp_adobe_cc_cleaner" ## removes the adobe creative cloud unintaller from local machine, leaves the log file folder for further check if the creative cloud uninstall tool needs to be rerun ##
The XML file has following written:
<?xml version="1.0" encoding="UTF-8"?>
<Products>
<Properties>
<Property name="eulaAccepted">1</Property>

</Properties>
<CreativeCloud>
<Product productName="Adobe Creative Cloud" version="2.0"/>

</CreativeCloud>
<AdobeIdCredentials>

</AdobeIdCredentials>
</Products>
Updating of the Adobe products is done with Secunia CSI in our enterprise, but there is also the posibility to remotely run the updatemanager.exe or via logon/logoff script.
What I also found out, was the dependency of vcredist for adobe products. You need the 2010, 2012 of them and most importantly in the x86 and x64 version! In case you get a .DLL missing error.
I hope this here helps someone who has lost a lot of nerves and a lot of time due to the deployment of Adobe creative cloud applications. I stil hope that there is going to be a better and easier way to deploy this.
Excuse me for the bad english, good luck with your deployment and maybe we can get Adobe a bit smarter from our all experience to make us a good deployment method.
Toni

Slim.nl is an indirect seller of Adobe products whose policies are not known to us. In our server we do not see any purchase from Adobe.com.
Please try to purchase from https://store2.adobe.com/cfusion/store/html/index.cfm?store=OLS-NL&event=displayProduct&ca tegoryPath=/Applications/AcrobatProX
You do have an Adobe ID with the Email provided here.
Regards
Rajshree

How to configure Firefox to use OpenVPN?

summary: I'm running OpenVPN from a Debian client through a Debian jumpbox/server. After I [start the server, start the client] most IP-based applications (DNS, ping, ssh) seem to work from the client, but client's Firefox cannot connect to http://www.whatismyip.com/ (or any other URI). How to configure Firefox to use the VPN? or otherwise fix the problem? or further debug it?
details:
I have a laptop running debian_version==jessie/sid with Firefox version=33.0 which needs to access a compute cluster. The cluster formerly required only an SSL VPN (enabled by a Firefox plugin) to access, but now has several additional requirements, which I seek to satisfy by running the SSL VPN through a jumpbox running an OpenVPN server. The jumpbox is running a "vanilla" Debian 7.7.
I have been using the laptop successfully for a few years without network problems. Currently I have the laptop connected by wire directly to an ISP-supplied modem/router. With `openvpn` NOT running on the laptop, I see:
* `ifconfig` shows no entry='tun0' (just "the usual" entries for 'eth0', 'lo', 'wlan0'), and shows the expected client IP# bound to 'eth0'.
* I can `ping` my jumpbox/server using its real IP#, but cannot `ping 10.8.0.1`
* I can `ssh` to my jumpbox/server using its real IP#, but cannot `ssh 10.8.0.1`
* `nslookup www.whatismyip.com` gives correct results
* browsing to http://www.whatismyip.com/ shows my client's IP# (as also shown in `ifconfig`)
Both my client/laptop and server/jumpbox setups are quite generic OpenVPN-wise, and are almost exactly as described on the Debian wiki
https://wiki.debian.org/openvpn%20for%20server%20and%20client
me@jumpbox:~$ date ; cat /etc/openvpn/server.conf
Sat Nov 8 16:49:00 EST 2014
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8" # google public DNS
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
me@laptop:~$ date ; cat /etc/openvpn/client1.conf
Sat Nov 8 16:51:31 EST 2014
client
dev tun
proto udp
remote ser.ver.IP.num 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
mute-replay-warnings
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client1.crt
key /etc/openvpn/client1.key
ns-cert-type server
comp-lzo
verb 3
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
My jumpbox/server firewall is currently set to forward everything, using `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`:
me@jumpbox:~$ date ; sudo iptables -L
Sat Nov 8 16:42:06 EST 2014
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
After I start `openvpn` on first the server and then the client, I see no OpenVPN errors on either the server or the client:
me@jumpbox:~$ sudo openvpn --script-security 2 --config /etc/openvpn/server.conf &
Sat Nov 8 17:48:25 2014 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 18 2013
Sat Nov 8 17:48:25 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Nov 8 17:48:25 2014 Diffie-Hellman initialized with 1024 bit key
Sat Nov 8 17:48:25 2014 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Nov 8 17:48:25 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
Sat Nov 8 17:48:25 2014 ROUTE default_gateway=ser.ver.gate.way
Sat Nov 8 17:48:25 2014 TUN/TAP device tun0 opened
Sat Nov 8 17:48:25 2014 TUN/TAP TX queue length set to 100
Sat Nov 8 17:48:25 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Nov 8 17:48:25 2014 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sat Nov 8 17:48:25 2014 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sat Nov 8 17:48:25 2014 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Nov 8 17:48:25 2014 GID set to nogroup
Sat Nov 8 17:48:25 2014 UID set to nobody
Sat Nov 8 17:48:25 2014 UDPv4 link local (bound): [undef]
Sat Nov 8 17:48:25 2014 UDPv4 link remote: [undef]
Sat Nov 8 17:48:25 2014 MULTI: multi_init called, r=256 v=256
Sat Nov 8 17:48:25 2014 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sat Nov 8 17:48:25 2014 ifconfig_pool_read(), in='TomRoche,10.8.0.4', TODO: IPv6
Sat Nov 8 17:48:25 2014 succeeded -> ifconfig_pool_set()
Sat Nov 8 17:48:25 2014 IFCONFIG POOL LIST
Sat Nov 8 17:48:25 2014 TomRoche,10.8.0.4
Sat Nov 8 17:48:25 2014 Initialization Sequence Completed
me@laptop:~$ sudo openvpn --script-security 2 --config /etc/openvpn/client1.conf &
Sat Nov 8 17:49:12 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Nov 8 17:49:12 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
Sat Nov 8 17:49:12 2014 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sat Nov 8 17:49:12 2014 UDPv4 link local: [undef]
Sat Nov 8 17:49:12 2014 UDPv4 link remote: [AF_INET]jump.box.IP.num:1194
Sat Nov 8 17:49:12 2014 TLS: Initial packet from [AF_INET]jump.box.IP.num:1194, sid=25df7af6 0ece4089
Sat Nov 8 17:49:13 2014 VERIFY OK: depth=1, <my config data/>
Sat Nov 8 17:49:13 2014 VERIFY OK: nsCertType=SERVER
Sat Nov 8 17:49:13 2014 VERIFY OK: depth=0, <my config data/>
Sat Nov 8 17:49:14 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 8 17:49:14 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 8 17:49:14 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 8 17:49:14 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 8 17:49:14 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Nov 8 17:49:14 2014 [TomRoche] Peer Connection Initiated with [AF_INET]jump.box.IP.num:1194
Sat Nov 8 17:49:16 2014 SENT CONTROL [TomRoche]: 'PUSH_REQUEST' (status=1)
Sat Nov 8 17:49:16 2014 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Sat Nov 8 17:49:16 2014 OPTIONS IMPORT: timers and/or timeouts modified
Sat Nov 8 17:49:16 2014 OPTIONS IMPORT: --ifconfig/up options modified
Sat Nov 8 17:49:16 2014 OPTIONS IMPORT: route options modified
Sat Nov 8 17:49:16 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Nov 8 17:49:16 2014 ROUTE_GATEWAY lap.top.gate.way/255.255.255.0 IFACE=eth0 HWADDR=la:pt:op:MAC:ad:dr
Sat Nov 8 17:49:16 2014 TUN/TAP device tun0 opened
Sat Nov 8 17:49:16 2014 TUN/TAP TX queue length set to 100
Sat Nov 8 17:49:16 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Nov 8 17:49:16 2014 /sbin/ip link set dev tun0 up mtu 1500
Sat Nov 8 17:49:16 2014 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Sat Nov 8 17:49:16 2014 /etc/openvpn/update-resolv-conf tun0 1500 1542 10.8.0.6 10.8.0.5 init
dhcp-option DNS 8.8.8.8
Sat Nov 8 17:49:16 2014 /sbin/ip route add lap.top.IP.num/32 via lap.top.gate.way
Sat Nov 8 17:49:16 2014 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Sat Nov 8 17:49:16 2014 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Sat Nov 8 17:49:16 2014 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Sat Nov 8 17:49:16 2014 GID set to nogroup
Sat Nov 8 17:49:16 2014 UID set to nobody
Sat Nov 8 17:49:16 2014 Initialization Sequence Completed
I then see the following on my client:
* `ifconfig` shows a new entry=`tun0`, which looks correct
* I can `ping` the server using either its real IP# or `10.8.0.1`
* I can `ssh` to the server using either its real IP# or `10.8.0.1`
* `nslookup www.whatismyip.com` gives correct results
... but I get no connection if I open a new instance of Firefox and browse to http://www.whatismyip.com/ :-( "Looking up www.whatismyip.com..." succeeds quickly but the status line continues to display "Connecting to www.whatismyip.com..." until the attempt times out. I also get the same behavior (connection timeout) if I open a new instance of Chrome, or if I browse to http://www.whatismyip.com/ with a Firefox opened prior to starting OpenVPN. FWIW I get the same behavior browsing to any URI, including (e.g.) Google.
This is a major problem for me! For the SSL VPN to work, I need to start a Firefox and run it (since the SSL VPN's vendor only supports it on Linux via a Firefox plugin) to access a particular remote-access website. Furthermore I need the SSL VPN to run through the jumpbox/OpenVPN. (Don't ask, it's a long, sad story ...)
Is there something I must do to configure Firefox to use the VPN? Or is there some other way to fix this?
Alternatively, what should I do to further debug the problem? It just seems odd to me that the other services work (e.g., `nslookup`, `ssh`) but Firefox does not. That being said, both Firefox and Chrome fail in this usecase, so the problem might be generic to web browsers.
your assistance is appreciated, Tom Roche <[email protected]>

You're kidding. You have to go through that rigamarole just to put your bookmarks on your own server? Where's the simple FTP option?
Also, the above-linked article has a broken link. The link to the weaveserver (which is what you have to set up on your own server) is no good, and there is no obvious replacement. There are plenty of Weave-related repositories here:
http://hg.mozilla.org/labs
but it's not clear what you need.

Installing Flash Player 11.8.800.94 via GPO not working properly

Hello,
i've installed Flash Player 11.8.800.94 via GPO.
Installation works fine, but there is no flash player available in Firefox or Internet Explorer.
Deployed both Flash Players.
Tried to reinstall Flash Player 11.8.800.94 for Firefox, but it's still not active.
Windows 7, 64bit
Greetings,
Michael

Hello Comvel.
RE:
Hello,
i haven't fixed it yet.
I've deployed the last few version of flash player without any problems.
I haven't found any new things in the admin guide.
The plugins don't show up in both browsers. I can't enable them.
On the most importent clients, i've installed flash player manually.
I know it has been a few months since your post but, I was wonderingif you were able to find a solution for this that didn't involve manual installations. I've recently deployed 11.8.800.175 and am running into the same problems. Some work stations are just fine. But others, (both windows 7 and xp, all IE8) are not working. When navigating to a site like youtube, theres a banner that says update is needed. When you go to manage add-ons there is no shock object/add on.

Granting privileges to logoff other TS users via GPO

Hi,
My client has asked me to grant a group of people (non admins) the rights to logoff other people's TS sessions on several servers.
I've seen some answers to this question, but usually focused on a single server topology kind of thing.
As I'm not a very experienced admin, I'd like to know if there's some sort of way to implement it via GPO so that I can deploy it on a more system-wide / OU fashion. As there is seemingly no prebuilt administrative template for this and no way that I can
find to edit RDP-Tcp or manage permissions for TS on gpedit, I'm trying to find some help with this issue.
Thanks in advance,
J

Hi Johnny,
You may use the WMI script in following threads, then configure it as startup script:
RDS 2012 Configure Permissions for Remote Desktop Services Connections
https://social.technet.microsoft.com/Forums/en-US/0d119172-1100-4f9d-accd-e2504e5f4908/rds-2012-configure-permissions-for-remote-desktop-services-connections?forum=winserverTS
Customizing RDS permissions with GPO or scripts - is it possible
https://social.technet.microsoft.com/Forums/windowsserver/en-US/e9ebd85b-841d-4c62-8a25-05977d9ba1e0/customizing-rds-permissions-with-gpo-or-scripts-is-it-possible?forum=winserverTS
Assign Computer Startup Scripts
https://technet.microsoft.com/en-us/library/cc770556.aspx
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

Changing default picture viewer via GPO without changing image type and icon (Windows 7)

Hello,
I am trying to change the default picture viewer for some file extensions (.bmp, .jpeg, .png and .tiff). Actually Windows Photo Viewer is the default viewer and we need to replace it with Microsoft Office Picture Manager.
I managed to do that change via GPO using the 'open with' preference under User Configuration\ Preferences\Control Panel Settings\Folder Options. So now the files are opened with Microsoft Office Picture Manager (office 2010). The problem is that the image
type became 'OIS.EXE' for all the specified file extensions. Moreover the icon is now the same (Microsoft Office 2010).
When I change manually the associated program for a file extension, the icon change but no the image type... this is different using GPO.
Is there a solution in order to change the default program but keeping the image type and associated icon ?
I tried to do that modification using the 'new file type' preference under Computer Configuration\Preferences\Control Panel Settings\Folder Options. I specified the 'open' action for OIS.exe, selected file extension BMP with associated class 'Bitmap Image'.
It solves the problem for image type, Microsoft Office Picture Manager opens the files ... but I have to specify the icon file path and icon index and I don't know where I can find the default icons for the file extensions ...
What is the best solution ? Am I right ? Am I doing something wrong ?
Thank you in advance !

Hello,
thank you very much for your answers.
For the rollback, I will reimport the original/default keys for all the image types, this should be ok.
Here are the problems I have trying to pu Microsoft Office Picture Manager as default picture viewer (I just want .bmp, .jpg ... files to be opened with Microsoft Office Picture Manager by default).
1 Using new file type under Computer Configuration\Preferences\Control Panel Settings\folder options. : I define a new file type (BMP for example), associated class Bitmap Image, I configure the icon (imageres.dll,65) and an open action where OIS.EXE
is the application used to perform the action.
Result : Icon is correct, file type is correct, image files are opened with OIS.EXE (correct) ... BUT now Microsoft Office 2010 appears twice in open or open with menu
2 Using new open with under User configuration\Preferences\Control Panel Settings\Folder Options : new open with preference, action (update or replace same result), file extension BMP, associated program (path to OIS.EXE), i check set as default.
Result : Office 2010 opens image files (correct) but icon is Office 2010 one and the file type is now 'OIS.EXE' for all image file extensions I have specified ... so it won't be possible to sort the file by image type if I select that method...
3 Using ftype : OIS.EXE doesn't open the file when I double click on it but Microsoft Office 2010 appears twice in the open or open with list ...
I am a bit lost ... what is the best method to put Microsoft Office Picture Manager as default picture viewer, keeping the image type (Bitmap image, JPEG image etc) and without having Microsoft Office 2010 twice in the open or open with list ??
Last question : by default an image file is opened and previewed with Windows Photo viewer and edited with Paint. I would like just to open images with Office 2010 but keep Windows Photo viewer for preview and Paint for edit ... Is it possible ??
Thank you in advance for any help and support !!

Restart computers via GPO

Hello all,
I would like to do restart all our lab computers (joined into domain) daily at 23:59. Is there anyway I can schedule the script via GPO ? My domain controller in on windows 2003 ent server.
Throw your ideas or point me in right direction how to achieve this.
Madal

Hello Madal,
Thank you for your reply.
“Is there a way to encrypt the password ?”
Based on my research, you can create a “Schtasks Helper script” and “Encode” it to improve security as described in the following example:
1. On this share create a VBS file called Schtasks.vbs with the following code:
Schtasks.vbs
set shell=wscript.createobject("Wscript.shell")
shell.run "schtasks /create /ru <administrator> /rp <password> /sc dialy /st 23:59:00 /tn shutdown /tr \\servershare\shutdown.bat”
shutdown.bat
shutdown /t 0 /r
2. Download the Windows Script Encoder from:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e7877f67-c447-4873-b1b0-21f0626a6329&displaylang=en&Hash=2eeLrR1Fo%2bgy0pOMTILIDCo2B6FWF5ncnlQW61ur2UdX0K7ZsIKKjttmjR%2bpFX5MMlQ4EW7GWRIwNA%2f4WFS0rw%3d%3d
3. Encrypt the original .vbs file:
screnc original_vbs_file.vbs vbs_encrypted_file.vbe
The script encoder is a command-line tool that allows a scriptwriter to protect the contents of a script from unauthorized copies or modifications while (at the same time) allowing the script to run.
Disclaimer
This sample script is not supported under any Microsoft standard support program or service. The sample script is provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for
any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages
Actually, I also agree with Darren. You may use Group Policy Preferences to achieve the goal. It is a feature new in Microsoft Windows Server 2008. Group Policy preferences include mapped drives, scheduled tasks, and Start menu settings. For many types of operating system and application settings, using Group Policy preferences is a better alternative to configuring them in Windows images or using logon scripts. In fact, the new policy features in GPP support XP, Server 2003, Vista and Server 2008 “clients”. In order for clients to process GPP policy settings, they must install the GPP Client Side Extension (CSE) package, which is available from following site.
Group Policy Preference Client Side Extensions for Windows XP
http://www.microsoft.com/downloads/details.aspx?familyid=E60B5C8F-D7DC-4B27-A261-247CE3F6C4F8&displaylang=en
For more details, you can download Group Policy Preferences Overview
http://www.microsoft.com/downloads/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790&DisplayLang=en
regards,Nick Gu - MSFT

Deploy FF 3.6.23 to 7.0.1 failed via GPO

<blockquote>Locking duplicate thread.<br>
Please continue here: [[/questions/928959]]</blockquote>
Hi, I tried to deploy the upgrade packet for Users from FF 3.6.23 to 7.0.1 via GPO.
(Environment: Windows 2008 R2 Standard Domain, Client PC: Windows XP SP3)
But some PCs can upgrade some PCs can not. (Other software deploy is OK, only FF)
Is there any guys also has the problem like this?
I doubt if any patch not install or reg not config?
Or something else may make this happen?

Why are you updating to such an ancient version as Firefox 7.0.1? The latest supported version of Firefox 13. You shouldn't use versions older than that as they have been dropped from support and have known and public vulnerabilities.
The only other vresoin that has some support if Firefox ESR. [http://www.mozilla.org/en-US/firefox/organizations/ http://www.mozilla.org/en-US/firefox/organizations/].

Error at RSOP while trying to set Audit settings via GPO

Hello,
i've configured Audit Policy via GPO and when i run RSOP on the server 2008 R2 i get X with the error "the policy engine did not attempt to configure the setting For more
information, see %windir%\security\logs\winlogon.log on the target machine.
Please help???

Hi,
This problem may occur if the "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy setting is enabled. To resolve this issue, use one of the following methods, as appropriate for your situation.
Method 1: Disable the policy setting by using Group Policy Object Editor
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Method 2: Disable the policy setting by using Registry Editor
Note: Please backup the registry key before modify.
1.Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
2.Right-click SCENoApplyLegacyAuditPolicy, and then click Modify.
3.Type 0 in the Value data box, and then click OK.
Restart the computer after you make the change.
For more information, please refer to:
Security auditing settings are not applied to Windows Vista-based and Window Server 2008-based computers when you deploy a domain-based policy
http://support.microsoft.com/kb/921468/en-us
RSOP: the policy engine did not attempt to configure the setting
http://social.technet.microsoft.com/Forums/en-AU/winserverGP/thread/fde42cfc-bb74-4e11-8b60-c1a3cb5d80ed
If the problem still continues, please check the %windir%\security\logs\winlogon.log and reply the information in this log.
Regards,
Bruce

ActiveX UAC and Proxy Settings via GPO

Hi there,
Wondering if anyone can help.
I am experiencing the following issue when trying to load ActiveX control without UAC prompts for standard users.
I have:
Configured ActiveXInstaller Service and configured allowed sites and settings via GPO.
Configured IE Security settings for the Trusted Zone to Allow ActiveX content to run via GPO.
Configured IE to use per user proxy settings via GPO.
Allowed the domain in our proxy and bypassed authentication for that domain.
Everything seems to be in place but I receive a UAC prompt for the Internet Explorer Add-on Installer UNLESS I either turn off the IE proxy settings or add the domain to the IE proxy exclusions list.
Unfortunately neither of these are options in our environment..
Anything I've missed?
Thanks!

Hi,
Before going further, what's the operating systems you are using? How did you configure
approved Installation Sites for ActiveX Controls and Active X installation policy for sites in Trusted zones settings?
Regarding how to configure these two settings, we can refer to the following article for double check.
Administering the ActiveX Installer Service in Windows 7
http://technet.microsoft.com/en-us/library/dd631688(v=ws.10).aspx
Besides, we can also run command gpresult/h gpreport.html with admin privileges to collect group policy result report to check if the policy settings are applied correctly.
Best regards,
Frank Shen

Deploy IP Printer Locally without a print server via GPO

I have a client that has 1 main site and 3 smaller satellite sites. They only have one (yes 1) server for all of their clients. There is a 100MB connection between so bandwidth is not an issue. The server is 2008 R2,
clients are a mix of XP and Windows 7. I have deployed client side extensions to the XP clients.
My project: Install a new network printer in each site (its the same printer for all 4 sites), configure clients to use printer in their site via GPO.
Each site has its own OU with users in their respective site OU. Normally, if this were a single site I could add the print services role, install the drivers for the printer on the print server, and use GP preferences;
User config -> Preferences -> Control Panel -> Printers -> add new TCP/IP and then apply this to the users OU. The problem is that it requires a local name and local path, which would require a local print server in each site.
Is there a way to use GP to add a printer to each client computer (and set as default) throughout multiple sites, while only having the One server in 1 out of 4 sites?
All help is greatly appreciated!
NOTE: when I say site, I mean physical location, it is all one domain.

I am really getting close to the deadline of new printers arriving so I will walk through exact steps I have taken to get this set up.
Ok. I have a server running 2008 R2. I added the Print services role.
Right click 'Printers' -> Add printer
select 'Add a TCP/IP Printer by IP address or hostname'
'Type of device' = 'Autodetect'
'hostname or IP address' = 'x.x.x.x' (IP address that printer will be set to)
'Port name' = 'x.x.x.x_2'
do NOT select 'auto detect printer driver'
select 'Generic Network Card'
select 'Install new driver'
select 'Have Disk' and browse to driver
'Printer name' = Printer Name
select 'share this printer'
'Share name' = Printer Name
next, next, driver installs and printer installs, and finish.
Now you have the printer installed and showing up under printers.
Now, I right click printer and -> deploy with group policy
Browse to the OU where my user is located in ADUC, select the GPO that I have linked to that OU, click 'add' and click 'OK'.
Now, log in to a win 7 computer, gpupdate, printer shows up in devices and printers. I can't print to it obviously since it's not connected to the network yet. But, when I log in to an XP computer, run gpupdate, it does NOT populate in devices and printers.
What am I doing wrong?
Thank you in advance.

Setting WMI and Registry permissions via GPO?

Hi,
I am configuring SCOM 2012 R2 for my environment. To configure it for SQL Serve,r I neeed to do the following:
Grant Read permission on HKLM:\Software\Microsoft\Microsoft SQL Server registry path for SQLDefaultAction and SQLMPLowPriv
Grant “Execute Methods”, “Enable Account”, “Remote Enable”, “Read Security” permissions for root, root\cimv2, root\default, root\Microsoft\SqlServer\ComputerManagement11 WMI namespaces to SQLDefaultAction and SQLMPLowPriv
Grant Read permission on HKLM:\Software\Microsoft\Microsoft SQL Server\[InstanceID]\MSSQLServer\Parameters registry path for SQLMPLowPriv for each monitored instance
So I need to assign registry permissions and wmi permissions.
Is there a way to do this via GPO?
Thanks

Hi,
You can not change the permission by using group policy directly.
Steps to solve your requirement,
1. Using the SetACL tool you can automate the management of Windows permissions. It is inherently automatable and scriptable. The
COM version provides the full functionality to any COM-enabled programming language (C#, Visual Basic, C++, Delphi, PowerShell, VBScript, …).
Supported object types: files and folders, registry keys, printers, services, network shares, WMI
So using this tool you can create script to automate Windows permissions.
2. Then you can use the created script as the Startup script in the GPO with privileges to allow the permission changes.
Checkout the below links on similar discussion,
http://social.technet.microsoft.com/Forums/windowsserver/en-US/87d4ed25-5247-41e4-8bb6-e29a078a1da0/change-permissions-for-a-specific-key?forum=winserverGP
http://social.technet.microsoft.com/Forums/en-US/c60ad5bb-309e-471d-9f48-e04e897ba61b/problems-setting-registry-permissions-via-gpo?forum=winserverGP
Regards,
Gopi
www.jijitechnologies.com

In server 2008 r2 i cant prevent access to extra drive letters(apart from a,b,c,d) via gpo

in server 2008 r2 i want to prevent access to extra drives like g,h,i,j drives via GPO i have been able to successfully hide these extra drives but not able to prevent access to restrict them i have hidden these extra drive letters via code pasting
with hidedrives.adm file on right clicking adminstrative templates in GPO and adding templates but i dont know the code for preventing access to drives. HELP me need this fast

Hi Manish,
Based on your description, we can try enabling the following policy:
User Configuration\Administrative Templates\Windows Components\Windows Explorer\
Prevent access to drives from My Computer
If we enable this policy, users cannot view the contents of the selected drives in My Computer and Windows Explorer. Also, they cannot use the
Run dialog box, the Map Network Drive dialog box, or the Dir command to view the directories on these drives.
However, this policy does not prevent users from using programs to access local and network drives. And, it does not prevent them from using the Disk Management snap-in to
view and change drive characteristics.
Regarding this policy, the following article can be referred to for more information.
Prevent access to drives from My Computer
http://technet.microsoft.com/en-us/library/cc978514.aspx
Best regards,
Frank Shen

Flash pushed via GPO, but is now removing itself!

All of a sudden we are having systems that Flash is removing itself and I can't figure out why! Everything has been working just fine. We push Flash down through Group Policy and it's been working without problems. But all of a sudden we are seeing systems where Flash is removing itself for no apparent reason.
Nothing has changed. No settings have changed. People that have gotten it successfully via GPO and have had it working just fine are all of a sudden having it removed and left with nothing installed. Does anyone have any idea as to why it would be doing this?
Here are the log files from one of the system in succession...maybe someone here can make heads or tails of it???
"Application Adobe Flash Player 10.1 Plugin from policy GPO Install Flash Player is an upgrade of application Adobe Flash Player 10 Plugin from policy GPO Install Flash Player and will cause the assignment of application Adobe Flash Player 10 Plugin to be removed."
"The removal of the assignment of application Adobe Flash Player 10 Plugin from policy GPO Install Flash Player succeeded."
"The assignment of application Adobe Flash Player 10.1 ActiveX from policy GPO Install Flash Player succeeded."
"The assignment of application Adobe Flash Player 10.1 Plugin from policy GPO Install Flash Player succeeded."
"Product: Adobe Flash Player 10 Plugin -- Error 2753.The File 'FP_PL_MSI_INSTALLER.exe' is not marked for installation."
"The install of application Adobe Flash Player 10.1 Plugin from policy GPO Install Flash Player failed. The error was : Fatal error during installation."
"The removal of the assignment of application Adobe Flash Player 10.1 Plugin from policy GPO Install Flash Player succeeded."
"Application Adobe Flash Player 10.1 Plugin from policy GPO Install Flash Player was configured to upgrade application Adobe Flash Player 10 Plugin from policy GPO Install Flash Player. The assignment or install of the upgrade application Adobe Flash Player 10.1 Plugin from policy GPO Install Flash Player failed with error : Fatal error during installation. The upgrade will be aborted."
"The assignment of application Adobe Flash Player 10 Plugin from policy GPO Install Flash Player succeeded."
These entries all happened pretty much at the same time. Now granted, I'm no GPO guru. I inherited this system and it was my predecessor that set this all up. But I've checked all the settings and everything seems fine and like I said, nothing has changed. As a matter of fact, I just setup a couple of new systems and it got pushed down to them just fine.
Help!!!

Hello again, It sounds like it is working so far, I hope it stays that way. I wonder if the Anti-Virus had an update that day that that happened. It was so sudden, something triggered that action, may not know what. It was strange since that didn't happen when you Installed, if it was going to happen.
Let's hope there are no more problems.
Thanks for posting back.
eidnolb

Configure Firefox via GPO

Similar Messages

Maybe you are looking for