Configuring group policy for user profiles in Windows Server 2012 R2 Domain

Similar Messages

• What share/ntfs permission i've to setup for user profile disks on Server 2012 R2?

  Please, let me know.
  Regards!
  Lasandro Lopez

  Hi Lasandro,
  As far as I know, share permissions for UPD are automatically set up by the management tools.
  Besides, regarding how to install and configure UPD, the following article can be referred to as reference.
  Installing and Configuring User Profile Disks (UPD) in Windows Server 2012
  https://social.technet.microsoft.com/wiki/contents/articles/15304.installing-and-configuring-user-profile-disks-upd-in-windows-server-2012.aspx
  In addition, regarding UPD, the following article can be referred to for more information.
  Easier User Data Management with User Profile Disks in Windows Server 2012
  http://blogs.msdn.com/b/rds/archive/2012/11/13/easier-user-data-management-with-user-profile-disks-in-windows-server-2012.aspx
  Best regards,
  Frank Shen

• Set up a smart card for user logon to windows server 2012 R2

  Good Evening,
  I have Windows Server 2012 R2 Datacenter edition (dreamspark license)
  Is it possible to successfully set up smart card logon to a server ? I already have the smart card reader, smart card and the certificate (which is also my digital signature) I know how to setup a DC role (as far as I know, the server has to be in a domain
  to use smart card logon) I would like to logon using to my PC using a smart card and set the certificate I already have to use as a certificate for logon.
  Kind Regards,
  Tomasz

  It would take a few things to do this, and could cause some security issues. In short, I assume the certificate you "already have" came from another environment or a commercial provider. You would need to configure your computer to trust that CA
  to be an issuer of smart card authentication certificates. That effectively moves a good portion of your computer security control out of your environment. For many environments that is an unacceptable security risk.
  If you dont have an Active Directory running, you will also need to make some accommodations to the standard guides. I dont believe there are any published guides on how to do this with a single server and third-party CAs. 
  Here are some references for generic smart card authentications. They are not 100% applicable to your need, so some interpretation is going to be needed.
  http://msdn.microsoft.com/en-us/library/windows/desktop/aa380142(v=vs.85).aspx
  http://msdn.microsoft.com/en-us/library/windows/desktop/aa380142(v=vs.85).aspx
  Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

• Exchange 2007 RTM support with Windows Server 2012 R2 Domain Controller

  Hi All,
  I have not found any TechNet Article which states about the Windows Server 2012 R2 Active Directory domain controller operating system support with Exchange 2007 RTM, can some one please let me know that does Exchange 2007 RTM supports Windows Server 2012
  R2 domain controller operating system, we are in the process of upgrading the domain controllers to 2012 R2 but not the forest and domain functional level to 2012 R2.
  thanks
  If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

  There are several likely reasons for this.  The most significant is that Exchange 2007 RTM is no longer supported (outside ot extended support, which is not going to include adding support for new operating systems): 
  http://support2.microsoft.com/lifecycle/default.aspx?LN=en-us&p1=10926
  You'll note from the following -
  http://technet.microsoft.com/library/ff728623(v=exchg.150).aspx - that only Exchange 2007 SP3 is currently supported in any environment.
  HTH ...

• How To Properly Delete a User Profile on Windows 7 in a Domain environment

  I have not been able to find an answer that matches the issue I'm facing. I had recently setup a laptop for a user and soon after, he was experiencing issues that I thought might be profile related. So, I did what always worked for me on prior versions of
  Windows without any fuss or side affects.
  Logged in under the local Administrator account, I went into: System Properties>User Profiles>Settings and removed the user profile from their. When I do that, I get an error message:
  Profile Error
  Profile not deleted completely. Error - A required privilege is not held by the client
  Ok, no problem I think. I just need to delete the user's profile directory under the users folder right? So I do this and figure when I try to log in again as the user that a new profile will be created. However, this is not what happens exactly. I login
  with the user credentials and it logs in successfully. However, I get a pop saying:
  You have been logged on with a temporary profile
  You cannot access your files and files created in this profile will be deleted when you log off. To fix this, log off and try logging on later.
  Please see the event log for details or contact your system administrator
  So my question is; why did the profile not delete completely after both deleting the user profile under System Properties and after deleting the actual profile directory? What did I miss and what is the proper method of deleting a user profile completely
  without running into these other issues?

  Hi Womprat,
  According to your description, I understand that you want to delete user profile but display an error in Windows 7.
  Please use other user (with administrator privileges) login this computer, then open Properties for Computer--->Advanced system setting--->Settings for User Profiles, then select the profile you want to delete.
  More details about Delete a user account, please refer to:
  http://windows.microsoft.com/en-us/windows7/delete-a-user-account
  Additional, please contact Windows 7 IT Pro Team so that you can get more professional suggestions. For your convenience:
  https://social.technet.microsoft.com/Forums/en-US/home?category=w7itpro&filter=alltypes&sort=lastpostdesc
  Best regards,
  Allen Wang

• The remote desktop session host configuration & Remote session shadowing options missing in Windows server 2012.

  Hi All,
  I am using a Windows server 2012 Standard. When i leave my session idle for more than 20 min it disconnects and post more 20 minutes my session is logged off.
  I know this setting can be changed from Remote desktop session host configuration in Windows server 2008 R2. But this option "Remote desktop session host configuration" is not there in Windows server 2012. Does any one have an idea where do i go
  and edit these settings in the Server 2012 o/s ?
  Also the Remote session shadowing option is also not available when i right click a user in the task manager. Any idea on an alternate method in Windows server 2012 ?
  Gautam.75801

  Exactly WHERE are the W2K12 R2 equivalent GPO settings to W2K8 R2 GPO settings of "Set time limit for disconnected sessions" and "set time limit for active but idle Remote Desktop Services
  sessions"?  Microsoft changed the remote desktop/terminal services around.  
  Appreciate it.
  Matt
   Policy Path 
   Scope 
   Policy Setting Name 
   Windows Components\Remote Desktop   Services\Remote Desktop Session Host\Session Time Limits 
   User 
   End session when time limits are   reached 
   Windows Components\Remote Desktop   Services\Remote Desktop Session Host\Session Time Limits 
   Machine 
   End session when time limits are   reached 
   Windows Components\Remote Desktop   Services\Remote Desktop Session Host\Session Time Limits 
   User 
   Set time limit for disconnected   sessions 
   Windows Components\Remote Desktop   Services\Remote Desktop Session Host\Session Time Limits 
   Machine 
   Set time limit for disconnected   sessions 
   Windows Components\Remote Desktop   Services\Remote Desktop Session Host\Session Time Limits 
   User 
   Set time limit for active but idle   Remote Desktop Services sessions 
   Windows Components\Remote Desktop   Services\Remote Desktop Session Host\Session Time Limits 
   Machine 
   Set time limit for active but idle   Remote Desktop Services sessions 
   Windows Components\Remote Desktop   Services\Remote Desktop Session Host\Session Time Limits 
   User 
   Set time limit for active Remote   Desktop Services sessions 
   Windows Components\Remote Desktop   Services\Remote Desktop Session Host\Session Time Limits 
   Machine 
   Set time limit for active Remote   Desktop Services sessions 
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• Restore deleted AD User Account in Windows Server 2012

  Good day.
  I know Windows Server 2012 has an Active Directory Recycle Bin feature, however upon enabling the feature it doesn't display the deleted user account I have deleted prior to enabling the feature. Is this normal? Does the feature only displays deleted AD
  objects after you have enabled it? Is there other way to display those objects? Thanks in advance.

  Hi James,
  Yes, You should have a valid system state back to perform an authoritative restore.
   In case you don’t have any system state backup, you can use ADRestore to restore tombstoned objects. When an object is deleted from Active Directory, it isn't actually removed but is instead marked as deleted by an internal marker called
  a tombstone. 
  Note: ADRestore cannot restore the group membership for a user. Meanwhile, not all attribute data can be restored.
  http://blogs.technet.com/b/asiasupp/archive/2006/12/14/using-adrestore-tool-to-restore-deleted-objects.aspx
  Regards,
  Rafic
  If you found this post helpful, please give it a "Helpful" vote.
  If it answered your question, remember to mark it as an "Answer".
  This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
  No he can _not_, as there is no tombstones when the recycle-bin is enabled, recycled objects can not be restored/reanimated.
  Enfo Zipper
  Christoffer Andersson – Principal Advisor
  http://blogs.chrisse.se - Directory Services Blog

• Web Access for Remote Desktop on Windows Server 2012

  Hello,
  i've a Windows Server 2012 without a domain. So i installed the remote desktop session host, the remote desktop license server and the remote desktop gateway as a server role only. All is working fine. Without a domain, no management tools for remote
  desktop are available. So i configure the remote desktop via the registry. I define (via registry) some remoteapps, too. All values are copied from a running Windows Server 2008 R2. So the remoteapps are runing.
  Now i want to use the new Microsoft Remote Desktop client for Android. To use a remoteapp i must define a remote resource. To define a remote resource i need a url to the web access for remote desktop. So i installed the web access. But if i login to the
  web access, i don't see any remoteapp. What's wrong? I've set the ShowInTSWA to 1. What must i do to access an existing remoteapp via web access?
  Martin

  Hi Martin,
  Server 2012 RD Web Access is designed to retrieve published RemoteApps and Desktops from a Server 2012 RD Connection Broker and/or a Server 2008 R2 RD Session Host server.  From your description it doesn't appear that you are using either of the above.
  I know it is a more complicated set up, but you should consider having a domain, creating a RDS deployment, etc., so that you can use the full featureset as it was intended.  You can do it all on a single server if needed.  For Server 2012
  there is a hotfix that needs to be applied to permit RD Connection Broker to work on the same server instance as active directory.
  -TP

• How do I get a reliable schedule for automatic update in Windows Server 2012 R2?

  I don't understand why MS broke the automatic update in Windows Server 2012 R2. In previous versions, I used to set it for automatic updates - Saturdays at 2AM. I can no longer pick a weekly update in the GUI and the time seems to have no impact on its capricious
  reboots due to updates.   It might happen 2 days later at noon.   The best option for now is to just shut off the automatic updates but I'm reading this issue has been around since 2012 R1.   There supposedly is a fix/patch for
  2012 but it doesn't say if the patch is for 2012 R2 and the automatic updates haven't installed a fix that actually fixes what is broken with the automatic updates.
  Why even leave the GUI for automatic updates if it doesn't mean anything?
  Is there a simple registry key I can change so updates occur according to the schedule that you created in the GUI?      Please no powershell - worst crutch MS ever created to not fix their own gui.
  I'm seeing people have tried some advanced work around using GPO but many said those don't work reliably either on hosts or domain controllers.

  This may explain:
  http://blogs.technet.com/b/wsus/archive/2013/10/08/enabling-a-more-predictable-windows-update-experience-for-windows-8-and-windows-server-2012-kb-2885694.aspx
  http://blogs.technet.com/b/wsus/archive/2013/06/11/wsus-blog-managing-updates-with-deadlines-in-an-era-of-automatic-maintenance.aspx
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• Add Windows Server 2012 R2 domain controller to Windows 2008 R2 domain

  Hi,
  Have today 2 x Windows Server 2008 R2 domain controllers, and domain and functional level 2008 R2.
  We now want to replace these DC`s with Windows Server 2012 R2.
  My plan is as follow
  - Install and promote a Windows Server 2012 R2 as a 3 DC`s with a temporary hostname and IP as DC3
  - Install and promote a second Windows Server 2012 R2 as a 4 DC`s with a temporary hostname and IP as DC4
  - Decomiss DC1 and remove this host. Change the IP and hostname of the new DC3 to DC1
  - Move FSMO roles from DC2 to DC1 and decomiss DC2
  - Change the IP and hostname of the new DC4 to DC2
  Will this be a ok progress ? I will offcours to have the DC`s replicate information between them before doing each task.
  /Regards Andreas

  Hi,
  Only error i got running dcdiag was the following
   Starting test: NCSecDesc
      Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
         Replicating Directory Changes In Filtered Set
      access rights for the naming context:
      DC=ForestDnsZones,DC=domain,DC=local
      Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
         Replicating Directory Changes In Filtered Set
      access rights for the naming context:
      DC=DomainDnsZones,DC=domain,DC=local
      ......................... DC1 failed test NCSecDesc
  Is this a problem ?
  I would guess not since im not implementing a RODC ? Ref:
  https://support.microsoft.com/en-us/kb/967482?wa=wsignin1.0
  You can ignore it.
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• Bind Mavericks to Windows Server 2012 R2 domain

  I have a Windows 2012 R2 domain controller (only one in the domain) with the forest and domain in native (not mixed) mode.
  I am trying to bind a Mavericks Macbook Pro to the domain.
  I have checked that I can ping the domain and domain controller by name and IP address.
  I have set the NTP on the Macbook to use the domain controller as the time source.
  I even set the "Prefer this domain server" to the domain controller.
  When I attempt bind the Macbook, the time tested message of "Authentication server could not be contacted."
  Any suggestions?  Something about Windows Server 2012 R2 that I am missing?  I admit that I am just learning Windows
  Server 2012 R2, so it is possible my lack of knowledge of it is the adding to the problem.
  Thank you in advance!

  I have 3 Server 2012 DC's here on my network.  No issues binding Macs to the DC.  I haven't had the time to roll out R2 DCs yet, but will be doing so shortly as I am now done with some other upgrades.  I would roll out one right now so I can test this for you, but don't have the time...sorry man.
  One of the most important thing with AD is DNS.  1 of my 3 AD's is my DNS and DHCP server.  I have not had to mess with any special settings, just let my Mac get it's IP from the DC and then bind away.  Are your windows machines (if you have any) on the same LAN able to bind?  Also make sure the account you are logged into the mac with is an Admin on the local mac. 
  Remove all the custom info you put in, keep it simple, I have never had to fill in any of those details, and make sure you use the FQDN of your DC (host.domain.com).  Once you put in the FQDN, does the utility recognize the Domain and then ask for the AD admin credentials?  If yes, then thats a good sign. 
  Let me know if it's still not working.  Also make sure you are using the correct login and password, the admin of your DC. 
  Is your DC virtual or Physical?  Do you have the firewall enabled on your DC?  Are you using wireless or wired? 
  I'm sure you will get this... S12R2 is really sweet, all my Hyper-V hosts are S12R2. 

• Deploy Windows Server 2012 R2 domain controller in 2008 domain

  Hi,
  We have three physical windows 2008 enterprise with SP1 32 bit domain controllers, we need to deploy two additional windows 2012 R2 standard as virtual machines on this domain. Do we need to install SP2 on the existing Windows 2008 sp1 DCs or we are fine?
  What are other requirements?  

  It is not required.
  Just your Forest/Domain Functional level should be Windows Server 2003 or higher to be able to add Windows Server 2012 R2 DCs.
  Please note that it is always recommended to have your Windows Operating Systems up-to-date to avoid known security attacks and known bugs.
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• How to configure group policy for emet via a command line

  I have been tasked with installing emet on 50 servers that I only have access to with our patching server (so I can't remote in and open the gpedit gui). I can get it to install, but now the problem that I'm facing is I need to enable 6 of the group policies
  for emet. Is there a way to do this while installing it? or a way to do it after the install?

  cmd line you need to deal with is in the C:\Program Files (x86)\EMET 4.1 folder
  specifically emet_conf --refresh would tell the systems to pull in the settings from a GPO they have already applied.
  In a non - SCCM environment I would probably recommend using group policy preferences and create a task scheduler item on your servers that runs emet_conf --import
  \\fileserver\settingsfile.xml on some sort of automated basis. Then you can just configure a client like you need and run the emet_conf --export
  \\fileserver\settingsfile.xml whenever you need to change a mitigation etc and the clients will pick up on the change on their next run of the task scheduler item.
  In general installing on servers isn't a great idea and is not the intended use case for emet however if you are DoD/Gov then DISA has mandated it so won't argue there.  There's also the people that still have Internet access from servers so then it
  would make sense in that environment as well.
  CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response/FOPE) Check out my blog http://blogs.technet.com/kfalde or better yet check out http://technet.com/wiki and start contributing :)

• Some normal users profile on Windows Server 2003 ???

  Hello, I manage a Windows 2003 Server in a school board of 30 000+ students. Each of these students have their home folder located on a share on one of our file servers (eg :
  \\server\schoolID$\user) which is on the E:\ drive of the server)
  For some reason, while browsing in C:\Documents and Settings on that server, we noticed that 40 of these users had an incomplete profile only containing these 2 folders and 2 files...
  We have reviewed the security groups on the server and we are 100% sure that they don't have access in any way to that server (besides their home folder...). We also tried to connect using mstsc and they can't even log in remotely. We are wondering what
  can cause the creation of some of these users profiles for these specific users? (Since 2011, there were only 40 profiles created out of 30 000+ students so it is not something that started recently or that is growing or touching all of our users...)
  Any idea of what could be the cause of these mysterious incomplete student profiles on that server ?
  Thanks for the help!

  OK...we've been able to reproduce the problem... A normal user simply has to encrypt a folder on his home folder located on a share on one of our file servers (eg :
  \\server\schoolID$\user) and it will create the incomplete profile (see screenshot below - Right click on a folder - Properties - General tab - Advanced and select the last option) :
  Can't explain why it behaves like this but at least, we know why this happens...

• Firefox Settings for users in a Windows Server 2008/Win 7 Environment

  I am currently building images of Windows 7 with Firefox 4 for use on our machines. We use Windows Server 2008 to apply user settings. I am looking for a way that I can provide bookmarks, change some of the default settings, and remove the start-up splash screens for Firefox. It turns out that each time a unique user logs into a computer, they have to walk through these splash screens, and the settings revert back to defaults, and the bookmarks are gone. We have several thousand users on our network, so any help fixing this issue would be appreciated.

  Generally it is the browser service that populates network neighborhood. This technology is no longer used with newer OS like server 2008, windows 7/8.
  Description of the Microsoft Computer Browser Service
  Regards, Dave Patrick ....
  Microsoft Certified Professional
  Microsoft MVP [Windows]
  Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.