Default domain Group Policy

Similar Messages

• Cases in which Domain Group Policy settings would be reverted to default settings on a Win7 client

  Hi - I'm sure this info is out there somewhere, but I'm having a hard time finding it.  Basically, I'm trying to identify the cases in which settings deployed via Domain Group Policy on 2008R2/Win7SP1 would get reverted back to "default settings"
  on a Win7SP1 client that is still a member of the domain, and is in a proper OU, properly targeted, WMI filters should still evaluate true, etc...
  For instance, it appears that if machine-level registry settings contained within a LocalGPO file on a client get corrupted (C:\Windows\System32\GroupPolicy\Machine\registry.pol), all of those settings, plus all machine level administrative template settings
  defined in Domain Group Policy, get reverted to default settings (corresponds with Event ID 1096 in System Event Log where it references "LocalGPO").  I have not confirmed if this is the case for machine level settings defined outside of administrative
  templates in Domain Group Policy, or for any user level settings though.  (But I suspect not.)
  When a workstation is unable to talk to a Domain Controller in order to identify applicable Domain Group Policy settings (for instance, this issue:
  http://support.microsoft.com/kb/2421599/en-us), do administrative templates Domain Group Policy settings revert to defaults up until the next successful processing interval?  I don't believe
  so, but would like confirmation.
  Are there any other cases in which Domain Group Policy settings for a client still joined to the Domain would be reverted to defaults?
  And when a client is unjoined from the Domain, what Domain Group Policy settings would remain on the client?  I understand that some Domain Group Policy settings outside of administrative templates are "tattooed" to the registry.  Does
  anyone know of a full list of these settings?  I believe that most or all of the ones in Windows Settings\Security Settings are tattooed, and the only way to get these settings removed is to explicitly change them via registry edit or LocalGPO/Local Security
  Policy, after unjoining the domain.
  Any info/insight/links to other doc/etc would be much appreciated!

  Hi Shaun,
  >>If a client cannot talk to a domain controller at all, admin template settings still stay in-place on the client, correct?   
  As far as I know, it's not this case. If a client can't communicate with domain controllers, it means that the GPOs applied to the client are out of scope. As suggested by
  the article I provided, for native policy, "when a Group Policy object (GPO) goes out of scope, the policy setting is removed allowing the original configuration value to be used."
  >>What if a client looses network connectivity while reading Domain GPO?
  Group policy will be get updated when computers start up and users log on. Besides, for workstations, group policy will get refreshed at background with by default an interval
  of 90 minutes. As long as workstations can restore network connectivity, the group policy settings will get updated.
  >>Are there any other failure cases like this where some or all Group Policy settings (admin template or other areas) would get reverted?
  There are many reasons which can cause GP malfunction. However, Windows itself provides necessary tools for troubleshooting various issues. When GP malfunctions, we can check
  Event Viewer, collect group policy result, or generate group policy log to troubleshoot.
  TechNet Subscriber Support
  If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
  Best regards,
  Frank Shen

• Windows 2012 R2 default domain controllers policy set to enforced

  Hi Guys,
  So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2 and so far everything is running ok. Had a few problems relating to orphaned DC's but have cleared this up now. However, i'm now trying to get to grips with using group policy. When
  i migrated, the old policy settings seemed to have come across and things seem to be still locked down ok, in relation to certain OUs. I run a network at our local college so i have a student container which applies a lock-down policy. All these GPOs where
  previously setup by someone else.
  I setup a test network at home before i did the said migration and am now comparing some group policy settings, namely the default ones, and i have noticed that default domain controllers policy has been set to enforced on my newly migrated domain. At home
  on my test server i see it is not enforced by default and am wondering why this is? I have been reading up but i can't find anything that tells me it should be enforced but wary to disable this setting. The students return on Monday so i don't want to mess
  it up at this stage.
  One thing that i did find odd is when i first opened up the GPO's, i was prompted with a message which stated that the policies in the sysvol folder where not consistent with the ones in AD so i followed its recommendation to update.
  Any advise you guys have on this would be greatly appreciated.
  David

  > So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2
  > and so far everything is running ok.
  This does NOT touch any GPOs, so your GPOs are not "migrated" or
  something like that - they are still what they were before.
  > enforced on my newly migrated domain. At home on my test server i see it
  > is not enforced by default and am wondering why this is?
  "A sever misunderstanding of how group policy inheritance and link order
  works" is the closest reason I see for this. The DDCP is linked to
  "Domain Controllers", and as long as you do not create subordinate OUs
  there (which I've never seen) and block inheritance on them, there's no
  reason to enforce.
  To add my experience from the field: When I see enforced GPOs, in most
  cases this enforcement is not required. People simply use it because
  they do not understand "link order".
  > One thing that i did find odd is when i first opened up the GPO's, i was
  > prompted with a message which stated that the policies in the sysvol
  > folder where not consistent with the ones in AD so i followed its
  > recommendation to update.
  That's fairly ok and nothing to hassle about.
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Reboot domain controller changes audit policy on Default Domain Controller Policy

  This has been happening for a long time no matter whether my DCs were running Windows Server 2003 or, as they are now, are running Windows Server 2012 R2. It happens on DCs in one particular site, but the policy change it causes is domain-wide.
  I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
  Default Domain Controllers Policy - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies/Audit Policy.
  I have monitoring application relying on this policy being turned on, and if it's off, it's being reported. The monitoring application knows the change, but it doesn't know how the change was made.
  All my DCs are running Windows Server 2012 R2, DFL 2008 R2.
  Thanks and regards.

  Hi,
  >>I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
  Did we try to run command gpresult/h report.html with admin privileges to collect group policy result report to check how the policy setting was  applied after rebooting?  Besides, we can also try to run command
  auditpol /get / category:* from an elevated command prompt to check what audit settings are applied.
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Unable to edit the "Default Domain Controllers Policy" from a Server 2012 machine

  I am unable to edit the "Default Domain Controllers Policy" from a Server 2012 machine. The error message i recieve is:
  "Failed to open the group policy object.  You might not have the appropriate rights.  Details: The volume for a file has been externally altered so that the open file is no longer valid."
  The domain controllers are running Windows 2012 R2 upgraded from Windows 2008 R2, the domain functional level is Server 2012.
  I am able to edit the policy from both a Windows 7 and Server 2008 R2 machine.
  The following post is identical however the fix for them does not work for me:
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/2d968a05-2cff-4dd0-9c5d-dd810d1fa66f/cant-edit-default-domain-controllers-policy-on-windows-8-or-server-2012
  Any ideas?

  MuhammadUmar
  Yes, the Unique ID is available on 2012 server
  Lany Zhang
  This only affects the default domain controllers policy object
  Another user added to amins and tested has no effect
  It is the same on another server
  DCDiag passes all tests
  Thanks for all your help so far

• Can't edit default domain controllers policy on windows 8 or server 2012

  I have found that I can't edit the "Default Domain Controllers Policy" from a Windows 8 or Server 2012 machine.  I can edit and save changes fine from a Windows 7 machine.  The domain controllers are running Windows 2012 Standard upgraded
  from Windows 2008 R2.  Is there a security setting I am missing?

  Posting the resolution from the other thread.  Hope it helps!
  I just accidentally resolved this issue today.  I added the GPMC to a 2008 R2 server so I could make a needed firewall
  change within the Windows Firewall with Advanced Security section of the Default Domain Controllers GPO (I enabled the Remote Event Log management rule for the Domain profile).  About an hour later, I forgot I was using my Windows 8 machine and I went
  to edit the Default Domain Controllers GPO and opened for edit without a problem.  I can now edit it from Windows 8 and from Windows Server 2012.  Until now, I was using a Windows 7 VM to make the edits, so in my case the problem was resolved by
  editing the GPO once from a 2008 R2 machine.

• Restore Default Domain Controllers Policy in its original state

  Hello,
  Our domain has 2003 DCs. For some reason, someone has unlinked Default Domain Controllers Policy from Domain Controllers OU and also modified it extensively.
  Domain Controllers OU has a GPO with basically same settings as DDCP but it has also been heavily modified.
  I'm in the process of upgrading our domain to 2012 level and would like to sort out DDCP before doing so.
  What would be the best course of action to restore DDCP in its place? I was planning to match all settings between custom GPO and currently unlinked DDCP and then disable custom GPO and enable DDCP. But sincerily I'm not sure what would be the best way to
  go.

  Hi,
  Any update?
  Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
  Best Regards,
  Andy Qi
  TechNet Subscriber Support
  If you are
  TechNet Subscription user and have any feedback on our support quality, please send your feedback
  here.
  Andy Qi
  TechNet Community Support

• Default Domain Controller Policy

  Hello All,
  We will be starting promotion of Windows Server 2012 R2 Domain Controller in our organisation. For that we are trying to implement the Default Domain Controller Policy for 2012 r2 related.
  We already have Account Policies, Password policy, Audit Policy and Security Option Firewall Settings
  But would like your advice about any new features which we can applied in our Default Domain Controller
  policy.
  Thanks.
  Thanks HA

  Hi,
  >>But would like your advice about any new features which we can applied in our Default Domain
  Controller policy.
  Regarding this point, the following articles can be referred to as reference.
  Chapter 4: Strengthening Domain and Domain Controller Policy Settings
  https://technet.microsoft.com/en-us/library/cc773205(v=ws.10).aspx
  Applying Selected Domain and Domain Controller Policy Settings
  https://technet.microsoft.com/en-us/library/cc773164(v=ws.10).aspx
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Default domain controller policy audit

  If I enable auditing in default domain controller policy, I see event only from all domain controller or see event from all workstation in domain, or I should create new audit GPO and then linked it to workstation UO?

  If I enable auditing in default domain controller policy, I see event only from all domain controller or see event from all workstation in domain, or I should create new audit GPO and then linked it to workstation UO?
  If I enable auditing in default domain controller policy, I see event only from all domain controller or
  see event from all workstation in domain
  ---NO you wont see workstations, only if editing the default domain policy, as described prior best practice would be to create a new GPO with a great name that you
  wont mix up such as "workstation audit GPO" and link to the site, domain or OU you require.
  Its not great practise IMO adding loads of stuff to default domain policy when you want to troubleshoot best to segregate GPOS with great easy to
  interpret names for brevity 

• Preventing Domain Group Policy from being applied

  How can a user prevent the domain group policy from being applied to his machine? And How can I stop users from doing that?

  Hi,
  No, group policy is processed by order, that is,  local GPO is processed first, and then domain policy is processed by order, which would overwrite settings in the earlier GPOs if there are conflict.
  If you don’t want to apply the domain policy, apply a higher precedence policy or disjoin the domain.
  Group Policy processing and precedence
  http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx
  Alex Zhao
  TechNet Community Support

• Uninstall IE and set another web browser such as Chrome and FireFox as default using Group Policy

  Hi there,
  Please can anyone instruct me on how to uninstall IE and set another web browser such as Chrome and FireFox as default using Group Policy. Your help would be much appreciated.
  Kind regards,
  RocknRollTim
  P.S. I was redirected by a forum user off the Microsoft Community forum.

  IE can't be uninstalled.  It's part of the operating system and cannot be removed.  You can hide the icon but the engine is still on the machine and still must be updated.
  This is a topic best suited for a Group policy forum. 
  https://social.technet.microsoft.com/Forums/en
  US/home?forum=winserverGP
  Step one is to install the Chrome ADMX templates - see the link below for more detais:
  Configuring Google Chrome via Group Policy | Jack Stromberg:
  http://jackstromberg.com/2013/08/configuring-google-chrome-via-group-policy/
  Of the two browsers, my personal preference is Chrome over Firefox.  Firefox's add in model is too prone to developer insecurity.
  My blog
  Thanks Justin Gu for marking this as the proposed answer.
  Thank you,
  RocknRollTim

• Mail for exchange and domain group policy removing...

  Hi,
  I currently administer 2 domains,  both server 2003 with exchange 2003.  On the one domain I can configure any of our e series ( e51/e71/e72/e6) via MFE and permanently accept the untrusted SSL certificate. When I configure MFE to our other domain the option to accept the untrusted certificate has vanished..!
  Anyone have any ideas?  I'm sure that it's a group policy setting but I cannot spot it!

  turbominor wrote:
  No certificates have been generated bar the ones that exchange installed by default
  Hmm, I don't recall ever realizing that.  Lol.  In that case, what are you using as a root certificate?  Nothing...which explains why the cert is untrusted?  (As connections to your first Exchange server work normally, apparently you don't need a root cert for a secure connection?)  I used to get mine from http://www.cacert.org/ and installed the root cert either manually or through a device management server.
  I wasn't completely sure where I was going with my question, but just did a few web searches.  Apparently Symbian phones don't like installing self-signed certificates. "Accepting a certificate permanently" does install the cert, although I'm not sure that's quite the same thing.  You might skim http://discussions.nokia.com/t5/Eseries-and-Communicators/E72-Email-Accept-Certificate-Permanently/m... in case any of that is relevant.

• ITunes won't work because of domain group policy

  Hi my work just implemented a really stupid group policy through our domain that dissallows any file named iTunes.exe to run. The good news is I can rename iTunes.exe and get iTunes to work. That bad news is once I rename iTunes.exe the iPod service is unable to start. The iPod service I assume is what automatically launches iTunes when you plug in your iPod. Does anyone know if a way to let the iPod service and any other file that depends on iTunes.exe that I have renamed it?

  I don't have a solution for you, but as a system administrator I feel I must comment.
  I don't know about where you work -- but at my job, deliberate circumvention of policy is "abuse" and is considered grounds for termination. The computer you use at work is not yours; it belongs to the company you work for.
  If you have a problem with the policy you should take it up with the administrators or your management -- not try to circumvent it. Perhaps the policy is based on a misunderstanding that you could clear up! You (your computer, really) might even be granted an exception to the policy.

• Domain Group Policy changes causes clients to be unable to connect to WSUS for Windows Updates

  Domain Controller is Windows Server 2008 R2 64-bit, Group Policy Management version 6.0.0.1. WSUS server is Windows Server 2008 Enterprise 32-bit, Update Services version 3.2.7600.226. Client machines are Windows 7, some are 64-bit and some are 32-bit.
  Every time we make any changes to any of our Group Policies most of our clients stop getting their Windows Updates from the WSUS server within 2-3 days. This occurs when we add a new policy for a group of users, temporarily disable a policy or edit a policy.
  Check of the WindowsUpdate.log on affected client machines shows:
  2014-06-25 13:40:44:976  760 1610 PT WARNING: GetAuthorizationCookie failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
  2014-06-25 13:40:44:977  760 1610 PT WARNING: Failed to initialize Simple Targeting Cookie: 0x80072ee2
  2014-06-25 13:40:44:977  760 1610 PT WARNING: PopulateAuthCookies failed: 0x80072ee2
  2014-06-25 13:40:44:977  760 1610 PT WARNING: RefreshCookie failed: 0x80072ee2
  2014-06-25 13:40:44:977  760 1610 PT WARNING: RefreshPTState failed: 0x80072ee2
  2014-06-25 13:40:44:977  760 1610 PT WARNING: PTError: 0x80072ee2
  2014-06-25 13:40:44:977  760 1610 Report WARNING: Reporter failed to upload events with hr = 80072ee2.
  A further check of the log files shows:
  2014-06-21 19:36:06:995  156 1b0c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <proxy server name:8080> Bypass List used : <(null)> Auth Schemes used : <>
  We do not use a proxy except for Internet connections. We configure IE with a pac file. This is set through Group Policy since we restrict user accounts from being able to set it. 
  The clients that are connecting to the WSUS server have these entries instead:
  2014-06-24 09:12:16:779  992 270 Agent Setting download properties on call A20329BC-3467-4B7E-B9F4-6AC6ACBA23E1: priority=3, interactive=1, owner is system=0, proxy settings=1, proxy session id=2
  I have a routine that will fix the problem but it is time-consuming and pulls me away from other things I should be doing:
  Run registry files on client machine (WindowsUpdate and AU) This is not always necessary and is already set by Group Policy and the affected clients already have the registry settings. No idea why it is necessary to do but it the steps below don't always
  work unless it is.
  netstop bits and netstop wuauserv
  ipconfig /flushdns
  Delete qmgr*.* files from Downloader folder
  Delete Software Distribution folder
  Run from command prompt:
  sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
  sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
  netstart bits and netstart wuauserv
  wuauclt /resetauthorization /detectnow
  Run Windows Updates again from Control Panel
  This routine always fixes the problem but I've found that I must do each step to guarantee success.
  How or where is the proxy setting being changed for WSUS that we see in the WindowsUpdate logs and how do I prevent this from happening? It is also curious that it happens to most but not all of the client machines. When it does happen it's not always the
  same client machines.

  You're right - the WSUS server is on the inside and does not need a proxy server. Tried running the netsh winhttp reset proxy command but was still not able to connect to the WSUS server. After running the netsh winhttp reset proxy command received response:
  Current WinHTTP proxy setting: Direct access <no proxy server>.
  Ran the command at 13:49 and then tried Windows Updates again. Here's snippet from the log file:
  2014-06-27 13:49:56:889  548 f6c AU Triggering AU detection through DetectNow API
  2014-06-27 13:49:56:890  548 f6c AU Triggering Online detection (interactive)
  2014-06-27 13:49:56:890  548 4b8 AU #############
  2014-06-27 13:49:56:890  548 4b8 AU ## START ##  AU: Search for updates
  2014-06-27 13:49:56:890  548 4b8 AU #########
  2014-06-27 13:49:56:893  548 4b8 AU <<## SUBMITTED ## AU: Search for updates [CallId = {9CE06AB2-E859-4B4D-8D1A-193AD89623C5}]
  2014-06-27 13:49:56:893  548 1260 Agent *************
  2014-06-27 13:49:56:893  548 1260 Agent ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
  2014-06-27 13:49:56:893  548 1260 Agent *********
  2014-06-27 13:49:56:893  548 1260 Agent   * Online = Yes; Ignore download priority = No
  2014-06-27 13:49:56:893  548 1260 Agent   * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1
  or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
  2014-06-27 13:49:56:893  548 1260 Agent   * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
  2014-06-27 13:49:56:893  548 1260 Agent   * Search Scope = {Machine}
  2014-06-27 13:49:56:893  548 1260 Setup Checking for agent SelfUpdate
  2014-06-27 13:49:56:893  548 1260 Setup Client version: Core: 7.6.7600.256  Aux: 7.6.7600.256
  2014-06-27 13:49:56:894  548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
  2014-06-27 13:49:56:901  548 1260 Misc  Microsoft signed: Yes
  2014-06-27 13:49:56:927  548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
  2014-06-27 13:49:56:934  548 1260 Misc  Microsoft signed: Yes
  2014-06-27 13:49:56:936  548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
  2014-06-27 13:49:56:943  548 1260 Misc  Microsoft signed: Yes
  2014-06-27 13:49:56:956  548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
  2014-06-27 13:49:56:962  548 1260 Misc  Microsoft signed: Yes
  2014-06-27 13:49:56:974  548 1260 Setup Determining whether a new setup handler needs to be downloaded
  2014-06-27 13:49:56:974  548 1260 Setup SelfUpdate handler is not found.  It will be downloaded
  2014-06-27 13:49:56:974  548 1260 Setup Evaluating applicability of setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256"
  2014-06-27 13:49:56:976  548 1260 Setup Setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
  2014-06-27 13:49:56:976  548 1260 Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256"
  2014-06-27 13:49:56:989  548 1260 Setup Setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
  2014-06-27 13:49:56:989  548 1260 Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256"
  2014-06-27 13:49:57:007  548 1260 Setup Setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
  2014-06-27 13:49:57:007  548 1260 Setup SelfUpdate check completed.  SelfUpdate is NOT required.
  2014-06-27 13:49:57:165  548 1260 PT +++++++++++  PT: Synchronizing server updates  +++++++++++
  2014-06-27 13:49:57:165  548 1260 PT   + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL =
  http://(FQDN of WSUS server)/ClientWebService/client.asmx
  2014-06-27 13:49:57:175  548 1260 PT WARNING: Cached cookie has expired or new PID is available
  2014-06-27 13:49:57:175  548 1260 PT Initializing simple targeting cookie, clientId = 6be4a1ae-3313-4855-bdb1-57e3312f03ec, target group = AGENCIES, DNS name = dpk2.clear-rcic.rcc.org
  2014-06-27 13:49:57:175  548 1260 PT   Server URL =
  http://(FQDN of WSUS server)/SimpleAuthWebService/SimpleAuth.asmx
  2014-06-27 13:50:57:280  548 1260 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(proxy server):8080> Bypass List used : <(null)> Auth Schemes used : <>
  2014-06-27 13:50:57:281  548 1260 PT   + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
  2014-06-27 13:50:57:281  548 1260 PT   + Caller provided proxy = No
  2014-06-27 13:50:57:281  548 1260 PT   + Proxy list used = webgate.rcc.org:8080
  2014-06-27 13:50:57:281  548 1260 PT   + Bypass list used = <NULL>
  2014-06-27 13:50:57:281  548 1260 PT   + Caller provided credentials = No
  2014-06-27 13:50:57:281  548 1260 PT   + Impersonate flags = 0
  2014-06-27 13:50:57:281  548 1260 PT   + Possible authorization schemes used =
  2014-06-27 13:50:57:281  548 1260 PT WARNING: GetAuthorizationCookie failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
  2014-06-27 13:50:57:281  548 1260 PT WARNING: Failed to initialize Simple Targeting Cookie: 0x80072ee2
  2014-06-27 13:50:57:281  548 1260 PT WARNING: PopulateAuthCookies failed: 0x80072ee2
  2014-06-27 13:50:57:281  548 1260 PT WARNING: RefreshCookie failed: 0x80072ee2
  2014-06-27 13:50:57:281  548 1260 PT WARNING: RefreshPTState failed: 0x80072ee2
  2014-06-27 13:50:57:281  548 1260 PT WARNING: Sync of Updates: 0x80072ee2
  2014-06-27 13:50:57:281  548 1260 PT WARNING: SyncServerUpdatesInternal failed: 0x80072ee2
  2014-06-27 13:50:57:281  548 1260 Agent   * WARNING: Failed to synchronize, error = 0x80072EE2
  2014-06-27 13:50:57:282  548 1260 Agent   * WARNING: Exit code = 0x80072EE2
  2014-06-27 13:50:57:282  548 1260 Agent *********
  2014-06-27 13:50:57:282  548 1260 Agent **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
  2014-06-27 13:50:57:282  548 1260 Agent *************
  2014-06-27 13:50:57:282  548 1260 Agent WARNING: WU client failed Searching for update with error 0x80072ee2
  2014-06-27 13:50:57:302  548 e04 AU >>##  RESUMED  ## AU: Search for updates [CallId = {9CE06AB2-E859-4B4D-8D1A-193AD89623C5}]
  2014-06-27 13:50:57:302  548 e04 AU   # WARNING: Search callback failed, result = 0x80072EE2
  2014-06-27 13:50:57:302  548 e04 AU   # WARNING: Failed to find updates with error code 80072EE2
  2014-06-27 13:50:57:302  548 e04 AU #########
  2014-06-27 13:50:57:302  548 e04 AU ##  END  ##  AU: Search for updates [CallId = {9CE06AB2-E859-4B4D-8D1A-193AD89623C5}]
  2014-06-27 13:50:57:302  548 e04 AU #############
  2014-06-27 13:50:57:303  548 e04 AU Successfully wrote event for AU health state:0
  2014-06-27 13:50:57:303  548 e04 AU AU setting next detection timeout to 2014-06-27 22:50:57
  2014-06-27 13:50:57:304  548 e04 AU Setting AU scheduled install time to 2014-06-28 05:00:00
  2014-06-27 13:50:57:304  548 e04 AU Successfully wrote event for AU health state:0
  2014-06-27 13:50:57:305  548 e04 AU Successfully wrote event for AU health state:0
  2014-06-27 13:51:02:285  548 1260 Report REPORT EVENT: {BD25B39C-6570-454C-A046-AF3AF2DEBDD4} 2014-06-27 13:50:57:282-0400 1 148 101 {00000000-0000-0000-0000-000000000000} 0 80072ee2 AutomaticUpdates Failure Software
  Synchronization Windows Update Client failed to detect with error 0x80072ee2.
  2014-06-27 13:51:02:295  548 1260 Report CWERReporter::HandleEvents - WER report upload completed with status 0x8
  2014-06-27 13:51:02:295  548 1260 Report WER Report sent: 7.6.7600.256 0x80072ee2 00000000-0000-0000-0000-000000000000 Scan 101 Managed
  2014-06-27 13:51:02:295  548 1260 Report CWERReporter finishing event handling. (00000000)
  2014-06-27 13:51:48:184  548 4b8 AU ###########  AU: Uninitializing Automatic Updates  ###########
  2014-06-27 13:51:48:187  548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
  2014-06-27 13:51:48:187  548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
  2014-06-27 13:51:48:187  548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
  2014-06-27 13:51:48:187  548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
  2014-06-27 13:51:48:187  548 4b8 Report CWERReporter finishing event handling. (00000000)
  2014-06-27 13:51:48:252  548 4b8 Service *********
  2014-06-27 13:51:48:252  548 4b8 Service **  END  **  Service: Service exit [Exit code = 0x240001]
  2014-06-27 13:51:48:252  548 4b8 Service *************
  2014-06-27 13:51:53:002  548 160c Misc ===========  Logging initialized (build: 7.6.7600.256, tz: -0400)  ===========
  2014-06-27 13:51:53:002  548 160c Misc   = Process: C:\Windows\system32\svchost.exe
  2014-06-27 13:51:53:002  548 160c Misc   = Module: c:\windows\system32\wuaueng.dll
  Ran a batch file which resets the AU and WindowsUpdate registry keys and then runs the steps listed above:
  regedit /s C:\WindowsUpdate.reg
  regedit /s C:\AU.reg
  net stop bits
  net stop wuauserv
  Ipconfig /flushdns
  del C:\ProgramData\Microsoft\Network\Downloader\qmgr*.*
  del  /F /Q C:\Windows\SoftwareDistribution\*.*
  sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
  sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
  net start bits
  net start wuauserv
  wuauclt /resetauthorization /detectnow
  After this runs, am able to connect to WSUS server for updates. I mentioned Group Policy changes because this only breaks after the Group Policy changes. It doesn't affect every client machine but most of them. Was wondering how the proxy gets reset from
  none to the proxy server for Windows Updates?

• How to implement " log on locally" via Domain Group Policy

  Hello,
  Thanks for always being very helpful.
  My Goal:
  I want to restrict one domain user to login to one computer only  (admin/root users to login to every computer).
  I searched and I believe there is no such direct way to implement via the group policy unless I may add one GPO per user to implement"log on locally" from the group policy.
  Do you have some VB script or other good way so I should not login to each computer one by one and edit the policy manually.
  Thanks in advance.
  Muhammad Asif Server Administrator Linux/Windows

  I am sorry if I wasn't cleared, I am managing about 250 users and want accomplish from some centralized locations. I don't want to go to every machine and apply the changes.
  I want to let one domain user to login to one system only.
  I have the list of computer name VS username, and I want to apply from centralized location without login to each computer one by one.
  Thanks a lot for the assistance.
  Muhammad Asif Server Administrator Linux/Windows
  The solution can only be applied once at the DC with ADUC or with Set-ADUSer as I posted.  It only needs to be run once from one DC.
  ¯\_(ツ)_/¯