Demoting a DC and Group policy, help needed.

Hi all,
So we have 3 domain controllers, let's say dc1, dc2 and dc3. We have 3rd line assistance from another company, and they have advised the following:
So the stages will be:
1) Can you please go through all the GPOs in DC3 and consolidate what you need and what you do not need. You need to extensively cross reference this with DC1 and DC2; this is something you have to do, as I will not know what you need and what you do not. You can do this by logging into each domain controller and opening up the settings of each GPO and cross referencing.
2) Once the above is done, we will consolidate the GPOs to a central repository in your domain
3) Backup Sysvol directory and Netlogon folder in DC3
3) Proceed to dcpromo DC3 out of the domain
4) Test connectivity of clients to the AD
5) Add the additional Server options
6) All of the above can be done during office hours.
It was my understanding (perhaps wrongly) that the group policies were not on the individual Domain Controllers but in Sysvol and as such replicated anyway?
Any advice would be very much appreciated.

> I am being told that our Group policies are different across different
> Domain Controllers and to my knowledge that's impossible as we have
> discussed it should be in the replicated Sysvol.
Ok, that's a common problem. Fix it and you will be fine:
http://support.microsoft.com/kb/2218556 (for DFS-R Replication of Sysvol)
http://support.microsoft.com/kb/315457 (for NTFRS replication)
> I'm a bit lost on the central repository aspect but prior to saying it
> makes no sense I just wanted to check my understanding, especially with
> an MVP!
I agree. Talking of a "central repository" for group policy doesn't make
sense, because group policy from the very beginning lives in AD and
sysvol, which both are kind of "central repository". Seems they don't
really know what they're talking about :)
Martin
How about reading a
GOOD book about GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))
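
The question in this thread, whether GPOs really differ between domain controllers, can be checked directly. The following is an added example, not code from the thread: it compares each GPO's version number in AD with the `Version=` value in GPT.INI on every DC's own SYSVOL share. It assumes the RSAT ActiveDirectory module and an account that can read SYSVOL on each DC.

```powershell
# Added example: per-DC comparison of GPO versions in AD and in SYSVOL.
# Assumes the ActiveDirectory module (RSAT) and read access to \\<dc>\SYSVOL.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$policyDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"
$dcs      = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    # Ask this specific DC for its copy of the GPO objects (-Server),
    # so AD replication differences between DCs become visible.
    $gpos = Get-ADObject -Server $dc -SearchBase $policyDn -SearchScope OneLevel `
        -Filter 'objectClass -eq "groupPolicyContainer"' `
        -Properties displayName, versionNumber

    foreach ($gpo in $gpos) {
        # Read GPT.INI from this DC's own share rather than \\domain\SYSVOL,
        # which would be redirected to whichever DC the client is referred to.
        $gptIni = "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies\$($gpo.Name)\GPT.INI"
        $sysvolVersion = $null
        if (Test-Path -LiteralPath $gptIni) {
            $hit = Select-String -LiteralPath $gptIni -Pattern '^\s*Version\s*=\s*(\d+)' |
                Select-Object -First 1
            if ($hit) { $sysvolVersion = [int]$hit.Matches[0].Groups[1].Value }
        }

        [pscustomobject]@{
            DC            = $dc
            GPO           = $gpo.displayName
            Guid          = $gpo.Name          # the CN of the object is the {GUID}
            ADVersion     = $gpo.versionNumber
            SysvolVersion = $sysvolVersion     # $null = folder or GPT.INI missing on this DC
            InSync        = ($null -ne $sysvolVersion -and $sysvolVersion -eq $gpo.versionNumber)
        }
    }
}

# 1) GPOs whose SYSVOL copy on a DC is missing or does not match that DC's AD object.
$report | Where-Object { -not $_.InSync } | Sort-Object Guid, DC | Format-Table -AutoSize

# 2) GPOs whose AD/SYSVOL version pair is not identical on every DC.
$report | Group-Object Guid | Where-Object {
    @($_.Group | ForEach-Object { "$($_.ADVersion)/$($_.SysvolVersion)" } |
        Sort-Object -Unique).Count -gt 1
} | ForEach-Object { $_.Group } | Sort-Object Guid, DC | Format-Table -AutoSize
```

Empty output from both queries means every DC holds the same version of every GPO; rows in either list point at the SYSVOL replication problem the KB articles above deal with.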

Similar Messages

  • Deploying Files with Group Policy - Help Needed

    Hi,
    I am trying to use group policy to deploy files and folders to our server estate. The policy I have created first creates a folder on each server's C drive and then copies a set of files to this folder from a network share. The folder creation works fine
    but the files copy fails. In the Application logs on the servers it displays the following error:
    The computer 'ILMT' preference item in the 'GPO - Servers_Production_ALL {CC026B58-FA3B-4399-AA00-AE8E844B2B47}' Group Policy object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.
    Can anyone advise what exactly does not have access here? I don't know what I need to enable to get this to work.
    Can anyone help?
    Many thanks
    James

    The copy is on a file server share. presumably if I just give everybody read access to the share that would suffice?
    No it won't.
    "Sharing" requires several actions:
    a) create the folder
    b) share the folder
    c) grant NTFS permissions on the folder
    I think you've neglected action (c).
    For your scenario, you need to grant the "server computers" read permissions to the folder.
    You can add individual computer accounts, or a group, or "domain computers".
    (In a similar way, you could grant access to a user, a group, or "domain users")
    [if you need everybody (users) *AND* everything (computers), you could grant permissions to "authenticated users" since that principal includes *BOTH* users and also computers]
    Note that "domain computers" and "authenticated users" include all types of domain member computers, i.e. servers, workstations, etc.
    Also, note that granting a "computer account" access to a folder or share, does *NOT* mean that a user account on that computer can access the remote share, i.e. permission is granted to the computer account, and a logged-in user account on
    that computer does not inherit any kind of access to the remote share by virtue of being logged in.
    This means that the computer can access the share but the user cannot access the share. Because the computer account is an identity/principal of its own accord.
    [None of which really has anything to do with Group Policy at all - it's how Windows does file sharing and ACLs... ;)]
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)
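
The answer above says a computer account needs access at two layers, the share permissions and the NTFS ACL. The following is an added example, not code from the thread: it reports which layer is missing read access for one principal and grants read only where it is absent. The share name and group name are hypothetical, and the script is assumed to run on the file server itself (SmbShare module, Windows Server 2012 or later).

```powershell
# Added example. All names below are hypothetical placeholders.
$ShareName = 'Deploy$'
$Principal = 'CONTOSO\Production Servers'   # group holding the server computer accounts

function Test-ReadAtBothLayers {
    param([string]$ShareName, [string]$Principal)

    $share    = Get-SmbShare -Name $ShareName -ErrorAction Stop
    $readBits = [int][System.Security.AccessControl.FileSystemRights]::Read

    # Layer 1: share permissions. Read, Change and Full all include read.
    $shareAce = Get-SmbShareAccess -Name $ShareName | Where-Object {
        $_.AccountName -eq $Principal -and $_.AccessControlType -eq 'Allow'
    }

    # Layer 2: NTFS ACL on the shared folder.
    # Limitation: exact-name match only; access inherited through another group
    # (for example "Authenticated Users") is not detected here.
    $ntfsAce = (Get-Acl -LiteralPath $share.Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $readBits) -eq $readBits
    }

    [pscustomobject]@{
        Share     = $ShareName
        Path      = $share.Path
        Principal = $Principal
        ShareRead = [bool]$shareAce
        NtfsRead  = [bool]$ntfsAce
    }
}

$before = Test-ReadAtBothLayers -ShareName $ShareName -Principal $Principal
$before | Format-List

if (-not $before.ShareRead) {
    # Read is enough for a file copy; do not hand out Change or Full.
    Grant-SmbShareAccess -Name $ShareName -AccountName $Principal `
        -AccessRight Read -Force | Out-Null
}
if (-not $before.NtfsRead) {
    $acl  = Get-Acl -LiteralPath $before.Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $before.Path -AclObject $acl
}

# Both ShareRead and NtfsRead should now be True.
Test-ReadAtBothLayers -ShareName $ShareName -Principal $Principal | Format-List
```

Using a dedicated group of server computer accounts keeps the grant narrower than "Domain Computers" or "Authenticated Users", which would also let every workstation read the deployment files.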

  • Group policy helper and Folder Redirection

    I've installed windows7/32 bit to use the Group policy helper. Now I can use this tool.
    I want to use the Group policy helper to redirect folders as described in Managing Roaming User Data Deployment Guide.
    In this documentation a folder redirection management snap.in is used. Can I somehow include this in the grouppolicy helper in ZCC11?
    I want to redirect the user folders to their homedirectory. We have about 500 Students and I can't configure every login so I hope to solve the problem using the group policies.
    (with zen7 and XP we configure the default local user to move desktop and user files to NetWare Home directory.)

    This still works..........
    http://www.novell.com/coolsolutions/tools/14324.html
    On 7/27/2011 7:56 AM, Alix wrote:
    >
    > I've installed windows7/32 bit to use the Group policy helper. Now I can
    > use this tool.
    >
    > I want to use the Group policy helper to redirect folders as described
    > in 'Managing Roaming User Data Deployment Guide'
    > (http://technet.microsoft.com/de-de/l...9(WS.10).aspx).
    >
    > In this documentation a folder redirection management snap.in is used.
    > Can I somehow include this in the grouppolicy helper in ZCC11?
    >
    > I want to redirect the user folders to their homedirectory. We have
    > about 500 Students and I can't configure every login so I hope to solve
    > the problem using the group policies.
    >
    > (with zen7 and XP we configure the default local user to move desktop
    > and user files to NetWare Home directory.)
    >
    >
    Craig Wilson - MCNE, MCSE, CCNA
    Novell Knowledge Partner
    Novell does not officially monitor these forums.
    Suggestions/Opinions/Statements made by me are solely my own.
    These thoughts may not be shared by either Novell or any rational human.

  • Group Policy Helper tool not working properly

    Hello,
    I'm using IE 9 on a x64 Win 7 enterprise PC with ZCM 10.3.4.
    When I'm logging into ZCC and start to configure a "windows group policy" the group policy helper tool starts and begins to download the policy.
    Then the gpedit.msc appears and I get the popup "group policy settings imported successfully" immediately. This popup should certainly come up when I close the gpedit.msc to import the changed policy setting.
    But so I always get an empty policy for upload.
    Any hints what's wrong with it?!

    Originally Posted by andreas_karl
    > Hello,
    > I'm using IE 9 on a x64 Win 7 enterprise PC with ZCM 10.3.4.
    > When I'm logging into ZCC and start to configure a "windows group policy" the group policy helper tool starts and begins to download the policy.
    > Then the gpedit.msc appears and I get the popup "group policy settings imported successfully" immediately. This popup should certainly come up when I close the gpedit.msc to import the changed policy setting.
    > But so I always get an empty policy for upload.
    > Any hints what's wrong with it?!
    IE 9 is not supported, you need to stay on IE8 until 11.2 is released (15 march).
    Thomas

  • Windows 7 DNS and Group Policy Issues

    Hi,
    We have several suites of Windows 7 domain connected PC's.
    In one of the suites I have been called into look at 3 different PC's where the users have not got mapped drives, desktop backgrounds, internet connectivity - because their group policies have not applied.
    When I look at the error logs I find DNS 1014 errors, and Group Policy 1054 errors.
    I have looked at the logs on the switches, and there is nothing on them - Could a pupil pulling the network cable out cause these errors?... Possibly they could have put it back in before I got back in the room.
    The user logs off of the PC and back on again and are fine, as are the users that logon after them.
    We have 2 DC's/DNS servers, which I would have thought would be able to cope with the load here.
    Please let me know what you think the likely cause could be.

    Hello John555444,
    What is your current situation?
    Is this issue resolved?
    Best regards,
    Fangzhou CHEN
    TechNet Community Support

  • How do I setup Active Directory and Group Policy on Windows Server 2012?

    I work for a school district that uses a Windows 2012 server with about 400 Windows 7 PCs and 150 Mac PCs. We are set up with Roaming Profiles on the PCs and would like to be able to setup Active Directory, Group Policy, and Roaming Profiles on our macs. (We also have a mac server that they are using as a file server only) As we are a school, our funds are very low. Now for the questions...
    Is there a software that allow us to accomplish this?
    Is there a free solution or a very reduced price option to do this?
    I heard that http://www.centrify.com/products/mac-edition.asp may accomplish this and I read something about it on here but didn't know if this is what I was really trying to do because it was marked as "The Golden Triangle" and did not mention Roaming Profiles. This is the link though: https://discussions.apple.com/message/17200059#17200059
    Any help would be greatly appreciated.

    The above reply does not take into account that I am trying to use GROUP POLICY EDITOR to make it the default browser.

  • Access Connections and Group Policy generated network profiles

    Hello,
    We are in the middle of rolling out 3500 T400 machines and are having fits with Access Connections 5.02. We have a default in-house Preferred Wireless Network Profile that is created on each machine via Group Policy. This works fine with AC and everything does what is supposed to do when our users are in our buildings. When our users go offsite, we have nothing but fits with AC and trying to set up any other WAN connections.
    If users set up a new network connection, we are asking them to set it up thru AC. We have had them try using both the "Use Windows to Configure Wireless Network" as well as "IEEE 802.1X Authentication". Once the network connection is set up, for some, the wireless will work for a short period (a week or so) and then will no longer detect network connections. Neither the user nor the client site has made any changes to the wireless configuration.
    Others will have a stable connection wirelessly until they connect over VPN – VPN will drop in a few minutes after connection.  They can then sometimes reconnect after a reboot; but the instability is a constant problem.
    It seems to me that the problem could all be traced back to GP enforcement, which occurs every 8 hours when connected to our network. If a user is offline for several days, then connects up to check email or transfer time or whatever, then they are kicked off. If a user connects via VPN, they are kicked off within minutes - again potentially traceable to GP enforcement.
    Has anyone else dealt with this scenario of Preferred Wireless Network policies and Access Connections?
    Thanks!

    Try going back to AC 4.52, which solved the problems I was having with AC5.02 (freezes, BSOD, loss of wireless connections when coming out of standby, GUI problems) on Vista Home Premium. Scroll down for previous versions of AC5.02 here:
    http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-67283
     I do not use a VPN system so AC4.52 may not help your 3500 Thinkpads.
    Lenovo (Mark_Lenovo) knows there are problems with AC5.02 for the last three (or more ) months and have stated that AC 5.1 will solve the problems, but it has not been released as far as I know. There are many threads on AC5.02 on this forum and also on thinkpads.com
    The Lenovo Blog site also has an update on AC5.02 under "Design Matters" on how they selected the graphics for wireless connections - the responses there offer some suggestions to fix the problems.
    T60: 6371-CTO, VISTA Home Premium+SP1, 2GB....R51: 1836-Q4U,XP,1GB...600...755CD

  • Anyconnect tunnel-group and group-policy from LDAP

    Recently we've changed from LOCAL to LDAP authentication and added additional group-policies for different users to increase security.
    To prevent users from selecting an incorrect group-policy, the LDAP server provides an IETF-Radius-Class value which matches the different group-policy names.
    It is my understanding that the authentication method is provided by the tunnel-group.
    tunnel-group DefaultWEBVPNGroup general-attributes
     authentication-server-group LDAP_AD
    This all works, but for _one_ of the group policies I'd like to enable (external) two factor authentication. To enable two factor auth a 'secondary-authentication-server-group' needs to be set in the tunnel-group.
    Creating a tunnel-group which matches the name of the group-policy doesn't seem to have any effect. When listing the connected users via "show vpn-sessiondb anyconnect", it always states the correct Group Policy but also always DefaultWEBVPNGroup.
    When enabling the listing of tunnel-groups for webvpn, thus allowing users to select their own tunnel-group, the two factor auth does work.
    To summarize, is it possible to let LDAP decide which tunnel-group is used or is there another way to have different group policies without users being able to choose ?

    Fabian, 
    Your connection lands on a tunnel group and picks a group policy. 
    A typical way to overcome the problem you're indicating is by using group-url. 
    a URL is bound to a specific tunnel-group and allows you to land directly on the one you desire. 
    vide:
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
    M.

  • Difference between domain controllers and group policy objects in GPMC

    Hello,
    Am in confusion, can someone tell me the difference between
    1.Domain controllers>default domain controller policy  and
    2.Group policy object>default domain controller policy
    In Group policy management console and also i would like know where to define these categories. I normally use second option.
    I have attached screenshot for your information.
     regards,
    Dharanesh,

    This first/upper item is a link to the GPO, the second/lower item is the actual GPO.
    (notice the link, has a shortcut arrow showing)
    By default, when you double-click on a link, a message will display which says "you have clicked on a link....." and the message box offers a checkbox for "do not display this message again..."
    Effectively they are equivalent to a shortcut-to-a-file vs. the actual file.
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • IE 8 Trusted sites list and Group Policy

    Hi all
    I have a problem deploying some IE trusted sites to all our users.
    I have previously been able to do this by editing the Local Group Policy, but am finding that what ZCM is telling me now, doesn't make sense. Here's what I'm doing when I edit the policy:
    GP Helper in the ZCM console brings up the Group Policy window, then I proceed as follows:
    Local Computer Policy / User Configuration / Internet Explorer Maintenance / Security / Security Zones and Content Ratings, click Continue to the prompt about Enhanced Security Configuration, then click Modify Settings.
    When I go to the Security tab and open Trusted Sites, the sites I entered are no longer listed (the list is empty), BUT if I try to add the sites back in, I am told that "This Site is already in the Trusted Sites Zone".
    If I log on as a user that has this policy applied, the sites are not in the Trusted Sites list.
    I really don't want to be in position where I have to do this through a bundle, I figure that's what policy is for! I'm also concerned that if this part of policy is showing some weirdness, maybe other parts of my policy are no longer being applied properly too.
    Just a bit stumped at the moment. Has anyone else seen this issue, or has any suggestions for me?

    Spearse,
    I just tried this with IE7, and it worked as advertised... I would
    suggest you look at the logs to see if there are any errors
    Shaun Pond

  • ZENworks 6.5 SP1b And Group Policy Editor Problems

    I just installed ZENworks 6.5 SP1b on a brand new test server that I am
    running. I have no users or strain on the server. After I installed the
    service pack it started to take about 20 to open the Group Policy Editor for
    a user policy and about a minute 20 to close it. I was using it before the
    upgrade and it only took like 10 seconds to close before. What's up? Can
    any one help?

    Yeah Sorry I clicked the wrong one
    > I presume someone will help in the Desktops forum, since this is for
    > server management...
    >
    > --
    >
    > Shaun Pond
    >
    >

  • Pix 515 and group-policy

    Hello,
    how many group-policy can I configure on PIX 515E with release 7.x?
    Thanks in advance
    B.

    The number of group-policy is important for me because I've many vpn-client sessions that refer to only one vpn-group.
    By radius I authenticate the user and I send to pix the name of group policy that contains the specific address-pool and the split-tunneling acl.
    In this way I can associate per-user the address-pool and the split-acl.
    The best way would be to have only one group-policy and to send by radius the name of address pool and the name of split acl but the pix seems not to support these parameters.
    Thanks B

  • Itunes and group policy

    Hi all,
    I'm trying to deploy iTunes via published group policy package. I have modified the MSI package with ORCA. The setup goes fine but at the end it fails by the ipodservice.exe. It says the user does not have permission to install service. Anyone knows how to overcome this (with non-admin user of course) ?

    try this in your package
    1. create a custom action that runs the iPodService.exe file (found in the c:\program files\ipod\bin folder) with a /service
    2. I placed this custom action last in the InstallExecute sequence.

  • Need help with Adobe Reader 11.0.0.8 and Group Policy Objects

    I am trying to deploy Adobe Reader 11.0.0.8 using Adobe Reader.
    I am using the AcroRead.msi I found in
    C:\Program Files (x86)\Adobe\Reader 11.0\Setup Files\{AC76BA86-7AD7-1033-7B44-AB0000000001}
    HOWEVER
    Instead of installing 11.0.0.8 it installs 11.0.0.0
    I have not had anyone complain about it asking for an update. But I'm sure it's only a matter of time. (I know about the customization which could prevent the updates, but I can't figure out how to get the correct version installed is the issue not the updates).
    So if I run the Setup.exe it ends up installing 11.0.0.8 but AcroRead.msi I think only installs 11.0.0.0
    Obviously you can't give a GPO an .exe so it's a closed loop. You can't use an .exe to install the proper version. And you can't install the proper version because you can't use an .exe
    You can only use the .msi which apparently only does 11.0.0.0
    I've been trying this that, have done jumping jacks and back flips trying to fix this (tried different versions, different approaches to this, nothing seems to work)
    Need some help. THIS IS WAYYYYYYY WAYYYYYYYYYYY Overcomplicated btw, shouldn't be this complicated for something so mundane.

    A couple of approaches and all involve a bit of work.
    Three steps:
    Do the install of the 11.0.0 MSI at the command line
    Then follow it with the 11.0.07 Updater MSP at the command line
    Finally the 11.0.08 Security Patch MSP at the command line.
    AIP
    Create the AIP from the three files above then run the MSI from the command line.

  • GROUP BY and ORDER BY help needed

    I have got an sql query where I have the need to pull out the latest copy of duplicate info, but what is happening is that the first instance is being displayed. The query I have is this:
    SELECT *
    FROM tbl_maincontenttext
    WHERE fld_menusection = 3
    GROUP BY fld_webpage
    ORDER BY fld_timedate DESC
    Basically, I have content that is listed under menu section 3, but within that I will have several copies of content that will relate to a specific webpage (eg: about us). What is currently happening is that GROUP BY is obviously grouping the similarly named 'about us', but it is pulling the first record it comes across out of the database rather than the latest updated record.
    As you can see, I am trying to get the query to order by fld_timedate which is a CURRENT_TIMESTAMP, but it's not working!
    I'm hoping that there is some sort of SQL that I am unaware of that will help me group by and display the latest update/content.
    Thanks.
    Mat

    It would help if you could show us the table definition. Your SQL statement is ambiguous because you are selecting all table columns, yet only including one column in the group by clause. A SQL statement must contain all selected columns that are not aggregates. Most DBMS will return an error for this statement. Others that don't return an error will return unexpected results.
