Deploy MMC settings (Group Policy SnapIn to disable mass-storage devices to non-admin)

Hello,
To deny access to non-admin accounts to removable storage devices and CD/DVDs, I've added in MMC a new snap-in that allows me to do so. Once this feature is added, I save the file, which is a .msc. Now I'd like to add it to my WES8 image, but don't know where or how to do it. I've tried executing the file via cmd but it doesn't work, the modifications aren't saved. Does anyone know how this could be possible?
I've tried following exercise 901 "Creating and Implementing a Custom Security Template" from Sean Liming's book, but as the file is not a .inf like in the example (I suppose it's because of this but I'm not sure) I get errors when running secedit.
Also, I've tried creating a module with the GroupPolicyUsers folder that is created in Windows/System32 after saving MMC settings. But after installation I go to this folder and there are no files inside. I'm not sure if this is because I can't deploy a system folder like that or because I'm doing something wrong. Maybe I'm not creating the modules the right way, because I have another module that should install radmin and it doesn't (I've tried executing the command I use to install it, "msiexec /i %SystemDrive%\Windows\SoftInstallers\rserv35es.msi /quiet", and it works well; also I create a module with chrome.msi the same way and it's installed well).

I think you might want to look at this:
http://www.sevenforums.com/tutorials/101869-local-group-policies-apply-all-users-except-administrators.html
Copy off the GroupPolicyUser folder into a module.
www.annabooks.com / www.seanliming.com / Book Author - Pro Guide to WE8S, Pro Guide to WES 7, Pro Guide to POS for .NET

Similar Messages

  • Deploying Reader through Group Policy

    Hi,
    I have applied for and been granted a deployment license, and am trying to follow the instructions to deploy reader through group policy to computers on my network.
    The document adobe gives you says to put the computer name under security filtering in the OU GP that was created.  I have done this but it's clear the policy isn't getting applied.
    When I run group policy result, it's not even showing so I must have something wrong.  The document that adobe gives has several of the pictures out of place and is covering some text (at least when I display it - and yes I am using most current version of reader).
    Any ideas?
    Thanks,
    Allen

    Unless I'm misunderstanding your last reply, the GPO is working as intended, when you change it back.
    GPO = Applied to one specific OU
    Security Filtering = 1 specific PC
    Active Directory OU for intended GPO contains = 0 computers
    The PC you're applying the security filtering to must exist in the Active Directory OU you created for the GPO.
    E.G. I create a GPO called acc_sw for my Accounting dept called accounting.  3 PCs in accounting are called:
    Ed_PC
    Karen_PC
    Thomas_PC
    In the security filtering for the GPO I created, I have:
    Ed_PC
    Karen_PC
    Thomas_PC
    Now, in Active Directory Users & Computers, in the accounting OU I have 0 computers.
    The end result is no acc_sw being processed for:
    Ed_PC
    Karen_PC
    Thomas_PC
    They must exist in the target OU, or a subordinate OU of the target OU, for the GPO to work.

  • Deploying office through group policy

    Hi people,
    English is not my mother language so I hope you'll understand me.
    I have a school project. Deploying office through group policy worked. But now my teacher has given me a command to give all OU's a different OFFICE packet when they logged in. So.. it will change the current installation when a different user from a different OU logged in. I'm out of options. Please can anybody help me:(:(

    No you don't misunderstand :p  My teacher first did it with Office 2003 and now I must do it in office2010.. and I also thought it was a stupid idea.. But who am I... I have not much knowledge in IT.. I'm still learning.
    But I have 2 options
    To convince him that this is not a good idea... (and I don't know with which argument)
    or find a way to do this...

    Hmm, so, I think that kind of crazy was possible with very old versions of Office, which could be "advertised" via GPO to achieve per-user scenarios, but Office2007 and later versions, don't provide such different per-user options as part of setup.
    Office2007 and later, uses the MSPfile etc for customization, and that is per-machine (common to all users of that machine).
    You might be able to achieve something similar, by using AppLocker (e.g. AppLocker rules which deny excel.exe to be executed by GRP_Students).
    But this doesn't address the matter nicely, because the Students can see the Excel shortcut/icon/program, but are forbidden to execute it.
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • How can I deploy EFS using Group Policy and automatically encrypt computers for ALL users who login?

    How can I deploy EFS using Group Policy and Active Directory with a goal to automatically encrypt computers for ALL users who login? (NOT an option for me to use BitLocker)
    I was asked to deploy EFS to encrypt the user my documents folder and profile on all of the users laptops. The laptops are in common areas (board meeting rooms, etc) and security of files is a must.
    I successfully created a recovery certificate in AD. I created an OU and set up an EFS policy and users can now login and select to encrypt their own files. The issue is that management would like to have it automatically encrypt ALL users' My Documents AUTOMATICALLY when a user logs in.
    Can this be done?
    Please help

    Hi,
    Any update?
    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
    Best Regards,
    Andy Qi

  • To get some errors about group policy due to disabled an account

    Hello
    I have an Active Directory on Windows 2012 Datacenter. There is a domain on it. It works well.
    Also there is another AD at another location. There is another domain on it. It also works.
    There is a trust relationship between the 2 domains.
    I disabled an account on the first AD server 4 days ago, and then my colleague who manages the second AD notified me that they started to receive some errors in Event Viewer and have an issue with their group policy.
    The issue event is as below:
    The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller
    (LDAP Bind function call failed). Look in the details tab for error code and description.
    Event ID 1006
    Event Source Group Policy
    I think the concerning account was built on the second AD for a service. But we don't know how we can find the account on the second AD server in order to change it.
    How can I fix the issue?
    Thanks

    Hi Yavuz,
    >>But we don't know how we can find the account on the second AD server in order to change it.
    What account did we disable? We can check the error code (displayed as a decimal) and error description fields of Event ID 1006 to see if more information can be found.
    Regarding Event ID 1006, the following article can be referred to for more information.
    Event ID 1006 — Group Policy Preprocessing (Active Directory)
    https://technet.microsoft.com/en-us/library/cc727283(v=ws.10).aspx
    Best regards,
    Frank Shen

  • Deploying Files with Group Policy - Help Needed

    Hi,
    I am trying to use group policy to deploy files and folders to our server estate. The policy I have created first creates a folder on each server's C drive and then copies a set of files to this folder from a network share. The folder creation works fine but the files copy fails. In the Application logs on the servers it displays the following error:
    The computer 'ILMT' preference item in the 'GPO - Servers_Production_ALL {CC026B58-FA3B-4399-AA00-AE8E844B2B47}' Group Policy object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.
    Can anyone advise what exactly does not have access here? I don't know what I need to enable to get this to work.
    Can anyone help?
    Many thanks
    James

    The copy is on a file server share. presumably if I just give everybody read access to the share that would suffice?
    No it won't.
    "Sharing" requires several actions:
    a) create the folder
    b) share the folder
    c) grant NTFS permissions on the folder
    I think you've neglected action (c).
    For your scenario, you need to grant the "server computers" read permissions to the folder.
    You can add individual computer accounts, or a group, or "domain computers".
    (In a similar way, you could grant access to a user, a group, or "domain users")
    [if you need everybody (users) *AND* everything (computers), you could grant permissions to "authenticated users" since that principal includes *BOTH* users and also computers]
    Note that "domain computers" and "authenticated users" include all types of domain member computers, i.e. servers, workstations, etc.
    Also, note that granting a "computer account" access to a folder or share, does *NOT* mean that a user account on that computer can access the remote share, i.e. permission is granted to the computer account, and a logged-in user account on that computer does not inherit any kind of access to the remote share by virtue of being logged in.
    This means that the computer can access the share but the user cannot access the share. Because the computer account is an identity/principal of its own accord.
    [None of which really has anything to do with Group Policy at all - it's how Windows does file sharing and ACLs... ;)]
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)
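
The three actions from the reply above (create the folder, share it, grant NTFS permissions), followed by a check of both permission layers, as an added PowerShell example that is not part of the original thread. The folder path and share name are hypothetical, the script assumes it is run elevated under a domain account on the file server, and the SMB cmdlets assume Windows Server 2012 or later.

```powershell
# Added example, not from the thread. $Path and $ShareName are hypothetical.
$Path      = 'D:\Deploy\ILMT'
$ShareName = 'ILMT-Deploy'

# Computer-side Group Policy Preferences items run in the computer's context,
# so the computer accounts (not a user group) need read access.
# Assumes the script runs under a domain account, so USERDOMAIN is the domain name.
$Principal = "$env:USERDOMAIN\Domain Computers"

# a) create the folder
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# b) share the folder, read-only for the computer accounts
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -ReadAccess $Principal | Out-Null
}

# c) grant NTFS read permissions, inherited by files and subfolders
$ruleArgs = $Principal, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
$acl  = Get-Acl -Path $Path
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Check both layers: access is the intersection of share and NTFS permissions,
# so either one missing produces 0x80070005 on the client.
$read = [System.Security.AccessControl.FileSystemRights]::Read

$shareOk = [bool](Get-SmbShareAccess -Name $ShareName | Where-Object {
    $_.AccountName -eq $Principal -and $_.AccessControlType -eq 'Allow'
})

$ntfsOk = [bool]((Get-Acl -Path $Path).Access | Where-Object {
    $_.IdentityReference.Value -eq $Principal -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $read) -eq $read)
})

[pscustomobject]@{
    Principal = $Principal
    ShareRead = $shareOk
    NtfsRead  = $ntfsOk
}
```

Granting read-only access to a computer group keeps the share closed to interactive users, which matches the reply's point that a logged-in user does not inherit the computer account's access.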

  • Deploying software through group policy with certain requirements

    here is the question:
      I have an existing Active Directory environment, consisting of 300 computers.  we need to install the latest version of ADOBE ACROBAT READER to all computers with the following requirements:
    . The application is not supported on windows XP
    . We need to have automatic updates turned off within the application
    . We need a silent, automatic installation.
    . The Engineer Department needs to be excluded, as they use Proprietary PDF app. 
    Is it possible to deploy thru Group Policy and meet all these so called requirements ?

    Hi,
    Before going further, I agree with Zanderol24.
    >>The application is not supported on windows XP
    We can use a WMI filter to exclude Windows XP clients from applying the software installation policy.
    Regarding WMI filter, the following article can be referred to for more information.
    WMI filtering using GPMC
    http://technet.microsoft.com/en-us/library/cc779036(v=ws.10).aspx
    Regarding how to use WMI filter to filter out Windows XP, the following article can be referred to as reference.
    Create WMI Filters for the GPO
    http://technet.microsoft.com/en-us/library/cc947846(v=ws.10).aspx
    >>We need to have automatic updates turned off within the application
    As this is related to the software, we can contact vendor support to ask for suggestions.
    >>We need a silent, automatic installation.
    We can choose to assign a program distribution to users or computers.
    If we assign the program to a user, it is installed when the user logs on to the computer. When the user first runs the program, the installation is completed.
    If we assign the program to a computer, it is installed when the computer starts, and it is available to all users who log on to the computer. When a user first runs the program, the installation is completed.
    Regarding how to use Group Policy to remotely install software, the following article can be referred to for more information.
    How to use Group Policy to remotely install software in Windows Server 2008 and in Windows Server 2003
    http://support.microsoft.com/kb/816102/en-us
    >>The Engineer Department needs to be excluded, as they use Proprietary PDF app.
    If we choose to assign the software to computers, we have to filter out computer accounts for the Engineer Department from applying the software installation policy. If we choose to assign the software to users, we have to filter out user accounts for the department. We can use security filtering to do this.
    Regarding security filtering, the following articles can be referred to for more information.
    Security filtering using GPMC
    http://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx
    Filter Using Security Groups
    http://technet.microsoft.com/en-us/library/cc752992.aspx
    Best regards,
    Frank Shen

  • Deploying printers without Group Policy

    A little background first, I work for a company with 10+ sites while only 2 sites actually are in a domain. Every day I am getting work orders for adding IP printers to every machine because they want to print to any printer within their location. I understand the print services within Windows Server 2008 and how I can deploy them easily through group policy. The problem is the majority do not have the domain infrastructure to do this.
    Which leads me to my question of, how and what would be the most painless way of deploying printers to all computers in particular subnets between sites? Create a batch file to add the printers and run it on each workstation? Create a network share for printers? Or is it possible to force adding a new printer over the network without a group policy? Thank you all in advance

    script will be an option...
    http://www.computerperformance.co.uk/powershell/powershell_printers.htm
    http://support.risualblogs.com/blog/2012/02/14/using-powershell-to-create-printers/
    Best,
    Howtodo

  • Deploying Contribute via Group Policy

    I've been trying to deploy contribute via MS Win 2003 Group
    Policy, but have had no luck. Has anyone been able to successfully
    push out the software, if so, did you utilize the Software Install
    or did you use a script? How did you deal with the input of the
    Contribute serial number? Optimally, we'd like to generate a silent
    install, but again, have had very little luck and there is very
    little information available.
    Any help is appreciated.

    Someone in another post pointed me to this document.
    http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=a4175402
    The only downside is that you need to set a batch to copy your
    ContributeConfiguration items to the install folder. I think Adobe
    could do a better job on the deployment side.

  • Deploy itunes using group policy

    I've found a few links out there and I feel like I'm really close, but I can't get iTunes to work via MS Group Policy Deployment.  I've followed this article: http://techierambles.blogspot.com/2011/01/deploy-itunes-or-quicktime-msi-files.html but I'm not sure if things have just changed too much since 10.1 or what.
    My main issue, I believe, is that I can't get the Apple Application Support MSI to deploy.  I've tried assigning it and publishing it, but no joy.  However, without that MSI the iTunes MSI won't install properly.  Anyone ever run into this?
    Windows Server 2008, Windows 7 clients, iTunes 10.5.2 64-bit, no QuickTime (not a requirement in the newest version of iTunes).
    Thanks,
    Lauren

  • Deploying msi via group policy without administrative rights

    We are having a problem with flash player not working without
    Administrative right on the machine. We thought we could get around
    this by using the flash_player_active_x.msi and installing through
    group policy. The install during a computer reboot (if assigning to
    a computer) or during a user sign on (if assigned to a user) seems
    to work fine.
    However, when you actually try to load a webpage with flash,
    nothing. The component doesn't actually get installed into the
    browser. As soon as you log on with a privileged account, and
    browse to a flash enabled page, the install finishes, the active x
    control is loaded and now all users can see it.
    However, I'd really prefer not to have to go around to each
    computer and log on with the administrator account - kind of
    defeats the purpose of group policy.
    All computers are Win XP sp2 with IE 7. The active directory
    server is a Win2k server.
    Any thoughts would be appreciated.

    I am having this issue also. Has anyone found a solution?
    I found this reference on this website, but there is no
    solution given:
    I have installed Adobe Flash Player but still don't see any Flash
    content. What is wrong?
    quote:
    Restricted User accounts are unable to display Flash Player
    content
    After successful installation under the Windows Administrator
    account, Restricted User accounts are unable to display Flash
    Player content. This issue has been reported on Microsoft Windows
    XP Service Pack 2 systems and occurs sporadically. It may also
    affect other versions of Windows, such as Windows 2000.
    If you installed Flash Player 8.0.24.0 prior to April 6,
    2006, then you must remove it using the Flash Player uninstaller
    released on May 11, 2006. Remove Flash Player using the
    instructions in How to uninstall the Adobe Flash Player (TechNote
    14157).

  • Deploying Printers With Group Policy Preferences

    Ok so I know this is an old topic but I need to clarify my position a bit here to best decide how to deploy printers to our organization.
    We currently have about 600 printers on a Server 2012 R2 print server and we have 25 buildings. For several years we have deployed printers in GPO the old-fashioned way - user Deployed Printers. There have always been problems with this stemming from issues with multiple print driver installs on the client computers. That aside, the philosophy works out pretty well. We have NTFS permissions on the print queues that handle who can print to what. GPOs are linked to the staff OUs for each building that actually deploy the printers. This means that you have to have the GPO for a building and also have to have permission to the printer in order for it to actually install. When a user is removed from a particular building group then at next policy refresh the printers granted to that group go away. This is good.
    Based on the way that preferences work I think that they could solve our problems with occasional failed driver installs, but I can't find a way to reproduce the behavior I described above. If I use create, a user can be deployed a printer but if permission to that printer is removed then the printer stays behind and they get an access denied error when they attempt to print to it. Same with Update. Replace sort of mimics the desired behavior but deletes and recreates the printer every time policy refreshes. This wouldn't be a deal-breaker at logon, but it even happens while a user is logged in and policy updates in the background. They could potentially be attempting to print something and the printer will just disappear momentarily.
    Is there something else I am missing here that I can configure in order to take advantage of GPP printer deployments in our environment? Thanks!

    Hi Matt,
    As far as I know, if we choose to use GPP Printer extension to deploy printers, the printers will leave behind even if the policy is out of scope, unless we select the above mentioned option or delete the printers.
    >>There have always been problems with this stemming from issues with multiple print driver installs on the client computers.
    To tackle this issue, had we disabled the following policy setting?
    Computer Configuration\Policies\Administrative Templates\Printers : Point and Print Restrictions
    If not, we can disable this setting, which will disable driver installation warning messages and elevation prompts on computers.
    Regarding this policy setting, the following article can be referred to for more information.
    Control Printer Driver Installation Security
    http://technet.microsoft.com/en-us/library/cc753269.aspx
    Best regards,
    Frank Shen

    Frank,
    Sorry for the delay, I recently had another issue take precedence over this one so didn't have much time to mull this over or test.
    We currently have policy set to enable Point and Print restrictions, but allow driver installation from our print server. This should effectively be the same as what you have recommended.
    I believe our driver installation issues have more to do with the large number of different printer models and sometimes the sheer number of printers that can be installed for each user. These are things that we have culturally always been there and probably won't change. What happens is that when a printer deployment fails no other printers will be installed after that one. The reason is that starting with Windows 7 the printer deployment policy will only be re-evaluated if changes to the policy are detected. So if a user is deployed 50 printers and one in the middle of the deployments fails, everything after that alphabetically fails and it doesn't retry until the GPO changes.
    So far from my limited testing GPP printers gets around this since each printer is essentially a separate object and installation of one does not seem to affect the others. However, I don't like the idea that there is no way to replicate the behavior we currently have which is to remove printers when the GPO is no longer applied. I may convince the powers that be that we need to change our philosophy about this and train our users to remove printers after they have changed buildings or positions, but for now I think we will stick with traditional printer GPOs rather than using GPP.
    Thanks for your help!

  • Power settings/group policy/help!

    Hello again,
    We use Dell laptops in our business, primarily a selection of Latitude E6230s, E6330s, a few E7240s, and some others.
    There is the well known issue with Dell laptops that when they are plugged onto a docking station when they are already powered on, they completely freeze up and lose all USB support. I have read up on this online and everywhere suggests setting the default domain policy to a High Performance power plan.
    I have done this, however now we have a bunch of remote workers complaining that their laptop batteries are draining too quickly, and the machines are getting too hot and too noisy, because the machines now never go into sleep/hibernate mode.
    Has anyone got any ideas on how to obtain a happy medium for this? I'm getting grief from both sides and there aren't enough hours in the day to sit and play around with all the individual settings - although I suspect that I might have to?
    Any advice would be much appreciated?
    Thanks!

    Hello aglxs20,
    How about the Windows 7 restore disk?
    Is this issue resolved?
    Best regards,
    Fangzhou CHEN

  • Deploying Bookmarks via Group Policy

    Hi,
    I've been tasked with deploying Firefox bookmarks via GPO. The GPO add-on is installed.
    Initially things are fine as I can deploy our centrally created places.sqlite file to the relevant Firefox directory.
    However, if the user creates new bookmarks these are overwritten when our central places.sqlite file is redeployed. We have to update the file frequently as new favourites are added.
    Is there any way of us being able to update each users places.sqlite without them losing their personally created bookmarks?
    Cheers.

    Try https://mike.kaply.com/2012/03/26/customizing-firefox-distribution-ini/

  • Disable mass storage using a policy

    I'm having an issue with Lion Server. I created a simple Mac OS X policy to make all external drives read only, so USB/FW etc when mounted would be read only. I downloaded the policy, installed it on a Mac, restarted the Mac and it doesn't appear to be working. I can plug in a USB stick and read/write data. I see the policy installed and don't get any errors. Any ideas?

    A little more info....
    Created a new profile and installed locally to stop sending feedback to Apple, this works. But when I enable making external drives read only under Restrictions > Media and install the profile it's not working. I can see, mount and write to USB drives.
    Not sure if this makes a difference but I'm a local admin bound to an Active Directory server and also running a mobile account.
