Domain Group Policy changes causes clients to be unable to connect to WSUS for Windows Updates
Domain Controller is Windows Server 2008 R2 64-bit, Group Policy Management version 6.0.0.1. WSUS server is Windows Server 2008 Enterprise 32-bit, Update Services version 3.2.7600.226. Client machines are Windows 7, some are 64-bit and some are 32-bit.
Every time we make any changes to any of our Group Policies most of our clients stop getting their Windows Updates from the WSUS server within 2-3 days. This occurs when we add a new policy for a group of users, temporarily disable a policy or edit a policy.
Check of the WindowsUpdate.log on affected client machines shows:
2014-06-25 13:40:44:976 760 1610 PT WARNING: GetAuthorizationCookie failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2014-06-25 13:40:44:977 760 1610 PT WARNING: Failed to initialize Simple Targeting Cookie: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 PT WARNING: PopulateAuthCookies failed: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 PT WARNING: RefreshCookie failed: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 PT WARNING: RefreshPTState failed: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 PT WARNING: PTError: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 Report WARNING: Reporter failed to upload events with hr = 80072ee2.
A further check of the log files shows:
2014-06-21 19:36:06:995 156 1b0c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <proxy server name:8080> Bypass List used : <(null)> Auth Schemes used : <>
We do not use a proxy except for Internet connections. We configure IE with a pac file. This is set through Group Policy since we restrict user accounts from being able to set it.
The clients that are connecting to the WSUS server have these entries instead:
2014-06-24 09:12:16:779 992 270 Agent Setting download properties on call A20329BC-3467-4B7E-B9F4-6AC6ACBA23E1: priority=3, interactive=1, owner is system=0, proxy settings=1, proxy session id=2
I have a routine that will fix the problem but it is time-consuming and pulls me away from other things I should be doing:
Run registry files on client machine (WindowsUpdate and AU) This is not always necessary and is already set by Group Policy and the affected clients already have the registry settings. No idea why it is necessary to do but it the steps below don't always
work unless it is.
netstop bits and netstop wuauserv
ipconfig /flushdns
Delete qmgr*.* files from Downloader folder
Delete Software Distribution folder
Run from command prompt:
sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
netstart bits and netstart wuauserv
wuauclt /resetauthorization /detectnow
Run Windows Updates again from Control Panel
This routine always fixes the problem but I've found that I must do each step to guarantee success.
How or where is the proxy setting being changed for WSUS that we see in the WindowsUpdate logs and how do I prevent this from happening? It is also curious that it happens to most but not all of the client machines. When it does happen it's not always the
same client machines.
You're right - the WSUS server is on the inside and does not need a proxy server. Tried running the netsh winhttp reset proxy command but was still not able to connect to the WSUS server. After running the netsh winhttp reset proxy command received response:
Current WinHTTP proxy setting: Direct access <no proxy server>.
Ran the command at 13:49 and then tried Windows Updates again. Here's snippet from the log file:
2014-06-27 13:49:56:889 548 f6c AU Triggering AU detection through DetectNow API
2014-06-27 13:49:56:890 548 f6c AU Triggering Online detection (interactive)
2014-06-27 13:49:56:890 548 4b8 AU #############
2014-06-27 13:49:56:890 548 4b8 AU ## START ## AU: Search for updates
2014-06-27 13:49:56:890 548 4b8 AU #########
2014-06-27 13:49:56:893 548 4b8 AU <<## SUBMITTED ## AU: Search for updates [CallId = {9CE06AB2-E859-4B4D-8D1A-193AD89623C5}]
2014-06-27 13:49:56:893 548 1260 Agent *************
2014-06-27 13:49:56:893 548 1260 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
2014-06-27 13:49:56:893 548 1260 Agent *********
2014-06-27 13:49:56:893 548 1260 Agent * Online = Yes; Ignore download priority = No
2014-06-27 13:49:56:893 548 1260 Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1
or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
2014-06-27 13:49:56:893 548 1260 Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2014-06-27 13:49:56:893 548 1260 Agent * Search Scope = {Machine}
2014-06-27 13:49:56:893 548 1260 Setup Checking for agent SelfUpdate
2014-06-27 13:49:56:893 548 1260 Setup Client version: Core: 7.6.7600.256 Aux: 7.6.7600.256
2014-06-27 13:49:56:894 548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2014-06-27 13:49:56:901 548 1260 Misc Microsoft signed: Yes
2014-06-27 13:49:56:927 548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2014-06-27 13:49:56:934 548 1260 Misc Microsoft signed: Yes
2014-06-27 13:49:56:936 548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
2014-06-27 13:49:56:943 548 1260 Misc Microsoft signed: Yes
2014-06-27 13:49:56:956 548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
2014-06-27 13:49:56:962 548 1260 Misc Microsoft signed: Yes
2014-06-27 13:49:56:974 548 1260 Setup Determining whether a new setup handler needs to be downloaded
2014-06-27 13:49:56:974 548 1260 Setup SelfUpdate handler is not found. It will be downloaded
2014-06-27 13:49:56:974 548 1260 Setup Evaluating applicability of setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256"
2014-06-27 13:49:56:976 548 1260 Setup Setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
2014-06-27 13:49:56:976 548 1260 Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256"
2014-06-27 13:49:56:989 548 1260 Setup Setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
2014-06-27 13:49:56:989 548 1260 Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256"
2014-06-27 13:49:57:007 548 1260 Setup Setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
2014-06-27 13:49:57:007 548 1260 Setup SelfUpdate check completed. SelfUpdate is NOT required.
2014-06-27 13:49:57:165 548 1260 PT +++++++++++ PT: Synchronizing server updates +++++++++++
2014-06-27 13:49:57:165 548 1260 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL =
http://(FQDN of WSUS server)/ClientWebService/client.asmx
2014-06-27 13:49:57:175 548 1260 PT WARNING: Cached cookie has expired or new PID is available
2014-06-27 13:49:57:175 548 1260 PT Initializing simple targeting cookie, clientId = 6be4a1ae-3313-4855-bdb1-57e3312f03ec, target group = AGENCIES, DNS name = dpk2.clear-rcic.rcc.org
2014-06-27 13:49:57:175 548 1260 PT Server URL =
http://(FQDN of WSUS server)/SimpleAuthWebService/SimpleAuth.asmx
2014-06-27 13:50:57:280 548 1260 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(proxy server):8080> Bypass List used : <(null)> Auth Schemes used : <>
2014-06-27 13:50:57:281 548 1260 PT + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
2014-06-27 13:50:57:281 548 1260 PT + Caller provided proxy = No
2014-06-27 13:50:57:281 548 1260 PT + Proxy list used = webgate.rcc.org:8080
2014-06-27 13:50:57:281 548 1260 PT + Bypass list used = <NULL>
2014-06-27 13:50:57:281 548 1260 PT + Caller provided credentials = No
2014-06-27 13:50:57:281 548 1260 PT + Impersonate flags = 0
2014-06-27 13:50:57:281 548 1260 PT + Possible authorization schemes used =
2014-06-27 13:50:57:281 548 1260 PT WARNING: GetAuthorizationCookie failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2014-06-27 13:50:57:281 548 1260 PT WARNING: Failed to initialize Simple Targeting Cookie: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: PopulateAuthCookies failed: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: RefreshCookie failed: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: RefreshPTState failed: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: Sync of Updates: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: SyncServerUpdatesInternal failed: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 Agent * WARNING: Failed to synchronize, error = 0x80072EE2
2014-06-27 13:50:57:282 548 1260 Agent * WARNING: Exit code = 0x80072EE2
2014-06-27 13:50:57:282 548 1260 Agent *********
2014-06-27 13:50:57:282 548 1260 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates]
2014-06-27 13:50:57:282 548 1260 Agent *************
2014-06-27 13:50:57:282 548 1260 Agent WARNING: WU client failed Searching for update with error 0x80072ee2
2014-06-27 13:50:57:302 548 e04 AU >>## RESUMED ## AU: Search for updates [CallId = {9CE06AB2-E859-4B4D-8D1A-193AD89623C5}]
2014-06-27 13:50:57:302 548 e04 AU # WARNING: Search callback failed, result = 0x80072EE2
2014-06-27 13:50:57:302 548 e04 AU # WARNING: Failed to find updates with error code 80072EE2
2014-06-27 13:50:57:302 548 e04 AU #########
2014-06-27 13:50:57:302 548 e04 AU ## END ## AU: Search for updates [CallId = {9CE06AB2-E859-4B4D-8D1A-193AD89623C5}]
2014-06-27 13:50:57:302 548 e04 AU #############
2014-06-27 13:50:57:303 548 e04 AU Successfully wrote event for AU health state:0
2014-06-27 13:50:57:303 548 e04 AU AU setting next detection timeout to 2014-06-27 22:50:57
2014-06-27 13:50:57:304 548 e04 AU Setting AU scheduled install time to 2014-06-28 05:00:00
2014-06-27 13:50:57:304 548 e04 AU Successfully wrote event for AU health state:0
2014-06-27 13:50:57:305 548 e04 AU Successfully wrote event for AU health state:0
2014-06-27 13:51:02:285 548 1260 Report REPORT EVENT: {BD25B39C-6570-454C-A046-AF3AF2DEBDD4} 2014-06-27 13:50:57:282-0400 1 148 101 {00000000-0000-0000-0000-000000000000} 0 80072ee2 AutomaticUpdates Failure Software
Synchronization Windows Update Client failed to detect with error 0x80072ee2.
2014-06-27 13:51:02:295 548 1260 Report CWERReporter::HandleEvents - WER report upload completed with status 0x8
2014-06-27 13:51:02:295 548 1260 Report WER Report sent: 7.6.7600.256 0x80072ee2 00000000-0000-0000-0000-000000000000 Scan 101 Managed
2014-06-27 13:51:02:295 548 1260 Report CWERReporter finishing event handling. (00000000)
2014-06-27 13:51:48:184 548 4b8 AU ########### AU: Uninitializing Automatic Updates ###########
2014-06-27 13:51:48:187 548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
2014-06-27 13:51:48:187 548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
2014-06-27 13:51:48:187 548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
2014-06-27 13:51:48:187 548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
2014-06-27 13:51:48:187 548 4b8 Report CWERReporter finishing event handling. (00000000)
2014-06-27 13:51:48:252 548 4b8 Service *********
2014-06-27 13:51:48:252 548 4b8 Service ** END ** Service: Service exit [Exit code = 0x240001]
2014-06-27 13:51:48:252 548 4b8 Service *************
2014-06-27 13:51:53:002 548 160c Misc =========== Logging initialized (build: 7.6.7600.256, tz: -0400) ===========
2014-06-27 13:51:53:002 548 160c Misc = Process: C:\Windows\system32\svchost.exe
2014-06-27 13:51:53:002 548 160c Misc = Module: c:\windows\system32\wuaueng.dll
Ran a batch file which resets the AU and WindowsUpdate registry keys and then runs the steps listed above:
regedit /s C:\WindowsUpdate.reg
regedit /s C:\AU.reg
net stop bits
net stop wuauserv
Ipconfig /flushdns
del C:\ProgramData\Microsoft\Network\Downloader\qmgr*.*
del /F /Q C:\Windows\SoftwareDistribution\*.*
sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
net start bits
net start wuauserv
wuauclt /resetauthorization /detectnow
After this runs, am able to connect to WSUS server for updates. I mentioned Group Policy changes because this only breaks after the Group Policy changes. It doesn't affect every client machine but most of them. Was wondering how the proxy gets reset from
none to the proxy server for Windows Updates?
Similar Messages
-
Group Policy changes cause Access Denied error for Domain Admin account
Hi All,
I am battling to get WSUS to work, and I think the route cause is problems editing the domain and domain controller group policy objects.
We have 1 DC, approx 20 clients. 1 GPO for DC, 1 GPO for clients. Ther e is a link to the default domain GPO in our staff (users) OU, I don't know if it should be there or not.
I log in as domain administrator, right-click the domain GPO in GPMC, click Edit.
Find the setting I want to edit (specify intranet microsoft update service location), double click.
Change something, click OK.
I get error:
Unhandled exception has occurred in a component in your application. If you click Continue, the application will ignore this error and attempt to continute.
Access is denied. (Exception from HRESULT: 0x80070005
(E_ACCESSDENIED)).
I have followed the steps in the links posted by Brent in another post called: "restricting-domain-admin-account-to-edit-group-policies" (no links allowed for my account yet sorry) and the user does have edit settings, delete, modify security delecation.
PLEASE NOTE: the solution may very well be something very simple/basic. I am reasonably computer savvy, but have just upgraded the whole network for an NGO on a voluntary basis. Never seen a sever before I came here, but I'm the best they have. Please bare
that in mind when offering advice :)
Any help appreciated!
JamesMore diagnostic info:
Inside GPMC, there's Group Policy Results.
If I right-click, Result Wizard, choose this computer, it works fine showing default domain controllers policy with alert that it's enforced.
If I browse for another PC (it comes up as Domain\PC name), click Next, I get error:
Failed to connect to DOMAIN\PCNAME due to the error listed below. Ensure that the Windows Management Instrumentation (WMI) service is enabled on the target computer, and consult the event log of the target computer for further details.
Details: the RPC server is unavailable.
If you need the recent related events, I will post them. I also checked that service on the client - it's automatic and started.
PPS Clients are all Win 7, PCs are 32bit, laptops are 64. Server is Windows Server 2012 Datacenter. WSUS when clicking Help -> About from the snap-in/GUI: 6.2.9200.16384.
PPPS Directory browsing for the whole WSUS object in IIS is enabled, thanks to SorinAlbu over at Spiceworks post WSUS and IIS.
PPPPS Launching IE and loading http://servername:8530/iuident.cab fails 404 error from both clients and server. That file in C:\Program Files\Update Services\WebServices\Root\iuident.cab doesn't exist. Maybe because we recently removed the WSUS role and reinstalled
it, to check if something went wrong the first time? It's all been configured using the snapin/GUI, but the new installation of the role hasn't yet connected to the Microsoft Update servers.
PPPPPS Added the Application Server role with default settings as recommended by the step by step guide to WSUS at Technet. Still no dice. -
Cases in which Domain Group Policy settings would be reverted to default settings on a Win7 client
Hi - I'm sure this info is out there somewhere, but I'm having a hard time finding it. Basically, I'm trying to identify the cases in which settings deployed via Domain Group Policy on 2008R2/Win7SP1 would get reverted back to "default settings"
on a Win7SP1 client that is still a member of the domain, and is in a proper OU, properly targeted, WMI filters should still evaluate true, etc...
For instance, it appears that if machine-level registry settings contained within a LocalGPO file on a client get corrupted (C:\Windows\System32\GroupPolicy\Machine\registry.pol), all of those settings, plus all machine level administrative template settings
defined in Domain Group Policy, get reverted to default settings (corresponds with Event ID 1096 in System Event Log where it references "LocalGPO"). I have not confirmed if this is the case for machine level settings defined outside of administrative
templates in Domain Group Policy, or for any user level settings though. (But I suspect not.)
When a workstation is unable to talk to a Domain Controller in order to identify applicable Domain Group Policy settings (for instance, this issue:
http://support.microsoft.com/kb/2421599/en-us), do administrative templates Domain Group Policy settings revert to defaults up until the next successful processing interval? I don't believe
so, but would like confirmation.
Are there any other cases in which Domain Group Policy settings for a client still joined to the Domain would be reverted to defaults?
And when a client is unjoined from the Domain, what Domain Group Policy settings would remain on the client? I understand that some Domain Group Policy settings outside of administrative templates are "tattooed" to the registry. Does
anyone know of a full list of these settings? I believe that most or all of the ones in Windows Settings\Security Settings are tattooed, and the only way to get these settings removed is to explicitly change them via registry edit or LocalGPO/Local Security
Policy, after unjoining the domain.
Any info/insight/links to other doc/etc would be much appreciated!Hi Shaun,
>>If a client cannot talk to a domain controller at all, admin template settings still stay in-place on the client, correct?
As far as I know, it's not this case. If a client can't communicate with domain controllers, it means that the GPOs applied to the client are out of scope. As suggested by
the article I provided, for native policy, "when a Group Policy object (GPO) goes out of scope, the policy setting is removed allowing the original configuration value to be used."
>>What if a client looses network connectivity while reading Domain GPO?
Group policy will be get updated when computers start up and users log on. Besides, for workstations, group policy will get refreshed at background with by default an interval
of 90 minutes. As long as workstations can restore network connectivity, the group policy settings will get updated.
>>Are there any other failure cases like this where some or all Group Policy settings (admin template or other areas) would get reverted?
There are many reasons which can cause GP malfunction. However, Windows itself provides necessary tools for troubleshooting various issues. When GP malfunctions, we can check
Event Viewer, collect group policy result, or generate group policy log to troubleshoot.
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best regards,
Frank Shen -
Preventing Domain Group Policy from being applied
How can a user prevent the domain group policy from being applied to his machine? And How can I stop users from doing that?
Hi,
No, group policy is processed by order, that is, local GPO is processed first, and then domain policy is processed by order, which would overwrite settings in the earlier GPOs if there are conflict.
If you don’t want to apply the domain policy, apply a higher precedence policy or disjoin the domain.
Group Policy processing and precedence
http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx
Alex Zhao
TechNet Community Support -
FTP-client behind RRAS - unable to connect to external FTP servers
FTP-client behind RRAS - unable to connect to external FTP servers
A small network (10-20PCs) without any segmentation - one LAN with one Gateway.
1. If the Gateway is some small hardware device, there are not any problems to make FTP-connections from LAN to Internet FTP-servers
2. If the Gateway is Win2003+RRAS+NAT or Win2003+ISA2005, there are not any problems to make FTP-connections from LAN to Internet FTP-servers
3. But if the gateway is Win2008+RAS+NAT or Win2012+RRAS+NAT, the computers in the LAN are not able to connect to Internet FTP-servers
I made a few tests:
1. On Win2012+RRAS+NAT
TurnOff Windows Firewall for All profiles (Domain, Private, Public) - the problem disappears, it it possible to connect to external Internet FTP-servers.
2. On Win2012+RRAS+NAT
TurnOff Windows Firewall only for Domain profile - the problem disappears, it it possible to connect to Internet FTP-servers.
3. On Win2012+RRAS+NAT
TurnOn Windows Firewall for All profiles (Domain, Private, Public)
But I excluded the Internal NIC in this list
Windows Firewall / Properties / Domain Profile / Protected network connections
and the problem disappears again
My question is:
What new Firewall rule I have to make and where to place it (to be able to make FTP-connection from LAN to Internet FTP-servers)?
I made some attempts to allow port21, but any success.Thank you, but did you try this ?
Can you describe in detail "exclusion rule for FTP traffic" ?!
In my previous post, I want to say that if you use Win 2008/2012 RAS+NAT as a network gateway, than it is not possible to make FTP-connections to external FTP servers from the computers behind that gateway.
And the standard attempts to make "Allow"-rules for port 21 in the gateway firewall (Win 2008/2012), do not solve the problem.
No matter which FTP-client you can try to use.
To see this problem, just make few simple tests:
">telnet <ftp-server> 21"
with firewall on/off and inbound/outbound "Allow port 21 rule (All/Domain/Private/Public)"
In my country, the Government Tax Department uses FTP-protocol to collect monthly data from companies.
And it is too stupid scenario (to be a small company and to) upgrade from Win 2003 to a newer 2008/2012 and than to not be able to make all your jobs.
-------EDIT---------
The same problem (and its solution) is described here:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/0c68aed6-e22b-4cd4-86bd-f3c767e88349/advanced-firewall-blocking-through-ftp-traffic-rras
The magic command:
">netsh routing ip nat delete ftp"
solved the problem for me.
And here is the description of this command - "Disables the FTP proxy on the NAT server."
http://technet.microsoft.com/en-us/library/cc754535(v=ws.10).aspx#BKMK_106 -
can't activate cs5 cause, keeps telling me unable to connect to internet, although am connected, any help please ?
it's a downloaded file. When i failed to activate it, i tried it trial bs it's expired and i wanna activate it . The serial number is right but it keeps telling me unable to connect to internet :s :s
-
Apply Group Policy to external clients
Is it possible to apply GPO's to clients on external networks such as their own personal networks. I'm looking at solutions such as authenticating them through a proxy on the perimeter network and are pushed to the Domain Controller to force these policies.
As it stands, the clients use a VPN client to gain access to the corporate network, and I know that group policy will use the Network Location Service to detect the Domain Controller, but the VPN connection is not mandatory and most be established by the client,
if this connection is not required for their job, the may never connect and not get updated GPO's.Hi,
I agree with Joseph. Unlike many traditional VPN connections, which must be initiated and terminated by explicit user action, DirectAccess connections are designed to connect automatically as soon as the computer connects to the Internet.
Regarding DirectAcces, the following articles can be referred to for more information.
Using DirectAccess
http://technet.microsoft.com/en-in/windows/dn168168.aspx
Windows Server 2012 Direct Access – Part 1 What’s New
http://blogs.technet.com/b/meamcs/archive/2012/05/03/windows-server-2012-direct-access-part-1-what-s-new.aspx
In addition, for this question mainly focuses on network, in order to get more and better help, we can also ask for suggestions in the following forum.
Network Access Protection
https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverNAP
Best regards,
Frank Shen -
How to implement " log on locally" via Domain Group Policy
Hello,
Thanks for always being very helpful.
My Goal:
I want to restrict one domain user to login to one computer only (admin/root users to login to every computer).
I searched and I believe there is no such direct way to implement via the group policy unless I may add one GPO per user to implement"log on locally" from the group policy.
Do you have some VB script or other good way so I should not login to each computer one by one and edit the policy manually.
Thanks in advance.
Muhammad Asif Server Administrator Linux/WindowsI am sorry if I wasn't cleared, I am managing about 250 users and want accomplish from some centralized locations. I don't want to go to every machine and apply the changes.
I want to let one domain user to login to one system only.
I have the list of computer name VS username, and I want to apply from centralized location without login to each computer one by one.
Thanks a lot for the assistance.
Muhammad Asif Server Administrator Linux/Windows
The solution can only be applied once at the DC with ADUC or with Set-ADUSer as I posted. It only needs to be run once from one DC.
¯\_(ツ)_/¯ -
ITunes won't work because of domain group policy
Hi my work just implemented a really stupid group policy through our domain that dissallows any file named iTunes.exe to run. The good news is I can rename iTunes.exe and get iTunes to work. That bad news is once I rename iTunes.exe the iPod service is unable to start. The iPod service I assume is what automatically launches iTunes when you plug in your iPod. Does anyone know if a way to let the iPod service and any other file that depends on iTunes.exe that I have renamed it?
I don't have a solution for you, but as a system administrator I feel I must comment.
I don't know about where you work -- but at my job, deliberate circumvention of policy is "abuse" and is considered grounds for termination. The computer you use at work is not yours; it belongs to the company you work for.
If you have a problem with the policy you should take it up with the administrators or your management -- not try to circumvent it. Perhaps the policy is based on a misunderstanding that you could clear up! You (your computer, really) might even be granted an exception to the policy. -
Group policy changed/device drivers
I admit, I should not have used slimdrivers to undtae my drivers but, I did. I only used it once and decided I wanted to use my pcs tools to updated rivers. I restored all drivers from slimdrivers and then went to device manager to update
my drivers. Ok, so far, im trying to get to my problem bare with me. After I did all this, I had been having troubles with my browser so I changed to comodo dragon. I was having problems with my point device (synaptics) and though maybe the
driver didn't install correctly or at all so when I went to device manager to update from there again, an error report came up saying that I have installed another ps/2 pointing device driver please uninstall the synaptics driver by clicking yes then you need
to reinstall your pointing device driver for your external device again. first off, I didn't change drivers for an external device. unless its referring to my laptop which is a HP G60-635Dx notebook, windows 7 (2009) It asked me if I wanted to uninstall
and I said no. My cursor was moving erratically while pointing to my game icons on zoo world 1 game on Facebook. it doesn't do this anywhere else when im on my laptop. just on the game. and only in comodo dragon. I switched back to IE 10
for now. chrome isn't an option as I deleted my user profile upon uninstalling it and deleting the browser history during uninstall. (I read later you cant so that or chrome wont reinstall) Unless you go to registry and reset the values to zero and im
to chicken to try it. I got the insturctions but, not the confidence. Ok so back to my problem. when slimdrivers was installed, from what I researched, did I give them permission as an administrator to update drivers? and did that take away
my advantages as an admin ? Im only asking this because when I was going thru the motions to control panel to figure things out, a lot of errors arose. one being that I changed my group policies and I know I didn't do it manually. Thru my research,
all I came up with is that group policies can be changed when you do something Like I did getting another website to download and install drivers. if I am right about this, how can I change the policy? should I e-mail slimdrivers? or is there an easy
way I can do it from my pc? another issue that arose was my error report says that my fire wall failed to load recommended setting for the firewall error code )x 80070422. I researched that on MS community by the error code but didn't get a fix.
another error code when I tried to go to advanced setting to change firewall settings was )x609. I couldn't have 2 firewalls set to on so I turned off windows defend FW because everytime Kaspersky updates the software, they turn theirs back on but windows
wont during their updates. I got all these problems because os slimdrivers. I didn't have nay of them before. restore points didn't work for me either. Do you think a tecj from here can help me solve these issues one at a time. I am a middle of
the road Pc user but unstand directions as long as abrv. aren't always used when helping me. thank you so very much. J.R.Hi Sablecat60,
According to your description, there are several errors: a lot of errors arose in control panel, group policies relating drivers and firewll failed to load recommended settings. Please give more detailed information about the issue to help us understand
correctly.
Since this is a forum about Group Policy and this issue is more than taht, and as you said you got all these problems
because os slimdrivers. We would try our best to help you. For your information, you can also connect
http://www.driverupdate.net/support.php
to get more help.
Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
Regards,
Lany Zhang -
Hello,
In my new company, I noticed that the default domain controllers policy has been (largely) modified.
I thought it was a best practice to keep it clean (In case of restore).
So I would like to create a new GPOs for my DCs to move some of those settings out of the default domain policy.
For example, "Add workstations to domain". If I want to create a new policy for this particular setting, what kind of rules am I supposed to follow to make sure that my new setting will be applied before the default DC policy ?
Is the GPO Link order enough ?
Thank youHi,
Just a confirmation, did you mean that want to overwrite some settings in the
Default Domain Controllers Policy?
Within each domain, site, and OU, the
Link Order controls the order in which GPOs are applied. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the
Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest
Link Order is processed last, and therefore has the highest precedence. Since Default Domain Controllers Policy is linked to the Domain Controllers organizational unit, you can create a new GPO and link it to this Domain Controllers organizational
unit, then control thier order of them via Link Order.
If anything I misunderstand or any update, please feel free to let us know.
Hope this helps.
Best regards,
Justin Gu -
Mail for exchange and domain group policy removing...
Hi,
I currently administer 2 domains, both server 2003 with exchange 2003. On the one domain I can configure any of our e series ( e51/e71/e72/e6) via MFE and permanently accept the untrusted SSL certificate. When I configure MFE to our other domain the option to accept the untrusted certificate has vanished..!
Anyone have any ideas? I'm sure that it's a group policy setting but I cannot spot it!turbominor wrote:
No certificates have been generated bar the ones that exchange installed by default
Hmm, I don't recall ever realizing that. Lol. In that case, what are you using as a root certificate? Nothing...which explains why the cert is untrusted? (As connections to your first Exchange server work normally, apparently you don't need a root cert for a secure connection?) I used to get mine from http://www.cacert.org/ and installed the root cert either manually or through a device management server.
I wasn't completely sure where I was going with my question, but just did a few web searches. Apparently Symbian phones don't like installing self-signed certificates. "Accepting a certificate permanently" does install the cert, although I'm not sure that's quite the same thing. You might skim http://discussions.nokia.com/t5/Eseries-and-Communicators/E72-Email-Accept-Certificate-Permanently/m... in case any of that is relevant. -
All SCCM clients are looking towards WSUS for the updates
Hello,
I have enabled "software based-client installation" option in SCCM2012 SP1 (did not configured any GPO manually), and now all my clients can no longer get the updates from Microsoft.
Below rejistries shows the name of WSUS server on all client:
Specify intranet Microsoft update service location
Set the intranet update service for detecting updates
Set the intranet statistics server:
I have unchecked the option to disable software based-client installation in SCCM server and also under "client settings", but it's not reverting the changes on all the machines automatically.
What should I do to fix this?
ThanksThanks for the reply Torsten and Charsiu, yes its true I can see this local policy created by the sccm on all machines.
Is it also possible for you to specify me the GPO setting that I should deploy, so far I have deployed the following setting with no help:
Computer connfigration - Administrative template - Win components / win updates
"Specify intranet Microsoft update service location" - disabled
"Turn on recommended updates via Automatic Updates" -enabled -
Client Security Solution - unable to open even see in Windows after succesfull install
Hello,
I just downloaded and successfully installed the latest Client Security Solution for windows 7. After installation it asks for restart, I do it but after reboot I don't see it (!). Under Lenovo ThinkVantage Tools is no CSS at all .. everything others are there, at least I hope. All other features I have are absolutely up to date, since the laptop has only few days and I did careful
updates on everything.
I don't understand, windows install it and there is nothing .. I don't even know where to search for it ... can you help me out
why can't I see the installed CSS?
Password manager 3.20 - but no fingerprint options
Backup and restore 4.31
Downloaded CSS should be 8.30
Solved!
Go to Solution.you can stop it from auto filling PWs in PWM uncheck the box for auto log in every saved PW should have this option you should see something like this but not exactly LIKE IT this is PWM4 BETA
Thinkpad R61 7733-1GU
Thinkpad X61T 7762-54U
Thinkpad X60T 6363-4GU
Did a member help you today? Thank them with a Kudo!
If a post answers your question, please mark it as an "Accepted Solution"!
Regards,
GMAC -
Shutdown workstations inactivity from domain group policy
I need to find a way to have workstations shut down after the user has walked away or has been inactive
meaning no keyboard, or mouse activity. Need to have the machines shut down. I have Active Directory on Windows 2003 server R2 Standard Edition SP 2. If I can have this done by active directory I would like to know how.
If it is not possible to do so with Active Directory I would like to know of any other suggestions to do this.I have some questions:
1. What research have you done on your own so far? (If you haven't researched it on your own, why haven't you done so, before asking?)
2. Is this a scripting question? (If so, please post the script and tell what errors, if any, you are getting.)
-- Bill Stewart [Bill_Stewart]
Maybe you are looking for
-
Error "Application not found" from SICF while trying to test WD service
Hi All, I am getting an error as "Application not found" when i am trying to test my web dynpro component service from SICF. This service is active as well. But when i copied the same URL and pasted it in browser then my web dynpro component opened.
-
How to restrict read access to certain document in stellent content server
Hi, We are using stellent content server to store project documents. We would like to restrict access to certain confidential documents. Users with Read / Write permission should not be able to access but admins with RWDA permission should be able to
-
Hi all, I have a JInternalFrame with two JPanel (firstPan and secondPan). In firstPan I put a JTree. When the user click on a node of JTree I views a specific JPanel into secondoPan. This JPanel is different for every node of JTree I have a class for
-
Snmp config impossible on Jetdirect 175x (J6035B)
Hej all, it's now quite a time I have troubles with my setup: Laserjet 3020 with Jetdirect 175x (J6035B). Initially I had troubles using the scanner via network. I permanently got the error 'Device in use by another user'. Finally I found a hint to
-
Unlimited data w/ iphone 5?
hi all, i'm sure were in the same boat here, trying to find a way to get unlimited data for the new iphone 5. verizon has confirmed that if you want to upgrade your unlimited data line, you will need to switch to a tiered data plan. however, i'm on a