Drive Block using group policy

Can anyone help me with this drive block?
I am unable to block the E & F drives for all users, so please advise with clear steps or commands: how do I write the drive-block script using Group Policy in Server 2012?
However, I tried through the registry but it's still not working. My only concern is how to block a few users from accessing the D drive and a few users from the F drive on the local system using Group Policy.
Thanks in advance.

What registry settings have you set?

Similar Messages

  • Does using Group Policy Preferences to deploy printers require the print driver to be pre-installed?

    I'm trying to prepare our school system for Windows 7 (we currently use XP).  I would like to use the new Group Policy Preferences method of deploying printers.  I pushed out the XP client side extensions through WSUS.  In my test environment, I added the shared printer in group policy preferences.  My XP machine had the printers show up automatically, but my Windows 7 machine did not.  I realized that I had previously connected a printer of the same type to my XP machine before and the drivers were already installed.  To test this theory, I manually connected the shared printers to the Windows 7 machine, deleted them, then logged off and back on.  Now the printers are showing up from group policy.  My question is does using group policy preferences to deploy printers require the print driver to be pre-installed?  If not, then what am I doing wrong?  If so, is there a way to work around this?  Thanks for your help.
    EDIT:  To clarify, I am using the share method in GPP.  This is the error message I get in the event log:
    The user 'PRINTERNAME' preference item in the 'win7 printer test {946461A1-27F8-406F-A0B3-0A1A05AF34F6}' Group Policy object did not apply because it failed with error code '0x80070bcb The specified printer driver was not found on the system and needs to be downloaded.' This error was suppressed.

    This link has a description of the resolution:
    http://technet.microsoft.com/en-us/library/cc725938.aspx
    Open the GPMC.
    Open the GPO where the printer connections are deployed, and navigate to Computer Configuration, Policies, Administrative Templates, Control Panel, and then Printers.
    Note
    The Point and Print Restrictions setting can also be found under User Configuration\Policies\Administrative Templates\Control Panel\Printers.
    This policy is ignored by Windows 7 and Windows Server 2008 R2, but is enforced by earlier editions of Windows including Windows XP with SP1, Windows Server 2003 with SP1, and Windows Server 2008. We recommend that you change
    this policy setting in both locations so that all down-level clients have a consistent experience.
    Right-click Point and Print Restrictions, and then click Properties.
    Click Enabled.
    Clear the following check boxes:
    Users can only point and print to these servers 
    Users can only point and print to machines in their forest 
    In the When installing drivers for a new connection box, select Do not show warning or elevation prompt.
    Scroll down, and in the When updating drivers for an existing connection box, select Show warning only.
    Click OK.

  • Block websites on Internet Explorer 11 using group policy

    Hi everyone,
    I have been trying to block websites for domain users using Group Policy on Windows Server R2 for IE. The problem is that in Internet Properties the Content Advisor option is not active.
    Thanks in advance.

    This is how you enable Content Advisor: User Configuration -> Administrative
    Templates -> Windows Components -> Internet Explorer -> Internet Control
    Panel -> Content Page
    Can't see a way to edit the content thereafter via GP, however.

  • "This program is blocked by group policy"

    Hi all.
    I have searched Google a fair bit on this but shockingly I just can't find an actual answer.  The Group Policy forum is where I should have started rather than finally come to :)
    I am no genius with GP, I use it in the most basic ways in very small orgs.  My users appear to all have the same problem, when they insert a removable media device that has software on it that might run or autorun, I get the "This program
    is blocked by group policy, contact your admin" message.  I don't believe this occurs with removable media just as just plain USB storage sticks.  So far the two examples I know of are for an Internet provider's USB broadband mobility stick, and
    another user that is using some Kodak products (SD card, camera, and even the Kodak CD I think). 
    Environment is 2008 R2, Win7 Pro workstations, all users are local admin on their machine.  All users are in the default Users container, and all computers are in the Computer container.  To my recollection I have never set a GPO that would directly
    or indirectly cause all users problems like this.  The only thing that has had indirect consequences that I know of in the past, was because we use many of the options available under Folder Redirection, including redirecting the Desktop.  In some
    cases, when a user has tried to launch an exe or what not that was on the desktop, it failed because it's trying to launch in truth on their user folder on the server, not really on the Windows Desktop.  I'm not sure if that might impact my current problem. 
    To start, where can I go to actually check GPOs for this?  Is this the Software Restriction Policy?  If so, which one governs, the one in User Configuration or Computer Configuration?  In both cases I went to GPMC and under both, it would
    say I had to go to the Actions menu to create a New Software Restriction policy.  I did so (just picking the item in the Actions menu), and the result was some choices under the actual GPO now, none of which I've yet configured. 
    So, I need to troubleshoot this but also to know where such a thing causing this error message would be set under normal circumstances.  Also, could antivirus cause this?  I can't see the error saying "group policy" if it did though. 
    Thank you very much. 

    Hi,
    Thanks for posting your issue in the forum.
    Based on your description, I suspect that maybe Software Restriction Policy has been configured in the domain. At this time, I suggest we could try to collect the following information to narrow
    down the cause of the issue.
    GPMC.log
    ==================
    a. On domain controller, click Start ->Run, type GPMC.MSC, it will load the GPMC console.
    b. Right click on "Group Policy Result" and choose wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose computer and select the proper
    user in the wizard)
    c. Right click the resulting group policy result and click "Save Report…" to save the report to an HTML file.
    Once we get the report, please check if the Software Restriction Policy has been configured and applied to the problematic computers and users. If so, please disable the policy setting to see
    if the issue persists.
    In addition, please try to refer to the following articles for detailed information about Software Restriction Policy and how to troubleshoot Group Policy problems.
    Software Restriction Policies
    http://technet.microsoft.com/en-us/library/hh831534.aspx
    Troubleshooting Group Policy Problems
    http://technet.microsoft.com/en-us/library/cc787386(v=ws.10).aspx
    Hope this helps.
    Best Regards,
    Andy Qi

  • Installation blocked by group policy designed to prevent CryptoLocker

    We have followed the steps outlined by bleepingcomputer.com to prevent as best we can the CryptoLocker virus.  Link to article: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#prevent
    Please update your Reader installer to not use %AppData%\Local\Temp\.  The CryptoLocker prevention method involves blocking that and the following paths.  I know many businesses using these techniques.
    Block CryptoLocker executable in %AppData%
    Path: %AppData%\*.exe
    Security Level: Disallowed
    Description: Don't allow executables to run from %AppData%.
    Block CryptoLocker executable in %LocalAppData%
    Path if using Windows XP: %UserProfile%\Local Settings\*.exe
    Path if using Windows Vista/7/8: %LocalAppData%\*.exe
    Security Level: Disallowed
    Description: Don't allow executables to run from %AppData%.
    Block Zbot executable in %AppData%
    Path: %AppData%\*\*.exe
    Security Level: Disallowed
    Description: Don't allow executables to run from immediate subfolders of %AppData%.
    Block Zbot executable in %LocalAppData%
    Path if using Windows XP: %UserProfile%\Local Settings\*\*.exe
    Path if using Windows Vista/7/8: %LocalAppData%\*\*.exe
    Security Level: Disallowed
    Description: Don't allow executables to run from immediate subfolders of %AppData%.
    Block executables run from archive attachments opened with WinRAR:
    Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
    Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
    Security Level: Disallowed
    Description: Block executables run from archive attachments opened with WinRAR.
    Block executables run from archive attachments opened with 7zip:
    Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
    Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
    Security Level: Disallowed
    Description: Block executables run from archive attachments opened with 7zip.
    Block executables run from archive attachments opened with WinZip:
    Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
    Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
    Security Level: Disallowed
    Description: Block executables run from archive attachments opened with WinZip.
    Block executables run from archive attachments opened using Windows built-in Zip support:
    Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
    Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
    Security Level: Disallowed
    Description: Block executables run from archive attachments opened using Windows built-in Zip support.

    Hi, I am using a Toshiba personal laptop, Windows 7 Home Premium. No one else uses it, nor have I brought it to any business, other home, etc.
    I have been blocked by group policy for 3 months.  I have spent over 200 dollars on ITs to only tell me they have never seen this before, and to buy a new laptop. I have no idea why I am the admin, and only user, yet all I can open is AOL.
    I am at my wits' end, and will go buy another laptop, definitely nothing like this one. I have lost a lot of time and money trying to fix this, late payments etc.
    Thanks for any input
    aimee
    Oh, my ISP is Cox, and I have a router

    Reading this, I am able to identify that you are contaminated with malware; it may have also affected your recovery.
    Try recovery to factory fresh and then install Microsoft Security Essentials so that you have 1/2 a chance next time.

  • Programs Blocked by Group Policy - But Why?

    Hi, I'm hoping someone can help with this... I'm an IT technician and one of my clients has suddenly experienced an issue whereby they can no longer execute two programs without right clicking and selecting "Run As Administrator". This happened
    "out of the blue" and without any warning or trigger event. The user has been running this same configuration for months before this issue started happening. The only possible event was the user reported possibly running some sort of malware from
    an email attachment they thought was safe but later determined it came from an unknown source. HOWEVER, all current virus and malware scans come up clean.
    If they just click the icon and do a normal execute they receive the message "Program blocked by Group Policy". They are on a domain, however, there have been NO changes to any of the group policies AND no other users are experiencing the issue
    despite the fact all the users are contained in the same security group on the domain controller.
    The two programs this user can no longer execute, without elevation, are: AVG Antivirus Business edition and Symantec PC Anywhere.
    I've been all over Google and made some recommended changes via gpedit.msc but nothing has helped so far. I also did a gpupdate and tried turning UAC on and off but the behavior is the same regardless of the state of UAC.
    Anyone have any suggestions? Thanks much,
    --Rick

    The malware may have put in a registry entry under policies that is
    causing your behaviour.
    As a last resort you could try this:
    Logon as an Administrator
    Navigate to HKLM\Software\Policies and nose around to see if anything
    there might be the cause.
    Next, Navigate to
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies and do the
    same.
    If nothing jumps out at you, back up both of these registry keys then delete them and then
    run GPUPDATE /FORCE and see if problem is still there.
    If so, try all the above steps again, but this time use HKCU instead
    of HKLM.
    Ha®®y
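
    A read-only way to do the "nose around" step from the reply above, and to check whether path rules like the ones listed in the CryptoLocker thread are present on a machine. This is an added example, not code from any poster; it assumes the standard Software Restriction Policies registry layout under Safer\CodeIdentifiers, and the function names and the C:\PolicyBackup folder are hypothetical.

```powershell
# Added example, not from the thread. Nothing here deletes or changes policy;
# Export-PolicyKey only writes .reg backups. Function names and the
# C:\PolicyBackup folder are hypothetical.

# Software Restriction Policy level IDs (subkey names under CodeIdentifiers).
$SrpLevelName = @{
    '0'      = 'Disallowed'
    '4096'   = 'Untrusted'
    '65536'  = 'Constrained'
    '131072' = 'Basic User'
    '262144' = 'Unrestricted'
}

function Get-SrpLevelName([string]$Id) {
    if ($SrpLevelName.ContainsKey($Id)) { $SrpLevelName[$Id] } else { "Level $Id" }
}

function Get-SrpPathRule {
    # Lists SRP path rules (for example %AppData%\*.exe = Disallowed).
    # HKCU is the hive of the account running the script, so run it as the
    # affected user as well as an administrator.
    param([string[]]$Hive = @('HKLM:', 'HKCU:'))

    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($h in $Hive) {
        $base = "$h\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (-not (Test-Path -LiteralPath $base)) { continue }

        foreach ($level in Get-ChildItem -LiteralPath $base) {
            $pathsKey = "$($level.PSPath)\Paths"
            if (-not (Test-Path -LiteralPath $pathsKey)) { continue }

            foreach ($rule in Get-ChildItem -LiteralPath $pathsKey) {
                $stamp = $rule.GetValue('LastModified')   # FILETIME stored as a QWORD
                [pscustomobject]@{
                    Hive         = $h
                    Level        = Get-SrpLevelName $level.PSChildName
                    # Keep %AppData% etc. unexpanded so the rule reads as written.
                    Path         = $rule.GetValue('ItemData', $null, $noExpand)
                    Description  = $rule.GetValue('Description')
                    LastModified = if ($stamp -is [long]) { [DateTime]::FromFileTimeUtc($stamp) }
                    RuleId       = $rule.PSChildName
                }
            }
        }
    }
}

function Get-SrpDefaultLevel {
    # The default level decides what happens to programs no rule matches.
    param([string[]]$Hive = @('HKLM:', 'HKCU:'))
    foreach ($h in $Hive) {
        $base = "$h\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (-not (Test-Path -LiteralPath $base)) { continue }
        $value = (Get-Item -LiteralPath $base).GetValue('DefaultLevel')
        if ($null -ne $value) {
            [pscustomobject]@{ Hive = $h; DefaultLevel = Get-SrpLevelName ([string]$value) }
        }
    }
}

function Get-ExplorerRunRestriction {
    # Program lists under the second key the reply names
    # (...\CurrentVersion\Policies\Explorer\DisallowRun and RestrictRun).
    param([string[]]$Hive = @('HKLM:', 'HKCU:'))
    foreach ($h in $Hive) {
        foreach ($list in 'DisallowRun', 'RestrictRun') {
            $key = "$h\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\$list"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $item = Get-Item -LiteralPath $key
            foreach ($name in $item.GetValueNames()) {
                [pscustomobject]@{ Hive = $h; List = $list; Program = $item.GetValue($name) }
            }
        }
    }
}

function Export-PolicyKey {
    # The "back up both of these registry keys" step, for HKLM and HKCU.
    param([string]$Destination = 'C:\PolicyBackup')
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $keys = 'HKLM\Software\Policies',
            'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies',
            'HKCU\Software\Policies',
            'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
    foreach ($k in $keys) {
        $file = Join-Path $Destination (($k -replace '\\', '_') + '.reg')
        & reg.exe export $k $file /y 2>$null | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not export $k (key may not exist)" }
    }
}

Get-SrpDefaultLevel        | Format-Table -AutoSize
Get-SrpPathRule            | Sort-Object Hive, Level, Path | Format-Table -AutoSize -Wrap
Get-ExplorerRunRestriction | Format-Table -AutoSize
# Export-PolicyKey   # uncomment to write the backups before changing anything
```

    A rule whose LastModified time or Description does not match anything the domain GPOs define is the kind of entry the reply suggests looking for.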

  • "Blocked by group policy"

    My Photoshop Elements 10 will no longer work on my home computer. When I try to use it, a pop-up will state "This program is blocked by group policy". I am not aware of any changes that I have made to the computer to cause this. Any ideas?

    Look in AppLocker to see if there are rules restricting things:
    http://www.sevenforums.com/tutorials/7844-applocker-create-new-rules.html
    If you know your way around your computer to some extent, open a command prompt, and get a report of your group policy settings, and post it in a message here.  Specifically:
    Start / Run / cmd
    C:\whatever> cd \
    C:\> gpresult /z > c:\gp.txt
    C:\> notepad c:\gp.txt
    In notepad:  Ctrl-A, Ctrl-C (to select all and copy the text)
    Paste the contents of the clipboard into a reply on the web version of the forum.

  • Group Policy Preference Power Plan "Blocked By Group Policy"

    I noticed this error in the application event log of a Windows 7 PC:
    Log Name:      Application
    Source:        Group Policy Power Options
    Date:          3/21/2013 3:19:42 AM
    Event ID:      4098
    Task Category: (2)
    Level:         Warning
    Keywords:      Classic
    User:          SYSTEM
    Computer:      xxx
    Description:
    The computer 'Power Plan (Windows Vista and later)' preference item in the 'Windows 7 Desktop Power Plan {A078F08F-45CC-4209-A264-FE0CB5635A99}' Group Policy object did not apply because it failed with error code '0x800704ec This program is blocked by group
    policy. For more information, contact your system administrator.' This error was suppressed.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Group Policy Power Options" />
        <EventID Qualifiers="34305">4098</EventID>
        <Level>3</Level>
        <Task>2</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-03-21T10:19:42.000000000Z" />
        <EventRecordID>7687</EventRecordID>
        <Channel>Application</Channel>
        <Computer>xx</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data>computer</Data>
        <Data>Power Plan (Windows Vista and later)</Data>
        <Data>Windows 7 Desktop Power Plan {A078F08F-45CC-4209-A264-FE0CB5635A99}</Data>
        <Data>0x800704ec This program is blocked by group policy. For more information, contact your system administrator.</Data>
      </EventData>
    </Event>
    How can I find out exactly why it is not working?  "Blocked by group policy" is not specific enough.

    Hi,
    You can also enable GPP tracing and logging for more information:
    Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure Power Options preference logging and tracing
    http://blogs.technet.com/b/askds/archive/2008/07/18/enabling-group-policy-preferences-debug-logging-using-the-rsat.aspx
    Regards,
    Cicely
    There is no such option "Configure Power Options preference logging and tracing" at Computer
    Configuration\Policies\Administrative Templates\System\Group Policy\.
    In alphabetical order, Always use local ADM files ... is followed by Disallow interactive users from generating ...  Not

  • Uninstall Lync 2010 client, Install Lync 2013 using Group Policy/VB/MS Customisation Tool

    Hi, I am using Group Policy/vb/Lync customization tools to deploy 2013 and remove 2010. The machines have Office 2010. The vb script is as below:
    Dim objShell 'As Object
    Dim objFSO 'As FileSystemObject
    '-- SET OBJECTS
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objShell = CreateObject("WScript.Shell")
    strComputerName = objShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
    Dim WshNetwork : Set WshNetwork = WScript.CreateObject("WScript.Network")
    objShell.Run """\\xxxxxxxxx - Do not Remove\Lync Install 2013 2010\Lync 2013 Outlook 2010\setup.exe"""
    I have amended the OCT with relevant settings; Lync 2013 installs but Lync 2010 does not uninstall. Here is how I have it set:
    In the Office Customization Tool - Set-up - Add Installation and Run Programs,
    In target - pointing to the Lync2010 exe file (on above share)
    In Arguments - /silent /uninstall
    Is this correct?
    Also, I would have thought that Remove Previous Installations would have an option to remove Lync2010?
    Anyway..pulling my hair out here!
    Hope you can help.

    Hi,
    Based on your description, we can refer to the following threads for help.
    Slient Unninstall of Lync 2010 on client machines script required
    http://social.technet.microsoft.com/Forums/lync/en-US/69e32128-4581-4be5-9a44-b5d133e1f480/slient-unninstall-of-lync-2010-on-client-machines-script-required
    Scripting a Lync 2010 client Uninstall
    http://social.technet.microsoft.com/Forums/en-US/a65bd0d0-daa1-4616-8725-63f349fdde86/scripting-a-lync-2010-client-uninstall?forum=lyncconferencing
    As this issue is more related to Lync, in order to get better help, we can ask the question in the following TechNet dedicated Lync forum.
    Lync 2010 and OCS - Lync Clients and Devices
    http://social.technet.microsoft.com/Forums/lync/en-US/home?forum=ocsclients&filter=alltypes&sort=lastpostdesc
    In addition, as it also involves scripts, we can also ask for help in the following scripting forum.
    The Official Scripting Guys Forum
    https://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG&filter=alltypes&sort=lastpostdesc
    Hope it helps.
    Best regards,
    Frank Shen

  • "This program is blocked by group policy. Contact admin"

    This message comes up when I try to manage accounts in the Control Panel. What do I do?

    Sounds like this has been blocked by Group Policy. Run a GPRESULT /h on the computer to see if this is being pushed to you as a Domain GPO. If so... contact your administrator and ask them about the restriction.
    Alan Burchill (MVP)
    http://www.grouppolicy.biz
    @alanburchill

  • How to use Group Policy to remove the shutdown button on the logon screen

    Environment:  Shared use computers running Windows 7 Professional and MS Office Suite; Windows 2008 Standard server, Windows 7 EC Domain Policy and MS Office 2007 ADML Template downloaded from Microsoft. Windows 7 Accounts OU.
    I am in the process of developing a shared use computer lockdown policy for several Windows 7 computers that will be made available in my client's computer lab.  I need to use a group policy setting to remove the Shut Down button on
    the logon screen of the Windows 7 client computers.  I am editing the Windows 7 EC Domain Policy to user accounts in a Windows 7 Accounts OU that I created.  I am using the Group Policy editor in the Group Policy Management Console.  
    Please let me know the best practice for accomplishing this using Group Policy editor.
    Thanks.
    P.S. I tried a setting recommended in the following link in the Windows 7 EC Domain Policy which did not seem to work.
    http://www.windowsitpro.com/article/group-policy/can-i-use-group-policy-to-display-or-remove-the-shut-down-button-on-the-logon-screen-.aspx

    Hi Vernon,
    I tried the group policy you mentioned (Computer Configuration, Windows Settings, Security Settings, Local Policies, and select Security Options, "Shutdown: Allow system to be shut down without having to log on") and it worked on a Windows 7 client.
    Thus you may need to check if the group policy you created is actually applied to clients.
    A screenshot can be found here:
    http://cid-b7ed40feb32ba29f.office.live.com/self.aspx/.Public/desktop/Capture.JPG

  • Applying custom Group policy to existing users using group policy

    Hello Everyone,
    I am unable to find a way to push a custom theme to client PCs using group policy.
    I have tried the "Load a Specific Theme" Group Policy but it is only applying to a new user logging on to Windows.
    I have a custom theme that I want to load to every existing user's machine.
    Is there any way to do it using GPO?

    Apply theme group policy does not work. Known issue.
    I use a vb script,
    '@SLH // This script applies the theme pack
    On Error Resume Next
    Dim themeApplied, strRegistryKey
    'Read the marker written on a previous run (stays Empty if the value does not exist yet)
    themeApplied = CreateObject("WScript.Shell").RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\themeApplied")
    Select Case themeApplied
        Case "yes"
            'Has been set once before, nothing happens!
        Case Else
            'Has not been set before, Company theme is applied
            strRegistryKey = readFromRegistry("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperSource", "C:\Windows\web\wallpaper\Windows\img0.jpg")
    End Select
    Function readFromRegistry (strRegistryKey, strDefault)
        Dim WshShell, value
        Set WshShell = CreateObject("WScript.Shell")
        value = WshShell.RegRead(strRegistryKey)
        'Only act while the user still has the default wallpaper
        If strDefault = value Then
            'Write key in registry
            WshShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\themeApplied", "yes", "REG_SZ"
            'Applying theme from server
            'Remember to change the path to the location of your .themepack file
            WshShell.Run "rundll32.exe %SystemRoot%\system32\shell32.dll,Control_RunDLL %SystemRoot%\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:""\\seraddressto\ Default.themepack"""
            WScript.Sleep 1000
            'Close the Desktop Properties window that the theme change opens
            WshShell.AppActivate("Desktop Properties")
            WshShell.Sendkeys "%{F4}"
        End If
    End Function
    I then run this in a run once script when the user first logs in, this sets the theme once on new profile generation.

  • Use Group Policy to prevent other network connections

    I need to define a Group Policy which says that IF a user is in the company's Domain network, no other connections are available. So if the user is not connected to the Domain network he should be able to connect to any network he wants.
    Are there any possible solutions to this?
    Best regards.

    Hi,
    >>Use Group Policy to prevent other network connections
    As far as I know, group policy can’t help us do this. However, when a user is in the company and there is just domain network, he or she may not be able to connect to other
    network.
    Best regards,
    Frank Shen

  • Using Group Policy to Set Windows Font DPI size

    I was in need of a way to change the Windows 7 user interface to use the Font size of 100% (vs the default of 125%) for custom applications on our network.
    Many searches on the net did not provide an easy way to accomplish this via Group Policy. The font size is PER USER and not PER MACHINE.
    I found a method using Group policy preferences (GPP) to configure the Font DPI size and wanted to share it for others who might need to do the same...
    I created a new GPO for the users needing this font size and linked it to their OU. Then configured the following:
    User Configuration \ Preferences \ Registry (Right click and select NEW \ Registry Wizard)
    Configure the following DWORD key: HKEY_CURRENT_USER\Control Panel\Desktop\LogPixels
    Use the values as needed:
    00000060 (Small Font Size 100%)
    00000090 (Medium Font Size 125%)
    00000144 (Large Font Size 150%)
    I used 00000060 to set the Small Font Size of 100%. Gpupdate /force a test client machine, then logoff/logon and see the setting take effect.
    When users try to change the font size via the control panel, the value will be overwritten the next time the group policy updates. I'd even recommend preventing users from being able to change the font DPI with another GPO setting:
    User Configuration \ Policies \ Administrative Templates \ Control Panel \ Personalization \ Prohibit selection of visual style font size = Enable
    Just wanted to share this for anyone needing to change the Windows 7 default font DPI size en masse using Group Policy. We can thank Microsoft for not giving us an ADMX template for this issue!!!!
    Drumgod
    me

    User Configuration \ Policies \ Administrative Templates \ Control Panel \ Personalization \ Prohibit selection of visual
    style font size = Enable
    This policy setting states that it is supported on Windows Server 2003, Windows XP, and Windows 2000 operating
    systems only. 
    The description on this setting says that it disables the "Font size" drop-down list on the Appearance tab in Display Properties. This does not exist in Windows 7. I don't think the DPI setting you are talking about is the equivalent.
    The other setting is good to have enough. Thanks for the tip!

  • Assign a local logon script using Group Policy

    Is there a way to assign a local logon script using Group Policy? The reason I ask is that I wrote a logon/logoff script that will record the date/time, user, and computer for everyone who logs on to any machine in the domain. Right now it's set on a domain
    GPO, so it works great for domain accounts, but I'd like to extend that functionality to local accounts as well. The only way I know how to do that would be to set my script to run using the local policy. Since I don't want to manually go around to all 400+
    machines in my domain, I would rather find a simpler way of modifying the local policy. Any ideas?

    Martin, thank you for your response. That's exactly the kind of out-of-the-box answer I was looking for; unfortunately, it looks like I can only do that for Logon scripts. I don't see an option for Logoff. (Maybe they took the Logoff functionality out?
    This article says there should be a Logoff item in the GPO, but they're talking about Windows 2000 in that article.)
    Matthias, I started playing around with what you said, and I noticed that the "Scripts" key only seems to show up on my Windows 7 clients. The XP workstations don't have that key. Plus I did some testing, and I think I can do it without having
    to mess with the registry at all.
    So I think I have a workable solution at the moment. I found
    this article that talks about copying Local Polices from one computer to another. I tried manually setting the Logon/Logoff scripts in the Local policy on a fresh machine. From that reference computer I copied the Scripts folder out of the %SYSTEMROOT%\System32\GroupPolicy\User
    directory. It also created a gpt.ini file in the %SYSTEMROOT%\System32\GroupPolicy directory. The gpt.ini file contained an attribute called gPCUserExtensionNames, and one called Version. The gPCUserExtensionNames attribute specified two GUIDs, which
    I assumed to be the GUIDs that identify the Local Policy. I tried manually creating the Local policy on several different machines, with several different Operating Systems, and those GUIDs always seemed to be the same (not sure why). So I copied the gpt.ini
    file off the reference machine as well. When I placed all of the files I copied from the reference machine on to a new machine, everything seemed to work just fine (no registry modification necessary), with one caveat. It seemed to be running the script twice.
    So I went back into the gpt.ini file and deleted one of the GUIDs listed under gPCUserExtensionNames, and now the script runs just once!
    So I think this solution will work ok for me. We don't have any other Local Policies in place, so demolishing all existing Local Policies is perfectly acceptable in my case. I'm just not sure if I'm doing any damage by copying the gpt.ini file from a reference
    machine (if anyone can expand on how that works, I would appreciate the peace of mind that I'm not making things worse by doing this). So all I need now is to write a Startup script, or an SCCM package to deliver the Logon scripts and associated ini files
    to the appropriate location on all the domain PCs. Easy enough to do on my own. If anyone knows of a reason why this method is a bad idea, please post here. I'll be testing it out on a handful of PCs in the mean time.
    Hi Guys,
    Will this solution work for my case? I have a forcereboot batch script that I need to load on the local policy (logoff script through GPEDIT); however, I can only load it manually. I need to do it on multiple machines (approx 5000 computers). I am having
    trouble doing it using PowerShell. Are there any other options to do it? 
    Will I have to use the same GUIDs you mentioned in the gpt.ini file (gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]) since it refers to the local script, and how about the version in the gpt.ini file?
    Thanks in advance.
    Dash
    https://social.technet.microsoft.com/Forums/en-US/1f636042-bcff-498d-93c0-e1aa89f80961/how-to-load-a-script-on-the-local-group-policy-on-multiple-computers?forum=mdopagpm
