EMET v5.1 ADMX Group Policy Template Issue - Default protection settings can't be disabled

Similar Messages

• Using Office 2013 group policy template to define Trusted Locations and Template Locations doesn't work

  User Configuration/Policies/Administrative Templates
  - Using Office 2013 group policy template to define Trusted Locations and Template Locations doesn't work
  Microsoft Word 2013/Word Options/Security/Trust Center/Trusted Locations
  - Allow Trusted Locations on the network: 
  Enabled 
  - Trusted Location #1: 
  Enabled 
  Path:  //server/sharedfoldername   [Edit:  Path:
  \\server\sharedfoldername]
  Date: June 10, 2013
  Description: Trusted Location
  Allow sub folders: Enabled
  The policy appears to apply to the client correctly by adding the following registry key and values:
  HKEY_CURRENT_USER\Software\Policies\Microsoft\office\15.0\word\security\trusted locations\location1
  allowsubfolders: 1
  date: June 10, 2013
  Description: Trusted Location
  Path:  //server/sharedfoldername  [Edit: Path: 
  \\server\sharedfoldername]
  However, when you open Word Options/Trust Centre/Trust Centre Settings…/Trusted Locations
  There are no trusted locations listed under ‘Policy Locations’
  I have tried setting similar settings for setting the Shared Templates folder location and just like the trusted locations policy, the registry keys are created properly in HKEY_CURRENT_USER\Software\Policies however word doesn’t
  seem to recognize these either.
  This used to work flawlessly using the administrative templates for Word 2007 and 2010. Has anyone been able to get these policies to apply successfully, or know why office doesn’t recognize these settings from the Policies registry
  Key?

  This would have been an easy solution to the issue.  Unfortunately it isn't the problem.  This question was originally posted on another Microsoft site and
  was transferred here and when it was transferred the path's changed from the original post: 
  \\server\sharedfodlername to //server/sharedfoldername.  (I will edit the question to show up as it did in the original post) Not sure how that happened.  This
  is still an issue that I haven't been able to get working correctly.
  As it turns out the 'New from Template' interface Word 2013 has developed is very bulky with large thumbnails and is not very customizable nor practical for an office
  that has a large number of templates.   Because I am unsatisfied with the display and performance of the 'New' template chooser I sought after a solution to change the way word creates a document from a template in another thread: 
  http://answers.microsoft.com/en-us/office/forum/office_2013_release-word/how-can-you-change-the-display-of-templates-in/d49194b9-a6b4-4768-8502-7d7b50e9dd65 working through this issue with Jay we were able to develop
  some VB script with handles a very large number of templates in a list view and it works much faster than the built-in Word interface.  The above thread is how I've worked around trying to define a shared template location and I am quite happy with it.

• Group policy template for Novell Client for Windows 7

  Does anyone know if there is a group policy template for the Novell Client for Windows 7? I find it really hard to believe that Novell has not yet released one, but I cannot find one anywhere. We use ZCM 11.2, and I really need to be able to send out settings for the client via a group policy.
  By the way, I am also posting this on the Novell Client forum, but since this is also a ZCM thing, I am hoping I might get some feedback here.
  Rick P

  Two recent/new resources are available for the Novell Client 2 SP3 for Windows:
  Cool Solutions AppNote: Novell Client 2 SP3 for Windows: Registry Settings
  Novell Client 2 SP3 for Windows: Registry Settings | Novell User Communities
  Cool Solutions Tool: Group Policy Administrative Template for Novell Client 2 SP3 for Windows
  Group Policy Administrative Template for Novell Client 2 SP3 for Windows | Novell User Communities

• Server 2012 Group Policy Templates installed on Server 2008 R2

  Setup: 2 x Domain Controllers running Server 2K8 R2 SP1
  We are currently running our environment with IE9 and want to upgrade to IE11. However 2K8 R2 group policy doesnt support IE11 unless you upgrade your DC's to this version of IE. We are not going to deploy IE11 all at once but instead as we reimage or replace
  PC's. 
  My question is can install http://www.microsoft.com/en-us/download/details.aspx?id=36991 Server 2012 templates on 2008 R2 and have the ability to apply GP objects to both versions of the browser? Will it's possibly make some of the current GP's ineffective
  by erasing some settings?
  Maybe there is a better was for me to do this? Any help on this would be appreciated! Thanks in advance. 
  I will monitor this thread very closely and reply to any questions as soon as I can. Thanks!
  BCU

  Yes this can be done and its advisable to install the latest and greatest admx templates, please be aware that from IE10 upwards IE maintenance is deprecated and applied via a GPP, id advise you create a central store for your Admx and adml files if not
  already done so
  http://support.microsoft.com/kb/929841
  http://support.microsoft.com/kb/929841

• Group Policy Templates - Namespace Already Defined

  Hi,
  I've got 2 Citrix environments (versions 6.5 and 7.6).  The older farm is currently using Citrix Profile Management GP template 4.1.1.  I would like to use the newer template 5.2.0 for the new farm but I'm getting the "Namespace 'Citrix' is
  already defined as the target namespace for another file in the store" error.
  We're using a central store for GP.  I would like to keep the status quo on the 6.5 farm but use the newer template for the 7.6 farm.  Is it possible to use 2 different versions of a template that has the same namespace?
  There's the option to upgrade the older farm to use the newer template but would like to avoid that as it'll be decommissioned once the 7.6 farm is online.
  Thanks.

  > possible to use 2 different versions of a template that has the same
  > namespace?
  No. If you require this, you cannot use a central store, but use 2
  different workstations holding the appropriate ADMX files. Starting with
  8.1 you can disable the central store for individual computers:
  https://sdmsoftware.com/group-policy-blog/tips-tricks/override-the-group-policy-admx-central-store/
  Greetings/Grüße,
  Martin
  Mal ein
  gutes Buch über GPOs lesen?
  Good or bad GPOs? - my blog…
  And if IT bothers me -
  coke bottle design refreshment (-:

• Local group policy application issues

  I'm having some issues with applying local group policies using ZCM 11.2.3a. Basically, not all of the settings I've applied in the GPO are being applied to the PC.
  The setup is this:
  * Applying policies to Windows 7 Enterprise x64
  * User Group Policies are applied first, then Computer policies are applied. User policies seem to be applying correctly.
  * Security settings in the Computer Group Policy are applying correctly (eg, renaming the local administrator and guest account, displaying a message prior to the logon window).
  * The policies list in the ZCM agent properties reports that the policy has been successfully applied.
  * No settings in the 'Administrative Templates' section of the policy are applied to the PC.
  Checking in gpedit.msc, policies show that they're enabled. However if I run rsop.msc, there's no administrative templates section in the computer policy at all. If I run gpupdate /force, I also get errors for the computer configuration - 'The processing of Group Policy failed because of an internal system error'.
  This is a new policy package I've created from scratch within the past week.
  I've just now also gone and created a brand new test policy package, with one setting in admin templates configured, and one in security settings. This one has successfully applied correctly.
  Is anyone else seeing issues like this? It's not the first strange behaviour I've been seeing with ZCM policy application, and not the first policy package we've had that's become corrupted. I'm really starting to lose confidence in policy application via ZCM. Unfortunately, with no AD in our environment, I've got no alternative.

  Originally Posted by thatsnotme
  I'm having some issues with applying local group policies using ZCM 11.2.3a. Basically, not all of the settings I've applied in the GPO are being applied to the PC.
  The setup is this:
  * Applying policies to Windows 7 Enterprise x64
  * User Group Policies are applied first, then Computer policies are applied. User policies seem to be applying correctly.
  * Security settings in the Computer Group Policy are applying correctly (eg, renaming the local administrator and guest account, displaying a message prior to the logon window).
  * The policies list in the ZCM agent properties reports that the policy has been successfully applied.
  * No settings in the 'Administrative Templates' section of the policy are applied to the PC.
  Checking in gpedit.msc, policies show that they're enabled. However if I run rsop.msc, there's no administrative templates section in the computer policy at all. If I run gpupdate /force, I also get errors for the computer configuration - 'The processing of Group Policy failed because of an internal system error'.
  This is a new policy package I've created from scratch within the past week.
  I've just now also gone and created a brand new test policy package, with one setting in admin templates configured, and one in security settings. This one has successfully applied correctly.
  Is anyone else seeing issues like this? It's not the first strange behaviour I've been seeing with ZCM policy application, and not the first policy package we've had that's become corrupted. I'm really starting to lose confidence in policy application via ZCM. Unfortunately, with no AD in our environment, I've got no alternative.
  We have the same problem.
  It does not occur on all clients. Only sporadically. Some settings are applied, some not.
  We also have ZCM 11.2.3a in use.
  Have you already opened a SR on this? Can you let us share the information? Perhaps an SR number so that we can attach ourselves?
  Thanks Stefan

• ActiveX msi Flash Player 10.0.42.34 group policy deploy issue

  I have been deploying the flash player to our workstations since version 9.  We have a 2003 AD domain and XP SP3 workstations.
  I know that it is recommended to use the flash uninstall program to remove flash when installing a new version but I haven’t taken the time to work on that type of scripting for any install.  Any attempts to uninstall the previous versions of flash via group policy when deploying have never worked.  I had the same experience with java 1.5 jres…they would never uninstall via policy.
  I have had success so far with deploying the latest version to the workstations with a new policy while leaving the old policy applied until a few weeks have past when all the workstations have been updated.
  I am in the process of deploying Flash Player 10.0.42.34 to replace Flash Player 10.0.32.18
  My test deploy to my virtual XP test workstation worked with no problems.  The flash test paged detected the newer version and the correct version was in add/remove programs.
  I then did a test deploy to a production workstation and the software installed without errors (the group policy install went extremely fast so I knew something was wrong).  No errors were reported in the workstation application log.  However when you visited the flash test page no version of flash was detected.  I also checked in add/remove programs and the program icon was the windows installer icon instead of the normal red flash box….this has been associated with other installation issues in the past.
  I have tried this on 3 other production machines and experienced the same results.  My virtual XP test workstation has only had version 10.0.32.18 on it so I am guessing that having had the older versions of 10 on the production workstations is causing the problem somehow.
  I have had issues in the past, but nothing like this.  Looks like I may have been owned by adobe on this one.
  Any insight would be appreciated.
  Thanks

  Sure , here is the url :
  http://www.forevermark.com/ja-jp/The-World-of-Forevermark-/Precious-Collection/
  On some machines , the Japanese text in the centre section appears very large. ..( see attached snapshot)
  We initially encountered this on the version prior to the 10.0.42.34 version.
  However even after the upgrading to 10.0.42.34 , the problem still persists .
  Thanks

• 11.5.2.602 Group Policy Installation issues

  Consider the following scenario:
  BigCorp wants to deploy a limited amount of software to their MS Windows desktop service, such that they can provide a rich browsing experience at login after a machine is joined to the domain.  To facilitate this, they deploy browser plug-ins such as Flash and Shockwave using group policy software installation (GPSI).
  This is a sensible decision, as there are vendor provided MSIs available to use and it ensures that the software is easily managed (upgrades, removal etc)
  When attempting to deploy Shockwave v11.5.2.602 an incorrect repair of the MSI is triggered on first use of the software for each user.
  On a standalone, otherwise clean, Windows XP SP3 machine with IE7:
  1. Install the software as a user with the correct rights (AdminUser), using the MSI direct from Adobe. 
  2. Logout AdminUser and Login StandardUser
  3. Visit http://www.adobe.com/shockwave/welcome/  - At this point the MSI runs a repair and logs the following to the application event log:
  Event Type: Warning
  Event Source: MsiInstaller
  Event Category: None
  Event ID: 1004
  Date:  02/12/2009
  Time:  09:30:48
  User:  IT-2220-VM4\Standard
  Computer: IT-2220-VM4
  Description:
  Detection of product '{7D0F2155-D7D3-42CE-903F-684ADD77FF89}', feature 'Adobe_Shockwave_Player_', component '{E89F323D-7BDB-46E1-A0FD-6227821F94EA}' failed.  The resource 'C:\Documents and Settings\AdminUser\Application Data\Adobe\' does not exist.
  Event Type: Warning
  Event Source: MsiInstaller
  Event Category: None
  Event ID: 1001
  Date:  02/12/2009
  Time:  09:30:48
  User:  IT-2220-VM4\Standard
  Computer: IT-2220-VM4
  Description:
  Detection of product '{7D0F2155-D7D3-42CE-903F-684ADD77FF89}', feature 'Adobe_Shockwave_Player_' failed during request for component '{3D3697FC-DB90-46D8-9ED4-5D54B4901F62}'
  *** Please note the path in EventID 1004 above (C:\Documents and Settings\AdminUser\Application Data\Adobe\) has been generated whilst logged in as StandardUser NOT AdminUser. ***
  This condition will always be true, since there is no read permission on another users profile for a standard user account.  Granting this right is not desirable in a roaming profile environment. This repair will be triggered for each and every user of the machine.
  Though this repair appears to be non-destructive and doesn't appear to inhibit successful removal, it is undesirable behaviour.
  Furthermore, and as other have mentioned, loading a shockwave item in a browser (IE7 in our case) also results in the following entry in the system event log:
  Event Type: Error
  Event Source: DCOM
  Event Category: None
  Event ID: 10000
  Date:  02/12/2009
  Time:  09:30:49
  User:  IT-2220-VM4\Standard
  Computer: IT-2220-VM4
  Description:
  Unable to start a DCOM Server: {1F3CB77D-D339-49E0-B8E4-FECD6D6F8CB8}. The error:
  "The filename, directory name, or volume label syntax is incorrect. "
  Happened while starting this command:
  C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE" -Embedding
  We are keen to move to the latest version of Shockwave, for the obvious reasons, but these issues are going to make it difficult to get through our change management processes; as the package doesn't meet the requirements we have laid out for our user experiences.
  Can someone at Adobe comment on the reason for this undesirable behaviour and how it came about? Can we expect later versions of Shockwave to exhibit the same behaviour?

  Hi,
  I have posted an MST file which fixes this and other issues to the following thread here:
  http://forums.adobe.com/message/2697135#2697135
  Please post any feedback to that thread!
  Kind regards,
  Chris Hill

• IE10 - Technical Issues Group Policy

  Hi,
  Microsoft connect have asked me to raise this issue here - can someone assist with a Bug Hotfix please?
  http://connect.microsoft.com/IE/feedback/details/790635/managing-internet-explorer-10-using-a-domain-gpo
  IEfeedback bug 62637
  Many thanks
  Peace

  reposted from
  http://community.spiceworks.com/topic/342202-ie-10-group-policy-help-needed-i-think-i-ve-found-a-bug
  We have a Windows 2012 DC and I am using Group Policy Management to configure Internet settings for IE 7, 8, 9 and 10 users.
  The group policy settings for IE 7, 8, 9 work fine.  I can configure the Proxy Server settings and the Advanced Settings with no problems.  However, I think I have found a bug when trying to configure the Proxy Server settings for IE10.  Here
  is what I do.
  1) Go into Group Policy Management
  2) Select the Group Policy Object that I want to add the IE10 settings to.
  3) Edit the Group Policy Object
  4) When Group Policy Management Editor opens, I go to User Configuration /
  Preferences / Control Panel Settings /
  Internet Settings.  Here I see the "Internet Explorer 7" and the "Internet Explorer 8 and 9" settings that I have already created.  I
  right click in the right hand pane, select "New", then select "Internet Explorer 10". 
  5) With the "New Internet Explorer 10 Properties" window open, I go to the "Connections" tab, select "LAN Settings".
  6) Check to enable the "Use a proxy server...." option
  7) Enter the ip address of my proxy server and the port address, in this case I enter "192.168.160.22" and "8080"
  8) Press "F5" so the settings get applied to all users as indicated by the solid green line.
  9) Check to enable the "Bypass proxy server...." option
  10) Click "Ok", then click "Apply", then click "Ok" to save the changes.  I now see the Internet Explorer 10 listed along with the IE 7 and IE8and9.
  11) Double-click the Internet 10 option to go back into its "Properties".
  12) Select the "Connections" tab, then "LAN Settings".  I see the proxy ip address and port number that I entered in step 7 above.
  13) Now the wonderful part where I think there is a bug.  Click "Advanced". This opens the "Proxy Settings" window.
  14) Move the window over so you can see the "Local Area Network (LAN) Settings" window.
  15) Click the "OK" button in the "Proxy Settings" window and
  watch the proxy ip and port numbers in the LAN Settings window disappear.
  16) So you think to yourself, ok they must still be there.  If you click "Cancel" and go back into the "LAN Settings" you will see the proxy server ip address and port number still there. 
  But if you click "OK", and then "Apply" your screwed. 
  The proxy server ip address and port numbers never reappear when you go back into "LAN Settings".   To get the proxy server ip address and port numbers to reappear, you have to recreate the Internet Explorer 10 settings, but going
  into the "Advanced" settings will burn you every time.
  Doing the above when setting the IE 7 and IE 8and9 settings works fine.
  See the attached image showing what I see.
  Anyone else experience this?  Have you found a way around it?
  Thank you for your time and help.
  Thank you.
  Rob^_^

• Enforce template via group policy

  HI,
  I have deployed the Office2013 template and I could see the settings for Office2013 applications are available for users to select
  Is there a way to enforce to virtualize the Office2013 applications setting? V 2.0 only includes the policies for Office2010
  thanks
  Andy

  There is currently no Group Policy template for Office 2013 as the Office 2013 template was released after the UE-V 2.0 Template Release. The Group Policy templates will be refreshed with the upcoming
  release of UE-V 2.1.
  Brandon
  MDOP on the Springboard Series on TechNet

• EMET 5.0 Group Policy Settings Ignored (Probable race condition with Policy application)

  In our deployment, EMET 5 seems to be ignoring group policy settings from immediately after the first group policy refresh post-boot.
  Settings are being applied to the computer correctly, and are appearing in the registry correctly, and on boot, a set of Event ID 50 events are logged containing ConfigAppmitGPO (and similar for the other settings) elements with the correct settings.
  Upon the first group policy refresh, further eventID 50 events are logged, with empty ConfigAppmitGPO elements.
  Investigation with Process Monitor seems to indicate this is a race condition between Group Policy Registry settings being refreshed (which deletes the entries) and the EMET service reading out these settings from the registry (which appears to be triggered
  by Group Policy application or by a notification on the registry keys themselves)
  This is reproducible on Windows 7 and Windows 8.1.
  Is there any way to arrange for settings to be applied correctly at all times, or is this a bug that will need to be fixed in a future update?

  We're experiencing the exact same behavior currently. I was starting to think I was going crazy. Glad to know others are experiencing the same behavior.
  I've found that using the method from pervious versions to read and update settings from Group Policy, using "emet_conf.exe --refresh" still works, and upon every execution, the event log shows the GPO settings being read and applied. While I welcome the
  move to have EMET update from GPO settings without requiring running a separate task, as it stands now in its current condition, it is a step back.
  Scott Ladewig http://www.ladewig.com

• Windows 7 Group Policy Processing - EventID 1058

  I am having an issue with Windows 7 clients refreshing group policy. When I run gpupdate the user policy refreshes and the moves on to the computer policies but fails displaying the error below.  Replication topology checks out, dcdiag returns
  no errors and sysvol permissions look ok too.  Curiously the same policies apply just fine on windows xp pro systems.  The Domain Controller is running Server 2008 Enterprise Edt R2 SP1, I see no 1030 eventid's on the domain controllers as others
  frequently report with this error.  The domain is running at Windows Server 2003 functional level but I have creaded a PolicyDefinitions folder in the sysvol for admx files etc.  Where to go from here? Does anyone have any suggestions/insight
  as to what the issue may be?
  The sysvol and the gpt.ini file is accessible from the Windows 7 client using UNC path.
  Thanks in advance for any assistance given.
  The error code listed is 0 which is not mentioned in this article
  http://social.technet.microsoft.com/wiki/contents/articles/1456.aspx
  ## Error details
  Log Name:      System
  Source:        Microsoft-Windows-GroupPolicy
  Date:          2/8/2012 2:38:09 PM
  Event ID:      1058
  Task Category: None
  Level:         Error
  Keywords:     
  User:          SYSTEM
  Computer:      win7box.abc123.net
  Description:
  The processing of Group Policy failed. Windows attempted to read the file
  \\abc123.net\SysVol\abc123.net\Policies\{EB062BE8-CAF6-47B4-9B8B-27A19268C520}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused
  by one or more of the following:
  a) Name Resolution/Network Connectivity to the current domain controller.
  b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
  c) The Distributed File System (DFS) client has been disabled.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
      <EventID>1058</EventID>
      <Version>0</Version>
      <Level>2</Level>
      <Task>0</Task>
      <Opcode>1</Opcode>
      <Keywords>0x8000000000000000</Keywords>
      <TimeCreated SystemTime="2012-02-08T20:38:09.770740300Z" />
      <EventRecordID>3972</EventRecordID>
      <Correlation ActivityID="{24F60AA4-DC8D-4F6D-8787-9535072F03C0}" />
      <Execution ProcessID="996" ThreadID="1148" />
      <Channel>System</Channel>
      <Computer>win7box.abc123.net</Computer>
      <Security UserID="S-1-5-18" />
    </System>
    <EventData>
      <Data Name="SupportInfo1">4</Data>
      <Data Name="SupportInfo2">816</Data>
      <Data Name="ProcessingMode">0</Data>
      <Data Name="ProcessingTimeInMilliseconds">3354</Data>
      <Data Name="ErrorCode">0</Data>
      <Data Name="ErrorDescription">The operation completed successfully. </Data>
      <Data Name="DCName">DC.abc123.net</Data>
      <Data Name="GPOCNName">CN={EB062BE8-CAF6-47B4-9B8B-27A19268C520},CN=Policies,CN=System,DC=abc123,DC=net</Data>
      <Data Name="FilePath">\\abc123.net\SysVol\abc123.net\Policies\{EB062BE8-CAF6-47B4-9B8B-27A19268C520}\gpt.ini</Data>
    </EventData>
  </Event>
  ## DCDiag Results (No RODC's hence NCSecDesc error )
  Directory Server Diagnosis
  Performing initial setup:
     Trying to find home server...
     Home Server = DC
     * Identified AD Forest.
     Done gathering initial info.
  Doing initial required tests
     Testing server: North\DC
        Starting test: Connectivity
           ......................... DC passed test Connectivity
  Doing primary tests
     Testing server: North\DC
        Starting test: Advertising
           ......................... DC passed test Advertising
        Starting test: FrsEvent
           ......................... DC passed test FrsEvent
        Starting test: DFSREvent
           ......................... DC passed test DFSREvent
        Starting test: SysVolCheck
           ......................... DC passed test SysVolCheck
        Starting test: KccEvent
           ......................... DC passed test KccEvent
        Starting test: KnowsOfRoleHolders
           ......................... DC passed test KnowsOfRoleHolders
        Starting test: MachineAccount
           ......................... DC passed test MachineAccount
        Starting test: NCSecDesc
           Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
              Replicating Directory Changes In Filtered Set
           access rights for the naming context:
           DC=ForestDnsZones,DC=abc123,DC=net
           Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
              Replicating Directory Changes In Filtered Set
           access rights for the naming context:
           DC=DomainDnsZones,DC=abc123,DC=net
           ......................... DC failed test NCSecDesc
        Starting test: NetLogons
           ......................... DC passed test NetLogons
        Starting test: ObjectsReplicated
           ......................... DC passed test ObjectsReplicated
        Starting test: Replications
           ......................... DC passed test Replications
        Starting test: RidManager
           ......................... DC passed test RidManager
        Starting test: Services
           ......................... DC passed test Services
        Starting test: SystemLog
           ......................... DC passed test SystemLog
        Starting test: VerifyReferences
           ......................... DC passed test VerifyReferences
     Running partition tests on : ForestDnsZones
        Starting test: CheckSDRefDom
           ......................... ForestDnsZones passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... ForestDnsZones passed test
           CrossRefValidation
     Running partition tests on : DomainDnsZones
        Starting test: CheckSDRefDom
           ......................... DomainDnsZones passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... DomainDnsZones passed test
           CrossRefValidation
     Running partition tests on : Schema
        Starting test: CheckSDRefDom
           ......................... Schema passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... Schema passed test CrossRefValidation
     Running partition tests on : Configuration
        Starting test: CheckSDRefDom
           ......................... Configuration passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... Configuration passed test CrossRefValidation
     Running partition tests on : abc123
        Starting test: CheckSDRefDom
           ......................... abc123 passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... abc123 passed test CrossRefValidation
     Running enterprise tests on : abc123.net
        Starting test: LocatorCheck
           ......................... abc123.net passed test LocatorCheck
        Starting test: Intersite
           ......................... abc123.net passed test Intersite

  I shortened this down a good bit but here is the gist of it, my question is which context/user/account is being denied access to the .ini files?  I have never used the streams utility but I'll give it a whirl and report back what I get. Most of
  the cannot be accessed are probably just policies that are  not applicable to the machine but the gpt.ini errors are baffling me.
  New GPO - it appears that new GPOs are fine
  GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  Searching <cn={5D0EF3CD-7942-4A89-A879-4F9FDB3064BF},cn=policies,cn=system,DC=abc123,DC=net>
  GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  Machine has access to this GPO.
  GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  GPO passes the filter check.
  GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  Found functionality version of:  2
  GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  Found file system path of:  <\\abc123.net\SysVol\abc123.net\Policies\{5D0EF3CD-7942-4A89-A879-4F9FDB3064BF}>
  GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  Found common name of:  <{5D0EF3CD-7942-4A89-A879-4F9FDB3064BF}>
  GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  Found display name of:  <gpoC-Win7Test>
  GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  Found machine version of:  GPC is 0, GPT is 0
  GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  Found flags of:  0
  GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  No client-side extensions for this object.
  GPSVC(3e4.80c) 12:43:27:510 ProcessGPO:  GPO gpoC-Win7Test doesn't contain any data since the version number is 0.  It will be skipped.
  Older GPO's - not so fine
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={B34A8F23-269C-43D8-A097-2307729FBFF6},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  ==============================
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Searching <CN={55338992-95C9-4FA2-80E4-0ED4A623EE09},CN=Policies,CN=System,DC=abc123,DC=net>
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Machine has access to this GPO.
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  GPO passes the filter check.
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Found functionality version of:  2
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Found file system path of:  <\\abc123.net\SysVol\abc123.net\Policies\{55338992-95C9-4FA2-80E4-0ED4A623EE09}>
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Found common name of:  <{55338992-95C9-4FA2-80E4-0ED4A623EE09}>
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Found display name of:  <gpoS-RealPlayerEnt6 - Security>
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Found machine version of:  GPC is 0, GPT is 0
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Found flags of:  0
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  No client-side extensions for this object.
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  GPO gpoS-RealPlayerEnt6 - Security doesn't contain any data since the version number is 0.  It will be skipped.
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  ==============================
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={C92FD413-E891-47E0-B554-BD7F9209D036},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={FEF33797-46D0-452A-B3D7-0BEEC2330592},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={CCBFECA5-2FF8-4512-8CE4-108C4092D009},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={767959D5-7AB6-4D55-A02E-3F54439CC7DA},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={10DCAC5E-9904-41FF-B678-E8514F481E56},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={3229FD3D-868A-4406-AFAF-6449ADBB4749},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={1DD39B5C-B930-4750-8EC3-42D0FB89A3B9},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={E10350D2-F632-4D5E-9668-4151596B1D77},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={86C864C5-C861-42FC-B728-BAEE81C9A091},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={FE1162BF-9FE2-4F04-A514-80A8E6D5F7CD},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={F68214D3-33F3-4F76-BE26-306D0237A048},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={CA6B06CE-C546-41F1-87FB-9013701AEF00},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={C8C9EFA2-90AA-4162-9051-23FD83B5CF62},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={DE445C4F-9A0F-488F-8769-C041CF2184AA},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={7CDB465C-55AC-4CBC-9C18-F3ADACDFEB46},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={F4E0F78E-BE36-4793-A8B1-83B2D67083F1},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={53359F0A-8C9B-4831-936F-3D47C4CC2694},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={6793DBEE-47B0-458D-8F1C-D92EB7015733},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={93919120-7113-47C0-AA38-0561EAB18E42},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={5ABD1D9E-07E4-4A53-B854-A2FFC3B257CB},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={71E2B86C-A4A0-47C0-9D7F-BDD6220B9FA4},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={4401CF1C-7839-4496-BB87-304A8AB917FC},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={1244CA5A-D654-4ED6-9374-148F1F3DA8ED},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={42875CF2-B9E9-4EFA-90C2-7ACA8882F1B7},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={6DD428B6-6B19-4A53-B172-57DB3E15A38E},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={983BFDAD-65F0-42B4-807A-E78DF275C352},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={AFA31A2D-07D8-4CB4-BE86-067A9624E324},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={77C9CA17-6359-4355-9FDF-F605F0441245},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={75D43291-6FA2-4B98-8422-228DDB45571B},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={870C6FB3-74CD-46E8-9D4D-E6E6C0A2B52D},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={2144E4CF-01C1-4C5B-984B-E9BD4461406F},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={7D9DB917-1245-46BD-AEBF-163A2F0FCD06},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={B7431941-5DAA-4DD2-A569-35C31B92B677},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={D01BF1D1-33C8-4FC3-95C3-5948A1EE1647},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={57D4AD83-3BBF-43C2-9A3B-F71F3E52C2A6},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={A8DB7DAC-42F0-43FC-99E1-F1AC15006101},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={56574927-6DC5-48A7-82F9-A00E820335F6},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={2FB6858E-8B1C-4C89-83B2-0EEE97D9A72B},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={93C56E3F-5334-4325-A328-0CCAFED0828B},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={1B64E00F-D3B6-49B6-B6C8-7AD0A8C9AEFA},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={81B4E46C-8249-4547-BC75-9A1FB395E282},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 EvalList: Object <CN={43D5184A-73C8-4BFD-9B09-33C70B8BC3C2},CN=Policies,CN=System,DC=abc123,DC=net> cannot be accessed
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  ==============================
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Searching <CN={0ABE0BCF-0BC5-481E-AC86-5768D00901D5},CN=Policies,CN=System,DC=abc123,DC=net>
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Machine has access to this GPO.
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  GPO passes the filter check.
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Found functionality version of:  2
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Found file system path of:  <\\abc123.net\SysVol\abc123.net\Policies\{0ABE0BCF-0BC5-481E-AC86-5768D00901D5}>
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  Couldn't find the group policy template file <\\abc123.net\SysVol\abc123.net\Policies\{0ABE0BCF-0BC5-481E-AC86-5768D00901D5}\gpt.ini>,
  error = 0x0. DC: DC2.abc123.net
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPO:  ==============================
  GPSVC(3e4.80c) 12:43:27:541 EvalList:  ProcessGPO failed
  GPSVC(3e4.80c) 12:43:27:541 GetGPOInfo:  EvaluateDeferredGPOs failed. Exiting
  GPSVC(3e4.80c) 12:43:27:541 GetGPOInfo:  Leaving with 0
  GPSVC(3e4.80c) 12:43:27:541 GetGPOInfo:  ********************************
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPOs: GetGPOInfo failed.
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPOs: No WMI logging done in this policy cycle.
  GPSVC(3e4.80c) 12:43:27:541 ProcessGPOs: Processing failed with error 87.
  GPSVC(3e4.80c) 12:43:27:557 Application complete with bConnectivityFailure = 0.
  GPSVC(3e4.80c) 12:43:27:557 Signalling 1 Refresh Policy callers
  GPSVC(f84.df4) 12:43:27:557 Exiting RefreshPolicyForPrincipal with status = 0
  GPSVC(3e4.80c) 12:43:27:557 GPLockPolicySection: Sid = (null), dwTimeout = 600000, dwFlags = 0
  GPSVC(3e4.80c) 12:43:27:557 LockPolicySection called for user <Machine>
  GPSVC(3e4.80c) 12:43:27:557 Sync Lock Called
  GPSVC(3e4.80c) 12:43:27:557 Writer Lock got immediately.
  GPSVC(3e4.80c) 12:43:27:557 Lock taken successfully
  GPSVC(3e4.80c) 12:43:27:557 UnLockPolicySection called for user <Machine>
  GPSVC(3e4.80c) 12:43:27:557 UnLocked successfully

• How to disable attachment preview in Outlook 2013 - group policy

  How do I disable attachment preview in Outlook 2013 in GPO?

  Hi,
  We may follow the steps below to disable attachment preview in Outlook 2013:
  1. Download
  Office 2013 Administrative Template files, and then follow the instructions in the "Loading the ADMX templates" section of the
  Use Group Policy to enforce Office 2010 settings article to load the ADMX templates.
  2. Navigate to User Configuration > Administrative Templates > Microsoft Outlook 2013 > Outlook Options > Preferences > Email Options
  3. Double-click Do not allow attachment previewing in Outlook from the right pane.
  4. Select Enable bullet.
  5. Click OK.
  6. Run gpupdate /force command to force an update of GPO settings.
  7. Start Outlook and you should see the attachment previewing feature is disabled.
  Regards,
  Steve Fan
  TechNet Community Support
  It's recommended to download and install
  Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office
  programs.

• MBAM Group Policy Problems

  I am trying to install and configure MBAM 2.0. I have installed all of the components on two separate servers. Server 1 has sccm 2012
  integration and gpo policy templates. Server two has the rest. When I load Group Policy Management the templates do not appear. I have manually extracted and copied the templates in the local policy definitions and still nothing. Any ideas?

  By default the Group Policy Management console will look for templates at a central SYSVOL location (a so called central store). Likely you have a PolicyDefinitions folder in
  \\domain.com\sysvol\domain.com\Policies and then you need to add the MBAM ADMX and ADML files to that location to be able to see those settings when managing group policies. The reason for this is
  that the central store has precedence over local group policy templates.
  Blogging about Windows for IT pros at
  www.theexperienceblog.com

• Remote Desktop connection - Set URL by group policy

  on our 2008 R2 DC we do not have a "RemoteApp and Desktop Connections" entry and so i cant
  set the Default URL of the RDS web , how i can have an admx for this policy or any work around in order to set the URL by group policy, by the way i have an rds 2012 R2 and DC 2008 R2 and all clients are using thin clients with windows 8 embedded.

  Hi,
  You can download and install the latest group policy templates on your DC:
  Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2
  http://www.microsoft.com/en-us/download/details.aspx?id=41193
  Another option would be to edit your group policies from your Server 2012 R2 server.  For this you need to install Group Policy Management via Server Manager Add Roles and Features Wizard.
  -TP