GPO & GPRESULT in Domain Environment

I have set up a 2008 R2 domain with no major GPO defined. When I execute GPRESULT on the client machine, I don't see anything under "Applied Group Policy Objects", and also:
The following GPOs were not applied because they were filtered out
        Default Domain Policy
            Filtering:  Not Applied (Empty)
Is it a normal behavior?
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 2/8/2015 at 12:23:40 PM
RSOP data for CONTOSO\meuser on HIS0161 : Logging Mode
Gpresult.exe -> Output
OS Configuration:            Member Server
OS Version:                  6.1.7601
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\meuser
Connected over a slow link?: No
USER SETTINGS
    CN=meuser,CN=Users,DC=CONTOSO,DC=NET
    Last time Group Policy was applied: 2/8/2015 at 12:22:55 PM
    Group Policy was applied from:      PDC-DC.CONTOSO.NET
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        CONTOSO
    Domain Type:                        Windows 2000
    Applied Group Policy Objects
        N/A
    The following GPOs were not applied because they were filtered out
        Default Domain Policy
            Filtering:  Not Applied (Empty)
        Local Group Policy
            Filtering:  Not Applied (Empty)

> The following GPOs were not applied because they were filtered out
>
>      -------------------------------------------------------------------
>          Default Domain Policy
>              Filtering:  Not Applied (Empty)
>
> Is it a normal behavior?
Yes. In an "empty" domain, you have 2 GPOs: Default Domain Policy and
Default Domain Controllers Policy. Both only contain computer settings.
And when running gpresult from a non-elevated command prompt, you simply
do not get computer settings.
Martin

Similar Messages

  • We have created shared folder on multiple client machine in domain environment on different 2 OS like-XP,Vista, etc. from some day's When we facing problem when we are access from host name that shared folder is accessible but same time same computer when

    Hello All,
    We have created shared folders on multiple client machines in a domain environment, on different OSes such as XP, Vista, etc.
    For some days we have been facing a problem: when we access a machine by host name, the shared folder is accessible, but when we try to access the same shared folder on the same computer by IP, it asks for credentials. I have typed the correct credentials again and again
    but am unable to access it. If I re-share the folder then we can access it, but when we restart the system the same problem occurs.
    I have checked IP,DNS,Gateway and more each & everything is well.
    Pls suggest us.
    Pankaj Kumar

    Hi,
    According to your description, my understanding is that the same shared folder can be accessed by name, but can't be accessed by IP address and asks for credentials.
    Please try to enable the option below on the device which has the shared folder:
    Besides, check the Advanced Sharing settings of the shared folder and confirm whether there are any limitation settings.
    Best Regards,
    Eve Wang

  • Is Lightroom supported in a Active Directory domain environment with multiple users logging into a machine?

    We are a school district using an Active Directory environment.  We currently use other Adobe products with multiple users on different machines and it works fine.  If Lightroom does work in a domain environment what are the required local user permissions needed for it to work properly?  Thanks!

    Lightroom is not a multiuser program. It is required that the catalog is located on a hard drive that is local to the machine accessing it. There are no workarounds.

  • Implementing Sites for a new Single Domain Environment and effects on Exchange

    Copied from the Active Directory forums as the suggestion of replies.
    I didn't find exactly what I was looking for so decided to create my own question to get some direct feedback.
    Currently we have a single domain environment with two domain controllers located at two separate sites. When the domain was first set up, no configuration was done in the Sites and Services module for Active Directory. The two domain controllers we have are
    currently located in the Default-First-Site-Name container. We do not have any subnets configured with the Sites and Services module.
    These two domain controllers are located at two different sites with different IP schemes and the sites are connected with a high speed site-to-site VPN. We also have 2 satellite offices with their own IP schemes as well with more offices to come. In the future
    domain controllers will be placed at these satellite offices which are connected with a slower site-to-site VPN to the main offices.
    All replication and network functions are working well now, but I would like to know what the effects would be and what to watch out for if I create sites for our environment. I am particularly concerned about our Exchange 2010 server and need to make sure
    that the change will not disrupt communications between it and the domain controllers.
    I would like to create a site for each of our locations and link the subnet to that site now so that when we install the domain controllers the configuration is ready.
    Any suggestions or input is highly appreciated thank you in advance.

    Exchange will be an issue only if your Exchange servers span sites when your new Windows sites are created.  If you have Exchange servers all in a single location, adding sites to your Windows forest will cause no issues.  However, if you have
    Exchange servers in both locations, as soon as a new site is defined for an Exchange server in a separate location from your other Exchange servers, you will start having issues.  Let me give some examples so you can see what problems might occur:
    Two datacenters, one Windows site, Exchange mailbox servers in both locations (primary and DR), but hub and CAS roles only in the primary datacenter:
    In this situation, as soon as your second site is defined, the server in the DR datacenter will no longer be receiving mail - there is no hub to deliver it - and users will no longer be able to access their mailboxes - there is no CAS to support them. 
    Solution:  Add hub and CAS to second datacenter and all is well with the world.
     Two datacenters, one Windows site, Exchange multirole servers in both locations (primary and DR), but CAS Array defined:
    Now we have a little bit better setup, since we have all roles in both locations.  However, the CAS array in the primary site isn't going to be able to support your client connections in the DR site - so users will be connecting directly to the CAS
    servers in the DR site (not optimum).  Solution:  Define a second CAS array for the DR site, with its own load balancer and configure the databases in your DR location to use that CAS array as the RPC Client Access Server.
    There are other oddities, but as you can see, there will definitely be issues if your Exchange servers aren't all in the same location and you start defining Windows sites ...

  • In domain environment standard users can't open .psd files

    in domain environment with non admin users; getting this error: http://imageshack.com/a/img543/9085/cdnu.png
    only administrators can open .psd files
    what permissions needs a standard user to open .psd files?

    did fw work previously to open psd files?  - no, only admin users can open psd files with fw or ps.
    do you see that error with all psd files? - yes, all psd files give this error, no error given jpeg or png files
    are those cs6 psd files? - yes.
    what happens if you right click fw>click 'run as administrator'? - same error.
    i have to give local administrator rights to users that they can work with psd files.

  • AD RMS for multi tenant domain environment

    Hi,
    I have successfully configured AD RMS with lots of workarounds. Now I want to use a multi-tenant domain environment. I have multiple domains running in my production environment. Can anyone help me configure the RMS server to add multiple URLs for licensing
    and certification in the AD RMS server on Windows Server 2012? I need proper step-by-step configuration of the roles to activate on an immediate basis.
    Any help in this regard will be highly appreciated,
    Attached screenshots might help you see what I want ;)
    Regards,
    Imran Bashir
    MCSA 2008, MCITP, MCTS, MCP
    JNCIA ER,EX
    Brocade Certified

    Hi,
    in a single forest you can have only one RMS SCP. You could create more RMS clusters but those are not discoverable that way, only by using RMS templates or overwriting the client's registry.
    If you say multi-tenant I assume every tenant should have its own RMS key, correct? If you have only one RMS cluster the cluster admin will have control over all documents.
    Hope that helps,
    Lutz

  • Activating Windows 7 by using KMS Without the Active Directory Domain environment

    Dear,
    Are we able to activate Windows 7 machines by using KMS without the Active Directory domain environment? As some of our computers will not connect to the AD domain, we need to set up a separate KMS
    server for this.
    Thanks
    Balaji K 

    You can point the KMS clients to the KMS host machine by opening an Elevated CMD prompt:
    and running slmgr /skms to point directly to the KMS host.
    You do not need a Domain controller.
    Volume Licensing: Key Management Service (KMS) Client Options:
    /skms <Name[:Port] | : port> [Activation ID] [Activation ID]
    Set the name and/or the port for the KMS computer this machine will use. IPv6 address must be specified in the format [hostname]:port
    /ckms [Activation ID]
    Arnav Sharma | http://arnavsharma.net/

  • Recommended DNS zone replication scope for single domain environment

    Hi, in my company we have domain/forest functional level Windows Server 2008 R2 - there is only one domain. AD DS is installed on 5 servers -
    AD integrated DNS zone is used.
    I noticed today that on both forward lookup DNS zones, _msdcs.internaldomain.com
    & internaldomain.com, zone replication scope was set to
    All DNS servers in this domain and also for one reverse lookup zone. I changed this setting for all these zones to
    All domain controllers in this domain but later (10-15 mins at most) I reverted these settings back to
    All DNS servers in this domain.
    Which zone replication scope is recommended for the mentioned zones, keeping in mind this is a single domain environment? Also, could I have done any harm to DNS and AD overall when I changed the zone replication scope and later reverted it for these zones? How do I check
    that DNS-related information (zones) is located where it should be in Active Directory and that there is no garbage in other locations (partitions) in the AD database?

    Hi,
    All DNS servers in this domain : Replicates zone data to all Windows Server 2003 and Windows Server 2008 domain controllers running the DNS Server service in the Active Directory domain. This option replicates zone data
    to the DomainDNSZone partition. It is the default setting for DNS zone replication in Windows Server 2003 and Windows Server 2008.
    http://technet.microsoft.com/en-us/library/cc772101.aspx
    Hope this helps.
    Regards.
    Vivian Wang

  • Firewall problem in domain environment

    I have built two domains for testing purposes. Having deployed domain controllers, exchange servers, sccm/scom servers, sql servers along with some client computers I noticed that I had problems accessing some of servers/clients - I could not manage
    some of them directly with manage command from domain controller or access them via unc path. Some of them I could not ping either. I was able to solve these problems by changing inbound firewall rules on these machines thus
    allowing some connections such as smb-in, dcom-in . . . In my production environment (I have been working there as system engineer for almost seven years) I have never had these problems - any domain member, whether it has been server or client, was easily
    accessible (managed from dc, unc, ping, . . .). I could deploy GPO with all necessary settings for inbound rules but it should be done automatically - as soon as machine is joined to the domain it must be accessible by using at least common protocols such as
    dcom, smb for managing or simple file copy operation. I checked my production environment again and there were no GPOs for altering default firewall settings on domain member computers so I have no idea why this is happening in my testing domains.

    No one but me has access to these machines. Also Symantec Endpoint Protection software is installed on these machines as it is the case with my production machines where everything is functioning flawlessly - as I mentioned I can access all my machines
    in production domain via computer management, smb, ping . . . One of my test domains has FFL/DFL Windows Server 2008 R2,  the same as my production domain, the other one has FFL/DFL Windows Server 2012 R2 and it is created for learning purposes. As I
    said, in both test domains, all domain computers have SEP installed - the same version and configuration as on my production machines. I have not done anything related to firewall in my test domains on problematic machines - I installed OS on them, joined
    to the domain, installed SEP and afterwards I have worked with specific product machine was created for - SCCM/SCOM, Exchange, SQL . . . servers and their clients.

  • Locally configured security policy in domain environment

    Hello.
    I have run into a problem when configuring security policy for servers in my domain. Due to the large size of my environment and many different local administrators on servers, quite a few of those administrators have configured local security policies on
    their servers instead of asking our central IT department to create domain-based GPOs for those settings.
    It's quite often settings that give an account the right to log on as a batch job and so on. This creates the problem for us who work centrally that we can't configure a central GPO, since we will overwrite the locally configured ones and that will quite often
    cause an application to stop working.
    So my question is whether there's any way to make an inventory to find out which servers have a locally configured policy so that I can change that to a central one.
    /Lee

    You can use secedit to get the local security policy. You can use
    psexec to get it remotely and store the content in a share. Once done, you can fetch the data using Powershell and get what you need.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
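One way to carry out the inventory this answer describes, as an added example that is not part of the original thread: parse the `[Privilege Rights]` section of each `secedit /export` file and list account holders that are not in an expected baseline. The share path, server name, SIDs, sample export and baseline table are constructed assumptions, and the script needs PowerShell 3.0 or later.

```powershell
# Added example (not from the thread). On each server, e.g. through psexec as the
# answer suggests, the export is produced with:
#   secedit /export /cfg \\fileserver\secpol$\%COMPUTERNAME%.inf /areas USER_RIGHTS
# \\fileserver\secpol$ is a hypothetical share.

function ConvertFrom-SeceditUserRights {
    # Turns the lines of one secedit export into objects: Server, Right, Holders.
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [Parameter(Mandatory)] [string]   $Server
    )
    $inSection = $false
    foreach ($line in $Lines) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only the [Privilege Rights] section holds user rights assignments.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $line -eq '' -or $line.StartsWith(';')) { continue }
        # Line format: SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,SomeAccount
        $name, $value = $line -split '\s*=\s*', 2
        $holders = @()
        if ($value) {
            # SIDs are written with a leading '*'; account names are written bare.
            $holders = @($value -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
        [pscustomobject]@{ Server = $Server; Right = $name; Holders = $holders }
    }
}

function Compare-UserRightsToBaseline {
    # Reports holders of a right that the baseline does not list for that right.
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Rights,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    foreach ($r in $Rights) {
        if (-not $Baseline.ContainsKey($r.Right)) { continue }  # audit only baselined rights
        $expected = $Baseline[$r.Right]
        $extra = @($r.Holders | Where-Object { $expected -notcontains $_ })
        if ($extra.Count -gt 0) {
            [pscustomobject]@{
                Server       = $r.Server
                Right        = $r.Right
                ExtraHolders = $extra -join ', '
            }
        }
    }
}

# Assumed baseline: replace with the assignments your central GPO is meant to enforce.
$baseline = @{
    SeBatchLogonRight   = @('S-1-5-32-544', 'S-1-5-32-551', 'S-1-5-32-559')
    SeServiceLogonRight = @('S-1-5-80-0')
}

# Constructed sample export for a hypothetical server SRV01 (the domain SIDs are made up).
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-1111111111-2222222222-3333333333-1106
[Version]
signature="$CHICAGO$"
Revision=1
'@

$rights = ConvertFrom-SeceditUserRights -Lines ($sample -split "`r?`n") -Server 'SRV01'
Compare-UserRightsToBaseline -Rights $rights -Baseline $baseline | Format-Table -AutoSize

# Real exports from the share would be processed the same way:
# Get-ChildItem '\\fileserver\secpol$\*.inf' | ForEach-Object {
#     ConvertFrom-SeceditUserRights -Lines (Get-Content $_.FullName) -Server $_.BaseName
# } | ForEach-Object { Compare-UserRightsToBaseline -Rights @($_) -Baseline $baseline }
```

Each row of the output names a server, a right and the extra holders, which is the list of assignments to move into a central GPO before that GPO overwrites them.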

  • GPO Inheritance Default Domain Policy

    For this particular problem, I would take the offending setting out of the DPP and create a GPO with the setting and apply it to the other OU's and whatever setting you need for your special OU
    After that, I'd take a look at your DPP and remove anything that could need changed later and make separate GPO's for those.  I generally don't put anything in the DPP
    At this time, I wouldn't take the enforce off until you look closely at all your GPO's to make sure nothing crazy will happen

    We have a DDP that is set to Enforced at the root level of domain course. One of the settings in the DDP needs to be reversed for one OU. Firewall rule. I have created a new OU and applied a GPO to that OU. The new GPO is not applying because the precedence rules say that the enforced DDP is going to win. Enforcing the new GPO doesn't change this. Do I have any other options other than
    1. Move the offending piece in the DDP into a new root level GPO that is not enforced
    2. Remove the Enforced off of the DDP
    3. Creating the new GPO at the root level and use WMI filtering for one computer.
    Server 2012/2008 domain
    This is an old config and I am not sure why the DDP was enforced to begin with and I would rather avoid moving GPO's around that involve firewall rules and network connectivity. The root level GPO just seems like overkill if it would...
    This topic first appeared in the Spiceworks Community

  • Preventing Windows Store App Purchases in a Domain Environment

    Hello,
    We are using AppLocker to prevent unwanted apps from being installed through the Windows 8 store, however users are able to complete the purchase of an app before AppLocker prevents them from installing it.
    Are we able to disable store purchases using group policy or can this be done in another way?
    Thanks
    John

    Hi,
    I don't think we can only block purchase in GPO.
    Based on my knowledge, the channel is designed in each app and different from each other.
    The family safety can prevent family account from buying app, but doesn't apply to Domain account.
    Kate Li
    TechNet Community Support

  • Users see all applications in RDS 2012 Web access in one-way trust domain environment

    Hello!
    We have RDS 2012 deployment in domainA.local. There is a one-way trust between domainA.local and domainB.local: A trusts B and B doesn't trust A.
    A user from domainB.local authenticates in Web-access interface (wa.domainA.local) and sees
    every published application in every collection in the deployment independently of UserGroups setting of collections and applications. This occurs for any domainB user.
    In the security log of wa.domainA.local we can find an event :
    An account failed to log on.
    Subject:
    Security ID:                IIS APPPOOL\RDWebAccess
    Account Name:                RDWebAccess
    Account Domain:                IIS APPPOOL
    Logon ID:                0x2C7B16
    Logon Type:                        3
    Account For Which Logon Failed:
    Security ID:                NULL SID
    Account Name:                
    Account Domain:                
    Failure Information:
    Failure Reason:                An error occurred during logon
    Status:                        0xC000005E
    Sub Status:                0x0
    Also in network trace on wa.domainA.local kerberos error could be found:
    On TGS-REQ for krbtgt/[email protected] there is an answer: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7), server name krbtgt/domainB.
    How to deal with this issue? The aim is to show only specified applications to domainB users.
    Any help would be appreciated.

    Hi,
    Thank you for your posting in Windows Server Forum.
    Please check below links might useful for your case.
    “After adding the RDS server’s computer account to the Builtin Windows Authorization Access Group domain group, the RemoteApp icons displayed perfectly.” (Quoted from
    this article)
    1. Remote APP list empty
    2. RD Web Access unable to access Source (RD Server)
    With respect to the Kerberos error, refer to these links for troubleshooting.
    1. Troubleshooting Kerberos Authentication problems – Name resolution issues
    2. Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 2
    Hope it helps! 
    Thanks,
    Dharmesh

  • Android, Ipad authentication under windows domain environment

    I’m really confused about the best practice to set up these devices in a 802.1x and Windows Domain network using ISE.
    I had seen the Ipad download the ISE certificate the very first time the device is connected to the SSID. In Android device (Galaxy phone) I don’t see the device download certificate.
    Testing with the Android device I was able to install the root CA certificate (not an easy procedure), then when the SSID is configured in the device I have the option to choose the root CA certificate.
    Now if I don't include the certificate in the SSID configuration, the device is able to connect with an Identity and Password only. If I include the certificate in the SSID configuration, the device asks for the certificate storage password if the option to use secure credentials is not enabled before.
    How can I validate through the ISE that the Android device is using the certificate? Is it possible to set a rule in the ISE denying access if the device does not validate the certificate? I think EAP necessarily uses certificates, but the Android device does not show anything.
    I had read about provisioning and profiling the Android devices. I think the Network Setup Assistant available through Google Play is an easy procedure to install the root CA certificate. Am I right?
    The customer said it appears the certificate is being used to encrypt the username and password, not to do the authentication itself. Reading about EAP functionality I believe that is right; I understand that EAP-MSCHAP actually creates a tunnel to pass through the username and password. Right?
    As the Ipad and Android devices are not in the windows domain, what should be expected when the password is expired? Customer Policy indicates users must change domain passwords every four months. In a Windows PC users receive warnings some days before the expiration but it appears nothing happen in non-domain devices. A co-worker told me the easy way is that when this happen the user should remove the SSID in the device and create it again. The customer does not like this behavior, so what should be a best practice work around?
    I hope you can help me to clarify my doubts.
    Regards.
    Daniel Escalante

    For Client Provisioning for Android you can refer to these guides:
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_ISE.html#wp1024291
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-000.html#anc10

  • "There are currently no logon servers available to service the logon request." when trying to access a shared folder in domain environment.

    Hi,
    I already have a windows server 2003 working as a Primary Domain Controller (PDC) and now I created another windows server 2012 to work as an Additional Domain Controller (ADC).
    - PDC is doing (Active directory domain services + DNS + DHCP)
    - ADC is doing (Active directory domain services + DNS)
    For testing purposes, I shutdown the PDC and let the ADC up and running. Now, Whenever I try to access a shared folder on any server in the domain, I got this message "\\x.x.x.x is not accessible. You might not have permission to use this network resource.
    Contact the administrator of this server to find out if you have access permissions.
    There are currently no logon servers available to service the logon request."
    Actually, the replication of AD objects and DNS records between the PDC and ADC is done successfully.  I also can resolve names using the ADC's DNS. Also, I can ping servers hosting the files I want to access. 
    Appreciate your help.

    The PDCe is required for a lot of services, to include DFS.
    Turn the PDC back on and try again.  If it's still not working, ensure the file server has the correct DNS entries on the NIC.
    I think I see what you were trying to test.  The issue is that not all DCs are equal.  Yes, they hold the same information, but some DCs do extra work.  That is why FSMOs exist.
    Let me know how it goes.
    - Chris Ream -
