Group Policy and Windows 8.1 questions

I have a few group policy questions. Thanks in advance for taking a look.
1. I’ve downloaded the Win 8.1/Server 2012 ADMX files. They look to be the same file names as the Win 7 ADMX files. Can I copy them into the PolicyDefinitions folder and still be able to create GPOs for either win 7 or Win 8?
2. If we use a windows 8.1 client with the GPO mmc to create the GPOs (instead of putting the ADMX files on the servers), will the GPO built from the win 8.1 client apply correctly even though it's coming down from a DC that doesn’t have those ADMX files?
3. Does it make a difference if the win 8.1 client we use to create/edit the GPOs is x64 or x86?
4. We recently needed to add in an admx file for Lync 2013. I put the lync.admx file in the PolicyDefinitions folder on one DC. If we build the GPO from that server, when it replicates out to all the other DCs, does it matter that they don’t have that particular ADMX file for lync?
5. How do we organize and structure our ADMX files wherever they end up so that we know which sets are for which operating system? Should we be thinking about deleting the Win 7 ADMX files when the point comes in the future that we are using only Windows 8 and Windows 9?
6. We are at AD functional level 2003. Do we need to go up in level for any of this to work?

>  1. I’ve downloaded the Win 8.1/Server 2012 ADMX files. They look to be
>     the same file names as the Win 7 ADMX files. Can I copy them into
>     the PolicyDefinitions folder and still be able to create GPOs for
>     either win 7 or Win 8?

Yes. Simply overwrite and you'll be fine.

>  2. If we use a windows 8.1 client with the GPO mmc to create the GPOs
>     (instead of putting the ADMX files on the servers), will the GPO
>     built from the win 8.1 client apply correctly even though it's coming
>     down from a DC that doesn’t have those ADMX files?

Yes. GPO processing doesn't need ADMX, only GPO editing needs them.

>  3. Does it make a difference if the win 8.1 client we use to
>     create/edit the GPOs is x64 or x86?

No.

>  4. We recently needed to add in an admx file for Lync 2013. I put the
>     lync.admx file in the PolicyDefinitions folder on one DC. If we
>     build the GPO from that server, when it replicates out to all the
>     other DCs, does it matter that they don’t have that particular ADMX
>     file for lync?

If you have a central store for your ADMX, it will automatically
replicate through all DCs. If not, "2." applies anyway.

>  5. How do we organize and structure our ADMX files wherever they end up
>     so that we know which sets are for which operating system? Should we
>     be thinking about deleting the Win 7 ADMX files when the point comes
>     in the future that we are using only Windows 8 and Windows 9?

If you use a central store, update it as required. If not, do nothing
and use a client with the OS version you want to target.

>  6. We are at AD functional level 2003. Do we need to go up in level for
>     any of this to work?

AD level doesn't matter in any aspect. Schema version matters (BitLocker
and Wireless, e.g.), but you can update the Schema easily to 2012 and
have your DCs still run Server 2003.
Martin
Fancy reading a GOOD book about GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))
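
A read-only check to run before following the overwrite and central store advice above (added example, not part of the original thread; the parameter names are assumptions). It lists which ADMX/ADML files a copy from a source folder would add, replace or downgrade in the central store, and which templates exist only there.

```powershell
# Added example: read-only comparison of a template folder with the domain central store.
# Parameter names are hypothetical. Requires PowerShell 4.0 or later (Get-FileHash).
[CmdletBinding()]
param(
    # Folder with the templates you intend to copy (default: this machine's local store).
    [string]$SourcePath    = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
    # DNS name of the AD domain (default: the logged-on user's domain).
    [string]$DomainDnsName = $env:USERDNSDOMAIN
)

function Get-TemplateIndex {
    # Returns a hashtable: relative path (e.g. 'en-US\lync.adml') -> FileInfo.
    param([Parameter(Mandatory = $true)][string]$Root)

    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    $index = @{}   # PowerShell hashtables compare string keys case-insensitively
    Get-ChildItem -LiteralPath $rootFull -Recurse -File |
        Where-Object { $_.Extension -in '.admx', '.adml' } |
        ForEach-Object {
            $relative = $_.FullName.Substring($rootFull.Length).TrimStart('\')
            $index[$relative] = $_
        }
    return $index
}

if (-not $DomainDnsName) {
    throw 'No domain name available; pass -DomainDnsName explicitly.'
}

# Standard central store location inside the replicated SYSVOL share.
$centralStore = "\\$DomainDnsName\SYSVOL\$DomainDnsName\Policies\PolicyDefinitions"
if (-not (Test-Path -LiteralPath $centralStore)) {
    Write-Warning "No central store at $centralStore; GPO editors use their local PolicyDefinitions folder."
    return
}

$source  = Get-TemplateIndex -Root $SourcePath
$central = Get-TemplateIndex -Root $centralStore

$report = foreach ($name in (@($source.Keys) + @($central.Keys) | Sort-Object -Unique)) {
    $src = $source[$name]
    $dst = $central[$name]

    $status = if (-not $dst) {
        'MissingInCentralStore'   # a copy would add this file
    } elseif (-not $src) {
        'OnlyInCentralStore'      # e.g. a product template such as lync.admx; a copy leaves it alone
    } elseif ((Get-FileHash -LiteralPath $src.FullName).Hash -eq
              (Get-FileHash -LiteralPath $dst.FullName).Hash) {
        'Identical'
    } elseif ($src.LastWriteTimeUtc -gt $dst.LastWriteTimeUtc) {
        'SourceNewer'             # an overwrite replaces an older template
    } else {
        'CentralStoreNewer'       # an overwrite would downgrade this file
    }

    [pscustomobject]@{
        File        = $name
        Status      = $status
        SourceDate  = $src.LastWriteTimeUtc
        CentralDate = $dst.LastWriteTimeUtc
    }
}

# Emit only the files a copy would touch or that need a decision.
$report | Where-Object { $_.Status -ne 'Identical' } | Sort-Object Status, File
```

Nothing is copied or deleted; pipe the result to `Format-Table -AutoSize` or `Export-Csv` to review it before changing the store.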

Similar Messages

  • Group Policy Guru? Group Policy and Windows 7 erratic and inconsistent.

    (*If you don't feel like reading everything, skip to the bottom two paragraphs for my questions)
    I've had a premier call open with MS since August. This week I had a Microsoft Technician in-house.  Though we eliminated some possibilities, we're not really closer to a cause or solution.
    Every time we work with an expert, I get a different explanation to describe the situation we are viewing.
    Quick summary of the issue:  We've been using Group Policy to manage most Windows XP and 7 settings for years, but starting the middle of last year, we began having clients with machines where some or all group policies would fail to apply.
    These could be long assigned policies, new policies, or changes to policies.  It would never affect everyone or even a majority at once, and the resolution is never the same.  Sometimes a GPUPDATE /FORCE, sometimes fixed automagically the next day,
    sometimes (but very rarely) longer.
    Troubleshooting History:
    What we found in early troubleshooting, that these machines, had errors in Event Viewer for Netlogon, Time-Sync, and Group Policy.  The other issue we noticed, was that our GPRESULT /H reports were missing security groups and the denied section was
    nothing but SSID's.  The first issue pointed me to:
    Event ID 5719 and event ID 1129 may be logged when a non-Microsoft DHCP Relay Agent is used
    I installed these Hot Fixes.  No change to any of the errors in event viewer, or to our Group Policy problems.
    Initial work with Premier Support found that Netlogon, Time-Sync, and Group Policy, were failing before loading of the network stack.  The suggestion was to apply the group policy setting "Always wait for the network at computer startup and
    logon".  At the time, this seemed not to work.  The policy was set on a test bed of laptops and desktops, and no changes in behavior were seen after 3 days.
    Windows 7 Clients intermittently fail to apply group policy at startup
    For some time after this, we were collecting GPSVC and NetTrace logs for Premier Support, trying to document and troubleshoot the problem.  Eventually we got fed up and asked our TAM to call in a pro to get this resolved.  We were sent an engineer
    for 3 days.  For three days we banged away on this issue.  We verified AD and replication health, we tried numerous fixes and workarounds.  I learned 3 different descriptions of how Group Policy works, and in the end we thought we had a workaround
    using the "Always wait for the network at computer startup and logon" because of a single success late in the day.  On day 3 we tried replicating this fix, and quickly realized that the same issue we were having preventing other GPOs to apply,
    were also preventing our "fix" GPO from applying.  So we went the route of using a registry entry.  I also had a problem that even though it was making the process more consistent, it was still taking 3 reboots for a Computer Policy, assigned
    to a computer object via Security Group, to fully take effect on a computer.
    I used the registry methods in the above article.  It didn't work, no sign it was having the same effect the GPO had had.
    Our support engineer claimed this was the proper method, but that path wasn't even close in a Windows 7 SP1 registry, and after creating all the keys that were not present, it still didn't work.
    Always wait for the network at computer startup and logon - AzureWeb
    We ran out of time, our engineer returned home.
    I can understand how these errors indicate a problem applying Group Policy at boot.  But to me it doesn't explain why it doesn't correct post boot, and after a GPUPDATE /FORCE and a reboot.
    It also doesn't explain why we were working fine for years, then all of a sudden DHCP is being outrun by background services.  (By the way logging showed DHCP wasn't significantly delayed, our boot process was actually excellent, health wise.)
    Why all of a sudden is this not behaving optimally?  No changes to network design or function.  No changes to the domain since 2008 R2 was installed in 2011.
    Today I'm reading through all these KB's and articles again, and took some time to read:
    [Forum FAQ] Common steps to start troubleshooting Group Policy
    application and its links below.
    We ran through all of that before and during the 3-day onsite.  It's not getting us any closer to the cause or a solution.
    I found and began some deep reading in this link today.  It has some additional information I will try to use next week:
    Group Policy Basics - Part 3: How Clients Process GPOs
    The one unanswered question I have is this.  How is group policy supposed to apply to a computer, when that policy is applied to an AD Security Group, in which the computer object is a member?
    Before we began having this problem, we would assign a computer GPO, then ask the user to reboot.  If it were a user GPO, we'd ask the user to log off, or reboot.  Either way, if we allowed a few minutes for AD and FRS replication, the user would
    log back in with that new policy in effect.  A new imaged machine would boot with all the GPO's linked to that domain and assigned to "Authenticated Users", already in effect.  Admin groups would be present in administrators, proxy settings
    would be set in Internet Explorer, etc.
    Now I'm asked to believe this was never the case from Premier Support and Microsoft Engineers.  That those policies require the equivalent of a "GPUPDATE /FORCE" that was executed by the Local_System account.  That 3 reboots may
    be necessary for a group policy to be applied.  One for the AD Security Group to be applied.  One for the Computer Policy to be applied.  And a final one for the policy in the GPO to be applied to Windows.
    Can someone confirm or correct this information please?  It's imperative to my troubleshooting.
    There's no place like 127.0.0.1

    That key is empty on all of my machines I have checked today.  Working and problematic alike.
    GPRESULT logs, when run as me, historically would show the group policies applied, denied, and the AD group membership all by name.  About 6 months ago I noticed this changed.
    Now they show the applied GPO's by name, a few of the denied GPO's by name, most by SID, and only 2 to 3 AD groups, though PowerShell shows all the AD groups assigned.  This happens after several AD security and distribution groups are added to the
    machine (Radia software distribution uses Dist groups to assign software).
    A check showed no groups with long legacy Kerberos keys.
    When we make a change to AD Security Group membership, to assign or deny a Group Policy, is usually when we encounter this problem.  It will usually fix itself in 24 hours of the machine being left up and running.  But no amount of GPUPDATE /FORCE
    and rebooting will cause the changes to take effect.
    During this time, the Group Policies will show assigned to the computer in the GPRESULT log.
    Yesterday I began looking into Spanning Tree configuration on our network being a possible cause for the boot up issues.  I'm waiting on responses from our Network group to confirm our configuration.
    There's no place like 127.0.0.1

  • Pushing Printers through Group Policy and Windows 8.1

    I'm looking for help with an issue our organization is having.  We are pushing out our printers through Group Policy on our Windows 2012 server.  We set up a printer security group, then set up the printer on the print server (not shared).  We
    then created a policy under User Configuration\Preferences\Control Panel Settings\Printers\ to then do item level targeting.  We then add that security group to the PC we want to get that printer.  This works with our Windows 7 systems.  Windows
    8.1 on the other hand just has a hard time getting these policies.  
    My question is, is there a certain way you have to deploy printers with Windows 8.1?  We would like to deploy printers going the user configuration route because that way the print jobs have to be pushed to the print server.  Deploying them through
    Computer Configuration doesn't give us that option.
    Any help is greatly appreciated!

    The security group for the printer has multiple computers added to it but only the Windows 7 systems seem to get the policy applied.  Attached is a screen shot(s) of how we currently have it setup.
    https://drive.google.com/file/d/0B3Z5p22SZgFlODJqVVFxOXFFUHM/view?usp=sharing

  • How do I setup Active Directory and Group Policy on Windows Server 2012?

    I work for a school district that uses a Windows 2012 server with about 400 Windows 7 PCs and 150 Mac PCs. We are set up with Roaming Profiles on the PCs and would like to be able to setup Active Directory, Group Policy, and Roaming Profiles on our macs. (We also have a mac server that they are using as a file server only) As we are a school, our funds are very low. Now for the questions...
    Is there software that allows us to accomplish this?
    Is there a free solution or a very reduced price option to do this?
    I heard that http://www.centrify.com/products/mac-edition.asp may accomplish this and I read something about it on here but didn't know if this is what I was really trying to do because it was marked as "The Golden Triangle" and did not mention Roaming Profiles. This is the link though: https://discussions.apple.com/message/17200059#17200059
    Any help would be greatly appreciated.

    The above reply does not take into account that I am trying to use GROUP POLICY EDITOR to make it the default browser.

  • Import Windows XP Group Policy into Windows 7?

    Is it possible to import a Windows XP Group Policy into Windows 7? It seems ZCM will not let you edit the XP policy from Windows 7 even though you can apply the policy to a Windows 7 Workstation and have the policy applied without issue. I'm still researching it, but the search terms return many Active Directory results.
    ZCM 10.3.3 on Linux. and eDirectory only.


  • Group Policy and GroupWise Attachments

    My company uses the "Run only allowed Windows Applications" feature from Group Policy to lock down what can be run on our workstations. We have 2 main policies, a standard (lockdown) policy and an admin (open) policy.
    Ever since a 7.0.2 GroupWise client/server upgrade, under my lockdown policy some of my users have complained that when they click the attachment button in GroupWise it no longer goes to the location of the last attached document, instead it goes to a default location. It might be the D drive, the GroupWise directory, it changes from computer to computer. I have confirmed that this is the behavior of the lockdown policy, and when I switch to the open policy the attachment button goes to the previous attachment location as is expected.
    I've placed addrbook.exe, grpwise.exe, gwmailto.exe, gwreload.exe, gwsync.exe and notify.exe in my allowed list for executables and can't figure out what I might be missing. In the past I have found OCX and DLL files that have had to be specifically added to the policies as well to get certain functions to work. Is it possible that this may be the case in my situation, or could it be a completely different policy that I should be looking at?
    I'm getting ready to push the 8.0.2 clients to my users and this is something that I'd like to try to resolve before I do that push. Thanks!

    I just tore apart my group policy and found that using the Hide These Specific Drives and hiding the C: drive is what is causing this attachment behavior issue. Any ideas why it is causing this and any possible work arounds other than unhiding the C: drive?

  • MSI Package Software Installations and uninstallations by group policy and sccm

    Hi,
    I have a domain comprising approx. 30 ADCs, 5000 clients and 50 OUs. Our developers have created a C# program for fetching some information from client machines and displaying it on their
    screen on bootup (presence of 2 particular pieces of software, antivirus presence and its update date, OS patch updates etc.). This program (.msi) and .NET Framework 4.0 need to be pushed to all client machines. We have an SCCM server through which we can
    push software to be installed on clients. There are a number of ADCs for controlling different sites and OUs. Now I need to push this MSI and .NET Framework to all clients. I pushed .NET Framework from SCCM and it was successful.
    Until today I have pushed this .MSI package using Group Policy software installation settings, using a local share path and SYSVOL.
    With the local share path, the MSI source is available at only one ADC and all clients contact this ADC only to install the software, and it's taking a very long time to boot.
    With the SYSVOL share path, the MSI source is available at all ADCs and all clients contact their site's ADC to install the software. Only Win 7 and Win 8 machines are getting the install, and the software is not able to install on XP and Vista machines. What might be the
    problem for XP machines getting it from the SYSVOL path?
    The error for XP machines is that the SYSVOL path is not accessible/source is not available.
    Now I need to have some other foolproof method to apply it. How do I need to push these .MSI packages to all sites (ADCs) in my child domain from my PDC?
    I want to know the steps and methods for installing and uninstalling this .MSI package using Group Policy and SCCM as well.
    Thanks for replying...

    Hi,
    Based on your description, I want to confirm whether we have more than one domain. If we have more than one domain, it is suggested that we can push the
    MSI package from each domain.
    Regarding how to use Group Policy to remotely install software, the following article can be referred to for more information.
    How to use Group Policy to remotely install software in Windows Server 2008 and in Windows Server 2003
    http://support.microsoft.com/kb/816102/en-us#method1
    In addition, you also mentioned how to use SCCM to do this, in order to get better assistance, we can ask help in the following SCCM forum.
    System Center Configuration Manager
    http://social.technet.microsoft.com/Forums/systemcenter/en-US/home
    Best regards,
    Frank Shen

  • Group Policy for Windows Ten

    http://community.spiceworks.com/topic/1104098-windows-10-gpos

    Does anyone know if you need to have Server 2012 domain controller in order to setup group policy for windows ten?  Currently we are running Server 2008 R2 but I am starting to get devices with windows ten that I will need to control from group policy.  
    @CreativeTechie
    This topic first appeared in the Spiceworks Community

  • How can I deploy EFS using Group Policy and automatically encrypt computers for ALL users who login?

    How can I deploy EFS using Group Policy and Active Directory with a goal to automatically encrypt computers for ALL users who login? (NOT an option for me to use BitLocker)
    I was asked to deploy EFS to encrypt the user my documents folder and profile on all of the users laptops. The laptops are in common areas (board meeting rooms, etc) and security of files is a must.
    I successfully created a recovery certificate in AD. I created an OU and set up an EFS policy and users can now login and select to encrypt their own files. The issue is that management would like to automatically encrypt ALL users' my documents AUTOMATICALLY
    when a user logs in.
    Can this be done?
    Please help

    Hi,
    Any update?
    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
    Best Regards,
    Andy Qi
    TechNet Community Support

  • Windows 8 and IE10 and 11 not accepting Proxy Settings via Group Policy from windows server 2003

    Hi
    We are still running Windows Server 2003 with a Win7 and Win8 desktop environment. I can control Win7 IE9 settings,
    But Win8 systems are running IE10. We have an internal proxy server.
    Is there any way to force the proxy settings to the Win8/IE10 or 11 systems?
    I have tried with the IE 10 .adm template and applied the GPO, but it does not have any proxy settings for IE10 and no changes were applied.
    Please can anyone help me regarding this?
    I want to apply a GPO from Windows Server 2003 to Windows 8 IE10/11.
    Thanks
    KNC

    Hi,   
    I agree with Zanderol24, we can install RSAT on a windows8 client, and then we can use Group Policy Management to manage group policy from the client.
    For more information about RSAT, we can refer to the following link:
    Remote Server Administration Tools (RSAT) for Windows Client and Windows Server (dsforum2wiki)
    http://social.technet.microsoft.com/wiki/contents/articles/2202.remote-server-administration-tools-rsat-for-windows-client-and-windows-server-dsforum2wiki.aspx
    For more detailed information about how to use GPP to configure the proxy setting for ie10 and ie11, we can refer to the following link:
    How to configure Group Policy Preference settings for Internet Explorer 11 in Windows 8.1 or Windows Server 2012 R2
    http://support.microsoft.com/kb/2898604
    When we use GPPs you need to be aware of the F5-F8 keys:
    Red / Green: GP Preferences doesn’t work even though the policy applied and after gpupdate \force
    http://blogs.technet.com/b/grouppolicy/archive/2008/10/13/red-green-gp-preferences-doesn-t-work-even-though-the-policy-applied-and-after-gpupdate-force.aspx
    Besides, aside from using group policy to manage IE, IEAK can also be used to do this.
    For IEAK, the following article can be referred to for more information.
    Internet Explorer Administration Kit (IEAK) Information and Downloads
    http://technet.microsoft.com/en-in/ie/bb219517.aspx
    Best Regards,
    Erin

  • How to access group policy in windows 8 home premium, not 8.1 to disable snipping tool

    how do I access group policy to disable the snipping tool in windows 8 home premium? client has not installed update 8.1. client is trying to save pictures to pictures album, but it also saves a screenshot to the documents folder as well regardless
    of what save method is used.
    thanks.

    You can disable the Snipping Tool by creating the below registry setting
    (save as a .REG file)
    Windows Registry Editor Version 5.00
    [HKEY_CURRENT_USER\Software\Policies\Microsoft\TabletPC]
    "DisableSnippingTool"=dword:00000001
    ref: http://gpsearch.azurewebsites.net/Default.aspx?PolicyID=2426
    I am not aware of any Snipping Tool feature which automatically saves the snip, as a file.
    (there are other utilities available which can perform similar functions)
    Don
    This has apparently resolved the problem with the saving of screenshots based on the customer's response. Thanks so much.

  • Automatic Windows Update via Group Policy in Windows 8

    Hi,
    I have created a new GPO to place some settings on the Automatic Update to all my client PCs. The settings applied as in the image I uploaded below. The problem is that this GPO was successfully applied to all my Windows 7 machines but not Windows 8.1 machines.
    Is there anything that I missed or I should know about Windows 8.1 automatic update configuration via Group Policy? I've tried to google but can't find any guidance that relates. I'm not using WSUS. Appreciate any advice. Thanks.
    Cheers, Sparcx [MCTS,MCITP-EA]

    Hi Leon, yes I have read the blog that you gave. It says that Windows 8 requires a KB update to roll the changes that will solve this issue. However it's also said that the update is included in Windows 8.1 and there's no need to update to solve the Automatic
    Update behaviour via Group Policy as mentioned. Also tried to apply the KB update suggested, but failed. It is not for the Windows 8.1 platform. Is there any other suggestion? I'm kinda stuck here..
    Cheers, Sparcx [MCTS,MCITP-EA]

  • Hit with Virus that executed via PowerShell Scripting. Can I disable Powershell on my network via Group Policy and what implications does that have for me.

    Our network was hit recently with virus previously unknown, O97M.Crigent.  It is a nasty Macro virus that targets Microsoft Office Documents & Spreadsheets and uses a combination of Macros and Scripts via Powershell. 
    How do I disable PowerShell scripting via Group Policy?
    Will this raise any issues such as random application or network failures or other issues?
    Can I apply it to the entire domain or should I be selective and only apply it to the workstations?
    Network Summary: Windows 2008 Active Directory Server, 75% Windows 7, 25% Windows XP workstations.
    DouglasOfSanMarcos

    Disabling Windows PowerShell can be done with GPO:
    Computer Configuration | Administrative Templates | Windows Components | Windows PowerShell
    From GPO Description: "This setting exists under both "Computer Configuration" and "User Configuration" in the group policy editor. The "Computer Configuration" has precedence over "User Configuration.""
    By default this option is restricted anyway on computers.
    I would be very selective when applying it at all:
    Workstations - I would apply to a test group of workstations first, just to see that there are no side effects before applying to all computers.
    Server - I wouldn't apply it at all. I have seen too many issues when setting this policy on Exchange and other systems.
    If you are using a Group Policy to define a PowerShell logon, logoff or computer script, that script will disregard any execution policy set locally or through a GPO.
    http://4sysops.com/archives/set-powershell-execution-policy-with-group-policy/
    http://technet.microsoft.com/en-us/library/hh849812.aspx
    Please take a moment to Vote as Helpful and/or Mark as Answer where applicable. Thanks.
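
A way to confirm on a pilot workstation that the script-execution GPO described above has actually landed (added example, not from the original answer). It assumes the policy is stored as the `EnableScripts` and `ExecutionPolicy` values under the PowerShell policy key, and compares them with what `Get-ExecutionPolicy` reports for each policy scope.

```powershell
# Added example: compare the GPO-backed registry values with what PowerShell reports.
# Read-only; run it on a machine from the test group after a policy refresh.
$policyKeys = @{
    MachinePolicy = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell'
    UserPolicy    = 'HKCU:\Software\Policies\Microsoft\Windows\PowerShell'
}

function Get-PolicyFromRegistry {
    # Translates the registry values written by the GPO into an execution policy name.
    param([string]$KeyPath)

    $reg = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $reg -or $null -eq $reg.EnableScripts) {
        return 'Undefined'                       # GPO setting "Not Configured"
    }
    if ([int]$reg.EnableScripts -eq 0) {
        return 'Restricted'                      # GPO setting "Disabled"
    }
    if ($reg.ExecutionPolicy) {
        return [string]$reg.ExecutionPolicy      # GPO setting "Enabled" plus the chosen level
    }
    return 'Undefined'
}

# Computer Configuration is listed first because it takes precedence over User Configuration.
$rows = foreach ($scope in 'MachinePolicy', 'UserPolicy') {
    $fromRegistry = Get-PolicyFromRegistry -KeyPath $policyKeys[$scope]
    $reported     = [string](Get-ExecutionPolicy -Scope $scope)

    New-Object PSObject -Property @{
        Scope        = $scope
        FromRegistry = $fromRegistry
        Reported     = $reported
        Consistent   = ($fromRegistry -eq $reported)
    }
}

# Last row: the policy PowerShell enforces for interactive sessions on this machine.
$rows += New-Object PSObject -Property @{
    Scope        = 'Effective'
    FromRegistry = ''
    Reported     = [string](Get-ExecutionPolicy)
    Consistent   = ''
}

$rows | Select-Object Scope, FromRegistry, Reported, Consistent
```

A `MachinePolicy` row that still reads `Undefined` after `gpupdate` means the GPO is not reaching that computer, which is worth settling on the test group before widening the scope.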

  • Group-Policy and Inheritance

    I have a Group-Policy created with all the attributes that my SVC clients should be using -- this GP is called GP-SVC.  My client wants to add different access-levels for different sets of users.  I would like to do this by having three new Group-Policies inherit attributes from GP-SVC, except for the VPN Filter ACL which will be different on each of these "child" GP. 
    So here is how I want inheritance to work:
    DfltGrpPolicy
    |
    +-- GP-SVC
           |
           +--GP-SVC-Users
           +--GP-SVC-Devs
           +--GP-SVC-Admins
    But for some reason, it's not letting me choose a group to inherit attributes from for my child GPs:
    asa5505#    show run group-policy GP-SVC
    group-policy GP-SVC internal
    group-policy GP-SVC attributes
    dns-server value 172.17.96.181
    vpn-tunnel-protocol svc
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value SPLIT-SVC
    default-domain value something.local
    split-dns value something.local
    address-pools value SVC-POOL
    asa5505(config)# group-policy GP-SVC-Users internal ?
    configure mode commands/options:
      from  Specify group to initialize attributes from
    asa5505(config)# group-policy GP-SVC-Users internal from GP-SVC
    ERROR: source group GP-SVC does not exist
    Anyone have any ideas as to what I'm doing wrong?  My goal was for the "child" group-policies to only have one attribute assigned, the VPN Filter, and for the rest of their attributes to be inherited from GP-SVC.
    My Device:
    Cisco Adaptive Security Appliance Software Version 8.2(5)3
    Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz

    Hi jcarvaja
    Looks like you're right.  Strange that it errors out:
    student10#  show run group-policy
    group-policy PARENT internal
    group-policy PARENT attributes
    dns-server value 1.1.1.1 1.1.1.2
    vpn-access-hours none
    vpn-idle-timeout 111
    vpn-session-timeout 111
    split-dns value one.com one.one.com one.one.one.com
    student10#
    student10# conf t
    student10(config)# group-policy CHILDa internal from PARENT
    ERROR: source group PARENT does not exist
    student10(config)#
    student10(config)# show run group-policy
    group-policy PARENT internal
    group-policy PARENT attributes
    dns-server value 1.1.1.1 1.1.1.2
    vpn-access-hours none
    vpn-idle-timeout 111
    vpn-session-timeout 111
    split-dns value one.com one.one.com one.one.one.com
    group-policy CHILDa internal
    group-policy CHILDa attributes
    dns-server value 1.1.1.1 1.1.1.2
    vpn-access-hours none
    vpn-idle-timeout 111
    vpn-session-timeout 111
    split-dns value one.com one.one.com one.one.one.com
    student10(config)#
    So it creates the CHILD GP, but it only copies the configuration, doesn't truly inherit.  Which is to say, if I make a change to the parent group, it is not replicated to the child:
    student10(config)#
    student10(config)# group-policy PARENT attributes
    student10(config-group-policy)# dns-server value 3.3.3.3
    student10(config-group-policy)# exit
    student10(config)# exit
    student10#  show run group-policy
    group-policy PARENT internal
    group-policy PARENT attributes
    dns-server value 3.3.3.3
    vpn-access-hours none
    vpn-idle-timeout 111
    vpn-session-timeout 111
    split-dns value one.com one.one.com one.one.one.com
    group-policy CHILDa internal
    group-policy CHILDa attributes
    dns-server value 1.1.1.1 1.1.1.2
    vpn-access-hours none
    vpn-idle-timeout 111
    vpn-session-timeout 111
    split-dns value one.com one.one.com one.one.one.com
    I guess I have my answer then, the "from" keyword is to simply copy the settings from another group-policy, not set up a parent-child relationship.
    Thanks for your help, Jcarvaja.  I'll mark your response as the answer.

  • Group Policy and shortcuts

    OK, imagine there is a company "x" that has a group policy which allows certain software to be executed. In one department of this company, employees use a certain program called "y". One employee creates a shortcut of this program
    on the desktop and when he tries to open it, an error message comes out which tells him that a policy which allows certain software is in use. Can someone explain to me what happened? I know the group policy which allows certain software is in use but if
    he can use the program why can't he use the shortcut? :/

    On 04.02.2014 11:47, KristAlbania wrote:
    > One employee creates a shortcut of this program on the desktop and when he
    > tries to open it, an error message comes out which tells him that a
    > policy which allows certain software is in use.

    AppLocker or SRP? AppLocker has an event log that will tell you what
    exactly was blocked...
    Martin
    Fancy reading a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
