Group policy didnt work (SYSVOL replication)

Similar Messages

• Group Policy not work in some client machine.

  Hello All,
  Existing environment is AD 2012. gpupdate /force command does not working in some client machine. And it's occur randomly. Error shown about 15-20% of client machine. Please suggest. Hopefully this time get reply from community.
  The Error:
  User policy could not be updated successfully. The following errors were encount
  ered:
  The processing of Group Policy failed. Windows attempted to read the file \\example.net\sysvol\example.net\Policies\{31B2F340-016D-11D2-945F-00C04FB
  984F9}\gpt.ini from a domain controller and was not successful. Group Policy set
  tings may not be applied until this event is resolved. This issue may be transie
  nt and could be caused by one or more of the following:
  a) Name Resolution/Network Connectivity to the current domain controller.
  b) File Replication Service Latency (a file created on another domain controller
   has not replicated to the current domain controller).
  c) The Distributed File System (DFS) client has been disabled.
  Computer policy could not be updated successfully. The following errors were enc
  ountered:
  The processing of Group Policy failed. Windows attempted to read the file \\example.net\sysvol\example.net\Policies\{31B2F340-016D-11D2-945F-00C04FB
  984F9}\gpt.ini from a domain controller and was not successful. Group Policy set
  tings may not be applied until this event is resolved. This issue may be transie
  nt and could be caused by one or more of the following:
  a) Name Resolution/Network Connectivity to the current domain controller.

  Thanks for your reply. basically this error occurs with in same location as well as branch location. i have check event log in AD but not got any specific error. AD health status is ok. AD to AD synchronization also working well. All the client machine running
  on windows 7 64 bit and few of them are windows 8. 
  Please suggest. if you need any event log for analysis i can send you.
  Thanks
  I recommend you examine the event logs upon an affected client machine. Specifically, look for the surrounding events on that machine (both System, and Application logs), for the hours previous and the hour after.
  The time period may vary according to your environment (e.g. what is expected/normal for your environment, your configured GP refresh cycle-time).
  e.g., are there network drops, or power drops, or system crashes, restarts at the similar time.
  if it's a laptop, is it wireless? Was there a transition from wireless to wired operation?
  Is there VPN in use?
  If you are able to compare with another machine (I would encourage that), to understand what "normal" looks like in the logs, so that you have some kind of baseline data for comparison.
  Other checks, maybe confirm that the machines are updating as required (have the relevant WindowsUpdates etc), and consider if some security/protection/firewall software might be interfering with normal Windows operations.
  Also the potential for malware or virus, which can disturb many basic services (ensure a scan is performed and returns clean).
  If you have the opportunity for an affected user to contact you urgently when the symptom occurs, check that the gpt.ini file is accessible from their PC.
  e.g.: \\example.net\sysvol\example.net\Policies\{31B2F340-016D-11D2-945F-00C04FB
  984F9}\gpt.ini
  This file is hosted within the replicated SYSVOL share on your DC's, so check that it is accessible.
  You might also validate the particular GPO this refers to, and check each of your DC's holds the correct copy of the files for that GPO GUID.
  If you open that GPO, and perform a minor change to it (e.g. add a comment), then click Apply, OK, this should cause the GPO contents to replicate an updated version (be cautious, depending upon the nature of that GPO !!!)
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• Windows 2008 Group Policy not working in Windows 8.1

  Hi ,
  We found that the GPO settings created in Windows 2008 is not working in a Windows 8.1 machine.
  One example is the proxy settings.
  We confirmed from gpresult that the GPO is in the list but checking the actual proxy settings, it is not applied.
  Regards,
  Jhun

  Hi,
  How did we configure the proxy settings, using Internet Explorer Maintenance? If it is this case, just as Martin suggested, we can’t use IEM to manage
  IE 10 and IE 11.  However, we can configure the proxy setting via Group Policy Preferences (GPP).
  Regarding this point, the following blog can be referred to for more information.
  Configuring Internet Explorer 10′s
  Proxy Via Group Policy
  http://johnfail.wordpress.com/2013/06/15/configuring-internet-explorer-10s-proxy-via-group-policy/
  In addition, when we use this GPP extension, pay attention to GPP F5-F8 keys.
  Regarding this point, the following blog can be referred to for more information.
  Group Policy Preferences F5 F6 F7 F8 “documentation”
  http://msitpros.com/?p=1014
  Please Note: Since the above two websites are not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy
  of this information.
  In addition, regarding the deprecation of IEM, the following article can be referred to for more information.
  Appendix B: Replacements for Internet Explorer Maintenance
  http://technet.microsoft.com/en-us/library/jj890998.aspx
  Best regards,
  Frank Shen

• New Group Policy not working on 2008 RDS in 2012 Domain - Security Filtering problem?

  We have a Windows 2008 R2 RDS in a Windows 2012R2 Domain. We want to lockdown the 2008 RDS for Domain users that we have added to a new  security Group--named "Data Collection Users". These users are "Domain Users" and login to the
  2008 RDS using Windows XP SP3 machines to run a specific application -they do not use their local desktops for anything. WE added this group to the local RDU group on the RDS.  We do not have any other users that login to the RDS through terminal,
  including any Domain Admins.
  So far we have done these steps:
  On the DC, created new OU (called Terminal Servers) and moved the RDS into it.
  Opened Group Policy on the DC, and under GP Objects, created a new policy called "TS Users Lockdown".
  Linked the Policy to the OU.
  Under Security Filtering we removed the Authenticated Users, added the RDS computer account (called QS2), added the "Data Collection Users" and chose Allow for "Read" and "Apply Policy"
  Under Security Filtering, for Domain Admins, we chose Deny for "Apply Group Policy"
  We edited the Policy (under Computer Configuration>AT>SYS>GP) to Enable Loopback processing - Replace mode.
  We first tested the policy by trying to remove the "Run" from startup menu and "prohibit access to Control Panel".
  We ran the Group Policy force update from within GP Management - ran successfully.
  We did not reboot the RDS.
  Neither of the settings we tried in Step 7 worked.  Why Not?
  Here are images from the Security Filtering:

  Ok--Do I reboot the RDS or the DC?  or both?
  Does it look like my Security Filtering is correct?  I have seen posts where you should not remove the "Authenticated users"?

• Group Policy Deployment Acrobat Standard XI Version 11

  I was able to successfully create a Windows 2008 R2 SP1 Group Policy that would be able to distribute the Adobe Reader Application using the Adobe Customization Wizard XI. I tried to use the same procedure from the Adobe Acrobat Standard 11 download from the adobe licensing site and was unable to get the Group Policy to work. The error message that I am getting is...
  The install of application Adobe Acrobat XI Standard 11.0 from policy  Deploy Adobe Acrobat 11 failed. The error was : %%1603
  This is the procedure that I created for deployment of Adobe Acrobat XI using Group Policy.
  How to create a group policy deployment of Adobe Acrobat XI
  Overview:
  This procedure covers the steps needed to create a group policy that will deploy the Adobe Acrobat installation.
  Requirements
  •    Windows 2008 Group Policy
  •    Adobe Acrobat Customization Wizard
       o    ftp://ftp.adobe.com/pub/adobe/acrobat/win/11.x/11.0.00/misc/CustWiz11000_en_US.exe
  •    Adobe Acrobat XI (Version 11)
       o    download from adobe account
  Procedure:
  1.    Download the Adobe Acrobat XI package.
  2.    Extract the contents of the Adobe Acrobat XI package.
  a.    Type msiexec.exe /a AcroStan.msi
  b.    Click Next
  c.    Put in the Network Location Share where everyone can extract the installation.
  d.    Click Install
  e.    The package will then extract to the network location as indicated above.
  f.    Click Finish, once the installation has completed.
  g.    Open the Adobe Customization XI Wizard, and customize the package by selecting the AcroStan.msi file. 
  h.    Customize the AcroStan.MSI installation file   
  i.    Default viewer of PDF files: Make Acrobat the Default PDF Viewer
  ii.    Remove previous versions of Acrobat
  iii.    Run Installation: Silently
  iv.    If reboot is required at the end of installation: Suppress reboot
  i.    Shortcuts: Remove the desktop Shortcut
  j.    Online and Adobe Services: Disable Product Improvement Program: checked.
  k.   Generate Transform File
  i.    Click Transform > Generate Transform File
  ii.   Create an Setup.Ini file in the folder of the Distribution Package.
  iii.  Name the Transform File something useful like “CompanyConfigs”.
  3.    Create a Group Policy to deploy the software package. It is usually best to have a group policy for each software installation package.
  a.    Update the Domain Default Policy with Always install with elevated privileges. This will allow all software deployment packages to install. 
  i.    Computer Configuration > Policies > Windows Settings > Administrative Templates > Windows Components > Windows Installer > Always install with elevated privileges : Enabled.
  b.  Create a Group Policy to enable Windows 7 Verbose Mode
  i.    Computer Configuration > Policies > Administrative Templates > System > Verbose vs normal status messages : Enabled.
  c.    Create a Group Policy for the Software Installation
  i.     Computer Configuration > Policies > Software Settings
  ii.    Right click and select New > Package
  iii.   Click the AcroRead.msi
  iv.   Click Advanced
  v.    Click the Modifications Tab and click Add
  vi.   Optional: Click the Uninstall this application when it falls out of the scope of management.
  Note: This setting can be used to uninstall the application if the group policy ever changes in that the application should be removed.
  vii.    The package is now created …
  4.    Test the Client in a Virtual Machine
  a.    Go to a windows client and run “gpupdate /force”.
  b.    The system will then respond that it needs to restart the computer.
  c.    Type Yes, and allow the computer to reboot.
  d.    If Group Policy is not setup to allow for verbose messages in Windows 7 then the user will just see “Please wait…”, if verbose message is enabled the user will see “Installing Adobe Acrobat…”.
  Can someone please tell me what I am missing to get the group policy deployed? It has the same permissions as the Adobe Reader folder and I have done everything exactly the same, except that Adobe Standard has the license number, and owner information included in the Transform file (.mst).
  Thank you.

  Your case isn't unique. We've heard this a lot. While Acrobat has a small, very small percentage of settings available in the ADMX files,
  in case you don't know, PolicyPak software has a solution to manipulate, basically, near 100% of the settings in Acrobat Reader and Professional.
  You're welcome to check out how it works. These videos are for Acrobat X, but there is also tempaltes in the download for XI.
  Here are links to the pages with full how-to videos:
  http://www.policypak.com/products/manage-acrobat-reader-with-group-policy.html
  and
  http://www.policypak.com/products/manage-acrobat-x-pro-and-acrobat-x-standard-using-group- policy.html
  You can be up and running in 20 minutes, but note, it's NOT a template.. PolicyPak is full application management and lockdown system.

• Group Policy SYSVOL replication + health status

  Is there a way for me to programmatically check the health status of a specific GPO in SYSVOL across all Domain Controllers?
  How do I force a "Good" copy of a GPO to all other DC's?

  Hi,
  >>How do I force a "Good" copy of a GPO to all other DC's?
  As Alex suggested, we can do a non-authoritative restore for Sysvol on un-healthy domain controllers to make them sync their Sysvol from a healthy one.
  Regarding how to perform non-authoritative restore for Sysvol, this depends on what replication mechanism we use for replicating Sysvol.
  If Sysvol is replicated by FRS, we can follow the procedure described in the following article to do a non-authoritative restore.
  Using the BurFlags registry key to reinitialize File Replication Service replica sets
  http://support.microsoft.com/kb/290762?wa=wsignin1.0
  If Sysvol is replicated by DFSR, we can follow the procedure described in the following article to do a non-authoritative restore.
  How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS)
  http://support.microsoft.com/kb/2218556
  >>Is there a way for me to programmatically check the health status of a specific GPO in SYSVOL across all Domain Controllers?
  We can check event logs in Event Viewer on domain controllers. If something goes wrong with Sysvol replication, error events will be logged under Applications and Services Logs\FRS or DFSR Replication.
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Deleted Policy from sysvol location by mistake - Group Policy Infrasturure Failure - 2008 R2

  Hello, I accidentally deleted a GPO Policy from the Policies Folder in the sysvol location. I was sure that it was not being used but was somehow causing an errors when i ran an rsop on my test machine.
  Group Policy Infrastructure failed due to the error listed below.
  The system cannot find the path specified.
  Note:  Due to the GP Core failure, none of the other Group Policy components processed their policy.  Consequently, status information for the other components is not available
  Getting it from Backup would take too long.
  There are no auditing on the DC and cant work out how to recover it now. Is there anyway to get this back? I have checked the other DCs but couldnt find the exact policy ID before replication.
  Thanks
  GP 2008 R2

  > *Group Policy Infrastructure failed due to the error listed below.*
  > *The system cannot find the path specified.*
  gpotool.exe is a handy tool for this :) Download at MS.
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Using Office 2013 group policy template to define Trusted Locations and Template Locations doesn't work

  User Configuration/Policies/Administrative Templates
  - Using Office 2013 group policy template to define Trusted Locations and Template Locations doesn't work
  Microsoft Word 2013/Word Options/Security/Trust Center/Trusted Locations
  - Allow Trusted Locations on the network: 
  Enabled 
  - Trusted Location #1: 
  Enabled 
  Path:  //server/sharedfoldername   [Edit:  Path:
  \\server\sharedfoldername]
  Date: June 10, 2013
  Description: Trusted Location
  Allow sub folders: Enabled
  The policy appears to apply to the client correctly by adding the following registry key and values:
  HKEY_CURRENT_USER\Software\Policies\Microsoft\office\15.0\word\security\trusted locations\location1
  allowsubfolders: 1
  date: June 10, 2013
  Description: Trusted Location
  Path:  //server/sharedfoldername  [Edit: Path: 
  \\server\sharedfoldername]
  However, when you open Word Options/Trust Centre/Trust Centre Settings…/Trusted Locations
  There are no trusted locations listed under ‘Policy Locations’
  I have tried setting similar settings for setting the Shared Templates folder location and just like the trusted locations policy, the registry keys are created properly in HKEY_CURRENT_USER\Software\Policies however word doesn’t
  seem to recognize these either.
  This used to work flawlessly using the administrative templates for Word 2007 and 2010. Has anyone been able to get these policies to apply successfully, or know why office doesn’t recognize these settings from the Policies registry
  Key?

  This would have been an easy solution to the issue.  Unfortunately it isn't the problem.  This question was originally posted on another Microsoft site and
  was transferred here and when it was transferred the path's changed from the original post: 
  \\server\sharedfodlername to //server/sharedfoldername.  (I will edit the question to show up as it did in the original post) Not sure how that happened.  This
  is still an issue that I haven't been able to get working correctly.
  As it turns out the 'New from Template' interface Word 2013 has developed is very bulky with large thumbnails and is not very customizable nor practical for an office
  that has a large number of templates.   Because I am unsatisfied with the display and performance of the 'New' template chooser I sought after a solution to change the way word creates a document from a template in another thread: 
  http://answers.microsoft.com/en-us/office/forum/office_2013_release-word/how-can-you-change-the-display-of-templates-in/d49194b9-a6b4-4768-8502-7d7b50e9dd65 working through this issue with Jay we were able to develop
  some VB script with handles a very large number of templates in a list view and it works much faster than the built-in Word interface.  The above thread is how I've worked around trying to define a shared template location and I am quite happy with it.

• Windows 8.1 Group Policy based Wireless Profiles do not appear to be working

  I'm wondering if anyone else out there has run into the same issue as I am seeing.  The environment is all Server 2012(not R2), with Windows 8.1 clients.  
  I configure a GPO that is linked to the entire domain/authenticated users and contains a Windows Vista and Later wireless network profile.  Let's call it "GPO_Wireless.  It is configured to automatically connect it to a specific SSID, the
  encryption settings are unimportant, as I've tried numerous approaches.  In our case, we're trying to do EAP-TLS with the NPS role.  We have the CA rolled out, NPS has a proper cert, and the clients are auto-enrolling for both Computer and User certs.
   This is all verified as working.  We've also tried straight password authentication.
  I refresh group policy on a Windows 8.1 client and see that Computer Policy "GPO_Wireless" is being applied to the client.  I restart the computer, but it does not connect to the wireless network.
  I run "netsh wlan show profiles" and under "Group Policy Profiles(read only)" it is blank.
  I run gpresult /r /scope computer again, and it shows "GPO_Wireless" is being applied.
  The last note is that Windows 7 clients can connect to the wireless just fine.

  Hi，
  For the client side, I would like to know if the windows 7 as you mentioned used the same Group Police like Windows 8.1.
  Meanwhile, I suggest you try using script as a workaround.
  Regards,
  Kelvin hsu
  TechNet Community Support

• ITunes won't work because of domain group policy

  Hi my work just implemented a really stupid group policy through our domain that dissallows any file named iTunes.exe to run. The good news is I can rename iTunes.exe and get iTunes to work. That bad news is once I rename iTunes.exe the iPod service is unable to start. The iPod service I assume is what automatically launches iTunes when you plug in your iPod. Does anyone know if a way to let the iPod service and any other file that depends on iTunes.exe that I have renamed it?

  I don't have a solution for you, but as a system administrator I feel I must comment.
  I don't know about where you work -- but at my job, deliberate circumvention of policy is "abuse" and is considered grounds for termination. The computer you use at work is not yours; it belongs to the company you work for.
  If you have a problem with the policy you should take it up with the administrators or your management -- not try to circumvent it. Perhaps the policy is based on a misunderstanding that you could clear up! You (your computer, really) might even be granted an exception to the policy.

• [Forum FAQ] Group Policy Preferences Scheduled Tasks Item not working when the option Run whether user is logged on or not is selected

  Scenario:
  We use one of the following Group Policy Preferences Scheduled Tasks item to deploy a task to clients:
  Computer Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Scheduled Task (At least Windows 7)
  Computer Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Immediate Task (At least Windows 7)
  User Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Scheduled Task (At least Windows 7)
  User Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Immediate Task (At least Windows 7)
  (Note that on some platforms, "At least Windows 7" is replaced with "Windows Vista and later.")
  After designating a user account to run the task, we select “Run whether user is logged on or not” option, and “The Do not store password…”
  check box is automatically grayed out (See Figure 1).
  Figure 1
  After finishing configuring the task item, on a client, we run command
  gpupdate/force to forcefully update group policy. However, on the client, when we check if the task is listed in Task Scheduler snap-in, the task is not displayed, and when we run
  gpresult/h report.html to collect group policy result for troubleshooting, we see an error as similar as shown in the following figure (Figure 2).
  Figure 2
  Cause:
  To make the scheduled task run whether the user is logged on or not, we need to store the password of the designated user account. However, for the content of the scheduled
  task item is stored in Sysvol where it’s not safe to store passwords, this function has been deprecated.
  Workaround:
  We can run the task with system account
  NT Authority\System, or we can use specific user accounts to run the task when the given user is logged on. (See Figure 3)
  Figure 3
  Reference:
  MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege: May 13, 2014
  http://support.microsoft.com/kb/2962486
  Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

  Hello Everyone,
  Succeeded !!!!!!!
  Even i was struggling with this same Problem to execute a batch via Window scheduler and set the setting to "Run whether the user is logged in or not".
  I tried many time but the batch runs with " Run
  whether user is logged on" and not with "Run
  whether user is logged on or not".
  what i discovered is that there was one mapped drive
  path in my batch file which was not the complete path like y:/AR.qvw actually what i did i changed that map path to the complete path like \\servnamename\d$\AR.qvw and the batch executed successfully with the setting "Run
  whether user is logged on or not"
  The
  conclusion is that check the dependency of the script on external resources because when you check this option "Run
  whether user is logged on or not" It actually conflicts. This my discovery.
  If
  you have any question write me on [email protected]
  Thanks
  & Regards,
  Arun

• I have a Win7Pro SP1 PC locked down with a Group Policy as it is a public facing PC. PDF fillable forms cannot be completed when logged on as the restricted user. The forms work as a normal user. What are the user requirements/permissions needed to fill f

  I have a Win7Pro SP1 PC locked down with a Group Policy as it is a public facing PC. PDF fillable forms cannot be completed when logged on as the restricted user. The forms work as a normal user. What are the user requirements/permissions needed to fill forms?

  Well, try this (I was able to fix my with these steps):
  Go Utilities > Disk Utility
  Select your Startup Disk, e.g. Macintosh HD
  Then, under the First Aid Tab, click Verify Disk Permissions.
  If there are errors, then click repair Disk Permissions.
  After it is done, restart the computer and see if your problem is resolved.
  I hope this help.
  Zeke
  www.ZekeYuen.com/blog/

• Deployment of software through Group policy does not work

  Hi all,
  I am trying to deploy a program through Group policy, specifically winrar, any client computer is able to install the program. Please find below the events from the workstation:
  Log Name:      Application
  Source:        Microsoft-Windows-WMI
  Date:          4/27/2014 10:06:01 PM
  Event ID:      10
  Task Category: None
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      IRCLIENT0001.corp.healthcareinnovation.com
  Description:
  Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because
  of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
  Log Name:      System
  Source:        Microsoft-Windows-GroupPolicy
  Date:          4/27/2014 10:04:49 PM
  Event ID:      1085
  Task Category: None
  Level:         Warning
  Keywords:      
  User:          SYSTEM
  Computer:      IRCLIENT0001.corp.healthcareinnovation.com
  Description:
  Windows failed to apply the Software Installation settings. Software Installation settings might have its own log file. Please click on the "More information" link.
  Log Name:      System
  Source:        Application Management Group Policy
  Date:          4/27/2014 10:04:49 PM
  Event ID:      108
  Task Category: None
  Level:         Error
  Keywords:      Classic
  User:          SYSTEM
  Computer:      IRCLIENT0001.corp.healthcareinnovation.com
  Description:
  Failed to apply changes to software installation settings.  Software changes could not be applied.  A previous log entry with details should exist.  The error was : %%1612
  Log Name:      System
  Source:        Application Management Group Policy
  Date:          4/27/2014 10:04:48 PM
  Event ID:      102
  Task Category: None
  Level:         Error
  Keywords:      Classic
  User:          SYSTEM
  Computer:      IRCLIENT0001.corp.healthcareinnovation.com
  Description:
  The install of application WinRAR from policy Basic Computers GPO failed.  The error was : %%1612
  I am using windows server 2008 R2 and all my clients are running Windows 7 Enterprise and they are working over a domain, note that I am using VMware.
  Below there are a list of the troubleshooting steps that have been already applied:
  *Disable the the firewall both in the server and in the clients 
  *Grant read access to the folder where the the program is shared for installation, it was added the authenticated users and domain computers.
  *Group policy modifications: 
  -> User Account Control
  Policy Setting Winning GPO 
  - User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode Elevate without prompting Basic Computers GPO 
  - User Account Control: Detect application installations and prompt for elevation Disabled Basic Computers GPO 
  - User Account Control: Only elevate UIAccess applications that are installed in secure locations Disabled Basic Computers GPO 
  - User Account Control: Run all administrators in Admin Approval Mode Disabled Basic Computers GPO 
  --> System/Group Policy
  Policy Setting Winning GPO 
  - Startup policy processing wait time Enabled Basic Computers GPO 
  Amount of time to wait (in seconds): 120 
  --> System/Logon
  Policy Setting Winning GPO 
  - Always wait for the network at computer startup and logon Enabled Basic Computers GPO 
  Thank you very much for your time.

  Hi Marco,
  Based on your description, we can enable diagnostic logging of Group Policy Software Installation processing to troubleshoot the issue.
  Regarding this point, the following article can be referred to for more information.
  How to troubleshoot software installations by using Windows application management debug logging
  http://support.microsoft.com/kb/249621
  Once you get the log, you may upload it to OneDrive and provide us the download link.
  In addition, the following article provides a step-to-step guidance for deploying software via group policy and can be referred to for double check.
  How to use Group Policy to remotely install software in Windows Server 2008 and in Windows Server 2003
  http://support.microsoft.com/kb/816102
  Best regards,
  Frank Shen

• Reset Group Policy Replication

  I have 2 domain servers.  They both, when configured, were set to replicate to one another.  Changes on one get changed on the other and vice versa.  It would appear now that my Group Policy is not getting replicated.  If I am under Group
  Policy Manager and I right click on my domain, and change the domain server from server 1 to server 2, I show that the GPO are all old.  If I look at server 1 everything is the way it should be.  The problem I am having is some of my workstations
  are pulling their GPO from server 2.  How can I reset the replication so that server 2 will pull everything that server 1 has, and go back to the way it use to be where changes to 1 changed the other.
  Also I ran dcdiag and I get this and got a lot of errors about DFS Replication.  Any advice would be great as I didn't set these servers up and am still learning.  Everything I read talks about opening the DFS Management console but I dont show
  that on either of my domain servers.
  Thanks in advance.

  I went back and reread and tried this all again.  I know this is an old post and hopefully it still reaches you.  Here is what I got from the last command of wevtutil
  qe /f:text "DFS Replication" /c:6
  Event[0]:
    Log Name: DFS Replication
    Source: DFSR
    Date: 2013-03-06T16:49:16.000
    Event ID: 1002
    Task: N/A
    Level: Information
    Opcode: N/A
    Keyword: Classic
    User: N/A
    User Name: N/A
    Computer: HMDC2
    Description: 
  The DFS Replication service is starting.
  Event[1]:
    Log Name: DFS Replication
    Source: DFSR
    Date: 2013-03-06T16:49:16.000
    Event ID: 1004
    Task: N/A
    Level: Information
    Opcode: N/A
    Keyword: Classic
    User: N/A
    User Name: N/A
    Computer: HMDC2
    Description: 
  The DFS Replication service has started.
  Event[2]:
    Log Name: DFS Replication
    Source: DFSR
    Date: 2013-03-06T16:49:16.000
    Event ID: 1314
    Task: N/A
    Level: Information
    Opcode: N/A
    Keyword: Classic
    User: N/A
    User Name: N/A
    Computer: HMDC2
    Description: 
  The DFS Replication service successfully configured the debug log files. 
  Additional Information: 
  Debug Log File Path: C:\Windows\debug
  Event[3]:
    Log Name: DFS Replication
    Source: DFSR
    Date: 2013-03-06T16:49:22.000
    Event ID: 6102
    Task: N/A
    Level: Information
    Opcode: N/A
    Keyword: Classic
    User: N/A
    User Name: N/A
    Computer: HMDC2
    Description: 
  The DFS Replication service has successfully registered the WMI provider.
  Event[4]:
    Log Name: DFS Replication
    Source: DFSR
    Date: 2013-03-06T16:49:24.000
    Event ID: 1202
    Task: N/A
    Level: Error
    Opcode: N/A
    Keyword: Classic
    User: N/A
    User Name: N/A
    Computer: HMDC2
    Description: 
  The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused
  by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues. 
  Additional Information: 
  Error: 1355 (The specified domain either does not exist or could not be contacted.)
  Event[5]:
    Log Name: DFS Replication
    Source: DFSR
    Date: 2013-03-06T17:49:24.000
    Event ID: 1202
    Task: N/A
    Level: Error
    Opcode: N/A
    Keyword: Classic
    User: N/A
    User Name: N/A
    Computer: HMDC2
    Description: 
  The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused
  by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues. 
  Additional Information: 
  Error: 1355 (The specified domain either does not exist or could not be contacted.)

• Block USB drive via Group Policy but keyboard, mouse, printers will work

  Hi
  We are using Windows Server 2008 R2 Std Edition and on clinet XP SP2
  We want to block USB Storage via Group Policy and allow Keyboard and mouse to work.
  Any suggestion will appreciate.
  regards
  Arvind
  Arvind

  Hi,
  In 2008 you can use the below GPO.
  User Configuration \ Administrative Templates \ System \ Removable Storage Access \ All Removable Storage classes: Deny all access.
  Force a Restart to Ensure Removable Storage Access Policy is Enforced
  http://technet.microsoft.com/en-us/library/cc771896(v=WS.10).aspx
  Deny All Access to Removable Devices or Media
  http://technet.microsoft.com/en-us/library/cc772540(v=WS.10).aspx
  For "legacy" clients:
  http://support.microsoft.com/kb/555324
  Regards,
  Rafic
  If you found this post helpful, please give it a "Helpful" vote.
  If it answered your question, remember to mark it as an "Answer".
  This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!