Group Policy for Windows Ten

Similar Messages

• Configuring group policy for user profiles in Windows Server 2012 R2 Domain

  Requesting some experts advise on configuring group policy for user profiles.
  We will be building new Windows Server 2012 R2 Domain Controllers (Domain of 400 users).
  The settings which I am concerned:
  1. Folder Redirection: Desktop, Documents, Favorites.
  2. Quota for Folder Redirection - 1 GB per user.
  3. Map a networked drive - 1 GB per user.
  4. Roaming profile - (Will ignore if it does not suit our requirement). 
  The question is how outlook profile will be retained / automatically moved if the users move from once computer to other?
  FYI, E-mails hosted on MS Office365 and OST file size of few users more than 25GB. So, in case the user moves from one computer to other, the entire mailbox will be downloaded via internet. This consumes high bandwidth if more than 3-4 users shift per day.
  Thanks a lot for your valuable time and efforts.

  Hi,
  >>The question is how outlook profile will be retained / automatically moved if the users move from once computer to other?
  This depends on where our outlook data files are stored. If these data files are stored under
  drive:\Users\<username>\AppData\Local, then these files can’t be redirected, for folder redirection can’t redirect appdata local or locallow.
  However, regarding your question, we can refer to the following thread to find the solution.
  Roam outlook profiles without roaming profiles
  http://social.technet.microsoft.com/Forums/office/en-US/3908b8e0-8f44-4a34-8eb5-5a024df3463e/roam-outlook-profiles-without-roaming-profiles
  In addition, regarding how to configure folder redirection, the following article can be referred to for more information.
  Configuring Folder Redirection
  http://technet.microsoft.com/library/cc786749.aspx
  Hope it helps.
  Best regards,
  Frank Shen

• Import Windows XP Group Policy into Windows 7?

  Is it possible to import a Windows XP Group Policy into Windows 7? It seems ZCM will not let you edit the XP policy from Windows 7 even though you can apply the policy to a Windows 7 Workstation and have the policy applied without issue. I'm still researching it, but the search terms return many Active Directory results.
  ZCM 10.3.3 on Linux. and eDirectory only.

  jcsmith1,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://support.novell.com and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://forums.novell.com/faq.php
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://forums.novell.com/

• Windows Server 2008 - Group policy for domain client to start/stop services installed on it

  Hello Experts
  I am a newbie to windows server administration , though did a Google  , but ended up with these question with my requirements
  I have created a new domain and 2 client/computer (A & B namely) to domain . Now A & B has tomcat server running with port 8080 , 9090 which i have installed
  domain ADMIN account .
  && now i am want to start/stop/restart services enabled for domain users  !! How do i achieve this !!
  basic question : How can i access A & B tomcat services on DOMAIN CONTROLLER server to create a GPO and that are on (A & B)
  what is the easiest way to achieve the same , (if not using GPO)???
  similarly I am looking for many features : where I want to control the permission to user on (A & B ) like : If the binaries of tomcat is available on machine say : A , if the user can install (now
  it ask for ADMIN credentials) 
  Thanks
  Mike~Ed

  Controlling services with Group Policy is done under Computer Configuration\Policies\Windows Settings\Security Settings\System Services.
  The limitation is that system services can only see the services the computer running the Group Policy management console. To access other services, you will either need to create the services on your computer (install the software the adds the service)
  or install the remote server administration toolkit (RSAT) on the computer with the service already on it.
  If my answer helped you, check out my blog:
  Deploy Happiness

• Windows Server 2012 Essentials - Implement Group Policy for the 1st time

  This is my first server. We have 15 users and 20 devices, all clients are running Win7 Pro.
  On the Dashboard, Devices tab, when I click on each device there is an option to implement Group Policy in the right-hand task pane. Does this mean I can implement it for one device at a time? Or will it happen for everyone in the domain?
  I'm hesitant to start. Is this something where I should wait for the weekend, so I can restore from a backup if need be?
  Thanks for your help
  Alan

  Time to get a basic Windows networking reference book and read up on group policy. Policies are applied by the system on a predicable refresh rate, which if memory servers is 15 minutes. This can be forced from the stations with the cli command "gpupdate
  /force" but in most cases there is little need to do so.
  Some, like folder redirection, only impact the stations on reboot/sign on
  Larry Struckmeyer[MVP] If your question is answered please mark the response as the answer so that others can benefit.

• How do I setup Active Directory and Group Policy on Windows Server 2012?

  I work for a school district that uses a Windows 2012 server with about 400 Windows 7 PCs and 150 Mac PCs. We are set up with Roaming Profiles on the PCs and would like to be able to setup Active Directory, Group Policy, and Roaming Profiles on our macs. (We also have a mac server that they are using as a file server only) As we are a school, our funds are very low. Now for the questions...
  Is there a software that allow us to accomplish this?
  Is there a free solution or a very reduced price option to do this?
  I heard that http://www.centrify.com/products/mac-edition.asp may accomplish this and I read something about it on here but didn't know if this is what I was really trying to do becuase it was marked as "The Golden Triangle" and did not mention Raoming Profiles. This is the link though: https://discussions.apple.com/message/17200059#17200059
  Any help would be greatly appreciated.

  The above reply does not take into account that I am trying to use GROUP POLICY EDITOR to make it the default browser.

• Group Policy Guru? Group Policy and Windows 7 erratic and inconsistant.

  (*If you don't feel like reading everything, skip to the bottom two paragraphs for my questions)
  I've had a premier call open with MS since August. This week I had a Microsoft Technician in-house.  Though we eliminated some possibilities, we're not really closer to a cause or solution.
  Every time we work with an expert, I get a different explanation to describe the situation we are viewing.
  Quick summery of the issue:  We've been using Group Policy to manage most Windows XP and 7 settings for years, but starting the middle of last year, we began having clients with machines where some or all group policies would fail to apply. 
  These could be long assigned policies, new polices, or changes to policies.  It would never affect everyone or even a majority at once, and the resolution is never the same.  Sometimes a GPUDPATE /FORCE sometimes fixed automajically the next day,
  sometimes (but very rarely) longer.
  Troubleshooting History:
  What we found in early troubleshooting, that these machines, had errors in Event Viewer for Netlogon, Time-Sync, and Group Policy.  The other issue we noticed, was that our GPRESULT /H reports were missing security groups and the denied section was
  nothing but SSID's.  The first issue pointed me to:
  Event ID 5719 and event ID 1129 may be logged when a non-Microsoft DHCP Relay Agent is used
  I installed these Hot Fixes.  No change to any of the errors in event viewer, or to our Group Policy problems.
  Initial work with Premier Support found that Netlogon, Time-Sync, and Group Policy, were failing before loading of the network stack.  The suggestion was to apply the group policy setting "Always wait for the network at computer startup and
  logon".  At the time, this seemed not to work.  The policy was set on a test bed of laptops and desktops, and no changes in behavior were seen after 3 days.
  Windows 7 Clients intermittently fail to apply group policy at startup
  For some time after this, we were collecting GPSVC and NetTrace logs for Premeir Support, trying to document and troubleshoot the problem.  Eventually we got fed up and asked our TAM to call in a pro to get this resolved.  We were sent an engineer
  for 3 days.  For three days we banged away on this issue.  We verified AD and replication health, we tried numerous fixes and workarounds.  I learned 3 different desriptions of how Group Policy works, and in the end we thought we had a workaround
  using the "Always wait for the network at computer startup and logon" because of a single success late in the day.  On day 3 we tried replicating this fix, and quickly realized that the same issue we were having preventing other GPOs to apply,
  were also preventing our "fix" GPO from applying.  So we went the route of using a registry entry.  I also had a problem that even though it was making the process more consistant, it was still taking 3 reboots for a Computer Policy, assigned
  to a computer object via Security Group, to fully take affect on a computer.
  I used the registry methods in the above article.  It didn't work, no sign it was having the same affect the GPO had had.
  Our support engineer claimed this was the proper method, but that path wasn't even close in a Windows 7 SP1 registry, and after creating all the keys that were not present, it still didn't work.
  Always wait for the network at computer startup and logon - AzureWeb
  We ran out of time, our engineer returned home.
  I can understand how these errors indicate a problem applying Group Policy at boot.  But to me it doesn't explain why it doesn't correct post boot, and after a GPUDPATE /FORCE and a reboot.
  It also doesn't explain why we were working fine for years, then all of a sudden DHCP is being outrun by background services.  (By the way logging showed DHCP wasn't significantly delayed, out boot process was actually excellent, health wise.) 
  Why all of a sudden is this not behaving optimly?  No changes to network design or function.  No changes to the domain since 2008 R2 was installed in 2011.
  Today I'm reading through all these KB's and articles again, and took some time to read:
  [Forum FAQ] Common steps to start troubleshooting Group Policy
  application and it's links below.
  We ran though all of that before and during the 3-day onsite.  It's not getting us any closer to the cause or a solution.
  I found and begin some deep reading in this link today.  It has some additional information I will try to use next week:
  Group Policy Basics - Part 3: How Clients Process GPOs
  The one unanswered question I have is this.  How is group policy supposed to apply to a computer, when that policy is applied to a AD Security Group, in which the computer object is a member?
  Before we began having this problem, we would assign a computer GPO, then ask the user to reboot.  If it were a user GPO, we'd ask the user to log off, or reboot.  Either way, if we allowed a few minutes for AD and FRS replication, the user would
  log back in with that new policy in affect.  A new imaged machine would boot with all the GPO's linked to that domain and assigned to "Authenticated Users", already in affect.  Admin groups would be present in administrators, proxy settings
  would be set in Internet Explorer, etc.
  Now I'm aked to beleive this was never the case from Premeier Support and Microsoft Engineers.  That those policies require the equilent of a "GPUPDATE /FORCE" that was executed by the Local_System account.  That 3 reboots may
  be nessessary for a group policy to be applied.  One for the AD Security Group to be applied.  One for the Computer Policy to be applied.  And a final one for the policy in the GPO to be applied to Windows.
  Can someone confirm or correct this information please?  It's imperitive to my troubleshootng.
  There's no place like 127.0.0.1

  That key is empty on all of my machines I have checked today.  Working and problematic alike.
  GPRESULT logs, when ran as me, historically would show the group polices applied, denied, and the AD group membership all by name.  About 6 months ago I noticed this changed.
  Now they show the applied GPO's by name, a few of the denied GPO's by name, most by SID, and only 2 to 3 AD groups, though PowerShell shows all the AD groups assigned.  This happens after several AD security and distribution groups are added to the
  machine (Radia software distribution uses Dist groups to assign software).
  A check showed no groups with long legacy Kerberos keys.
  When we make a change to AD Security Group membership, to assign or deny a Group Policy, is usually when we encounter this problem.  It will usually fix itself in 24 hours of the machine being left up and running.  But no amount of GPUPDATE /FORCE
  and rebooting will cause the changes to take affect.
  During this time, the Group Policies will show assigned to the computer in the GPRESULT log.
  Yesterday I began looking into Spanning Tree configuration on our network being a possible cause for the boot up issues.  I'm waiting on responses from our Network group to confirm our configuration.
  There's no place like 127.0.0.1

• Group Policy and Windows 8.1 questions

  I have a few group policy questions. Thanks in advance for taking a look.
  I’ve downloaded the Win 8.1/Server 2012 ADMX files. They look to  be the same file names as the Win 7 ADMX files. Can I copy them into the  PolicyDefinitions folder and still be able create GPOs for either win 7 or Win  8?
  If we use a windows 8.1 client with the GPO mmc to create the GPOs (instead of putting the ADMX files on the servers), will the GPO built from the win 8.1 client apply correctly even though its coming down from a DC that doesn’t have those ADMX files?
  Does it make a difference if the win 8.1 client we use to create/edit the GPOs is x64 or x86?
  We recently needed to add in an admx file for Lync 2013. I put the lync.admx file in the PolicyDefinitions folder on one DC. If we build the GPO from that server, when it replicates out to all the other DCs, does it matter that they don’t have that particular
  ADMX file for lync?
  How do we organize and structure our ADMX files wherever they end up so that we know which sets are for which operating system? Should we be thinking about deleting the Win 7 ADMX files when the point comes in the future that we are using only Windows 8
  and Windows 9?
  We are at AD functional level 2003. Do we need to go up in level for any of this to work?

  >  1. I’ve downloaded the Win 8.1/Server 2012 ADMX files. They look to  be
  >     the same file names as the Win 7 ADMX files. Can I copy them into
  >     the  PolicyDefinitions folder and still be able create GPOs for
  >     either win 7 or Win  8?
  Yes. Simply overwrite and you'll be fine.
  >  2. If we use a windows 8.1 client with the GPO mmc to create the GPOs
  >     (instead of putting the ADMX files on the servers), will the GPO
  >     built from the win 8.1 client apply correctly even though its coming
  >     down from a DC that doesn’t have those ADMX files?
  Yes. GPO processing doesn't need ADMX, only GPO editing needs them.
  >  3. Does it make a difference if the win 8.1 client we use to
  >     create/edit the GPOs is x64 or x86?
  No.
  >  4. We recently needed to add in an admx file for Lync 2013. I put the
  >     lync.admx file in the PolicyDefinitions folder on one DC. If we
  >     build the GPO from that server, when it replicates out to all the
  >     other DCs, does it matter that they don’t have that particular ADMX
  >     file for lync?
  If you have a central store for your ADMX, it will automatically
  replicate through all DCs. If not, "2." applies anyway.
  >  5. How do we organize and structure our ADMX files wherever they end up
  >     so that we know which sets are for which operating system? Should we
  >     be thinking about deleting the Win 7 ADMX files when the point comes
  >     in the future that we are using only Windows 8 and Windows 9?
  If you use a central store, update it as required. If not, do nothing
  and use a client with the OS version you want to target.
  >  6. We are at AD functional level 2003. Do we need to go up in level for
  >     any of this to work?
  AD level doesn't matter in any aspect. Schema version matters (Bitlocker
  and Wireless, eg...), but you can update the Schema easily to 2012 and
  have your DCs still run Server 2003.
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Need help in setting up Group Policy for same user in local system and Terminal server

  Hi All,
  Currently our remote users are using our network using VPN client over internet.
  They are generally at their home computer and doing VPN as they have to work only in one RDP server for application.
  We actually have a OU created for these RDP users and assign then some strict policy like they can not use any other .exe,they can not user any explorer ,they can not even use windows explorer when they are on RDP they just use one exe of their application.
  Now what my management want is they want their home computers in Domain and want them to login via their same credentials they are using for RDP but they don't want them to restrict in their home computers with any strict policy.
  Now my confusion is how can I configure different policies for same users or same OU.
  Can any one guide me please...

  you can achieve this fairly easily with group policy.
  create an OU and put your remote desktop servers in that OU.
  configure both user and computer policies in a group policy and link it to that ou.
  you need to enable loopback mode - you may want it in merge or replace depending on your other policies you have. Probably replace though I would guess. this is set in the computer configuration > admin templates > system / group policy section.
  now remove the policy you have currently setup for your users on the users OU containing the rdp users. If you want you can move these users back to your main users OU.
  when your users login to the RDP server the settings in the user section of the GPO linked to the RDP Servers OU will apply.
  when the user logs in to their own computer the policies from the user OU and computer OU will apply - but not the more restrictive RDP OU.
  hope that makes sense.
  Regards,
  Denis Cooper
  MCITP EA - MCT
  Help keep the forums tidy, if this has helped please mark it as an answer
  My Blog
  LinkedIn:

• Group Messaging for Windows 8 Phones

  Can anyone tell me if Verizon is going to send an upadate for group messaging with the new Windows phones?  I have asked Verizon and they can't tell me anything about this and I spoke with At&t and all their's have the option to turn off and on the MMS. 

  I have added the Windows 8.1 / Server 2012 R2 Group Policy definitions to my GP store already. I'd really like to add this one for the Taskbar. I'll have to look for a registry hack in the meantime.
  Orange County District Attorney

• Windows 8 and IE10 and 11 not accepting Proxy Settings via Group Policy from windows server 2003

  Hi
  We are still running Windows Server 2003 with a Win7 and Win8 desktop environment. I can control Win7 IE9 settings,
  But Win8 systems are running IE10. We have an internal proxy server.
  Is there any way to force the proxy settings to the Win8/IE10 or 11 systems .
  i have tried with The IE 10 .adm template and applied gpo,but does not have any proxy settings for ie10 and no changes were applies
  please can anyone help me regarding this
  i want to apply GPO from windows server 2003  to windows 8 ie10/11
  Thanks
  KNC

  Hi,   
  I agree with Zanderol24, we can install RSAT on a windows8 client, and then we can use Group Policy Management to manage group policy from the client.
  For more information about RSAT, we can refer to the following link:
  Remote Server Administration Tools (RSAT) for Windows Client and Windows Server (dsforum2wiki)
  http://social.technet.microsoft.com/wiki/contents/articles/2202.remote-server-administration-tools-rsat-for-windows-client-and-windows-server-dsforum2wiki.aspx
  For more detailed information about how to use GPP to configure the proxy setting for ie10 and ie11, we can refer to the following link:
  How to configure Group Policy Preference settings for Internet Explorer 11 in Windows 8.1 or Windows Server 2012 R2
  http://support.microsoft.com/kb/2898604
  When we use GPPs you need to be aware of the F5-F8 keys:
  Red / Green: GP Preferences doesn’t work even though the policy applied and after gpupdate \force
  http://blogs.technet.com/b/grouppolicy/archive/2008/10/13/red-green-gp-preferences-doesn-t-work-even-though-the-policy-applied-and-after-gpupdate-force.aspx
  Besides, aside from using group policy to manage IE, IEAK can also be used to do this.
  For IEAK, the following article can be referred to for more information.
  Internet Explorer Administration Kit (IEAK) Information and Downloads
  http://technet.microsoft.com/en-in/ie/bb219517.aspx
  Best Regards,
  Erin

• Automatic Windows Update via Group Policy in Windows 8

  Hi,
  I have created a new GPO to place some settings on the Automatic Update to all my client pcs. The settings applied as the image i uploaded below. The problem is that this GPO were successfully applied to all my Windows 7 machine but not Windows 8.1 machines.
  Is there anything that i missed or i should know about Windows 8.1 automatic update configuration via Group Policy?. I've tried to google but cant find any guidance that relates. I'm not using WSUS. Appreciates any advise. Thanks.
  Cheers, Sparcx [MCTS,MCITP-EA]

  Hi Leon, yes i have read the blog that you gave, It says that Windows 8 requires a KB update to roll the changes that will solve this issue. However its also said that the update is included in Windows 8.1 and there's no need to update to solve the Automatic
  Update behaviour via Group Policy as mentioned. Also tried to apply the KB update suggested, but failed. It is not for Windows 8.1 platform. Is there any other suggestion? I kinda stuck here..
  Cheers, Sparcx [MCTS,MCITP-EA]

• Group Policy for IE security option

  Hello
  I have a problem with group policy.
  I wanted to add intranet site to IE properties in security tab and I did research and found one link which saying
  go to group policy management -> user configuration -> windows settings -> internet explorer maintenance ->
  security -> right click on security zones and and click on properties and make changes. 
  (I was able to find this option running GPMC in DC. If I add GPMC in MMC in my computer, i was not able to see this option)
  so I clicked on"import the current security zones and privacy settings in security zones and privacy and added the site.
  on my PC, I did gpupdate /force and it seemed working since the site was added and in my computer IE settings, it said "some settings are managed by your system administrator" and I updated the GP on other PC which did not work and
  I realized that the link was for windows 2003 server and I have windows 2008. so I reverted what I did and on my PC, I updated the GP but the settings in IE was not changed back to what it was.
  my questions are
  - how to change the settings on my computer?
  - why the GP was working on my computer but now the other computers?
  - how to add intranet site thru GP for all the users?
  Thanks

  Hi,   
  I agree with Zanderol24, which IE version is installed on the other PCs? The settings of Internet explorer maintenance can’t apply to IE 10 and later version.
  Besides, on the troubled clients, we could use the
  gpresult /h GPReport.html command to generate a Resultant Set of Policy (RSoP) report. We could check if the policy applied from the report.
  Moreover, aside from using IEM to add the sites, we can also use policy setting
  Site to Zone Assignment List or GPP Registry extension to do this.
  For more information, we could refer to the following articles.
  How to configure Internet Explorer security zone sites using group polices
  http://blogs.msdn.com/b/askie/archive/2012/06/05/how-to-configure-internet-explorer-security-zone-sites-using-group-polices.aspx
  How to Add Trust Sites into IE before IE10 through Group Policy
  http://blogs.msdn.com/b/asiatech/archive/2013/01/04/how-to-add-trust-sites-into-ie-before-ie10-through-group-policy.aspx
  Best Regards,
  Erin

• Group Policy For 2008 Terminal Server Users Default Open With Not Working

  I'm trying to change the default open with behavior for jpg files on my terminal server. I created a Group Policy that changed it to MS Paint to Office 2010 Picture Manager. The policy appears to apply correctly but jpg files still open in
  Paint. When a user is logged on, if they look at the properties of a jpg, it shows Photo Gallery as the program to open it but when opened, it opens in Paint.
  Has anyone seen this behavior before?
  Orange County District Attorney

  > did. It would be helpful to know where the changes actually go in the
  > registry to see if they did or now.
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Group Policy for Lockscreen

  Hi All,
  My conundrum is as such:
  We have set-up a Group Policy on the server for a default Lockscreen (Company Image) to be sent to all users on the network on their PC's. It's a new server running 2012 R2. It's fully up to date.
  However the default lock screen is now causing everyone's Lockscreen screen to show a blank blue page. The image is located on a shared drive all PC's have access to. We have tried numerous solutions online but none seem to have worked.
  Any help on this matter would be much appreciated so we can put this niggle to bed!
  Thanks in advance.

  Hi,
  Before going further, what are the operating systems of our clients? The group policy setting
  Force a specific default lock screen image should be supported on Windows 8 or above. Besides, for Windows 8, to apply this policy setting, please make sure that the following update has been installed.
  Windows 8 and Windows Server 2012 update rollup: November 2012
  http://support.microsoft.com/kb/2770917/EN-US
  Regarding managing the lock screen image on Windows 8, the following article can be referred to for more information.
  Win8: How to Manage the Lock Screen Image on Windows 8 and Windows Server 2012
  http://support.microsoft.com/kb/2787100/en-us
  Best regards,
  Frank Shen