Group Policy isn't entirely applied to desktop

Similar Messages

• The user '*' preference item in the 'User - 6th Form Students Policy {E03166E7-A848-48B5-AA93-97B848AA9C13}' Group Policy object did not apply because it failed with error code '0x80070003 The system cannot find the path specified.' This error was suppres

  I am looking at an issue with users not getting specific group policies. 
  After searching a number of client computers I found that the following error
  The user '*' preference item in the 'User - 6th Form Students Policy {E03166E7-A848-48B5-AA93-97B848AA9C13}' Group Policy object did not apply because it failed with error code '0x80070003 The system cannot find the path specified.' This error was suppressed.
  I can find the folder in the Sysvol folder on all of the domain controllers. 
  The issue with end users seems to be that the proxy settings for internet explorer is not being applied. 
  Potential problems?
  one folder in sysvol entry is empty 
  \\<server>\SYSVOL\<domain.name>\Policies\{E03166E7-A848-48B5-AA93-97B848AA9C13}\User\microsoft\IEAK\LOCK
  or is this our issue
  The old method of configuring proxy settings  to Internet Explorer 9 has changed?
  https://support2.microsoft.com/kb/2530309?wa=wsignin1.0 
  http://thommck.wordpress.com/2013/11/08/the-new-way-to-configure-internet-explorer-proxy-settings-with-group-policy/

  Hi all 
  In administering this policy I am a little confused. 
  We have a policy that distributes proxy settings in the internet explorer maintenance settings section - however when opening this policy up in GPO editor the internet explorer maintenance section is not present.
  I plan to apply the settings via User/preferences/control panel settings/ internet settings (or registry settings from article) however I am unable to edit the settings for internet explorer maintenance and these will persist. Ideas????

• Adobe Reader & Acrobat 6~9 Group Policy ADM file (only applied once?)

  Hi folks. I created the below ADM template last month based on some of the ones I have seen elsewhere. I import the ADM file to use with Group Policy and make the necessary settings (need to uncheck "Only show policy settings that can be fully managed" to see it in GPO Editor).
  Anyway, when the user logs on it stamps them with the desired registry setting (bEnableJS value 0). Yay! But I notice that if a user re-enables JavaScript in Adobe Reader/Acrobat and then logs off and back on again (reboot or logoff/on) the registry setting does not get re-applied. All other pre-existing Group Policies get applied and doing a gpresult or rsop.msc has everything looking as though it did get applied.
  I notice that if I manually do a "gpupdate /force" to a logged on system the setting appears to be reapplied (need to reconfirm this though). Has anyone expierienced similar with their ADM templates for this? Perhaps I am missing something? Appreciate any help/advice.
  ; Administrative Template to enable/disable Javascript of Adobe Acrobat/Reader 6.x~9.x
  ; Version 1.0
  ; 2010/1/22
  CLASS USER
  CATEGORY !!Adobe_Acrobat_Reader_6-9
      POLICY !!JavaScript_Reader_9.x
      EXPLAIN !!JavaScript_Reader_9.x_help   
          KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs"
          PART "Enable/Disable JavaScript:" DROPDOWNLIST
              VALUENAME "bEnableJS"
          ITEMLIST
              NAME !!JavaScript_Enabled VALUE NUMERIC 1
              NAME !!JavaScript_Disabled VALUE NUMERIC 0 DEFAULT
          END ITEMLIST
          REQUIRED
          END PART
      END POLICY
      POLICY !!JavaScript_Acrobat_9.x
      EXPLAIN !!JavaScript_Acrobat_9.x_help
          KEYNAME "Software\Adobe\Adobe Acrobat\9.0\JSPrefs"
          PART "Enable/Disable JavaScript:" DROPDOWNLIST
              VALUENAME "bEnableJS"
          ITEMLIST
              NAME !!JavaScript_Enabled VALUE NUMERIC 1
              NAME !!JavaScript_Disabled VALUE NUMERIC 0 DEFAULT
          END ITEMLIST
          REQUIRED
          END PART
      END POLICY
      POLICY !!JavaScript_Reader_8.x
      EXPLAIN !!JavaScript_Reader_8.x_help
          KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs"
          PART "Enable/Disable JavaScript:" DROPDOWNLIST
              VALUENAME "bEnableJS"
          ITEMLIST
              NAME !!JavaScript_Enabled VALUE NUMERIC 1
              NAME !!JavaScript_Disabled VALUE NUMERIC 0 DEFAULT
          END ITEMLIST
          REQUIRED
          END PART
      END POLICY
      POLICY !!JavaScript_Acrobat_8.x
      EXPLAIN !!JavaScript_Acrobat_8.x_help
          KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs"
          PART "Enable/Disable JavaScript:" DROPDOWNLIST
              VALUENAME "bEnableJS"
          ITEMLIST
              NAME !!JavaScript_Enabled VALUE NUMERIC 1
              NAME !!JavaScript_Disabled VALUE NUMERIC 0 DEFAULT
          END ITEMLIST
          REQUIRED
          END PART
      END POLICY
      POLICY !!JavaScript_Reader_7.x
      EXPLAIN !!JavaScript_Reader_7.x_help
          KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs"
          PART "Enable/Disable JavaScript:" DROPDOWNLIST
              VALUENAME "bEnableJS"
          ITEMLIST
              NAME !!JavaScript_Enabled VALUE NUMERIC 1
              NAME !!JavaScript_Disabled VALUE NUMERIC 0 DEFAULT
          END ITEMLIST
          REQUIRED
          END PART
      END POLICY
      POLICY !!JavaScript_Acrobat_7.x
      EXPLAIN !!JavaScript_Acrobat_7.x_help
          KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs"
          PART "Enable/Disable JavaScript:" DROPDOWNLIST
              VALUENAME "bEnableJS"
          ITEMLIST
              NAME !!JavaScript_Enabled VALUE NUMERIC 1
              NAME !!JavaScript_Disabled VALUE NUMERIC 0 DEFAULT
          END ITEMLIST
          REQUIRED
          END PART
      END POLICY
      POLICY !!JavaScript_Reader_6.x
      EXPLAIN !!JavaScript_Reader_6.x_help
          KEYNAME "Software\Adobe\Acrobat Reader\6.0\JSPrefs"
          PART "Enable/Disable JavaScript:" DROPDOWNLIST
              VALUENAME "bEnableJS"
          ITEMLIST
              NAME !!JavaScript_Enabled VALUE NUMERIC 1
              NAME !!JavaScript_Disabled VALUE NUMERIC 0 DEFAULT
          END ITEMLIST
          REQUIRED
          END PART
      END POLICY
      POLICY !!JavaScript_Acrobat_6.x
      EXPLAIN !!JavaScript_Acrobat_6.x_help
          KEYNAME "Software\Adobe\Adobe Acrobat\6.0\JSPrefs"
          PART "Enable/Disable JavaScript:" DROPDOWNLIST
              VALUENAME "bEnableJS"
          ITEMLIST
              NAME !!JavaScript_Enabled VALUE NUMERIC 1
              NAME !!JavaScript_Disabled VALUE NUMERIC 0 DEFAULT
          END ITEMLIST
          REQUIRED
          END PART
      END POLICY
  END CATEGORY
  [strings]
  Adobe_Acrobat_Reader_6-9="Adobe Acrobat and Reader 6 to 9"
  JavaScript_Reader_9.x="JavaScript Adobe Reader 9.x"
  JavaScript_Reader_9.x_help="Enable/Disable JavaScript in Adobe Reader 9.x"
  JavaScript_Acrobat_9.x="JavaScript Adobe Acrobat 9.x"
  JavaScript_Acrobat_9.x_help="Enable/Disable JavaScript in Acrobat Acrobat 9.x"
  JavaScript_Reader_8.x="JavaScript Adobe Reader 8.x"
  JavaScript_Reader_8.x_help="Enable/Disable JavaScript in Adobe Reader 8.x"
  JavaScript_Acrobat_8.x="JavaScript Adobe Acrobat 8.x"
  JavaScript_Acrobat_8.x_help="Enable/Disable JavaScript in Acrobat Acrobat 8.x"
  JavaScript_Reader_7.x="JavaScript Adobe Reader 7.x"
  JavaScript_Reader_7.x_help="Enable/Disable JavaScript in Adobe Reader 7.x"
  JavaScript_Acrobat_7.x="JavaScript Adobe Acrobat 7.x"
  JavaScript_Acrobat_7.x_help="Enable/Disable JavaScript in Acrobat Acrobat 7.x"
  JavaScript_Reader_6.x="JavaScript Adobe Reader 6.x"
  JavaScript_Reader_6.x_help="Enable/Disable JavaScript in Adobe Reader 6.x"
  JavaScript_Acrobat_6.x="JavaScript Adobe Acrobat 6.x"
  JavaScript_Acrobat_6.x_help="Enable/Disable JavaScript in Acrobat Acrobat 6.x"
  JavaScript_Enabled="JavaScript Enabled"
  JavaScript_Disabled="JavaScript Disabled"

  Hey, what you have described is normal behaviour for the way you have written your Custom ADM file.
  Because you are not using Proper Windows Policies, i.e. Setting them in the policy location in the registry, then once you apply a setting, it will not get over written again ever unless you made a group policy change or do a gpupdate.
  Normal group policies will get re-applied depending on the time frame set in the policy its self.

• Group Policy Administrative Templates not applying on Windows XP SP3 - Windows Server 2008 R2

  I have a Windows 2008 R2 domain with windows 7, and Windows XP SP3 client workstations.
  I have a group policy to deny all access to removable storage in policies/administrative templates/system in user configuration (actually its in the computer configuration as well)
  The problem is the policy is having no effect on the Windows XP machines. It works perfectly on Windows 7 machines.
  Group policy in general is working on the Windows XP machines, as I can successfully map drives, push out scheduled tasks, and push out printers. (All preferences I know and I have GP Preferences client side extensions installed).
  Its almost like the windows XP machines can't "understand" the admin templates from Windows Server 2008 R2.
  Do I need to install something on the windows XP machines? What could be the problem?

  > Its almost like the windows XP machines can't "understand" the admin
  > templates from Windows Server 2008 R2.
  Simply read the "supported on" of these settings... Vista and above
  required.
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Group Policy for Desktop background applied but showing black desktop in the client end

   Trying to set wallpaper in group policy but it's coming up blank.We have windows 2008 and 2012 server.most of the computer is windows 7.

  Hi,
  Does this issue occur to all computers?
   Besides, can the users access the wallpaper?
  If this issue just happens to Windows 7, we can try applying the hotfix in the following article.
  The "Desktop Wallpaper" Group Policy setting is not applied in Windows 7 or in Windows Server 2008 R2
  http://support.microsoft.com/kb/977944/en-us
  If the issue persists, we can refer to the following thread to troubleshoot the problem.
  Black Desktop wall paper after implementing group policy
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/0c36d7bf-4694-46e1-b408-d644111c0264/black-desktop-wall-paper-after-implementing-group-policy?forum=winserverGP
  Best regards,
  Frank Shen

• Wallpaper fixed for the entire domain with group policy but some systems are getting the updated wallpaper

  Hi , 
  I fixed the wallpaper for the entire domain and It was applied to entire domain. 
  After some day, I have changed the domain wallpaper. Then some systems are showing New wallpaper and some systems are showing old wallpaper.
  I have applied the gpudate /force command for those system who didn't get wallpaper. 
  Could you please suggest. 

  Hi Srikanth,
  First, please make sure that the GPO is applied to client properly.
  To check that, please follow the steps below:
  gpupdate /force
  gpresult /h C:\report.html
  Note: This procedure needs the privilege of the Administrator.
  If the GPO is applied properly, please try to reboot the client.
  If issue persists after reboot, please check if the following link is helpful:
  The "Desktop Wallpaper" Group Policy setting is not applied in Windows 7 or in Windows Server 2008 R2
  https://support.microsoft.com/en-us/kb/977944
  Best Regards.
  Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Group Policy won't apply, No mapping between account names and security IDs was done.

  I am using Group Policy Preferences to remove users from the local admin group and add a local admin account.  This GPO is working on 90% of the Win7 machines on the network, but three laptops are not accepting the GPO.  I get the following error:
  Log Name:      Application
  Source:        Group Policy Local Users and Groups
  Date:          6/24/2014 8:49:28 AM
  Event ID:      4098
  Task Category: (2)
  Level:         Warning
  Keywords:      Classic
  User:          SYSTEM
  Computer:      laptop1.internal.com
  Description:
  The user 'Administrators' preference item in the 'Local Admin Policy - Remove Permissions {593ACD77-3663-4023-BEB8-938D83F7862E}' Group Policy object did not apply because it failed with error code '0x80070534 No mapping between account names and security
  IDs was done.' This error was suppressed.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Group Policy Local Users and Groups" />
      <EventID Qualifiers="34305">4098</EventID>
      <Level>3</Level>
      <Task>2</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2014-06-24T13:49:28.000000000Z" />
      <EventRecordID>68771</EventRecordID>
      <Channel>Application</Channel>
      <Computer>laptop1.internal.com</Computer>
      <Security UserID="S-1-5-18" />
    </System>
    <EventData>
      <Data>user</Data>
      <Data>Administrators</Data>
      <Data>Local Admin Policy - Remove Permissions {593ACD77-3663-4023-BEB8-938D83F7862E}</Data>
      <Data>0x80070534 No mapping between account names and security IDs was done.</Data>
    </EventData>
  </Event>
  I've searched high and low for an answer and nothing I find on-line seems to apply.  I also notice that the option to 'Run as Administrator' does not work.  If I right-click on cmd.exe and select 'run as administrator', the command box opens but
  I am not prompted for credentials and the command box does not have admin rights.  Not sure if this is related or not.
  Any help on this would be greatly appreciated.
  Thanks,
  Joe

  Hi,
  Delete your  remove action from the GPP and push it again, does this issue still occur?
  If it still exists, let’s collect the GPP log for analysis:
  Group policy Preference debug logging policy settings are located under:
  Computer Configuration\Administrative Templates\System\Group Policy
  Click Logging and tracing, select local users and group preference logging and trace.
  Meanwhile, just a similar issue, but it is worth trying:
  A user is added to the wrong group on a client computer that is running Windows 7 or Windows Server 2008 R2
  http://support.microsoft.com/kb/2280515
  If you have any feedback on our support, please click
  here
  Alex Zhao
  TechNet Community Support

• Group policy Preference - Internet Option setting not applying

  Hi,
  I’m not very sure if any of you have encounter this strange issue when
  configuring GPP -> Internet option setting for window 7 IE9 or IE11.
  The following
  are spec of OS and IE version used in my environment.
  Window Server
  2012 R2 (IE 10)
  Window 7 (IE9
  and IE11)
  Recently I
  have deployed proxy setting via GPP as I do not have IEM under my GPMC console.
  Once the setting is been configured and deployed, I have notice that the GPO do
  not apply after the user login. The following scenarios is what we observed.
  1) User boot up the machine, Login and proxy setting will not applied
  1a) gpupdate /force -> Proxy Settings applied
  1b) setting will be removed after the GPO refreshed
  2) User boot up the machine, Login and proxy setting will not apply
  2a) User logoff and login proxy setting applied.
  2b) Setting will be removed after the GPO refreshed
  Kindy advise
  if there is any solution to ensure that the setting apply whenever the user
  login and stay intact even after the gpo refreshed by itself.

  Hi,
  >>1a) gpupdate /force -> Proxy Settings applied
  >>1b) setting will be removed after the GPO refreshed
  Based on the description, we can run command gpresult/h report.html to collect group policy result reports to compare how the settings are being applied.
  Besides, have we installed the following hotfix on the computers with IE 9? If not, we can try to install the hotfix.
  Internet Explorer Group Policy Preferences do not apply to Internet Explorer 9 in a Windows Server 2008 R2 domain environment
  https://support.microsoft.com/en-us/kb/2530309?wa=wsignin1.0
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• ISE 1.2 & AD & Meraki - Per User Group Policy ?

  I am working on a PoC for a deployment in an MDU. We are using Meraki switches and access points. There are 250 units in the building, each unit will have it's own subnet. The goal is to have the tenant be able to connect to a common building SSID and be placed into their assigned VLAN. There will also be physical ports in each unit that will need to do the same. I am trying to figure out a way to use ISE to authorize on a per user basis and not based on groups of users. On the Meraki system there are group policies that will assign the VLAN for the user as well as any type of layer 7 firewalling and bandwidth control. So there will be 250 group policies, one for each unit. There is a deployment guide that shows how to setup ISE for use with Meraki and it is great but it assumes that there will be large groups like Employees, Contractors, etc.. that will be used. This is where I'm being tripped up, also... this is my first swing at a NAC deployment so I have a lot to learn.
  1.Can I setup each user in Active Directory to have a tag that ISE can then forward on to Meraki for the group policy? Say it's unit 101 and I have a group policy called 101 in Meraki, Meraki documentation says to use the Airespace-ACL-Name attribute in ISE to indicate the group policy to use. This gives me the ability to place a group into that policy but not an individual. Or would this be better done by creating the users in ISE directly? Omit AD entirely?
  2. Each unit will have devices that will need MAB because they are not 802.1x compatible. I need to do the same as above with them. I would create a separate SSID for these devices but then use the MAC address to authenticate them but will need to authorize them to go into a specific group policy.
  I know this isn't a typical ISE application but I think that this will work really well in the end, just need to iron out these details and get a test system functioning. Any help would be greatly appreciated!!!
  Thanks,
  Nathan

  Please find the Meraki_ISE integration doc. in attachment.
  When VLAN tagging is configured per user, multiple users can be associated to the same SSID, but their traffic is tagged with different VLAN IDs. This configuration is achieved by authenticating wireless devices or users against a customer-premise RADIUS server, which can return RADIUS attributes that convey the VLAN ID that should be assigned to a particular user’s traffic.
  In order to perform per-user VLAN tagging, a RADIUS server must be used with one of the following settings:
  MAC-based access control (no encryption)
  WPA2-Enterprise with 802.1x authentication
  A per-user VLAN tag can be applied in 3 different ways:
  The RADIUS server returns a Tunnel-Private-Group-ID attribute in the Access-Accept message, which specifies the VLAN ID that should be applied to the wireless user. This VLAN ID could override whatever may be configured in the MCC (which could be no VLAN tagging, or a per-SSID VLAN tag). To have this VLAN ID take effect, “RADIUS override” must be set to “RADIUS response can override VLAN tag” under the Configure tab on the Access Control page in the “VLAN setup” section.
  The RADIUS server returns a group policy attribute (e.g., Filter-ID) in the Access-Accept message. The group policy attribute specifies a group policy that should be applied to the wireless user, overriding the policy configured on the SSID itself. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.
  On the Client Details page, a client can be manually assigned a group policy. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user. 

• Strange DNS, Group Policy & Active Directory Issues - Can't track down root issue!

  For the last few weeks, we've been getting complaints, from our developers, about not being able to authenticate on various systems.  The issues were hit & miss but still problematic enough to warrant our looking into it.  It seems to be getting
  worse...  I now have new servers that aren't getting group policy updates.  They may get some, like the list of local admins but won't pick up NTFS permissions for folder-access.  Those that pick up the AD group full of local admins have trouble
  authenticating members of the group.  Some were showing event log entries regarding authentication issues due to being unable to contact an AD DC.  We reloaded that DC but many of the issues still persist.  At this point, I'm running
  out of places to look for ideas.  I've spent the last week looking up Event Log IDs and looking though their meanings and possible remedies but, again, the issues persist.  It doesn't seem to matter what the OS is.  We've been seeing
  this on 2008, 2008-R2 & 2012-R2.
  Here are some examples of events I'm seeing.  I can't figure out the root cause(s).
  Log Name: Application
  Source: Group Policy Files
  Date: 2/19/2015 2:35:12 PM
  Event ID: 4098
  Task Category: (2)
  Level: Warning
  Keywords: Classic
  User: SYSTEM
  Computer: H2T8-IOLDP1.HOMENET.local
  Description:
  The computer 'uptime.exe' preference item in the 'APPS (UpTime) {3BF05605-27C0-43AD-AC0F-873B678EB217}' Group Policy Object did not apply because it failed with error code '0x80090006 Invalid Signature.' This error was suppressed.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  <Provider Name="Group Policy Files" />
  <EventID Qualifiers="34305">4098</EventID>
  <Level>3</Level>
  <Task>2</Task>
  <Keywords>0x80000000000000</Keywords>
  <TimeCreated SystemTime="2015-02-19T19:35:12.000000000Z" />
  <EventRecordID>1871</EventRecordID>
  <Channel>Application</Channel>
  <Computer>H2T8-IOLDP1.HOMENET.local</Computer>
  <Security UserID="S-1-5-18" />
  </System>
  <EventData>
  <Data>computer</Data>
  <Data>uptime.exe</Data>
  <Data>APPS (UpTime) {3BF05605-27C0-43AD-AC0F-873B678EB217}</Data>
  <Data>0x80090006 Invalid Signature.</Data>
  </EventData>
  </Event>
  Log Name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
  Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
  Date: 2/19/2015 9:38:13 AM
  Event ID: 20499
  Task Category: None
  Level: Warning
  Keywords:
  User: NETWORK SERVICE
  Computer: H2T8-IOLDP1.HOMENET.local
  Description:
  Remote Desktop Services has taken too long to load the user configuration from server \\h2s3-addc1.HOMENET.local for user RSickler
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{C76BAA63-AE81-421C-B425-340B4B24157F}" />
  <EventID>20499</EventID>
  <Version>0</Version>
  <Level>3</Level>
  <Task>0</Task>
  <Opcode>0</Opcode>
  <Keywords>0x4000000000000000</Keywords>
  <TimeCreated SystemTime="2015-02-19T14:38:13.182363700Z" />
  <EventRecordID>4</EventRecordID>
  <Correlation />
  <Execution ProcessID="1932" ThreadID="2156" />
  <Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin</Channel>
  <Computer>H2T8-IOLDP1.HOMENET.local</Computer>
  <Security UserID="S-1-5-20" />
  </System>
  <UserData>
  <EventXML xmlns="Event_NS">
  <ServerName>\\h2s3-addc1.HOMENET.local</ServerName>
  <UserName>RSickler</UserName>
  </EventXML>
  </UserData>
  </Event>
  Note that these servers are sitting in OUs that are full of other servers that don't have these issues.  These GPOs have been in place for years.  I suspect there's a deeper issue with AD, GP or a combination thereof.  The group policy issues
  seem to only affect freshly loaded servers...

  Hello,
  assure that no firewall is blocking connection for AD required ports as listed in
  https://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
  You have error about not connect setup from AD sites and services with the used subnets in your network and linking them to the correct site, please check this in AD sites and services and also have the DCs placed correct to the site they belong to.
  "During the past 4.20 hours there have been 83 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to
  any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet
  object(s) covering the above IP addresses with mapping to one of the existing sites.  The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially,
  in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'.
  The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize';
  the default is 20000000 bytes.  The current maximum size is 20000000 bytes.  To set a different maximum size, create the above registry value and set the desired maximum size in bytes."
  This error is about a not run adprep /rodcprep:
  Starting test: NCSecDesc
           Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
              Replicating Directory Changes In Filtered Set
           access rights for the naming context:
           DC=ForestDnsZones,DC=HOMENET,DC=local
           Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
              Replicating Directory Changes In Filtered Set
           access rights for the naming context:
  So either run the command on a DC or ignore this error.
  Please provide also the following data as file:
  ipconfig /all >c:\ipconfig.log [all DCs]
  dcdiag /v /c /d /e /s:dcname >c:\dcdiag.log
  repadmin /showrepl dc* /verbose /all /intersite >c:\repl.log  ["dc* is a place holder for the starting name of the DCs if they all begin the same (if more then one DC exists)]
  dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)
  ADREPLSTATUS:
  http://www.microsoft.com/en-us/download/details.aspx?id=30005 can also be exported to file.
  As the output will become large, DON'T post them into the thread, please use Windows Sky Drive(with open access!)
  https://skydrive.live.com and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://blogs.msmvps.com/MWeber
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
  Twitter:  
  Info you requested:
  ipconfig_dcs.txt
  dcdiag.txt
  repl.log
  dnslint.htm
  ADREPLSTATUS: ADReplicationStatus.2015.2.23.9.21.16.csv ADReplicationStatusToolData.zip

• Group Policy Shortcuts

  I am trying to use the Shortcuts extension in the Computer Configurations section to create some links, but any File System Object shortcuts fail with:
  The computer '<Name> preference item in the '<Policy> {GUID}' Group Policy object did not apply because it failed with error code '0x80070002 The system cannot find the file specified.' This error was suppressed.
  For troubleshooting, I tried the following:
  Action: Update
  Name: Explorer
  Type: File System Object
  Location: All Users Desktop
  Target: %SystemRoot%\Explorer.exe
  Args: <Blank>
  Start In: %SystemDrive%
  Shortcut: None
  Run: Normal Window
  Comment: <Blank>
  Icon File: <Blank>
  Icon Index: <Blank>
  None of the "Common" items are configured, so I am not sure what file it is failing to find.  Shortcuts fail to be processed on all Windows Servers 2008 RTM systems that the GPO applies to.

  Hi,
  No, it should not be an expected behavior that system variables are not set by default. I have verified this on cleanly installed Windows Server 2008 computers.
  So, could you let me know the following?
  1.    Is it a cleanly installed Windows Server 2008 system, or a
  2.    Did you check system variables immediately after the installation?
  3.    By the way, the echo command may not be accurate. So, do the shortcut policy settings (with "%WINDOWSDIR% and %SYSTEMDIR%" variables) still work there on your computers?

• Group Policy Preference Power Plan "Blocked By Group Policy"

  I noticed this error in the application event log of a Windows 7 PC:
  Log Name:      Application
  Source:        Group Policy Power Options
  Date:          3/21/2013 3:19:42 AM
  Event ID:      4098
  Task Category: (2)
  Level:         Warning
  Keywords:      Classic
  User:          SYSTEM
  Computer:      xxx
  Description:
  The computer 'Power Plan (Windows Vista and later)' preference item in the 'Windows 7 Desktop Power Plan {A078F08F-45CC-4209-A264-FE0CB5635A99}' Group Policy object did not apply because it failed with error code '0x800704ec This program is blocked by group
  policy. For more information, contact your system administrator.' This error was suppressed.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Group Policy Power Options" />
      <EventID Qualifiers="34305">4098</EventID>
      <Level>3</Level>
      <Task>2</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2013-03-21T10:19:42.000000000Z" />
      <EventRecordID>7687</EventRecordID>
      <Channel>Application</Channel>
      <Computer>xx</Computer>
      <Security UserID="S-1-5-18" />
    </System>
    <EventData>
      <Data>computer</Data>
      <Data>Power Plan (Windows Vista and later)</Data>
      <Data>Windows 7 Desktop Power Plan {A078F08F-45CC-4209-A264-FE0CB5635A99}</Data>
      <Data>0x800704ec This program is blocked by group policy. For more information, contact your system administrator.</Data>
    </EventData>
  </Event>
  How can I find out exactly why it is not working?  "Blocked by group policy" is not specific enough.

  Hi,
  You can also enable GPP tracing and logging for more information:
  Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure Power Options preference logging and tracing
  http://blogs.technet.com/b/askds/archive/2008/07/18/enabling-group-policy-preferences-debug-logging-using-the-rsat.aspx
  Regards,
  Cicely
  There is no such option "Configure Power Options preference logging and tracing" at Computer
  Configuration\Policies\Administrative Templates\System\Group Policy\.
  It alphabetical order Always use local ADM files ... is followed by Disallow interactive users from generating ...  Not

• Wallpaper Group Policy

  I created a domain in which i added 100 clients computer window 7 installed. I have set corporate
  wallpaper to all of my client computers in the domain via Group Policy. But problem is that this GP is followed by some systems and some are not following. How to resolve this problem?

  Hi Pawan,
  Before going further, as Zanderol24 suggested, we can run command gpresult/h gpreport.html on the troubles machines to check the issue. Besides, we need to make sure that all machine accounts can access the wallpaper. We can also check event logs in Event
  Viewer to see if some related events were logged.
  Moreover, we can check the Symptoms described in the following article, and if they match ours, we can install the available hotfix.
  The "Desktop Wallpaper" Group Policy setting is not applied in Windows 7 or in Windows Server 2008 R2
  http://support2.microsoft.com/kb/977944
  In addition, there are several ways to configure desktop wallpaper, and the following blog can be referred to for more information.
  Using Group Policy to configure Desktop Wallpaper (“Background”)
  http://www.grouppolicy.biz/2011/03/best-practice-using-group-policy-to-configure-desktop-wallpaper-background/
  Best regards,
  Frank Shen

• Deploying Reader through Group Policy

  Hi,
  I have applied for and been granted a deployment license, and am trying to follow the instructions to deploy reader through group policy to computers on my network.
  The document adobe gives you says to put the computer name under security filtering in the OU GP that was created.  I have done this but it's clear the policy isn't getting applied.
  When I run group policy result, it's not even showing so I must have something wrong.  The document that adobe gives has several of the pictures out of place and is covering some text (at least when I display it - and yes I am using most current version of reader).
  Any ideas?
  Thanks,
  Allen

  Unless I'm misunderstanding your last reply, the GPO is working as intended, when you change it back.
  GPO = Applied to one specific OU
  Security Filtering = 1 specific PC
  Active Directory OU for intended GPO contains = 0 computers
  The PC you're applying the security filtering to must exist in the Active Directory OU you created for the GPO.
  E.G. I create a GPO called acc_sw for my Accounting dept called accounting.  3 PCs in accounting are called:
  Ed_PC
  Karen_PC
  Thomas_PC
  In the security filtering for the GPO I created, I have:
  Ed_PC
  Karen_PC
  Thomas_PC
  Now, in Active Directory Users & Computers, in the accounting OU I have 0 computers.
  The end result is no acc_sw being processed for:
  Ed_PC
  Karen_PC
  Thomas_PC
  They must exist in the target OU, or a suboordinate OU of the target OU, for the GPO to work.

• Problem Pushing Printer Preferences through Group Policy

  Most of the time, networked printers that we push through group policy preferences show up just fine on our clients (Windows 7). About 1 in 10 computers fail however, and it's driving me up the wall! The computer that fails is not consistent, meaning I can
  reboot a computer and the printer then shows up correctly. It may not, however, a week later. Fairly random. Looking through the application event log, I uncovered this:
  The user 'myprinter' preference item in the 'mygrouppolicy {7EDE8A14-773C-4E43-93AE-050240E0B204}' Group Policy object did not apply because it failed with error code '0x800706ba The RPC server is unavailable.' This error was suppressed.
  Again, this error does not occur all the time, though if I reboot a large group of computers, it will definitely show up on 1 or 2 of them. At this point, I'm looking for any suggestions for a next step. Thanks!
  -Peter

  Hello Modab,
  If you reboot server the printer is redeployed properly. It is possible that when the printer is deployed the network is still not prepared properly so the RPC error
  is popped up.  Please try the following suggestions:
  1. Disable Fast Logon feature
  Enable the
  [Computer Configuration \ Administrative Templates \ System \ Logon \ Always wait for the network at computer startup and logon]
  group policy.
  Logon Optimization
  http://msdn.microsoft.com/en-us/library/aa374350(VS.85).aspx
  Description of the Windows XP Professional Fast Logon Optimization feature
  http://support.microsoft.com/kb/305293/en-us
  2. Group policy application issue may occur because of Gigabit NIC. Please try the suggestions in the following steps and KB.
  a.      
  To prevent your network adapter from detecting the link state(For Windows Vista/7):
  Run the following commands one by one:
  netsh interface ipv4 set global dhcpmediasense=disabled
  netsh interface ipv6 set global dhcpmediasense=disabled
  For Windows XP, you can see
  http://support.microsoft.com/kb/239924
  b.     
  Contact the vendor of the network card or visit their web site to obtain updated drivers for the Gigabit NIC.
  Examples of NICs known to exhibit this issue:
  - Broadcom Gigabit Adapter
  - Intel Gigabit Ethernet PRO Adapter, Intel Pro/1000
  - Intel 82544EI-based XT Gigabit Adapter (82540EM chipse)
  - Compaq/HP NIC dual interface 10/100/1000 doing teaming (HP NC7170)
  - Dell Inspiron laptops using an on-board Broadcom BCM4401 NIC
  c.      
  A sever may have a Dual Port NIC or multiple NIC's with one port or NIC set to Disabled. The disabled port or NIC should not be at the top of the binding order in the Network
  Advance Properties.
  1.      
  Click Start, point to Settings, and then click "Network and Dial-up Connection".
  2.      
  On the Advanced menu, click "Advanced Settings".
  3.      
  On the "Adapters and Bindings" tab, in the connections list, select the NIC that the clients use to connect to the server and move it to the top of the list.
  d.     
  Turning off STP can cause issues in your network if a loop ever develops. If you are running a Cisco Series switch or any other switch that runs Spanning Tree, it is best to
  leave spanning tree turned on, but enable PORTFAST on all the ports except uplink and fiber trunks.
  326152 Cannot connect to domain controller and cannot apply Group Policy with Gigabit Ethernet devices
  http://support.microsoft.com/default.aspx?scid=kb;EN-US;326152
  3.
   Remove all of 3rd-party software such as firewall software.
  4.  Set a registry value to delay the application of Group Policy.
  http://support.microsoft.com/kb/2421599
        http://support.microsoft.com/kb/840669
  Brent Hu,
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”