Group Policy issues
Hi All,
I am facing plenty of issues with Group Policy. For example, when I run the command "gpresult /v", I can see the same policy applied thrice under applied Group Policy, and that policy is the default domain policy. I am also trying to add one of our intranet sites
in the Internet Group Policy maintenance policy, but it is not reflected for users, even though I forced the policy. Please advise me on this.
I have given the gpresult output FYR. Could someone have a quick look and advise me accordingly?
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 3/6/2014 at 9:20:31 AM
RSOP data for OURDOMAIN\venkat2r on INBRLT141 : Logging Mode
OS Configuration: Member Workstation
OS Version: 6.1.7601
Site Name: N/A
Roaming Profile: N/A
Local Profile: C:\Users\venkat2r
Connected over a slow link?: No
USER SETTINGS
Last time Group Policy was applied: 3/6/2014 at 9:07:33 AM
Group Policy was applied from: INCHDC01.OURDOMAIN.com
Group Policy slow link threshold: 500 kbps
Domain Name: OURDOMAIN
Domain Type: WindowsNT 4
Applied Group Policy Objects
ourdomain_Policy_Customized
Global_Wallpaper
ourdomain_Policy_Customized
ourdomain_Policy_Customized
The following GPOs were not applied because they were filtered out
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
High Mandatory Level
The user has the following security privileges
Resultant Set Of Policies for User
Software Installations
N/A
Logon Scripts
N/A
Logoff Scripts
N/A
Public Key Policies
N/A
Administrative Templates
GPO: Global_Wallpaper
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn
Value: 1, 0, 0, 0
State: Enabled
GPO: ourdomain_Policy_Customized
KeyName: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut
Value: 54, 0, 48, 0, 48, 0, 0, 0
State: Enabled
GPO: Global_Wallpaper
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\System\Wallpaper
Value: 67, 0, 58, 0, 92, 0, 87, 0, 105, 0, 110, 0, 100, 0, 111, 0, 119, 0, 115, 0, 92, 0, 87, 0, 101, 0, 98, 0, 92, 0, 87, 0, 97, 0, 108, 0, 108, 0, 112, 0, 97, 0, 112, 0, 101, 0,
114, 0, 92, 0, 69, 0, 109, 0, 101, 0, 114, 0, 105, 0, 111, 0, 46, 0, 106, 0, 112, 0, 103, 0, 0, 0
State: Enabled
GPO: ourdomain_Policy_Customized
KeyName: Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage
Value: 1, 0, 0, 0
State: Enabled
GPO: ourdomain_Policy_Customized
KeyName: Software\Policies\Microsoft\Internet Explorer\Main\Start Page
Value: 104, 0, 116, 0, 116, 0, 112, 0, 58, 0, 47, 0, 47, 0, 115, 0, 116, 0, 97, 0, 114, 0, 46, 0, 101, 0, 109, 0, 101, 0, 114, 0, 105, 0, 111, 0, 99, 0, 111, 0, 114, 0, 112, 0, 46,
0, 99, 0, 111, 0, 109, 0, 47, 0, 83, 0, 105, 0, 110, 0, 103, 0, 97, 0, 112, 0, 111, 0, 114, 0, 101, 0, 47, 0, 100, 0, 101, 0, 102, 0, 97, 0, 117, 0, 108, 0, 116, 0, 46, 0, 97, 0, 115, 0, 112, 0, 120, 0, 0, 0
State: Enabled
GPO: ourdomain_Policy_Customized
KeyName: Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure
Value: 49, 0, 0, 0
State: Enabled
GPO: Global_Wallpaper
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper
Value: 1, 0, 0, 0
State: Enabled
GPO: Global_Wallpaper
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab
Value: 1, 0, 0, 0
State: Enabled
GPO: Global_Wallpaper
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\System\WallpaperStyle
Value: 52, 0, 0, 0
State: Enabled
Folder Redirection
N/A
Internet Explorer Browser User Interface
GPO: ourdomain_Policy_Customized
Large Animated Bitmap Name: N/A
Large Custom Logo Bitmap Name: N/A
Title BarText: ourdomain
UserAgent Text: N/A
Delete existing toolbar buttons: No
Internet Explorer Connection
HTTP Proxy Server: N/A
Secure Proxy Server: N/A
FTP Proxy Server: N/A
Gopher Proxy Server: N/A
Socks Proxy Server: N/A
Auto Config Enable: No
Enable Proxy: No
Use same Proxy: No
Internet Explorer URLs
GPO: ourdomain_Policy_Customized
Home page URL: http://star.OURDOMAIN.com/Singapore/default.aspx
Search page URL: N/A
Online support page URL: N/A
Internet Explorer Security
Always Viewable Sites: N/A
Password Override Enabled: False
GPO: ourdomain_Policy_Customized
Import the current Content Ratings Settings: No
Import the current Security Zones Settings: Yes
Import current Authenticode Security Information: No
Enable trusted publisher lockdown: No
Internet Explorer Programs
GPO: ourdomain_Policy_Customized
Import the current Program Settings: No
Thanks, Venkatesh. "Hardwork Never Fails"
Hi,
Before going further, I have to admit that I made a mistake and Paul is right.
>>But i am not able to change the security settings in IE like adding sites in Trusted sites its grayed out.
If we don’t want to allow users to change this setting, we can configure this setting via native policy and the following blog can be referred to as reference.
Internet Explorer 10 – Add Sites To The Trusted Sites Zone With Group Policy
http://johnfail.wordpress.com/2013/11/07/internet-explorer-10-add-sites-to-the-trusted-sites-zone-with-group-policy/
If we want to allow users to change this setting, we can configure this setting via GPP Registry.
Regarding this point, the following thread can be referred to for more information.
Add Trusted Sites Via GPO but still allow users to add trusted sites
http://community.spiceworks.com/topic/326140-add-trusted-sites-via-gpo-but-still-allow-users-to-add-trusted-sites
Best regards,
Frank Shen
Similar Messages
-
I have two Domain Controllers: Main (Main DC) and Second DC.
The date of some policies is not out of date....
Please check these files to know the problem.
dcdiag.txt output:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine ASMDC, is a Directory Server.
Home Server = ASMDC
* Connecting to directory service on server ASMDC.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=buc,DC=edu,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=buc,DC=edu,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=BSMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 2 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\ASMDC
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
Determining IP6 connectivity
* Active Directory RPC Services Check
......................... ASMDC passed test Connectivity
Testing server: Default-First-Site-Name\BSMDC
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
Determining IP6 connectivity
* Active Directory RPC Services Check
......................... BSMDC passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\ASMDC
Starting test: Advertising
The DC ASMDC is advertising itself as a DC and having a DS.
The DC ASMDC is advertising as an LDAP server
The DC ASMDC is advertising as having a writeable directory
The DC ASMDC is advertising as a Key Distribution Center
The DC ASMDC is advertising as a time server
The DS ASMDC is advertising as a GC.
......................... ASMDC passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
......................... ASMDC passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
......................... ASMDC passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... ASMDC passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... ASMDC passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
Role Domain Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
Role PDC Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
Role Rid Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
Role Infrastructure Update Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
......................... ASMDC passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC ASMDC on DC ASMDC.
* SPN found :LDAP/ASMDC.buc.edu/buc.edu
* SPN found :LDAP/ASMDC.buc.edu
* SPN found :LDAP/ASMDC
* SPN found :LDAP/ASMDC.buc.edu/BUC
* SPN found :LDAP/5e88f85b-15a6-4ff5-b0fd-6df748df06fd._msdcs.buc.edu
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/5e88f85b-15a6-4ff5-b0fd-6df748df06fd/buc.edu
* SPN found :HOST/ASMDC.buc.edu/buc.edu
* SPN found :HOST/ASMDC.buc.edu
* SPN found :HOST/ASMDC
* SPN found :HOST/ASMDC.buc.edu/BUC
* SPN found :GC/ASMDC.buc.edu/buc.edu
......................... ASMDC passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC ASMDC.
* Security Permissions Check for
DC=ForestDnsZones,DC=buc,DC=edu
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=buc,DC=edu
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=buc,DC=edu
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=buc,DC=edu
(Configuration,Version 3)
* Security Permissions Check for
DC=buc,DC=edu
(Domain,Version 3)
......................... ASMDC passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\ASMDC\netlogon
Verified share \\ASMDC\sysvol
......................... ASMDC passed test NetLogons
Starting test: ObjectsReplicated
ASMDC is in domain DC=buc,DC=edu
Checking for CN=ASMDC,OU=Domain Controllers,DC=buc,DC=edu in domain DC=buc,DC=edu on 2 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu in domain CN=Configuration,DC=buc,DC=edu on 2 servers
Object is up-to-date on all servers.
......................... ASMDC passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=buc,DC=edu
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
DC=DomainDnsZones,DC=buc,DC=edu
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
CN=Schema,CN=Configuration,DC=buc,DC=edu
Latency information for 5 entries in the vector were ignored.
5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
CN=Configuration,DC=buc,DC=edu
Latency information for 5 entries in the vector were ignored.
5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
DC=buc,DC=edu
Latency information for 5 entries in the vector were ignored.
5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
* Replication Site Latency Check
......................... ASMDC passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 8604 to 1073741823
* ASMDC.buc.edu is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 7604 to 8103
* rIDPreviousAllocationPool is 7604 to 8103
* rIDNextRID: 7640
......................... ASMDC passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... ASMDC passed test Services
Starting test: SystemLog
* The System Event log test
An Warning Event occurred. EventID: 0x825A0024
Time Generated: 08/21/2014 00:22:16
Event String:
The time service has not synchronized the system time for 86400 seconds because none of the time service providers provided a usable time stamp. The time service will not update the local system
time until it is able to synchronize with a time source. If the local system is configured to act as a time server for clients, it will stop advertising as a time source to clients. The time service will continue to retry and sync time with its time sources.
Check system event log for other W32time events for more details. Run 'w32tm /resync' to force an instant time synchronization.
An Warning Event occurred. EventID: 0x8000000E
Time Generated: 08/21/2014 00:32:29
Event String:
There were password errors using the Credential Manager. To remedy, launch the Stored User Names and Passwords control panel applet, and reenter the password for the credential BUC.EDU\administrator.
An Error Event occurred. EventID: 0x00000422
Time Generated: 08/21/2014 00:32:29
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\buc.edu\sysvol\buc.edu\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not
successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
......................... ASMDC failed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference)
CN=ASMDC,OU=Domain Controllers,DC=buc,DC=edu and backlink on
CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
are correct.
The system object reference (serverReferenceBL)
CN=ASMDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=buc,DC=edu
and backlink on
CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
are correct.
......................... ASMDC passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Testing server: Default-First-Site-Name\BSMDC
Starting test: Advertising
The DC BSMDC is advertising itself as a DC and having a DS.
The DC BSMDC is advertising as an LDAP server
The DC BSMDC is advertising as having a writeable directory
The DC BSMDC is advertising as a Key Distribution Center
The DC BSMDC is advertising as a time server
The DS BSMDC is advertising as a GC.
......................... BSMDC passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
......................... BSMDC passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
......................... BSMDC passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... BSMDC passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... BSMDC passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
Role Domain Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
Role PDC Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
Role Rid Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
Role Infrastructure Update Owner = CN=NTDS Settings,CN=ASMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
......................... BSMDC passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC BSMDC on DC BSMDC.
* SPN found :LDAP/BSMDC.buc.edu/buc.edu
* SPN found :LDAP/BSMDC.buc.edu
* SPN found :LDAP/BSMDC
* SPN found :LDAP/BSMDC.buc.edu/BUC
* SPN found :LDAP/93561cab-4fb3-421f-9a67-af6b4c280eca._msdcs.buc.edu
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/93561cab-4fb3-421f-9a67-af6b4c280eca/buc.edu
* SPN found :HOST/BSMDC.buc.edu/buc.edu
* SPN found :HOST/BSMDC.buc.edu
* SPN found :HOST/BSMDC
* SPN found :HOST/BSMDC.buc.edu/BUC
* SPN found :GC/BSMDC.buc.edu/buc.edu
......................... BSMDC passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC BSMDC.
* Security Permissions Check for
DC=ForestDnsZones,DC=buc,DC=edu
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=buc,DC=edu
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=buc,DC=edu
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=buc,DC=edu
(Configuration,Version 3)
* Security Permissions Check for
DC=buc,DC=edu
(Domain,Version 3)
......................... BSMDC passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\BSMDC\netlogon
Verified share \\BSMDC\sysvol
......................... BSMDC passed test NetLogons
Starting test: ObjectsReplicated
BSMDC is in domain DC=buc,DC=edu
Checking for CN=BSMDC,OU=Domain Controllers,DC=buc,DC=edu in domain DC=buc,DC=edu on 2 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=BSMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu in domain CN=Configuration,DC=buc,DC=edu on 2 servers
Object is up-to-date on all servers.
......................... BSMDC passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=buc,DC=edu
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
DC=DomainDnsZones,DC=buc,DC=edu
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
CN=Schema,CN=Configuration,DC=buc,DC=edu
Latency information for 5 entries in the vector were ignored.
5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
CN=Configuration,DC=buc,DC=edu
Latency information for 5 entries in the vector were ignored.
5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
DC=buc,DC=edu
Latency information for 5 entries in the vector were ignored.
5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
* Replication Site Latency Check
......................... BSMDC passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 8604 to 1073741823
* ASMDC.buc.edu is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 8104 to 8603
* rIDPreviousAllocationPool is 8104 to 8603
* rIDNextRID: 8106
......................... BSMDC passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... BSMDC passed test Services
Starting test: SystemLog
* The System Event log test
An Error Event occurred. EventID: 0x00000457
Time Generated: 08/20/2014 23:52:15
Event String:
Driver Send To Microsoft OneNote Driver required for printer Send To OneNote 2007 is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 08/20/2014 23:52:18
Event String:
Driver SolidPDF XChange required for printer SolidPDF XChange is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 08/20/2014 23:52:18
Event String:
Driver NRG SP 3400N PCL 6 required for printer !!net_pc5!NRG SP 3400N PCL 6 is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 08/20/2014 23:52:19
Event String:
Driver Send To Microsoft OneNote Driver required for printer !!BUCLAPTOP1!Send To OneNote 2007 is unknown. Contact the administrator to install the driver before you log in again.
An Error Event occurred. EventID: 0x00000457
Time Generated: 08/20/2014 23:52:20
Event String:
Driver NRG SP 3400N PCL 6 required for printer !!BUCLAPTOP1!NRG SP 3400N PCL 6 is unknown. Contact the administrator to install the driver before you log in again.
An Warning Event occurred. EventID: 0x80000008
Time Generated: 08/20/2014 23:52:20
Event String:
The jobs in the print queue for printer Microsoft XPS Document Writer (redirected 2) were deleted. No user action is required.
To stop logging warning events for the print spooler, in Control Panel, open Printers, right-click a blank area of the window, click Run as Administrator, click Server Properties, click the
Advanced tab, and then clear the Log spooler warning events check box.
An Warning Event occurred. EventID: 0x80000004
Time Generated: 08/20/2014 23:52:20
Event String:
Printer Microsoft XPS Document Writer (redirected 2) will be deleted. No user action is required.
To stop logging warning events for the print spooler, in Control Panel, open Printers, right-click a blank area of the window, click Run as Administrator, click Server Properties, click the
Advanced tab, and then clear the Log spooler warning events check box.
An Warning Event occurred. EventID: 0x80000003
Time Generated: 08/20/2014 23:52:20
Event String:
Printer Microsoft XPS Document Writer (redirected 2) was deleted, and users will no longer be able to print to this printer. No user action is required.
To stop logging information events for the print spooler, in Control Panel, open Printers, right-click a blank area of the window, click Run as Administrator, click Server Properties, click
the Advanced tab, and then clear the Log spooler information events check box.
An Error Event occurred. EventID: 0x00000457
Time Generated: 08/20/2014 23:52:22
Event String:
Driver NRG SP 3400N PCL 6 required for printer !!BUCLAPTOP1!NRG SP 3400N PCL 6 (Copy 1) is unknown. Contact the administrator to install the driver before you log in again.
......................... BSMDC failed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference)
CN=BSMDC,OU=Domain Controllers,DC=buc,DC=edu and backlink on
CN=BSMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
are correct.
The system object reference (serverReferenceBL)
CN=BSMDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=buc,DC=edu
and backlink on
CN=NTDS Settings,CN=BSMDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=buc,DC=edu
are correct.
......................... BSMDC passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : buc
Starting test: CheckSDRefDom
......................... buc passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... buc passed test CrossRefValidation
Running enterprise tests on : buc.edu
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\ASMDC.buc.edu
Locator Flags: 0xe00013fd
PDC Name: \\ASMDC.buc.edu
Locator Flags: 0xe00013fd
Time Server Name: \\ASMDC.buc.edu
Locator Flags: 0xe00013fd
Preferred Time Server Name: \\ASMDC.buc.edu
Locator Flags: 0xe00013fd
KDC Name: \\ASMDC.buc.edu
Locator Flags: 0xe00013fd
......................... buc.edu passed test LocatorCheck
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... buc.edu passed test Intersite
====================================================================
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\ASMDC
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 5e88f85b-15a6-4ff5-b0fd-6df748df06fd
DSA invocationID: 1355f657-cd24-4ad4-b890-f04f5c624acd
==== INBOUND NEIGHBORS ======================================
DC=buc,DC=edu
Default-First-Site-Name\BSMDC via RPC
DSA object GUID: 93561cab-4fb3-421f-9a67-af6b4c280eca
Last attempt @ 2014-08-21 00:43:56 was successful.
CN=Configuration,DC=buc,DC=edu
Default-First-Site-Name\BSMDC via RPC
DSA object GUID: 93561cab-4fb3-421f-9a67-af6b4c280eca
Last attempt @ 2014-08-21 00:41:11 was successful.
CN=Schema,CN=Configuration,DC=buc,DC=edu
Default-First-Site-Name\BSMDC via RPC
DSA object GUID: 93561cab-4fb3-421f-9a67-af6b4c280eca
Last attempt @ 2014-08-20 23:51:37 was successful.
DC=DomainDnsZones,DC=buc,DC=edu
Default-First-Site-Name\BSMDC via RPC
DSA object GUID: 93561cab-4fb3-421f-9a67-af6b4c280eca
Last attempt @ 2014-08-21 00:45:39 was successful.
DC=ForestDnsZones,DC=buc,DC=edu
Default-First-Site-Name\BSMDC via RPC
DSA object GUID: 93561cab-4fb3-421f-9a67-af6b4c280eca
Last attempt @ 2014-08-20 23:51:37 was successful.
Regards and thanks in advance
Mhiar
Hi,
Based on the description, the Sysvol is replicated by FRS service.
>>some policies at the main DC are not updated like same policies in second DC.
In this case, we can do a non-authoritative restore on the main DC.
To do so:
Click Start, and then click Run.
In the Open box, type cmd and then press ENTER.
In the Command box, type net stop ntfrs.
Click Start, and then click Run.
In the Open box, type regedit and then press ENTER.
Locate the following subkey in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
In the right pane, double-click BurFlags.
In the Edit DWORD Value dialog box, type D2 and then click OK.
Quit Registry Editor, and then switch to the Command box.
In the Command box, type net start ntfrs.
Quit the Command box.
Regarding reinitializing File Replication Service replica sets, the following article can be referred to for more information.
Using the BurFlags registry key to reinitialize File Replication Service replica sets
http://support.microsoft.com/kb/290762/en-us
Best regards,
Frank Shen -
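The steps in the answer above can also be run as one script. This is an added example, not part of the original reply; it assumes an elevated PowerShell session on the DC being reinitialized, and the function names Test-IsElevated and Set-FrsBurFlags are hypothetical helpers. The subkey name "Backup/Restore" contains a forward slash, which the PowerShell registry provider treats as a path separator, so the script goes through the .NET registry API instead of Set-ItemProperty.

```powershell
# Added example: scripted form of the BurFlags D2 steps listed in the answer above.
# Assumption: run from an elevated session on the DC whose SYSVOL copy is stale.
$ErrorActionPreference = 'Stop'

# Subkey exactly as given in the steps (relative to HKEY_LOCAL_MACHINE).
# "Backup/Restore" is ONE key name that happens to contain a forward slash.
$SubKeyPath = 'System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Test-IsElevated {
    # True when the current token is a member of the local Administrators group.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-FrsBurFlags {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][int]$Value
    )
    # OpenSubKey splits only on backslashes, so the "/" in the key name is safe here.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($Path, $true)
    if ($null -eq $key) { throw "Registry key not found: HKLM\$Path" }
    try {
        $previous = $key.GetValue('BurFlags')
        $key.SetValue('BurFlags', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
        $current = $key.GetValue('BurFlags')
    }
    finally {
        $key.Close()
    }
    # Return both values so the caller can log the change and verify the write.
    New-Object PSObject -Property @{ Previous = $previous; Current = $current }
}

if (-not (Test-IsElevated)) {
    throw 'Run this script from an elevated PowerShell session.'
}

$service = Get-Service -Name 'NtFrs'

# Step: net stop ntfrs
Stop-Service -Name 'NtFrs' -Force
$service.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

try {
    # Step: set BurFlags to D2 (hexadecimal) as a DWORD
    $result = Set-FrsBurFlags -Path $SubKeyPath -Value 0xD2
    if ($result.Current -ne 0xD2) {
        throw "BurFlags reads back as $($result.Current), expected 210 (0xD2)."
    }
    Write-Output ('BurFlags changed from 0x{0:X} to 0x{1:X}' -f $result.Previous, $result.Current)
}
finally {
    # Step: net start ntfrs (also runs if the registry write failed, so FRS is not left stopped)
    Start-Service -Name 'NtFrs'
    $service.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
}
```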
Windows 7 DNS and Group Policy Issues
Hi,
We have several suites of Windows 7 domain-connected PCs.
In one of the suites I have been called in to look at 3 different PCs where the users have not got mapped drives, desktop backgrounds, or internet connectivity, because their group policies have not applied.
When I look at the error logs I find DNS 1014 errors, and Group Policy 1054 errors.
I have looked at the logs on the switches, and there is nothing on them - Could a pupil pulling the network cable out cause these errors?... Possibly they could have put it back in before I got back in the room.
The user logs off of the PC and back on again and are fine, as are the users that logon after them.
We have 2 DCs/DNS servers, which I would have thought would be able to cope with the load here.
Please let me know what you think the likely cause could be.
Hello John555444,
What is your current situation?
Is this issue resolved?
Best regards,
Fangzhou CHEN
TechNet Community Support -
Group Policy - Issues deploying software packages through GPO
Hello everyone,
I am having issues successfully deploying MSI packages through group policy. I have set my computer account up in its own test OU in my domain, but yet the software will not deploy. Example, I'm trying to deploy AVG Anti-Virus and make sure it
is installed on each and every PC in my domain. As for the GPO, I set it up as an assigned package and pointed to the location of the package with the UNC file path (visible to both the DC and my computer that is part of the affected OU)
On the domain controller, I get these messages in application event logs:
Beginning a Windows Installer transaction: \\hs-dc2\software\avg\installavg.msi. Client Process Id: 9048.
Ending a Windows Installer transaction: \\hs-dc2\software\avg\installavg.msi. Client Process Id: 9048.
This shows up when I refresh GP on my computer. I run gpresult /h GPReport.html and get the following message:
Software Installation failed due to the error listed below.
Fatal error during installation.
Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between
The software is in a share on the domain controller that is visible from my computer, and permissions are set where "Everyone" has read access. I have tested the package on my computer and it installs correctly if I do it manually, so it's a good package.
I'm at a loss. I am admittedly very new to GP management, but I'm pretty sure I have covered all my bases here. I humbly ask for any and all help that you all can provide.
Thank you all very much, have a great weekend!
> Magnolia_Schools.exe
What's that???
> \\hs-dc2\software\avg\installavg.msi
> <file://\\hs-dc2\software\avg\installavg.msi> /qb addeploy=1
/qb ADDEPLOY=1
Uppercase matters (:
A little "Experience", a little GMV... If my answer was helpful, I'm glad about a rating!
I should have explained, my apologies. The InstallAVG.msi is the package I have GP deploying. It is a package that AVG wrote for us that goes in, uninstalls the two previous antivirus softwares we have on our network if it is present, and then wraps it to run magnolia_schools.exe which installs the AV software. I am uninstalling AVG now and will try reinstalling with \\hs-dc2\software\avg\installavg.msi /qb ADDEPLOY=1 and report back.
Also, the only logs I found that were around the time of the install attempt were such as these:
1: 2905 2: C:\windows\system32\appmgmt\MACHINE\{06ee0d46-cd5f-4216-a09f-2aeb573aa5ba}.aas
1: 2905 2: C:\windows\system32\appmgmt\MACHINE\{06ee0d46-cd5f-4216-a09f-2aeb573aa5ba}.aas
Does that tell you anything?
I will say this, if this means anything...now that AVG is installed, the event logs are changing from an error %%1603 to this:
Failed to apply changes to software installation settings. The installation of software deployed through Group Policy for this user has been delayed until the next logon because the changes must be applied before the user logon. The error was : %%1274
The removal of the assignment of application exe2msiSetupPackage from policy Install AVG failed. The error was : %%2
So it acts like it's at least seeing that the package is installed...and reacting differently, correct?
Thanks so much -
Urgent Group Policy Issue - not applying despite saying it does
Thank you for this urgent help. Auditors checking this out tomorrow morning.
We have a GPO that sets the eventlog audit settings for success or failure security events. The scope is set to Authenticated Users.
When I run the group policy wizard in GPMC it shows the settings applying to one of our servers in that OU.
When I run gpresult /z from that server it shows the policy applying to that server.
But when I go into gpedit.msc the security audit settings are all set to "not defined" and they are grayed out so I can't edit them manually.
As a test I set the GPO to deny applying to that server. I ran gpupdate /force on the system and then gpresult and it shows the GPO now not applying. But the settings are still set to not defined and still not editable. They are not being set by any other GPO.
In the event logs I only see three GPO errors but they are unrelated. A separate GPO is having issues creating user accounts. No other GPOs apply.
Quick help would be fantastic.
Server runs on Windows Server 2008 R2 (I can edit GPO but not the domain ones and I don't have access to the domain controllers).
OK, after several hours I figured it out. Turns out there's bugs and odd functionality.
If someone ever tested the 'advanced audit settings' (which I did in the same GPO at some point) then it sets a registry key to disable the use of the older basic audit settings. But when you stop using those advanced settings in your GPO it doesn't remove that registry bit. So I used the GPO to undo that setting. This was the first step. This is found Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to DISABLED.
Even though this is done, sometimes the GPO files on the domain controllers don't remove the old audit settings. So in the comments of another thread I found out you may have to go to \\domain-fqdn\SYSVOL\domain-fqdn\Policies\{your-policy-id-where-this-setting-was-originally-set}\Machine\Microsoft\Windows NT\ and delete the Audit folder which is left behind due to some odd bug. If you don't do this even after doing the next step the next gpupdate will bring that security setting above back down.
Next you have to reset your audit settings on your PC to the defaults. Unfortunately there is no way to do this. Auditpol /clear does not accomplish this. The only way to do this is to take the audit settings from another working system, export them and
then 'restore' those same settings to the affected server. To do this:
1. On 'working system' run cmd.exe as administrator and export the audit settings to a folder like this:
auditpol /backup /file:c:\working-auditpol-settings.txt
2. Copy that file to the broken system such as the C:\ drive and run this on the broken system:
auditpol /restore /file:c:\working-auditpol-settings.txt
Open GPEDIT.MSC and verify the audit settings are back to normal. Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Then run gpupdate /force on the formerly broken system. Close gpedit.msc and reopen and verify the settings were not overwritten. If you skipped the sysvol audit folder deletion step they may come back.
Hope this helps someone. -
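A read-only check for the three conditions the post above walks through, given here as an added example (not code from the poster or from Microsoft). It assumes the override option is stored as the `SCENoApplyLegacyAuditPolicy` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` and that the GPO's advanced audit settings sit in `audit.csv` inside the Audit folder named in the post; the function name, its parameters and the values in the sample call are hypothetical.

```powershell
#Requires -Version 3.0
# Added example: read-only checks for the stuck audit-policy problem described above.
# Run elevated on the affected server. Nothing is changed or deleted.

function Test-AuditPolicyOverride {
    [CmdletBinding()]
    param(
        # Placeholders: pass your own domain FQDN and the GUID of the GPO in which
        # the advanced audit settings were originally set.
        [Parameter(Mandatory)] [string] $DomainFqdn,
        [Parameter(Mandatory)] [string] $GpoGuid
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. The "Audit: Force audit policy subcategory settings ..." security option.
    #    Assumption: stored as the DWORD SCENoApplyLegacyAuditPolicy (1 = Enabled).
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $property = (Get-ItemProperty -LiteralPath $lsaKey).PSObject.Properties['SCENoApplyLegacyAuditPolicy']
    $override = if ($property) { [int]$property.Value } else { $null }
    if ($override -eq 1) {
        $findings.Add('Subcategory override is still enabled: the basic Audit Policy settings are ignored.')
    }

    # 2. The Audit folder left behind in SYSVOL for that GPO.
    $guid      = '{' + $GpoGuid.Trim('{}'.ToCharArray()) + '}'
    $auditDir  = "\\$DomainFqdn\SYSVOL\$DomainFqdn\Policies\$guid\Machine\Microsoft\Windows NT\Audit"
    $csvPath   = Join-Path -Path $auditDir -ChildPath 'audit.csv'
    $dirExists = Test-Path -LiteralPath $auditDir
    $csvRows   = 0
    if (Test-Path -LiteralPath $csvPath) {
        $csvRows = @(Import-Csv -LiteralPath $csvPath).Count
    }
    if ($dirExists) {
        $findings.Add("Audit folder still exists in SYSVOL ($csvRows setting rows in audit.csv).")
    }

    # 3. Effective policy as the system sees it. /r prints CSV; the setting text is
    #    localized, so 'No Auditing' below assumes an English system.
    $effective = @(& auditpol.exe /get /category:* /r |
        Where-Object { $_ -match '\S' } | ConvertFrom-Csv)
    $auditing  = @($effective | Where-Object {
        $_.'Inclusion Setting' -and $_.'Inclusion Setting' -ne 'No Auditing' })
    if ($effective.Count -gt 0 -and $auditing.Count -eq 0) {
        $findings.Add('No subcategory is currently audited on this machine.')
    }

    [pscustomobject]@{
        OverrideValue        = $override
        SysvolAuditFolder    = $auditDir
        SysvolFolderExists   = $dirExists
        SysvolCsvRows        = $csvRows
        SubcategoriesTotal   = $effective.Count
        SubcategoriesAudited = $auditing.Count
        Findings             = $findings.ToArray()
    }
}

# Example call with placeholder values (not taken from the thread):
# Test-AuditPolicyOverride -DomainFqdn 'corp.example.com' -GpoGuid '00000000-0000-0000-0000-000000000000'
```

Running it before and after the `auditpol /restore` and `gpupdate /force` steps shows whether the override value or the SYSVOL folder came back.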
Group Policy issue - Bandwidth detection failed
Hi
We have a major issue affecting multiple users (>100) where they are unable to login to the machine. It looks like core windows services do not start such as DHCPClient, EventLog, UserProfileService.
Looking at the events on the pc I can see the following events:
Event 6314
Group policy bandwidth estimation failed. Group policy processing will continue. Assuming fast link.
Event 6323
Group Policy dependency (Network Location Awareness) did not start. As a result, network related features of Group Policy such as bandwidth estimation and response to network changes will not work.
I can see the NLA service started but I am worried a lot more machines will become unusable. A change was made to group policy regarding searching items in the start menu
User Configuration\Administrative Templates\Start Menu and Taskbar
Do not search files: Enabled
Do not search Internet: Enabled
Remove Games link from Start Menu: Enabled
Remove Help menu from Start Menu: Enabled
Remove Music icon from Start Menu: Enabled
Remove Network Connections from Start Menu: Enabled
Remove Network icon from Start Menu: Enabled
Remove Run menu from Start Menu: Disabled
Remove the networking icon: Enabled
Remove the volume control icon: Disabled
Remove user's folders from the Start Menu: Enabled
The clients are mostly Vista SP2 with some Windows 7. DCs are Server 2008.
Any help in resolving this much appreciated.
Hi,
>>Group Policy dependency (Network Location Awareness) did not start. As a result, network related features of Group Policy such as bandwidth estimation and response to network changes will not work.
Network Location Awareness service is a needed service for processing group policy settings since Windows Vista. It helps check the network location of the computers and helps detect slow link when processing group policy settings.
Before going further, does this happen to all clients in our environment? Please check our network configuration and make sure that the clients are able to correctly communicate with DCs. Besides, we can try to reinstall network adapters to see if it helps. Moreover, please further check event logs to see if some other error events were logged.
Here, we can also try to clean boot our clients to troubleshoot if this is caused by some third party services or applications.
Regarding how to perform clean boot, the following article can be referred to for more information.
How to perform a clean boot in Windows
http://support.microsoft.com/kb/929135
In addition, if everything goes clean, we can try to delay the application of Group Policy at startup by following the procedure described in the Resolution section in the article below to see if it helps.
Windows 7 Clients intermittently fail to apply group policy at startup
http://support.microsoft.com/kb/2421599
Best regards,
Frank Shen
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
Strange DNS, Group Policy & Active Directory Issues - Can't track down root issue!
For the last few weeks, we've been getting complaints, from our developers, about not being able to authenticate on various systems. The issues were hit & miss but still problematic enough to warrant our looking into it. It seems to be getting worse... I now have new servers that aren't getting group policy updates. They may get some, like the list of local admins but won't pick up NTFS permissions for folder-access. Those that pick up the AD group full of local admins have trouble authenticating members of the group. Some were showing event log entries regarding authentication issues due to being unable to contact an AD DC. We reloaded that DC but many of the issues still persist. At this point, I'm running out of places to look for ideas. I've spent the last week looking up Event Log IDs and looking though their meanings and possible remedies but, again, the issues persist. It doesn't seem to matter what the OS is. We've been seeing this on 2008, 2008-R2 & 2012-R2.
Here are some examples of events I'm seeing. I can't figure out the root cause(s).
Log Name: Application
Source: Group Policy Files
Date: 2/19/2015 2:35:12 PM
Event ID: 4098
Task Category: (2)
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: H2T8-IOLDP1.HOMENET.local
Description:
The computer 'uptime.exe' preference item in the 'APPS (UpTime) {3BF05605-27C0-43AD-AC0F-873B678EB217}' Group Policy Object did not apply because it failed with error code '0x80090006 Invalid Signature.' This error was suppressed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Group Policy Files" />
<EventID Qualifiers="34305">4098</EventID>
<Level>3</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2015-02-19T19:35:12.000000000Z" />
<EventRecordID>1871</EventRecordID>
<Channel>Application</Channel>
<Computer>H2T8-IOLDP1.HOMENET.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data>computer</Data>
<Data>uptime.exe</Data>
<Data>APPS (UpTime) {3BF05605-27C0-43AD-AC0F-873B678EB217}</Data>
<Data>0x80090006 Invalid Signature.</Data>
</EventData>
</Event>
Log Name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date: 2/19/2015 9:38:13 AM
Event ID: 20499
Task Category: None
Level: Warning
Keywords:
User: NETWORK SERVICE
Computer: H2T8-IOLDP1.HOMENET.local
Description:
Remote Desktop Services has taken too long to load the user configuration from server \\h2s3-addc1.HOMENET.local for user RSickler
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{C76BAA63-AE81-421C-B425-340B4B24157F}" />
<EventID>20499</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2015-02-19T14:38:13.182363700Z" />
<EventRecordID>4</EventRecordID>
<Correlation />
<Execution ProcessID="1932" ThreadID="2156" />
<Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin</Channel>
<Computer>H2T8-IOLDP1.HOMENET.local</Computer>
<Security UserID="S-1-5-20" />
</System>
<UserData>
<EventXML xmlns="Event_NS">
<ServerName>\\h2s3-addc1.HOMENET.local</ServerName>
<UserName>RSickler</UserName>
</EventXML>
</UserData>
</Event>
Note that these servers are sitting in OUs that are full of other servers that don't have these issues. These GPOs have been in place for years. I suspect there's a deeper issue with AD, GP or a combination thereof. The group policy issues seem to only affect freshly loaded servers...
Hello,
assure that no firewall is blocking connection for AD required ports as listed in
https://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx
You have error about not connect setup from AD sites and services with the used subnets in your network and linking them to the correct site, please check this in AD sites and services and also have the DCs placed correct to the site they belong to.
"During the past 4.20 hours there have been 83 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to
any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet
object(s) covering the above IP addresses with mapping to one of the existing sites. The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially,
in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'.
The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize';
the default is 20000000 bytes. The current maximum size is 20000000 bytes. To set a different maximum size, create the above registry value and set the desired maximum size in bytes."
This error is about a not run adprep /rodcprep:
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=HOMENET,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
So either run the command on a DC or ignore this error.
Please provide also the following data as file:
ipconfig /all >c:\ipconfig.log [all DCs]
dcdiag /v /c /d /e /s:dcname >c:\dcdiag.log
repadmin /showrepl dc* /verbose /all /intersite >c:\repl.log ["dc* is a place holder for the starting name of the DCs if they all begin the same (if more then one DC exists)]
dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)
ADREPLSTATUS:
http://www.microsoft.com/en-us/download/details.aspx?id=30005 can also be exported to file.
As the output will become large, DON'T post them into the thread, please use Windows Sky Drive(with open access!)
https://skydrive.live.com and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
Twitter:
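The event text quoted in the reply above describes how to read `netlogon.log`: find lines containing `NO_CLIENT_SITE:`, then take the first word as the client name and the second as its IP address. The following added example (not part of the original reply) applies exactly that rule and groups the clients by subnet, so the missing subnet objects for AD Sites and Services are easy to spot; the function name, the `/24` default and the sample log lines are constructed for illustration.

```powershell
#Requires -Version 3.0
# Added example: summarize NO_CLIENT_SITE entries from netlogon.log by subnet.

function Get-ClientWithoutSite {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)] [string[]] $Line,
        # Size of the candidate subnet object; /24 is only a starting guess.
        [ValidateRange(1, 32)] [int] $PrefixLength = 24
    )
    begin { $bySubnet = @{} }
    process {
        foreach ($entry in $Line) {
            # Per the event text: first word after the marker = client name,
            # second word = client IP address.
            if ($entry -notmatch 'NO_CLIENT_SITE:\s+(\S+)\s+(\S+)') { continue }
            $name   = $Matches[1]
            $ipText = $Matches[2]

            $ip = $null
            if (-not [System.Net.IPAddress]::TryParse($ipText, [ref]$ip)) { continue }
            # This example only groups IPv4 clients.
            if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { continue }

            # Zero the host bits octet by octet to get the network address.
            $bytes = $ip.GetAddressBytes()
            for ($i = 0; $i -lt 4; $i++) {
                $bits = [Math]::Max(0, [Math]::Min(8, $PrefixLength - 8 * $i))
                $mask = (0xFF -shl (8 - $bits)) -band 0xFF
                $bytes[$i] = $bytes[$i] -band $mask
            }
            $subnet = '{0}/{1}' -f ($bytes -join '.'), $PrefixLength

            if (-not $bySubnet.ContainsKey($subnet)) {
                $bySubnet[$subnet] = [pscustomobject]@{
                    Subnet  = $subnet
                    Hits    = 0
                    Clients = New-Object 'System.Collections.Generic.HashSet[string]'
                }
            }
            $bySubnet[$subnet].Hits++
            [void]$bySubnet[$subnet].Clients.Add("$name ($ipText)")
        }
    }
    end { $bySubnet.Values | Sort-Object -Property Hits -Descending }
}

# Constructed sample lines (client names and addresses are made up).
$sample = @'
02/19 09:12:41 HOMENET: NO_CLIENT_SITE: BUILD-SRV01 10.40.12.21
02/19 09:12:44 HOMENET: NO_CLIENT_SITE: BUILD-SRV02 10.40.12.22
02/19 09:13:02 HOMENET: some unrelated debugging line
02/19 09:15:10 HOMENET: NO_CLIENT_SITE: BUILD-SRV01 10.40.12.21
02/19 09:16:37 HOMENET: NO_CLIENT_SITE: DEV-WS07 10.40.31.115
'@

$sample -split "`r?`n" | Get-ClientWithoutSite |
    Select-Object Subnet, Hits, @{ Name = 'Clients'; Expression = { ($_.Clients | Sort-Object) -join ', ' } }

# On a domain controller, feed it the real log instead:
# Get-Content "$env:SystemRoot\debug\netlogon.log" | Get-ClientWithoutSite
```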
Info you requested:
ipconfig_dcs.txt
dcdiag.txt
repl.log
dnslint.htm
ADREPLSTATUS: ADReplicationStatus.2015.2.23.9.21.16.csv ADReplicationStatusToolData.zip -
We have migrated machines using ADMT tool but we have found some Windows 7 machines Group policy issues. We see that the computer GP is getting from the new domain but the users profile still has the old domain GP information. Any help on removing the old GP objects and forcing the new domain User policy would be great. We have tried the basic troubleshooting gpupdate /force reboot etc.
Thanks
Hi,
Sorry for the delayed response.
First, please verify whether these domain users you mentioned belong to old domain or new domain.
If they belong to old domain the GP is right with no problem. If they belong to new, try following suggestions.
Please test these steps in one of the problematic computer. If it worked, then go on for others.
To avoid unexpected problems, please back up your registry keys before the following steps:
Open regedit.exe, and delete following keys:
HKLM\Software\Policies\Microsoft Key (looks like a folder).
HKCU\Software\Policies\Microsoft Key.
HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects Key.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies key
Exit the registry and restart.
Note: HKLM = HKEY_LOCAL_MACHINE & HKCU = HKEY_CURRENT_USER
Keep post.
Kate Li
TechNet Community Support -
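The reply above asks for a registry backup before the four policy keys are deleted. The following added example (not from the original reply) exports each key with `reg.exe export` and deletes it only if the export succeeded; the function name and the backup folder are hypothetical.

```powershell
#Requires -Version 3.0
# Added example: export the four policy keys named above, then delete each one
# only if its export succeeded. Run elevated AS THE AFFECTED USER: an elevated
# session under a different admin account acts on that admin's HKCU instead.

function Reset-PolicyRegistryKey {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Hypothetical backup location; any writable local folder works.
        [string] $BackupDir = (Join-Path $env:SystemDrive 'GPRegBackup')
    )

    $keys = @(
        'HKLM\Software\Policies\Microsoft',
        'HKCU\Software\Policies\Microsoft',
        'HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects',
        'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
    )

    if (-not (Test-Path -LiteralPath $BackupDir)) {
        # Create the folder even under -WhatIf so the export step can still be tested.
        New-Item -ItemType Directory -Path $BackupDir -WhatIf:$false -Confirm:$false | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

    foreach ($key in $keys) {
        $psPath = $key -replace '^(HKLM|HKCU)\\', '$1:\'      # HKLM\... -> HKLM:\...
        if (-not (Test-Path -LiteralPath $psPath)) {
            [pscustomobject]@{ Key = $key; Backup = $null; Status = 'Not present' }
            continue
        }

        $file = Join-Path $BackupDir (($key -replace '[\\ ]', '_') + "-$stamp.reg")
        & reg.exe export $key $file /y | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ Key = $key; Backup = $null; Status = 'Export failed, key left in place' }
            continue
        }

        $status = 'Exported only'
        if ($PSCmdlet.ShouldProcess($key, 'Delete registry key')) {
            try {
                Remove-Item -LiteralPath $psPath -Recurse -Force -ErrorAction Stop
                $status = 'Exported and deleted'
            } catch {
                $status = "Exported, delete failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{ Key = $key; Backup = $file; Status = $status }
    }
}

# Dry run first (exports the keys, deletes nothing), then run without -WhatIf and restart:
# Reset-PolicyRegistryKey -WhatIf
```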
Event 4098, Group Policy Local Users and Groups
Hello,
A few of our computers on the network are not replacing the local "Administrator (built-in)" account with our administrator account we set up through Group Policy. I receive the following error message from the Application Logs. I'm not sure if this error is a PC issue instead of a Group Policy issue, because Group Policy seems to be working fine on our other PCs. Any suggestions/ideas would be helpful. Thank you.
Error message: The computer "Administrators (built-in) preference item in the "Security Policies {CD8199AF-99A8-41F8-8D28-C92DD9C57A51}" Group Policy object did not apply because it failed with error code '0x80070526 The specified group policy already exists.' This error was suppressed.
Hi,
It seems that you have configured this security policy already, you can try run GPupdate /force command and then check if all security policies are applied in your computer:
Resultant Set of Policy
http://technet.microsoft.com/en-us/library/cc772175.aspx
you can use this command to retrieve the specific group policy:
http://technet.microsoft.com/en-us/library/ee461059.aspx
Alex Zhao
TechNet Community Support -
Group Policy Startup Script Applies My Policy But Does Not Run The Actual Scripts
I have created a basic batch file with msiexec.exe to uninstall a program on startup and then another separate .bat script to install the same program but the newer version. The software I'm referring to has to be completely uninstalled BEFORE I install the "newer" version of the same program, it cannot just be overwritten. If I run a gpupdate /force on the client computer and restart, the scripts run as they are supposed to and everything works but the problem is that I can't get it to run on first boot on a computer that has been turned off for months, even after multiple reboots it still doesn't run the scripts. The 3 policies apply to the different computers/users but the scripts don't run. I manage a theme park that is only open 4 months of the year so the rest of the time the in park PC's are turned off. I have created my OU as "POS Computers & Users" which has all of the computers and users that will take this policy. I also have 3 Group Policy Objects attached to this OU in Group Policy, 1 is the program uninstallation .bat script policy that runs on startup, 2 is the install .bat script policy that runs after the uninstallation script, and 3 is the Default Policy for the OU. I already have the "Always wait for the network at computer startup and logon", "Run startup scripts visible" enabled, "Run startup scripts asynchronously" disabled, and "Run Logon Scripts Synchronously" enabled for all 3 of the policies. They are all "link enabled" and security filtering is set to only the OU I mentioned earlier so that it doesn't affect anyone else. I have the link order set as the script I want to run first as the last and the one I want to run last first because from what I understand inheritance is from bottom to top. The install file is accessible by everyone with full permissions on our "Shared" drive so I know its not a permissions issue because it runs after a gpupdate /force with a restart.
The scripts are in the proper folder for the policies they are attached to and permissions are fine.
Here is my uninstall .bat script (msiexec.exe /X{14324A6A-BDD1-4F40-8E77-664C8AEEA251} /forcerestart /qb-! ALLUSERS=1 REMOVE=ALL)
Here is my install .bat script (msiexec.exe /i {\\kksrvad\shared\Gatemaster\NewGatemaster.msi} /qb ALLUSERS=1)
Can't be done in a login script.
This is a Group Policy issue and not a scripting issue. You do not have a script. You have a command saved in a batch file and you are using a GPO. Not a scripting issue.
¯\_(ツ)_/¯ -
Issue with GPO "WSE Group Policy Password Synchronization"
When I started my migration of SBS2011 to 2012r2 with essentials service I noticed this GPO appear which I assume is for passwords to be synced to the cloud however when I implemented group policy from essentials the dashboard crashed and the typical GPO's that it creates weren't there and only the folder-redirection was present it was also blank so I deleted it (I didnt delete the GPO "WSE Group Policy Password Synchronization" )
I then re-launched the dashboard and ran through the process again, it worked what a treat! except the GPO for "WSE Group Policy Password Synchronization" appears to be blank, I remember it pointing to a ps file but I dont know what ps file and how to recreate it, along with to confirm what it does. Sadly I have no GPO backup to go back to.
any help on this would be much appreciated
Cheers
Hi,
> however when I implemented group policy from essentials the dashboard crashed
Based on your description, I understand that Dashboard crashed when implemented group policies (some WSE Group Policy).
> the typical GPO's that it creates weren't there and only the folder-redirection was present it was also blank so I deleted it (I didnt delete the GPO "WSE Group Policy Password Synchronization")
Did you mean that deleted the ‘WSE Group Policy Folder Redirection’? Would you please let me know whether do any operation for the ‘WSE Group Policy Password Synchronization’? Meanwhile, please check if other WSE Group Policy also was No Settings defined in Settings tab (as your ‘WSE Group Policy Password Synchronization’ picture showed).
> Sadly I have no GPO backup to go back to.
Please start a BPA scan and check if find relevant issue. If no GPO backup, it seems that not be able to help us to restore group policy objects. By the way, did you have a Full server backup?
If anything I misunderstand or any update, please feel free to let me know.
Hope this helps.
Best regards,
Justin Gu -
issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login
-
Please wait for the group policy client - shutting down issues
Hi
I have issues with shutting down machines. When machine is connected to company's LAN everything works fine. However, if machine is connected to VPN - Juniper NC - 1 hour or more it always hangs when it is shutting down. When I shut down the machine (verbose mode on), first stage is:
Please wait for the system Event Notification service.
This ends exactly after 3 minutes. Next stage:
Please wait for the group policy client windows 7
...is never timed out (even after few hours). Machine never shuts down.
In Application logs there are always these 4 events when machine is unsuccessfully shutting down:
6005: The winlogon notification subscriber <Sens> is taking long time to handle the notification event (Logoff).
4627: The COM+ Event System timed out attempting to fire the Logoff method on event class {D5978650-5B9F-11D1-8DD2-00AA004ABD5E} for publisher and subscriber . The subscriber failed to respond within 180 seconds.
The display name of the subscription is "ISensLogon2". The HRESULT was 80010002.
6006: The winlogon notification subscriber <Sens> took 180 second(s) to handle the notification event (Logoff).
6005: The winlogon notification subscriber <GPClient> is taking long time to handle the notification event (Logoff).
Sens is timed out after 3 minutes while there is no 6006 event for GPClient and machine is stuck there for ages (Please wait for the group policy client stage). I noticed in System logs that machine always hangs if there is this error
5783: The session setup to the Windows NT or Windows 2000 Domain Controller \\server for the domain X is not responsive. The current RPC call from Netlogon on \\machine to \\server has been cancelled.
I made a group policy log and below you can see part of GPSVC log when machine is unsuccessfully shutting down:
GPSVC(2d4.1cfc) 21:31:24:327 CGPNotify::UnregisterNotification: Entering with event 0xe58
GPSVC(2d4.1cfc) 21:31:24:327 CGPNotify::AbortAsyncRegistration: No asyn registration is pending
GPSVC(2d4.1cfc) 21:31:24:327 CGPNotify::UnregisterNotification: Canceling pending calls
GPSVC(2d4.1cfc) 21:31:24:327 Client_CompleteNotificationCall: failed with 0x71a
GPSVC(2d4.1cfc) 21:31:24:327 CGPNotify::UnregisterNotification: Cancelled pending calls
GPSVC(2d4.1cfc) 21:31:24:327 CGPNotify::UnregisterNotification: Exiting with dwStatus = 0x0
GPSVC(438.1a04) 21:31:24:327 Waiting for user group policy thread to terminate.
GPSVC(2d4.1cfc) 21:31:24:327 CGPNotify::UnregisterNotification: Entering with event 0xe10
GPSVC(2d4.1cfc) 21:31:24:327 CGPNotify::AbortAsyncRegistration: No asyn registration is pending
GPSVC(2d4.1cfc) 21:31:24:327 CGPNotify::UnregisterNotification: Canceling pending calls
GPSVC(218.c88) 21:31:24:327 Client_CompleteNotificationCall: failed with 0x525
GPSVC(2d4.1cfc) 21:31:24:327 Client_CompleteNotificationCall: failed with 0x71a
GPSVC(2d4.1cfc) 21:31:24:327 CGPNotify::UnregisterNotification: Cancelled pending calls
GPSVC(2d4.9c8) 21:31:24:327 CGPNotify::OnNotificationTriggered: Completenotification failed with 1317
GPSVC(2d4.1cfc) 21:31:24:327 CGPNotify::UnregisterNotification: Entering with event 0xdcc
GPSVC(218.1054) 21:31:24:327 CGPNotify::UnregisterNotification: Entering with event 0x20cc
GPSVC(2d4.1cfc) 21:31:24:327 CGPNotify::AbortAsyncRegistration: No asyn registration is pending
GPSVC(2d4.9c8) 21:31:24:327 CGPNotify::OnNotificationTriggered: Completenotification failed with 1317
GPSVC(2d4.1cfc) 21:31:24:327 CGPNotify::UnregisterNotification: Entering with event 0xd90
GPSVC(218.1054) 21:31:24:327 CGPNotify::AbortAsyncRegistration: No asyn registration is pending
GPSVC(2d4.1cfc) 21:31:24:327 CGPNotify::AbortAsyncRegistration: No asyn registration is pending
GPSVC(2d4.1cfc) 21:31:24:342 CGPNotify::UnregisterNotification: Exiting with dwStatus = 0x0
GPSVC(218.d48) 21:31:24:342 Client_CompleteNotificationCall: failed with 0x525
GPSVC(218.d48) 21:31:24:342 CGPNotify::OnNotificationTriggered: Completenotification failed with 1317
GPSVC(218.1c04) 21:31:24:327 Client_CompleteNotificationCall: failed with 0x525
GPSVC(218.1c04) 21:31:24:342 CGPNotify::OnNotificationTriggered: Completenotification failed with 1317
GPSVC(218.1054) 21:31:24:342 CGPNotify::AbortAsyncRegistration: No asyn registration is pending
GPSVC(218.1054) 21:31:24:342 CGPNotify::UnregisterNotification: Exiting with dwStatus = 0x0
GPSVC(218.1054) 21:31:24:342 CGPNotify::UnregisterNotification: Entering with event 0x2100
GPSVC(218.1054) 21:31:24:342 CGPNotify::AbortAsyncRegistration: No asyn registration is pending
GPSVC(218.1054) 21:31:24:342 CGPNotify::UnregisterNotification: Exiting with dwStatus = 0x0
GPSVC(218.1054) 21:31:24:342 CGPNotify::UnregisterNotification: Entering with event 0x1264
GPSVC(218.1054) 21:31:24:342 CGPNotify::AbortAsyncRegistration: No asyn registration is pending
GPSVC(218.1054) 21:31:24:342 CGPNotify::UnregisterNotification: Exiting with dwStatus = 0x0
I tried with signing out from VPN before shutting down machine, I even switched off WiFi but machine still hung. If I tried to get GP results before shutting down machine it takes ages and it is stuck in "Getting the user name" stage. Gpupdate /force never updates policy (It stops at Updating Policy...). I tried with installing different hotfixes which did not resolve the issue. I never have any issues with logging in, no GP scripts are applied when user is logging off or on, no roaming profiles. The only issue is when machine needs to be shut down.
I excluded 1 machine from GP and left it on VPN for a few hours, several times. It always shuts down successfully. I applied GP back one by one and the one which is presumably causing an issue is Avecto which adds admin rights when VPN application starts (event 100):
Process started with admin rights added to token.
Command Line: "C:\Users\User\AppData\Roaming\Juniper Networks\Setup Client\JuniperSetupClient.exe"
Process Id: 5540
Parent Process Id: 2252
Policy: EA-PrivilegeGuardSettings.UK Policy
Application Group: EA-PrivilegeGuardSettings.Applications Granted Admin Rights
Reason: <None>
File Name: c:\users\User\appdata\roaming\juniper networks\setup client\junipersetupclient.exe
Hash: 27D8463A913A802E555AEEF45717B122249AA993
Certificate: Juniper Networks, Inc.
Description: Juniper Setup Client
Application Type: exe
Product Name: Juniper Setup Client
Product Code: <None>
Upgrade Code: <None>
Product Version: 8.0.6.48695
I guess there is a DNS issues when machine is on VPN which leads that GP cannot be applied / updated. Not sure if or why Avecto would have an impact on this. When machine is trying to shut down it still somehow thinks it is connected to DC. What I also noticed are several explorer crashes while machine is on VPN.
Does anyone have same issues? All machines are Dell with Juniper NC (VPN).
Thanks,
Hi,
According to event log, Winlogon process takes a long time to handle logoff event. That's to say winlogon process is waiting for response to logoff.
According to your description after, this problem is most probably caused by Avecto. You can try to disable or uninstall it temporarily for test.
To make further troubleshoot with this problem, you can try to use WPT (Windows Performance Tool) to make troubleshoot.
http://blogs.technet.com/b/askpfeplat/archive/2013/03/22/troubleshooting-windows-performance-issues-using-the-windows-performance-recorder.aspx
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Group Policy Preferences Shortcut issues ( event ID 1085 )
I am hoping someone will be able to help me with a problem that is causing our users a headache.
We have a Windows 2008 SP2 terminal server farm (1 gateway, 2 terminal servers, TS1 and TS2); we also use Group Policy Preferences to deliver app shortcuts to different AD user groups.
TS1 and TS2 were built from the same image. On TS1 users log on and get all the icons they are entitled to; on TS2 it is random whether they get their shortcuts or not.
Both TS are rebooted daily and I have scripted removing any local profiles in case it was something left behind.
Checking the event logs on TS2 I see several errors that appear to relate to Group Policy and correspond to when users have connected in.
Any help with this issue would be appreciated.
Here is the information from the System log:
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 05/12/2014 15:32:26
Event ID: 1085
Task Category: None
Level: Warning
Keywords:
User: Username
Computer: TerminalServer
Description:
Windows failed to apply the Group Policy Shortcuts settings. Group Policy Shortcuts settings might have its own log file. Please click on the "More information" link.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
<EventID>1085</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2014-12-05T15:32:26.450Z" />
<EventRecordID>478778</EventRecordID>
<Correlation ActivityID="{CCB45268-E6F8-4127-97C8-A8544829F2DE}" />
<Execution ProcessID="344" ThreadID="11212" />
<Channel>System</Channel>
<Computer>TerminalServer</Computer>
<Security UserID="S-1-5-21" />
</System>
<EventData>
<Data Name="SupportInfo1">1</Data>
<Data Name="SupportInfo2">3892</Data>
<Data Name="ProcessingMode">1</Data>
<Data Name="ProcessingTimeInMilliseconds">6047</Data>
<Data Name="ErrorCode">2147942413</Data>
<Data Name="ErrorDescription">The data is invalid. </Data>
<Data Name="DCName">\\OurDomain</Data>
<Data Name="ExtensionName">Group Policy Shortcuts</Data>
<Data Name="ExtensionId">{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7}</Data>
</EventData>
</Event>

> <Data Name="ErrorDescription">The data is invalid. </Data>
Delete the history XML.
Martin
Want to read a GOOD book about GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))
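The `ErrorCode` in the event ID 1085 record posted above is an HRESULT written as a decimal number. As an added example (not code from the thread), this Python parses such a record exported as XML and decodes the value; the function names are hypothetical and the sample is the posted event trimmed to the fields used.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FACILITY_WIN32 = 7  # HRESULT facility that wraps a plain Win32 error code

# Sample input: the event from the post, trimmed to the fields used below.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>1085</EventID>
    <Computer>TerminalServer</Computer>
  </System>
  <EventData>
    <Data Name="ProcessingTimeInMilliseconds">6047</Data>
    <Data Name="ErrorCode">2147942413</Data>
    <Data Name="ErrorDescription">The data is invalid. </Data>
    <Data Name="ExtensionName">Group Policy Shortcuts</Data>
    <Data Name="ExtensionId">{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7}</Data>
  </EventData>
</Event>"""

def decode_hresult(value):
    """Split a 32-bit HRESULT into severity, facility and code."""
    value &= 0xFFFFFFFF  # some exports show the same code as a signed integer
    return {
        "hex": f"0x{value:08X}",
        "failure": bool(value >> 31),
        "facility": (value >> 16) & 0x7FF,
        "code": value & 0xFFFF,
    }

def summarize_1085(event_xml):
    """Return the triage fields of a GroupPolicy event ID 1085 record."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1085":
        raise ValueError("not an event ID 1085 record")
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    hr = decode_hresult(int(data["ErrorCode"]))
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "extension": data["ExtensionName"],
        "extension_id": data["ExtensionId"],
        "hresult": hr["hex"],
        # Win32 error 13 is ERROR_INVALID_DATA ("The data is invalid.")
        "win32_error": hr["code"] if hr["facility"] == FACILITY_WIN32 else None,
        "elapsed_ms": int(data["ProcessingTimeInMilliseconds"]),
    }

if __name__ == "__main__":
    print(summarize_1085(SAMPLE_EVENT))
```

Run over the 1085 events exported from both terminal servers, the `extension` and `hresult` fields show whether TS2 fails in the same client-side extension with the same error each time.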
ActiveX msi Flash Player 10.0.42.34 group policy deploy issue
I have been deploying the flash player to our workstations since version 9. We have a 2003 AD domain and XP SP3 workstations.
I know that it is recommended to use the flash uninstall program to remove flash when installing a new version but I haven’t taken the time to work on that type of scripting for any install. Any attempts to uninstall the previous versions of flash via group policy when deploying have never worked. I had the same experience with java 1.5 jres…they would never uninstall via policy.
I have had success so far with deploying the latest version to the workstations with a new policy while leaving the old policy applied until a few weeks have passed when all the workstations have been updated.
I am in the process of deploying Flash Player 10.0.42.34 to replace Flash Player 10.0.32.18.
My test deploy to my virtual XP test workstation worked with no problems. The flash test page detected the newer version and the correct version was in add/remove programs.
I then did a test deploy to a production workstation and the software installed without errors (the group policy install went extremely fast so I knew something was wrong). No errors were reported in the workstation application log. However when you visited the flash test page no version of flash was detected. I also checked in add/remove programs and the program icon was the windows installer icon instead of the normal red flash box….this has been associated with other installation issues in the past.
I have tried this on 3 other production machines and experienced the same results. My virtual XP test workstation has only had version 10.0.32.18 on it so I am guessing that having had the older versions of 10 on the production workstations is causing the problem somehow.
I have had issues in the past, but nothing like this. Looks like I may have been owned by adobe on this one.
Any insight would be appreciated.
Thanks

Sure, here is the URL:
http://www.forevermark.com/ja-jp/The-World-of-Forevermark-/Precious-Collection/
On some machines, the Japanese text in the centre section appears very large (see attached snapshot).
We initially encountered this on the version prior to the 10.0.42.34 version.
However, even after upgrading to 10.0.42.34, the problem still persists.
Thanks