Group Policy Preference's --APplied to Groups not always working

Similar Messages

• Unable to make changes to LAN Settings in IE after Group Policy Preference is applied

  Hi all,
  I have an IE10 group policy preference on a Server 2008 R2 domain that is pushed out to Windows 7 SP1 x64 clients. This IE10 GPP is used to push out proxy settings etc. The GPP is applied fine, however when I go into LAN Settings in IE and make any
  changes such as unchecking "Use a proxy server..." these changes are not saved. As soon as I click OK and go back into LAN Settings it reverts back to the GPP settings. Are IE10 GPP's meant to allow a user to amend settings in IE? The users have
  permissions to write to the Connections key under Internet Settings in the registry. If I delete the Connections key (Which includes DefaultConnectionSettings and SavedLegacySettings) I can then make changes to the proxy (Although without the original settings).
  I know their are other, and better, methods of controlling proxy settings for users but unfortunately this is the way the customer has it implemented. All defaults for GP is applied such as refresh rate etc. I've tested IE10 on a Server 2012 R2 / Win8 environment
  with the exact same GPP settings and I can make changes to the LAN Settings. Is this possibly a bug? Any help would be appreciated.
  Thanks.

  Hi,
  So by now we could make it work by deleting the Connections key, in order to change the proxy settings of IE 10-Windows 7 in the Windows Server 2008 R2 environment?
  Besides, could it be convenient for us to perform some more tests here? How IE 10 of Windows 7 behaves in Server 2012 R2 environment? And Windows 8 in Server 2008 R2?
  Best regards
  Michael
  Michael Shao
  TechNet Community Support

• Group policy Preference - Internet Option setting not applying

  Hi,
  I’m not very sure if any of you have encounter this strange issue when
  configuring GPP -> Internet option setting for window 7 IE9 or IE11.
  The following
  are spec of OS and IE version used in my environment.
  Window Server
  2012 R2 (IE 10)
  Window 7 (IE9
  and IE11)
  Recently I
  have deployed proxy setting via GPP as I do not have IEM under my GPMC console.
  Once the setting is been configured and deployed, I have notice that the GPO do
  not apply after the user login. The following scenarios is what we observed.
  1) User boot up the machine, Login and proxy setting will not applied
  1a) gpupdate /force -> Proxy Settings applied
  1b) setting will be removed after the GPO refreshed
  2) User boot up the machine, Login and proxy setting will not apply
  2a) User logoff and login proxy setting applied.
  2b) Setting will be removed after the GPO refreshed
  Kindy advise
  if there is any solution to ensure that the setting apply whenever the user
  login and stay intact even after the gpo refreshed by itself.

  Hi,
  >>1a) gpupdate /force -> Proxy Settings applied
  >>1b) setting will be removed after the GPO refreshed
  Based on the description, we can run command gpresult/h report.html to collect group policy result reports to compare how the settings are being applied.
  Besides, have we installed the following hotfix on the computers with IE 9? If not, we can try to install the hotfix.
  Internet Explorer Group Policy Preferences do not apply to Internet Explorer 9 in a Windows Server 2008 R2 domain environment
  https://support.microsoft.com/en-us/kb/2530309?wa=wsignin1.0
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Registry Wizard not saving selections in Group Policy Preferences.

  Hello,
  I am trying to set registry keys for ODBC settings using Group Policy Preferences. All PC's in the domain are Windows 7. In testing, I was able to get this to work. Now that I am trying to create it for production, I am unable to get it to work.
  I am using the same PC to create for production that I used when I was testing.
  The steps I am taking are as follows:
  Create a new GPO. Edit the GPO and navigate to the registry node under Computer Configuration, Preferences where I create a new Collection Item. I then right click the new collection item and choose New - Registry Wizard. Using Local Computer,
  I navigate to [HKLM] > Software > Wow6432Node > ODBC > ODBC.ini
  Under the ODBC.ini key are all of the keys and data I want to include in my policy. When I check each key and put a check mark beside each data item in the lower window, my selections in the lower window are not being saved. The check mark
  shows up at the time but they are gone if I go back to check my work before hitting the finish button. If I go ahead and finish the policy anyway, I only get the keys, not the data items when the GPO is applied.
  I have found a work around but it is very cumbersome and isn't a good long term solution. The work around is to go ahead and create the policy, then go back into the collection and expand everything on the left and add each data value to each key one at
  a time using the All Tasks > Add - menu item.
  Any ideas why this is happening? I should also mention when I was "testing", I was hitting the same domain controller as I am when trying to build this for my "production" policy.
  Thanks in advance.

  Hello,
  Thanks for your reply. I am waiting on my account to be verified before I can post a screen shot.
  I did discover that if I go through and click on all the data items more than once, it appears to work. Basically, I went through each key and checked the data items, then went back to the top and started over again. All of the checks were gone, so I checked
  them again and clicked finish. I don't know if they were still missing but checking them twice seems to have worked.
  I can replicate the issue if I only check them once.

• Group Policy Preferences IE9 settings inconsistently applying on Windows 7 Clients

  We have two Windows 2008 R2 Domain Controllers.
  We have only Windows 7 SP1 clients.
  We have a mix of IE 9, 10 ,11 on the clients.
  We moved to using GPP to control IE Proxy settings some considerable time ago.
  We recently needed add a site the the proxy exceptions list. This appeared to work. However we discovered that for IE 10+ the setting was not effective. So we spun up a Windows 8.1 VM with RSAT and added a new IE Settings object into GP targeting IE
  11. This appeared to have the desired effect.
  After a while some  (and it appears only some) IE9 machines, found their proxy settings reverting. This could be resolved by closing IE down and issuing a gpupdate /force command. However the issue would re-occur for these users, and they would be required
  to close their browser and re-issue update /force again.
  Furthermore (this may or may not be linked) we have been seeing JavaScript disabled warnings from OWA from some machines running IE11.
  Any thoughts on troubleshooting this would be appreciated.
  Nick

  Would you please let me know if the issue only occurred on all Windows 7 with IE 9 installed machines? Or
  only some Windows 7 with IE 9 installed machines have this issue?
  The issue is affecting about 20-25% of machines. Generally after a logon they are fine, but then after a background gp refresh they pick up 'old' settings for the bypass proxy list.
  Would you please let me know how did you configure the GPP settings?
  We opened up an existing GPO that contained our previous Internet Explorer GPP settings on our first domain controller (which appears to have IE11 installed) made the changes to the existing
  GPP IE Settings.
  We then noticed that the settings hadn't taken on IE11 machines, so we used a windows 8.1 RTM VM with RSAT installed to add an additional "Internet Explorer 8: Internet Explorer 11" only
  set of preferences. The IE8/9/10 preferences had priority of 1 the IE 11 preferences a priority of 2
   I think the original GPP settings were created from a Windows 7 machine with IE9 and the Enterprise Hotfix Rollup installed.
  Did you configure it in one GPO and applied to all machines?
  Yes.
  Have you tried to just configure it separately on Windows 2008 R2 DC and applied it to these Windows 7 with IE 9 installed machines?
  Not yet. We currently have a some LOB activities that require one of the sites in the proxy bypass list. I do not want to risk breaking that until later on this week.
  How to enable Group Policy Preferences support for IE9
  http://www.grouppolicy.biz/2011/03/how-to-enable-group-policy-preferences-support-for-ie9/
  We have the enterprise hotfix rollup installed on the Clients. However
  it appears it is not installed on the DCs. 
  Further examination of the output of a gpresult /h shows that legacy settings from the IE Maintenance object within the GPO match the settings we see applying from time to time. Is that possible? How can we remove the IE Maintenence settings from the
  GPO to test?

• [Forum FAQ] Group Policy Preferences Scheduled Tasks Item not working when the option Run whether user is logged on or not is selected

  Scenario:
  We use one of the following Group Policy Preferences Scheduled Tasks item to deploy a task to clients:
  Computer Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Scheduled Task (At least Windows 7)
  Computer Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Immediate Task (At least Windows 7)
  User Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Scheduled Task (At least Windows 7)
  User Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Immediate Task (At least Windows 7)
  (Note that on some platforms, "At least Windows 7" is replaced with "Windows Vista and later.")
  After designating a user account to run the task, we select “Run whether user is logged on or not” option, and “The Do not store password…”
  check box is automatically grayed out (See Figure 1).
  Figure 1
  After finishing configuring the task item, on a client, we run command
  gpupdate/force to forcefully update group policy. However, on the client, when we check if the task is listed in Task Scheduler snap-in, the task is not displayed, and when we run
  gpresult/h report.html to collect group policy result for troubleshooting, we see an error as similar as shown in the following figure (Figure 2).
  Figure 2
  Cause:
  To make the scheduled task run whether the user is logged on or not, we need to store the password of the designated user account. However, for the content of the scheduled
  task item is stored in Sysvol where it’s not safe to store passwords, this function has been deprecated.
  Workaround:
  We can run the task with system account
  NT Authority\System, or we can use specific user accounts to run the task when the given user is logged on. (See Figure 3)
  Figure 3
  Reference:
  MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege: May 13, 2014
  http://support.microsoft.com/kb/2962486
  Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

  Hello Everyone,
  Succeeded !!!!!!!
  Even i was struggling with this same Problem to execute a batch via Window scheduler and set the setting to "Run whether the user is logged in or not".
  I tried many time but the batch runs with " Run
  whether user is logged on" and not with "Run
  whether user is logged on or not".
  what i discovered is that there was one mapped drive
  path in my batch file which was not the complete path like y:/AR.qvw actually what i did i changed that map path to the complete path like \\servnamename\d$\AR.qvw and the batch executed successfully with the setting "Run
  whether user is logged on or not"
  The
  conclusion is that check the dependency of the script on external resources because when you check this option "Run
  whether user is logged on or not" It actually conflicts. This my discovery.
  If
  you have any question write me on [email protected]
  Thanks
  & Regards,
  Arun

• Group Policy won't apply, No mapping between account names and security IDs was done.

  I am using Group Policy Preferences to remove users from the local admin group and add a local admin account.  This GPO is working on 90% of the Win7 machines on the network, but three laptops are not accepting the GPO.  I get the following error:
  Log Name:      Application
  Source:        Group Policy Local Users and Groups
  Date:          6/24/2014 8:49:28 AM
  Event ID:      4098
  Task Category: (2)
  Level:         Warning
  Keywords:      Classic
  User:          SYSTEM
  Computer:      laptop1.internal.com
  Description:
  The user 'Administrators' preference item in the 'Local Admin Policy - Remove Permissions {593ACD77-3663-4023-BEB8-938D83F7862E}' Group Policy object did not apply because it failed with error code '0x80070534 No mapping between account names and security
  IDs was done.' This error was suppressed.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Group Policy Local Users and Groups" />
      <EventID Qualifiers="34305">4098</EventID>
      <Level>3</Level>
      <Task>2</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2014-06-24T13:49:28.000000000Z" />
      <EventRecordID>68771</EventRecordID>
      <Channel>Application</Channel>
      <Computer>laptop1.internal.com</Computer>
      <Security UserID="S-1-5-18" />
    </System>
    <EventData>
      <Data>user</Data>
      <Data>Administrators</Data>
      <Data>Local Admin Policy - Remove Permissions {593ACD77-3663-4023-BEB8-938D83F7862E}</Data>
      <Data>0x80070534 No mapping between account names and security IDs was done.</Data>
    </EventData>
  </Event>
  I've searched high and low for an answer and nothing I find on-line seems to apply.  I also notice that the option to 'Run as Administrator' does not work.  If I right-click on cmd.exe and select 'run as administrator', the command box opens but
  I am not prompted for credentials and the command box does not have admin rights.  Not sure if this is related or not.
  Any help on this would be greatly appreciated.
  Thanks,
  Joe

  Hi,
  Delete your  remove action from the GPP and push it again, does this issue still occur?
  If it still exists, let’s collect the GPP log for analysis:
  Group policy Preference debug logging policy settings are located under:
  Computer Configuration\Administrative Templates\System\Group Policy
  Click Logging and tracing, select local users and group preference logging and trace.
  Meanwhile, just a similar issue, but it is worth trying:
  A user is added to the wrong group on a client computer that is running Windows 7 or Windows Server 2008 R2
  http://support.microsoft.com/kb/2280515
  If you have any feedback on our support, please click
  here
  Alex Zhao
  TechNet Community Support

• Proxy details keep deleting from field in Group Policy Preferences for IE 10 on windows 7 and 8

  We have a lot of users who on the last update and have seemed to manage to install IE 10 onto their windows 7 machines as now causing all sorts of issues. I know that IEM has been replaced in favour of Group Policy Preferences and I have build a windows
  8 machine just to create a group policy preference as you are unable to create the preferences from windows 7, thank you Microsoft!
  I have created a test OU and got a win 7 and a win 8 machine both with IE 10 for testing. I have created the preference settings, home page etc and disabled using the F keys the advanced features that we do not require as from reading in other post even
  if it is not ticked, if it is green then it will apply it, kinda defeats the using the tick but it is what it is!
  When we do a gpupdate it picks up the default homepage as well as other settings but the proxy settings is blank. I then went back into the preferences I created for IE 10 and checked the connections, LAN settings and the proxy server name is missing but
  both ticks are showing for the proxy settings and when you click on advanced it shows the proxy server and port details fine. I have been working on this now for 4 days and getting no where to a point were we just roll back any users on IE 10 back to IE 9.
  I have also unlinked any other gpo relating to Internet settings on the test OU just in case there are conflicts. Any ideas as where to go from here?

  In the end to get around the proxy settings I had to create a registry key preference with proxy and port details which seemed to have done the trick and now IE 10 is picking up the proxy details and displaying webpages

• Cannot Copy File with Group Policy Preferences

  Hi,
  I am trying to use a Group Policy Preference to copy a simple text file from a network share to a folder at the root of 'C:\' on the clients. It is not happening. I created the preference in the computer section of the GPO. It is set to create, as the file
  does not already exist on the client, with the archive bit on.
  Source: \\server.domain.com\folder\fileshare\file.txt
  Destination: C:\folder
  GPResult shows the clients are getting the GPO, but it seems as if that one setting and another is not being applied. I have no idea why this isn't working when other parts of the GPO are being applied. I read
  the documentation on the Technet page, but I must have missed something.
  Any ideas why this might not be working?
  Thanks
  Jason Watkins MCSE, MCSA, MCDBA, CCNA

  > Computers" has read access. Listing the actual file name in the
  > destination is something I would have never though to do.
  ...unless the path ends with an "\", it IS a file name, so if you had
  "C:\Folder" as the target, check your C:\ drive for a file called
  "Folder" :)
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Extreme slow login on Server 2008 R2 TS at Group Policy Preferences - Printers

  I see references to this problem everywhere, going back to 2010.  However I'm not finding any real answers.
  I have Group Policy Preferences installing printers to Terminal Server Users.  I have one policy that applies to 4 terminal servers.  One of them is a 2008 R2, the others are 2003 x64.  Only for the 2008 R2 server, after all of the printers
  show (in event viewer) as successfully loaded, there is a long hang.  I have many printers applied to me, and that results in my load time being the longest of all at about 3 minutes.  I am an administrator on the machine.  Others have the exact
  same problem, just a bit less pronounced depending on the number of printers. 
  The policy preference is set to UPDATE, so it's not loading the driver... again, the printer is already successfully applied.
  I've tried setting UAC to "Never" on the server.  No effect.  I've played with the Point and Print policy at both computer and user level, finally just setting both to disabled, but prior to that setting them to Enabled with the "do
  not show warning" on both settings.  No effect (which makes sense since that is for non-admins and I am having this problem as an admin).
  My logging pasted below shows this same thing in all cases.
  Is there an answer to this that I am just not finding?
  2013-12-06 09:11:44.133 [pid=0x388,tid=0xca0] Filters passed.
  2013-12-06 09:11:44.133 [pid=0x388,tid=0xca0] Adding child elements to RSOP.
  2013-12-06 09:11:44.133 [pid=0x388,tid=0xca0] Set user security context.
  2013-12-06 09:11:44.289 [pid=0x388,tid=0xca0] Set system security context.
  2013-12-06 09:14:13.873 [pid=0x388,tid=0xca0] Set user security context.
  2013-12-06 09:14:13.909 [pid=0x388,tid=0xca0] Set system security context.
  2013-12-06 09:14:13.909 [pid=0x388,tid=0xca0] Properties handled.
  2013-12-06 09:14:13.909 [pid=0x388,tid=0xca0] RunOnce value created [SUCCEEDED(S_FALSE)]

  Hi,
  Based on your description, I want to confirm whether we have used Item-level Targeting of GPP for printer deploying.
  GP Preferences settings that use Item- Level Targeting (ILT) are not inherently harmful. However, certain kinds of Item Level Targeting queries can
  take more time to run.
  Regarding this issue, the following article can be referred to for more information and the hotfix in the article can be downloaded to fix the issue.
  You experience a long domain logon time in Windows Vista, Windows 7, Windows Server 2008 or Windows Server 2008 R2 after you deploy Group Policy preferences
  to the computer
  http://support.microsoft.com/kb/2561285/en-us
  In addition, regarding group policy and logon impact, the following article can be referred to for more information.
  Group Policy and Logon Impact
  http://blogs.technet.com/b/grouppolicy/archive/2013/05/23/group-policy-and-logon-impact.aspx
  Best regards,
  Frank Shen

• Does using Group Policy Preferences to deploy printers require the print driver to be pre-installed?

  I'm trying to prepare our school system for Windows 7 (we currently use XP).  I would like to use the new Group Policy Preferences method of deploying printers.  I pushed out the XP client side extensions through WSUS.  In my test environment, I added the shared printer in group policy preferences.  My XP machine had the printers show up automatically, but my Windows 7 machine did not.  I realized that I had previously connected a printer of the same type to my XP machine before and the drivers were already installed.  To test this theory, I manually connected the shared printers to the Windows 7 machine, deleted them, then logged off and back on.  Now the printers are showing up from group policy.  My question is does using group policy preferences to deploy printers require the print driver to be pre-installed?  If not, then what am I doing wrong?  If so, is there a way to work around this?  Thanks for your help.
  EDIT:  To clarify, I am using the share method in GPP.  This is the error message I get in the event log:
  The user 'PRINTERNAME' preference item in the 'win7 printer test {946461A1-27F8-406F-A0B3-0A1A05AF34F6}' Group Policy object did not apply because it failed with error code '0x80070bcb The specified printer driver was not found on the system and needs to be downloaded.' This error was suppressed.

  This link have a description of resolution:
  http://technet.microsoft.com/en-us/library/cc725938.aspx
  Open the GPMC.
  Open the GPO where the printer connections are deployed, and navigate to Computer Configuration, Policies, Administrative Templates, Control
  Panel, and thenPrinters.
  Note
  The Point and Print Restrictions setting can also be found under User Configuration\Policies\Administrative Templates\Control Panel\Printers.
  This policy is ignored by Windows 7 and Windows Server 2008 R2, but is enforced by earlier editions of Windows including Windows XP with SP1, Windows Server 2003 with SP1, and Windows Server 2008. We recommend that you change
  this policy setting in both locations so that all down-level clients have a consistent experience.
  Right-click Point and Print Restrictions, and then click Properties.
  Click Enabled.
  Clear the following check boxes:
  Users can only point and print to these servers 
  Users can only point and print to machines in their forest 
  In the When installing drivers for a new connection box, select Do not show warning or elevation prompt.
  Scroll down, and in the When updating drivers for an existing connection box, select Show warning only.
  Click OK.

• Group Policy Preference Power Plan "Blocked By Group Policy"

  I noticed this error in the application event log of a Windows 7 PC:
  Log Name:      Application
  Source:        Group Policy Power Options
  Date:          3/21/2013 3:19:42 AM
  Event ID:      4098
  Task Category: (2)
  Level:         Warning
  Keywords:      Classic
  User:          SYSTEM
  Computer:      xxx
  Description:
  The computer 'Power Plan (Windows Vista and later)' preference item in the 'Windows 7 Desktop Power Plan {A078F08F-45CC-4209-A264-FE0CB5635A99}' Group Policy object did not apply because it failed with error code '0x800704ec This program is blocked by group
  policy. For more information, contact your system administrator.' This error was suppressed.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Group Policy Power Options" />
      <EventID Qualifiers="34305">4098</EventID>
      <Level>3</Level>
      <Task>2</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2013-03-21T10:19:42.000000000Z" />
      <EventRecordID>7687</EventRecordID>
      <Channel>Application</Channel>
      <Computer>xx</Computer>
      <Security UserID="S-1-5-18" />
    </System>
    <EventData>
      <Data>computer</Data>
      <Data>Power Plan (Windows Vista and later)</Data>
      <Data>Windows 7 Desktop Power Plan {A078F08F-45CC-4209-A264-FE0CB5635A99}</Data>
      <Data>0x800704ec This program is blocked by group policy. For more information, contact your system administrator.</Data>
    </EventData>
  </Event>
  How can I find out exactly why it is not working?  "Blocked by group policy" is not specific enough.

  Hi,
  You can also enable GPP tracing and logging for more information:
  Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure Power Options preference logging and tracing
  http://blogs.technet.com/b/askds/archive/2008/07/18/enabling-group-policy-preferences-debug-logging-using-the-rsat.aspx
  Regards,
  Cicely
  There is no such option "Configure Power Options preference logging and tracing" at Computer
  Configuration\Policies\Administrative Templates\System\Group Policy\.
  It alphabetical order Always use local ADM files ... is followed by Disallow interactive users from generating ...  Not

• Group Policy "Restricted Groups" (local groups) using group policy preferences

  I was recently tasked a solution with creating a group policy to manage RDP user access to a set of Active Directory computer objects.
  Part of the  solution was to create a policy so that this would only apply a specific security group(users) to a specific set of Active Directory computer objects within the OU to which it was applied so that other machines
  and/or user accounts in this OU remain un affected by this policy.
  The policy was to be able to include multiple sets of Security groups(users) for the associated machines isolating those security groups(users) to only their sets of Active Directory computer objects.
   Reduce the requirement to create multiple group policies to apply different "Local Group"/"Restricted groups" management for computer objects in the domain.
  I thouhgt about using System based policies and creating different WMI filters to target sets of AD Computer objects, but came to the conclusion this would not help due to the limited of WMI quries I would be able to create for a standard
  Image.
  So I then thought about group policy preferences and came up with the solution
  I created a new Group policy and created a new item for the local group, in this instance but not limited to "Remote Desktop users (built-in)" and added the security group(users).  In my case I did not need to use the "delete
  all member users" or "delete all member groups" as I wanted other groups in this local group for the computer objects to remain intact.
  Then what I did is set the "item-level-target" setting from "the common tab" on the GPP and set it to the security group which containd the AD computer objects the user accounts required access to.  I then did a couple of standard
  tests to confirm the local security group(users) appeared only on the machine in the item level target security group and applied to no other machines in the outside of SOM. 
  So with this in place, if I needed to create any other entries for different groups and access to specific machines all I need to do is create a new GPP item within this policy.
  Being mindful that system policies settings if applied to same OU will take preceedence over GPP settings.... 
  Thought I would just share this in-case anyone else has had similar requests/thoughts and or has other methods that they have used that they would like to share. 
  I am not sure either on the limit of entries that GPP have either so if anyone does know please post and possible links? 
  I have struggled to find an answer, however it could be that I am not asking the right question!

  good sharing...
  Best,
  Howtodo

• Group Policy Preferences Shortcut issues ( event ID 1085 )

  I am hoping someone will be able to help me with a problem that is causing our users a headache
  We have a Windows 2008 SP2 terminal server farm ( 1 gateway, 2 Terminal servers TS1 and TS2 ), we also use Group Policy Preferences to deliver app shortcuts to different AD user groups.
  TS1 and TS2 were built from the same image.  On TS1 users logon and get all the icons they are entitled to, on TS2 it is random to whether they get their shortcuts or not.   
  Both TS are rebooted daily and I have scripted removing any local profiles incase it was something left behind.
  Checking the event Logs on TS2 I see several errors that appear to relate to Group Policy and correspond to when users have connected in.
  any help with this issue would be appreciated.
  Here is the information from the System log:
  Log Name:      System
  Source:        Microsoft-Windows-GroupPolicy
  Date:          05/12/2014 15:32:26
  Event ID:      1085
  Task Category: None
  Level:         Warning
  Keywords:      
  User:          Username
  Computer:      TerminalServer
  Description:
  Windows failed to apply the Group Policy Shortcuts settings. Group Policy Shortcuts settings might have its own log file. Please click on the "More information" link.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
   <EventID>1085</EventID>
      <Version>0</Version>
      <Level>3</Level>
      <Task>0</Task>
      <Opcode>1</Opcode>
      <Keywords>0x8000000000000000</Keywords>
      <TimeCreated SystemTime="2014-12-05T15:32:26.450Z" />
      <EventRecordID>478778</EventRecordID>
      <Correlation ActivityID="{CCB45268-E6F8-4127-97C8-A8544829F2DE}" />
      <Execution ProcessID="344" ThreadID="11212" />
      <Channel>System</Channel>
      <Computer>TerminalServer</Computer>
      <Security UserID="S-1-5-21" />
    </System>
    <EventData>
      <Data Name="SupportInfo1">1</Data>
      <Data Name="SupportInfo2">3892</Data>
      <Data Name="ProcessingMode">1</Data>
      <Data Name="ProcessingTimeInMilliseconds">6047</Data>
      <Data Name="ErrorCode">2147942413</Data>
      <Data Name="ErrorDescription">The data is invalid. </Data>
      <Data Name="DCName”>\\OurDomain</Data>
      <Data Name="ExtensionName">Group Policy Shortcuts</Data>
      <Data Name="ExtensionId">{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7}</Data>
    </EventData>
  </Event>

  >      <Data Name="ErrorDescription">The data is invalid. </Data>
  Delete the history XML.
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Group policy preference for creating printers setting the wrong printer as default

  Hi
  We have a a group policy preference applied to users.  At the moment we create a shared printer and set it as default for all users in a specific OU.  Now we need to add another shared printer.  I have updated the policy and set it to create
  the new shared printer and have set item level targeting to the same OU as the first printer.  I want to keep the existing printer as the default, however when the policy runs, the new printer is created fine but it is set as the default
  printer.  Is this because it has been added last ?  There doesn't seem to be a way of changing the order that the printers are applied.
  Both printers are Shared printers and are set to Create
  The existing printer (printer A) is set as the default printer.  It is targeted at the London OU.
  The new printer (printer B) has NOT been set as default.  It is targeted at the London OU.
  No other options have been set.
  When the policy is applied both printers are added but printer B is being set as the default.
  Any help would be appreciated.
  Thanks
  G

  Hi G,
  >>however when the policy runs, the new printer is created fine but it is set as the default printer.  Is this because it has been added last ?  There doesn't seem to be a way of changing the order that the printers are applied.
  Before going further, what's the operating systems of our clients? Here, I need to double confirm that the checkbox of
  Set this printer as the default printer... is not selected in the new GPP Printer item. Besides, we can change the orders of the printer items. To do this, select the printer item, right click, click All Tasks, and choose Move Up or Move
  Down to change the order.
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]