Group Policy preventing users from accessing DNS

Hello
I have a problem with DNS in Windows 2008 R2. There is a policy preventing DNS from resolving names to IPs: I can ping any computer by IP but I cannot ping it by name, although when I use "nslookup" on cmd the computer can see the DNS server. Another problem: I
can join a computer to the domain, but when I want to add a domain user to the local Administrators group the computer cannot see the domain, and the user shows as S-1-5-21... if I could add the user at all. I don't know which policy it is or how to delete it.

Thanks a lot for your reply.
But when any computer is in a workgroup I can ping any computer on the domain using host name and IP. When I joined the computer to the domain I can ping computers by IP, but when I ping them using host name I get this message:
"Ping request could not find host ............. Please check the name and try again"
Thanks
some thoughts...
check: System Properties > Computer Name > Change > More >
Primary DNS Suffix of this computer
Change primary DNS suffix when domain membership changes
http://technet.microsoft.com/en-us/library/cc794784(v=ws.10).aspx
also
http://gpsearch.azurewebsites.net/Default.aspx?PolicyID=203
Don

Similar Messages

  • Configuring group policy for user profiles in Windows Server 2012 R2 Domain

    Requesting some expert advice on configuring group policy for user profiles.
    We will be building new Windows Server 2012 R2 Domain Controllers (domain of 400 users).
    The settings I am concerned with:
    1. Folder Redirection: Desktop, Documents, Favorites.
    2. Quota for Folder Redirection - 1 GB per user.
    3. Map a networked drive - 1 GB per user.
    4. Roaming profile - (Will ignore if it does not suit our requirement). 
    The question is how the Outlook profile will be retained / automatically moved if the users move from one computer to another?
    FYI, e-mails are hosted on MS Office 365 and the OST file size of a few users is more than 25GB. So, in case a user moves from one computer to another, the entire mailbox will be downloaded via the internet. This consumes high bandwidth if more than 3-4 users shift per day.
    Thanks a lot for your valuable time and efforts.

    Hi,
    >>The question is how the Outlook profile will be retained / automatically moved if the users move from one computer to another?
    This depends on where our Outlook data files are stored. If these data files are stored under drive:\Users\<username>\AppData\Local, then these files can't be redirected, because Folder Redirection can't redirect AppData\Local or LocalLow.
    However, regarding your question, we can refer to the following thread to find the solution.
    Roam outlook profiles without roaming profiles
    http://social.technet.microsoft.com/Forums/office/en-US/3908b8e0-8f44-4a34-8eb5-5a024df3463e/roam-outlook-profiles-without-roaming-profiles
    In addition, regarding how to configure folder redirection, the following article can be referred to for more information.
    Configuring Folder Redirection
    http://technet.microsoft.com/library/cc786749.aspx
    Hope it helps.
    Best regards,
    Frank Shen

  • Event ID 1085 on DC - Failed to Apply the Group Policy Local Users and Groups Settings

    I have a domain with 2 DCs.  The primary DC is running Server 2012 and is raising Event ID 1085 every 10 minutes and 20 seconds.
    Windows failed to apply the Group Policy Local Users and Groups settings. Group Policy Local Users and Groups settings might have its own log file. Please click on the "More information" link.
    System
    - Provider
    [ Name] Microsoft-Windows-GroupPolicy
    [ Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
    EventID 1085
    Version 0
    Level 3
    Task 0
    Opcode 1
    Keywords 0x8000000000000000
    - TimeCreated
    [ SystemTime] 2014-10-20T20:09:03.706992400Z
    EventRecordID 130087
    - Correlation
    [ ActivityID] {FDDFB8C5-9ECF-41B9-B2B4-3AD0B345A37A}
    - Execution
    [ ProcessID] 1000
    [ ThreadID] 3280
    Channel System
    Computer SERVER.DOMAIN.NAME
    - Security
    [ UserID] S-1-5-18
    - EventData
    SupportInfo1 1
    SupportInfo2 4404
    ProcessingMode 0
    ProcessingTimeInMilliseconds 10343
    ErrorCode 183
    ErrorDescription Cannot create a file when that file already exists.
    DCName \\SERVER.DOMAIN.name
    ExtensionName Group Policy Local Users and Groups
    ExtensionId {17D89FEC-5C44-4972-B12D-241CAEF74509}
    Everything I look up for Event ID 1085 seems to be about a different cause.
    Any ideas?

    I enabled tracing on a domain GPO and I still get the error when running gpupdate /force.
    I'm also still getting Event 1085. Here's the trace file. I've anonymized the site/domain and the GUIDs.
    2014-10-21 11:16:54.003 [pid=0x3e8,tid=0xcd0] Entering ProcessGroupPolicyExLocUsAndGroups()
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] SOFTWARE\Policies\Microsoft\Windows\Group Policy\{GUID-1}
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] BackgroundPriorityLevel ( 0 )
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] DisableRSoP ( 0 )
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] LogLevel ( 2 )
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] Command subsystem initialized. [SUCCEEDED(S_FALSE)]
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] Background priority set to 0 (Idle).
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ----- Parameters
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] CSE GUID : {GUID-1}
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] Flags : ( X ) GPO_INFO_FLAG_MACHINE - Apply machine policy rather than user policy
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( X ) GPO_INFO_FLAG_BACKGROUND - Background refresh of policy (ok to do slow stuff)
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_SLOWLINK - Policy is being applied across a slow link
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_VERBOSE - Verbose output to the eventlog
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_NOCHANGES - No changes were detected to the Group Policy Objects
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_LINKTRANSITION - A change in link speed was detected between previous policy application and current policy application
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_LOGRSOP_TRANSITION - A change in RSoP logging was detected between the application of the previous policy and the application of the current policy.
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( X ) GPO_INFO_FLAG_FORCED_REFRESH - Forced Refresh is being applied. redo policies.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_SAFEMODE_BOOT - windows safe mode boot flag
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_ASYNC_FOREGROUND - Asynchronous foreground refresh of policy
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Token (computer or user SID): S-1-5-18
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Abort Flag : Yes (0x313be090)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] HKey Root : Yes (0x80000002)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Deleted GPO List : No
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Changed GPO List : Yes
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Asynchronous Processing : Yes
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Status Callback : No (0x00000000)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] WMI namespace : Yes (0x32273740)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] RSoP Status : Yes (0x320cc7f4)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Planning Mode Site : (none)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Computer Target : No (0x00000000)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] User Target : No (0x00000000)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Calculated list relevance. [SUCCEEDED(S_FALSE)]
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ----- Changed - 0
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Options : ( ) GPO_FLAG_DISABLE - This GPO is disabled.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPO_FLAG_FORCE - Do not override the settings in this GPO with settings in a subsequent GPO.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Options (raw) : 0x00000000
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Version : 19267878 (0x01260126)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPC : LDAP://CN=Machine,CN={GUID-2},CN=Policies,CN=System,DC=SITE,DC=DOMAIN
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPT : \\SITE.DOMAIN\sysvol\SITE.DOMAIN\Policies\{GUID-2}\Machine
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPO Display Name : Default Domain Policy
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPO Name : {GUID-2}
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPO Link : ( ) GPLinkUnknown - No link information is available.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPLinkMachine - The GPO is linked to a computer (local or remote).
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPLinkSite - The GPO is linked to a site.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( X ) GPLinkDomain - The GPO is linked to a domain.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPLinkOrganizationalUnit - The GPO is linked to an organizational unit.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GP Link Error
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] lParam : 0x00000000
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Prev GPO : No
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Next GPO : Yes
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Extensions : [{00000000-0000-0000-0000-000000000000}{GUID-3}][{GUID-1}{GUID-3}][{GUID-4}{GUID-5}{GUID-6}{GUID-7}{GUID-8}][{GUID-9}{GUID-10}][{GUID-11}{GUID-5}{GUID-6}]
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] lParam2 : 0x3146f978
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Link : LDAP://DC=SITE,DC=DOMAIN
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Purge GPH : C:\ProgramData\Microsoft\Group Policy\History\{GUID-2}\Machine\Preferences\Groups\Groups.xml
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Read GPE XML data file (592 bytes total).
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ----- Changed - 1
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Options : ( ) GPO_FLAG_DISABLE - This GPO is disabled.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GPO_FLAG_FORCE - Do not override the settings in this GPO with settings in a subsequent GPO.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Options (raw) : 0x00000000
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Version : 1245203 (0x00130013)
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPC : LDAP://CN=Machine,CN={GUID-12},CN=Policies,CN=System,DC=SITE,DC=DOMAIN
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPT : \\SITE.DOMAIN\sysvol\SITE.DOMAIN\Policies\{GUID-12}\Machine
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPO Display Name : Default Domain Controllers Policy
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPO Name : {GUID-12}
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPO Link : ( ) GPLinkUnknown - No link information is available.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GPLinkMachine - The GPO is linked to a computer (local or remote).
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GPLinkSite - The GPO is linked to a site.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GPLinkDomain - The GPO is linked to a domain.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( X ) GPLinkOrganizationalUnit - The GPO is linked to an organizational unit.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GP Link Error
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] lParam : 0x00000000
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Prev GPO : Yes
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Next GPO : No
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Extensions : [{00000000-0000-0000-0000-000000000000}{GUID-3}][{GUID-1}{GUID-3}][{GUID-9}{GUID-10}]
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] lParam2 : 0x324e8198
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Link : LDAP://OU=Domain Controllers,DC=SITE,DC=DOMAIN
    2014-10-21 11:16:54.127 [pid=0x3e8,tid=0xcd0] Purge GPH : C:\ProgramData\Microsoft\Group Policy\History\{GUID-12}\Machine\Preferences\Groups\Groups.xml
    2014-10-21 11:16:54.127 [pid=0x3e8,tid=0xcd0] Read GPE XML data file (592 bytes total).
    2014-10-21 11:16:54.143 [pid=0x3e8,tid=0xcd0] Completed get next GPO. [SUCCEEDED(S_FALSE)]
    2014-10-21 11:16:54.143 [pid=0x3e8,tid=0xcd0] WQL : SELECT * FROM RSOP_PolmkrSetting WHERE polmkrBaseCseGuid = "{GUID-1}"
    2014-10-21 11:16:54.143 [pid=0x3e8,tid=0xcd0] Purged 2 old RSoP entries.
    2014-10-21 11:16:54.143 [pid=0x3e8,tid=0xcd0] Logging 2 new RSoP entries.
    2014-10-21 11:16:54.159 [pid=0x3e8,tid=0xcd0] RSoP Entry 0
    2014-10-21 11:16:54.174 [pid=0x3e8,tid=0xcd0] RSoP Entry 1
    2014-10-21 11:16:54.174 [pid=0x3e8,tid=0xcd0] Completed get GPO list. [SUCCEEDED(S_FALSE)]
    2014-10-21 11:16:54.174 [pid=0x3e8,tid=0xcd0] IsRsopPlanningMode() [SUCCEEDED(S_FALSE)]
    2014-10-21 11:17:04.252 [pid=0x3e8,tid=0xcd0] Completed settings update (csePostProcess). [ hr = 0x800700b7 "Cannot create a file when that file already exists." ]
    2014-10-21 11:17:04.252 [pid=0x3e8,tid=0xcd0] Completed CSE post-processing. [ hr = 0x800700b7 "Cannot create a file when that file already exists." ]
    2014-10-21 11:17:04.267 [pid=0x3e8,tid=0xcd0] Leaving ProcessGroupPolicyExLocUsAndGroups() returned 0x000000b7
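To make a trace like the one above easier to triage, here is an added Python helper (example code written for this thread, not the poster's or Microsoft's) that parses the GPP trace format shown, lists which GPO delivered which Preferences XML file to the Local Users and Groups extension, and decodes the reported HRESULT to its Win32 error code. The embedded trace excerpt is constructed from the lines posted above, with the same anonymised GUIDs and site names.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt of the trace posted above (GUIDs and site anonymised as in the post).
SAMPLE_TRACE = """\
2014-10-21 11:16:54.003 [pid=0x3e8,tid=0xcd0] Entering ProcessGroupPolicyExLocUsAndGroups()
2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ----- Changed - 0
2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPO Display Name : Default Domain Policy
2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPO Name : {GUID-2}
2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Link : LDAP://DC=SITE,DC=DOMAIN
2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Purge GPH : C:\\ProgramData\\Microsoft\\Group Policy\\History\\{GUID-2}\\Machine\\Preferences\\Groups\\Groups.xml
2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ----- Changed - 1
2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPO Display Name : Default Domain Controllers Policy
2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPO Name : {GUID-12}
2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Link : LDAP://OU=Domain Controllers,DC=SITE,DC=DOMAIN
2014-10-21 11:16:54.127 [pid=0x3e8,tid=0xcd0] Purge GPH : C:\\ProgramData\\Microsoft\\Group Policy\\History\\{GUID-12}\\Machine\\Preferences\\Groups\\Groups.xml
2014-10-21 11:17:04.252 [pid=0x3e8,tid=0xcd0] Completed settings update (csePostProcess). [ hr = 0x800700b7 "Cannot create a file when that file already exists." ]
2014-10-21 11:17:04.252 [pid=0x3e8,tid=0xcd0] Completed CSE post-processing. [ hr = 0x800700b7 "Cannot create a file when that file already exists." ]
2014-10-21 11:17:04.267 [pid=0x3e8,tid=0xcd0] Leaving ProcessGroupPolicyExLocUsAndGroups() returned 0x000000b7
"""

# Trace line shape: "<date> <time> [pid=0x..,tid=0x..] <message>"
LINE_RE = re.compile(r"^\S+ \S+ \[pid=0x[0-9a-fA-F]+,tid=0x[0-9a-fA-F]+\] (?P<msg>.*)$")
HR_RE = re.compile(r'\[ hr = (?P<hr>0x[0-9a-fA-F]+) "(?P<text>[^"]*)" \]')
RET_RE = re.compile(r"^Leaving .*returned (?P<code>0x[0-9a-fA-F]+)\s*$")
FACILITY_WIN32 = 7
# Per-GPO header lines: "<prefix><value>" -> GpoEntry attribute
FIELD_PREFIXES = (("GPO Display Name : ", "display_name"), ("GPO Name : ", "gpo_name"),
                  ("Link : ", "link"), ("Purge GPH : ", "xml_file"))


@dataclass
class GpoEntry:
    index: int                 # position in the "Changed" GPO list
    display_name: str = ""
    gpo_name: str = ""         # GPO GUID
    link: str = ""             # LDAP path of the container the GPO is linked to
    xml_file: str = ""         # Preferences XML the extension processed for this GPO


@dataclass
class TraceReport:
    gpos: list = field(default_factory=list)
    hr_events: list = field(default_factory=list)   # (stage, hresult, description)
    return_code: Optional[int] = None


def hresult_to_win32(hr: int) -> Optional[int]:
    """Undo HRESULT_FROM_WIN32: a failure HRESULT with facility 7 carries the
    Win32 error in its low 16 bits (0x800700b7 -> 183, ERROR_ALREADY_EXISTS)."""
    if hr & 0x80000000 and ((hr >> 16) & 0x7FF) == FACILITY_WIN32:
        return hr & 0xFFFF
    return None


def parse_trace(text: str) -> TraceReport:
    report = TraceReport()
    current: Optional[GpoEntry] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # blank or wrapped line, not a trace record
        msg = m.group("msg").strip()
        if msg.startswith("----- Changed - "):
            current = GpoEntry(index=int(msg.rsplit(" ", 1)[1]))
            report.gpos.append(current)
            continue
        if current is not None:
            for prefix, attr in FIELD_PREFIXES:
                if msg.startswith(prefix):
                    setattr(current, attr, msg[len(prefix):].strip())
        hr = HR_RE.search(msg)
        if hr:
            stage = msg.split(" [", 1)[0]
            report.hr_events.append((stage, int(hr.group("hr"), 16), hr.group("text")))
        ret = RET_RE.match(msg)
        if ret:
            report.return_code = int(ret.group("code"), 16)
    return report


def gpos_by_xml_file(report: TraceReport) -> dict:
    """Group GPO display names by the Preferences XML file name they delivered,
    so several GPOs feeding the same extension (here Groups.xml) stand out."""
    grouped: dict = {}
    for entry in report.gpos:
        if entry.xml_file:
            grouped.setdefault(entry.xml_file.rsplit("\\", 1)[-1], []).append(entry.display_name)
    return grouped


def summarize(report: TraceReport) -> list:
    """Triage lines: XML-to-GPO mapping, failing HRESULTs with Win32 code, exit code."""
    lines = [f"{name}: delivered by {len(g)} GPO(s): {', '.join(g)}"
             for name, g in gpos_by_xml_file(report).items()]
    for stage, hr, text in report.hr_events:
        win32 = hresult_to_win32(hr)
        tag = f" (Win32 error {win32})" if win32 is not None else ""
        lines.append(f"{stage} hr=0x{hr:08x}{tag} {text}")
    if report.return_code is not None:
        lines.append(f"extension returned 0x{report.return_code:08x}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_trace(SAMPLE_TRACE))))
```

Run against a real trace, the Groups.xml line shows at a glance how many GPOs carry Local Users and Groups items for the machine, which is the first thing to check when the extension exits with ERROR_ALREADY_EXISTS.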

  • Processing of Group Policy failed - User Policy - Windows 7

    OP:
    http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/191f1ee1-a551-446b-9808-ff66a952bb25
    When running a gpupdate I get the following message:
    Updating Policy...
    User policy could not be updated successfully. The following errors were encountered:
    The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
    Computer Policy update has completed successfully.
    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
    This only happens on one computer under a certain account; other accounts work fine and the problem account works fine on other computers. Therefore the problem is located on the Windows 7 computer.
    I have tracked it down to an LDAP error code 49.
    I tried the MS solution (http://technet.microsoft.com/en-us/library/cc727283(v=ws.10).aspx) but the credentials are sound.
    I can also connect to the DC with LDP.exe fine.
    Here are the diagnostic read outs (GPResult was too long to post):
    Log Name:      System
    Source:        Microsoft-Windows-GroupPolicy
    Date:          2/29/2012 1:56:09 PM
    Event ID:      1006
    Task Category: None
    Level:         Error
    Keywords:     
    User:          Domain\UserAccount
    Computer:      Win7-ComputerA.FQDomain
    Description:
    The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
        <EventID>1006</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>1</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2012-02-29T19:56:09.732842600Z" />
        <EventRecordID>32458</EventRecordID>
        <Correlation ActivityID="{CECE6DDC-E7CC-4563-8109-E62382F645D4}" />
        <Execution ProcessID="984" ThreadID="3688" />
        <Channel>System</Channel>
        <Computer>Win7-ComputerA.FQDomain</Computer>
        <Security UserID="S-1-5-21-416373151-1271962822-2142307910-40105" />
      </System>
      <EventData>
        <Data Name="SupportInfo1">1</Data>
        <Data Name="SupportInfo2">5012</Data>
        <Data Name="ProcessingMode">0</Data>
        <Data Name="ProcessingTimeInMilliseconds">1326</Data>
        <Data Name="ErrorCode">49</Data>
        <Data Name="ErrorDescription">Invalid Credentials</Data>
        <Data Name="DCName">
        </Data>
      </EventData>
    </Event>
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : WIN7-ComputerA
       Primary Dns Suffix  . . . . . . . : FQDomain
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : FQDomain
                                           ParentDomain
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . : FQDomain
       Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
       Physical Address. . . . . . . . . : 00-21-CC-5F-CF-DF
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 216.71.244.28(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Wednesday, February 29, 2012 12:38:25 PM
       Lease Expires . . . . . . . . . . : Thursday, March 01, 2012 12:38:24 PM
       Default Gateway . . . . . . . . . : 216.71.244.1
       DHCP Server . . . . . . . . . . . : 216.71.244.2
       DNS Servers . . . . . . . . . . . : 216.71.244.2
                                           216.71.240.120
                                           216.71.240.132
       Primary WINS Server . . . . . . . : 216.71.244.2
       Secondary WINS Server . . . . . . : 216.71.240.130
                                           216.71.240.122
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Wireless LAN adapter Wireless Network Connection:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) WiFi Link 1000 BGN
       Physical Address. . . . . . . . . : 8C-A9-82-B0-67-E8
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Hi,
    It sounds like a port blocking issue. It seems your client system is connecting to the 216.71.240.x DNS servers as a logon server, and they appear to be on a different subnet as per the subnet mask, so there must be a router or firewall in between, and Active Directory ports might be being blocked.
    So first, for testing purposes, just remove the other 216.71.240.x DNS servers from the TCP/IP configuration, clear the DNS cache with
    ipconfig /flushdns
    and restart the system. Check if it works.
    Or run this command on the DC:
    dcdiag /test:dns
    and share the error report.
    Cheers!
    Sanjay

  • Group Policy Preferences File Copy - Access is Denied on 2003 but not 2008 R2

    Hello,
    I have created a GPO which copies a file from a network share into a new folder under Program Files. This policy works just fine on a Windows 2008 box, but not on 2003. I've used "psexec -i -s cmd.exe" to verify system account permission to the
    share. I am able to successfully browse and copy files from the share as the system account on both boxes.
    However, when the GPO attempts to perform the file copy, it does not work, and generates the following error message:
    Event Type: Warning
    Event Source: Group Policy Files
    Event Category: (2)
    Event ID: 4098
    Date: 8/28/2013
    Time: 3:32:12 PM
    User: NT AUTHORITY\SYSTEM
    Computer: Server01
    Description:
    The computer 'file.txt' preference item in the 'TXT File Copy {9176122B-1A50-4AB8-91D9-6E8553727E18}' Group Policy object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.
    I am trying to avoid writing a login script, so I am hoping someone will be able to help me figure out why this works fine on Windows 2008 but not Windows 2003. Please note file names and paths are modified here for security reasons, but the principle is the same.
    My GPO is:
    Computer Configuration\Preferences\Windows Settings\Files
    File (Target Path: c:\Program Files\path\to\file\file.txt)
    Source file: \\share\path\to\file\file.txt
    Destination File: c:\program files\path\to\file\file.txt
    Action: Update
    Suppress errors on individual file actions: Disabled
    Read-Only: Enabled
    Hidden: Disabled
    Archive: Enabled
    Stop processing items on this extension if an error occurs on this item: No
    Remove this item when it is no longer applied: No
    Apply once and do not reapply: No
    Item-level Targeting: None
    Thanks

    As a user, I am able to browse the share just fine using the alias. It is only when I try to access the share using the system account that I encounter a problem.
    Experiencing the exact same symptoms. In the tests below, server, client1, and client2 are all native instances of Microsoft Windows Server.
    server: windows server 2008 R2 standard SP1
    client1: windows server 2003 standard SP2
    client2: windows server 2008 R2 standard SP1
    registry setting "DisableLoopbackCheck": unconfigured on server; unconfigured on client1; unconfigured on client2
    registry setting "DisableStrictNameChecking": configured as "1" on server; unconfigured on client1; unconfigured on client2
    domain user on client1 attempt to access server by name: success
    domain user on client1 attempt to access server by alias: success
    domain user on client2 attempt to access server by name: success
    domain user on client2 attempt to access server by alias: success
    local system on client1 attempt to access server by name: success
    local system on client1 attempt to access server by alias: failed (system error 5 has occurred. access is denied.)
    local system on client2 attempt to access server by name: success
    local system on client2 attempt to access server by alias: success
    All tests were done using "net view \\target", but similar results were seen when using "dir \\target\share", which the domain user and local system account have access to.
    The differing behavior between client1 and client2 suggests that Server 2003 requires additional configuration to allow its local system account to access an SMB share by alias.
    This problem prevents group policy features (such as software installation) from working from an aliased file server.

  • Group Policy client Service Error - Access is denied

    I am a domain admin working on Windows 7 roaming profiles, testing with a staff user. I am in a domain environment. I have changed the profile path for a user to the folder I created for new Windows 7 roaming profiles, gave it all the permissions noted here and followed these steps at Microsoft's deploying roaming profiles page for Win 7.
    Once I logged in the user, it created their profile.v2 but I still couldn't access it, getting access denied. So I went back and changed the staff roaming profile back to the original profile path. I didn't make any group policy changes, but now she gets "group policy client service failed to logon. access is denied." I have deleted the .v2 profile that Win 7 creates in her old profile path, moved her profile path back to what it was before testing, and retested her XP profile, which does work: she can log in and work. But the Win 7 machines, no matter where she logs in, will not work. They all give the same error about the group policy client service failing. No other users are having this problem.

    Hi,
    Regarding the issue here, have you checked the below thread?
    Group Policy Client Service Failed the logon - Access Denied: Windows 7 Ultimate/Server 2008 R2
    Please take a try with the steps mentioned by Nina Liu.
    QUOTE here:
    At this time, let’s refer to the following steps for troubleshooting:
    1. Open registry editor on the problematic Windows 7 machine (please log in as domain admin)
    2. Highlight HKEY_USERS, choose File -> Load Hive, browse to the location of one failing roaming profile and open NTUSER.DAT file, click open
    3. Under Key Name, enter any name you like, but remember what you have entered, such as enter "test"
    4. Expand, HKEY_USERS, you should see new registry hive called "test" or any name you entered earlier
    5. Right click on that "test" hive and choose permissions. Confirm that the following users have permissions:
    - Administrators: Full Control
    - SYSTEM: Full Control
    - User (or group) that owns this profile: Full Control
    6. If the permissions were wrong, correct them, then click on the Advanced tab, enable "Replace permission entries on all child objects with entries shown here that apply to child objects" and click Apply.
    7. Highlight "test" registry hive, then click on File -> Unload Hive to release handle on NTUSER.DAT file.
    8. Log off and log on with the failing roaming profile you have just modified.
    Any progress, please feel free to contact us.
    Best regards
    Michael Shao
    TechNet Community Support

  • Best Practice: Deploying Group Policy to Users on different OUs

    Greetings, everyone! I need some advice on how to deploy some group policy objects to specific users stored in different OUs.
    Let me set the stage: I work for a large school district, and have recently taken over the district's career center. The idea behind the career center is that students from different high schools around the city come in to take classes based on their choice of career, such as radio broadcasting or auto mechanics. The AD structure is set up so that each school has its own OU. When a user (staff, student, etc.) is assigned to a school OU, they are automatically added to their school's security group (i.e. EASTHIGH-STUDENT), and when any user moves from one school to another, we have to move their AD account to that school's OU, which will remove the security group from the old school and apply the new school security group.
    For the career center, since we have students coming from different buildings every day, rather than trying to find a way to move their AD account from their high school OU to the career center OU, the previous techs created generic accounts (such as tv001,
    tv002, etc.) in AD and stored them in the career center OU.  This way, teachers can assign students that particular generic account so that they can access the drives and printers from the career center, as well as access the career center network
    drives while they are at their home high school.
    Since I have moved to the career center, and apparently I have more knowledge about group policy than most of the techs in the district, the district system engineers want me to remove all of the generic accounts from the career center OU, and have students
    use their own AD accounts.  Obviously I also want to do this since the generic accounts are very confusing to me, but I'm trying to figure out the best way to do this.
    For simplicity's sake, I'm just going to start off by figuring out how to set up a group policy for mapping the career center drives. Now, I obviously know that the best way would be to create security groups for each career area, and that we would need to add students to those groups so that only those particular students would get the GPO for the career center, but my question is where would I link the group policies? Do I need to link them at the root of the domain so that every OU is hit?
    Just curious about this.
    Thanks!

    Don't link it to the root.... apply the drive mapping as a policy at the OU, or you could apply the drive mapping using Group Policy Preferences with security group targeting... I would also strongly recommend you check out my articles
    Best Practice: Active Directory Structure Guidelines – Part 1
    Best Practice: Group Policy Design Guidelines – Part 2
    Hope it helps...

  • GPO to prevent users from accessing the root folder of their profile doesn't work

    Hi,
    Here's the scenario:
    In a Windows 2012 RDS I created two groups called RemoteApp users and remote desktop users.
    These groups are defined in the collection for the corresponding RD Session hosts.
    These groups are not included in any other group, but they are located under an OU called Remote Users.
    In the domain controller I have created a GPO named "Restrict access to root drive" which is linked to the Remote Users OU.
    The GPO I selected is - "Prevent users from adding files to the root of their users files folder"
    This doesn't seem to work. I have waited more than a few hours to allow the 90 minutes update, plus used the gpupdate /force
    but when a user clicks on the RemoteApp (Excel in this example) then access to the C: drive (which is the root folder of the user's profile) is enabled, and the user can create folders and save files under C:.
    I tried to run gpresult for the specific user but the GPO I created wasn't mentioned.
    I thought this would be a straightforward mechanism, but somehow it looks like something is missing.
    I have read about loopback and expanding, but I'm not sure if this is what needs to be done, and if yes, I'd appreciate step-by-step instructions. Everything I found so far was VERY vague.
    Thanks !
    One more detail that may be relevant - the DC is a Windows Server 2012, and the session host is a Windows 2012 R2.

    > These groups are not included in any other group, but they are located
    > under an OU -called  Remote Users.
    >
    > In the domain controller I have created a GPO named "Restrict access to
    > root drive"  which is linked to the Remote Users OU.
    >
    The USER accounts need to be in the OU your GPO is linked to. Despite
    their name, GPOs do NOT apply to groups, but to users (and computers).
    Groups only provide an additional layer of filtering...
    Martin
    Ever read a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Group Policy Printer Error (0x80070005 Access Denied)

    I am trying to deploy two network printers via group policy using Server 2008 R2 SP1. I created the GPO and added the printers from our print server under Computer Configuration so that it will apply to the computers, not just the users. After a computer in the correct OU runs gpupdate, I receive the following error in its Application event log:
    WARNING: GROUP POLICY PRINTERS
    Group Policy object did not apply because it failed with error code 0x80070005 Access is Denied. This error was suppressed.
    Any suggestions or thoughts are appreciated. I have been dealing with this error and trying to figure it out for a while now.

    Hi,
    This issue is mostly caused by incorrect permission settings.
    Please try the troubleshooting steps the following Microsoft TechNet blog provides.
    Group Policies and Access Denied
    http://blogs.technet.com/b/matthewms/archive/2005/10/29/413275.aspx
    Regards,

  • How to disable via Group Policy - "Any user who has a password doesn't need to enter it when waking this PC"

    The setting can be found in the following location:
    From the “Charm” bar, Settings>Change PC Settings>Users>Sign-in Options> click the “Change” button next to “Any user who has a password must enter it when waking this PC”.
    I am looking to disable this option via Group Policy on our domain, but am unable to find a default policy related to this setting.  I am searching Group Policy on a Server 2012 machine, and in local Group Policy in Windows 8, but have found nothing. 
    Hoping I'm just missing the location of this and someone can point me to the right place.
    Regards,
    -BN

    There is no specific policy for this item. Please set “Require a password on wakeup” policy instead.
    Niki Han
    TechNet Community Support
    I'm using Windows Server 2012 R2, and I can't find the above quoted policy, and don't know where else to look. I searched for "Require a password when the computer wakes up", but it took me to the "Define Power Buttons and Turn On
    Password Protection" page of System Settings, but there's NOTHING there except the "When I press the power button".  I really want to stop having to enter a password every time I wake up the monitor screen.
    Capt. Dinosaur

  • Event 4098, Group Policy Local Users and Groups

    Hello,
    A few of our computers on the network are not replacing the local "Administrator (built-in)" account with our administrator account we set up through Group Policy. I receive the following error message from the Application logs. I'm
    not sure if this error is a PC issue instead of a Group Policy issue, because Group Policy seems to be working fine on our other PCs. Any suggestions/ideas would be helpful. Thank you.
    Error message: The computer "Administrators (built-in)" preference item in the "Security Policies {CD8199AF-99A8-41F8-8D28-C92DD9C57A51}" Group Policy object did not apply because it failed with error code '0x80070526 The specified group policy
    already exists.' This error was suppressed.

    Hi,
    It seems that you have configured this security policy already; you can try running the GPupdate /force command and then check if all security policies are applied on your computer:
    Resultant Set of Policy
    http://technet.microsoft.com/en-us/library/cc772175.aspx
    you can use this command to retrieve the specific group policy:
    http://technet.microsoft.com/en-us/library/ee461059.aspx
    Alex Zhao
    TechNet Community Support
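    The answer suggests `gpupdate /force` and an RSoP report. The following added example (not from the thread) automates the triage: it pulls Event 4098 entries from the Application log, resolves the GPO GUID embedded in the message to a display name, then generates the RSoP report. It assumes the GroupPolicy module is available on the client and that the GUID appears in braces as in the quoted message.

```powershell
# Added example (not from the thread): find "Local Users and Groups" preference
# failures (Event 4098), map the GPO GUID in the message to a GPO name, then run RSoP.
Import-Module GroupPolicy

function Get-GppFailure {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 4098 } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The message quotes the GPO as "{GUID}"; capture the GUID and resolve it.
        if ($e.Message -match '\{([0-9A-Fa-f\-]{36})\}') {
            $guid = $matches[1]
            $gpo  = Get-GPO -Guid $guid -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Provider = $e.ProviderName          # e.g. "Group Policy Local Users and Groups"
                Gpo      = if ($gpo) { $gpo.DisplayName } else { "<unresolved $guid>" }
                Error    = ($e.Message -split "`r?`n")[0]
            }
        }
    }
}

Get-GppFailure | Format-Table -AutoSize

# Refresh policy, then write a machine RSoP report to inspect which GPOs and
# preference items actually reached this computer.
gpupdate /force | Out-Null
Get-GPResultantSetOfPolicy -ReportType Html -Path "$env:TEMP\rsop.html"
```

    Comparing the `Gpo` column against the RSoP report shows whether the failing item comes from the GPO you expect or from a second GPO carrying an overlapping Local Users and Groups item.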

  • Group Policy preventing Load - "Loading......"

    We just locked down our lab computers with Group Policy and find that Quicktime won't finish loading. It starts, the splash screen comes up and it says "Loading..." but it doesn't appear to finish. Stays this way indefinitely.
    Has anyone had any experience with this? Can anyone help with which policy might be causing this?
    Thanks

    QuickTime Player preferences
    Other: Show Content Guide automatically
    Remove the check mark.

  • Prevent users from accessing Exchange online from non ActiveSync Device

    I will try and make this question as clear as I can-
    We recently switched from an on-prem Exchange to Exchange online. Previously, the only three ways of accessing our email was VPN, ActiveSync and webmail. However, it now appears that any user can use any device that accepts an Exchange email account and
    start getting their emails. I understand this is the idea of cloud email, but as a HIPAA organization, this presents a serious security risk. My question is this: how can I track how users access email? I know I can limit things based on IP (http://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx),
    but then it would work if they had a VPN connection and we allow certain users to access our servers using their home PC if they use a VPN connection. But now they do not need that. 
    Is there any way to track what devices and users are accessing our hosted Exchange environment, or is this just the nature of hosted email?

    Hi Dkurz8814,
    Using Office 365 / Exchange Online you are able to limit access to the mailbox to OWA and ActiveSync only.
    1. Please logon as an Administrator to the Office365 Admin Center and choose "Users" -> "Active Users".
    2. Now click on your user and view the users properties. Choose more from the menu on the left.
    3. Now choose "Edit Exchange Settings", and choose "Mailbox functions" on the left.
    Now you will find some settings for how your mailbox can be accessed. Disable POP3, IMAP, MAPI, ... to get the desired result. On that page you can also check for connected devices via ActiveSync.
    You may also use the set-casmailbox to do the same
    http://technet.microsoft.com/de-de/library/bb125264(v=exchg.150).aspx in case you need a more automatic tool.
    Please let me know if that answered your question.
    Regards,
    Martin
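    Martin's answer names `Set-CASMailbox` as the scripted route. The block below is an added example, not the thread's own code, showing the protocol restriction applied across all user mailboxes and the device report that answers the original "who is connecting" question. It assumes an already-connected Exchange Online PowerShell session. Be aware that `-MAPIEnabled $false` also blocks desktop Outlook, which matches the "OWA and ActiveSync only" goal stated in the answer.

```powershell
# Added example (not from the thread): limit every user mailbox to OWA + ActiveSync
# and list the mobile devices partnered with each mailbox.
# Assumes an Exchange Online PowerShell session is already established.

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

foreach ($mbx in $mailboxes) {
    # POP3, IMAP and MAPI (desktop Outlook) off; OWA and ActiveSync stay on.
    Set-CASMailbox -Identity $mbx.Identity `
        -PopEnabled $false -ImapEnabled $false -MAPIEnabled $false `
        -OWAEnabled $true -ActiveSyncEnabled $true
}

# Verify the resulting per-mailbox protocol state.
Get-CASMailbox -ResultSize Unlimited |
    Select-Object DisplayName, PopEnabled, ImapEnabled, MAPIEnabled, OWAEnabled, ActiveSyncEnabled |
    Format-Table -AutoSize

# Devices that have synced with each mailbox, with their access state; this is
# the "what devices and users are accessing" view asked for in the question.
foreach ($mbx in $mailboxes) {
    Get-MobileDeviceStatistics -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.DisplayName } },
                      DeviceType, DeviceModel, DeviceOS, LastSuccessSync, DeviceAccessState
}
```

    Run the `Get-CASMailbox` query alone first to record the current state, so the change can be reversed for specific users (for example those who still need Outlook over VPN) by re-enabling MAPI on just their mailboxes.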

  • Group policy preventing write access to hard drive for Windows Service

    I recently stood up several SharePoint Servers which use various domain user accounts as service accounts. Everything was going fine until the servers were moved from the staging OU to the production OU which has a server hardening GPO applied to it. Once
    this occurred, all of SharePoint's logging via the Tracing service broke--because this account doesn't run as Local Service, but rather one of the domain user accounts.
    After examining the Application event log, I saw it filled with errors indicating the E:\Logs\ULS and E:\Logs\Usage were not accessible due to error 0x5 -- access denied.
    I explicitly granted permissions to the service account to these folders, and gave Full Control perms. I then restarted the service, but the Access Denied errors persisted. I granted Full Control to the entire E: drive -- the root folder -- with inheritance,
    and made sure the permissions were inherited. And yet the problem persisted.
    I installed a different application which can log to different drives, and it writes to the E: drive just fine when run as Local System. If I change it to one of the domain service accounts, it too produces Access Denied errors trying to write to the E:
    drive, regardless of the NTFS perms.
    The E: drive is a hard drive, not a USB or removable drive.
    I found several posts here that explain how to disable write access to USB and DVD media, but I cannot find anything how to block writing to a hard drive. The server hardening GPO contains thousands of different settings and it'll take days to comb through
    them all. Does anyone know of a GPO setting that can block writing to a hard drive, regardless of NTFS perms?
    The servers in question are running Windows Server 2012 standard (not R2).
    UPDATE: If I grant the service account the ability to log on locally (i.e. add it to the local Users group), and open a command prompt with "Run as User," I can write to the E: drive just fine. But the access denied persists when running as a service. This leads me to believe a GPO is blocking the write access to a service user but allowing the same account when logging in as an interactive user.

    I created a test Windows service that does nothing more than open two StreamWriter objects -- one to write into E:\Logs\ULS and the other into C:\ProgramData\Logs. The former writes dummy text once per second, while the latter writes errors. So error messages
    will get written into C:\ProgramData\Logs.
    I set up this test Windows Service and set it up to use my SharePoint app pool account, and this was written to the error log - the first line indicates the account being used.
    [8/22/2014 12:01:25 PM] - Error writer is initialized and ready. Execution context svc_SPSvcApp_J
    [8/22/2014 12:01:25 PM] - Directory E:\Logs\ULS does not exist.
    [8/22/2014 12:01:25 PM] - Failed to set up the log writer. Access to the path 'E:\Logs\ULS' is denied.
    System.UnauthorizedAccessException: Access to the path 'E:\Logs\ULS' is denied.
    at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
    at System.IO.Directory.InternalCreateDirectory(String fullPath, String path, Object dirSecurityObj, Boolean checkHost)
    at System.IO.Directory.InternalCreateDirectoryHelper(String path, Boolean checkHost)
    at ServiceLogWriter.Service1.Compose()
    I then tried this with my Farm account. For TEST purposes, I TEMPORARILY put this account in the local Administrators group (I removed it after the test). And
    STILL does not see the E: drive or any folders it contains.
    [8/22/2014 12:05:08 PM] - Error writer is initialized and ready. Execution context svc_SPFarm_J
    [8/22/2014 12:05:08 PM] - Quick test to look for things we KNOW exist on the Server. We know there is an E: drive, and we know there's a folder named E:\Logs\ULS.
    [8/22/2014 12:05:08 PM] - Windows reports E:\ does not exist. This is bad.
    [8/22/2014 12:05:08 PM] - Windows reports E:\Logs does not exist. This is very bad.
    [8/22/2014 12:05:08 PM] - Windows reports E:\Logs\ULS does not exist. In the words of the late Captain Phil Harris, "This is bad. This is bad bad."
    [8/22/2014 12:05:08 PM] - Directory E:\Logs\ULS does not exist (we'll try to create it).
    [8/22/2014 12:05:08 PM] - Failed to set up the log writer. Access to the path 'E:\Logs\ULS' is denied.
    System.UnauthorizedAccessException: Access to the path 'E:\Logs\ULS' is denied.
    at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
    at System.IO.Directory.InternalCreateDirectory(String fullPath, String path, Object dirSecurityObj, Boolean checkHost)
    at System.IO.Directory.InternalCreateDirectoryHelper(String path, Boolean checkHost)
    at ServiceLogWriter.Service1.Compose()
    Next I tried my own ID to run the same service. I'm a Domain Admin so I should have ruler of the roost perms.
    [8/22/2014 12:12:35 PM] - Error writer is initialized and ready. Execution context sawyemat
    [8/22/2014 12:12:35 PM] - Quick test to look for things we KNOW exist on the Server. We know there is an E: drive, and we know there's a folder named E:\Logs\ULS.
    [8/22/2014 12:12:35 PM] - Windows reports E:\ does not exist. This is bad.
    [8/22/2014 12:12:35 PM] - Windows reports E:\Logs does not exist. This is very bad.
    [8/22/2014 12:12:35 PM] - Windows reports E:\Logs\ULS does not exist. In the words of the late Captain Phil Harris, "This is bad. This is bad bad."
    [8/22/2014 12:12:35 PM] - Directory E:\Logs\ULS does not exist (we'll try to create it).
    [8/22/2014 12:12:35 PM] - Failed to set up the log writer. Access to the path 'E:\Logs\ULS' is denied.
    System.UnauthorizedAccessException: Access to the path 'E:\Logs\ULS' is denied.
    at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
    at System.IO.Directory.InternalCreateDirectory(String fullPath, String path, Object dirSecurityObj, Boolean checkHost)
    at System.IO.Directory.InternalCreateDirectoryHelper(String path, Boolean checkHost)
    at ServiceLogWriter.Service1.Compose()
    Mind you I'm starting and stopping the service while logged in interactively -- I can CLEARLY SEE there's an E: drive and E:\Logs\ULS folder!
    It is quite evident to me that there is a policy blocking Windows services from seeing the E: drive.
    Run this under the LocalSystem (SYSTEM) account, and all is well.
    [8/22/2014 12:15:18 PM] - Error writer is initialized and ready. Execution context SYSTEM
    [8/22/2014 12:15:18 PM] - Quick test to look for things we KNOW exist on the Server. We know there is an E: drive, and we know there's a folder named E:\Logs\ULS.
    [8/22/2014 12:15:18 PM] - So far so good - Windows reports E:\ exists.
    [8/22/2014 12:15:18 PM] - Windows reports E:\Logs exists.
    [8/22/2014 12:15:18 PM] - Awesome - Windows reports E:\Logs\ULS exists.
    [8/22/2014 12:15:18 PM] - Log writer is set up successfully.
    [8/22/2014 12:15:25 PM] - Shutdown in progress.

  • Using WMI Filter to apply group policy to users on computers in a security group

    Hello all,
    I've got a bunch of computers that I want to apply some user side policies that affect all users that log on to these specific computers (they are used for exams).
    Unfortunately it is company policy to have a flat OU structure and as such moving these computers into their own OU is out of the question. Which brings me to wanting to create a WMI filter to limit the policy to running on computers only within the security
    group and then set the security filtering to "Authenticated Users". The policy will be linked to the all student computers OU where a few thousand machines sit, but will only apply to 20 or so machines (I know it's messy).
    Anyway that brings me to my question, can someone point me in the right direction for how I would go about creating this WMI query?
    Cheers

    > I've got a bunch of computers that I want to apply some user side
    > policies that affect all users that log on to these specific computers
    > (they are used for exams).
    That's what "Loopback" initially was designed for. Nowadays, we can use
    some other tricks :)
    http://evilgpo.blogspot.de/2012/02/loopback-demystified.html
    http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
    Martin
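    Martin's reply points at loopback processing rather than a WMI query. A WMI filter runs on the client and queries local WMI classes, so it cannot test domain group membership directly; the usual way to scope a GPO to "computers in a security group" is security filtering on the computer group, combined with loopback so the GPO's user settings reach whoever logs on. The block below is an added example, not code from the thread or the linked articles; the GPO name, OU distinguished name and group name are placeholders, and it assumes the GroupPolicy module on a domain-joined admin host.

```powershell
# Added example (not from the thread): user-side lockdown for everyone who logs on to
# a set of computers, without a dedicated OU, using loopback + security filtering.
Import-Module GroupPolicy

$gpoName  = 'Exam Room Lockdown'                        # placeholder GPO name
$targetOu = 'OU=Student Computers,DC=example,DC=com'    # placeholder: the flat OU holding all machines
$compGrp  = 'Exam-Computers'                            # placeholder security group of computer accounts

# Create the GPO and link it to the (large) OU; security filtering narrows it later.
$gpo = New-GPO -Name $gpoName
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null

# Loopback processing: UserPolicyMode 2 = Replace, 1 = Merge. With loopback, the
# user-configuration settings of GPOs that apply to the COMPUTER are used for the session.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Security filtering: drop Authenticated Users to Read only (they still need to read it),
# then grant Apply to the computer group so only its members process the GPO.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $compGrp -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Show the resulting filter so it can be reviewed before adding the actual user settings.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

    Computer group membership is evaluated from the computer's logon token, so a machine added to the group picks the GPO up only after a reboot. The GPO carries no user settings yet; add the lockdown settings to its User Configuration afterwards, and they will apply to any account signing in on an exam machine and to no one elsewhere.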
