Group Policy preventing Load - "Loading......"

We just locked down our lab computers with Group Policy and find that QuickTime won't finish loading. It starts, the splash screen comes up and it says "Loading..." but it doesn't appear to finish. It stays this way indefinitely.
Has anyone had any experience with this? Can anyone help with which policy might be causing this?
Thanks

QuickTime Player preferences
Other: Show Content Guide automatically
Remove the check mark.

Similar Messages

  • Group Policy Prevent users to access DNS

    Hello
    I have a problem with DNS in Windows 2008 R2. There is a policy preventing DNS from resolving names to IPs, and I can ping any computer by IP but I cannot ping it by name, although when I use "nslookup" in cmd the computer can see the DNS server. Another problem: I can join a computer to the domain, but when I want to add a domain user to the local admin group the computer cannot see the domain, and the user shows as S-1-5-21 if I could add the user. I don't know the policy or how to delete it.

    Thanks a lot for your reply.
    But when any computer is in a workgroup I can ping any computer on the domain using host name and IP. When I joined the computer to the domain I can ping computers by IP, but when I ping using the host name I get this message:
    "Ping request could not find host ............. Please check the name and try again"
    Thanks

    Some thoughts...
    check: System Properties > Computer Name > Change > More >
    Primary DNS Suffix of this computer
    Change primary DNS suffix when domain membership changes
    http://technet.microsoft.com/en-us/library/cc794784(v=ws.10).aspx
    also
    http://gpsearch.azurewebsites.net/Default.aspx?PolicyID=203
    Don

  • Group policy preventing write access to hard drive for Windows Service

    I recently stood up several SharePoint Servers which use various domain user accounts as service accounts. Everything was going fine until the servers were moved from the staging OU to the production OU which has a server hardening GPO applied to it. Once this occurred, all of SharePoint's logging via the Tracing service broke--because this account doesn't run as Local Service, but rather one of the domain user accounts.
    After examining the Application event log, I saw it filled with errors indicating the E:\Logs\ULS and E:\Logs\Usage were not accessible due to error 0x5 -- access denied.
    I explicitly granted permissions to the service account to these folders, and gave Full Control perms. I then restarted the service, but the Access Denied errors persisted. I granted Full Control to the entire E: drive -- the root folder -- with inheritance, and made sure the permissions were inherited. And yet the problem persisted.
    I installed a different application which can log to different drives, and it writes to the E: drive just fine when run as Local System. If I change it to one of the domain service accounts, it too produces Access Denied errors trying to write to the E: drive, regardless of the NTFS perms.
    The E: drive is a hard drive, not a USB or removable drive.
    I found several posts here that explain how to disable write access to USB and DVD media, but I cannot find anything how to block writing to a hard drive. The server hardening GPO contains thousands of different settings and it'll take days to comb through them all. Does anyone know of a GPO setting that can block writing to a hard drive, regardless of NTFS perms?
    The servers in question are running Windows Server 2012 standard (not R2).
    UPDATE: If I grant the service account the ability to log on locally (i.e. add it to the local Users group), and open a command prompt with "Run as User," I can write to the E: drive just fine. But the access denied persists when running as a service. This leads me to believe a GPO is blocking the write access to a service user but allowing the same account when logging in as an interactive user.

    I created a test Windows service that does nothing more than open two StreamWriter objects -- one to write into E:\Logs\ULS and the other into C:\ProgramData\Logs. The former writes dummy text once per second, while the latter writes errors. So error messages will get written into C:\ProgramData\Logs.
    I set up this test Windows Service and set it up to use my SharePoint app pool account, and this was written to the error log - the first line indicates the account being used.
    [8/22/2014 12:01:25 PM] - Error writer is initialized and ready. Execution context svc_SPSvcApp_J
    [8/22/2014 12:01:25 PM] - Directory E:\Logs\ULS does not exist.
    [8/22/2014 12:01:25 PM] - Failed to set up the log writer. Access to the path 'E:\Logs\ULS' is denied.
    System.UnauthorizedAccessException: Access to the path 'E:\Logs\ULS' is denied.
    at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
    at System.IO.Directory.InternalCreateDirectory(String fullPath, String path, Object dirSecurityObj, Boolean checkHost)
    at System.IO.Directory.InternalCreateDirectoryHelper(String path, Boolean checkHost)
    at ServiceLogWriter.Service1.Compose()
    I then tried this with my Farm account. For TEST purposes, I TEMPORARILY put this account in the local Administrators group (I removed it after the test). And STILL does not see the E: drive or any folders it contains.
    [8/22/2014 12:05:08 PM] - Error writer is initialized and ready. Execution context svc_SPFarm_J
    [8/22/2014 12:05:08 PM] - Quick test to look for things we KNOW exist on the Server. We know there is an E: drive, and we know there's a folder named E:\Logs\ULS.
    [8/22/2014 12:05:08 PM] - Windows reports E:\ does not exist. This is bad.
    [8/22/2014 12:05:08 PM] - Windows reports E:\Logs does not exist. This is very bad.
    [8/22/2014 12:05:08 PM] - Windows reports E:\Logs\ULS does not exist. In the words of the late Captain Phil Harris, "This is bad. This is bad bad."
    [8/22/2014 12:05:08 PM] - Directory E:\Logs\ULS does not exist (we'll try to create it).
    [8/22/2014 12:05:08 PM] - Failed to set up the log writer. Access to the path 'E:\Logs\ULS' is denied.
    System.UnauthorizedAccessException: Access to the path 'E:\Logs\ULS' is denied.
    at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
    at System.IO.Directory.InternalCreateDirectory(String fullPath, String path, Object dirSecurityObj, Boolean checkHost)
    at System.IO.Directory.InternalCreateDirectoryHelper(String path, Boolean checkHost)
    at ServiceLogWriter.Service1.Compose()
    Next I tried my own ID to run the same service. I'm a Domain Admin so I should have ruler of the roost perms 
    [8/22/2014 12:12:35 PM] - Error writer is initialized and ready. Execution context sawyemat
    [8/22/2014 12:12:35 PM] - Quick test to look for things we KNOW exist on the Server. We know there is an E: drive, and we know there's a folder named E:\Logs\ULS.
    [8/22/2014 12:12:35 PM] - Windows reports E:\ does not exist. This is bad.
    [8/22/2014 12:12:35 PM] - Windows reports E:\Logs does not exist. This is very bad.
    [8/22/2014 12:12:35 PM] - Windows reports E:\Logs\ULS does not exist. In the words of the late Captain Phil Harris, "This is bad. This is bad bad."
    [8/22/2014 12:12:35 PM] - Directory E:\Logs\ULS does not exist (we'll try to create it).
    [8/22/2014 12:12:35 PM] - Failed to set up the log writer. Access to the path 'E:\Logs\ULS' is denied.
    System.UnauthorizedAccessException: Access to the path 'E:\Logs\ULS' is denied.
    at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
    at System.IO.Directory.InternalCreateDirectory(String fullPath, String path, Object dirSecurityObj, Boolean checkHost)
    at System.IO.Directory.InternalCreateDirectoryHelper(String path, Boolean checkHost)
    at ServiceLogWriter.Service1.Compose()
    Mind you I'm starting and stopping the service while logged in interactively -- I can CLEARLY SEE there's an E: drive and E:\Logs\ULS folder!
    It is quite evident to me that there is a policy blocking Windows services from seeing the E: drive.
    Run this under the LocalSystem (SYSTEM) account, and all is well.
    [8/22/2014 12:15:18 PM] - Error writer is initialized and ready. Execution context SYSTEM
    [8/22/2014 12:15:18 PM] - Quick test to look for things we KNOW exist on the Server. We know there is an E: drive, and we know there's a folder named E:\Logs\ULS.
    [8/22/2014 12:15:18 PM] - So far so good - Windows reports E:\ exists.
    [8/22/2014 12:15:18 PM] - Windows reports E:\Logs exists.
    [8/22/2014 12:15:18 PM] - Awesome - Windows reports E:\Logs\ULS exists.
    [8/22/2014 12:15:18 PM] - Log writer is set up successfully.
    [8/22/2014 12:15:25 PM] - Shutdown in progress.

  • Server 2012 R2 Group policy management with older Domain servers

    Hi Guys,
    I need your expert assistance with an issue I'm facing.
    We have a client that has 3 domain controllers. The Primary DC is running Server 2003 R2, another one is running Server 2008, and the last DC is running Server 2008 R2. The forest functional level is Server 2000 & the domain functional level is Server 2003.
    Currently Group policy is processing using a central store across the 3 domain controllers.
    We have installed a new Server 2012 R2 Terminal server and need to apply group policies to the Server to lock it down.
    We have a separate Server 2012 R2 server (say SERVER1) that is also joined to the domain that I have added the group policy management feature to so it can remotely manage group policy.
    It seems to be pulling all the group policy details from the central store so I can't see any of the Server 2012 related settings on SERVER1.
    Are we going about this the correct way? How would we best manage the Server 2012 policies? I was thinking either somehow making the specific TS group policy only load in a local policy or templates somehow.

    If you are using a central policy store, this is the expected (intended) behaviour.
    You will need to update the central store with the latest versions of the adm(x/l) files.
    http://www.microsoft.com/en-us/download/details.aspx?id=36991
    or grab them from a 2012(r2) installation c:\Windows\PolicyDefinitions

  • Prevent Load Balancing in a Remote Desktop Services Deployment

    We need to prevent two Remote Desktop Session Hosts from load balancing between each other. Currently they are load balanced and users don't have a means of ensuring they end up on a particular server. Is there any way that we can accomplish this?
    Cheers

    Hi,
    You can try the group policy below; it might be useful in your case.
    Computer configuration>Administrative Templates>Windows Components>Remote Desktop Services>Remote Desktop Session Host>RD Connection Broker
    Use RD Connection Broker Load Balancing: Disable
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Outlook 2010 - Prevent fallback to Http via Group Policy

    We use OL2010 with Exchange 2010 in a Windows 2008 R2 AD environment.
    We use VDI desktops for remote users, and therefore never want to fall back from tcp to http (Outlook Anywhere).
    Is there a way to configure Group Policy to ensure that:
    (1) All accounts connect without the HTTP option (and with tcp)
    (2) Outlook is prevented from falling back to Http even when the tcp connection is slow or unavailable
    My understanding is that tcp/rpc will be faster than Http since we are only ever talking about LAN connections.
    The situation we want to avoid is the one where Outlook falls back to Http when the Exchange Server is taken down for maintenance, for example, due to Windows updates. This is an issue for us because of the use of VDI desktops which are not guaranteed to be shut down during off-peak hours or during maintenance windows.
    I cannot see any appropriate settings in the Office 2010 GP Administrative Templates
    thanks

    Make sure you have the correct adm:
    http://support.microsoft.com/kb/2426686
    The feature you probably want to disable is the RPC/HTTP Connection Flags and set to None or 0. You'll have to test that out.

  • Installation blocked by group policy designed to prevent CryptoLocker

    We have followed the steps outlined by bleepingcomputer.com to prevent as best we can the CryptoLocker virus.  Link to article: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#prevent
    Please update your Reader installer to not use %AppData%\Local\Temp\.  The CryptoLocker prevention method involves blocking that and the following paths.  I know many businesses using these techniques.

    Block CryptoLocker executable in %AppData%
    Path: %AppData%\*.exe
    Security Level: Disallowed
    Description: Don't allow executables to run from %AppData%.

    Block CryptoLocker executable in %LocalAppData%
    Path if using Windows XP: %UserProfile%\Local Settings\*.exe
    Path if using Windows Vista/7/8: %LocalAppData%\*.exe
    Security Level: Disallowed
    Description: Don't allow executables to run from %AppData%.

    Block Zbot executable in %AppData%
    Path: %AppData%\*\*.exe
    Security Level: Disallowed
    Description: Don't allow executables to run from immediate subfolders of %AppData%.

    Block Zbot executable in %LocalAppData%
    Path if using Windows XP: %UserProfile%\Local Settings\*\*.exe
    Path if using Windows Vista/7/8: %LocalAppData%\*\*.exe
    Security Level: Disallowed
    Description: Don't allow executables to run from immediate subfolders of %AppData%.

    Block executables run from archive attachments opened with WinRAR:
    Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
    Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
    Security Level: Disallowed
    Description: Block executables run from archive attachments opened with WinRAR.

    Block executables run from archive attachments opened with 7zip:
    Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
    Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
    Security Level: Disallowed
    Description: Block executables run from archive attachments opened with 7zip.

    Block executables run from archive attachments opened with WinZip:
    Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
    Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
    Security Level: Disallowed
    Description: Block executables run from archive attachments opened with WinZip.

    Block executables run from archive attachments opened using Windows built-in Zip support:
    Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
    Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
    Security Level: Disallowed
    Description: Block executables run from archive attachments opened using Windows built-in Zip support.

    Hi, I am using a Toshiba personal laptop, Windows 7 Home Premium. No one else uses it, nor have I brought it to any business, other home, etc.
    I have been blocked by group policy for 3 months. I have spent over 200 dollars on ITs to only tell me they have never seen this before, and to buy a new laptop. I have no idea why I am the admin, and only user, yet all I can open is AOL.
    I am at my wits' end, and will go buy another laptop, definitely nothing like this one. I have lost a lot of time and money trying to fix this, late payments etc.
    Thanks for any input
    aimee
    Oh, my ISP is Cox, and I have a router

    Reading this I am able to identify that you are contaminated with malware; it may also have affected your recovery.
    Try recovery to factory fresh and then install Microsoft Security Essentials so that you have 1/2 a chance next time.

  • Use Group Policy to prevent other network connections

    I need to define a Group Policy which says that IF a user is in the company's Domain network that no other connections are available. So if the user is not connected to the Domain network he should be able to connect to any network he wants.
    Are there any possible solutions to this?
    Best regards.

    Hi,
    >>Use Group Policy to prevent other network connections
    As far as I know, group policy can’t help us do this. However, when a user is in the company and there is just domain network, he or she may not be able to connect to other network.
    Best regards,
    Frank Shen

  • Prevent OL2010 PST creation through group policy; need menu number or policy ID

    Greetings all and thanks in advance,
    In a similar fashion as found here: http://social.technet.microsoft.com/Forums/pl-PL/outlook/thread/76081525-71d8-459e-a0cf-39d80a4c6cc7, I need to block the creation of Outlook Data files through this path: File > Account Settings > Data Files (tab) > ADD
    What is the menu number or policy ID of this item so I use it to disable from Group Policy?
    Thanks,
    Willis

    I cannot find the specified command bar ID in the following link:
    http://support.microsoft.com/kb/173604
    However, we may prevent users from adding PSTs to Outlook profiles via GPO. The location is "gpedit.msc | Computer Configuration | User Configuration | Administrative Templates | Microsoft Outlook 2010 | Miscellaneous | PST Settings | prevent users from adding PSTs to Outlook profiles..."
    Thanks.
    Tony Chen
    TechNet Community Support

  • Preventing Domain Group Policy from being applied

    How can a user prevent the domain group policy from being applied to his machine? And How can I stop users from doing that?

    Hi,
    No, group policy is processed by order, that is, local GPO is processed first, and then domain policy is processed by order, which would overwrite settings in the earlier GPOs if there is a conflict.
    If you don’t want to apply the domain policy, apply a higher precedence policy or disjoin the domain.
    Group Policy processing and precedence
    http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx
    Alex Zhao
    TechNet Community Support

  • Group Policy to clear down MRU lists and to clear or to prevent user login details for programs such as Remote Desktop from being recorded

    Hi there,
    Please can anyone instruct me on how to set up Group Policy to clear down MRU lists and to clear or to prevent user login details for programs such as Remote Desktop from being recorded. Your help would be much appreciated.
    Kind regards,
    RocknRollTim
    P.S. I was redirected by a forum user off the Microsoft Community forum.

    Hi RocknRollTim,
    Agree with Jason. Using a script will be a better option.
    Just in addition, for history of RDP Connections, please open Registry Editor and follow the path:
    HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default. Please check whether you find MRU registry items where the name (or the IP address) of the terminal server is kept.
    Please also follow the path: HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers. It contains the list of all RDC (remote desktop client) connections that have ever been established from this computer.
    When you expand the Server folder and select a node, you will see the UsernameHint key that shows the name of the user connected by RDP.
    Please back up registry items to avoid unexpected issues before any operation.
    If there is any update, please feel free to let us know.
    Hope this helps.
    Best regards,
    Justin Gu
    Thank you for responding back Justin Gu and I agree with both you and Jason Miller that a script can easily achieve this task. Thank you all for your help.
    Many thanks,
    RocknRollTim
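
A script of the kind the replies above recommend, as an added example that is not part of the original thread: it backs up and then clears the two registry locations named in the reply, and is meant to run as the affected user (for instance as a logoff script). The `-BackupDir` parameter and its default location are assumptions of this example.

```powershell
#Requires -Version 3.0
# Added example (not from the thread): clear the Remote Desktop client history
# stored under the two HKCU paths quoted in the reply above.
# It removes what has already been recorded; it does not stop the client
# from recording new entries on the next connection.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: where the .reg backup is written before anything is deleted.
    [string]$BackupDir = (Join-Path $env:TEMP 'rdp-mru-backup')
)

$regRoot = 'HKCU\Software\Microsoft\Terminal Server Client'   # reg.exe syntax
$root    = "HKCU:\Software\Microsoft\Terminal Server Client"  # provider syntax
$default = Join-Path $root 'Default'
$servers = Join-Path $root 'Servers'

if (-not (Test-Path -Path $root)) {
    Write-Verbose 'No Terminal Server Client key for this user; nothing to clear.'
    return
}

# Back up first, as the reply advises. Skipped under -WhatIf.
if ($PSCmdlet.ShouldProcess($regRoot, "Export backup to $BackupDir")) {
    if (-not (Test-Path -Path $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    $stamp  = '{0:yyyyMMdd-HHmmss}' -f (Get-Date)
    $backup = Join-Path $BackupDir "TerminalServerClient-$stamp.reg"
    & reg.exe export $regRoot $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup of '$regRoot' failed (reg.exe exit code $LASTEXITCODE); nothing was deleted."
    }
    Write-Verbose "Backup written to $backup"
}

# 1) Default: the MRU values holding recently used server names or IP addresses.
if (Test-Path -Path $default) {
    $key = Get-Item -Path $default
    foreach ($name in ($key.GetValueNames() | Where-Object { $_ -like 'MRU*' })) {
        if ($PSCmdlet.ShouldProcess("$default\$name", 'Remove value')) {
            Remove-ItemProperty -Path $default -Name $name
        }
    }
}

# 2) Servers: one subkey per server ever connected to, each with a UsernameHint.
if (Test-Path -Path $servers) {
    foreach ($sub in (Get-ChildItem -Path $servers)) {
        $hint = $sub.GetValue('UsernameHint')
        Write-Verbose ("Removing {0} (UsernameHint: {1})" -f $sub.PSChildName, $hint)
        if ($PSCmdlet.ShouldProcess($sub.PSPath, 'Remove key')) {
            Remove-Item -Path $sub.PSPath -Recurse -Force
        }
    }
}
```

Run it with `-WhatIf -Verbose` first to list what would be removed without changing the registry.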

  • Having problem with svchost.exe/ntdll.dll errors causing GPSVC (Group Policy Client) to crash preventing users from logging into the server.

    Recently (within the past 2 weeks) I have noticed a few of our servers will have problems with the svchost.exe application causing the GPSVC (Group Policy Client) to crash. The only fix at that point is to reboot the server since the GPSVC service is tied to svchost.exe and therefore is protected from being manually restarted.
    I noticed the following errors when this occurs:
    Log Name:      Application
    Source:        Application Error
    Date:          7/23/2013 4:35:26 AM
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Server1.xxx.xxx.net
    Description:
    Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
    Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
    Exception code: 0xc0000024
    Fault offset: 0x00000000000cd7d8
    Faulting process id: 0x46c
    Faulting application start time: 0x01ce877f9476ac07
    Faulting application path: C:\Windows\system32\svchost.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report Id: d252d26d-f372-11e2-8ad4-005056ac00e8
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-07-23T08:35:26.000000000Z" />
        <EventRecordID>158950</EventRecordID>
        <Channel>Application</Channel>
        <Computer>AAW19XM2.agency.nwie.net</Computer>
        <Security />
      </System>
      <EventData>
        <Data>svchost.exe</Data>
        <Data>6.1.7600.16385</Data>
        <Data>4a5bc3c1</Data>
        <Data>ntdll.dll</Data>
        <Data>6.1.7601.17725</Data>
        <Data>4ec4aa8e</Data>
        <Data>c0000024</Data>
        <Data>00000000000cd7d8</Data>
        <Data>46c</Data>
        <Data>01ce877f9476ac07</Data>
        <Data>C:\Windows\system32\svchost.exe</Data>
        <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
        <Data>d252d26d-f372-11e2-8ad4-005056ac00e8</Data>
      </EventData>
    </Event>
    All of our servers are running Server 2008 R2 Enterprise where we use Citrix to deliver desktop sessions to our users, but some are virtual and some are physical. This seemingly impacts our virtual machines more, and our VMs are hosted through VMWare, however, about 5 months ago a similar error fired on a non-virtual machine:
    Log Name:      Application
    Source:        Application Error
    Date:          2/27/2013 6:57:58 AM
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      AAW29033
    Description:
    Faulting application name: svchost.exe_gpsvc, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
    Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
    Exception code: 0xc0000024
    Fault offset: 0x00000000000cd7d8
    Faulting process id: 0x6c0
    Faulting application start time: 0x01ce14e1af313fd9
    Faulting application path: C:\Windows\system32\svchost.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report Id: ed3d01c4-80d4-11e2-9128-b499baa9e5e8
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2013-02-27T11:57:58.000000000Z" />
        <EventRecordID>286291</EventRecordID>
        <Channel>Application</Channel>
        <Computer>AAW29033</Computer>
        <Security />
      </System>
      <EventData>
        <Data>svchost.exe_gpsvc</Data>
        <Data>6.1.7600.16385</Data>
        <Data>4a5bc3c1</Data>
        <Data>ntdll.dll</Data>
        <Data>6.1.7601.17725</Data>
        <Data>4ec4aa8e</Data>
        <Data>c0000024</Data>
        <Data>00000000000cd7d8</Data>
        <Data>6c0</Data>
        <Data>01ce14e1af313fd9</Data>
        <Data>C:\Windows\system32\svchost.exe</Data>
        <Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
        <Data>ed3d01c4-80d4-11e2-9128-b499baa9e5e8</Data>
      </EventData>
    </Event>
    I've searched and cannot seem to find any information as to what may be causing this, or even really where to start. Would someone be able to help me identify what might be causing this event, specific with the Exception code: 0xc0000024, which causes the Group Policy Client service to stop?

    You still out there looking at things? If so I have an update. The issue hasn't stopped, even though it did seemingly die down for awhile, however, it is now back with a vengeance.
    I am able to force it to happen by killing the svchost process that is hosting GPSVC. If I run gpupdate /force, then logout/login it does get GPSVC running again. Furthermore, if I simply start svchost again via the Task Manager GPSVC starts running again.
    When I access the server remotely with KVM it acts just like it does as if I'm logging into it via Citrix/RDP which for Admin IDs gives an error saying "Failed to connect to a windows service. Windows could not connect to the Group Policy Client service...",
    however, normal user accounts just get a message when logging into the server "The Group Policy Client Service Failed the Logon. Access is denied."
    I haven't opened a case with Microsoft yet, but we are about ready to because of the increase in these errors.
    If you have any further suggestions that would be great, otherwise I'll provide an update once I get word back from Microsoft.
    **EDIT -- apparently I mistook the server's SCM's actions as my own. I was able to successfully crash the GPSVC service by killing the hosting svchost process, however, after I crashed it and let it sit crashed for a while, when I attempted to restart either by starting a svchost task, or running gpupdate /force, it failed. Either that, or there is a timing issue where if we don't restart the svchost process, or run gpupdate /force quickly enough it won't be able to recover without a reboot.

  • Can I prevent a user from Deleting the Group Policy deployed power plan?

    I have Power Manager version 3.20 installed and am using the Group Policy template to deploy a customized power plan.  I do not want my users to have the ability to delete this custom plan, but I cannot find the option in the Group Policy to change the setting that would grey-out the Delete button in Power Manager.
    I have located the registry value that changes the function of Power Manager, it is: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Lenovo\PWRMGRV\PowerSchemes\42617646-BC99-48E2-B3AF-C562C25F4098\ProhibitModification.  If the value is 0, then the delete button is available.  If the value is 5, then the delete button is greyed-out.
    The problem is that the Power Plan ID number (the 42617646-BC99... part in the reg key above) changes from computer to computer.  That ID string seems to be tied somehow to the specific computer.  So, I cannot just create a Group Policy Preference to change that value in the registry, because that value is always going to have a different name.
    The computers are all ThinkPad T400 model and are running Windows 7 Enterprise 64-bit.
    Can anyone suggest a different method to change this setting?  If not, is there any chance that the Power Manager application can be upgraded to include this control?
    Thank you!

    welcome to the forum!
    to add to what gan said, page 6 of the power manager deployment guide covers this policy over active directory.
    http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=TVAN-ADMIN#pmat
    http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-70419
    ThinkStation C20
    ThinkPad X1C · X220 · X60T · s30 · 600

  • Is it possible to set Group Policy to prevent users manually changing Power Options?

    Hello,
    We use Dell laptops and there is a very well known issue that certain models freeze when they are docked.
    I have adjusted the power settings under high performance plan, and updated this in the group policy, which I have tested and is all fine.
    Basically, on the laptops now, the users can still change it from the GPO plan to balanced or power saver if they want to.
    Is there a way of setting group policy so the other power options are greyed out or cannot be used?
    Thanks!

    Hi!
    If the user is a local administrator on the client they will be able to change the plans. (The changes will be reverted when logging off, though.)
    But if they are standard users, it should be grayed out already.
    Check this link for more information, if there is a step that you might have missed when configuring the GPO. (Three pages/Parts)
    http://blogs.technet.com/b/askds/archive/2008/03/21/managing-power-with-group-policy-part-3-of-3.aspx
    Best regards
    Andreas Molin
    Andreas Molin | Site: www.guidestomicrosoft.com | Twitter: andreas_molin

  • Group Policy Guru? Group Policy and Windows 7 erratic and inconsistent.

    (*If you don't feel like reading everything, skip to the bottom two paragraphs for my questions)
    I've had a premier call open with MS since August. This week I had a Microsoft Technician in-house.  Though we eliminated some possibilities, we're not really closer to a cause or solution.
    Every time we work with an expert, I get a different explanation to describe the situation we are viewing.
    Quick summary of the issue: We've been using Group Policy to manage most Windows XP and 7 settings for years, but starting the middle of last year, we began having clients with machines where some or all group policies would fail to apply. These could be long assigned policies, new policies, or changes to policies. It would never affect everyone or even a majority at once, and the resolution is never the same. Sometimes a GPUPDATE /FORCE, sometimes fixed automajically the next day, sometimes (but very rarely) longer.
    Troubleshooting History:
    What we found in early troubleshooting, that these machines, had errors in Event Viewer for Netlogon, Time-Sync, and Group Policy. The other issue we noticed, was that our GPRESULT /H reports were missing security groups and the denied section was nothing but SSID's. The first issue pointed me to:
    Event ID 5719 and event ID 1129 may be logged when a non-Microsoft DHCP Relay Agent is used
    I installed these Hot Fixes.  No change to any of the errors in event viewer, or to our Group Policy problems.
    Initial work with Premier Support found that Netlogon, Time-Sync, and Group Policy, were failing before loading of the network stack. The suggestion was to apply the group policy setting "Always wait for the network at computer startup and logon". At the time, this seemed not to work. The policy was set on a test bed of laptops and desktops, and no changes in behavior were seen after 3 days.
    Windows 7 Clients intermittently fail to apply group policy at startup
    For some time after this, we were collecting GPSVC and NetTrace logs for Premier Support, trying to document and troubleshoot the problem.  Eventually we got fed up and asked our TAM to call in a pro to get this resolved.  We were sent an engineer
    for 3 days.  For three days we banged away on this issue.  We verified AD and replication health, we tried numerous fixes and workarounds.  I learned 3 different descriptions of how Group Policy works, and in the end we thought we had a workaround
    using the "Always wait for the network at computer startup and logon" because of a single success late in the day.  On day 3 we tried replicating this fix, and quickly realized that the same issue we were having preventing other GPOs to apply,
    were also preventing our "fix" GPO from applying.  So we went the route of using a registry entry.  I also had a problem that even though it was making the process more consistent, it was still taking 3 reboots for a Computer Policy, assigned
    to a computer object via Security Group, to fully take effect on a computer.
    I used the registry methods in the above article.  It didn't work, no sign it was having the same effect the GPO had had.
    Our support engineer claimed this was the proper method, but that path wasn't even close in a Windows 7 SP1 registry, and after creating all the keys that were not present, it still didn't work.
    Always wait for the network at computer startup and logon - AzureWeb
    We ran out of time, our engineer returned home.
    I can understand how these errors indicate a problem applying Group Policy at boot.  But to me it doesn't explain why it doesn't correct post boot, and after a GPUPDATE /FORCE and a reboot.
    It also doesn't explain why we were working fine for years, then all of a sudden DHCP is being outrun by background services.  (By the way logging showed DHCP wasn't significantly delayed, our boot process was actually excellent, health wise.) 
    Why all of a sudden is this not behaving optimally?  No changes to network design or function.  No changes to the domain since 2008 R2 was installed in 2011.
    Today I'm reading through all these KB's and articles again, and took some time to read:
    [Forum FAQ] Common steps to start troubleshooting Group Policy
    application and its links below.
    We ran through all of that before and during the 3-day onsite.  It's not getting us any closer to the cause or a solution.
    I found and began some deep reading in this link today.  It has some additional information I will try to use next week:
    Group Policy Basics - Part 3: How Clients Process GPOs
    The one unanswered question I have is this.  How is group policy supposed to apply to a computer, when that policy is applied to an AD Security Group, in which the computer object is a member?
    Before we began having this problem, we would assign a computer GPO, then ask the user to reboot.  If it were a user GPO, we'd ask the user to log off, or reboot.  Either way, if we allowed a few minutes for AD and FRS replication, the user would
    log back in with that new policy in effect.  A new imaged machine would boot with all the GPO's linked to that domain and assigned to "Authenticated Users", already in effect.  Admin groups would be present in administrators, proxy settings
    would be set in Internet Explorer, etc.
    Now I'm asked to believe this was never the case from Premier Support and Microsoft Engineers.  That those policies require the equivalent of a "GPUPDATE /FORCE" that was executed by the Local_System account.  That 3 reboots may
    be necessary for a group policy to be applied.  One for the AD Security Group to be applied.  One for the Computer Policy to be applied.  And a final one for the policy in the GPO to be applied to Windows.
    Can someone confirm or correct this information please?  It's imperative to my troubleshooting.
    There's no place like 127.0.0.1

    That key is empty on all of my machines I have checked today.  Working and problematic alike.
    GPRESULT logs, when run as me, historically would show the group policies applied, denied, and the AD group membership all by name.  About 6 months ago I noticed this changed.
    Now they show the applied GPO's by name, a few of the denied GPO's by name, most by SID, and only 2 to 3 AD groups, though PowerShell shows all the AD groups assigned.  This happens after several AD security and distribution groups are added to the
    machine (Radia software distribution uses Dist groups to assign software).
    A check showed no groups with long legacy Kerberos keys.
    When we make a change to AD Security Group membership, to assign or deny a Group Policy, is usually when we encounter this problem.  It will usually fix itself in 24 hours of the machine being left up and running.  But no amount of GPUPDATE /FORCE
    and rebooting will cause the changes to take effect.
    During this time, the Group Policies will show assigned to the computer in the GPRESULT log.
    Yesterday I began looking into Spanning Tree configuration on our network being a possible cause for the boot up issues.  I'm waiting on responses from our Network group to confirm our configuration.
    There's no place like 127.0.0.1
