Group Policy "Restricted Groups" (local groups) using group policy preferences

Similar Messages

• Does using Group Policy Preferences to deploy printers require the print driver to be pre-installed?

  I'm trying to prepare our school system for Windows 7 (we currently use XP).  I would like to use the new Group Policy Preferences method of deploying printers.  I pushed out the XP client side extensions through WSUS.  In my test environment, I added the shared printer in group policy preferences.  My XP machine had the printers show up automatically, but my Windows 7 machine did not.  I realized that I had previously connected a printer of the same type to my XP machine before and the drivers were already installed.  To test this theory, I manually connected the shared printers to the Windows 7 machine, deleted them, then logged off and back on.  Now the printers are showing up from group policy.  My question is does using group policy preferences to deploy printers require the print driver to be pre-installed?  If not, then what am I doing wrong?  If so, is there a way to work around this?  Thanks for your help.
  EDIT:  To clarify, I am using the share method in GPP.  This is the error message I get in the event log:
  The user 'PRINTERNAME' preference item in the 'win7 printer test {946461A1-27F8-406F-A0B3-0A1A05AF34F6}' Group Policy object did not apply because it failed with error code '0x80070bcb The specified printer driver was not found on the system and needs to be downloaded.' This error was suppressed.

  This link have a description of resolution:
  http://technet.microsoft.com/en-us/library/cc725938.aspx
  Open the GPMC.
  Open the GPO where the printer connections are deployed, and navigate to Computer Configuration, Policies, Administrative Templates, Control
  Panel, and thenPrinters.
  Note
  The Point and Print Restrictions setting can also be found under User Configuration\Policies\Administrative Templates\Control Panel\Printers.
  This policy is ignored by Windows 7 and Windows Server 2008 R2, but is enforced by earlier editions of Windows including Windows XP with SP1, Windows Server 2003 with SP1, and Windows Server 2008. We recommend that you change
  this policy setting in both locations so that all down-level clients have a consistent experience.
  Right-click Point and Print Restrictions, and then click Properties.
  Click Enabled.
  Clear the following check boxes:
  Users can only point and print to these servers 
  Users can only point and print to machines in their forest 
  In the When installing drivers for a new connection box, select Do not show warning or elevation prompt.
  Scroll down, and in the When updating drivers for an existing connection box, select Show warning only.
  Click OK.

• Errer message while adding a computer account to a local group in Group Policy Preferences...

  Hi all;
  Suppose I want to add a computer account to Event Log Reader on local computers by using Group Policy Preferences. Look at the following figure:
  But after selecting the desired computer account and clicking OK, the following error message appears:
  Any ideas?
  Thanks
  Please VOTE as HELPFUL if the post helps you and remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading
  the thread.

  > But after selecting the desired computer account and clicking OK, the
  > following error message appears:
  Couldn't repro - worked in my domain for both a builtin group and a new one.
  Greetings/Grüße,
  Martin
  Mal ein
  gutes Buch über GPOs lesen?
  Good or bad GPOs? - my blog…
  And if IT bothers me -
  coke bottle design refreshment (-:

• How can I setup a scheduled task to run a Powershell Script delivered as a Group Policy Preference

  I have a Powershell script I want to run only once when a user logs onto their system. This script would move all the PST files from the Local drive and the Home drive to a folder location within the users profile. I wanted to run this as a Windows 7 Scheduled Task using Group Policy Preferences. How can I get this to happen short of a logon script? I have updated all the machines to WMF 4.0 so could I use a Scheduled Job instead? I wanted to run the script as the logon user but elevated.#Start Outlook and Disconnect attached PST files.
  $Outlook = New-Object -ComObject Outlook.Application
  $namespace = $outlook.getnamespace("MAPI")
  $folder = $namespace.GetDefaultFolder("olFolderInbox")
  $explorer = $folder.GetExplorer()
  $explorer.Display()
  $myArray= @()
  $outlook.Session.Stores | where{ ($_.FilePath -like'*.PST') } | foreach{[array]$myArray+= $_.FilePath}
  for
  ($x=0;$x-le$myArray.length-1;$x++)
  $PSTPath= $myArray[$x]
  $PST= $namespace.Stores | ?{$_.FilePath -like$PSTPath}
  $PSTRoot= $PST.GetRootFolder() #Get Root Folder name of PST
  $PSTFolder= $Namespace.Folders.Item($PSTRoot.Name) #Bind to PST for disconnection
  $Namespace.GetType().InvokeMember('RemoveStore',[System.Reflection.BindingFlags]::InvokeMethod,$null,$Namespace,($PSTFolder)) #Disconnect .PST
  #Move All PST files to the default location while deleting the PST files from their original location.
  $SourceList = ("$env:SystemDrive", "$env:HOMEDRIVE")
  $Destination = ("$env:USERPROFILE\MyOutlookFiles")
  (Get-ChildItem -Path $SourceList -Recurse -Filter *.PST) | Move-Item -Destination $Destination
  #Attach all PST files from the default location.
  Add-type -assembly "Microsoft.Office.Interop.Outlook" | out-null
  $outlook = new-object -comobject outlook.application
  $namespace = $outlook.GetNameSpace("MAPI")
  dir “$env:USERPROFILE\MyOutlookFiles\*.pst” | % { $namespace.AddStore($_.FullName) }

  Mike,
  I do not understand what appears to be a regular expression above. I did add the PowerShell script to the HKCU RunOnce Key as suggested.
  Windows Registry Editor Version 5.00
  C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -sta -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File "C:\scripts\Windows PowerShell\Move-PST.ps1"
   I'm delivering this using Group Policy Preferences. It seems to fail or time out when run because the behavior is different if I run the script from within the PowerShell IDE. I added the parameters to the script and will try it again in the morning.

• Group policy Preferences server 2008 and windows 7

  Hi I have been struggling with an issue with group policy preferences for a while now with regard to pushing out printers to windows 7 (32/64 bit) Machines. I have two DC servers one is 2008 and the other is 2008 r2. I have setup the group policies on the
  2008 server as it is the only one i am allowed to access regularly to do this.
  Basically here is my problem. I have created multiple GPO's to send out printers from out print server to classrooms across the school district I work for, I have a mix of xp and windows 7 machines. I have the server setup with both 32 and 64bit drivers
  for all printers on that server, we have a mix of oki and hp and ricoh. I know all the connections work and the drivers work well, however when I push them out using the group policy, the windows 7 machines don't install the printers. The xp machines do this
  perfectly well when I install the client side extensions patch, but they just will not pull down on the 7 machines unless i install the printer first manually, then delete it and then run gpupdate. In that instance it will work, but obviously i don't want
  to have to go round thousands of computers doing this manually.
  Just as a side note, each classroom has its own user account and its own printer.
  If anyone has any advice as to how i can go about resolving this issue i would greatly appreciate it, this has been a problem i have been researching and trying to fix since January.......

  Hi,
  >>The xp machines do this perfectly well when I install the client side extensions patch, but they just will not pull down on the 7 machines unless i install the
  printer first manually, then delete it and then run gpupdate.
  Before going further, we can run command
  gpresult/h gpreport.html with admin privileges to collect group policy result on the troubled Windows 7 clients to check the issue. Besides, we can also check event logs in Event Viewer to see if some related error events were logged.
  Besides, I want to confirm if we have disabled
  Point and Print Restrictions under both User Configuration and Computer Configuration. To have a consistent experience, it’s recommended that we disable the policy setting in both locations if we are dealing with mixed-level clients.
  Regarding this point, the following article can be referred to for more information.
  Point and Print Restrictions policies are ignored in Windows Vista SP2, Windows Server 2008 SP2, and later Windows operating systems
  http://support.microsoft.com/kb/2307161/en-us
  Best regards,
  Frank Shen

• Registry Wizard not saving selections in Group Policy Preferences.

  Hello,
  I am trying to set registry keys for ODBC settings using Group Policy Preferences. All PC's in the domain are Windows 7. In testing, I was able to get this to work. Now that I am trying to create it for production, I am unable to get it to work.
  I am using the same PC to create for production that I used when I was testing.
  The steps I am taking are as follows:
  Create a new GPO. Edit the GPO and navigate to the registry node under Computer Configuration, Preferences where I create a new Collection Item. I then right click the new collection item and choose New - Registry Wizard. Using Local Computer,
  I navigate to [HKLM] > Software > Wow6432Node > ODBC > ODBC.ini
  Under the ODBC.ini key are all of the keys and data I want to include in my policy. When I check each key and put a check mark beside each data item in the lower window, my selections in the lower window are not being saved. The check mark
  shows up at the time but they are gone if I go back to check my work before hitting the finish button. If I go ahead and finish the policy anyway, I only get the keys, not the data items when the GPO is applied.
  I have found a work around but it is very cumbersome and isn't a good long term solution. The work around is to go ahead and create the policy, then go back into the collection and expand everything on the left and add each data value to each key one at
  a time using the All Tasks > Add - menu item.
  Any ideas why this is happening? I should also mention when I was "testing", I was hitting the same domain controller as I am when trying to build this for my "production" policy.
  Thanks in advance.

  Hello,
  Thanks for your reply. I am waiting on my account to be verified before I can post a screen shot.
  I did discover that if I go through and click on all the data items more than once, it appears to work. Basically, I went through each key and checked the data items, then went back to the top and started over again. All of the checks were gone, so I checked
  them again and clicked finish. I don't know if they were still missing but checking them twice seems to have worked.
  I can replicate the issue if I only check them once.

• Group Policy Preference Power Plan "Blocked By Group Policy"

  I noticed this error in the application event log of a Windows 7 PC:
  Log Name:      Application
  Source:        Group Policy Power Options
  Date:          3/21/2013 3:19:42 AM
  Event ID:      4098
  Task Category: (2)
  Level:         Warning
  Keywords:      Classic
  User:          SYSTEM
  Computer:      xxx
  Description:
  The computer 'Power Plan (Windows Vista and later)' preference item in the 'Windows 7 Desktop Power Plan {A078F08F-45CC-4209-A264-FE0CB5635A99}' Group Policy object did not apply because it failed with error code '0x800704ec This program is blocked by group
  policy. For more information, contact your system administrator.' This error was suppressed.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Group Policy Power Options" />
      <EventID Qualifiers="34305">4098</EventID>
      <Level>3</Level>
      <Task>2</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2013-03-21T10:19:42.000000000Z" />
      <EventRecordID>7687</EventRecordID>
      <Channel>Application</Channel>
      <Computer>xx</Computer>
      <Security UserID="S-1-5-18" />
    </System>
    <EventData>
      <Data>computer</Data>
      <Data>Power Plan (Windows Vista and later)</Data>
      <Data>Windows 7 Desktop Power Plan {A078F08F-45CC-4209-A264-FE0CB5635A99}</Data>
      <Data>0x800704ec This program is blocked by group policy. For more information, contact your system administrator.</Data>
    </EventData>
  </Event>
  How can I find out exactly why it is not working?  "Blocked by group policy" is not specific enough.

  Hi,
  You can also enable GPP tracing and logging for more information:
  Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure Power Options preference logging and tracing
  http://blogs.technet.com/b/askds/archive/2008/07/18/enabling-group-policy-preferences-debug-logging-using-the-rsat.aspx
  Regards,
  Cicely
  There is no such option "Configure Power Options preference logging and tracing" at Computer
  Configuration\Policies\Administrative Templates\System\Group Policy\.
  It alphabetical order Always use local ADM files ... is followed by Disallow interactive users from generating ...  Not

• Group Policy Preferences Shortcut issues ( event ID 1085 )

  I am hoping someone will be able to help me with a problem that is causing our users a headache
  We have a Windows 2008 SP2 terminal server farm ( 1 gateway, 2 Terminal servers TS1 and TS2 ), we also use Group Policy Preferences to deliver app shortcuts to different AD user groups.
  TS1 and TS2 were built from the same image.  On TS1 users logon and get all the icons they are entitled to, on TS2 it is random to whether they get their shortcuts or not.   
  Both TS are rebooted daily and I have scripted removing any local profiles incase it was something left behind.
  Checking the event Logs on TS2 I see several errors that appear to relate to Group Policy and correspond to when users have connected in.
  any help with this issue would be appreciated.
  Here is the information from the System log:
  Log Name:      System
  Source:        Microsoft-Windows-GroupPolicy
  Date:          05/12/2014 15:32:26
  Event ID:      1085
  Task Category: None
  Level:         Warning
  Keywords:      
  User:          Username
  Computer:      TerminalServer
  Description:
  Windows failed to apply the Group Policy Shortcuts settings. Group Policy Shortcuts settings might have its own log file. Please click on the "More information" link.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
   <EventID>1085</EventID>
      <Version>0</Version>
      <Level>3</Level>
      <Task>0</Task>
      <Opcode>1</Opcode>
      <Keywords>0x8000000000000000</Keywords>
      <TimeCreated SystemTime="2014-12-05T15:32:26.450Z" />
      <EventRecordID>478778</EventRecordID>
      <Correlation ActivityID="{CCB45268-E6F8-4127-97C8-A8544829F2DE}" />
      <Execution ProcessID="344" ThreadID="11212" />
      <Channel>System</Channel>
      <Computer>TerminalServer</Computer>
      <Security UserID="S-1-5-21" />
    </System>
    <EventData>
      <Data Name="SupportInfo1">1</Data>
      <Data Name="SupportInfo2">3892</Data>
      <Data Name="ProcessingMode">1</Data>
      <Data Name="ProcessingTimeInMilliseconds">6047</Data>
      <Data Name="ErrorCode">2147942413</Data>
      <Data Name="ErrorDescription">The data is invalid. </Data>
      <Data Name="DCName”>\\OurDomain</Data>
      <Data Name="ExtensionName">Group Policy Shortcuts</Data>
      <Data Name="ExtensionId">{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7}</Data>
    </EventData>
  </Event>

  >      <Data Name="ErrorDescription">The data is invalid. </Data>
  Delete the history XML.
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Group Policy Preferences possible in ZCM11?

  Hi,
  i created a thread (http://forums.novell.com/novell/nove...esnt-work.html) because some GPOs are not working with ZCM11SP2. Now i figured out, that the Problem is the GPPs (Group Policy Preferences).
  THey are available since Windows Server 2008 or 2008R2, i'm not sure.
  With this GPPs you can map drives, set printers, change the registry, power management ...
  Is it possible to use this GPPs with ZCM Policies?
  Cheers

  Here is a bit of a primer:
  http://technet.microsoft.com/en-us/m...01.layout.aspx
  Note: You will need to use ADM and not ADMX if I recall.
  The key will be knowing what registry keys to set.
  For PowerSettings, there are some ADM files floating about the internet
  already.
  On 6/25/2012 12:46 PM, drops wrote:
  >
  > Hi Steffen,
  >
  > for folder redirection look here:
  > 'Cool Solutions: Local Group Policy Folder Redirection (HKCU User
  > Shell)' (http://www.novell.com/coolsolutions/tools/14324.html)
  >
  > it works with windows 7.
  >
  > For a lot of configuration settings i prefer bundles. e.g. registry
  > changes to HKLM.
  >
  > Power management: use powercfg.exe -IMPORT
  >
  > Printer: we use iprint policies. for local printers look at rundll32
  > PrintUI.dll, PrintUIEntry /?
  >
  >
  > With software simply use the Bundle - see your foxitreader example and
  > recommendation from Shaun.
  >
  > best regards
  >
  > Markus
  >
  >
  >
  > SteffenMuch;2203349 Wrote:
  >> Hi Craig,
  >> do you know a good "how to" for this? I didnt create a group policy
  >> template until now.
  >>
  >> Cheers,
  >> Steffen
  >>
  >>
  >> @Shaun:
  >> Thanks, i will look at this solution.
  >
  >
  Craig Wilson - MCNE, MCSE, CCNA
  Novell Knowledge Partner
  Novell does not officially monitor these forums.
  Suggestions/Opinions/Statements made by me are solely my own.
  These thoughts may not be shared by either Novell or any rational human.

• Group Policy Preferences

  I'm interested in applying group policy preferences to our new Windows 7 machines, partly to simplify my image-building process, via Zen 10 (soon Zen 11). However, I understand that these are not available through the Local Group Policy editor- so my question is, does anybody know how we could produce a set of Group Policy preference settings to deploy via Zen, without the presence of Active Directory?

  Make sure this option is not set on the policy in the ZCC.
  "After enforcement, force a re-login on the managed device, if necessary"
  On 5/24/2011 9:36 AM, jfansell wrote:
  >
  > Thanks- I was hoping to be able to utilise something that already
  > existed rather than using custom adm files- but we are now looking into
  > doing it that way now. Incidentally we do have a purely for testing AD
  > environment in which I created a test policy containing preferences, and
  > imported this into ZCM 10, still no joy even though the policy
  > preferences files appeared at the workstation (under
  > c:\Windows\System32\grouppolicy\...) they just weren't effective.
  > Presumably this is somehow a limitation of our environment (the AD is
  > completely disconnected from the users and workstations). It would be
  > nice if somehow the preferences were replicated in ZCM in the future.
  >
  >
  Craig Wilson - MCNE, MCSE, CCNA
  Novell Knowledge Partner
  Novell does not officially monitor these forums.
  Suggestions/Opinions/Statements made by me are solely my own.
  These thoughts may not be shared by either Novell or any rational human.

• Group Policy Preference: Problem Adding Network Locations

  Group Policy Preferences (GPP) do not currently support correctly creating shortcuts in Network Locations/My Network Places the way Windows produces them when you go through the "Add a network location" wizard. Unfortunately, the GPP simply creates a standard shortcut instead of creating a folder that contains target.lnk and desktop.ini (the way the "Add a network location" wizard does).
  I was curious to know when the GPP engine will be updated to correctly add Network Locations the way the "Add a network location" wizard does?
  Thanks.

  Talfr77,
  I would like to know what environment you tried this under.  I made policy like you described on a 2012 domain controller and the resulting shortcut worked fine on windows 8 clients and on the 2012 servers.
   However, the 2008 servers and windows 7 clients didn't work.  They simply got a folder with two files.   It would appear that the format of the target.lnk file may be different between versions of windows.  I took a target.lnk from a
  working shortcut made on a 2008 server and put in on a 2012 server and the result was it not recognizing the shortcut.
  It is also worth noting for anyone who wants to try this method, that in step 2 of Talfr77's directions he says to copy the desktop.ini file using the GPP file copy function to the subfolder with the target.lnk file.  He didn't mention how to accomplish
  that.   You can store the desktop.ini file anywhere on your network as long as the UNC path to it is accessible to the user.  I suggest you store it right in a subfolder of the GPO in the sysvol to keep things tidy.  So that UNC would be the
  source path. (example would be \\domain.local\SYSVOL\domain.LOCAL\Policies\{020DBAF4-2631-4246-8811-DE02F7613959}\desktop.ini) The destination path will be %appdata%\Microsoft\Windows\Network Shortcuts\<Subfolder name>\desktop.ini
  The same goes for his step 3 where you edit the folder attributes.  The folder you want to edit is %appdata%\Microsoft\Windows\Network Shortcuts\<Subfolder name>
  Karl

• [Forum FAQ] Group Policy Preferences Scheduled Tasks Item not working when the option Run whether user is logged on or not is selected

  Scenario:
  We use one of the following Group Policy Preferences Scheduled Tasks item to deploy a task to clients:
  Computer Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Scheduled Task (At least Windows 7)
  Computer Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Immediate Task (At least Windows 7)
  User Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Scheduled Task (At least Windows 7)
  User Configuration -> Control Panel Settings -> Scheduled Tasks -> New -> Immediate Task (At least Windows 7)
  (Note that on some platforms, "At least Windows 7" is replaced with "Windows Vista and later.")
  After designating a user account to run the task, we select “Run whether user is logged on or not” option, and “The Do not store password…”
  check box is automatically grayed out (See Figure 1).
  Figure 1
  After finishing configuring the task item, on a client, we run command
  gpupdate/force to forcefully update group policy. However, on the client, when we check if the task is listed in Task Scheduler snap-in, the task is not displayed, and when we run
  gpresult/h report.html to collect group policy result for troubleshooting, we see an error as similar as shown in the following figure (Figure 2).
  Figure 2
  Cause:
  To make the scheduled task run whether the user is logged on or not, we need to store the password of the designated user account. However, for the content of the scheduled
  task item is stored in Sysvol where it’s not safe to store passwords, this function has been deprecated.
  Workaround:
  We can run the task with system account
  NT Authority\System, or we can use specific user accounts to run the task when the given user is logged on. (See Figure 3)
  Figure 3
  Reference:
  MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege: May 13, 2014
  http://support.microsoft.com/kb/2962486
  Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

  Hello Everyone,
  Succeeded !!!!!!!
  Even i was struggling with this same Problem to execute a batch via Window scheduler and set the setting to "Run whether the user is logged in or not".
  I tried many time but the batch runs with " Run
  whether user is logged on" and not with "Run
  whether user is logged on or not".
  what i discovered is that there was one mapped drive
  path in my batch file which was not the complete path like y:/AR.qvw actually what i did i changed that map path to the complete path like \\servnamename\d$\AR.qvw and the batch executed successfully with the setting "Run
  whether user is logged on or not"
  The
  conclusion is that check the dependency of the script on external resources because when you check this option "Run
  whether user is logged on or not" It actually conflicts. This my discovery.
  If
  you have any question write me on [email protected]
  Thanks
  & Regards,
  Arun

• Proxy details keep deleting from field in Group Policy Preferences for IE 10 on windows 7 and 8

  We have a lot of users who on the last update and have seemed to manage to install IE 10 onto their windows 7 machines as now causing all sorts of issues. I know that IEM has been replaced in favour of Group Policy Preferences and I have build a windows
  8 machine just to create a group policy preference as you are unable to create the preferences from windows 7, thank you Microsoft!
  I have created a test OU and got a win 7 and a win 8 machine both with IE 10 for testing. I have created the preference settings, home page etc and disabled using the F keys the advanced features that we do not require as from reading in other post even
  if it is not ticked, if it is green then it will apply it, kinda defeats the using the tick but it is what it is!
  When we do a gpupdate it picks up the default homepage as well as other settings but the proxy settings is blank. I then went back into the preferences I created for IE 10 and checked the connections, LAN settings and the proxy server name is missing but
  both ticks are showing for the proxy settings and when you click on advanced it shows the proxy server and port details fine. I have been working on this now for 4 days and getting no where to a point were we just roll back any users on IE 10 back to IE 9.
  I have also unlinked any other gpo relating to Internet settings on the test OU just in case there are conflicts. Any ideas as where to go from here?

  In the end to get around the proxy settings I had to create a registry key preference with proxy and port details which seemed to have done the trick and now IE 10 is picking up the proxy details and displaying webpages

• Windows 2008 R2 - Group Policy Preference - folder option "Open with" Access denied

  Similar to this post:
  social.technet.microsoft.com/Forums/en-US/d42a81bc-96de-4af3-bc41-079e88e6ea4a
  We have Citrix terminal servers running Windows 2008 R2 and attempting to force PDF files to open with Acrobat versus PDF editing software we have installed for a small subset of users.  So I created a Group Policy Preference and added a OpenWith item
  to the Folder Options to use Acrobat as the default and linked it to a Users OU.  However, if I run gpresult the OpenWith setting fails with error code 0x80070005.  You can change it to not run in the user's security context which eliminates the
  error but then it won't actually do anything.
  The problem seems to be that when a user sets another program as their default via Windows Explorer the permissions on HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice get changed so that the user is specifically
  denied the ability to set that key.  Remove the special permissions added and the group policy succeeds and changes it back to the default ... until the user changes it back (intentionally or otherwise) and the permissions are changed again.
  Any ideas here?

  > Any ideas here?
  We use GPP Registry to achieve this goal, so we do not run into that
  issue (we unchecked "run in users context", so privs are not an issue)
  But I agree, this really should work as intended...
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Unable to make changes to LAN Settings in IE after Group Policy Preference is applied

  Hi all,
  I have an IE10 group policy preference on a Server 2008 R2 domain that is pushed out to Windows 7 SP1 x64 clients. This IE10 GPP is used to push out proxy settings etc. The GPP is applied fine, however when I go into LAN Settings in IE and make any
  changes such as unchecking "Use a proxy server..." these changes are not saved. As soon as I click OK and go back into LAN Settings it reverts back to the GPP settings. Are IE10 GPP's meant to allow a user to amend settings in IE? The users have
  permissions to write to the Connections key under Internet Settings in the registry. If I delete the Connections key (Which includes DefaultConnectionSettings and SavedLegacySettings) I can then make changes to the proxy (Although without the original settings).
  I know their are other, and better, methods of controlling proxy settings for users but unfortunately this is the way the customer has it implemented. All defaults for GP is applied such as refresh rate etc. I've tested IE10 on a Server 2012 R2 / Win8 environment
  with the exact same GPP settings and I can make changes to the LAN Settings. Is this possibly a bug? Any help would be appreciated.
  Thanks.

  Hi,
  So by now we could make it work by deleting the Connections key, in order to change the proxy settings of IE 10-Windows 7 in the Windows Server 2008 R2 environment?
  Besides, could it be convenient for us to perform some more tests here? How IE 10 of Windows 7 behaves in Server 2012 R2 environment? And Windows 8 in Server 2008 R2?
  Best regards
  Michael
  Michael Shao
  TechNet Community Support