Group Policy Scripts point to network location

I am having a very odd problem with my Windows server 2012. I have some login scripts that I would like to run, but when I try to place the scripts into the file folder I am getting access denied. While checking the path and all the permissions (I AM IN THE RIGHT GROUPS) I am getting a network share location, rather than the SYSVOL\domain\policies\etc.... the policy points to \\network\SYSVOL\domain\policies\etc....
Can someone tell me what is happening, and more importantly, how do I fix this?
This topic first appeared in the Spiceworks Community

Similar Messages

Group Policy Preference: Problem Adding Network Locations

Group Policy Preferences (GPP) do not currently support correctly creating shortcuts in Network Locations/My Network Places the way Windows produces them when you go through the "Add a network location" wizard. Unfortunately, the GPP simply creates a standard shortcut instead of creating a folder that contains target.lnk and desktop.ini (the way the "Add a network location" wizard does).
I was curious to know when the GPP engine will be updated to correctly add Network Locations the way the "Add a network location" wizard does?
Thanks.

Talfr77,
I would like to know what environment you tried this under. I made policy like you described on a 2012 domain controller and the resulting shortcut worked fine on windows 8 clients and on the 2012 servers.
However, the 2008 servers and windows 7 clients didn't work. They simply got a folder with two files. It would appear that the format of the target.lnk file may be different between versions of windows. I took a target.lnk from a
working shortcut made on a 2008 server and put in on a 2012 server and the result was it not recognizing the shortcut.
It is also worth noting for anyone who wants to try this method, that in step 2 of Talfr77's directions he says to copy the desktop.ini file using the GPP file copy function to the subfolder with the target.lnk file. He didn't mention how to accomplish
that. You can store the desktop.ini file anywhere on your network as long as the UNC path to it is accessible to the user. I suggest you store it right in a subfolder of the GPO in the sysvol to keep things tidy. So that UNC would be the
source path. (example would be \\domain.local\SYSVOL\domain.LOCAL\Policies\{020DBAF4-2631-4246-8811-DE02F7613959}\desktop.ini) The destination path will be %appdata%\Microsoft\Windows\Network Shortcuts\<Subfolder name>\desktop.ini
The same goes for his step 3 where you edit the folder attributes. The folder you want to edit is %appdata%\Microsoft\Windows\Network Shortcuts\<Subfolder name>
Karl

Using Office 2013 group policy template to define Trusted Locations and Template Locations doesn't work

User Configuration/Policies/Administrative Templates
- Using Office 2013 group policy template to define Trusted Locations and Template Locations doesn't work
Microsoft Word 2013/Word Options/Security/Trust Center/Trusted Locations
- Allow Trusted Locations on the network:
Enabled
- Trusted Location #1:
Enabled
Path: //server/sharedfoldername [Edit: Path:
\\server\sharedfoldername]
Date: June 10, 2013
Description: Trusted Location
Allow sub folders: Enabled
The policy appears to apply to the client correctly by adding the following registry key and values:
HKEY_CURRENT_USER\Software\Policies\Microsoft\office\15.0\word\security\trusted locations\location1
allowsubfolders: 1
date: June 10, 2013
Description: Trusted Location
Path: //server/sharedfoldername [Edit: Path:
\\server\sharedfoldername]
However, when you open Word Options/Trust Centre/Trust Centre Settings…/Trusted Locations
There are no trusted locations listed under ‘Policy Locations’
I have tried setting similar settings for setting the Shared Templates folder location and just like the trusted locations policy, the registry keys are created properly in HKEY_CURRENT_USER\Software\Policies however word doesn’t
seem to recognize these either.
This used to work flawlessly using the administrative templates for Word 2007 and 2010. Has anyone been able to get these policies to apply successfully, or know why office doesn’t recognize these settings from the Policies registry
Key?

This would have been an easy solution to the issue. Unfortunately it isn't the problem. This question was originally posted on another Microsoft site and
was transferred here and when it was transferred the path's changed from the original post:
\\server\sharedfodlername to //server/sharedfoldername. (I will edit the question to show up as it did in the original post) Not sure how that happened. This
is still an issue that I haven't been able to get working correctly.
As it turns out the 'New from Template' interface Word 2013 has developed is very bulky with large thumbnails and is not very customizable nor practical for an office
that has a large number of templates. Because I am unsatisfied with the display and performance of the 'New' template chooser I sought after a solution to change the way word creates a document from a template in another thread:
http://answers.microsoft.com/en-us/office/forum/office_2013_release-word/how-can-you-change-the-display-of-templates-in/d49194b9-a6b4-4768-8502-7d7b50e9dd65 working through this issue with Jay we were able to develop
some VB script with handles a very large number of templates in a list view and it works much faster than the built-in Word interface. The above thread is how I've worked around trying to define a shared template location and I am quite happy with it.

Use Group Policy to prevent other network connections

I need to define a Group Policy which says that IF a user is in the companys Domain network that no other connections are avaiable. So if the user is not connected to the Domain network he should be able to connect to any network he wants.
Are there any possible solutions to this?
Best regards.

Hi,
>>Use Group Policy to prevent other network connections
As far as I know, group policy can’t help us do this. However, when a user is in the company and there is just domain network, he or she may not be able to connect to other
network.
Best regards,
Frank Shen

Apply Group Policy to external clients

Is it possible to apply GPO's to clients on external networks such as their own personal networks. I'm looking at solutions such as authenticating them through a proxy on the perimeter network and are pushed to the Domain Controller to force these policies.
As it stands, the clients use a VPN client to gain access to the corporate network, and I know that group policy will use the Network Location Service to detect the Domain Controller, but the VPN connection is not mandatory and most be established by the client,
if this connection is not required for their job, the may never connect and not get updated GPO's.

Hi,
I agree with Joseph. Unlike many traditional VPN connections, which must be initiated and terminated by explicit user action, DirectAccess connections are designed to connect automatically as soon as the computer connects to the Internet.
Regarding DirectAcces, the following articles can be referred to for more information.
Using DirectAccess
http://technet.microsoft.com/en-in/windows/dn168168.aspx
Windows Server 2012 Direct Access – Part 1 What’s New
http://blogs.technet.com/b/meamcs/archive/2012/05/03/windows-server-2012-direct-access-part-1-what-s-new.aspx
In addition, for this question mainly focuses on network, in order to get more and better help, we can also ask for suggestions in the following forum.
Network Access Protection
https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverNAP
Best regards,
Frank Shen

Creating Group Policy Windows Server 2008 R2

Hello guys,
I want to implement a group policy/policies across the network to perform the following;
1) Restart users PCs across the network on the last Friday of every month
2) Update the PCs with Microsoft patches or updates if any during the restart
3) Send a notification message on
Wednesdays preceding that Friday to the users, informing them to save their work and close all the programs and files as their PCs will be restarted on Friday.
Any help on this would be greatly appreciated.
Thanks in advance
Cheers

Hi Sudhirhk,
You can configure a GPO via a script or schedueled task of GPP to restart PCs. Please refer to the following similar case:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/3608dd77-3727-4cc6-b3c6-cfcf1a486a2a/restart-computers-via-gpo?forum=winserverGP
What's more, you can also use schedueled task to send notification messages at the appointed time, please refer to the following similar case:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/34f06393-7a8a-4c29-bd2d-726266a55130/scheduled-task-email-notification-server-2012?forum=winserver8gen
In addtion, as for the updating, please refer to the following article:
Configure Automatic Updates by Using Group Policy
Please apply the GPO according to your requirements.
Regards,
Lany Zhang

Wireless Group Policy Problem - Half the policy applying

Hi
I'm at a loss for where to investigate this one so I'm hoping for some suggestions.
We have a single GPO to send out settings for wireless access to our network. On the wireless we have two SSIDs as below.
1. Staff SSID
My manager wanted to reduce the security issues with this as much as possible, so I've generated a GUID for the SSID name, set it not to broadcast the SSID and set the group policy to show the network as "<company
name> Staff". It uses WPA2-Enterprise with RADUIS authentication to silently pass the authentication credentials of the currently logged on user providing SSO.
2. Guests SSID
This uses a preshared WPA2 key and provides guests with internet access and is blocked from the local LAN.
The GPO is applied in such a way that company laptops are have the Staff SSID displayed in the available connection list, they're allowed to connect to it (as long as they're in the appropriate AD group for RADIUS authentication) but they are blocked from
connecting their laptops to the Guests SSID. The important thing is that this single GPO controls both settings.
On a few laptops we have been noticing that the blocking of the Guests SSID is working fine, but the Staff SSID is failing to show. Its as if only half the policy is applying. This is happening to only a small number of laptops which reside in the same AD
OUs and it doesn't matter who logs on, the same problem occurs. The laptop is able to view all other wireless networks in the vicinity.
I have logged in to one as myself (with Domain Admin permissions) and I get this problem, but on other laptops, the policy applies completely allowing me to connect to the Staff SSID while blocking the Guests SSID, as it should.
I've run a RSOP against the laptop which shows that the policy is applying (confirmed by the fact that the Guests SSID is blocked) and the only problem I can find in the event logs are for the EapHost service with event ID of 2002. I've followed the advice
in a few forum posts below but have been unsucccessful (not even sure if it's related to the GPO issue).
http://www.eventid.net/display-eventid-2002-source-Microsoft-Windows-EapHost-eventno-10874-phase-1.htm
http://www.sevenforums.com/network-sharing/336450-event-id-2002-source-eaphost-eap-method-dll-path-name-failed.html
Any suggestion would be greatly appreciated.

Hi Daverino,
Since RSOP shows that the policy has been applied, it should not be a grouppolicy issue.
According yourdescription, it seems that the system of the laptop has been changedby the user data.
Could you please post the original information about event 2002? It is useful for further troubleshooting.
Best Regards.
Steven Lee
TechNet Community Support

Remove "Mark All as Read" button with Group Policy from Outlook 2013

Under the Folder tab in Outlook 2013, there is a "Mark All as Read" icon. How can I permanently delete this icon? I remember doing so with Outlook 2003 / 2007 through a Group Policy setting. Not sure how to take care of that with Outlook 2013...I
think I need an ID code? I've tried right-clicking the icon and choosing Customize the Ribbon, but you can't remove the "Mark All as Read" as a single icon, you have to get rid of the entire Folder tab. Thanks!

Hi,
Yes, we can disable the “Mark All as Read” button in Outlook 2013 by using control IDs. Please follow the steps below to achieve the goal:
1. Press Windows key + R, type gpedit.msc in the
Run command and press Enter.
2. In the Group Policy Management Editor navigation pane, locate
User Configuration >
Administrative Templates > Microsoft Outlook 2013 > Disable Items in User Interface > Custom
3. In thedetails pane, double click to open
Disable command bar buttons and menu items.
4.
Choose Enabled, and then choose
Show.
5. In the Show Contents dialog box, under
Value, enter the control ID for the command that you want to disable. The control ID to disable
“Mark All as Read” button is 1906.
6. When you have finished entering control IDs, choose
OK, and then choose OK again to exit the
Disable commands dialog box.
For more information about control IDs, please refer:
http://technet.microsoft.com/en-us/library/cc179143(v=office.15).aspx
Hope this helps.
Best Regards.
Steve Fan
Forum Support
Come back and mark the replies as answers if they help and unmark them if they provide no help.
If you have any feedback on our support, please click
here

Replace Mapped Drives with UNC Paths via Group Policy Preferences

We are currently using Group Policy Preferences to map network drives to drive letters for our users. Given the risk of ransomware, etc. these days we want to provide users with a UNC link rather than a mapped drive letter. Can anyone tell me
the best way to do this?
Thanks,
Joe

> We are currently using Group Policy Preferences to map network drives to
> drive letters for our users. Given the risk of ransomware, etc. these
> days we want to provide users with a UNC link rather than a mapped drive
> letter. Can anyone tell me the best way to do this?
Create shortcuts :)
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))

Hit with Virus that executed via PowerShell Scripting. Can I disable Powershell on my network via Group Policy and what implications does that have for me.

Our network was hit recently with virus previously unknown, O97M.Crigent. It is a nasty Macro virus that targets Microsoft Office Documents & Spreadsheets and uses a combination of Macros and Scripts via Powershell.
How do I disable PowerShell scripting via Group Policy?
Will this raise any issues such as random application or network failures or other issues?
Can I apply it to the entire domain or should I be selective and only apply it to the workstations?
Network Summary: Windows 2008 Active Directoy Server, 75% Windows 7, 25% Windows XP workstations.
DouglasOfSanMarcos

Disabling Windows PowerShell can be done with GPO:
Computer Configuration | Administrative Templates | Windows Components | Windows PowerShell
From GPO Description: "This setting exists under both "Computer Configuration" and "User Configuration" in the group policy editor. The "Computer Configuration" has precedence over "User Configuration."
By default this option is restricted any way on computers.
I would be very selective when apply it at all:
Workstations - I would apply to test group of workstations first, just to see that there are no side effects before applying to all computers.
Server - I wouldn't apply it at all. I have seen too many issues when setting this policy on Exchange and other systems.
If you are using a Group Policy to define a PowerShell logon, logoff or computer script, that script will disregard any execution policy set locally or through a GPO.
http://4sysops.com/archives/set-powershell-execution-policy-with-group-policy/
http://technet.microsoft.com/en-us/library/hh849812.aspx
Please take a moment to Vote as Helpful and/or Mark as Answer where applicable. Thanks.

MSI not installing via Group Policy - Insists location does not exist

Hi
I am creating a group policy object whereby I am pointing my software package installation to \\192.168.1.3\GPO\MSOCached32bit.msi
The location has permissions for the machine accounts on both the share and the ntfs permissions with read only access.
I have created an OU and moved a Windows XP machine into it, linked the GPO and made sure that the XP machine is not using optimised log on.
From the machine I can reach the share and see the file from the path above.
However each time I reboot the machine I am testing on the installation fails, the exact error being:
The install of application MSO from policy MSO Installation failed. The error was : The installation source for this product is not available. Verify that the source exists and that you can access it.
This is rather odd, since I can see it, the machine account has permissions to see it and I cannot see what the problem is.
I have then gone on to enable verbose logging of the MSI installer which has produced the following:
=== Verbose logging started: 18/08/2011 15:36:18 Build type: SHIP UNICODE 3.01.4001.5512 Calling process: \??\C:\WINDOWS\system32\winlogon.exe ===
MSI (c) (AC:B0) [15:36:18:666]: Resetting cached policy values
MSI (c) (AC:B0) [15:36:18:666]: Machine policy value 'Debug' is 7
MSI (c) (AC:B0) [15:36:18:666]: ******* RunEngine:
           ******* Product: {96b77fe2-a045-4f3f-9a73-1bf359d0eaaf}
           ******* Action:
           ******* CommandLine:
MSI (c) (AC:B0) [15:36:18:666]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (AC:B0) [15:36:18:666]: Grabbed execution mutex.
MSI (c) (AC:B0) [15:36:18:736]: Cloaking enabled.
MSI (c) (AC:B0) [15:36:18:736]: Attempting to enable all disabled priveleges before calling Install on Server
MSI (c) (AC:B0) [15:36:18:736]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (B4:CC) [15:36:18:756]: Grabbed execution mutex.
MSI (s) (B4:D0) [15:36:18:766]: Resetting cached policy values
MSI (s) (B4:D0) [15:36:18:766]: Machine policy value 'Debug' is 7
MSI (s) (B4:D0) [15:36:18:766]: ******* RunEngine:
           ******* Product: {96b77fe2-a045-4f3f-9a73-1bf359d0eaaf}
           ******* Action:
           ******* CommandLine: CURRENTDIRECTORY="C:\WINDOWS\system32" CLIENTUILEVEL=3 CLIENTPROCESSID=940
MSI (s) (B4:D0) [15:36:18:766]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (B4:D0) [15:36:18:766]: User policy value 'SearchOrder' is 'nmu'
MSI (s) (B4:D0) [15:36:18:766]: User policy value 'DisableMedia' is 0
MSI (s) (B4:D0) [15:36:18:766]: Machine policy value 'AllowLockdownMedia' is 0
MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Media enabled only if package is safe.
MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Looking for sourcelist for product {96b77fe2-a045-4f3f-9a73-1bf359d0eaaf}
MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Adding {96b77fe2-a045-4f3f-9a73-1bf359d0eaaf}; to potential sourcelist list (pcode;disk;relpath).
MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Now checking product {96b77fe2-a045-4f3f-9a73-1bf359d0eaaf}
MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Media is enabled for product.
MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Attempting to use LastUsedSource from source list.
MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Processing net source list.
MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Trying source \\192.168.1.3\GPO\.
MSI (s) (B4:D0) [15:36:19:427]: Note: 1: 1314 2: \\192.168.1.3\GPO\
MSI (s) (B4:D0) [15:36:19:427]: ConnectToSource: CreatePath/CreateFilePath failed with: -2147483648 1314 -2147483648
MSI (s) (B4:D0) [15:36:19:427]: ConnectToSource (con't): CreatePath/CreateFilePath failed with: -2147483648 -2147483648
MSI (s) (B4:D0) [15:36:19:427]: SOURCEMGMT: net source '\\192.168.1.3\GPO\' is invalid.
MSI (s) (B4:D0) [15:36:19:427]: Note: 1: 1706 2: -2147483647 3: MSOCached32bit.msi
MSI (s) (B4:D0) [15:36:19:427]: SOURCEMGMT: Processing media source list.
MSI (s) (B4:D0) [15:36:19:437]: Note: 1: 2203 2: 3: -2147287037
MSI (s) (B4:D0) [15:36:19:437]: SOURCEMGMT: Source is invalid due to missing/inaccessible package.
MSI (s) (B4:D0) [15:36:19:437]: Note: 1: 1706 2: -2147483647 3: MSOCached32bit.msi
MSI (s) (B4:D0) [15:36:19:437]: SOURCEMGMT: Processing URL source list.
MSI (s) (B4:D0) [15:36:19:437]: Note: 1: 1402 2: UNKNOWN\URL 3: 2
MSI (s) (B4:D0) [15:36:19:437]: Note: 1: 1706 2: -2147483647 3: MSOCached32bit.msi
MSI (s) (B4:D0) [15:36:19:437]: Note: 1: 1706 2: 3: MSOCached32bit.msi
MSI (s) (B4:D0) [15:36:19:437]: SOURCEMGMT: Failed to resolve source
MSI (s) (B4:D0) [15:36:19:437]: MainEngineThread is returning 1612
MSI (c) (AC:B0) [15:36:19:437]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (AC:B0) [15:36:19:437]: MainEngineThread is returning 1612
=== Verbose logging stopped: 18/08/2011 15:36:19 ===
As you can see from the above highlighted line, it says its invalid, but I cannot for the life of me understand why?
Thanks in advance for any help!

Hi,
This is not something related to the GPO issue. The issue is with MSI and the packaging. Condition the ResolveSource action.
Try Copying the MSI to local machine using a script and execute it.
ResolveSource actually requires that the original installation source is available whenever it is called. If your installer package is authored correctly, source must only be resolve in cases where the original RTM files are missing or during some patch
uninstall scenarios.
http://blogs.msdn.com/b/heaths/archive/2007/10/25/resolvesource-requires-source.aspx
http://msdn.microsoft.com/en-us/library/aa371232%28VS.85%29.aspx
http://www.appdeploy.com/messageboards/printable.asp?m=48703
If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before
implementing!

The processing of Group Policy failed because of lack of network connectivity to a domain controller

We are setting up a new AD environment with one AD/DC running DNS services, and a secondary DNS server configured with secondary zone. The problem is that none of the machines in the the domain are getting GPO.
When I run a gpupdate /force from a machine, I get the following output:
"Updating Policy...
User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were enc
ountered:
The processing of Group Policy failed because of lack of network connectivity to
a domain controller. This may be a transient condition. A success message would
be generated once the machine gets connected to the domain controller and Group
Policy has succesfully processed. If you do not see a success message for sever
al hours, then contact your administrator.
To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
rom the command line to access information about Group Policy results."
While the system event log outputs the following:
"The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy
has succesfully processed. If you do not see a success message for several hours, then contact your administrator."
All the machines that were joined to the domain are able to resolve in forward and reverse lookups, ping the DC and ping each other so I dont understand how the error can be resolved.
Here are few things I have tried:
1. I came across this KB which checked ok for me: http://support.microsoft.com/kb/241515
2. Made a copy of the default GPO, applied to a OU with one machine, and made sure to remove any GPO links from above
3. Enabled the following two local Group policies on a test member:
GP slow link detection
Startup policy processing wait time
4. Modified firewall to allow everything on both member and DC
5. Verified DSN logs, SRV records, access to sysvol ( added authenticated users to sysvol)
I have yet to figure out the reason for this issue. Has anyone seen anything like this before?

1. I checked the NIC, it only has one IP. and I followed your article. I set the primary DNS to its own IP and the secondary DNS to the loopback ip
2. This is a new DC and DNS server. I dont have old records yet. I also check the DNS event logs. No errors
3. I made sure the member server is pointing only to the only DC/DNS server
4. Here is the output from the dcdiag.... everything passed except, the Netlogons part. I'm not sure what means or how to fix it yet:
Starting test: NetLogons
* Warning BUILTIN\Administrators did not have the "Access this
computer
"* from network" right.
[hostname] An net use or LsaPolicy operation failed with error
1, Incorrect function..
......................... hostname failed test NetLogons
Complete output:
> hostname
Server: hostname.domain.local
Address: X.X.X.95
> ^C
C:\Windows\system32>
C:\Windows\system32>nslookup
> set type=all
>
>
>
> _ldap._tcp.dc._msdcs.domainname
_ldap._tcp.dc._msdcs.domain.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = hostname.domain.local
hostname.domain.local internet address = X.X.X.95
> ^C
C:\Windows\system32>cd ..
C:\Windows>cd SYSVOL
C:\Windows\SYSVOL>cd sysvol
C:\Windows\SYSVOL\sysvol>dir
Volume in drive C has no label.
Volume Serial Number is F624-CDB2
Directory of C:\Windows\SYSVOL\sysvol
10/29/2014 08:25 PM <DIR> .
10/29/2014 08:25 PM <DIR> ..
10/29/2014 08:25 PM <JUNCTION> domain.local [C:\Windows\SYSVOL\domain]
0 File(s) 0 bytes
3 Dir(s) 63,971,037,184 bytes free
C:\Windows\SYSVOL\sysvol>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = hostname
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\hostname
Starting test: Connectivity
......................... hostname passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\hostname
Starting test: Advertising
......................... hostname passed test Advertising
Starting test: FrsEvent
......................... hostname passed test FrsEvent
Starting test: DFSREvent
......................... hostname passed test DFSREvent
Starting test: SysVolCheck
......................... hostname passed test SysVolCheck
Starting test: KccEvent
......................... hostname passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... hostname passed test
KnowsOfRoleHolders
Starting test: MachineAccount
......................... hostname passed test MachineAccount
Starting test: NCSecDesc
......................... hostname passed test NCSecDesc
Starting test: NetLogons
* Warning BUILTIN\Administrators did not have the "Access this
computer
"* from network" right.
[hostname] An net use or LsaPolicy operation failed with error
1, Incorrect function..
......................... hostname failed test NetLogons
Starting test: ObjectsReplicated
......................... hostname passed test
ObjectsReplicated
Starting test: Replications
......................... hostname passed test Replications
Starting test: RidManager
......................... hostname passed test RidManager
Starting test: Services
......................... hostname passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x000003F6
Time Generated: 03/04/2015 18:23:06
Event String:
Name resolution for the name ctldl.windowsupdate.com timed out after
none of the configured DNS servers responded.
......................... hostname passed test SystemLog
Starting test: VerifyReferences
......................... hostname passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : emcdsm
Starting test: CheckSDRefDom
......................... emcdsm passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... emcdsm passed test CrossRefValidation
Running enterprise tests on : domain.local
Starting test: LocatorCheck
......................... domain.local passed test LocatorCheck
Starting test: Intersite
......................... domain.local passed test Intersite
C:\Windows\SYSVOL\sysvol>

Group Policy - Computer Startup Scripts - Add/Set Default printer

Good Morning.
Let's say we have 2 offices, A and B, and only 1 user. The user is using Roaming Profiles. Each office has its own printer.
What I am trying to do, is make a Startup script that is specific to the COMPUTER being logged into so when any user logs into that computer, they get the printer in that office defined and set as default.
I am able to do this successfully with my script but ONLY if i have the script be on the USER side of GP (i.e. in the Logon script section)
That is great that that is working however, when my user goes to Office B, they still get mapped to Office A's printer if I use that method.
So I figured I could just modify my GP and run the same script from the STARTUP section of the computer, rather than the LOGON section of the user. It does not work.
Here is my script:
Set WRFCUNetwork = CreateObject("Wscript.Network")
PrinterPath = "\\fileserver\MAINTELLER"
PrinterDriver = "PrinterDriver"
WRFCUNetwork.AddWindowsPrinterConnection PrinterPath, PrinterDriver
WRFCUNetwork.SetDefaultPrinter "\\fileserver\MAINTELLER"
This is where I Have the script placed:
     Computer Configuration -> Windows Settings -> Scripts(Startup/Shutdown)
Once i'm in there, I double click Startup, click Add, and select my script which is named:
     MainPrinterSetup.vbs
I have this GP applied to ONE OU, and that OU has ONE computer in it (my test computer)
I login with a brand new user called "testuser" (creative, huh?) and basically nothing happens
except they log in and have some Microsoft Document Image Writer printer set as default (which by the way sure does slow the PC down to the point of it almost being broke if anyone actually tries to print to that by accident)
No Main Teller Printer, no anything.
The strangest part about this is, if i apply this script to the user LOGON scripts, it works fine, the printer is there, and is set as default. (but see above why that wont work for my situation)
So obviously the script works fine, but I guess i'm missing something when it comes to applying GP's to Computers rather than Users.
Can anyone shed some light as to why the script is not running (i'm guessing the script isn't even attempting to run, rather than failing, but i have no way to know that)
Thank you in advance!!
Derek Conlon
Network Administrator
WRFCU
EDIT: Here are the PC's info that i'm working on:
     Server: Windows Server 2003 Standard Edition (where my GP's are created and managed with AD)
     Target PC: Windows XP Professional SP3
EDIT #2: I manually navigated to the Script file after logging in and "opened" it and it added and set the default printer no problem. the issue is definately with the script running at startup.

I wanted to clarify a few things:
1. While it is true that printer connections are usually per user, it is definitely possible to create "global printers". There are a number of ways to do this, but two methods that come to mind are using:
a. "Rundll32 printui.dll,PrintUIEntry" option with the "/ga" switch. The "/ga" switch is the key here since it allows you to deploy printers "per machine" instead of "per user". More information
about this is available at:
http://members.shaw.ca/bsanders/NetPrinterAllUsers.htm
http://technet.microsoft.com/en-us/library/ee624057%28WS.10%29.aspx
http://www.computerperformance.co.uk/Logon/logon_printer_computer.htm
http://www.robvanderwoude.com/2kprintcontrol.php
b. The Print Management console that is available in Windows 2003 R2 and higher can help you deploy printers "per machine" in addition to "per user". More information about this is available at:
http://www.czsolution.com/print-management/print-management/print-management-console.htm#DeployingPrintersByGroupPolicy
http://technet.microsoft.com/en-us/library/cc753109%28WS.10%29.aspx
2. As Guy mentioned, Group Policy Preferences can help set the default printer. But there is another way to accomplish this. The problem with the computer startup portion is that it runs before the user logs in. And applying this script
in the login script section would not work per computer unless you used loopback processing. So another way to do this is to place a script that sets the default printer into the "All Users" startup folder. Items in the "All Users"
startup folder run for any user that logs into the computer, but it runs in the user's context. So, this script would effectively set the default printer on a "per machine" basis. The script method is a cruder way to approach the problem,
but it will help get the job done. Here are some resources on setting the default printer via script:
http://www.intelliadmin.com/index.php/2007/08/set-default-printer-from-a-script
http://www.computerperformance.co.uk/ezine/ezine17.htm

Can I enable "Use default gateway on remote network" on VPN connection using Group Policy?

Hi,
First timer here so please bear with me!
Environment: Domain Windows 2003, Clients: Windows 7 and Windows XP (with Client Side Extensions pushed out)
When creating a VPN connection on a client machine manually with default settings the "Use default gateway on remote network" found in [Connection Properties - Networking - IPv4 - Advanced] is enabled, which is good as we don't allow split-tunneling.
I have a test GPO that creates a new VPN Connection [Computer Config - Preferences - Control Panel - Network Options], but the above setting is unticked.
Am I missing something on the options for the GP preference to set this automtically?
I can write a script to directly change the C:\Users\All Users\Microsoft\Network\Connections\Pbk\rasphone.pbk file but would prefer if I could sort it all out using Group Policy.
Any help would be greatly appreciated!
Thanks a lot!
David

Shane,
There is actually a way to set the "Use default gateway on remote network" through Group Policy Preferences. And this may even be a better way to do it, because you may change this flag without touching any other settings, or other VPN connections.
(All VPN connections are stored in the same .pbk file.)
Here's the trick: Opening the .pbk file in notepad, I realized that this is actually an oldstyle ini-structured file. And Group Policy Preferences can update ini files! In the .pbk file the section names are the VPN connections names, like [My VPN],
and the property IpPrioritizeRemote is the flag "Use default gateway on remote network".
So, in Group Policy Management Editor, go to Preferences / Windows Settings / Ini Files.
Create a new object with Action = Update, and File Path =
C:\ProgramData\Microsoft\Network\Connections\pbk\rasphone.pbk
(If this is where your file is located, I guess it is in c:\users if the VPN connection is made for a single user.)
Section Name should be the display name of your VPN connection, without the brackets.
Property Name = IpPrioritizeRemote
Property Value = 1
Peter, www.skov.com, Denmark
Peter :-)
This is great, but just one question. I also want to append a list of DNS Sufixes in order (when viewing a VPN properties, this is buried in
"Networking --> IPv4/6 --> Advanced --> DNS --> Append these DNS Suffixes (in order)". However, for the VPNs I have manually created with this list populated, I can't see any entries in the rasphone.pbk. Does anyone know
where these are stored?
Cheers.

Apply Network shortcuts via group Policy

I learned of a very special kind of shortcut in Mark Minasi's "Mastering Windows Server 2012 R2" (pg 966) that allows you to create a "network folder" which is termed "Add a network Location" when you actually create the shortcut
in File Explorer.
I want to use AD group policy to deploy such shortcuts, but I am not seeing a way. I am [somewhat] familiar with creating shortcuts using GP Preferences, but that does not seem to be applicable for creating Network Folders.

Hi,
You can achieve your requirement using either GP Preferences or logon script.
But comparing the two techniques GP Preferences is recommended.
This is because logon scripts increases the loading time during logon and may not load properly at random times.
To map the network folder using Preferences, open GPMC console -> Edit the GPO assigned to the desired scope of users -> click the ‘User Configuration’ folder, then click the ‘Preferences’ folder. You can see all of the user-relevant options you can set
in Preferences. Find Drive Maps under ‘Windows Settings'.
Checkout the below link on configuring Drive Maps using Preferences,
http://technet.microsoft.com/en-us/library/cc770902.aspx
Checkout the below thread on similar discussion,
http://social.technet.microsoft.com/Forums/windowsserver/en-US/71c19111-75b0-412c-889f-79154857d685/deploy-network-drive-gpo
Regards,
Gopi
www.jijitechnologies.com

Group Policy Scripts point to network location

Similar Messages

Maybe you are looking for