Group Policy solution/alternative?

I work with MS Server 2003 and Active Directory at work - I'm still pretty new to it, and wow is it a nightmare to work with. I'm looking at working on a project for a different company. I am considering setting up a mac pro on OS X Server, but I'm pretty sure the desktops they use are on Windows (just assume XP - I actually won't know for another couple of weeks until I meet with them to figure everything out).
Here's my question: is there some solution in OS X that will function similarly to the Group Policy Editor in Server 2003? I don't need the same level of control, but really I would like to be able to lock things down enough that the users can't screw up anything major or install new programs. I haven't worked with OS X Server yet but still feel that it would be easier to use than MS Server 2003.
I have searched the forums, but the answers I found were generally very old and/or did not provide any real solutions. If I create users in OS X Server (under...open directory, I assume?), can I make them limited users in the sense that on a Windows machine, they would have limited rights? Any help with this would be appreciated, as I really want to use a mac for this project, but just don't know if the windows services are extensive enough to do what I want. Thanks.

I hope you don't take this the wrong way but if you're (a consultant?) going to provide directory services setups to clients, you really should know the basics.
But to answer your questions. Yes, the users would reside in OD (Open Directory) and yes, they will not be admins of their own PCs unless you make them admins. There will be no GPOs and the only rule that will really be enforced is password policy. Providing directory services to Windows will be NT4 style PDC/BDC, not AD.
Having said that... If they are a small PC-only shop, they really would be better off with MS SBS 2003. A Mac does not solve all of the world's problems. If this were just for a simple file server or some other service, I'd say sure, go with a Mac. But for directory services, they really should be using the system that is going to provide the most compatible solution for the client systems they run. I've seen this many times before: a small company has either Macs or PCs, but the consultant that they had at the time of their server purchase determined which server platform they had. I've seen it both ways (Mac shops that got a PC server and PC shops that got a Mac server).
However, if they are going to start moving most of their systems to Mac, then definitely go with a Mac server.
You will want to read the Open Directory PDF from http://apple.com/server/documentation (you will memorize this address in no time) and you might want to pick up a book on OS X Server such as the Apple Training Server Essentials or attend a training class.
I hope I didn't come off as too harsh, but it's early and I'm still on my first cup of coffee

Similar Messages

  • Audit group policy deletion

    Is it possible to retrospectively find which user may have accidentally deleted a group policy object? 
    We need to find out if we had a security breach and possibly close that issue.
    darren hitchen

    As said above, without auditing enabled, it's very hard to catch which person changed what.
    Here is how to enable auditing for Group Policy, and how to interpret the results:
    http://blogs.msdn.com/b/ericfitz/archive/2005/08/04/447951.aspx
    You may also walk through this other informative resource that covers all the required aspects to enable auditing and track the changes:
    http://blogs.msdn.com/b/canberrapfe/archive/2012/05/02/auditing-group-policy-changes.aspx
    Moreover, if you wish to audit such critical changes automatically, you may also consider the LepideAuditor suite (http://www.lepide.com/lepideauditor/group-policy.html), which could be a good
    alternative solution for you. It will let you track every critical change in real time and alerts instantly by sending customized email notifications.
    Lepide - Simplifying IT Management
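
Once auditing of the kind the answer above refers to is enabled, a GPO deletion shows up in a domain controller's Security log as event 5141 ("A directory service object was deleted") with object class `groupPolicyContainer`. The following is an added example, not part of the original thread; the function names and the sample event (account, GUID, domain) are constructed for illustration.

```powershell
# Added example (not from the thread). Event 5141 is written only if directory
# service change auditing was already enabled when the deletion happened, so this
# cannot recover deletions that predate the audit policy.

function ConvertFrom-DsDeleteEvent {
    # Parse the XML of one Security event; emit an object for 5141, nothing otherwise.
    param([Parameter(Mandatory)][xml]$EventXml)

    $sys = $EventXml.Event.System
    if ($sys['EventID'].InnerText -ne '5141') { return }

    # EventData holds <Data Name="...">value</Data> pairs; index them by name.
    $data = @{}
    foreach ($d in $EventXml.GetElementsByTagName('Data')) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    [pscustomobject]@{
        TimeCreated = $sys['TimeCreated'].GetAttribute('SystemTime')
        Account     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        ObjectClass = $data['ObjectClass']
        ObjectDN    = $data['ObjectDN']
    }
}

function Select-GpoDeletion {
    # Keep only deletions of GPO containers; child containers and other
    # directory objects are dropped.
    param([Parameter(ValueFromPipeline)]$Record)
    process { if ($Record.ObjectClass -eq 'groupPolicyContainer') { $Record } }
}

# Constructed sample event (hypothetical account, GUID and domain).
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>5141</EventID>
    <TimeCreated SystemTime="2024-01-15T10:22:31.000000000Z" />
    <Computer>dc01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ObjectDN">CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=example,DC=test</Data>
    <Data Name="ObjectClass">groupPolicyContainer</Data>
  </EventData>
</Event>
'@

ConvertFrom-DsDeleteEvent -EventXml $sampleXml | Select-GpoDeletion

# Live use on a domain controller, from an elevated session:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5141 } |
#     ForEach-Object { ConvertFrom-DsDeleteEvent -EventXml $_.ToXml() } |
#     Select-GpoDeletion
```

Each domain controller keeps its own Security log, so the live query has to be run against every DC that could have processed the delete.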

  • Mandatory Profiles, Group Policy Preferences, Synchronous processing

    Hello,
    I'm using Windows 8.1 Update to setup a lab of computers that will use standard user accounts with Mandatory Profiles and Group Policy to lock them down. Everything is working great with the exception of Group Policy Preferences. I am using GPP printers
    to add a shared printer to the computer lab and set the default. Due to asynchronous processing, the GPPs are applied only every other time. Since they are mandatory profiles, the settings are wiped out every time.
    I have enabled the GPO setting "Always wait for network at startup and logon" but it doesn't seem to have any effect. The Mandatory Profile is assigned in the user's AD object.
    From everything I can find on the issue, the problem seems to stem from the synchronous processing/asynchronous processing of group policy preferences, which explains the consistent alternating working. Fast logon optimization is always off when using a
    roaming user profile, which is the case of these standard users, to my understanding. I also configured cached logons to '0', disabling cached logons. The computers (configured to automatically sign in with SysInternals' Autologon) received an error (no logon
    servers available) trying to sign in before the network was ready, showing that they are ignoring the setting. Even with waiting for the network and signing in manually, the GPP printers are only successfully added every other time.
    http://technet.microsoft.com/en-us/library/jj573586.aspx
    2008R2 functional level
    I have created and recreated GPOs to test creating them on the DC and a Windows 8.1 Update computer, with no change in outcome.
    I have also tried setting Startup policy processing wait time, run logon scripts synchronously, and GPP Printers processing behaviors. For the latest testing, I created a new OU with blocked inheritance and created a new GPO with just the key settings to
    wait for network, install the printers, and use the mandatory profile. It still only worked every other time.
    I am currently at a loss for a good way to add the printers to the mandatory profiles. I have hacked them into the HKCU of the mandatory profile but I feel that is a kludge solution and not very sustainable. I have tried a logon PowerShell script but had
    no luck.
    TL;DR: Win8.1Update, Mandatory Profiles, standard user: Every other restart, GPP Printers are added perfectly and the desired outcome is reached. Every other, other restart the printers are not added.

    Hi,
    I'll involve another engineer in this thread for more discussion about your problem. Please wait patiently.
    Thank you for your understanding!
    Roger Lu
    TechNet Community Support

  • The Group Policy Client service failed the sign-in The universal unique identifier (UUID) type is not supported

    Hi guys,
    we created a custom WIM Image (Windows 8 Enterprise) with MDT 2012.
    Sysprepped the image, deployed via SCCM 2012 SP1.
    Computers are domain-joined. Error with standard Domain User.
    On some computers (not every computer) and not with every user, on the first logon the following error message arises:
    The Group Policy Client service failed the sign-in The universal unique identifier (UUID) type is not supported
    It works, when you log in a second time but this error isn't very nice. 
    Is there a solution for that?
    Kind Regards
    Martin

    Hi,
    The service is responsible for applying settings configured by administrators for the computer and users through the Group Policy component. This issue can be caused by various reasons based on the computer environment.
    Can you find any information in event log about this issue?
    Here is the related blog in which the steps can solve most of such issues if the issue continuously happens.
    http://blogs.msdn.com/b/moiqubal/archive/2012/03/04/how-to-fix-quot-the-group-policy-client-service-failed-the-logon-access-denied-quot-error.aspx
    Also, you can refer to the similar thread about this issue:
    http://social.technet.microsoft.com/Forums/en-US/4a644219-50ee-494d-b965-e64a8555109e/the-group-policy-client-service-failed-the-signin-the-universal-unique-identifier-uuid-type-is
    Since this issue can be related to SCCM, to better help you, please submit a new thread for further help:
    https://social.technet.microsoft.com/Forums/en-US/home?category=systemcenter2012configurationmanager
    Hope these could be helpful.
    Kate Li
    TechNet Community Support

  • How do I setup Active Directory and Group Policy on Windows Server 2012?

    I work for a school district that uses a Windows 2012 server with about 400 Windows 7 PCs and 150 Mac PCs. We are set up with Roaming Profiles on the PCs and would like to be able to setup Active Directory, Group Policy, and Roaming Profiles on our macs. (We also have a mac server that they are using as a file server only) As we are a school, our funds are very low. Now for the questions...
    Is there software that allows us to accomplish this?
    Is there a free solution or a very reduced price option to do this?
    I heard that http://www.centrify.com/products/mac-edition.asp may accomplish this and I read something about it on here but didn't know if this is what I was really trying to do because it was marked as "The Golden Triangle" and did not mention Roaming Profiles. This is the link though: https://discussions.apple.com/message/17200059#17200059
    Any help would be greatly appreciated.

    The above reply does not take into account that I am trying to use GROUP POLICY EDITOR to make it the default browser.

  • Group Policy Guru? Group Policy and Windows 7 erratic and inconsistent.

    (*If you don't feel like reading everything, skip to the bottom two paragraphs for my questions)
    I've had a premier call open with MS since August. This week I had a Microsoft Technician in-house.  Though we eliminated some possibilities, we're not really closer to a cause or solution.
    Every time we work with an expert, I get a different explanation to describe the situation we are viewing.
    Quick summary of the issue:  We've been using Group Policy to manage most Windows XP and 7 settings for years, but starting the middle of last year, we began having clients with machines where some or all group policies would fail to apply. 
    These could be long assigned policies, new policies, or changes to policies.  It would never affect everyone or even a majority at once, and the resolution is never the same.  Sometimes a GPUPDATE /FORCE sometimes fixed automajically the next day,
    sometimes (but very rarely) longer.
    Troubleshooting History:
    What we found in early troubleshooting, that these machines, had errors in Event Viewer for Netlogon, Time-Sync, and Group Policy.  The other issue we noticed, was that our GPRESULT /H reports were missing security groups and the denied section was
    nothing but SSID's.  The first issue pointed me to:
    Event ID 5719 and event ID 1129 may be logged when a non-Microsoft DHCP Relay Agent is used
    I installed these Hot Fixes.  No change to any of the errors in event viewer, or to our Group Policy problems.
    Initial work with Premier Support found that Netlogon, Time-Sync, and Group Policy, were failing before loading of the network stack.  The suggestion was to apply the group policy setting "Always wait for the network at computer startup and
    logon".  At the time, this seemed not to work.  The policy was set on a test bed of laptops and desktops, and no changes in behavior were seen after 3 days.
    Windows 7 Clients intermittently fail to apply group policy at startup
    For some time after this, we were collecting GPSVC and NetTrace logs for Premier Support, trying to document and troubleshoot the problem.  Eventually we got fed up and asked our TAM to call in a pro to get this resolved.  We were sent an engineer
    for 3 days.  For three days we banged away on this issue.  We verified AD and replication health, we tried numerous fixes and workarounds.  I learned 3 different descriptions of how Group Policy works, and in the end we thought we had a workaround
    using the "Always wait for the network at computer startup and logon" because of a single success late in the day.  On day 3 we tried replicating this fix, and quickly realized that the same issue we were having preventing other GPOs to apply,
    were also preventing our "fix" GPO from applying.  So we went the route of using a registry entry.  I also had a problem that even though it was making the process more consistent, it was still taking 3 reboots for a Computer Policy, assigned
    to a computer object via Security Group, to fully take effect on a computer.
    I used the registry methods in the above article.  It didn't work, no sign it was having the same effect the GPO had had.
    Our support engineer claimed this was the proper method, but that path wasn't even close in a Windows 7 SP1 registry, and after creating all the keys that were not present, it still didn't work.
    Always wait for the network at computer startup and logon - AzureWeb
    We ran out of time, our engineer returned home.
    I can understand how these errors indicate a problem applying Group Policy at boot.  But to me it doesn't explain why it doesn't correct post boot, and after a GPUPDATE /FORCE and a reboot.
    It also doesn't explain why we were working fine for years, then all of a sudden DHCP is being outrun by background services.  (By the way logging showed DHCP wasn't significantly delayed, our boot process was actually excellent, health wise.) 
    Why all of a sudden is this not behaving optimally?  No changes to network design or function.  No changes to the domain since 2008 R2 was installed in 2011.
    Today I'm reading through all these KB's and articles again, and took some time to read:
    [Forum FAQ] Common steps to start troubleshooting Group Policy
    application and its links below.
    We ran though all of that before and during the 3-day onsite.  It's not getting us any closer to the cause or a solution.
    I found and began some deep reading in this link today.  It has some additional information I will try to use next week:
    Group Policy Basics - Part 3: How Clients Process GPOs
    The one unanswered question I have is this.  How is group policy supposed to apply to a computer, when that policy is applied to a AD Security Group, in which the computer object is a member?
    Before we began having this problem, we would assign a computer GPO, then ask the user to reboot.  If it were a user GPO, we'd ask the user to log off, or reboot.  Either way, if we allowed a few minutes for AD and FRS replication, the user would
    log back in with that new policy in effect.  A new imaged machine would boot with all the GPO's linked to that domain and assigned to "Authenticated Users", already in effect.  Admin groups would be present in administrators, proxy settings
    would be set in Internet Explorer, etc.
    Now I'm asked to believe this was never the case from Premier Support and Microsoft Engineers.  That those policies require the equivalent of a "GPUPDATE /FORCE" that was executed by the Local_System account.  That 3 reboots may
    be necessary for a group policy to be applied.  One for the AD Security Group to be applied.  One for the Computer Policy to be applied.  And a final one for the policy in the GPO to be applied to Windows.
    Can someone confirm or correct this information please?  It's imperative to my troubleshooting.
    There's no place like 127.0.0.1

    That key is empty on all of my machines I have checked today.  Working and problematic alike.
    GPRESULT logs, when run as me, historically would show the group policies applied, denied, and the AD group membership all by name.  About 6 months ago I noticed this changed.
    Now they show the applied GPO's by name, a few of the denied GPO's by name, most by SID, and only 2 to 3 AD groups, though PowerShell shows all the AD groups assigned.  This happens after several AD security and distribution groups are added to the
    machine (Radia software distribution uses Dist groups to assign software).
    A check showed no groups with long legacy Kerberos keys.
    When we make a change to AD Security Group membership, to assign or deny a Group Policy, is usually when we encounter this problem.  It will usually fix itself in 24 hours of the machine being left up and running.  But no amount of GPUPDATE /FORCE
    and rebooting will cause the changes to take effect.
    During this time, the Group Policies will show assigned to the computer in the GPRESULT log.
    Yesterday I began looking into Spanning Tree configuration on our network being a possible cause for the boot up issues.  I'm waiting on responses from our Network group to confirm our configuration.
    There's no place like 127.0.0.1

  • Using Office 2013 group policy template to define Trusted Locations and Template Locations doesn't work

    User Configuration/Policies/Administrative Templates
    - Using Office 2013 group policy template to define Trusted Locations and Template Locations doesn't work
    Microsoft Word 2013/Word Options/Security/Trust Center/Trusted Locations
    - Allow Trusted Locations on the network: 
    Enabled 
    - Trusted Location #1: 
    Enabled 
    Path:  //server/sharedfoldername   [Edit:  Path:
    \\server\sharedfoldername]
    Date: June 10, 2013
    Description: Trusted Location
    Allow sub folders: Enabled
    The policy appears to apply to the client correctly by adding the following registry key and values:
    HKEY_CURRENT_USER\Software\Policies\Microsoft\office\15.0\word\security\trusted locations\location1
    allowsubfolders: 1
    date: June 10, 2013
    Description: Trusted Location
    Path:  //server/sharedfoldername  [Edit: Path: 
    \\server\sharedfoldername]
    However, when you open Word Options/Trust Centre/Trust Centre Settings…/Trusted Locations
    There are no trusted locations listed under ‘Policy Locations’
    I have tried setting similar settings for setting the Shared Templates folder location and just like the trusted locations policy, the registry keys are created properly in HKEY_CURRENT_USER\Software\Policies however word doesn’t
    seem to recognize these either.
    This used to work flawlessly using the administrative templates for Word 2007 and 2010. Has anyone been able to get these policies to apply successfully, or know why office doesn’t recognize these settings from the Policies registry
    Key?

    This would have been an easy solution to the issue.  Unfortunately it isn't the problem.  This question was originally posted on another Microsoft site and
    was transferred here and when it was transferred the paths changed from the original post: 
    \\server\sharedfodlername to //server/sharedfoldername.  (I will edit the question to show up as it did in the original post) Not sure how that happened.  This
    is still an issue that I haven't been able to get working correctly.
    As it turns out the 'New from Template' interface Word 2013 has developed is very bulky with large thumbnails and is not very customizable nor practical for an office
    that has a large number of templates.   Because I am unsatisfied with the display and performance of the 'New' template chooser I sought after a solution to change the way word creates a document from a template in another thread: 
    http://answers.microsoft.com/en-us/office/forum/office_2013_release-word/how-can-you-change-the-display-of-templates-in/d49194b9-a6b4-4768-8502-7d7b50e9dd65 working through this issue with Jay we were able to develop
    some VB script which handles a very large number of templates in a list view and it works much faster than the built-in Word interface.  The above thread is how I've worked around trying to define a shared template location and I am quite happy with it.

  • Configuring group policy for user profiles in Windows Server 2012 R2 Domain

    Requesting some expert advice on configuring group policy for user profiles.
    We will be building new Windows Server 2012 R2 Domain Controllers (Domain of 400 users).
    The settings which I am concerned:
    1. Folder Redirection: Desktop, Documents, Favorites.
    2. Quota for Folder Redirection - 1 GB per user.
    3. Map a networked drive - 1 GB per user.
    4. Roaming profile - (Will ignore if it does not suit our requirement). 
    The question is how the Outlook profile will be retained / automatically moved if the users move from one computer to another?
    FYI, E-mails hosted on MS Office365 and OST file size of few users more than 25GB. So, in case the user moves from one computer to other, the entire mailbox will be downloaded via internet. This consumes high bandwidth if more than 3-4 users shift per day.
    Thanks a lot for your valuable time and efforts.

    Hi,
    >>The question is how the Outlook profile will be retained / automatically moved if the users move from one computer to another?
    This depends on where our outlook data files are stored. If these data files are stored under
    drive:\Users\<username>\AppData\Local, then these files can’t be redirected, for folder redirection can’t redirect appdata local or locallow.
    However, regarding your question, we can refer to the following thread to find the solution.
    Roam outlook profiles without roaming profiles
    http://social.technet.microsoft.com/Forums/office/en-US/3908b8e0-8f44-4a34-8eb5-5a024df3463e/roam-outlook-profiles-without-roaming-profiles
    In addition, regarding how to configure folder redirection, the following article can be referred to for more information.
    Configuring Folder Redirection
    http://technet.microsoft.com/library/cc786749.aspx
    Hope it helps.
    Best regards,
    Frank Shen

  • Group Policy Deployment Acrobat Standard XI Version 11

    I was able to successfully create a Windows 2008 R2 SP1 Group Policy that would be able to distribute the Adobe Reader Application using the Adobe Customization Wizard XI. I tried to use the same procedure from the Adobe Acrobat Standard 11 download from the adobe licensing site and was unable to get the Group Policy to work. The error message that I am getting is...
    The install of application Adobe Acrobat XI Standard 11.0 from policy  Deploy Adobe Acrobat 11 failed. The error was : %%1603
    This is the procedure that I created for deployment of Adobe Acrobat XI using Group Policy.
    How to create a group policy deployment of Adobe Acrobat XI
    Overview:
    This procedure covers the steps needed to create a group policy that will deploy the Adobe Acrobat installation.
    Requirements
    •    Windows 2008 Group Policy
    •    Adobe Acrobat Customization Wizard
         o    ftp://ftp.adobe.com/pub/adobe/acrobat/win/11.x/11.0.00/misc/CustWiz11000_en_US.exe
    •    Adobe Acrobat XI (Version 11)
         o    download from adobe account
    Procedure:
    1.    Download the Adobe Acrobat XI package.
    2.    Extract the contents of the Adobe Acrobat XI package.
    a.    Type msiexec.exe /a AcroStan.msi
    b.    Click Next
    c.    Put in the Network Location Share where everyone can extract the installation.
    d.    Click Install
    e.    The package will then extract to the network location as indicated above.
    f.    Click Finish, once the installation has completed.
    g.    Open the Adobe Customization XI Wizard, and customize the package by selecting the AcroStan.msi file. 
    h.    Customize the AcroStan.MSI installation file   
    i.    Default viewer of PDF files: Make Acrobat the Default PDF Viewer
    ii.    Remove previous versions of Acrobat
    iii.    Run Installation: Silently
    iv.    If reboot is required at the end of installation: Suppress reboot
    i.    Shortcuts: Remove the desktop Shortcut
    j.    Online and Adobe Services: Disable Product Improvement Program: checked.
    k.   Generate Transform File
    i.    Click Transform > Generate Transform File
    ii.   Create an Setup.Ini file in the folder of the Distribution Package.
    iii.  Name the Transform File something useful like “CompanyConfigs”.
    3.    Create a Group Policy to deploy the software package. It is usually best to have a group policy for each software installation package.
    a.    Update the Domain Default Policy with Always install with elevated privileges. This will allow all software deployment packages to install. 
    i.    Computer Configuration > Policies > Windows Settings > Administrative Templates > Windows Components > Windows Installer > Always install with elevated privileges : Enabled.
    b.  Create a Group Policy to enable Windows 7 Verbose Mode
    i.    Computer Configuration > Policies > Administrative Templates > System > Verbose vs normal status messages : Enabled.
    c.    Create a Group Policy for the Software Installation
    i.     Computer Configuration > Policies > Software Settings
    ii.    Right click and select New > Package
    iii.   Click the AcroRead.msi
    iv.   Click Advanced
    v.    Click the Modifications Tab and click Add
    vi.   Optional: Click the Uninstall this application when it falls out of the scope of management.
    Note: This setting can be used to uninstall the application if the group policy ever changes in that the application should be removed.
    vii.    The package is now created …
    4.    Test the Client in a Virtual Machine
    a.    Go to a windows client and run “gpupdate /force”.
    b.    The system will then respond that it needs to restart the computer.
    c.    Type Yes, and allow the computer to reboot.
    d.    If Group Policy is not setup to allow for verbose messages in Windows 7 then the user will just see “Please wait…”, if verbose message is enabled the user will see “Installing Adobe Acrobat…”.
    Can someone please tell me what I am missing to get the group policy deployed? It has the same permissions as the Adobe Reader folder and I have done everything exactly the same, except that Adobe Standard has the license number, and owner information included in the Transform file (.mst).
    Thank you.
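
Step 3a of the procedure above enables "Always install with elevated privileges" in the default domain policy. That policy is stored as the value `AlwaysInstallElevated` under `Software\Policies\Microsoft\Windows\Installer`, takes effect on a client only when it is set to 1 in both the computer and the user hive, and then applies to every MSI a user starts, not only to deployed packages. The following is an added example, not part of the original post, that reports where the setting is present; the function names are illustrative, and the GPO scan assumes the GroupPolicy module (RSAT) in a domain session.

```powershell
# Added example (not from the post): audit the "Always install with elevated
# privileges" setting that step 3a enables.

function Get-AlwaysInstallElevatedState {
    # Local view: the policy is effective only if BOTH hives carry the value 1.
    $state = [ordered]@{}
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer"
        $item = Get-ItemProperty -Path $path -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $state[$hive] = ($null -ne $item) -and ($item.AlwaysInstallElevated -eq 1)
    }
    $state['Effective'] = $state['HKLM'] -and $state['HKCU']
    [pscustomobject]$state
}

function Find-AlwaysInstallElevatedGpo {
    # Domain view: list every GPO that sets the value, and on which side
    # (HKLM = Computer Configuration, HKCU = User Configuration).
    Import-Module GroupPolicy -ErrorAction Stop
    foreach ($gpo in Get-GPO -All) {
        foreach ($hive in 'HKLM', 'HKCU') {
            try {
                $setting = Get-GPRegistryValue -Guid $gpo.Id `
                    -Key "$hive\Software\Policies\Microsoft\Windows\Installer" `
                    -ValueName AlwaysInstallElevated -ErrorAction Stop
            } catch {
                continue   # value not configured in this GPO
            }
            if ($setting.Value -eq 1) {
                [pscustomobject]@{ Gpo = $gpo.DisplayName; Side = $hive }
            }
        }
    }
}

# Local check; runs on any Windows client without extra modules.
Get-AlwaysInstallElevatedState

# Domain-wide check; uncomment on a management host with RSAT installed.
# Find-AlwaysInstallElevatedGpo
```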

    Your case isn't unique. We've heard this a lot. While Acrobat has a small, very small percentage of settings available in the ADMX files,
    in case you don't know, PolicyPak software has a solution to manipulate, basically, near 100% of the settings in Acrobat Reader and Professional.
    You're welcome to check out how it works. These videos are for Acrobat X, but there are also templates in the download for XI.
    Here are links to the pages with full how-to videos:
    http://www.policypak.com/products/manage-acrobat-reader-with-group-policy.html
    and
    http://www.policypak.com/products/manage-acrobat-x-pro-and-acrobat-x-standard-using-group-policy.html
    You can be up and running in 20 minutes, but note, it's NOT a template. PolicyPak is a full application management and lockdown system.

  • Failed to Connect "Group Policy Client Service" Windows 7 x64

    This error pops up every time on boot / start-up. I've tried everything, for the last month.  including
    http://support.microsoft.com/kb/2421599 In the "Resolution Section" did step by step, But did not work for me...
    Also
    http://blogs.technet.com/b/mempson/archive/2010/01/10/userenvlog-for-windows-vista-2008-win7.aspx  Didn't work either.  :(
    Is this a Winlogin problem? Or does have to do with other computers in my homegroup?
    But in Safe Mode & Safe Mode with Networking, this issue does Not appear / pop-up at start up. "Group Policy Client Service"
    "HP Premium Remote Services" tells me that in order to fix, I have to Re-Install Windows. And have been in contact today with HP Premium Remote Services for over 7 hours with NO Resolution!!
    Hate to make a Recovery Partition on a New PC, in order to Re-Install Windows...
    This is a Brand New HP Pavilion HPE H8-1234 AMD Processor that I installed on 7/23/2012. Running windows 7 64-bit home premium, OS: Internet Explorer 9.
    Have a copy of Windows 7 Ultimate using Anytime Upgrade, My question is would that rectify the "Group Policy Client Service" error?
    Always run MalwareBytes Anti-Malware and Hitman Pro, in addition with Norton, on a regular basis. So that I know my system is clean...
    Any MS Engineers or Tech's have any ideas, suggestions OR help, How to Fix this issue,With-Out having to use: System Recovery/Restore. To factory condition...
    Would be Very Greatly Appreciated! HELP Me Pleeeze !!!!
    ***Because this issue Boggles my Mind! After all I'm only dealing with half a Brain, LOL- Due to Brain Tumor Surgery...

    I FOUND SOLUTION TO THIS PROBLEM!
    I had this issue on my laptop since November, and it really bugged me.  I sifted through the event log and found the pattern of events that preceded the issue, and, probably, caused it.
    In short, the pattern is as follows: Windows updates run automatically as scheduled, and when reboot is initiated after the updates are finished, the computer crashes (probably during reboot sequence).  When it boots up, it reports that the last shutdown
    was unexpected, and the issue begins to occur.
    I spent 2 days trying to dig out a solution from the Internet, to no avail, until I came across
    this page.  It doesn't say anything about this particular problem, but it gives more information about the SVCHOST process that starts many services, including Group Policy Client.  It looks like during reboot vital registry settings were lost during the
    crash and Group Policy Client "doesn't know" how to start.  Let me explain:
    There are two places to look in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services this path should contain
    gpsvc key (a folder), which is responsible for service parameters and configuration.  I found that the key was intact, so, you do not touch anything here - just check that the key exists.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST This is the most important path you should look into, as it must contain the keys and values referred in the key #1.  Below are descriptions what must be present
    there.
    There must be Multi-String value called GPSvcGroup. My laptop was missing it.  So, you should create multi-string value named
    GPSvcGroup and assign it value GPSvc.
    Next, you must create a key (a folder) and name it GPSvcGroup - this key normally should be there, but, again, it was missing on my laptop.
    Then open newly-created GPSvcGroup folder and create 2 DWORD values:
    First called AuthenticationCapabilities and you must give it a value of 0x00003020 (or 12320 in decimal)
    Second is called CoInitializeSecurityParam and it must have value of 1.
    Once you complete all steps above, reboot the computer and the problem will be fixed.
    I am so relieved I was able to fix it, and hope this will help others with the similar issue.
    Here is the link to the video walkthrough if you have any troubles understanding what has to be done: http://youtu.be/4m5KEmckWK4
    I did try the above, but it did not fix my issue with the "group policy client service failed the logon".
    This problem was happening on 5 different RDS Nodes. All I did was rename the Roaming Profile, then delete the locally stored profile on each RDS Server: right click COMPUTER > PROPERTIES > ADVANCED SYSTEM SETTINGS > USER PROFILES > delete the
    offending User(s).
    Hope that helps.
    Life is dangerous, no one has ever survived. So enjoy!
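
The registry state described in the fix above can be verified read-only before anything is created or changed. The following is an added example, not part of the original posts; the function name is illustrative, and the key paths and expected values are the ones given in the post.

```powershell
# Added example (not from the thread): read-only check of the svchost
# registration for the Group Policy Client service, using the paths and values
# listed in the post. Nothing is written to the registry.
# Run from a 64-bit PowerShell session so HKLM\SOFTWARE is not redirected.

function Test-GpSvcRegistration {
    $svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\gpsvc'
    $hostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $groupKey = Join-Path $hostKey 'GPSvcGroup'

    # DWORD values the post says must exist under Svchost\GPSvcGroup.
    $expected = [ordered]@{
        AuthenticationCapabilities = 0x00003020   # 12320 decimal
        CoInitializeSecurityParam  = 1
    }

    # 1. The service's own key must exist (the post says not to modify it).
    [pscustomobject]@{
        Check = 'Services\gpsvc key exists'
        Ok    = Test-Path -Path $svcKey
        Found = $null
    }

    # 2. Multi-string value GPSvcGroup under Svchost must list GPSvc.
    $multi = (Get-ItemProperty -Path $hostKey -Name GPSvcGroup -ErrorAction SilentlyContinue).GPSvcGroup
    [pscustomobject]@{
        Check = 'Svchost value GPSvcGroup contains GPSvc'
        Ok    = @($multi) -contains 'GPSvc'
        Found = @($multi) -join ','
    }

    # 3. Subkey GPSvcGroup must exist and carry the two DWORD values.
    [pscustomobject]@{
        Check = 'Svchost\GPSvcGroup key exists'
        Ok    = Test-Path -Path $groupKey
        Found = $null
    }
    foreach ($name in $expected.Keys) {
        $found = (Get-ItemProperty -Path $groupKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Check = "Svchost\GPSvcGroup\$name = $($expected[$name])"
            Ok    = ($null -ne $found) -and ($found -eq $expected[$name])
            Found = $found
        }
    }
}

# Print one row per check; any row with Ok = False is a deviation from the post.
Test-GpSvcRegistration | Format-Table -AutoSize
```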

  • Group Policy Client service does not start

    Hi,
    As soon as I (administrator on my PC) logon to Windows 7, I get a message saying that the Group Policy Client service failed to start. I'm not sure why I'm getting this error even though the dependencies are very much up and running..
    Below is the error message I get in the notification area as soon as I logon
    Failed to connect to a windows service
    Windows could not connect to the Group Policy Client service. This problem prevents standard users from logging on to the system.
    As an administrative user, you can review the System Event Log for details about why the service didn't respond.

    I FOUND SOLUTION TO THIS PROBLEM!
    The crash of your computer caused that - you are absolutely right!
    I had this issue on my laptop since November, and it really bugged me.  I sifted through the event log and found the pattern of events that preceded the issue, and, probably, caused it.
    In short, the pattern is as follows: Windows updates run automatically as scheduled, and when reboot is initiated after the updates are finished, the computer crashes (probably during reboot sequence).  When it boots up, it reports that the last shutdown
    was unexpected, and the issue begins to occur.
    I spent 2 days trying to dig out a solution from the Internet, to no avail, until I came across this page.  It doesn't say anything about this particular problem, but it gives more information about the SVCHOST process that starts many services, including Group Policy Client.  It looks like vital registry settings were lost during the crash on reboot, and Group Policy Client "doesn't know" how to start.  Let me explain:
    There are two places to look in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services this path should contain
    gpsvc key (a folder), which is responsible for service parameters and configuration.  I found that the key was intact, so, you do not touch anything here - just check that the key exists.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST This is the most important path you should look into, as it must contain the keys and values referred in the key #1.  Below are descriptions what must be present
    there.
    There must be Multi-String value called GPSvcGroup. My laptop was missing it.  So, you should create multi-string value named
    GPSvcGroup and assign it value GPSvc.
    Next, you must create a key (a folder) and name it GPSvcGroup - this key normally should be there, but, again, it was missing on my laptop.
    Then open newly-created GPSvcGroup folder and create 2 DWORD values:
    First called AuthenticationCapabilities and you must give it a value of 0x00003020 (or 12320 in decimal)
    Second is called CoInitializeSecurityParam and it must have value of 1.
    Once you complete all steps above, reboot the computer and the problem will be fixed.
    Video walkthrough for those who are not very technical is here: http://youtu.be/4m5KEmckWK4
    I am so relieved I was able to fix it, and hope this will help others with the similar issue.
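
    A read-only check of the registry state the post above describes, as an added example that is not part of the original post. The function name Test-GpsvcRegistration is hypothetical; the key paths, value names and expected data are the ones given in the post, and the script changes nothing.

    ```powershell
    # Read-only audit of the registry entries the post lists for the
    # Group Policy Client service (gpsvc). Nothing is written.
    # Test-GpsvcRegistration is a hypothetical name chosen for this example.
    function Test-GpsvcRegistration {
        [CmdletBinding()]
        param()

        $serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\gpsvc'
        $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
        $groupKey   = Join-Path $svchostKey 'GPSvcGroup'

        # DWORD values the post says must exist under ...\Svchost\GPSvcGroup.
        $expectedDwords = [ordered]@{
            AuthenticationCapabilities = 0x00003020   # 12320 decimal
            CoInitializeSecurityParam  = 1
        }

        $results = New-Object System.Collections.Generic.List[object]
        function Add-Result($check, $ok, $detail) {
            $results.Add([pscustomobject]@{
                Check  = $check
                Passed = [bool]$ok
                Detail = $detail
            })
        }

        # 1. The service key must exist (the post says to check it, not edit it).
        Add-Result 'Services\gpsvc key exists' (Test-Path $serviceKey) $serviceKey

        # 2. Multi-string value GPSvcGroup under Svchost must list GPSvc.
        $svchost = Get-Item -Path $svchostKey -ErrorAction SilentlyContinue
        if ($svchost -and ($svchost.GetValueNames() -contains 'GPSvcGroup')) {
            $kind    = $svchost.GetValueKind('GPSvcGroup')
            $members = @($svchost.GetValue('GPSvcGroup'))
            Add-Result 'Svchost\GPSvcGroup is multi-string' `
                ($kind -eq 'MultiString') "kind=$kind"
            Add-Result 'Svchost\GPSvcGroup lists GPSvc' `
                ($members -contains 'GPSvc') ($members -join ',')
        } else {
            Add-Result 'Svchost\GPSvcGroup value exists' $false 'value missing'
        }

        # 3. Subkey GPSvcGroup must hold both DWORDs with the expected data.
        $group = Get-Item -Path $groupKey -ErrorAction SilentlyContinue
        if (-not $group) {
            Add-Result 'Svchost\GPSvcGroup key exists' $false 'key missing'
        } else {
            foreach ($name in $expectedDwords.Keys) {
                $expected = $expectedDwords[$name]
                $actual   = $group.GetValue($name, $null)
                # GetValueKind throws on a missing value, so test for $null first.
                $isDword  = ($null -ne $actual) -and
                            ($group.GetValueKind($name) -eq 'DWord')
                Add-Result "GPSvcGroup\$name" `
                    ($isDword -and ($actual -eq $expected)) `
                    "actual=$actual expected=$expected"
            }
        }

        return $results
    }

    # Any row with Passed = False is an entry the post says to recreate.
    Test-GpsvcRegistration | Format-Table -AutoSize
    ```

    Running it before and after the manual edit shows which of the entries were actually missing on a given machine.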

  • Group Policy Client service failed! Help!

    A few days ago I was booted out of my account, while watching a DVD. My system restarted itself, but not before flashing some sort of blue screen. Unfortunately I was unable to read the content of it. After restarting, I was presented with a light blue login screen, instead of my normal screen. However, my name and profile picture remained the same. I was able to login with my password, only to be informed that I had been set up with a temporary account. I was unable to access my files, and had no idea how to access my regular account. After logging out, and restarting in hopes that it would go back to normal... my system went into recovery mode, and afterwards presented me with the same temporary account login screen. Only this time, I was unable to login. Instead I received "The Group Policy Client service failed the logon. Access denied" message. I'm the only user (administrative), and my computer has no internet connection. So, I'm not sure if this is a simple error; a result from my low capacity battery needing to be replaced, or a virus. I've checked previous forums, but I've had no luck. I can't login to my computer at all, and it's very frustrating. I've also backed up my files, just in case my system has to be restored to its factory settings (I hope not). Could any one tell me how to resolve this? Please!
    - Frustrated (Pavilion dv6-1350us) User

    Hello @chigi93 ,
    Welcome to the HP Forums!
    I understand you were booted from your account and can now only log in with a temporary account.
    Windows does this when the main account is unavailable. The account most likely needs to be repaired.
    Please follow this document to fix a corrupted profile: Fix a corrupted user profile.
    If that doesn't work please go through this document: You receive a "The User Profile Service failed the logon" error message.
    Let me know if that works.
    Please click the "Kudos, Thumbs Up" at the bottom of this post if you want to say "Thanks" for helping!
    Please click "Accept as Solution" if you feel my post solved your issue, it will help others find the solution.
    The Great Deku Tree
    I work on behalf of HP.

  • The group policy client service failed the logon access is denied.

    This one is starting to get on my nerves now. We've had 2 users suffering this problem on our Remote Desktop server.
    We are running two Windows Server 2008 SP2 domain controllers, with two Windows 2008 R2 servers running RD Gateway and Remote Desktop Server.
    The first user I had to recreate because of following instructions I googled because it caused the user to always logon with a temporary profile on the server and I could not resolve this.
    This user I have managed to cleanly delete the local logon profile.
    BOTH of these users are on roaming profiles, as are most of the users that are logging in to this server (for reasons that they move around the office). On the server, the user is listed twice one with a .v2 extension (XP machines at desks)
    The user we are having a problem with at the moment was working perfectly fine a couple of weeks ago when they last logged into the server.
    Could this be down to me setting an over ride on the settings that force people to logout completely after an hour of idle time, resulting in an unclean logoff?
    Some of the messages that are in the event log for when that user attempts to login:
    Event id: 1542
    Windows cannot load classes registry file.
    DETAIL - The system cannot find the file specified.
    Event ID: 6001
    The winlogon notification subscriber <Sens> failed a notification event.
    Event ID: 6004
    The winlogon notification subscriber <GPClient> failed a critical notification event.
    I'm also getting a constant batch of
    Event ID: 510
    Folder redirection policy application has been delayed until the next logon because the group policy logon optimization is in effect
    Any ideas why this should happen? I need a solution as soon as possible please as these users are running our sales department from home, and this user is due to be on the rota to do it this week! :)

    Andy, I have been struggling with this issue on a new 2008R2 server. Can
    you explain the commands you used to load ntuser.dat and usrclass.dat
    into the registry? This is a truly maddening issue.
    Thank you.
    On 1/10/2011 11:01 AM, Andy Murphy wrote:
    > Seems I have managed to over come this.
    >
    > After deleting the profile from within the Advanced System Settings >
    > User Profiles on the RD server I still couldn't logon (as said above
    > about clean deletion of the local profile)
    >
    > So I manually loaded the UsrClass.dat and NTUser.dat into the registry
    > as they were not there. To do this I did the following:
    >
    > Loaded NTUser.dat from the profile on the server as a hive under
    > HKEY_USERS to S-1-5-21-2055973500-2782184047-1828406536-1165
    >
    > Loaded UsrClass.dat from the profile.v2 on the server as a hive under
    > HKEY_USERS to S-1-5-21-2055973500-2782184047-1828406536-1165_Classes
    >
    > Then logged in as the user, and it works perfectly again (it did hang on
    > waiting for the session manager). To be sure I then copied the Default
    > user to that newly created profile on the RD server and logged in again,
    > no hangs. Perfect.
    >
    > Maybe this will solve a few other peoples problems with these related
    > errors.
    >

  • How to restrict users working on Windows 7 clients from accessing Windows Explorer and other systems in the network through Group Policy with a domain controller running on Windows Server 2008 r2

    Dear All,
    We are having an infrastructure setup of around 500 client computers managed through group policy.
    Recently the domain controllers have been migrated from Windows Server 2003 to Server 2008 R2.
    Since this account requires an extremely strict environment, we need to figure out the solution for restricting the users from accessing anything locally.
    It would be great if you can assist me with the following query.
    How to restrict users logged on Windows 7 clients from accessing Windows Explorer and browsing other systems in the network through Group Policy with a domain controller running on Windows Server 2008 r2 ?
    Can we disable Network Tab on the left hand pane ?
    explorer.exe is blocked already, but users are able to enter the Windows Explorer by clicking on the name which is visible on the Start Menu.

    >   * explorer.exe is blocked already, but users are able to enter the
    >     Windows Explorer by clicking on the name which is visible on the
    >     Start Menu.
    You cannot block explorer.exe when you do not replace the shell - the
    desktop you see effectively IS explorer.exe...
    Your requirement sounds like you need a custom shell:
    http://gpsearch.azurewebsites.net/#2812
    Martin
    How about reading a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Intermittent DNS resolution, timeserver, group policy updates errors in client logs in Win 2012 R2 single server environment

    We recently switched hardware and server software Win SBS 2008 to 2012R2 for a small network roughly 40 clients (Win7 Pro / Win 8.1 Pro) about 16 running concurrently at a given time and one network printer with the printer queue residing on the DC as well.
    I read that a single server environment might not be ideal in particular no fail-over but that is an accepted risk in this particular network here.
    Errors:
    Error 1043: Timeout during name resolution request
    Error 1129: Group policy updates could not be processed due to DC not available
    Error 5719: Could not establish secure connection to DC, DC not available
    Occasionally but disappears after a while
    Error 134: As a result of a DNS resolution timeout could not reach time server
    Symptoms
    On Win 7 Clients
    Network shares added through Group Policy will not show sometimes
    Network shares disconnect (red X) and when accessed return access authorization error after one or two clicks on the share finally grant access again
    When the issue with accessing network shares occurs, it usually also affects Internet access meaning a 'server not responding' error appears in the browser windows when trying to open just any web page
    nslookup during the incident returns cannot resolve error
    ipconfig on client shows correct default router (VDSL Router) and DHCP / DNS Domain Controller
    Also, the Win system log shows the above errors during these incidents, however, the number of incidents vary from 20-30
    On Win 8.1 Clients
    Same as above with the slight variation for network shares apparently due to Server 2012 and Win 8.1 clients managing drive shares differently. However, network share refresh does not work with these clients. In most cases only a gpupdate /force returns drive shares but usually only for the active session. After logoff / logon the shares are gone again.
    The issue does appear to be load related since it occurs even if there are only one or two workstations active.
    Server Configuration
    Dell R320 PowerEdge 16GB / 4TB 7200RPM RAID10 / GBitEthernet
    Zyxel 1910-48 Port Switch
    VDSL 50Mbps Down / 20Mbps Up
    Since the DC is the only local DNS and there are no plans to add another one or move DNS to another server, the DNS server is configured with this own address as preferred DNS with three DNS forwarders 1) VDSL Router 2) ISP DNS1 3) ISP DNS2
    Currently only one Network card is active for problem determination reasons.
    There appears to be no consensus concerning IPV6 enabled or disabled, I tried both with no apparent effect
    I have set all network cards server and client to Full Duplex and the same speed, also disabled Offload functions within the adapter settings. Some but no consistent improvements.
    Best Practice Analyzer Results
    DNS server scavenging not enabled
    Root hint server XYZ must respond to NS queries for the root zone
    More than one forwarding server should be configured (although 3 are configured)
    NIC1 should be configured to use both a preferred and alternate DNS (there is only one DNS in this network)
    I have found some instructions to apply changes to the clients through a host file but I would rather like to understand whether this DNS response time issue can be resolved on the server for example timing setting perhaps. Currently the DNS forwarders are
    set to 3 second.
    Since a few people have reported issues with DNS but most are working with multi DNS, DC environment I could not really apply any suggestions made there. Perhaps there is someone like me who is running a single server and has overcome or experienced the same issues. Any help would be appreciated

    Hello Milos thx for your reply.. my comments below
    1. What does it "switched"? You may mean migration or new installation. We do not know...
    >> Switched is probably the incorrect term, replaced would be the appropriate wording. Before, there was a HP Proliant Server with SBS 2008 with distinct domain and now there is a Dell Server with MS 2012 R2 with a distinct domain. Clients were removed from one (SBS) domain and added to the new Server 2012 domain. Other components did not change for example same Network Switch or VDSL Router, Workstations and Printer
    2. Two DCs are better alternative. Or backup very frequently. There are two groups of administrators. Those who have lost DC and those who will experience this disaster in near future.
    >> Correct, and I am aware of that
    3. NIC settings in W 7 and W 8.1, namely DNS points to DC (...and NOTHING else. No public IP or that of router DNS.))
    >> Correct, this is how it's currently implemented. Clients point to DC for DHCP and DNS and Default Router, no public IP or DNS. The only references to ISP DNS exist on the VDSL Router itself as provided through ISP when establishing VDSL
    Link and the list of Forwarders in the DNS Server configuration. However, I have just recently added the ISPs DNS as forwarders for test purposes and will probably learn tomorrow morning whether this had any effect for better or worse.
    4. Do nslookup to RR on clients. RR branch is saying client basic info on LDAP parameters of AD.
    >> Will post as soon as available
    5. I do not use forwarders and the system works
    >> Ok, does this mean it works for you in a similar or the same infrastructure setup or are you saying it is not required at all and I can remove any forwarder in a scenario like mine? If not required can you explain a bit more why it is not
    required apart from that it does work for you that way?
    6. DHCP should sit on DC (DHCP on router is disabled)
    >> Correct, no other device is configured to provide DHCP service other than DC and DHCP is currently running on DC
    7. NIC settings in DC points to itself (loopback address 127.0.0.1)
    >> Are you sure this is still correct and does apply to Server 2012? I am reading articles stating that it should be the servers own IP but local loop or should this be added as alternate DNS in addition to the servers own IP?
    8. Use IPCONFIG /FLUSHDNS whenever you change DNS settings.
    >> OK, that was not done every time I changed some settings but I can do that next week. Reboot alone would not suffice, correct?
    9. Test your system with dcdiag.
    >> See result below
    10. Share your findings.
    Regards
    Milos
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
      Home Server = GSERVER2
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
    Testing server: Default-First-Site-Name\GSERVER2
          Starting test: Connectivity
             ......................... GSERVER2 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\GSERVER2
          Starting test: Advertising
             ......................... GSERVER2 passed test Advertising
          Starting test: FrsEvent
             ......................... GSERVER2 passed test FrsEvent
          Starting test: DFSREvent
             ......................... GSERVER2 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... GSERVER2 passed test SysVolCheck
          Starting test: KccEvent
             ......................... GSERVER2 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... GSERVER2 passed test
             KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... GSERVER2 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... GSERVER2 passed test NCSecDesc
          Starting test: NetLogons
             ......................... GSERVER2 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... GSERVER2 passed test
             ObjectsReplicated
          Starting test: Replications
             ......................... GSERVER2 passed test Replications
          Starting test: RidManager
             ......................... GSERVER2 passed test RidManager
          Starting test: Services
             ......................... GSERVER2 passed test Services
          Starting test: SystemLog
             ......................... GSERVER2 passed test SystemLog
          Starting test: VerifyReferences
             ......................... GSERVER2 passed test VerifyReferences  
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : GS2
          Starting test: CheckSDRefDom
             ......................... GS2 passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... GS2 passed test CrossRefValidation  
       Running enterprise tests on : GS2.intra
          Starting test: LocatorCheck
             ......................... GS2.intra passed test LocatorCheck
          Starting test: Intersite
             ......................... GS2.intra passed test Intersite
    Server:  gserver2.g2.intra
    Address:  192.168.240.6
    *** gserver2.g2.intra can't find g2: Non-existent domain
    > gserver2
    Server:  gserver2.g2.intra
    Address:  192.168.240.6
    g2.intra
            primary name server = gserver2.g2.intra
            responsible mail addr = hostmaster.g2.intra
            serial  = 443
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)
    > wikipedia.org
    Server:  gserver2.g2.intra
    Address:  192.168.240.6
    Non-authoritative answer:
    wikipedia.org   MX preference = 10, mail exchanger = polonium.wikimedia.org
    wikipedia.org   MX preference = 50, mail exchanger = lead.wikimedia.org
    polonium.wikimedia.org  internet address = 208.80.154.90
    polonium.wikimedia.org  AAAA IPv6 address = 2620:0:861:3:208:80:154:90
    lead.wikimedia.org      internet address = 208.80.154.89
    lead.wikimedia.org      AAAA IPv6 address = 2620:0:861:3:208:80:154:89
    Final benchmark results, sorted by nameserver performance:
     (average cached name retrieval speed, fastest to slowest)
      192.168.240.  6 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      + Cached Name   | 0,001 | 0,002 | 0,003 | 0,001 | 100,0 |
      + Uncached Name | 0,027 | 0,076 | 0,298 | 0,069 | 100,0 |
      + DotCom Lookup | 0,041 | 0,048 | 0,079 | 0,009 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                 gserver2.g2.intra
                    Local Network Nameserver
      195.186.  4.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,022 | 0,023 | 0,025 | 0,000 | 100,0 |
      - Uncached Name | 0,025 | 0,071 | 0,274 | 0,065 | 100,0 |
      - DotCom Lookup | 0,039 | 0,040 | 0,043 | 0,001 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                         cns8.bluewin.ch
               BLUEWIN-AS Swisscom (Schweiz) AG,CH
      195.186.  1.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,022 | 0,023 | 0,026 | 0,001 | 100,0 |
      - Uncached Name | 0,025 | 0,072 | 0,299 | 0,066 | 100,0 |
      - DotCom Lookup | 0,039 | 0,042 | 0,049 | 0,003 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                         cns7.bluewin.ch
               BLUEWIN-AS Swisscom (Schweiz) AG,CH
        8.  8.  8.  8 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,033 | 0,040 | 0,079 | 0,011 | 100,0 |
      - Uncached Name | 0,042 | 0,113 | 0,482 | 0,097 | 100,0 |
      - DotCom Lookup | 0,049 | 0,079 | 0,192 | 0,039 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                 google-public-dns-a.google.com
                     GOOGLE - Google Inc.,US
      UTC: 2014-11-03, from 14:33:12 to 14:33:29, for 00:17,648
    15: 40
    192.168.240.  6 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      + Cached Name   | 0,001 | 0,002 | 0,004 | 0,000 | 100,0 |
      + Uncached Name | 0,025 | 0,074 | 0,266 | 0,063 | 100,0 |
      + DotCom Lookup | 0,042 | 0,048 | 0,075 | 0,007 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                 gserver2.g2.intra
                    Local Network Nameserver
      195.186.  1.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,022 | 0,024 | 0,029 | 0,001 | 100,0 |
      - Uncached Name | 0,024 | 0,073 | 0,289 | 0,067 | 100,0 |
      - DotCom Lookup | 0,039 | 0,041 | 0,043 | 0,001 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                         cns7.bluewin.ch
               BLUEWIN-AS Swisscom (Schweiz) AG,CH
      195.186.  4.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,022 | 0,024 | 0,029 | 0,001 | 100,0 |
      - Uncached Name | 0,025 | 0,073 | 0,286 | 0,065 | 100,0 |
      - DotCom Lookup | 0,041 | 0,066 | 0,180 | 0,037 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                         cns8.bluewin.ch
               BLUEWIN-AS Swisscom (Schweiz) AG,CH
        8.  8.  8.  8 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,033 | 0,038 | 0,077 | 0,009 | 100,0 |
      - Uncached Name | 0,042 | 0,105 | 0,398 | 0,091 | 100,0 |
      - DotCom Lookup | 0,049 | 0,066 | 0,141 | 0,025 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                 google-public-dns-a.google.com
                     GOOGLE - Google Inc.,US
      UTC: 2014-11-03, from 14:39:59 to 14:40:12, for 00:13,363
