Help with Group Policy

Hello all,
I am new to Group Policy. The server is running Windows 2008 R2. All clients are on Win 7. I have made a folder redirect by creating it on the Default Domain Policy instead of creating a GPO. Is there a downfall and if so, how do I redo it and have it fixed?

What if I just let it stay without creating the new GPO and let it be on the DDP? Will any issue arise, or is there a possibility that it might mess with the system or client PCs connected to the domain?

You can let it be, it will not cause harm with anything at all.
It is fine, in a small and simple network, which does not change often, for these things to remain.
If you have a complex network, with many different GP configurations required, having such settings in your DDP can then be a problem, to achieve your desired different/granular settings, e.g. different settings for different departments.
If the DDP (which applies to all departments) contains this setting, then, how do you set it differently for two departments?
But if your network is small and simple, it's fine to do this.
If you have no expectation that in the future it will cause constraint for you, it's fine like this.
You can always change it later, but, it might be more effort then, compared to now?
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)
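
To see the scope Don describes, this added example (not part of the original thread) lists which setting areas a GPO carries and every container it is linked to. It parses the XML produced by `Get-GPOReport`; the sample report and the domain name `example.local` are constructed so the function runs without a domain.

```powershell
# Added example: list the setting areas a GPO carries and where it is linked.
function Get-GpoSettingAreas {
    param([Parameter(Mandatory)] [string] $ReportXml)

    $gpo = ([xml]$ReportXml).GPO
    # Every link target (domain, site or OU) receives all settings in the GPO.
    $links = @($gpo.LinksTo | Where-Object { $_ } |
               ForEach-Object { $_.SOMPath }) -join '; '

    foreach ($side in 'Computer', 'User') {
        foreach ($ext in @($gpo.$side.ExtensionData)) {
            if ($null -eq $ext) { continue }   # this side holds no settings
            [pscustomobject]@{
                GPO      = $gpo.Name
                Side     = $side
                Area     = $ext.Name
                LinkedTo = $links
            }
        }
    }
}

# Constructed sample in the Get-GPOReport XML layout: a Default Domain Policy
# that also carries a user-side Folder Redirection setting.
$sample = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Default Domain Policy</Name>
  <Computer>
    <Enabled>true</Enabled>
    <ExtensionData><Name>Security</Name></ExtensionData>
  </Computer>
  <User>
    <Enabled>true</Enabled>
    <ExtensionData><Name>Folder Redirection</Name></ExtensionData>
  </User>
  <LinksTo>
    <SOMName>example</SOMName>
    <SOMPath>example.local</SOMPath>
    <Enabled>true</Enabled>
  </LinksTo>
</GPO>
'@

Get-GpoSettingAreas -ReportXml $sample | Format-Table -AutoSize

# Against a live domain (GroupPolicy module from RSAT):
# Get-GpoSettingAreas -ReportXml (Get-GPOReport -Name 'Default Domain Policy' -ReportType Xml)
```

A Folder Redirection row whose LinkedTo is the domain root applies to every user in the domain, which is the case where per-department differences become hard to express.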

Similar Messages

  • Deploying Files with Group Policy - Help Needed

    Hi,
    I am trying to use group policy to deploy files and folders to our server estate. The policy I have created first creates a folder on each server's C drive and then copies a set of files to this folder from a network share. The folder creation works fine
    but the files copy fails. In the Application logs on the servers it displays the following error:
    The computer 'ILMT' preference item in the 'GPO - Servers_Production_ALL {CC026B58-FA3B-4399-AA00-AE8E844B2B47}' Group Policy object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.
    Can anyone advise what exactly does not have access here? I don't know what I need to enable to get this to work.
    Can anyone help?
    Many thanks
    James

    The copy is on a file server share. presumably if I just give everybody read access to the share that would suffice?
    No it won't.
    "Sharing" requires several actions:
    a) create the folder
    b) share the folder
    c) grant NTFS permissions on the folder
    I think you've neglected action (c).
    For your scenario, you need to grant the "server computers" read permissions to the folder.
    You can add individual computer accounts, or a group, or "domain computers".
    (In a similar way, you could grant access to a user, a group, or "domain users")
    [if you need everybody (users) *AND* everything (computers), you could grant permissions to "authenticated users" since that principal includes *BOTH* users and also computers]
    Note that "domain computers" and "authenticated users" include all types of domain member computers, i.e. servers, workstations, etc.
    Also, note that granting a "computer account" access to a folder or share, does *NOT* mean that a user account on that computer can access the remote share, i.e. permission is granted to the computer account, and a logged-in user account on
    that computer does not inherit any kind of access to the remote share by virtue of being logged in.
    This means that the computer can access the share but the user cannot access the share. Because the computer account is an identity/principal of its own accord.
    [None of which really has anything to do with Group Policy at all - it's how Windows does file sharing and ACLs... ;)]
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)
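
The two permission layers Don lists as (b) and (c), as an added example that is not part of the original thread: one function grants a computer group read access on both the share and the folder, the other checks that both layers carry the entry. It assumes the SmbShare module on the file server (Windows Server 2012 or later); the share name, folder path and group name in the usage comment are placeholders.

```powershell
# Added example: computer accounts need read access at BOTH layers.
function Grant-ComputerReadAccess {
    param(
        [Parameter(Mandatory)] [string] $ShareName,
        [Parameter(Mandatory)] [string] $FolderPath,
        [Parameter(Mandatory)] [string] $Principal   # e.g. 'EXAMPLE\Domain Computers'
    )
    # Layer 1: share permission.
    Grant-SmbShareAccess -Name $ShareName -AccountName $Principal `
        -AccessRight Read -Force | Out-Null

    # Layer 2: NTFS permission, inherited by files and subfolders.
    $ruleArgs = $Principal, 'ReadAndExecute',
                'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $ruleArgs
    $acl = Get-Acl -Path $FolderPath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $FolderPath -AclObject $acl
}

function Test-ReadAtBothLayers {
    param(
        [Parameter(Mandatory)] [string] $ShareName,
        [Parameter(Mandatory)] [string] $FolderPath,
        [Parameter(Mandatory)] [string] $Principal
    )
    # Only explicit entries for $Principal are checked; access that arrives
    # through another group (for example Authenticated Users) is not resolved.
    $read = [System.Security.AccessControl.FileSystemRights]::Read

    $share = Get-SmbShareAccess -Name $ShareName | Where-Object {
        $_.AccountName -eq $Principal -and $_.AccessControlType -eq 'Allow'
    }
    $ntfs = (Get-Acl -Path $FolderPath).Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $read) -eq $read
    }
    [pscustomobject]@{
        SharePermission = [bool]$share
        NtfsPermission  = [bool]$ntfs
        BothLayers      = ([bool]$share -and [bool]$ntfs)
    }
}

# Usage on the file server, from an elevated session (placeholder names):
# Grant-ComputerReadAccess -ShareName 'Deploy' -FolderPath 'D:\Deploy' -Principal 'EXAMPLE\Domain Computers'
# Test-ReadAtBothLayers    -ShareName 'Deploy' -FolderPath 'D:\Deploy' -Principal 'EXAMPLE\Domain Computers'
```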

  • How to edit Printer Connections in GPO created through Print Management's "Deploy with Group Policy"

    Hi there,
    I have used the right-click "Deploy with Group Policy" in Print Management on Windows Server 2012 to deploy a printer connection to a GPO.   
    When you look at the GPO Settings, the Printer Connection is visible under User Configuration -> Policies -> Windows Settings -> Printer Connections -> Path: \\printserver\PrinterName.
    However, I cannot edit or delete that Printer Connection Path, which would be necessary if I had to rename or delete the printer referenced.  If you Edit the GPO, "Printer Connections" is not available under Windows
    Settings, only Scripts, Security Settings, Folder Redirection, and Policy-based QoS.
    Is there a way to edit the GPO's Printer Connections that are created with "Deploy with Group Policy"?
    Thanks for your help.

    Hi,   
    How do you want to edit the printer connection? Do you want to edit the path of printer connection?
    Based on my test, we can’t edit the printer connection directly in GPO. We can edit the path of printer connection in printer management.
    For detailed steps, we can refer to the method Miles Zhang provided in the following link:
    Where is "Printer Connections set"?
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/77e2b4be-7372-4cb2-9d21-bca83f472fc3/where-is-printer-connections-set?forum=winserverGP
    Best Regards,
    Erin

  • Pin Programs on the Windows 7 Taskbar & Start Menu with Group Policy (Windows Server 2008 R2)

    Dear ALL,
    I want to Pin Programs on the Windows 7 Taskbar & Start Menu with Group Policy (Windows Server 2008 R2) as per below description. Can someone please help me how to proceed and achieve this. 
    Pin the following applications to the Taskbar:
    Outlook
    Pin the following applications to the Start Menu:
    Outlook
    Excel
    Word
    Internet Explorer
    Software Center
    Regards,
    Amit Kumar Rao

    https://www.google.de/search?q=windows+7+pin+to+taskbar+vbs
    Martin
    How about reading a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Deploy reader 10.1.3 with group policy

    I would like to install 10.1.3 with group policy.  I can download the .exe file but extracting it to be an .msi is a struggle.  These are Enterprise Windows 7 machines that already have adobe reader 10.1.1 on them.  Please help.  Thanks.

    Moving this discussion to the Adobe Reader forum.

  • Excel 2003 problem with group policy

    When I manually install EMET Excel 2003 works. When Emet is installed via Group Policy Excel 2003 fails to open. Excel 2010 works whether EMET is installed locally or with Group Policy. Any ideas?

    I would try exporting the policy on both installs using emet_conf --export and comparing the 2 policies
    GBS Premier Field Engineer Cybersecurity Check out my blog http://blogs.technet.com/kfalde or better yet check out http://technet.com/wiki and start contributing :)

  • Remove the "Safety" tab from IE 11 tools with group policy

    Is there any way to remove the "Safety" tab or its contents from the
    tools button in the upper right hand corner of IE 11 with Group Policy 2008 r2. I am using a GPMC on a windows 8.1 computer running IE 11. All of the computers we manage are Windows 7 pro running IE 10 or IE 11. The computers I am trying to remove the "Safety"
    from are used as library catalog computers. We have them pretty well locked down with group policy and a squid server. I just need to remove the "Safety" or the contents in it. I would love to remove the "Tools" all together but haven't
    found a way. 
    I thought maybe I could use the "Force Full Screen" but need a back, forward
    and home button.

    Hi,
    There is no method to remove this button.
    If no, like that thread, firewall and proxy could meet your requirement.
    Creating Rules that Block Unwanted Outbound Network Traffic
    http://technet.microsoft.com/en-us/library/cc732306(v=ws.10).aspx
    For Proxy, you could use this group policy to disable user to change connection setting. Navigate to
    Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
    Find the following entry and enable it.
    disable changing connection settings
    Then don't grant admin permission to other user so that they cannot do any changing on computer.
    Karen Hu
    TechNet Community Support

  • How to Managing Firefox Settings with Group Policy?

    Hi
    Is there any way to manage Firefox Settings through Windows group policy?
    I want to replace Firefox with IE in the network but don't know how to customize the settings with GPO.

    There are some third party solutions that have worked for others in the past:
    You would need a user.js file and a lock file with a list of preferences. Please see the instructions on how to do this:
    * kb.mozillazine.org/Locking_preferences
    * https://mike.kaply.com/2014/12/16/managing-firefox-with-group-policy-and-policypak/

  • Remove "Mark All as Read" button with Group Policy from Outlook 2013

    Under the Folder tab in Outlook 2013, there is a "Mark All as Read" icon. How can I permanently delete this icon? I remember doing so with Outlook 2003 / 2007 through a Group Policy setting. Not sure how to take care of that with Outlook 2013...I
    think I need an ID code? I've tried right-clicking the icon and choosing Customize the Ribbon, but you can't remove the "Mark All as Read" as a single icon, you have to get rid of the entire Folder tab. Thanks!

    Hi,
    Yes, we can disable the “Mark All as Read” button in Outlook 2013 by using control IDs. Please follow the steps below to achieve the goal:
    1. Press Windows key + R, type gpedit.msc in the Run command and press Enter.
    2. In the Group Policy Management Editor navigation pane, locate User Configuration > Administrative Templates > Microsoft Outlook 2013 > Disable Items in User Interface > Custom
    3. In the details pane, double click to open Disable command bar buttons and menu items.
    4. Choose Enabled, and then choose Show.
    5. In the Show Contents dialog box, under Value, enter the control ID for the command that you want to disable. The control ID to disable “Mark All as Read” button is 1906.
    6. When you have finished entering control IDs, choose OK, and then choose OK again to exit the Disable commands dialog box.
    For more information about control IDs, please refer:
    http://technet.microsoft.com/en-us/library/cc179143(v=office.15).aspx
    Hope this helps.
    Best Regards.
    Steve Fan
    Forum Support
    Come back and mark the replies as answers if they help and unmark them if they provide no help.

  • BitLocker - Conflict with Group Policy

    Hi;
    I am using Bitlocker on my Win 8.1 Pro, and it works ok when I encrypt my C: drive, I configured my computer to let it prompt for PIN number when I turn on my computer by using the following setting in Group Policy for "Require additional authentication
    at startup".
    Configure TPM startup: Allow TPM
    Configure TPM startup PIN: Require startup PIN with TPM
    Configure TPM startup key: Allow startup key with TPM
    Configure TPM startup key and PIN : Allow startup key and PIN with TPM
    I tried it and reboot my computer, it works fine and the computer prompt me for the PIN number after reboot.  However; when I tried to encrypt my USB key or another E: drive partition, I got the error below.  I tried to disable my group policy
    but no help.
    "the group policy settings for BitLocker startup options are in conflict and cannot be applied."
    KW - CNE,MCSE,VCP5

    Hi KANE.W,
    For BitLocker Group Policy settings, “Require additional authentication at startup” group policy has conflicts, if one authentication method is required, the other methods cannot be allowed.
    Based on your description, I am supposing that in “require additional authentication at startup”, If you choose to require an additional authentication method, other authentication methods cannot be allowed.
    For more information about conflicts of BitLocker group policy
    https://technet.microsoft.com/en-us/library/jj679890.aspx?f=255&MSPPError=-2147217396#BKMK_unlockpol1
    Regards
    D. Wu
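
The rule D. Wu quotes (if one authentication method is required, the other methods cannot be allowed) written as a check, as an added example that is not part of the original thread. The registry value names and the 0/1/2 encoding come from the BitLocker policy template rather than from the thread, and the two settings tables are constructed: one mirrors the four settings listed in the question, the other is a non-conflicting variant.

```powershell
# Added example. Encoding of each value under
# HKLM:\SOFTWARE\Policies\Microsoft\FVE: 0 = Do not allow, 1 = Require, 2 = Allow
$script:StartupMethods = 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'

function Test-BitLockerStartupPolicy {
    param([Parameter(Mandatory)] [hashtable] $Policy)

    $required = @($script:StartupMethods | Where-Object { $Policy[$_] -eq 1 })
    # Once a method is required, every other method must be 'Do not allow'.
    $offending = @($script:StartupMethods | Where-Object {
        $required.Count -ge 1 -and
        $_ -ne $required[0] -and
        $Policy[$_] -in 1, 2
    })
    [pscustomobject]@{
        Conflict  = ($offending.Count -gt 0)
        Required  = $required -join ', '
        Offending = $offending -join ', '
    }
}

function Get-BitLockerStartupPolicy {
    # Reads the effective policy from the local registry; values that are
    # not configured come back as $null and are ignored by the check.
    $props = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                              -ErrorAction SilentlyContinue
    $policy = @{}
    foreach ($name in $script:StartupMethods) { $policy[$name] = $props.$name }
    $policy
}

# Constructed: the four settings as listed in the question.
$asPosted  = @{ UseTPM = 2; UseTPMPIN = 1; UseTPMKey = 2; UseTPMKeyPIN = 2 }
# Constructed: PIN required, every other method set to 'Do not allow'.
$corrected = @{ UseTPM = 0; UseTPMPIN = 1; UseTPMKey = 0; UseTPMKeyPIN = 0 }

Test-BitLockerStartupPolicy -Policy $asPosted    # Conflict = True
Test-BitLockerStartupPolicy -Policy $corrected   # Conflict = False

# On a managed machine:
# Test-BitLockerStartupPolicy -Policy (Get-BitLockerStartupPolicy)
```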

  • Issues adding TCP/IP Printer with Group Policy

    I have been trying to add a TCP/IP Printer using group policy, User Preferences. I can add a HP Laserjet 4600 Printer but I'm not able to add the second printer a Canon iRC4580. It keeps coming up with issues stating "The object selected does not match
    the type of destination source. Select again" I have read through multiple tech forums on this error and I have tried unlisting the printer and listing it again in the directory. I have also tried renaming it to a short name without spaces. neither of
    these have resolved the issue. I have also tried creating a new printer from scratch for the canon and this doesn't resolve it either.
    Anyone out there who can help.
    Windows 2012 R2
    Canon iRC4580 PCL6 driver (64bit)
    HP Colour LaserJet 4600 PCL driver (64bit)
    Thanks

    > It keeps coming up with issues stating "The object selected does not
    > match the type of destination source.
    Which action results in this message?
    Greetings/Grüße,
    Martin
    How about reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me -
    coke bottle design refreshment (-:

  • Deploying Office 2013 with Group Policy

    I would like to deploy Office 2013 using group policy. I am new to group policy so am looking for some advice and guidance on the best way to deploy. I would like to deploy with no interaction with the user but yet display a message so that they
    know not to open Office. I would also like to create a custom registry setting so that if I need to re-install, all I have to do is delete the registry setting. I have tried a group policy for installing with OCT  settings (Basic, Suppress
    Model checked, No Cancel checked, Completion Notice checked) and modifying the Config.xml (<Display Level="Basic" CompletionNotice="yes" SuppressModal="yes" AcceptEula="yes" />) but I can not get it to display
    the installer screen so that users know it is installing. It does display the screen when running the setup.exe manually. I have a setting in the OCT that creates the registry setting and that is working correctly. My group policy is set to run the
    below bat file at startup in the Computer Configuration.
    setlocal
    REM *********************************************************************
    REM Environment customization begins here. Modify variables below.
    REM *********************************************************************
    REM Get ProductName from the Office product's core Setup.xml file, and then add "office15." as a prefix.
    set ProductName=Office15.Standard
    REM Set DeployServer to a network-accessible location containing the Office source files.
    set DeployServer="\\xxxxxx\setup.exe"
    REM Set LogLocation to a central directory to collect log files.
    set LogLocation=\\xxxxx\Logfiles
    REM *********************************************************************
    REM Deployment code begins here. Do not modify anything below this line.
    REM *********************************************************************
    IF NOT "%ProgramFiles(x86)%"=="" (goto ARP64) else (goto ARP86)
    REM Operating system is X64. Check for 32 bit Office in emulated Wow6432 uninstall key
    :ARP64
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\Microsoft\Windows\CurrentVersion\Uninstall\%ProductName%
    if NOT %errorlevel%==1 (goto End)
    REM Check for 32 and 64 bit versions of Office 2013 in regular uninstall key.(Office 64bit would also appear here on a 64bit OS)
    :ARP86
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ProductName%
    if %errorlevel%==1 (goto Office) else (goto End)
    REM If 1 returned, the product was not found. Run setup here.
    :Office
    %DeployServer%
    echo %date% %time% Setup ended with error code %errorlevel%. >> %LogLocation%\%computername%.txt
    REM If 0 or other was returned, the product was found or another error occurred. Do nothing.
    :End
    Endlocal
    Any advice or guidance would be greatly appreciate on how to get a pop up message while software is installing or if there is a better way to deploy.

    > but I can not get it to display the installer screen so that users know
    > it is installing. It does display the screen when running the setup.exe
    > manually. I have a setting in the OCT that creates the registry setting
    > and that is working correctly. My group policy is set to run the
    > below bat file at startup in the Computer Configuration.
    Check http://gpsearch.azurewebsites.net/#2308 - if this is enabled, you
    will not be able to show "anything" in startup scripts...
    Martin
    How about reading a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • How can I disable IPv6 EUI randomization with group policy?

    I need to turn off IPv6 EUI address randomization. It can be done in netsh (a few commands) or powershell (Set-NetIPv6Protocol -RandomizeIdentifiers Disabled).  How can I do this in group policy without scripting?

    Hi Jordan,
    Before going further, I hope that the suggestion provided by Martin can be helpful.
    It seems that we can't configure this setting via native policy. To configure IPv6 settings, we need to download ADMX files for IPv6. However, per the following article, the IPv6 settings that can be configured are:
    Enable all IPv6 components (Windows default)
    Disable all IPv6 components (the setting you probably want)
    Disable 6to4
    Disable ISATAP
    Disable Teredo
    Disable Teredo and 6to4
    Disable all tunnel interfaces
    Disable all LAN and PPP interfaces
    Disable all LAN, PPP and tunnel interfaces
    Prefer IPv4 over IPv6
    How to Disable IPv6 through Group Policy
    http://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx
    Best regards,
    Frank Shen
    Please read the question before marking things as answers.

  • Cannot Copy File with Group Policy Preferences

    Hi,
    I am trying to use a Group Policy Preference to copy a simple text file from a network share to a folder at the root of 'C:\' on the clients. It is not happening. I created the preference in the computer section of the GPO. It is set to create, as the file
    does not already exist on the client, with the archive bit on.
    Source: \\server.domain.com\folder\fileshare\file.txt
    Destination: C:\folder
    GPResult shows the clients are getting the GPO, but it seems as if that one setting and another is not being applied. I have no idea why this isn't working when other parts of the GPO are being applied. I read
    the documentation on the Technet page, but I must have missed something.
    Any ideas why this might not be working?
    Thanks
    Jason Watkins MCSE, MCSA, MCDBA, CCNA

    > Computers" has read access. Listing the actual file name in the
    > destination is something I would have never though to do.
    ...unless the path ends with an "\", it IS a file name, so if you had
    "C:\Folder" as the target, check your C:\ drive for a file called
    "Folder" :)
    Martin
    How about reading a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Help with ipsecurity policy

    I'm working on a Windows Server 2012 Standard machine and am trying to create an IP security policy rule. On Windows Server 2008 I could block IP addresses from the internal LAN on a machine running RRAS and DHCP DNS, but now if I assign a new IP security
    policy it does not affect the LAN, only the server computer. Someone help please.

    Hi,
    Sorry to say that I am not clear about your needs. Did you mean that the older IPsec policy didn’t work after creating a new one?  If I misunderstood
    anything, please feel free to let me know and I would appreciate if you can provide more detailed information.
    Please pay attention that only one policy can be assigned to a computer at a time. Assigning another policy will automatically unassign
    the currently assigned policy. In addition, you must create a mirrored policy on the other computer and assign that policy to that computer if you want to assign computer-to-computer IPsec policy. You need to use Group Policy if you want to assign a policy to
    many computers.
    More information:
    How to Block an IP Address using IPSec
    https://www.serverintellect.com/support/windowsserversecurity/ipsec-blockip/
    Note: Microsoft is providing this information as a convenience to you. Please
    make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Best regards,
    Susie
