How to implement "log on locally" via Domain Group Policy

Hello,
Thanks for always being very helpful.
My Goal:
I want to restrict one domain user to login to one computer only (admin/root users to login to every computer).
I searched and I believe there is no such direct way to implement this via the group policy unless I add one GPO per user to implement "log on locally" from the group policy.
Do you have some VB script or other good way so that I do not have to log in to each computer one by one and edit the policy manually?
Thanks in advance.
Muhammad Asif Server Administrator Linux/Windows

I am sorry if I wasn't clear. I am managing about 250 users and want to accomplish this from a centralized location. I don't want to go to every machine and apply the changes.
I want to let one domain user log in to one system only.
I have the list of computer names vs. usernames, and I want to apply it from a centralized location without logging in to each computer one by one.
Thanks a lot for the assistance.
Muhammad Asif Server Administrator Linux/Windows

The solution can only be applied once at the DC with ADUC or with Set-ADUser as I posted. It only needs to be run once from one DC.
¯\_(ツ)_/¯
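
The reply above refers to a Set-ADUser script that is not reproduced on this page. The following is an added example, not the poster's code, of applying a "computer name vs. username" list in one pass with the `-LogonWorkstations` parameter; the user names, computer names and the `Get-LogonWorkstationPlan` helper are constructed for illustration.

```powershell
# Added example: per-user workstation restriction applied centrally with Set-ADUser.
# Requires the ActiveDirectory module (RSAT) and rights to modify the user objects.
Import-Module ActiveDirectory

# Constructed sample of the "computer name vs. username" list. In practice load
# your own file instead, e.g. $rows = Import-Csv .\user-computer.csv (hypothetical path).
$rows = @'
UserName,ComputerName
jdoe,WS-0101
asmith,WS-0102
asmith,WS-0117
Administrator,WS-0101
'@ | ConvertFrom-Csv

# Accounts that must stay unrestricted (assumption: listed by sAMAccountName).
$unrestricted = @('Administrator')

function Get-LogonWorkstationPlan {
    # Hypothetical helper: turns the rows into one comma-separated list per user.
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [string[]] $Unrestricted = @()
    )
    $Rows |
        Where-Object { $_.UserName -and $_.ComputerName } |
        Where-Object { $Unrestricted -notcontains $_.UserName.Trim() } |
        Group-Object { $_.UserName.Trim() } |
        ForEach-Object {
            $names = @($_.Group | ForEach-Object { $_.ComputerName.Trim() } | Sort-Object -Unique)
            # A typo in the list would lock the user out, so check each computer exists.
            $missing = @($names | Where-Object { -not (Get-ADComputer -Filter "Name -eq '$_'") })
            [pscustomobject]@{
                UserName          = $_.Name
                LogonWorkstations = ($names -join ',')
                Missing           = ($missing -join ',')
            }
        }
}

$plan = Get-LogonWorkstationPlan -Rows $rows -Unrestricted $unrestricted
foreach ($p in $plan) {
    if ($p.Missing) {
        Write-Warning "$($p.UserName): computer(s) not found in AD: $($p.Missing); skipped"
        continue
    }
    # -WhatIf only reports the change; remove it to write the attribute.
    Set-ADUser -Identity $p.UserName -LogonWorkstations $p.LogonWorkstations -WhatIf
}

# Review which accounts carry a restriction (userWorkstations is the LDAP attribute).
Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations
```

Accounts left out of the plan keep an empty attribute, which means no workstation restriction applies to them.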

Similar Messages

  • Cases in which Domain Group Policy settings would be reverted to default settings on a Win7 client

    Hi - I'm sure this info is out there somewhere, but I'm having a hard time finding it.  Basically, I'm trying to identify the cases in which settings deployed via Domain Group Policy on 2008R2/Win7SP1 would get reverted back to "default settings"
    on a Win7SP1 client that is still a member of the domain, and is in a proper OU, properly targeted, WMI filters should still evaluate true, etc...
    For instance, it appears that if machine-level registry settings contained within a LocalGPO file on a client get corrupted (C:\Windows\System32\GroupPolicy\Machine\registry.pol), all of those settings, plus all machine level administrative template settings
    defined in Domain Group Policy, get reverted to default settings (corresponds with Event ID 1096 in System Event Log where it references "LocalGPO").  I have not confirmed if this is the case for machine level settings defined outside of administrative
    templates in Domain Group Policy, or for any user level settings though.  (But I suspect not.)
    When a workstation is unable to talk to a Domain Controller in order to identify applicable Domain Group Policy settings (for instance, this issue:
    http://support.microsoft.com/kb/2421599/en-us), do administrative templates Domain Group Policy settings revert to defaults up until the next successful processing interval?  I don't believe
    so, but would like confirmation.
    Are there any other cases in which Domain Group Policy settings for a client still joined to the Domain would be reverted to defaults?
    And when a client is unjoined from the Domain, what Domain Group Policy settings would remain on the client?  I understand that some Domain Group Policy settings outside of administrative templates are "tattooed" to the registry.  Does
    anyone know of a full list of these settings?  I believe that most or all of the ones in Windows Settings\Security Settings are tattooed, and the only way to get these settings removed is to explicitly change them via registry edit or LocalGPO/Local Security
    Policy, after unjoining the domain.
    Any info/insight/links to other doc/etc would be much appreciated!

    Hi Shaun,
    >>If a client cannot talk to a domain controller at all, admin template settings still stay in-place on the client, correct?   
    As far as I know, it's not this case. If a client can't communicate with domain controllers, it means that the GPOs applied to the client are out of scope. As suggested by
    the article I provided, for native policy, "when a Group Policy object (GPO) goes out of scope, the policy setting is removed allowing the original configuration value to be used."
    >>What if a client loses network connectivity while reading Domain GPO?
    Group policy will get updated when computers start up and users log on. Besides, for workstations, group policy will get refreshed in the background, by default at an interval
    of 90 minutes. As long as workstations can restore network connectivity, the group policy settings will get updated.
    >>Are there any other failure cases like this where some or all Group Policy settings (admin template or other areas) would get reverted?
    There are many reasons which can cause GP malfunction. However, Windows itself provides necessary tools for troubleshooting various issues. When GP malfunctions, we can check
    Event Viewer, collect group policy result, or generate group policy log to troubleshoot.
    Best regards,
    Frank Shen

  • Best practices on how to implement logging in custom application

    In the Enterprise Manager it is possible to display/browse the content of different log files generated by the application server modules.
    I have some custom web applications which currently use the log4j framework to write to log files. Is it possible to make these log files accessible for the Enterprise Manager?
    Or what is the best practice on how to implement logging in custom applications which can be browsed in the Enterprise Manager? (I do not want to use system.out.)

    I thought that this could be done. An ex- colleague did this - but he didn't tell me how to solve this.
    But as it just took 10 minutes to solve this I believe it's fairly easy.
    cu
    Andreas

  • Preventing Domain Group Policy from being applied

    How can a user prevent the domain group policy from being applied to his machine? And How can I stop users from doing that?

    Hi,
    No, group policy is processed by order, that is, local GPO is processed first, and then domain policy is processed by order, which would overwrite settings in the earlier GPOs if there is a conflict.
    If you don’t want to apply the domain policy, apply a higher precedence policy or disjoin the domain.
    Group Policy processing and precedence
    http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx
    Alex Zhao
    TechNet Community Support

  • How to stop the sending attachment through mail group policy

    Hi,
    Our employees sometimes use Gmail and Yahoo accounts. Due to security issues they don't send attachments; how is it possible to deny sending attachments in group policy?
    ranki

    Hi,
    How do your employees use their personal mailboxes? If they access them via Outlook, please refer to the suggestions Maffiow provided. If they access them via IE, we could not prevent them attaching
    files to their mailbox via Group Policy. As a workaround, you may prevent them accessing the third party mailbox webpage via Group Policy.
    For details, please refer to the following article.
    How to use Group Policy to Allow or Block URL’s
    http://www.grouppolicy.biz/2010/07/how-to-use-group-policy-to-allow-or-block-urls/
    Hope this helps.
    Best Regards,
    Andy Qi
    TechNet Community Support

  • How to setup Autodiscovery for .local internal domains with Exchange 2013

    Hi,
    I need to know how I set up autodiscovery in a local domain. I have a local domain, e.g.
    abc.local, and the domain on which I receive emails externally is xyz.com.
    I have deployed Exchange 2013 recently with the above scenario; inbound and outbound mail is working fine using OWA. But Outlook clients cannot connect to the Exchange server within the LAN.
    Please help me out with how to set up autodiscovery in the local domain, and another help I need is how I configure the self-signed certificate in this scenario.

    You cannot use a self-signed cert for RPC/HTTP connections (which is how the Outlook client is connecting to Exchange 2013). Please check this: http://social.technet.microsoft.com/Forums/exchange/en-US/aed4ede9-57c3-44c3-90b4-bdfb3a7f017d/exchange-2013-self-signed-certs-and-outlook-client-access?forum=exchangesvrgeneral
    But you can use a certificate from an internal CA, which you can install in your network to issue a certificate for Exchange. Please check this; it will help you manage internal certificates for a PC and for a domain. http://technet.microsoft.com/en-us/library/cc754841.aspx
    You don't need to configure autodiscover for internal domain-joined clients. If you have clients on the network which are not members of the domain, using Exchange, this could be Windows, Macs or mobile devices, then you should ensure that autodiscover.example.com
    resolves internally to the Exchange server via a split DNS system. http://exchange.sembee.mobi/network/split-dns.asp
    Please configure your external and internal URLs as well:
    http://www.mustbegeek.com/configure-external-and-internal-url-in-exchange-2013/
    I recommend to buy a 3rd party certificate as it may create issues for external clients, e.g. Outlook Anywhere.
    Thanks, MAS
    Please mark as helpful if you find my comment helpful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

  • How to implement logging functionality in my java application

    Hi.
    I want to add logging functionality in my java project. I am using jdk1.5. I have written the following log4j.properties. This property file I need to keep in the com.format.src.property folder. All java files are there in the com.format.src folder.
    log4j.rootCategory=DEBUG, FILE, CONSOLE
    ### A bootstrap file appender
    log4j.appender.FILE=org.jboss.logging.appender.FileAppender
    log4j.appender.FILE.File=${jboss.server.log.dir}/${HOSTSHORTNAME}-${jboss.server.name}-boot.log
    log4j.appender.FILE.layout=org.apache.log4j.PatternLayout
    log4j.appender.FILE.layout.ConversionPattern=%d{ABSOLUTE} %-5p [%c{1}] %m%n
    log4j.appender.FILE.Append=false
    log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
    log4j.appender.CONSOLE.Threshold=INFO
    log4j.appender.CONSOLE.Target=System.out
    log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
    log4j.appender.CONSOLE.layout.ConversionPattern=%d{ABSOLUTE} %-5p [%c{1}] %m%n
    Could you reply me the steps to implement logging in my project.
    Thanks in advance
    alex

    1) Put the Apache Commons Logging jar into your "lib" folder.
    2) Create your properties file as "log4j.properties"
    3) Keep it inside the folder where you have your "src" (i.e. your "src", "classes", & "log4j.properties" should be in the same folder)
    4) Import "org.apache.log4j.Logger;"
    5) Create an instance of "Logger" as follows;
    Logger log = Logger.getLogger(YourClassName.class.getName());
    6) Use the created "log" instance when applicable as follows:
    log.info("Whatever the message");
    log.debug("Whatever the message");
    log.error("Whatever the message");
    log.fatal("Whatever the message"); ...etc
    Hope you got it... Happy coding... :)
    Cheers,
    Asela.

  • Domain Group Policy changes causes clients to be unable to connect to WSUS for Windows Updates

    Domain Controller is Windows Server 2008 R2 64-bit, Group Policy Management version 6.0.0.1. WSUS server is Windows Server 2008 Enterprise 32-bit, Update Services version 3.2.7600.226. Client machines are Windows 7, some are 64-bit and some are 32-bit.
    Every time we make any changes to any of our Group Policies most of our clients stop getting their Windows Updates from the WSUS server within 2-3 days. This occurs when we add a new policy for a group of users, temporarily disable a policy or edit a policy.
    Check of the WindowsUpdate.log on affected client machines shows:
    2014-06-25 13:40:44:976  760 1610 PT WARNING: GetAuthorizationCookie failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
    2014-06-25 13:40:44:977  760 1610 PT WARNING: Failed to initialize Simple Targeting Cookie: 0x80072ee2
    2014-06-25 13:40:44:977  760 1610 PT WARNING: PopulateAuthCookies failed: 0x80072ee2
    2014-06-25 13:40:44:977  760 1610 PT WARNING: RefreshCookie failed: 0x80072ee2
    2014-06-25 13:40:44:977  760 1610 PT WARNING: RefreshPTState failed: 0x80072ee2
    2014-06-25 13:40:44:977  760 1610 PT WARNING: PTError: 0x80072ee2
    2014-06-25 13:40:44:977  760 1610 Report WARNING: Reporter failed to upload events with hr = 80072ee2.
    A further check of the log files shows:
    2014-06-21 19:36:06:995  156 1b0c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <proxy server name:8080> Bypass List used : <(null)> Auth Schemes used : <>
    We do not use a proxy except for Internet connections. We configure IE with a pac file. This is set through Group Policy since we restrict user accounts from being able to set it. 
    The clients that are connecting to the WSUS server have these entries instead:
    2014-06-24 09:12:16:779  992 270 Agent Setting download properties on call A20329BC-3467-4B7E-B9F4-6AC6ACBA23E1: priority=3, interactive=1, owner is system=0, proxy settings=1, proxy session id=2
    I have a routine that will fix the problem but it is time-consuming and pulls me away from other things I should be doing:
    Run registry files on client machine (WindowsUpdate and AU). This is not always necessary and is already set by Group Policy and the affected clients already have the registry settings. No idea why it is necessary to do but the steps below don't always
    work unless it is.
    net stop bits and net stop wuauserv
    ipconfig /flushdns
    Delete qmgr*.* files from Downloader folder
    Delete Software Distribution folder
    Run from command prompt:
    sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
    sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
    net start bits and net start wuauserv
    wuauclt /resetauthorization /detectnow
    Run Windows Updates again from Control Panel
    This routine always fixes the problem but I've found that I must do each step to guarantee success.
    How or where is the proxy setting being changed for WSUS that we see in the WindowsUpdate logs and how do I prevent this from happening? It is also curious that it happens to most but not all of the client machines. When it does happen it's not always the
    same client machines.

    You're right - the WSUS server is on the inside and does not need a proxy server. Tried running the netsh winhttp reset proxy command but was still not able to connect to the WSUS server. After running the netsh winhttp reset proxy command received response:
    Current WinHTTP proxy setting: Direct access <no proxy server>.
    Ran the command at 13:49 and then tried Windows Updates again. Here's snippet from the log file:
    2014-06-27 13:49:56:889  548 f6c AU Triggering AU detection through DetectNow API
    2014-06-27 13:49:56:890  548 f6c AU Triggering Online detection (interactive)
    2014-06-27 13:49:56:890  548 4b8 AU #############
    2014-06-27 13:49:56:890  548 4b8 AU ## START ##  AU: Search for updates
    2014-06-27 13:49:56:890  548 4b8 AU #########
    2014-06-27 13:49:56:893  548 4b8 AU <<## SUBMITTED ## AU: Search for updates [CallId = {9CE06AB2-E859-4B4D-8D1A-193AD89623C5}]
    2014-06-27 13:49:56:893  548 1260 Agent *************
    2014-06-27 13:49:56:893  548 1260 Agent ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2014-06-27 13:49:56:893  548 1260 Agent *********
    2014-06-27 13:49:56:893  548 1260 Agent   * Online = Yes; Ignore download priority = No
    2014-06-27 13:49:56:893  548 1260 Agent   * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1
    or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
    2014-06-27 13:49:56:893  548 1260 Agent   * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
    2014-06-27 13:49:56:893  548 1260 Agent   * Search Scope = {Machine}
    2014-06-27 13:49:56:893  548 1260 Setup Checking for agent SelfUpdate
    2014-06-27 13:49:56:893  548 1260 Setup Client version: Core: 7.6.7600.256  Aux: 7.6.7600.256
    2014-06-27 13:49:56:894  548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
    2014-06-27 13:49:56:901  548 1260 Misc  Microsoft signed: Yes
    2014-06-27 13:49:56:927  548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
    2014-06-27 13:49:56:934  548 1260 Misc  Microsoft signed: Yes
    2014-06-27 13:49:56:936  548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
    2014-06-27 13:49:56:943  548 1260 Misc  Microsoft signed: Yes
    2014-06-27 13:49:56:956  548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
    2014-06-27 13:49:56:962  548 1260 Misc  Microsoft signed: Yes
    2014-06-27 13:49:56:974  548 1260 Setup Determining whether a new setup handler needs to be downloaded
    2014-06-27 13:49:56:974  548 1260 Setup SelfUpdate handler is not found.  It will be downloaded
    2014-06-27 13:49:56:974  548 1260 Setup Evaluating applicability of setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256"
    2014-06-27 13:49:56:976  548 1260 Setup Setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
    2014-06-27 13:49:56:976  548 1260 Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256"
    2014-06-27 13:49:56:989  548 1260 Setup Setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
    2014-06-27 13:49:56:989  548 1260 Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256"
    2014-06-27 13:49:57:007  548 1260 Setup Setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
    2014-06-27 13:49:57:007  548 1260 Setup SelfUpdate check completed.  SelfUpdate is NOT required.
    2014-06-27 13:49:57:165  548 1260 PT +++++++++++  PT: Synchronizing server updates  +++++++++++
    2014-06-27 13:49:57:165  548 1260 PT   + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL =
    http://(FQDN of WSUS server)/ClientWebService/client.asmx
    2014-06-27 13:49:57:175  548 1260 PT WARNING: Cached cookie has expired or new PID is available
    2014-06-27 13:49:57:175  548 1260 PT Initializing simple targeting cookie, clientId = 6be4a1ae-3313-4855-bdb1-57e3312f03ec, target group = AGENCIES, DNS name = dpk2.clear-rcic.rcc.org
    2014-06-27 13:49:57:175  548 1260 PT   Server URL =
    http://(FQDN of WSUS server)/SimpleAuthWebService/SimpleAuth.asmx
    2014-06-27 13:50:57:280  548 1260 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(proxy server):8080> Bypass List used : <(null)> Auth Schemes used : <>
    2014-06-27 13:50:57:281  548 1260 PT   + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
    2014-06-27 13:50:57:281  548 1260 PT   + Caller provided proxy = No
    2014-06-27 13:50:57:281  548 1260 PT   + Proxy list used = webgate.rcc.org:8080
    2014-06-27 13:50:57:281  548 1260 PT   + Bypass list used = <NULL>
    2014-06-27 13:50:57:281  548 1260 PT   + Caller provided credentials = No
    2014-06-27 13:50:57:281  548 1260 PT   + Impersonate flags = 0
    2014-06-27 13:50:57:281  548 1260 PT   + Possible authorization schemes used =
    2014-06-27 13:50:57:281  548 1260 PT WARNING: GetAuthorizationCookie failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
    2014-06-27 13:50:57:281  548 1260 PT WARNING: Failed to initialize Simple Targeting Cookie: 0x80072ee2
    2014-06-27 13:50:57:281  548 1260 PT WARNING: PopulateAuthCookies failed: 0x80072ee2
    2014-06-27 13:50:57:281  548 1260 PT WARNING: RefreshCookie failed: 0x80072ee2
    2014-06-27 13:50:57:281  548 1260 PT WARNING: RefreshPTState failed: 0x80072ee2
    2014-06-27 13:50:57:281  548 1260 PT WARNING: Sync of Updates: 0x80072ee2
    2014-06-27 13:50:57:281  548 1260 PT WARNING: SyncServerUpdatesInternal failed: 0x80072ee2
    2014-06-27 13:50:57:281  548 1260 Agent   * WARNING: Failed to synchronize, error = 0x80072EE2
    2014-06-27 13:50:57:282  548 1260 Agent   * WARNING: Exit code = 0x80072EE2
    2014-06-27 13:50:57:282  548 1260 Agent *********
    2014-06-27 13:50:57:282  548 1260 Agent **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2014-06-27 13:50:57:282  548 1260 Agent *************
    2014-06-27 13:50:57:282  548 1260 Agent WARNING: WU client failed Searching for update with error 0x80072ee2
    2014-06-27 13:50:57:302  548 e04 AU >>##  RESUMED  ## AU: Search for updates [CallId = {9CE06AB2-E859-4B4D-8D1A-193AD89623C5}]
    2014-06-27 13:50:57:302  548 e04 AU   # WARNING: Search callback failed, result = 0x80072EE2
    2014-06-27 13:50:57:302  548 e04 AU   # WARNING: Failed to find updates with error code 80072EE2
    2014-06-27 13:50:57:302  548 e04 AU #########
    2014-06-27 13:50:57:302  548 e04 AU ##  END  ##  AU: Search for updates [CallId = {9CE06AB2-E859-4B4D-8D1A-193AD89623C5}]
    2014-06-27 13:50:57:302  548 e04 AU #############
    2014-06-27 13:50:57:303  548 e04 AU Successfully wrote event for AU health state:0
    2014-06-27 13:50:57:303  548 e04 AU AU setting next detection timeout to 2014-06-27 22:50:57
    2014-06-27 13:50:57:304  548 e04 AU Setting AU scheduled install time to 2014-06-28 05:00:00
    2014-06-27 13:50:57:304  548 e04 AU Successfully wrote event for AU health state:0
    2014-06-27 13:50:57:305  548 e04 AU Successfully wrote event for AU health state:0
    2014-06-27 13:51:02:285  548 1260 Report REPORT EVENT: {BD25B39C-6570-454C-A046-AF3AF2DEBDD4} 2014-06-27 13:50:57:282-0400 1 148 101 {00000000-0000-0000-0000-000000000000} 0 80072ee2 AutomaticUpdates Failure Software
    Synchronization Windows Update Client failed to detect with error 0x80072ee2.
    2014-06-27 13:51:02:295  548 1260 Report CWERReporter::HandleEvents - WER report upload completed with status 0x8
    2014-06-27 13:51:02:295  548 1260 Report WER Report sent: 7.6.7600.256 0x80072ee2 00000000-0000-0000-0000-000000000000 Scan 101 Managed
    2014-06-27 13:51:02:295  548 1260 Report CWERReporter finishing event handling. (00000000)
    2014-06-27 13:51:48:184  548 4b8 AU ###########  AU: Uninitializing Automatic Updates  ###########
    2014-06-27 13:51:48:187  548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
    2014-06-27 13:51:48:187  548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
    2014-06-27 13:51:48:187  548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
    2014-06-27 13:51:48:187  548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
    2014-06-27 13:51:48:187  548 4b8 Report CWERReporter finishing event handling. (00000000)
    2014-06-27 13:51:48:252  548 4b8 Service *********
    2014-06-27 13:51:48:252  548 4b8 Service **  END  **  Service: Service exit [Exit code = 0x240001]
    2014-06-27 13:51:48:252  548 4b8 Service *************
    2014-06-27 13:51:53:002  548 160c Misc ===========  Logging initialized (build: 7.6.7600.256, tz: -0400)  ===========
    2014-06-27 13:51:53:002  548 160c Misc   = Process: C:\Windows\system32\svchost.exe
    2014-06-27 13:51:53:002  548 160c Misc   = Module: c:\windows\system32\wuaueng.dll
    Ran a batch file which resets the AU and WindowsUpdate registry keys and then runs the steps listed above:
    regedit /s C:\WindowsUpdate.reg
    regedit /s C:\AU.reg
    net stop bits
    net stop wuauserv
    Ipconfig /flushdns
    del C:\ProgramData\Microsoft\Network\Downloader\qmgr*.*
    del  /F /Q C:\Windows\SoftwareDistribution\*.*
    sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
    sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
    net start bits
    net start wuauserv
    wuauclt /resetauthorization /detectnow
    After this runs, am able to connect to WSUS server for updates. I mentioned Group Policy changes because this only breaks after the Group Policy changes. It doesn't affect every client machine but most of them. Was wondering how the proxy gets reset from
    none to the proxy server for Windows Updates?
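
The failing requests in the log excerpts above all report a proxy in "Proxy List used", while the poster's `netsh winhttp reset proxy` output shows direct access. The following is an added example, not part of the original posts, that extracts every `SendRequest failed` entry from WindowsUpdate.log with the proxy it went through, so affected clients can be compared; the sample lines and the `Get-WuSendRequestFailure` name are constructed.

```powershell
# Constructed sample lines in the WindowsUpdate.log format quoted in the thread.
$sample = @(
    '2014-06-27 13:49:57:175  548 1260 PT Initializing simple targeting cookie, clientId = 00000000-0000-0000-0000-000000000000, target group = EXAMPLE, DNS name = pc1.example.internal'
    '2014-06-27 13:50:57:280  548 1260 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <proxy.example.internal:8080> Bypass List used : <(null)> Auth Schemes used : <>'
    '2014-06-27 13:50:57:281  548 1260 PT WARNING: PTError: 0x80072ee2'
    '2014-06-28 09:02:11:004  612 a3c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>'
)

function Get-WuSendRequestFailure {
    # Hypothetical helper: one object per "SendRequest failed" line.
    param([Parameter(Mandatory)] [string[]] $Line)

    # date, time:ms, PID, hex TID, component, message
    $lineRx = '^(?<date>\d{4}-\d{2}-\d{2})\s+(?<time>\d{2}:\d{2}:\d{2}):\d{3}\s+\d+\s+[0-9a-f]+\s+(?<comp>\S+)\s+(?<msg>.*)$'
    $failRx = 'SendRequest failed with hr = (?<hr>[0-9a-f]+)\.\s+Proxy List used:\s*<(?<proxy>[^>]*)>\s+Bypass List used\s*:\s*<(?<bypass>[^>]*)>'

    foreach ($l in $Line) {
        if ($l -match $lineRx) {
            # Copy the captures before the next -match overwrites $Matches.
            $stamp = [datetime]::ParseExact("$($Matches.date) $($Matches.time)",
                'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            $msg = $Matches.msg
            if ($msg -match $failRx) {
                $proxy = $Matches.proxy
                [pscustomobject]@{
                    Time     = $stamp
                    HResult  = '0x' + $Matches.hr.ToUpper()   # 0x80072EE2 is a timeout
                    Proxy    = $proxy
                    Bypass   = $Matches.bypass
                    ViaProxy = [bool]($proxy -and $proxy -ne '(null)')
                }
            }
        }
    }
}

# On a client, feed the real log instead of the sample:
#   Get-WuSendRequestFailure -Line (Get-Content "$env:windir\WindowsUpdate.log")
$failures = Get-WuSendRequestFailure -Line $sample

# Failures that went through a proxy, grouped by proxy and error code.
$failures | Where-Object ViaProxy |
    Group-Object Proxy, HResult |
    Select-Object Count, Name

# Compare with the machine-wide WinHTTP setting the thread mentions.
netsh winhttp show proxy
```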

  • How can I disable IPv6 EUI randomization with group policy?

    I need to turn off IPv6 EUI address randomization. It can be done in netsh (a few commands) or powershell (Set-NetIPv6Protocol -RandomizeIdentifiers Disabled).  How can I do this in group policy without scripting?

    Hi Jordan,
    Before going further, I hope that the suggestion provided by Martin can be helpful.
    It seems that we can't configure this setting via native policy. To configure IPv6 settings,
    we need to download ADMX files for IPv6. However, per the following article, the IPv6 settings that can be configured are:
    Enable all IPv6 components (Windows default)
    Disable all IPv6 components (the setting you probably want)
    Disable 6to4
    Disable ISATAP
    Disable Teredo
    Disable Teredo and 6to4
    Disable all tunnel interfaces
    Disable all LAN and PPP interfaces
    Disable all LAN, PPP and tunnel interfaces
    Prefer IPv4 over IPv6
    How to Disable IPv6 through Group Policy
    http://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx
    Best regards,
    Frank Shen
    Please read the question before marking things as answers.

  • ITunes won't work because of domain group policy

    Hi, my work just implemented a really stupid group policy through our domain that disallows any file named iTunes.exe to run. The good news is I can rename iTunes.exe and get iTunes to work. The bad news is once I rename iTunes.exe the iPod service is unable to start. The iPod service I assume is what automatically launches iTunes when you plug in your iPod. Does anyone know of a way to let the iPod service and any other file that depends on iTunes.exe that I have renamed it?

    I don't have a solution for you, but as a system administrator I feel I must comment.
    I don't know about where you work -- but at my job, deliberate circumvention of policy is "abuse" and is considered grounds for termination. The computer you use at work is not yours; it belongs to the company you work for.
    If you have a problem with the policy you should take it up with the administrators or your management -- not try to circumvent it. Perhaps the policy is based on a misunderstanding that you could clear up! You (your computer, really) might even be granted an exception to the policy.

  • Deploy Acrobat Reader 10.1.3 via MSI Group Policy

    The purpose of this thread is to identify EASIEST way to create/obtain an MSI file of the LATEST VERSION of Acrobat Reader (currently 10.1.3 as of 7/19/2012) to be deployed via GPO.  I am not concerned with customizations of Reader settings as I have accomplished this already using Group Policy.
    It sounds so easy, but I have found it to be quite frustrating and extremely time consuming to figure this out.
    Here's what I have so far:
    To download the full installer from Adobe, you must first apply on Adobe's website to distribute Reader:
    http://www.adobe.com/products/reader/rdr_distribution1.html
    Once you submit the request, a short time later you'll get an e-mail with a link to download the full exe file of reader 10.1.3. 
    Here's a link that explains how to extract an MSI from this exe:
    http://blogs.adobe.com/dmcmahon/2010/06/16/how-to-extract-an-msi-file-from-the-exe-for-adobe-reader/
    Even with following those steps, I do not end up with an MSI file which will install 10.1.3.
    To try another route:
    There is also an Adobe FTP site.  If you navigate down into the Reader 10.1.0 folder there is an MSI file.  Good - but it's the old version.
    You would think that if you navigate into the 10.1.3 folder there would be an MSI there as well.
    Unfortunately there is not.  However, there is an MSP file found in the misc folder:
    I have tried several methods that are supposed to combine the MSP file with the MSI file - they have not worked.
    I have also tried several methods of modifying MSI files, and using the Adobe Customization Wizard downloadable here:  http://www.adobe.com/support/downloads/detail.jsp?ftpID=4950
    I am unable to end up with a deployable MSI file for Reader 10.1.3.
    It's amazing that it's so complicated to deploy the latest version of Adobe Reader to my users.
    Does anyone have a comprehensive answer to this simple problem?  I do not want a link to a document with 20 pages explaining the theory of MSP files.  I am looking for a concise, step by step method to obtain an MSI for 10.1.3 quickly and easily.
    Thanks!

    First there isn't a single MSI file that will install Adobe Reader 10.1.3 available. There are two ways in which you can create an installer package that will install Adobe Reader 10.1.3. 
    1.  Bootstrapper
    -  Bootstrapper uses the Setup.ini file to create a chained installation process and is run from Setup.exe with a limited amount of installation switches available. 
    The process is documented in the Enterprise Administration Guide:  http://kb2.adobe.com/cps/837/cpsid_83709/attachments/Acrobat_Enterprise_Administration.pdf #page=77
    Here is a reference video on the process:  http://www.youtube.com/watch?v=9zYTUyOIcNk
    2.  AIP (Administrative Installation Point)
    - AIP uses the Windows Installer to create a decompressed updated full MSI based installer.  The process is documented in the Enterprise Administration Guide:  http://kb2.adobe.com/cps/837/cpsid_83709/attachments/Acrobat_Enterprise_Administration.pdf #page=70
    Here is a reference video on the process: http://www.youtube.com/watch?v=05XOKX0150w&feature=relmfu
    * Please note that each installation method has its advantages and disadvantages. Those aspects of each installation type need to be seriously considered for your specific environment and what will and will not work for the IT group and user groups within your enterprise before you decide upon one of them.
    Regards,
    Steve

  • How to use tacacs+ authentication to assign a group policy at login in Cisco ASA

    Hi everyone
    As title, anyone knows how it works?
    I only found it can work with LDAP authentication, but not in TACACS+
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html#noaccessgp
    please give me a hand, thanks.

    Hi Karten,
    I have a similar requirement. I used the ACS, configured an Auth profile and mapped the RADIUS class (25) value as the ASA group-policy name (I even tried with the tunnel-group name), but it does not work. It allows whatever VPN group the user selects, regardless of the user groups he belongs to.
    I use two ACS local users, put them in two different groups, mapped those two groups to two different Access rules in the ACS and pointed them to the correct Auth profile etc.
    I am not sure what the issue could be and would appreciate it if you can advise.
    Thanks in advance.

  • Default domain Group Policy

    Hello,
    In my new company, I noticed that the default domain controllers policy has been (largely) modified.
    I thought it was a best practice to keep it clean (In case of restore).
    So I would like to create new GPOs for my DCs to move some of those settings out of the default domain policy.
    For example, "Add workstations to domain". If I want to create a new policy for this particular setting, what kind of rules am I supposed to follow to make sure that my new setting will be applied before the default DC policy?
    Is the GPO Link order enough?
    Thank you

    Hi,
    Just a confirmation, did you mean that you want to overwrite some settings in the Default Domain Controllers Policy?
    Within each domain, site, and OU, the Link Order controls the order in which GPOs are applied. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest Link Order is processed last, and therefore has the highest precedence. Since Default Domain Controllers Policy is linked to the Domain Controllers organizational unit, you can create a new GPO and link it to this Domain Controllers organizational unit, then control their order via Link Order.
    If I have misunderstood anything or there is any update, please feel free to let us know.
    Hope this helps.
    Best regards,
    Justin Gu
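
The link-order approach described in the answer above, as an added PowerShell example that is not part of the original thread. It assumes the RSAT GroupPolicy and ActiveDirectory modules and rights to create and link GPOs; the GPO name is hypothetical.

```powershell
# Added example, not from the thread. $gpoName is a hypothetical name.
Import-Module GroupPolicy, ActiveDirectory

$gpoName = 'DC - Custom User Rights'                    # hypothetical
$dcOu    = (Get-ADDomain).DomainControllersContainer    # DN of the Domain Controllers OU

# Create the GPO only if it does not exist yet, so the script can be re-run.
try   { $null = Get-GPO -Name $gpoName -ErrorAction Stop }
catch { $null = New-GPO -Name $gpoName -Comment 'Settings kept out of the default DC policy' }

# Link it at order 1 (lowest number = processed last = wins), or move an existing link there.
$linked = (Get-GPInheritance -Target $dcOu).GpoLinks.DisplayName -contains $gpoName
if ($linked) { $null = Set-GPLink -Name $gpoName -Target $dcOu -Order 1 }
else         { $null = New-GPLink -Name $gpoName -Target $dcOu -LinkEnabled Yes -Order 1 }

# Links placed directly on the OU, in link order.
$inh = Get-GPInheritance -Target $dcOu
$inh.GpoLinks | Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# Link order alone is not enough if another link is Enforced: an enforced
# link takes precedence over a non-enforced one whatever its order.
$inh.InheritedGpoLinks |
    Where-Object { $_.Enforced -and $_.DisplayName -ne $gpoName } |
    ForEach-Object { Write-Warning "Enforced link overrides link order: $($_.DisplayName)" }

# Effective precedence on the OU, including GPOs inherited from the domain.
$inh.InheritedGpoLinks | Format-Table Order, DisplayName, Enforced, Target -AutoSize

# The setting itself ("Add workstations to domain") is a user right and is
# edited in the new GPO under Computer Configuration > Policies > Windows
# Settings > Security Settings > Local Policies > User Rights Assignment.
```

Run `gpresult /r /scope computer` on a domain controller after the next policy refresh to confirm the new GPO is listed among the applied objects.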

  • Mail for exchange and domain group policy removing...

    Hi,
    I currently administer 2 domains, both Server 2003 with Exchange 2003. On the one domain I can configure any of our E series (E51/E71/E72/E6) via MFE and permanently accept the untrusted SSL certificate. When I configure MFE to our other domain the option to accept the untrusted certificate has vanished..!
    Anyone have any ideas?  I'm sure that it's a group policy setting but I cannot spot it!

    turbominor wrote:
    No certificates have been generated bar the ones that exchange installed by default
    Hmm, I don't recall ever realizing that.  Lol.  In that case, what are you using as a root certificate?  Nothing...which explains why the cert is untrusted?  (As connections to your first Exchange server work normally, apparently you don't need a root cert for a secure connection?)  I used to get mine from http://www.cacert.org/ and installed the root cert either manually or through a device management server.
    I wasn't completely sure where I was going with my question, but just did a few web searches.  Apparently Symbian phones don't like installing self-signed certificates. "Accepting a certificate permanently" does install the cert, although I'm not sure that's quite the same thing.  You might skim http://discussions.nokia.com/t5/Eseries-and-Communicators/E72-Email-Accept-Certificate-Permanently/m... in case any of that is relevant.

  • How to disable attachment preview in Outlook 2013 - group policy

    How do I disable attachment preview in Outlook 2013 in GPO?

    Hi,
    We may follow the steps below to disable attachment preview in Outlook 2013:
    1. Download Office 2013 Administrative Template files, and then follow the instructions in the "Loading the ADMX templates" section of the Use Group Policy to enforce Office 2010 settings article to load the ADMX templates.
    2. Navigate to User Configuration > Administrative Templates > Microsoft Outlook 2013 > Outlook Options > Preferences > Email Options
    3. Double-click Do not allow attachment previewing in Outlook from the right pane.
    4. Select Enable bullet.
    5. Click OK.
    6. Run gpupdate /force command to force an update of GPO settings.
    7. Start Outlook and you should see the attachment previewing feature is disabled.
    Regards,
    Steve Fan
    TechNet Community Support
    It's recommended to download and install Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office programs.

Maybe you are looking for