Making a change in Group Policy in Safe Mode or rather trying...

I need to make a change in the domain controller group policy in the following:
We are trying to emulate using smart cards on our system. So I got a set of instructions which basically said to access the Local Group Policy editor under Computer Configuration>Windows Settings>Security Settings>Local Policies>Security Options and change 'Interactive logon: Require smart card' to 'enabled'.
Then go to the registry: 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System' and change the DWORD value of 'scforceoption' from '1' to '0'. So if you don't want to use a smart card, you can hit Esc and logon with userid/password.
Well, since I want this to happen on all our servers and workstations, I set it in the domain group policy instead of locally.
Under 'Computer Configuration>Policies>Windows Settings>Local Policies>Security Options>Interactive Logon: Require smart cards - enable'
Now it wants a smart card only. Of course we don't have them. Yes, I am mightily embarrassed.
I am in Safe Mode with Networking, but it doesn't let me get into the Group Policy. Is there a way to get in?
Win 2008 R2 with all the nasty STIGs of course.
Stef<with my fingers crossed>

oh dear :(
the policy setting, and the registry key/value, you have mentioned, are exactly one and the same thing.
it doesn't quite make sense, that you would enable this setting via GPedit and then also disable in the registry editor - you are setting the value to be=1, then setting the exact same value to be=0.
when wishing to use smartcards, but, not enforce the use of smartcards, you don't need to do any of this at all.
when the smartcard drivers are installed, the credentialsUI automatically changes (it detects the SC provider) and offers SClogin methods. This has been my experience over quite a few years since Win2000, and includes Win7.
I'm not sure about Win8 + smartcards, I haven't spent time with that combination yet.
It *might* be possible for you to try:
on a workstation (a domain member), login with a local account. (that part may not work).
when logged on to the workstation, open regedit, and navigate to the regkey for scforceoption. edit the ACL on that regkey to revoke/deny all permissions to all security principals *EXCEPT* for your local account.
(this should stop the GP CSE from applying the domain GP setting to the regkey).
then, reboot the workstation, logon with a domain admin account, and edit your Domain GP to remove the scforceoption setting. allow Domain GP to replicate. then try another member workstation or server to see how it goes.
I haven't ever tried this, but if you can logon and edit that setting, you'll be ok.
Don
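Added example (not part of the thread, and not code from either poster): a read-only check for which GPOs set the value discussed above, plus the effective local value, so the setting can be found before a GPO carrying it is linked domain-wide. The function names and the sample GPO GUID are made up for illustration, and the GptTmpl.inf layout described in the comments is an assumption about how security options are stored in SYSVOL.

```powershell
# Added example. Assumption: a GPO's security options live in
#   <Policies>\{GPO GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# under [Registry Values] as  MACHINE\<key>\<value>=<type>,<data>  (type 4 = REG_DWORD).
$ScKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ScName = 'scforceoption'
$ScLine = '^MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ScForceOption\s*=\s*4\s*,\s*(\d+)$'

# Return the ScForceOption data from one GptTmpl.inf, or $null if the GPO does not set it.
function Get-ScForceOptionFromInf {
    param([Parameter(Mandatory = $true)][string]$Path)
    $inRegistryValues = $false
    foreach ($line in @(Get-Content -LiteralPath $Path)) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Section header: only [Registry Values] is of interest.
            $inRegistryValues = ($Matches[1] -eq 'Registry Values')
        } elseif ($inRegistryValues -and $text -match $ScLine) {
            return [int]$Matches[1]
        }
    }
    return $null
}

# List every GPO under a Policies folder (live SYSVOL or a copy of it) that sets the value.
function Find-ScForceOptionGpo {
    param([Parameter(Mandatory = $true)][string]$PoliciesRoot)
    Get-ChildItem -Path $PoliciesRoot -Recurse -Filter 'GptTmpl.inf' | ForEach-Object {
        $data = Get-ScForceOptionFromInf -Path $_.FullName
        if ($null -ne $data) {
            $guid = '(unknown)'
            if ($_.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $guid = $Matches[0] }
            New-Object PSObject -Property @{
                Gpo               = $guid
                ScForceOption     = $data
                RequiresSmartCard = ($data -eq 1)
                File              = $_.FullName
            }
        }
    }
}

# Effective value on this machine: 1 = smart card required, 0 or absent = not required.
function Get-LocalScForceOption {
    $prop = Get-ItemProperty -Path $ScKey -Name $ScName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$ScName
}

# Constructed sample: one fake GPO folder whose GptTmpl.inf enables the setting.
$root    = Join-Path ([IO.Path]::GetTempPath()) 'scforce-demo'
$secEdit = Join-Path $root '{11111111-2222-3333-4444-555555555555}\Machine\Microsoft\Windows NT\SecEdit'
New-Item -ItemType Directory -Path $secEdit -Force | Out-Null
$sample = @'
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,1
[Version]
signature="$CHICAGO$"
Revision=1
'@
Set-Content -LiteralPath (Join-Path $secEdit 'GptTmpl.inf') -Value $sample -Encoding Unicode

Find-ScForceOptionGpo -PoliciesRoot $root | Format-List Gpo, ScForceOption, RequiresSmartCard, File
"Local scforceoption: $(Get-LocalScForceOption)"
```

Against a real domain, point -PoliciesRoot at the Policies folder under SYSVOL; a GPO reported with RequiresSmartCard = True while no cards have been issued is the situation described in the question.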

Similar Messages

  • Why does it say in the Firefox Safe Mode article that all of the changes are temporary while in Safe Mode, then later it says "Note: The following changes cannot be undone."?

    When you open Firefox in Safe Mode, it automatically disables your custom settings, themes, and add-ons. THOSE changes are temporary.
    However, if you click any of the boxes underneath the line, "You can make some or all of these changes permanent", and then choose "Make Changes and Restart", everything you checked will be forever changed, even when you start Firefox again in 'normal' mode. [See attached image for a preview of the Safe Mode options].
    To be clear:
    1. If you check any of the boxes but do NOT select "Make changes and restart", those things will not be changed at all in safe mode.
    2. If you select any of the boxes and you DO select "Make changes and restart", you will permanently lose any of the items you checked (bookmarks (except for backups), user preferences, etc.).
    If you performed the action in step 2 above, you will only be able to restore those things if you have a previously created back-up of your Mozilla Profiles folder (not the same as the Firefox program folder).
    Hope this helps.

  • I have read up on all about crashes and I can't even open it in safe mode :( I have tried deleting it and reinstalling it but the problem still persists. What would you suggest I do and is there any way I can get hold of Firefox 6 for Mac?

    Does the regular Firefox 8 release version work or does the version crash as well?
    *Firefox 8.0.x: http://www.mozilla.com/en-US/firefox/all.html
    Create a new profile as a test to check if your current profile is causing the problems.
    See "Basic Troubleshooting: Make a new profile":
    *https://support.mozilla.com/kb/Basic+Troubleshooting#w_8-make-a-new-profile
    There may be extensions and plugins installed by default in a new profile, so check that in "Tools > Add-ons > Extensions & Plugins" in case there are still problems.
    If that new profile works then you can transfer some files from the old profile to that new profile, but be careful not to copy corrupted files.
    See:
    *http://kb.mozillazine.org/Transferring_data_to_a_new_profile_-_Firefox

  • Since ff13 update to ff13.1 my browser won't open and also won't open in safe mode and I tried to download ff13.0 but it won't open also. So I don't know what to do

    here the other problem

  • TS2570 Hi, MacBook Pro & Snow Leopard- startup probs. I have tried repairing with the disk utility, resetting PRAM, booting in safe mode, and finally trying to get to archive&install the o/s, but it cannot find the destination volume. Is an erase the only

    (10.6.8 Intel core duo 2009)
    Hi,
    I have a grey screen and grey rotating wheel startup probs. I have tried repairing with the disk utility, resetting PRAM, booting in safe mode (which gave a subset of the errors that 'disk repair' did, namely 'invalid sibling link, invalid record count, invalid node structure, invalid key length') and finally trying to get to archive&install the o/s, but it cannot find the destination volume. Is an erase the only option? PS I have backed up most files individually, but my daughter did not back up any from her user account. Any help would be appreciated. J

    Gray, Blue or White screen at boot, w/spinner/progress bar
    Why is my computer slow?
    ..Step by Step to fix your Mac
    https://discussions.apple.com/community/notebooks/macbook_pro?view=documents

  • Firefox crashes when logging onto googlemail on my PC, except when I am safe mode. Have tried unchecking hardware acceleration, but problem persists.

    This problem began when I updated AVG to the 2012 trial version. I then changed over to the 2012 free edition, but the problem persists, so I think it has something to do with AVG. A scan revealed two trojan infections on the system, which Super Anti Spyware removed successfully. I have had this problem for about three days. In safe mode Firefox logs onto Gmail successfully.

    Does the AVG system tray icon indicate AVG is enabled?
    Hover the cursor over that icon and a tooltip should show AVG status.

  • Firefox not connecting internet, also not in the safe mode. Have tried most of the options, no success. But I need my favorites... It happened after the update on 29/10/10. How can I restore firefox ?

    not connecting to internet? no add-ons visible? safe mode does not function?

    Thanks for checking in, BDAQua.
    Problem solved.
    In the docs that came with my Powerlogix accelerator card, I found this sentence buried:
    "If you reset the PRAM, the NVRAM code for OS9 compatibility is cleared, so you will have to boot from the Firmware Update CD and perform this process again in order to boot in OS9."
    The "process" it's referring to is the process of setting up the NVRAM for booting into OS9 from the CD.
    Fortunately, I was able to find the disk, and it worked as expected. I can now, once again boot into OS9.
    Conclusion: My (unadvised) attempt to load Leopard on this old machine apparently reset the PRAM on the accelerator card and cleared the NVRAM code for OS9 boot. Although I did attempt to reset the NVRAM via Open Firmware, it did not reset it on the accelerator card.
    So, thank you BDAQua, for your "Ah yes" . . . that's all I needed to steer me in the right direction.
    Gratefully,
    tupester

  • Script to override Group policy (Disable Addins and change default file type)

    Hi there,
    I am developing a solution for our customer that requires Office 2010 64-bit, which I have.
    However my company's group policy, (I believe), keeps adding in a template manager for corporate documents, this template is 32-bit and is incompatible with my version of office. This means that every time I open or close excel I get a warning of incompatibility.
    This is irritating, as is the fact that the default new file type keeps switching back to xls, which causes me problems since my macros need to create xlsx files, for the customer.
    Now I believe that both of these are set by the group policy and while they are fine for most people, due to my unusual role, it causes me irritations I would rather avoid.
    Since I know it will not be possible to change the group policy for the handful of people who are affected like this, I am looking for some help to, e.g. automatically run a script to adjust these settings on my local machine to make my life easier.
    Thanks for your help,
    Vincent.

    Try using Process Monitor to look for the key.
    For example, you may set the required value through the group policy and see what Windows registry keys are changed.

  • Windows 2008 R2 group policy not applied on some of the computers

    Dear All,
    I have windows 2008 r2 as domain controller and configured group policy. when I am changing existing group policy most of the computers not affecting with update policy.
    is there any server or any other method required to configure?
    every time i need to update group policy manually on computers.
    pls help
    SUNIL PATEL SYSTEM ADMINISTRATOR

    You have an issue with AD DS replication. Ensure all domain controllers are in sync.

  • Group Policy Printers errors

    Hello everybody,
    We have a problem since few weeks with printers deployment.
    Intermittently, they are not deployed and we have errors 4098 in Event ID with codes :
    - '0x8007000a The environment is incorrect'
    - '0x8007007a The data area passed to a system call is too small'
    - '0x80070005 Access denied'
    Our server is a Windows 2008 R2 and clients are Windows7.
    We have already read these topics :
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/24dfd6c0-b460-40a7-ad18-13e404b361e7/group-policy-printers-dissapearing-from-client-machines-intermittently
    It was already enabled (Computer Configuration\Administrative Templates\System\Group Policy\Printers Policy Processing -> Do not apply during periodic background processing)
    http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_26220975.html
    We have tried to delete printers at logoff but nothing changed.
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/7d3809c4-9f36-4412-9c9f-d82614ba3eb9/printers-not-applied-error-4098-0x80070005-access-is-denied
    By default we have everybody can print. To be sure, we have added "Domain Computers" but same result.
    We have tried to create :
    - New GPO to deploy old printers queues => no changes.
    - New printers queues and deploy with old GPO => no changes.
    - New GPO to deploy new printers queue => no changes.
    Our GPO is set like this :
    - [Computer configuration/Policies/Administrative Templates/System/Group Policy]
    ○ Configure printers preference extension policy processing => all enabled
    ○ Configure user Group Policy loopback processing mode => Merge
    - [User configuration/Preferences/Control Panel Settings/Printers/Shared Printer/printername]
    ○ General => Sharepath
    \\server\printername
    ○ Common => Remove this item when it is no longer applied
    In a desperate hope we have reinstalled completely some clients but we still have sometimes "Environment is incorrect".
    We don't know anymore what to do…
    Can you help us please ?

    Hello,
    Have you installed the latest Microsoft hotfixes on your server / client?
    KB2537549 - Cannot deploy a printer by using a GPO if read-only domain controllers are exclusively used in the domain environment in Windows 7 or in Windows Server 2008 R2. This hotfix contains the most current version of PRINTER Group Policy Preferences for Windows 7/2008 Post SP1.
    KB2647753 - Update rollup for the printing core components in Windows 7 and Windows Server 2008 R2.
    KB2526028 - Printing performance decreases in Windows 7 or in Windows Server 2008 R2.
    KB2618574 - Print Spooler service saves the NetBIOS name of the print server in Windows 7 or in Windows Server 2008 R2
    A list of other post-SP1 hotfixes can be found here...
    Links to post SP1 hotfixes for Windows 7 Service Pack 1
    Links to post SP1 hotfixes for Windows Server 2008 R2 Service Pack 1
    List of performance hotfixes post SP1 for Windows 7 SP1
    Jan

  • Server 2012 R2 Group policy management with older Domain servers

    Hi Guys,
    I need your expert assistance with a issue I'm facing.
    We have a client that has 3 domain controllers. The Primary DC is running Server 2003 R2, another one is running Server 2008, and the last DC is running Server 2008 R2. The forest functional level is Server 2000 & the domain functional level is Server 2003.
    Currently Group policy is processing using a central store across the 3 domain controllers.
    We have installed a new Server 2012 R2 Terminal server and need to apply group policies to the Server to lock it down.
    We have a separate Server 2012 R2 server (say SERVER1) that is also joined to the domain that I have added the group policy management feature to so it can remotely manage group policy.
    It seems to be pulling all the group policy details from the central store so I can't see any of the server 2012 related settings on SERVER1.
    Are we going about this the correct way? how would we best manage the Server 2012 policies? I was thinking either somehow making the specific TS group policy only load in a local policy or templates somehow..

    If you are using a central policy store, this is the expected (intended) behaviour.
    You will need to update the central store with the latest versions of the adm(x/l) files.
    http://www.microsoft.com/en-us/download/details.aspx?id=36991
    or grab them from a 2012(r2) installation c:\Windows\PolicyDefinitions
    MCP/MCSA/MCTS/MCITP

  • Group Policy Shortcuts Fail: The system cannot find the path specified.

    The executable I'm pointing to is under C:\Foldername\file.exe
    I know it's there, I tested it, I pasted the very same path into the run dialog, it works. The path is correct, so why can't group policy find it?
    I even tried putting the exe in the root of C:\ and pointing the shortcut there, it can't even see it there. Is it blind? I can see it. I'm looking right at it.

    I fixed it myself. Turns out Microsoft's error messages are obnoxiously non-helpful. The error was referring to the icon path not the target file path.  I had to select programs from the drop down list and then set the path.
    It would help if Microsoft would document this a lot better, and perhaps enhance their event log errors so that they don't send people on confusing wild goose chases that drive people insane.

  • Windows 2008 R2 Standard Group Policy to Add Device and Printer in start menu of Windows 7 Users

    i need to add for Device and printers option in start menu of windows 7 client log on system,how to assign the group policy enable?  

    Hi,
    Are you trying to put a software icon to start for easy of end user use? If so you can refer the following related third party article solution:
    The related third party article:
    How to Push Shortcuts to the Desktop With Group Policy
    http://www.ehow.com/how_8390530_push-shortcuts-desktop-group-policy.html
    Hope this helps.

  • Group Policy Management of One Drive

    We are looking into deploying Onedrive for our school with 1TB Drives and are upgrading to Windows 8.1 devices as well. These devices will not have 1 TB of storage local to their workstations/tablets/laptops. While I know that it is possible to set Onedrive as the default and even force all files to be online, what I would like to know is: is there a way to force synchronization in a way where only the recently used files are available offline?
    For example I would like a file to keep the last 100 files accessed from One Drive local but still have it synchronize with Onedrive to make sure that the files are backed up whenever internet access is available. I'd even be happy with the ability to set a policy where any file used for the last 15 days is synchronized locally with OneDrive and kept offline, but on day 16 of it not being accessed, the file gets synchronized and then removed from local with only a pointer to the online file.
    If anyone knows if this or something like this is possible it would be really beneficial especially if its controlled by group policy.

    Hi,
    Just confirm, are you trying to deploy OneDrive or OneDrive for Business? Please note they are two different products,
    How is OneDrive for Business different from OneDrive? Please refer to:
    http://office.microsoft.com/en-001/sharepoint-server-help/what-is-onedrive-for-business-HA102822076.aspx?CTT=1#differences
    Regards,
    Melon Chen
    TechNet Community Support

  • I removed the kernel extensions and now Mac won't boot in safe mode

    Hey guys. I did a severely boneheaded thing. In an attempt to see what extensions were necessary I copied them to a folder on my desktop. I then deleted the kernel extensions but did not empty the trash. Upon restart, crunch. I can't seem to get the computer to boot in safe mode. I tried a number of things but none of them have worked. The computer continually crashes into a kernel panic. I am using 10.4 and would like to try and reinstall the OS but I can't even get the computer to boot from the install dvd.
    Any help or insight would be sincerely appreciated. Thanks guys.
    -Boneheadedly yours,
    Sean

    You need to get into single user mode for steps one and two that are listed below.
    This page will tell you how to get into single user mode.
    http://support.apple.com/kb/HT1492
    Basically, you hold down the command + s key then  powering on your machine. The command key has a little apple symbol on the lower left. It is between the alt/option key and the space bar. On a PC keyboard, it will be the windows key, I think.
    You can get into the terminal when you boot off of an install dvd.
    Here is an overview of the terminal commands. Let's assume that your account has a short user name of mac.
    Macintosh-HD -> Applications -> Utilities -> Terminal
    #What is my short user name?  Type the whoami command.
    mac $ whoami
    mac
    mac $
    #How to list all of your disks.
    # The ls command is for list
    mac $ ls /Volumes/
    Audio CD       Macintosh-HD   Spotless       Tiger-ext
    mac $
      # Let's say your flash drive is named Spotless
    # cd is change directory
    mac $ cd /Volumes/Spotless
    # pwd is Print Working Directory. A directory is the Unix name for a folder.  You are always in a directory.
    mac $ pwd
    /Volumes/Spotless
    mac $
      # The ls command is for list
    # l is long
    # F is type of file where / is directory.  For directories, the slash is pasted to the end of the name. 
    mac $ ls -lF
    total 134704
    -rw-r--r--     1 mac  staff     64560 Mar  3  2009 A-picture-of-Youpi-key.png
    drwxr-xr-x    83 mac  staff      2822 Nov  7 14:52 Applescript files/
    drwxrwxrwx    12 mac  staff       408 Dec 13  2008 Christmas Cards/
    drwxr-xr-x     9 mac  staff       306 Dec 21 17:39 Christmas Cards 2009/
    ... trimmed ... What does all this mean?
    drwxrwxrwx
    d = directory
    r = read
    w = write
    x = executable program
    drwxrwxrwx
    ||  |  |
    ||  |   all other users not in first two types
    ||  | 
    ||  group
    ||
    |owner

    What type of entry is this? d = directory, - = file, etc. 
    Every Unix resource: files, folders, etc has an owner, group, other 
    A Unix resource has one owner.
    A Unix resource has one group.  A group contains a list of users.
    To gain access to a file, you can be the owner, in the group, or not the owner and not in the group hence you end up as other. The owner, group, or other  has read, write, or execute permissions.
    # l is long
    # a is all to show hidden files & folders
    mac $ ls -lFa
    total 134736
    drwxr-xr-x    41 mac   staff      1496 Dec 22 17:11 .
    drwxrwxrwt     8 root  admin       272 Dec 24 13:55 ..
    -rwxrwxrwx     1 mac   staff     15364 Dec 23 12:52 .DS_Store*
    drwx------     4 mac   staff       136 Jan 22  2009 .Spotlight-V100
    drwxrwxrwt     5 mac   staff       170 Sep 14 16:36 .TemporaryItems
    d-wx-wx-wx     4 mac   staff       136 Dec 31  1969 .Trashes
    -rw-r--r--     1 mac  staff     64560 Mar  3  2009 A-picture-of-Youpi-key.png
    drwxr-xr-x    83 mac   staff      2822 Nov  7 14:52 Applescript files
    drwxrwxrwx    12 mac   staff       408 Dec 13  2008 Christmas Cards
    drwxr-xr-x     9 mac   staff       306 Dec 21 17:39 Christmas Cards 2009
    ... trimmed ...
    # mv is move or rename
    mv -i the-name the-new-name
    # You can just rename the file back to what it was with mv command.
    mv -i old-name new-name
    Here is what these commands mean:
    cd is change directory
    pwd is a print working directory
    ls is list
    sudo is Super user do
    mv is move or rename
    For cryptic comments, you can always use the manual command which is man. For example:
    man mv 
    # Type the letter q to quit.
    In case you have spaces in your filenames or directories, you need to escape them. See examples: 
    mac $ ls -l ~/"see it"
    -rw-r--r-- 1 mac staff 3171 Oct 26 23:38 /Users/mac/see it
    mac $
    mac $ cd /Users/mac/Desktop/ttt\ html\ copy/
    Do you know about tabbing? Type in a few letters of a name then press the tab key. The computer will type out the rest of the name if it is unique.
    Press the up arrow key to see the previous command(s).
    To edit a command, use the left arrow key to move left and the right arrow key to move right. Use the delete key to delete the key to the left. Type a letter to insert.
    history to see many previous commands. 
    mac $ history
        1  pwd
        2  man ls
        3  history
    You may copy then paste from this list.
    http://discussions.apple.com/thread.jspa?threadID=2692161&tstart=0 
    Robert
