Manual client deployment not picking up Group Policy provided registry settings

We are having an issue with some laptops and machines that are turned off overnight not downloading necessary items for the SCCM 2012 client install.  We are going through the upgrade from 2007 to 2012 and are manually installing the client
through the SCCM console.  Now that we have gotten the majority of our clients up to the 2012 version, we are planning to push the client going forward through WSUS.  Unfortunately, BITS is not allowing the update to come down in the time that some
machines are on the network. 
After some digging, we have concerns that the Group Policy setting for the command line properties are being ignored.
We have the Group policy set as follows:
/mp:oursccmserver.domain.com / service / forceinstall / BITSPriority:FOREGROUND SMSSITECODE=PRISITE FSP=OURFSP.domain.com
However, the command line entry in the ccmsetup.log file on machines that have received the client as well as those not installing is showing the following:
- Ccmsetup command line: "C\Windows\ccmsetup\ccmsetup.exe" /runservice /config:MobileClient.tcf
- Command line parameters for ccmsetup have been specified. No registry lookup for command line parameters is required.
Can someone tell me why it is not picking up the settings in the registry?  We have verified the settings are hitting the machines from GP, just does not seem to be using them which is why we think it is allowing BITS to throttle the download of the pre-reqs.
Thanks in advance for any suggestions/help.

Sorry for not updating this...
After digging for days on this and contemplating calling MSFT support, I happened to check the Client Push installation properties and found the Install properties had been removed from each of our sites (1 primary and 2 secondaries).
Although we do not have Client Push enabled for a variety of reasons, the properties have to be set for the manual push of the client from the console.  Once we re-entered the command line options for the Push install properties, manual installation
from the console is working as expected.
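
A triage helper for the symptom in this thread, added here as an example and not part of the original posts: it reads ccmsetup.log text, finds the command line ccmsetup ran with, and reports whether the "No registry lookup" message was logged and which expected switches or properties are absent. The function name, the parameter names and the sample lines (including the CMTrace-style wrapper metadata) are constructed for illustration.

```powershell
# Added example, not from the original thread. Function and parameter names are hypothetical.
function Get-CcmSetupParameterSource {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]] $LogLine,

        # Switch or property names the policy was supposed to deliver (no leading '/').
        [string[]] $ExpectedName = @()
    )

    $commandLine = $null
    $registryLookupSkipped = $false

    foreach ($line in $LogLine) {
        # CMTrace-format lines wrap the message in <![LOG[ ... ]LOG]!>;
        # plain excerpts (as pasted in the post) are used after trimming a leading "- ".
        if ($line -match '<!\[LOG\[(?<msg>.*?)\]LOG\]!>') {
            $message = $Matches['msg']
        } else {
            $message = $line -replace '^[\s-]+', ''
        }

        if ($message -match '^Ccmsetup command line:\s*(?<cmd>.+)$') {
            $commandLine = $Matches['cmd'].Trim()
        } elseif ($message -match 'No registry lookup for command line parameters is required') {
            $registryLookupSkipped = $true
        }
    }

    $switches = @()
    $properties = @()
    if ($commandLine) {
        # /name or /name:value tokens, e.g. /runservice, /config:MobileClient.tcf
        $switches = @([regex]::Matches($commandLine, '(?<=\s)/(?<name>[A-Za-z]+)') |
            ForEach-Object { $_.Groups['name'].Value })
        # NAME=value tokens, e.g. SMSSITECODE=PRISITE
        $properties = @([regex]::Matches($commandLine, '(?<=\s)(?<name>[A-Za-z_][A-Za-z0-9_]*)=') |
            ForEach-Object { $_.Groups['name'].Value })
    }

    # -notin compares case-insensitively, so 'BITSPriority' matches '/bitspriority'.
    $present = $switches + $properties
    $missing = @($ExpectedName | Where-Object { $_ -notin $present })

    $finding = if (-not $commandLine) {
        'No "Ccmsetup command line" entry found in the supplied lines.'
    } elseif ($registryLookupSkipped -and $missing.Count -gt 0) {
        'Explicit command line supplied; registry parameters were not read. Missing: ' + ($missing -join ', ')
    } elseif ($registryLookupSkipped) {
        'Explicit command line supplied; it already carries every expected name.'
    } else {
        'No explicit-parameter message logged; a registry lookup was not ruled out.'
    }

    [pscustomobject]@{
        CommandLine           = $commandLine
        Switches              = $switches
        Properties            = $properties
        RegistryLookupSkipped = $registryLookupSkipped
        MissingExpected       = $missing
        Finding               = $finding
    }
}

# Constructed sample: one plain line as pasted in the post, one in CMTrace wrapper form.
$sample = @(
    '- Ccmsetup command line: "C:\Windows\ccmsetup\ccmsetup.exe" /runservice /config:MobileClient.tcf'
    '<![LOG[Command line parameters for ccmsetup have been specified. No registry lookup for command line parameters is required.]LOG]!><time="09:15:02.000+300" date="01-15-2014" component="ccmsetup" context="" type="1" thread="1234" file="ccmsetup.cpp:1">'
)

Get-CcmSetupParameterSource -LogLine $sample -ExpectedName 'mp', 'BITSPriority', 'SMSSITECODE', 'FSP' |
    Format-List
```

On a client, feed it the real log with `-LogLine (Get-Content C:\Windows\ccmsetup\Logs\ccmsetup.log)`; that path is the usual location for the 2012 client and is an assumption here, not something stated in the thread.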

Similar Messages

  • Deployment of software through Group policy does not work

    Hi all,
    I am trying to deploy a program through Group policy, specifically winrar, any client computer is able to install the program. Please find below the events from the workstation:
    Log Name:      Application
    Source:        Microsoft-Windows-WMI
    Date:          4/27/2014 10:06:01 PM
    Event ID:      10
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      IRCLIENT0001.corp.healthcareinnovation.com
    Description:
    Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because
    of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
    Log Name:      System
    Source:        Microsoft-Windows-GroupPolicy
    Date:          4/27/2014 10:04:49 PM
    Event ID:      1085
    Task Category: None
    Level:         Warning
    Keywords:      
    User:          SYSTEM
    Computer:      IRCLIENT0001.corp.healthcareinnovation.com
    Description:
    Windows failed to apply the Software Installation settings. Software Installation settings might have its own log file. Please click on the "More information" link.
    Log Name:      System
    Source:        Application Management Group Policy
    Date:          4/27/2014 10:04:49 PM
    Event ID:      108
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          SYSTEM
    Computer:      IRCLIENT0001.corp.healthcareinnovation.com
    Description:
    Failed to apply changes to software installation settings.  Software changes could not be applied.  A previous log entry with details should exist.  The error was : %%1612
    Log Name:      System
    Source:        Application Management Group Policy
    Date:          4/27/2014 10:04:48 PM
    Event ID:      102
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          SYSTEM
    Computer:      IRCLIENT0001.corp.healthcareinnovation.com
    Description:
    The install of application WinRAR from policy Basic Computers GPO failed.  The error was : %%1612
    I am using windows server 2008 R2 and all my clients are running Windows 7 Enterprise and they are working over a domain, note that I am using VMware.
    Below there are a list of the troubleshooting steps that have been already applied:
    *Disable the firewall both in the server and in the clients 
    *Grant read access to the folder where the the program is shared for installation, it was added the authenticated users and domain computers.
    *Group policy modifications: 
    -> User Account Control
    Policy Setting Winning GPO 
    - User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode Elevate without prompting Basic Computers GPO 
    - User Account Control: Detect application installations and prompt for elevation Disabled Basic Computers GPO 
    - User Account Control: Only elevate UIAccess applications that are installed in secure locations Disabled Basic Computers GPO 
    - User Account Control: Run all administrators in Admin Approval Mode Disabled Basic Computers GPO 
    --> System/Group Policy
    Policy Setting Winning GPO 
    - Startup policy processing wait time Enabled Basic Computers GPO 
    Amount of time to wait (in seconds): 120 
    --> System/Logon
    Policy Setting Winning GPO 
    - Always wait for the network at computer startup and logon Enabled Basic Computers GPO 
    Thank you very much for your time.

    Hi Marco,
    Based on your description, we can enable diagnostic logging of Group Policy Software Installation processing to troubleshoot the issue.
    Regarding this point, the following article can be referred to for more information.
    How to troubleshoot software installations by using Windows application management debug logging
    http://support.microsoft.com/kb/249621
    Once you get the log, you may upload it to OneDrive and provide us the download link.
    In addition, the following article provides step-by-step guidance for deploying software via group policy and can be referred to for a double check.
    How to use Group Policy to remotely install software in Windows Server 2008 and in Windows Server 2003
    http://support.microsoft.com/kb/816102
    Best regards,
    Frank Shen

  • Deploying Office 2013 with Group Policy

    I would like to deploy Office 2013 using group policy. I am new to group policy so am looking for some advice and guidance on the best way to deploy. I would like to deploy with no interaction with the user but yet display a message so that they
    know not to open Office. I would also like to create a custom registry setting so that if I need to re-install, all I have to do is delete the registry setting. I have tried a group policy for installing with OCT  settings (Basic, Suppress
    Model checked, No Cancel checked, Completion Notice checked) and modifying the Config.xml (<Display Level="Basic" CompletionNotice="yes" SuppressModal="yes" AcceptEula="yes" />) but I can not get it to display
    the installer screen so that users know it is installing. It does display the screen when running the setup.exe manually. I have a setting in the OCT that creates the registry setting and that is working correctly. My group policy is set to run the
    below bat file at startup in the Computer Configuration.
    setlocal
    REM *********************************************************************
    REM Environment customization begins here. Modify variables below.
    REM *********************************************************************
    REM Get ProductName from the Office product's core Setup.xml file, and then add "office15." as a prefix.
    set ProductName=Office15.Standard
    REM Set DeployServer to a network-accessible location containing the Office source files.
    set DeployServer="\\xxxxxx\setup.exe"
    REM Set LogLocation to a central directory to collect log files.
    set LogLocation=\\xxxxx\Logfiles
    REM *********************************************************************
    REM Deployment code begins here. Do not modify anything below this line.
    REM *********************************************************************
    IF NOT "%ProgramFiles(x86)%"=="" (goto ARP64) else (goto ARP86)
    REM Operating system is X64. Check for 32 bit Office in emulated Wow6432 uninstall key
    :ARP64
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\Microsoft\Windows\CurrentVersion\Uninstall\%ProductName%
    if NOT %errorlevel%==1 (goto End)
    REM Check for 32 and 64 bit versions of Office 2013 in regular uninstall key.(Office 64bit would also appear here on a 64bit OS)
    :ARP86
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ProductName%
    if %errorlevel%==1 (goto Office) else (goto End)
    REM If 1 returned, the product was not found. Run setup here.
    :Office
    %DeployServer%
    echo %date% %time% Setup ended with error code %errorlevel%. >> %LogLocation%\%computername%.txt
    REM If 0 or other was returned, the product was found or another error occurred. Do nothing.
    :End
    Endlocal
    Any advice or guidance would be greatly appreciated on how to get a pop up message while software is installing or if there is a better way to deploy.

    > but I can not get it to display the installer screen so that users know
    > it is installing. It does display the screen when running the setup.exe
    > manually. I have a setting in the OCT that creates the registry setting
    > and that is working correctly. My group policy is set to run the
    > below bat file at startup in the Computer Configuration.
    Check http://gpsearch.azurewebsites.net/#2308 - if this is enabled, you
    will not be able to show "anything" in startup scripts...
    Martin
    How about reading a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Deploy Office 2013 using Group Policy

    Below is a list of questions I have regarding setting up Office 2013 deployment automation. We are looking to deploy Office 2013 Business Click-to-Run using a group policy. We have already set up the deployment using the Office Deployment Tool and have
    the configuration file all set up. The more automation we can provide the better to give the end users the best/fastest experience with this upgrade.
    How do we automate the deployment process using a group policy?
    Is there a way to have the Office 2013 deployment auto activate using the users credentials? We will be using the same password for all the user accounts for the deployment then having them change it later once everything is up and running. Would like to
    avoid having to go around and help each user activate the software as well.
    We would like to uninstall all previous versions of Office from the workstations that we're deploying Office 2013 to?
    Thank you!

    1. Because Office (in all forms) requires setup.exe to orchestrate the installations, classic Group Policy Software Installation (which requires an MSI file) is not suitable. This has been the case since Office 2007. If you are constrained to use GP, you
    will need to use GP Startup Scripts. There is guidance for this, in the Office resource kit library on TechNet.
    http://technet.microsoft.com/en-us/library/ff602181(v=office.15).aspx
    2. Retail editions of Office, typically require you to login to the Microsoft Account where the license is associated, to validate the Office license. If you are using a product key method instead, you can use the PIDKEY element in your configuration.xml
    http://technet.microsoft.com/en-US/library/jj219426(v=office.15).aspx
    3. You'll need to tackle this yourself (there is no way to do this via C2R configuration). You could include the relevant uninstall-previous-version logic within your GP Startup Script (as a step prior to installing Office C2R). You'll need to cater for
    whatever previous-versions might exist in your environment, and whatever the relevant uninstallation methods are for each previous-version.
    Don

  • Renewed my subca now I get A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider

    Hello
    My subca certificate was about to expire so I renewed it with the same key and since then my wireless will not connect. I get the following error from NPS:
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID:
    AD\4411CB8CD34A2AA$
    Account Name:
    host/4411CB8CD34A2AA.ad.***.org
    Account Domain:
    AD
    Fully Qualified Account Name:
    AD\4411CB8CD34A2AA$
    Client Machine:
    Security ID:
    NULL SID
    Account Name:
    Fully Qualified Account Name:
    OS-Version:
    Called Station Identifier:
    f4-1f-c2-e6-0e-40:***-private
    Calling Station Identifier:
    e0-06-e6-c2-96-b7
    NAS:
    NAS IPv4 Address:
    10.0.2.85
    NAS IPv6 Address:
    NAS Identifier:
    DOM-WLC1
    NAS Port-Type:
    Wireless - IEEE 802.11
    NAS Port:
    13
    RADIUS Client:
    Client Friendly Name:
    NPS Proxy 1
    Client IP Address:
    10.0.2.12
    Authentication Details:
    Connection Request Policy Name:
    Wireless Clients
    Network Policy Name:
    Wireless Clients
    Authentication Provider:
    Windows
    Authentication Server:
    DOM-DC1.ad.****.org
    Authentication Type:
    EAP
    EAP Type:
    Microsoft: Smart Card or other certificate
    Account Session Identifier:
    Logging Results:
    Accounting information was written to the local log file.
    Reason Code:
    295
    Reason:
    A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
    How do I make the policy provider trust this new certificate that was created? When I renewed the certificate everything looks good on the subca and root ca. The new certificate is not in the nps servers so I tried manually importing it and that still did
    not work. I noticed when I open the wireless network policy properties under constraints and open the Microsoft: Smart Card or other certificate eap type the new certificate is not in there. Any suggestions? Thank you!

    Can you copy the client certificate to the NPS server and run the following command against this certificate:
    certutil -verify -urlfetch path\clientcert.cer
    and show us the output.
    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new:
    PowerShell File Checksum Integrity Verifier tool.

  • W2012R2 - A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

    Hi all.
    I have a standalone offline RootCA, and an enterprise domain SubCA on a DC on Windows 2012 server. I have a Windows 2003 Terminal Server, users log on to TS via smart cards - and this works fine.
    Now I added Windows server 2012 as "Terminal Server".
    Now I added Windows server 2012 R2 as "Terminal Server".
    I configured both servers identically.
    Users can logon via smart card to Windows Server 2012.
    Users CAN NOT logon via smart card to Windows Server 2012 R2.
    When a user tries to log on via smart card, they get this information:
    "An untrusted certification authority was detected while processing the domain controller certificate used for authentication. Additional information..."
    I run a certutil.exe -scinfo on both Windows 2012/2012R2 servers.
    I found differences in the (~) same place in the output log.
    On Windows 2012:
    Exclude leaf cert:
       b4 44 8f fb fb b4 5f 03 39 76 dc cc e8 da 02 e0 d0 cc b6 32
     Full chain:
       c8 3d 07 12 ea 4d 0e 5a 8c 50 fc 56 2e 51 f1 68 6a 26 90 77
    Verified Issuance Policies: None
    Verified Application Policies:
         1.3.6.1.5.5.7.3.2 Client Authentication
         1.3.6.1.4.1.311.20.2.2 Smart Card Logon
     On Windows 2012 R2:
     Exclude leaf cert:
       78 7e 6c 60 3f 20 c6 f6 e8 74 c8 36 e3 d3 88 ac 12 60 41 32
     Full chain:
       b8 a9 fa 6c db 07 cd 32 86 17 8c 88 02 ba d0 4b 8c ac 2d 58
       Issuer: CN=XXX CA, OU=Certification Services, O=XX, C=XX
       NotBefore: 2013-11-22 12:42
       NotAfter: 2014-11-22 12:42
       Subject: CN=XX Test, OU=XX, OU=UXX, DC=XX, DC=com
       Serial: 7a0084f
       SubjectAltName: Other Name:Principal Name=XX@XX
       Template: Smartcard Logon Behalf 2048
       1d 2a bb dc 2a 9c 70 0d b5 35 47 44 ee 61 60 ab 71 97 66 ff
     A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)
    I run a certutil -verify xx.cer on both Servers 2012/2012R2 and on both servers have the ~exact same thing.
    Windows 2012:
    Exclude leaf cert:
       f6 0e 96 da c7 08 9a 78 12 97 a6 b6 22 df 57 9d e7 03 41 df
     Full chain:
       f0 fb 19 66 e8 6c 4f ea b4 d5 ea 6d 5e 38 54 07 b0 9f 52 96
    Verified Issuance Policies: None
    Verified Application Policies:
         1.3.6.1.4.1.311.20.2.2 Smart Card Logon
         1.3.6.1.5.5.7.3.2 Client Authentication
    Leaf certificate revocation check passed
    Windows 2012 R2:
    Exclude leaf cert:
       84 18 5b 9d 06 61 60 73 c6 37 80 f4 25 33 c4 d3 5e ef 4a 93
     Full chain:
       63 8e 9e 37 78 c9 93 bb 4d da f4 e3 4b 7e 2b 14 49 28 0f 5d
    Verified Issuance Policies: None
    Verified Application Policies:
         1.3.6.1.4.1.311.20.2.2 Smart Card Logon
         1.3.6.1.5.5.7.3.2 Client Authentication
    Leaf certificate revocation check passed
    Whether Windows 2012R2 is not trying to build a certificate path, treating smart card logon certificate as (Sub)CA certificate?
    Previous and probably wrong idea:
    The only thing that comes to my mind is my SubCA.
    I have two CA Certificates:
    Certificate #0 (expired)
    Certificate #1 <- valid.
    I guess that all Windows before Windows 2012 R2 build the certification chain from the valid (second #1) certificate. Windows 2012 R2 takes the first and we have:
    "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
    [ value]  800B0112 "
    This is a bug or feature?
    How I can fix this without removal Certificate #0 from my SubCA?
    Best regards
    Jacek Marek
    MCSA Windows Server 2012

    Hi,
    Glad to hear that the issue is solved!
    Thank you very much for your sharing!
    Please feel free to let us know if you encounter any issues in the future.
    Best Regards,
    Amy

  • A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

    Hi all.
    I have a standalone offline RootCA, and an enterprise domain SubCA on a DC on Windows 2012 server. I have a Windows 2003 Terminal Server, users log on to TS via smart cards - and this works fine.
    Now I added Windows server 2012 as "Terminal Server".
    Now I added Windows server 2012 R2 as "Terminal Server".
    I configured both servers identically.
    Users can logon via smart card to Windows Server 2012.
    Users CAN NOT logon via smart card to Windows Server 2012 R2.
    When a user tries to log on via smart card, they get this information:
    "An untrusted certification authority was detected while processing the domain controller certificate used for authentication. Additional information..."
    The only thing that comes to my mind is my SubCA.
    I have two CA Certificates:
    Certificate #0 (expired)
    Certificate #1 <- valid.
    I guess that all Windows before Windows 2012 R2 build the certification chain from the valid (second #1) certificate. Windows 2012 R2 takes the first and we have:
    "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
       [ value]  800B0112 "
    This is a bug or feature?
    How I can fix this without removal Certificate #0 from my SubCA?
    Best regards
    Jacek Marek
    MCSA Windows Server 2012

    Hi,
    I run a certutil.exe -scinfo on both Windows 2012/2012R2 servers.
    I found differences in the (~) same place in the output log.
    On Windows 2012:
    Exclude leaf cert:
      b4 44 8f fb fb b4 5f 03 39 76 dc cc e8 da 02 e0 d0 cc b6 32
    Full chain:
      c8 3d 07 12 ea 4d 0e 5a 8c 50 fc 56 2e 51 f1 68 6a 26 90 77
    Verified Issuance Policies: None
    Verified Application Policies:
        1.3.6.1.5.5.7.3.2 Client Authentication
        1.3.6.1.4.1.311.20.2.2 Smart Card Logon
    On Windows 2012 R2:
     Exclude leaf cert:
      78 7e 6c 60 3f 20 c6 f6 e8 74 c8 36 e3 d3 88 ac 12 60 41 32
    Full chain:
      b8 a9 fa 6c db 07 cd 32 86 17 8c 88 02 ba d0 4b 8c ac 2d 58
      Issuer: CN=XXX CA, OU=Certification Services, O=XX, C=XX
      NotBefore: 2013-11-22 12:42
      NotAfter: 2014-11-22 12:42
      Subject: CN=XX Test, OU=XX, OU=UXX, DC=XX, DC=com
      Serial: 7a0084f
      SubjectAltName: Other Name:Principal Name=XX@XX
      Template: Smartcard Logon Behalf 2048
      1d 2a bb dc 2a 9c 70 0d b5 35 47 44 ee 61 60 ab 71 97 66 ff
    A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)
    I run a certutil -verify xx.cer on both Servers 2012/2012R2 and on both servers have the ~exact same thing.
    Windows 2012:
    Exclude leaf cert:
      f6 0e 96 da c7 08 9a 78 12 97 a6 b6 22 df 57 9d e7 03 41 df
    Full chain:
      f0 fb 19 66 e8 6c 4f ea b4 d5 ea 6d 5e 38 54 07 b0 9f 52 96
    Verified Issuance Policies: None
    Verified Application Policies:
        1.3.6.1.4.1.311.20.2.2 Smart Card Logon
        1.3.6.1.5.5.7.3.2 Client Authentication
    Leaf certificate revocation check passed
    Windows 2012 R2:
    Exclude leaf cert:
      84 18 5b 9d 06 61 60 73 c6 37 80 f4 25 33 c4 d3 5e ef 4a 93
    Full chain:
      63 8e 9e 37 78 c9 93 bb 4d da f4 e3 4b 7e 2b 14 49 28 0f 5d
    Verified Issuance Policies: None
    Verified Application Policies:
        1.3.6.1.4.1.311.20.2.2 Smart Card Logon
        1.3.6.1.5.5.7.3.2 Client Authentication
    Leaf certificate revocation check passed
    Any idea, or I must open case with Microsoft support?
    Best regards
    Jacek Marek
    MCSA Windows Server 2012

  • Uninstall Lync 2010 client, Install Lync 2013 using Group Policy/VB/MS Customisation Tool

    Hi, I am using Group Policy/vb/Lync customization tools to deploy 2013 and remove 2010. The machines have Office 2010. The vb script is as below:
    Dim objShell 'As Object
    Dim objFSO 'As FileSystemObject
    '-- SET OBJECTS
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objShell = CreateObject("WScript.Shell")
    strComputerName = objShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
    Dim WshNetwork : Set WshNetwork = WScript.CreateObject("WScript.Network")
    objShell.Run """\\xxxxxxxxx - Do not Remove\Lync Install 2013 2010\Lync 2013 Outlook 2010\setup.exe"""
    I have amended the OCT with relevant settings, Lync 2013 installs but Lync 2010 does not uninstall. Here is how I have it set:
    In the Office Customization Tool - Set-up - Add Installation and Run Programs,
    In target - pointing to the Lync2010 exe file (on above share)
    In Arguments - /silent /uninstall
    Is this correct?
    Also, I would have thought that, Remove Previous Installations, it would have an option to remove Lync2010?
    Anyway..pulling my hair out here!
    Hope you can help.

    Hi,
    Based on your description, we can refer to the following threads for help.
    Slient Unninstall of Lync 2010 on client machines script required
    http://social.technet.microsoft.com/Forums/lync/en-US/69e32128-4581-4be5-9a44-b5d133e1f480/slient-unninstall-of-lync-2010-on-client-machines-script-required
    Scripting a Lync 2010 client Uninstall
    http://social.technet.microsoft.com/Forums/en-US/a65bd0d0-daa1-4616-8725-63f349fdde86/scripting-a-lync-2010-client-uninstall?forum=lyncconferencing
    For this issue is more related to Lync, in order to get better help, we can ask the question in the following TechNet dedicated Lync forum.
    Lync 2010 and OCS - Lync Clients and Devices
    http://social.technet.microsoft.com/Forums/lync/en-US/home?forum=ocsclients&filter=alltypes&sort=lastpostdesc
    In addition, for it also involves scripts, we can also ask for help in the following scripting forum.
    The Official Scripting Guys Forum
    https://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG&filter=alltypes&sort=lastpostdesc
    Hope it helps.
    Best regards,
    Frank Shen

  • Group Policy Preferences IE9 settings inconsistently applying on Windows 7 Clients

    We have two Windows 2008 R2 Domain Controllers.
    We have only Windows 7 SP1 clients.
    We have a mix of IE 9, 10 ,11 on the clients.
    We moved to using GPP to control IE Proxy settings some considerable time ago.
    We recently needed to add a site to the proxy exceptions list. This appeared to work. However we discovered that for IE 10+ the setting was not effective. So we spun up a Windows 8.1 VM with RSAT and added a new IE Settings object into GP targeting IE
    11. This appeared to have the desired effect.
    After a while some  (and it appears only some) IE9 machines, found their proxy settings reverting. This could be resolved by closing IE down and issuing a gpupdate /force command. However the issue would re-occur for these users, and they would be required
    to close their browser and re-issue update /force again.
    Furthermore (this may or may not be linked) we have been seeing JavaScript disabled warnings from OWA from some machines running IE11.
    Any thoughts on troubleshooting this would be appreciated.
    Nick

    Would you please let me know if the issue only occurred on all Windows 7 with IE 9 installed machines? Or
    only some Windows 7 with IE 9 installed machines have this issue?
    The issue is affecting about 20-25% of machines. Generally after a logon they are fine, but then after a background gp refresh they pick up 'old' settings for the bypass proxy list.
    Would you please let me know how did you configure the GPP settings?
    We opened up an existing GPO that contained our previous Internet Explorer GPP settings on our first domain controller (which appears to have IE11 installed) made the changes to the existing
    GPP IE Settings.
    We then noticed that the settings hadn't taken on IE11 machines, so we used a windows 8.1 RTM VM with RSAT installed to add an additional "Internet Explorer 8: Internet Explorer 11" only
    set of preferences. The IE8/9/10 preferences had priority of 1 the IE 11 preferences a priority of 2
     I think the original GPP settings were created from a Windows 7 machine with IE9 and the Enterprise Hotfix Rollup installed.
    Did you configure it in one GPO and applied to all machines?
    Yes.
    Have you tried to just configure it separately on Windows 2008 R2 DC and applied it to these Windows 7 with IE 9 installed machines?
    Not yet. We currently have a some LOB activities that require one of the sites in the proxy bypass list. I do not want to risk breaking that until later on this week.
    How to enable Group Policy Preferences support for IE9
    http://www.grouppolicy.biz/2011/03/how-to-enable-group-policy-preferences-support-for-ie9/
    We have the enterprise hotfix rollup installed on the Clients. However
    it appears it is not installed on the DCs. 
    Further examination of the output of a gpresult /h shows that legacy settings from the IE Maintenance object within the GPO match the settings we see applying from time to time. Is that possible? How can we remove the IE Maintenance settings from the
    GPO to test?

  • WMI Filters Folder NOT Found in Group Policy Management Console.

    We have a Small Business Server 2011 Standard Edition install that is Hosting a Domain that was migrated to it from Windows Server 2003 Standard Edition. All seems to be working. We have a few problems that we are trying to work on one at a time when this
    issue was brought to light.
    We were trying to push the installation of a client software via group policy and in the process to have it pushed by the server, we had to configure several wmi filters in the group policy management in the SBS 2011.  We opened the console and found
    that the WMI Filters Folder is nowhere to be found.
    We would like to find out what can be the cause and resolution of this problem.  I would like to find out how to get the WMI Filters folder back in the Management Console and be able to create the filters that will help us deploy the client software
    we need to provide to our users using the group policies.
    Has anyone experienced this problem?  Can we just go into the group policy management console and create the object and then import the default filters into that object we created?  The filters were exported from another sbs 2011 standard edition
    install that has the wmi filters folder in the GPMC.
    Need help on this situation.  Have very little experience in troubleshooting GPO and GPMC issues.
    Thank you
    JFM

    Hi,
    >>I need to find out if there is a way to get the WMI Filters Object Folder back or find a way to recreate it.
    Based on the description, we can use LDP.exe to check if the following object is missing in Active Directory:
    CN=Windows2003Update, CN=DomainUpdates, CN=System, DC=domain, DC=com
    Regarding how to use LDP.exe to view AD object, the following article can be referred to as reference.
    How to Use Ldp.exe to View Entire Directory Tree and Locate the Microsoft Exchange Container
    http://support.microsoft.com/kb/252335
    If the object is missing, we can follow the solutions described in the following article to check if the object was deleted and we need to restore it if this is true.
    Step 2: Restore a Deleted Active Directory Object
    https://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx
    If the object is there, we can check if proper access permissions have been configured for it.
    If the object is missing but not deleted, this may be related to the migration process. If this is true, we can ask for suggestions in the following SBS forum.
    Small Business Server
    https://social.technet.microsoft.com/Forums/en-US/home?forum=smallbusinessserver
    In addition, regarding migrating Active Directory to SBS 2011 Standard, the following articles can be referred to for more information.
    Prepare your Source Server for Windows SBS 2011 Standard migration
    https://technet.microsoft.com/en-us/library/gg615494.aspx
    SBS 2011 Standard Migrations – Keys to Success
    http://blogs.technet.com/b/sbs/archive/2011/07/01/sbs-2011-standard-migrations-keys-to-success.aspx
    Best regards,
    Frank Shen
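The three cases in the reply above (object present, object deleted, object missing but never deleted) can also be checked from PowerShell. This is an added example, not part of the reply; it assumes the ActiveDirectory module is available and reads the domain DN from the current domain in place of the `DC=domain,DC=com` placeholder.

```powershell
# Added example: requires the ActiveDirectory module (a domain controller or RSAT).
Import-Module ActiveDirectory

# Build the DN named in the reply, using the real domain DN.
$domainDn = (Get-ADDomain).DistinguishedName
$targetDn = "CN=Windows2003Update,CN=DomainUpdates,CN=System,$domainDn"

try {
    # Case 1: the object exists. List its ACL so the permissions can be reviewed.
    $obj = Get-ADObject -Identity $targetDn -Properties whenCreated, nTSecurityDescriptor -ErrorAction Stop
    Write-Output "Present: $($obj.DistinguishedName) (created $($obj.whenCreated))"
    $obj.nTSecurityDescriptor.Access |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited |
        Sort-Object IdentityReference |
        Format-Table -AutoSize
}
catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    # Case 2: not present. Search the deleted objects that are still retained.
    Write-Output "Missing: $targetDn"
    $deleted = Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "Windows2003Update*"' `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged

    if ($deleted) {
        # A deleted copy exists: candidate for the restore procedure linked in the reply.
        $deleted | Select-Object Name, lastKnownParent, whenChanged, ObjectGUID | Format-List
    }
    else {
        # Case 3: missing but not deleted, which the reply ties to the migration process.
        Write-Output 'No deleted copy found: missing but not deleted.'
    }
}
```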

  • MSI not installing via Group Policy - Insists location does not exist

    Hi
    I am creating a group policy object whereby I am pointing my software package installation to \\192.168.1.3\GPO\MSOCached32bit.msi
    The location has permissions for the machine accounts on both the share and the NTFS permissions with read-only access.
    I have created an OU and moved a Windows XP machine into it, linked the GPO and made sure that the XP machine is not using optimised logon.
    From the machine I can reach the share and see the file from the path above.
    However each time I reboot the machine I am testing on the installation fails, the exact error being:
    The install of application MSO from policy MSO Installation failed. The error was : The installation source for this product is not available. Verify that the source exists and that you can access it.
    This is rather odd, since I can see it, the machine account has permissions to see it and I cannot see what the problem is.
    I have then gone on to enable verbose logging of the MSI installer which has produced the following:
    === Verbose logging started: 18/08/2011  15:36:18  Build type: SHIP UNICODE 3.01.4001.5512  Calling process: \??\C:\WINDOWS\system32\winlogon.exe ===
    MSI (c) (AC:B0) [15:36:18:666]: Resetting cached policy values
    MSI (c) (AC:B0) [15:36:18:666]: Machine policy value 'Debug' is 7
    MSI (c) (AC:B0) [15:36:18:666]: ******* RunEngine:
               ******* Product: {96b77fe2-a045-4f3f-9a73-1bf359d0eaaf}
               ******* Action:
               ******* CommandLine:
    MSI (c) (AC:B0) [15:36:18:666]: Client-side and UI is none or basic: Running entire install on the server.
    MSI (c) (AC:B0) [15:36:18:666]: Grabbed execution mutex.
    MSI (c) (AC:B0) [15:36:18:736]: Cloaking enabled.
    MSI (c) (AC:B0) [15:36:18:736]: Attempting to enable all disabled priveleges before calling Install on Server
    MSI (c) (AC:B0) [15:36:18:736]: Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (s) (B4:CC) [15:36:18:756]: Grabbed execution mutex.
    MSI (s) (B4:D0) [15:36:18:766]: Resetting cached policy values
    MSI (s) (B4:D0) [15:36:18:766]: Machine policy value 'Debug' is 7
    MSI (s) (B4:D0) [15:36:18:766]: ******* RunEngine:
               ******* Product: {96b77fe2-a045-4f3f-9a73-1bf359d0eaaf}
               ******* Action:
               ******* CommandLine:  CURRENTDIRECTORY="C:\WINDOWS\system32" CLIENTUILEVEL=3  CLIENTPROCESSID=940
    MSI (s) (B4:D0) [15:36:18:766]: Machine policy value 'DisableUserInstalls' is 0
    MSI (s) (B4:D0) [15:36:18:766]: User policy value 'SearchOrder' is 'nmu'
    MSI (s) (B4:D0) [15:36:18:766]: User policy value 'DisableMedia' is 0
    MSI (s) (B4:D0) [15:36:18:766]: Machine policy value 'AllowLockdownMedia' is 0
    MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Media enabled only if package is safe.
    MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Looking for sourcelist for product {96b77fe2-a045-4f3f-9a73-1bf359d0eaaf}
    MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Adding {96b77fe2-a045-4f3f-9a73-1bf359d0eaaf}; to potential sourcelist list (pcode;disk;relpath).
    MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Now checking product {96b77fe2-a045-4f3f-9a73-1bf359d0eaaf}
    MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Media is enabled for product.
    MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Attempting to use LastUsedSource from source list.
    MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Processing net source list.
    MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Trying source \\192.168.1.3\GPO\.
    MSI (s) (B4:D0) [15:36:19:427]: Note: 1: 1314 2: \\192.168.1.3\GPO\
    MSI (s) (B4:D0) [15:36:19:427]: ConnectToSource: CreatePath/CreateFilePath failed with: -2147483648 1314 -2147483648
    MSI (s) (B4:D0) [15:36:19:427]: ConnectToSource (con't): CreatePath/CreateFilePath failed with: -2147483648 -2147483648
    MSI (s) (B4:D0) [15:36:19:427]: SOURCEMGMT: net source '\\192.168.1.3\GPO\' is invalid.
    MSI (s) (B4:D0) [15:36:19:427]: Note: 1: 1706 2: -2147483647 3: MSOCached32bit.msi
    MSI (s) (B4:D0) [15:36:19:427]: SOURCEMGMT: Processing media source list.
    MSI (s) (B4:D0) [15:36:19:437]: Note: 1: 2203 2:  3: -2147287037
    MSI (s) (B4:D0) [15:36:19:437]: SOURCEMGMT: Source is invalid due to missing/inaccessible package.
    MSI (s) (B4:D0) [15:36:19:437]: Note: 1: 1706 2: -2147483647 3: MSOCached32bit.msi
    MSI (s) (B4:D0) [15:36:19:437]: SOURCEMGMT: Processing URL source list.
    MSI (s) (B4:D0) [15:36:19:437]: Note: 1: 1402 2: UNKNOWN\URL 3: 2
    MSI (s) (B4:D0) [15:36:19:437]: Note: 1: 1706 2: -2147483647 3: MSOCached32bit.msi
    MSI (s) (B4:D0) [15:36:19:437]: Note: 1: 1706 2:  3: MSOCached32bit.msi
    MSI (s) (B4:D0) [15:36:19:437]: SOURCEMGMT: Failed to resolve source
    MSI (s) (B4:D0) [15:36:19:437]: MainEngineThread is returning 1612
    MSI (c) (AC:B0) [15:36:19:437]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
    MSI (c) (AC:B0) [15:36:19:437]: MainEngineThread is returning 1612
    === Verbose logging stopped: 18/08/2011  15:36:19 ===
    As you can see from the above highlighted line, it says it's invalid, but I cannot for the life of me understand why.
    Thanks in advance for any help!

    Hi,
    This is not related to the GPO. The issue is with the MSI and its packaging. Condition the ResolveSource action.
    Try copying the MSI to the local machine using a script and execute it.
    ResolveSource actually requires that the original installation source is available whenever it is called. If your installer package is authored correctly, the source must only be resolved in cases where the original RTM files are missing or during some patch
    uninstall scenarios.
    http://blogs.msdn.com/b/heaths/archive/2007/10/25/resolvesource-requires-source.aspx
    http://msdn.microsoft.com/en-us/library/aa371232%28VS.85%29.aspx
    http://www.appdeploy.com/messageboards/printable.asp?m=48703
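To read the source-resolution failure out of a verbose MSI log like the one in the question, the following added example (not from either poster) extracts the SOURCEMGMT steps, the numbered notes and the final return code. The sample lines are copied from the posted log; the function name and the short message table are this example's own, with meanings taken from the standard Windows Installer error messages.

```powershell
# Lines copied from the verbose log posted in the question above.
$sample = @'
MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Trying source \\192.168.1.3\GPO\.
MSI (s) (B4:D0) [15:36:19:427]: Note: 1: 1314 2: \\192.168.1.3\GPO\
MSI (s) (B4:D0) [15:36:19:427]: SOURCEMGMT: net source '\\192.168.1.3\GPO\' is invalid.
MSI (s) (B4:D0) [15:36:19:437]: Note: 1: 2203 2:  3: -2147287037
MSI (s) (B4:D0) [15:36:19:437]: Note: 1: 1706 2: -2147483647 3: MSOCached32bit.msi
MSI (s) (B4:D0) [15:36:19:437]: SOURCEMGMT: Failed to resolve source
MSI (s) (B4:D0) [15:36:19:437]: MainEngineThread is returning 1612
'@ -split "`r?`n"

# Windows Installer message numbers that appear in this log.
$msiError = @{
    1314 = 'The specified path is unavailable'
    1402 = 'Could not open registry key'
    1706 = 'No valid source could be found for the product'
    2203 = 'Cannot open database (package) file'
}

function Get-MsiSourceTriage {
    param([string[]]$Line)
    foreach ($l in $Line) {
        if ($l -notmatch '^MSI \([cs]\) \([^)]+\) \[(?<time>[\d:]+)\]: (?<msg>.*)$') { continue }
        $time = $Matches.time
        switch -Regex ($Matches.msg) {
            '^SOURCEMGMT: (?<text>.*)$' {
                [pscustomobject]@{ Time = $time; Kind = 'Source'; Code = $null; Detail = $Matches.text }
            }
            '^Note: 1: (?<code>\d+) 2: (?<a2>.*?)(?: 3: (?<a3>.*))?$' {
                $code = [int]$Matches.code
                # Negative arguments are system error codes printed as signed decimals; show them as hex.
                $fields = @($Matches.a2, $Matches.a3) | Where-Object { $_ } | ForEach-Object {
                    if ($_ -match '^-\d+$') { '0x{0:X8}' -f [int]$_ } else { $_ }
                }
                [pscustomobject]@{ Time = $time; Kind = 'Note'; Code = $code; Detail = "$($msiError[$code]): $($fields -join ' | ')" }
            }
            '^MainEngineThread is returning (?<rc>\d+)$' {
                $rc = [int]$Matches.rc
                $meaning = if ($rc -eq 1612) { 'ERROR_INSTALL_SOURCE_ABSENT' } else { '' }
                [pscustomobject]@{ Time = $time; Kind = 'Result'; Code = $rc; Detail = $meaning }
            }
        }
    }
}

Get-MsiSourceTriage -Line $sample | Format-Table -AutoSize -Wrap
```

For a real log, pass `Get-Content` output for the file to `-Line`. The hex form makes system errors easier to look up: `-2147287037` is `0x80030003`, the structured-storage "path not found" code.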

  • Manual BRS system not picking the doc for clearing the payment

    While processing a manual bank statement, if I use the reference doc no., the system does not pick the doc no. for clearing the bank payment. So after finishing BRS I am matching the doc manually in F-04. This takes a long time to process. Can anyone tell me why the ref doc no. is not working and how to make it work, or whether there is any problem with using the field? Please solve my query.
    Edited by: MANISFICO1 on Aug 1, 2011 11:49 AM

    Hi:
           Please follow as given and hopefully you will be able to resolve the issue.
    1...Go to SPRO...Financial Accounting....Bank...Business transactions...Payment Transactions...Manual Bank Statement..Create a new transaction with sign - and do not assign anything in posting rule for now and enter 15 in Algorithm field , save.
    2...In define posting keys and posting rules...create an account symbol for the one you did in step 1..In Assign account to account symbol please use account symbol created earlier and acc mode + and currency should be + too. In GL Account area please list the outgoing GL which you are using for outgoing postings..
    In create key for posting rule define a posting rule and now go back to step 1 and assign the posting rule you created to the transaction type
    In define posting rules please maintain the posting rule as defined above...in posting area assign 1. Give nothing in the first posting key. Assign the account symbol as created earlier...now give posting key 50..give account credit Bank...and a suitable document you use for posting BRS...In posting type give 4.
    Your Manual Bank statement is ready ....
    Go to FS00 select your bank outgoing GL account there and in create/bank.interest tab double click on Field status group..in general data make assignment number mandatory for posting...
    Go to FB50....post an outgoing transaction using the GL given above. It will require you to enter an assignment number; enter 123 and post.
    In FF67 Select the new statement , proceed with your normal data entry and give the transaction you created in above , enter value date, amount and in bank ref field enter 123 as given in FB50.
    Save and post it. Now it should work.
    Regards

  • Deploying Java Certificates with Group Policy

    Migrating workstations from MSJVM to Sun Java JRE 1.4.2_08. In the past, with MSJVM enabled, certificate acceptance could be achieved through Group Policy. Now, with JRE enabled, certificates for secure sites and signed applets have to be accepted manually. How can I centrally manage these certificates for all of our workstations? Preferably using Group Policy.
    -Thanks

    > but I can not get it to display the installer screen so that users know
    > it is installing. It does display the screen when running the setup.exe
    > manually. I have a setting in the OCT that creates the registry setting
    > and that is working correctly. My group policy is set to run the
    > below bat file at startup in the Computer Configuration.
    Check http://gpsearch.azurewebsites.net/#2308 - if this is enabled, you
    will not be able to show "anything" in startup scripts...
    Martin

  • W7 client machine stuck on startup "Group Policy Files Policy"

    We have some W7 machines getting stuck on boot-up before Ctrl-Alt-Del. Once verbose messages were turned on for troubleshooting, we noticed they were stuck at "applying group policy files policy".
    We had let it wait for more than 60 minutes at a time and it would still be stuck (though mouse / keyboard were still responsive).
    This problem, however, is not reproducible on demand; if we power off the machine, it boots back up with no issues.
    Checking the Group Policy log, we didn't find anything weird, but we were not sure if that's the right place to look though.
    We do have two Group Policy Preferences pushing out hosts files as well as desktop shortcuts. Might that be the culprit?
    thanks!

    > we do have two group policy preferences pushing out host files as well
    > as desktop shortcuts, might that be the culprit?
    My recommendation: Use Group Policy Preferences as you like, but do NOT
    use the "Files" extension.
    Why? GP Processing at Boot/Logon is a synchronous foreground process
    that cannot be interrupted (as you are already experiencing ;-)).
    Replace GPP Files with a script that runs some robocopy commands. Start
    this script through a scheduled task at boot or logon, so that it can
    run asynchronously in the background, not disturbing the user experience.
    regards, Martin
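A sketch of the replacement suggested in the reply above, as an added example that is not the poster's own script: a PowerShell wrapper around robocopy, started by a boot-time scheduled task. The share paths, script location and task name are placeholders.

```powershell
# Sync-DeployFiles.ps1 (added example; share names and paths are placeholders)
$jobs = @(
    @{ Source = '\\fileserver.example.com\deploy\hosts';     Dest = "$env:SystemRoot\System32\drivers\etc"; Files = 'hosts' }
    @{ Source = '\\fileserver.example.com\deploy\shortcuts'; Dest = "$env:PUBLIC\Desktop";                   Files = '*.lnk' }
)
$logDir = Join-Path $env:ProgramData 'DeployCopy'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
$logArg = "/LOG+:$logDir\robocopy.log"

$failed = 0
foreach ($job in $jobs) {
    # /R and /W bound the retries. Robocopy's defaults (1,000,000 retries, 30 s apart)
    # would keep waiting on an unreachable share.
    robocopy $job.Source $job.Dest $job.Files /R:2 /W:5 /NP $logArg | Out-Null

    # Exit codes 0-7 are success variants; 8 and above mean at least one copy failed.
    if ($LASTEXITCODE -ge 8) {
        $failed++
        $entry = '{0} robocopy exit {1} for {2}' -f (Get-Date -Format s), $LASTEXITCODE, $job.Source
        Add-Content -Path "$logDir\errors.log" -Value $entry
    }
}
exit $failed

# One-time registration from an elevated prompt; runs the script as SYSTEM at every boot:
#   schtasks /Create /TN "DeployCopy" /SC ONSTART /RU SYSTEM /F /TR "powershell.exe -NoProfile -NonInteractive -File C:\Scripts\Sync-DeployFiles.ps1"
# The task runs as SYSTEM and overwrites the hosts file, so the script folder and the
# source share should be writable by administrators only; the share needs read access
# for the computer accounts.
```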

  • Enable auto update while deploying Reader 11 via group policy

    I would like to push the latest Adobe Reader 11 out via Group Policy. I have tried using the Adobe Customization Wizard but I am unable to set the installs to auto update. They default to download the update and prompt the user. I don't want the user to be prompted at all. I just want it to automatically update. Is there an easy way to deploy this?
    I would like it to be like Flash. You can deploy the mms.cfg file and it configures Flash to auto update.
    Thanks,
    Justin
