MBAM Group Policy Problems

I am trying to install and configure MBAM 2.0. I have installed all of the components on two separate servers. Server 1 has sccm 2012
integration and gpo policy templates. Server two has the rest. When I load Group Policy Management the templates do not appear. I have manually extracted and copied the templates in the local policy definitions and still nothing. Any ideas?

By default the Group Policy Management console will look for templates at a central SYSVOL location (a so called central store). Likely you have a PolicyDefinitions folder in
\\domain.com\sysvol\domain.com\Policies and then you need to add the MBAM ADMX and ADML files to that location to be able to see those settings when managing group policies. The reason for this is
that the central store has precedence over local group policy templates.
Blogging about Windows for IT pros at
www.theexperienceblog.com

Similar Messages

Wireless Group Policy Problem - Half the policy applying

Hi
I'm at a loss for where to investigate this one so I'm hoping for some suggestions.
We have a single GPO to send out settings for wireless access to our network. On the wireless we have two SSIDs as below.
1. Staff SSID
My manager wanted to reduce the security issues with this as much as possible, so I've generated a GUID for the SSID name, set it not to broadcast the SSID and set the group policy to show the network as "<company
name> Staff". It uses WPA2-Enterprise with RADUIS authentication to silently pass the authentication credentials of the currently logged on user providing SSO.
2. Guests SSID
This uses a preshared WPA2 key and provides guests with internet access and is blocked from the local LAN.
The GPO is applied in such a way that company laptops are have the Staff SSID displayed in the available connection list, they're allowed to connect to it (as long as they're in the appropriate AD group for RADIUS authentication) but they are blocked from
connecting their laptops to the Guests SSID. The important thing is that this single GPO controls both settings.
On a few laptops we have been noticing that the blocking of the Guests SSID is working fine, but the Staff SSID is failing to show. Its as if only half the policy is applying. This is happening to only a small number of laptops which reside in the same AD
OUs and it doesn't matter who logs on, the same problem occurs. The laptop is able to view all other wireless networks in the vicinity.
I have logged in to one as myself (with Domain Admin permissions) and I get this problem, but on other laptops, the policy applies completely allowing me to connect to the Staff SSID while blocking the Guests SSID, as it should.
I've run a RSOP against the laptop which shows that the policy is applying (confirmed by the fact that the Guests SSID is blocked) and the only problem I can find in the event logs are for the EapHost service with event ID of 2002. I've followed the advice
in a few forum posts below but have been unsucccessful (not even sure if it's related to the GPO issue).
http://www.eventid.net/display-eventid-2002-source-Microsoft-Windows-EapHost-eventno-10874-phase-1.htm
http://www.sevenforums.com/network-sharing/336450-event-id-2002-source-eaphost-eap-method-dll-path-name-failed.html
Any suggestion would be greatly appreciated.

Hi Daverino,
Since RSOP shows that the policy has been applied, it should not be a grouppolicy issue.
According yourdescription, it seems that the system of the laptop has been changedby the user data.
Could you please post the original information about event 2002? It is useful for further troubleshooting.
Best Regards.
Steven Lee
TechNet Community Support

Active-X update group policy problem

I am having problems distributing
install_flash_player_active_x.msi via a group policy in our MS AD.
I am familiar with creating GPOs. I used a GPO to distribute
Adobe Reader without any problems, but this active-X update will
not apply via a gpo. The error I get is: The install of application
Adobe Flash Player 9 ActiveX (2) from policy Adobe_Flash_Patch
failed. The error was : The installation source for this product is
not available. Verify that the source exists and that you can
access it.
I created an administration install and used the same shared
distribution folder as I did for Adobe Reader so I know that this
error is not due to permissions. Any help would be gratefully
appreciated.

> 9. The Database Security Editor appears. You need to add the user or
> group that you want the *Security* tab to be removed from.
What EXACT group was entered in your GPO there?
And if you want to revert, it is most probably NOT sufficient to simply
unlink the GPO, but you need to implement a second GPO that grants the
required read rights (aka "removes the deny entry")
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))

Bitlocker and MBAM Group Policy

I am in the process of setting up Bitlocker on all office computers, use an MBAM server to store the keys and to use group policy to manage it. I have setup a server with MBAM and installed MBAM client software on a test computer. But while configuring
group policy, I'm a little confused. Under Computer Configuration there are settings for both Bitlocker and MDOP MBAM and they are more or less the same. Which one do I use or do I use both?

Hi,
Please check out these links:
How to Edit MBAM 1.0 GPO Settings
http://technet.microsoft.com/en-us/library/jj571495.aspx
Planning for MBAM 1.0 Group Policy Requirements
http://technet.microsoft.com/en-us/library/jj571500.aspx
Tracy Cai
TechNet Community Support

Launch problem opening PSE 13 from a read only desktop applied by group policy

PSE 13 won't launch. What is different between opening PSE 13 and other programs? On a normal login it opens. Are there special requirements?

Hi,
Thanks for posting your issue in the forum.
Based on your description, I suspect that maybe Software Restriction Policy has been configured in the domain. At this time, I suggest we could try to collect the following information to narrow
down the cause of the issue.
GPMC.log
==================
a. On domain controller, click Start ->Run, type GPMC.MSC, it will load the GPMC console.
b. Right click on "Group Policy Result" and choose wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose computer and select the proper
user in the wizard)
c. Right click
the resulting group policy result and click the "Save Report…" => save report to save the report to a HTML file.
Once we get the report, please check if the Software Restriction Policy has been configured and applied to the problematic computers and users. If so, please disable the policy setting to see
if the issue persists.
In addition, please try to refer to the following articles for detailed information about Software Restriction Policy and how to troubleshoot Group Policy problems.
Software Restriction Policies
http://technet.microsoft.com/en-us/library/hh831534.aspx
Troubleshooting Group Policy Problems
http://technet.microsoft.com/en-us/library/cc787386(v=ws.10).aspx
Hope this helps.
Best Regards,
Andy Qi
TechNet Subscriber Support
If you are
TechNet Subscription user and have any feedback
on our support quality, please send your feedback here.
Andy Qi
TechNet Community Support

Group Policy Guru? Group Policy and Windows 7 erratic and inconsistant.

(*If you don't feel like reading everything, skip to the bottom two paragraphs for my questions)
I've had a premier call open with MS since August. This week I had a Microsoft Technician in-house. Though we eliminated some possibilities, we're not really closer to a cause or solution.
Every time we work with an expert, I get a different explanation to describe the situation we are viewing.
Quick summery of the issue: We've been using Group Policy to manage most Windows XP and 7 settings for years, but starting the middle of last year, we began having clients with machines where some or all group policies would fail to apply.
These could be long assigned policies, new polices, or changes to policies. It would never affect everyone or even a majority at once, and the resolution is never the same. Sometimes a GPUDPATE /FORCE sometimes fixed automajically the next day,
sometimes (but very rarely) longer.
Troubleshooting History:
What we found in early troubleshooting, that these machines, had errors in Event Viewer for Netlogon, Time-Sync, and Group Policy. The other issue we noticed, was that our GPRESULT /H reports were missing security groups and the denied section was
nothing but SSID's. The first issue pointed me to:
Event ID 5719 and event ID 1129 may be logged when a non-Microsoft DHCP Relay Agent is used
I installed these Hot Fixes. No change to any of the errors in event viewer, or to our Group Policy problems.
Initial work with Premier Support found that Netlogon, Time-Sync, and Group Policy, were failing before loading of the network stack. The suggestion was to apply the group policy setting "Always wait for the network at computer startup and
logon". At the time, this seemed not to work. The policy was set on a test bed of laptops and desktops, and no changes in behavior were seen after 3 days.
Windows 7 Clients intermittently fail to apply group policy at startup
For some time after this, we were collecting GPSVC and NetTrace logs for Premeir Support, trying to document and troubleshoot the problem. Eventually we got fed up and asked our TAM to call in a pro to get this resolved. We were sent an engineer
for 3 days. For three days we banged away on this issue. We verified AD and replication health, we tried numerous fixes and workarounds. I learned 3 different desriptions of how Group Policy works, and in the end we thought we had a workaround
using the "Always wait for the network at computer startup and logon" because of a single success late in the day. On day 3 we tried replicating this fix, and quickly realized that the same issue we were having preventing other GPOs to apply,
were also preventing our "fix" GPO from applying. So we went the route of using a registry entry. I also had a problem that even though it was making the process more consistant, it was still taking 3 reboots for a Computer Policy, assigned
to a computer object via Security Group, to fully take affect on a computer.
I used the registry methods in the above article. It didn't work, no sign it was having the same affect the GPO had had.
Our support engineer claimed this was the proper method, but that path wasn't even close in a Windows 7 SP1 registry, and after creating all the keys that were not present, it still didn't work.
Always wait for the network at computer startup and logon - AzureWeb
We ran out of time, our engineer returned home.
I can understand how these errors indicate a problem applying Group Policy at boot. But to me it doesn't explain why it doesn't correct post boot, and after a GPUDPATE /FORCE and a reboot.
It also doesn't explain why we were working fine for years, then all of a sudden DHCP is being outrun by background services. (By the way logging showed DHCP wasn't significantly delayed, out boot process was actually excellent, health wise.)
Why all of a sudden is this not behaving optimly? No changes to network design or function. No changes to the domain since 2008 R2 was installed in 2011.
Today I'm reading through all these KB's and articles again, and took some time to read:
[Forum FAQ] Common steps to start troubleshooting Group Policy
application and it's links below.
We ran though all of that before and during the 3-day onsite. It's not getting us any closer to the cause or a solution.
I found and begin some deep reading in this link today. It has some additional information I will try to use next week:
Group Policy Basics - Part 3: How Clients Process GPOs
The one unanswered question I have is this. How is group policy supposed to apply to a computer, when that policy is applied to a AD Security Group, in which the computer object is a member?
Before we began having this problem, we would assign a computer GPO, then ask the user to reboot. If it were a user GPO, we'd ask the user to log off, or reboot. Either way, if we allowed a few minutes for AD and FRS replication, the user would
log back in with that new policy in affect. A new imaged machine would boot with all the GPO's linked to that domain and assigned to "Authenticated Users", already in affect. Admin groups would be present in administrators, proxy settings
would be set in Internet Explorer, etc.
Now I'm aked to beleive this was never the case from Premeier Support and Microsoft Engineers. That those policies require the equilent of a "GPUPDATE /FORCE" that was executed by the Local_System account. That 3 reboots may
be nessessary for a group policy to be applied. One for the AD Security Group to be applied. One for the Computer Policy to be applied. And a final one for the policy in the GPO to be applied to Windows.
Can someone confirm or correct this information please? It's imperitive to my troubleshootng.
There's no place like 127.0.0.1

That key is empty on all of my machines I have checked today. Working and problematic alike.
GPRESULT logs, when ran as me, historically would show the group polices applied, denied, and the AD group membership all by name. About 6 months ago I noticed this changed.
Now they show the applied GPO's by name, a few of the denied GPO's by name, most by SID, and only 2 to 3 AD groups, though PowerShell shows all the AD groups assigned. This happens after several AD security and distribution groups are added to the
machine (Radia software distribution uses Dist groups to assign software).
A check showed no groups with long legacy Kerberos keys.
When we make a change to AD Security Group membership, to assign or deny a Group Policy, is usually when we encounter this problem. It will usually fix itself in 24 hours of the machine being left up and running. But no amount of GPUPDATE /FORCE
and rebooting will cause the changes to take affect.
During this time, the Group Policies will show assigned to the computer in the GPRESULT log.
Yesterday I began looking into Spanning Tree configuration on our network being a possible cause for the boot up issues. I'm waiting on responses from our Network group to confirm our configuration.
There's no place like 127.0.0.1

Group Policy processing failure on 2008 when MIX Domain 2003 with DC 2008

Dear I try to add additional Windows 2008 Domain to My Domain controller 2003 and I ma Receiving Group policy error in DC 2008 With Event ID 1055
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
<EventID>1055</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2014-03-06T14:36:44.411955300Z" />
<EventRecordID>3859</EventRecordID>
<Correlation ActivityID="{28DAD258-26D0-4C1E-A4B7-F37DEE04C8F1}" />
<Execution ProcessID="952" ThreadID="3276" />
<Channel>System</Channel>
<Computer>PRIMARYDC.Qtit.com</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="SupportInfo1">1</Data>
<Data Name="SupportInfo2">1632</Data>
<Data Name="ProcessingMode">0</Data>
<Data Name="ProcessingTimeInMilliseconds">1578</Data>
<Data Name="ErrorCode">5</Data>
<Data Name="ErrorDescription">Access is denied.</Data>
</EventData>
</Event>
I install See KB939820 for a hotfix applicable to Microsoft DC 2003 regrading to he KRBTGT account
Refer Url : http://support.microsoft.com/kb/939820
I run dcdiag /v on and repadmin /showrepl at DC 2008
the dcdiag /v result
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine PRIMARYDC, is a Directory Server.
Home Server = PRIMARYDC
* Connecting to directory service on server PRIMARYDC.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=Qtit,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=Qtit,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=SECONDAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=PRIMARYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\PRIMARYDC
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... PRIMARYDC passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\PRIMARYDC
Starting test: Advertising
The DC PRIMARYDC is advertising itself as a DC and having a DS.
The DC PRIMARYDC is advertising as an LDAP server
The DC PRIMARYDC is advertising as having a writeable directory
The DC PRIMARYDC is advertising as a Key Distribution Center
The DC PRIMARYDC is advertising as a time server
The DS PRIMARYDC is advertising as a GC.
......................... PRIMARYDC passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
A warning event occurred. EventID: 0x800034C8
Time Generated: 03/06/2014 10:18:56
Event String:
The File Replication Service has detected an enabled disk write cache on the drive containing the directory c:\windows\ntfrs\jet on the computer PRIMARYDC. The File Replication Service might not recover when power to
the drive is interrupted and critical updates are lost.
A warning event occurred. EventID: 0x800034C8
Time Generated: 03/06/2014 10:53:21
Event String:
The File Replication Service has detected an enabled disk write cache on the drive containing the directory c:\windows\ntfrs\jet on the computer PRIMARYDC. The File Replication Service might not recover when power to
the drive is interrupted and critical updates are lost.
......................... PRIMARYDC passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
Skip the test because the server is running FRS.
......................... PRIMARYDC passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... PRIMARYDC passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... PRIMARYDC passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=SECONDAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com
Role Domain Owner = CN=NTDS Settings,CN=SECONDAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com
Role PDC Owner = CN=NTDS Settings,CN=SECONDAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com
Role Rid Owner = CN=NTDS Settings,CN=SECONDAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com
Role Infrastructure Update Owner = CN=NTDS Settings,CN=SECONDAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com
......................... PRIMARYDC passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC PRIMARYDC on DC PRIMARYDC.
* SPN found :LDAP/PRIMARYDC.Qtit.com/Qtit.com
* SPN found :LDAP/PRIMARYDC.Qtit.com
* SPN found :LDAP/PRIMARYDC
* SPN found :LDAP/PRIMARYDC.Qtit.com/QTIT
* SPN found :LDAP/e3d8c76c-1b59-4de6-9f7f-c438df9a2863._msdcs.Qtit.com
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/e3d8c76c-1b59-4de6-9f7f-c438df9a2863/Qtit.com
* SPN found :HOST/PRIMARYDC.Qtit.com/Qtit.com
* SPN found :HOST/PRIMARYDC.Qtit.com
* SPN found :HOST/PRIMARYDC
* SPN found :HOST/PRIMARYDC.Qtit.com/QTIT
* SPN found :GC/PRIMARYDC.Qtit.com/Qtit.com
......................... PRIMARYDC passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC PRIMARYDC.
The forest is not ready for RODC. Will skip checking ERODC ACEs.
* Security Permissions Check for
DC=ForestDnsZones,DC=Qtit,DC=com
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=Qtit,DC=com
* Security Permissions Check for
DC=DomainDnsZones,DC=Qtit,DC=com
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=Qtit,DC=com
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=Qtit,DC=com
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=Qtit,DC=com
(Configuration,Version 3)
* Security Permissions Check for
DC=Qtit,DC=com
(Domain,Version 3)
......................... PRIMARYDC failed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\PRIMARYDC\netlogon
Verified share \\PRIMARYDC\sysvol
......................... PRIMARYDC passed test NetLogons
Starting test: ObjectsReplicated
PRIMARYDC is in domain DC=Qtit,DC=com
Checking for CN=PRIMARYDC,OU=Domain Controllers,DC=Qtit,DC=com in domain DC=Qtit,DC=com on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=PRIMARYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com in domain CN=Configuration,DC=Qtit,DC=com on 1 servers
Object is up-to-date on all servers.
......................... PRIMARYDC passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=Qtit,DC=com
Latency information for 18 entries in the vector were ignored.
18 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=Qtit,DC=com
Latency information for 18 entries in the vector were ignored.
18 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=Qtit,DC=com
Latency information for 20 entries in the vector were ignored.
20 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=Qtit,DC=com
Latency information for 20 entries in the vector were ignored.
20 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=Qtit,DC=com
Latency information for 20 entries in the vector were ignored.
20 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
......................... PRIMARYDC passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 14607 to 1073741823
* SecondAD.Qtit.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 14107 to 14606
* rIDPreviousAllocationPool is 14107 to 14606
* rIDNextRID: 14124
......................... PRIMARYDC passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... PRIMARYDC passed test Services
Starting test: SystemLog
* The System Event log test
A warning event occurred. EventID: 0x0000A001
Time Generated: 03/06/2014 16:04:05
Event String:
The Security System could not establish a secured connection with the server ldap/PRIMARYDC.Qtit.com/[email protected]. No authentication protocol was available.
An error event occurred. EventID: 0x0000041F
Time Generated: 03/06/2014 16:06:35
Event String:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
An error event occurred. EventID: 0x0000041F
Time Generated: 03/06/2014 16:11:36
Event String:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
An error event occurred. EventID: 0x0000041F
Time Generated: 03/06/2014 16:16:38
Event String:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
An error event occurred. EventID: 0x0000041F
Time Generated: 03/06/2014 16:21:39
Event String:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
An error event occurred. EventID: 0x0000041F
Time Generated: 03/06/2014 16:26:41
Event String:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
An error event occurred. EventID: 0x00000457
Time Generated: 03/06/2014 16:30:46
Event String:
Driver TOSHIBA e-STUDIO16/20/25 PCL 6 required for printer TOSHIBA e-STUDIO16/20/25 PCL 6 is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 03/06/2014 16:30:48
Event String:
Driver Microsoft XPS Document Writer v4 required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 03/06/2014 16:30:49
Event String:
Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 03/06/2014 16:31:14
Event String:
Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 03/06/2014 16:31:16
Event String:
Driver Microsoft XPS Document Writer v4 required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 03/06/2014 16:31:16
Event String:
Driver WebEx Document Loader required for printer WebEx Document Loader is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x0000041F
Time Generated: 03/06/2014 16:31:42
Event String:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
......................... PRIMARYDC failed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference)
CN=PRIMARYDC,OU=Domain Controllers,DC=Qtit,DC=com and backlink on
CN=PRIMARYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com
are correct.
The system object reference (serverReferenceBL)
CN=PRIMARYDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=Qtit,DC=com
and backlink on
CN=NTDS Settings,CN=PRIMARYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com
are correct.
The system object reference (frsComputerReferenceBL)
CN=PRIMARYDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=Qtit,DC=com
and backlink on CN=PRIMARYDC,OU=Domain Controllers,DC=Qtit,DC=com are
correct.
......................... PRIMARYDC passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : Qtit
Starting test: CheckSDRefDom
......................... Qtit passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Qtit passed test CrossRefValidation
Running enterprise tests on : Qtit.com
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\PRIMARYDC.Qtit.com
Locator Flags: 0xe00031fc
PDC Name: \\SecondAD.Qtit.com
Locator Flags: 0xe00001bd
Time Server Name: \\PRIMARYDC.Qtit.com
Locator Flags: 0xe00031fc
Preferred Time Server Name: \\PRIMARYDC.Qtit.com
Locator Flags: 0xe00031fc
KDC Name: \\PRIMARYDC.Qtit.com
Locator Flags: 0xe00031fc
......................... Qtit.com passed test LocatorCheck
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... Qtit.com passed test Intersite
repadmin /showrepl Result
******************************8
==== INBOUND NEIGHBORS ===================================
DC=Qtit,DC=com
Default-First-Site-Name\SECONDAD via RPC
DSA object GUID: c5ef6e17-77f0-43f6-8d39-5497c563f
Last attempt @ 2014-03-06 16:41:04 was successful.
CN=Configuration,DC=Qtit,DC=com
Default-First-Site-Name\SECONDAD via RPC
DSA object GUID: c5ef6e17-77f0-43f6-8d39-5497c563f
Last attempt @ 2014-03-06 16:41:39 was successful.
CN=Schema,CN=Configuration,DC=Qtit,DC=com
Default-First-Site-Name\SECONDAD via RPC
DSA object GUID: c5ef6e17-77f0-43f6-8d39-5497c563f
Last attempt @ 2014-03-06 15:53:01 was successful.
DC=DomainDnsZones,DC=Qtit,DC=com
Default-First-Site-Name\SECONDAD via RPC
DSA object GUID: c5ef6e17-77f0-43f6-8d39-5497c563f
Last attempt @ 2014-03-06 16:27:31 was successful.
DC=ForestDnsZones,DC=Qtit,DC=com
Default-First-Site-Name\SECONDAD via RPC
DSA object GUID: c5ef6e17-77f0-43f6-8d39-5497c563f
Last attempt @ 2014-03-06 15:53:01 was successful.
I try to down the DC 2003 and access \\Qtit.com it success open the syslog on DC 2008
Any help or advice

Hi,
Were there other error codes logged in Event Viewer?
Regarding Event ID 1055, the following article can be referred to for troubleshooting.
Event ID 1055 — Group Policy Preprocessing (Security)
http://technet.microsoft.com/en-us/library/cc727272(v=ws.10).aspx
Based on the report you posted, this issue may be related to FRS replication service. As a result, we can use ntfrsutl tool to check whether the replication service is healthy.
Regarding this point, the following articles can be referred to for more information.
Troubleshooting File Replication Service
http://technet.microsoft.com/en-us/library/bb727056.aspx
Ntfrsutl
http://technet.microsoft.com/en-us/library/hh875636.aspx
In addition, we can also try doing a non-authoritative Sysvol restore on Windows Server 2008 DC to see whether the issue persists.
Using the BurFlags registry key to reinitialize File Replication Service replica sets
http://support.microsoft.com/kb/290762/en-us
Hope it helps.
Best regards,
Frank Shen

"This program is blocked by group policy"

Hi all.
I have searched Google a fair bit on this but shockingly I just can't find an actual answer. The Group Policy forum is where I should have started rather than finally come to :)
I am no genius with GP, I use it in the most basic ways in very small orgs. My users appear to all have the same problem, when they insert a removable media device that has software on it that might run or autorun, I get the "This program
is blocked by group policy, contact your admin" message. I don't believe this ccurs with removable media just as just plain USB storage sticks. So far the two examples I know of are for an Internet providers USB broadband mobility stick, and
another user that is using some Kodak products (SD card, camera, and even the Kodak CD I think).
Environment is 2008 R2, Win7 Pro workstations, all users are local admin on their machine. All users are in the default Users container, and all computers are in the Computer container. To my recollection I have never set a GPO that would directly
or indirectly cause all users problems like this. The only thing that has had indirect consequences that I know of in the past, was because we use many of the options available under Folder Redirection, including redirecting the Desktop. In some
cases, when a user has tried to launch an exe or what not that was on the desktop, it failed because it's trying to launch in truth on their user folder on the server, not really on the Windows Desktop. I'm not sure if that might impact my current problem.
To start, where can I go to actually check GPO's for this? Is this the Software Restriction Policy? If so, which one governs, the one in User Configuration or Copmputer Configuration? In both cases I went to GPMC and under both, it would
say I had to go to the Actions menu to create a New Software Restriction policy. I did so (just picking the item in the Actions menu), and the resutlt was some choices under the actual GPO now, none of which I've yet configured.
So, I need to torublesahoot this ut also to know where such a thing causing this error message would be set under normal circumstances. Also, could antivirus cause this? I can't see the error saying "group policy" if it did though.
Thank you very much.

Hi,
Thanks for posting your issue in the forum.
Based on your description, I suspect that maybe Software Restriction Policy has been configured in the domain. At this time, I suggest we could try to collect the following information to narrow
down the cause of the issue.
GPMC.log
==================
a. On domain controller, click Start ->Run, type GPMC.MSC, it will load the GPMC console.
b. Right click on "Group Policy Result" and choose wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose computer and select the proper
user in the wizard)
c. Right click
the resulting group policy result and click the "Save Report…" => save report to save the report to a HTML file.
Once we get the report, please check if the Software Restriction Policy has been configured and applied to the problematic computers and users. If so, please disable the policy setting to see
if the issue persists.
In addition, please try to refer to the following articles for detailed information about Software Restriction Policy and how to troubleshoot Group Policy problems.
Software Restriction Policies
http://technet.microsoft.com/en-us/library/hh831534.aspx
Troubleshooting Group Policy Problems
http://technet.microsoft.com/en-us/library/cc787386(v=ws.10).aspx
Hope this helps.
Best Regards,
Andy Qi
TechNet Subscriber Support
If you are
TechNet Subscription user and have any feedback
on our support quality, please send your feedback here.
Andy Qi
TechNet Community Support

Group Policy Msi status Log

Hi
I am embedded developer. i don't have any knowledge about group policy and active directory. I need help ...please
we are launching msi , from group policy method for all client machine. (that Msi contains silent mode application, application run when msi launch).
My Question is:
1.How to i know msi launched successfully in all client machine. if msi could failed in any other client machine, how to i know?
2. Any other log will be created in server machine? if yes, How to i see that?
3. From server, How to i know my application launched successfully in client machine? I wont check all client machine one by one?
Ranjith

Hi Ran_619,
According to my description, you would like to know how to check if the msi was installed sucessfully from the server. Right?
Based on my knowledge, there are no related logs which can record the result of Windows Installer. You can enable enable software installation logging on the client computer to help you troubleshoot issues that may occur when you install software packages:
Log on to the administration computer as the administrator.
Click Start, Run, and then run Regedit to add the following registry value (or modify it, if the value already exists):
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
Enter the following:
     Value: AppmgmtDebugLevel
    Value Type: REG_DWORD
    Value Data: 9B (Hexadecimal)
For your information, please refer to the following artilces to lget more help:
Enable Logging for Software Installation Client Side Extension
How to Enable Microsoft Installer logging and Verbose logging to gather additional troubleshooting Information
Fixing Group Policy problems by using log files
Regards,
Lany Zhang

Group Policy Oddity

Howdy Folks
I have configured a group policy object to install Acrobat Reader X on my domain, but I'm seeing a strange problem.
One a single machine, Reader doesn't install itself, and requires manual installation. When the system is restarted, the program is uninstalled automatically and the whole process begins again. Every other machine in the organisation is okay.
Has anyone seen anything like this before, and have any recommendations for me?

Hi,
Thanks for posting your issue in the forum.
Based on your description, I suspect that maybe Software Restriction Policy has been configured in the domain. At this time, I suggest we could try to collect the following information to narrow
down the cause of the issue.
GPMC.log
==================
a. On domain controller, click Start ->Run, type GPMC.MSC, it will load the GPMC console.
b. Right click on "Group Policy Result" and choose wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose computer and select
the proper user in the wizard)
c. Right click
the resulting group policy result and click the "Save Report…" => save report to save the report to a HTML file.
Once we get the report, please check if the Software Restriction Policy has been configured and applied to the problematic computers and users. If so, please disable the policy setting to see
if the issue persists.
In addition, please try to refer to the following articles for detailed information about Software Restriction Policy and how to troubleshoot Group Policy problems.
Software Restriction Policies
http://technet.microsoft.com/en-us/library/hh831534.aspx
Troubleshooting Group Policy Problems
http://technet.microsoft.com/en-us/library/cc787386(v=ws.10).aspx
Hope this helps.
Best Regards,
Elaine
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

Having problem with svchost.exe/ntdll.dll errors causing GPSVC (Group Policy Client) to crash preventing users from logging into the server.

Recently (within the past 2 weeks) I have noticed a few of our servers will have problems with the svchost.exe application causing the GPSVC (Group Policy Client) to crash. The only fix at that point is to reboot the server since the GPSVC service is tied
to svchost.exe and therefore is protected from being manually restarted.
I noticed the following errors when this occurs:
Log Name: Application
Source: Application Error
Date: 7/23/2013 4:35:26 AM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: Server1.xxx.xxx.net
Description:
Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
Exception code: 0xc0000024
Fault offset: 0x00000000000cd7d8
Faulting process id: 0x46c
Faulting application start time: 0x01ce877f9476ac07
Faulting application path: C:\Windows\system32\svchost.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: d252d26d-f372-11e2-8ad4-005056ac00e8
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-07-23T08:35:26.000000000Z" />
<EventRecordID>158950</EventRecordID>
<Channel>Application</Channel>
<Computer>AAW19XM2.agency.nwie.net</Computer>
<Security />
</System>
<EventData>
<Data>svchost.exe</Data>
<Data>6.1.7600.16385</Data>
<Data>4a5bc3c1</Data>
<Data>ntdll.dll</Data>
<Data>6.1.7601.17725</Data>
<Data>4ec4aa8e</Data>
<Data>c0000024</Data>
<Data>00000000000cd7d8</Data>
<Data>46c</Data>
<Data>01ce877f9476ac07</Data>
<Data>C:\Windows\system32\svchost.exe</Data>
<Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
<Data>d252d26d-f372-11e2-8ad4-005056ac00e8</Data>
</EventData>
</Event>
All of our servers are running Server 2008 R2 Enterprise where we use Citrix to deliver desktop sessions to our users, but some are virtual and some are physical. This seemingly impacts our virtual machines more, and our VMs are hosted through VMWare, however,
about 5 months ago a similar error fired on a non-virtual machine:
Log Name: Application
Source: Application Error
Date: 2/27/2013 6:57:58 AM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: AAW29033
Description:
Faulting application name: svchost.exe_gpsvc, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
Exception code: 0xc0000024
Fault offset: 0x00000000000cd7d8
Faulting process id: 0x6c0
Faulting application start time: 0x01ce14e1af313fd9
Faulting application path: C:\Windows\system32\svchost.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: ed3d01c4-80d4-11e2-9128-b499baa9e5e8
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-02-27T11:57:58.000000000Z" />
<EventRecordID>286291</EventRecordID>
<Channel>Application</Channel>
<Computer>AAW29033</Computer>
<Security />
</System>
<EventData>
<Data>svchost.exe_gpsvc</Data>
<Data>6.1.7600.16385</Data>
<Data>4a5bc3c1</Data>
<Data>ntdll.dll</Data>
<Data>6.1.7601.17725</Data>
<Data>4ec4aa8e</Data>
<Data>c0000024</Data>
<Data>00000000000cd7d8</Data>
<Data>6c0</Data>
<Data>01ce14e1af313fd9</Data>
<Data>C:\Windows\system32\svchost.exe</Data>
<Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
<Data>ed3d01c4-80d4-11e2-9128-b499baa9e5e8</Data>
</EventData>
</Event>
I've searched and cannot seem to find any information as to what may be causing this, or even really where to start. Would someone be able to help me identify what might be causing this event, specific with the Exception code: 0xc0000024, which causes
the Group Policy Client service to stop?

You still out there looking at things? If so I have an update. The issue hasn't stopped, even though it did seemingly die down for awhile, however, it is now back with a vengeance.
I am able to force it to happen by killing the svchost process that is hosting GPSVC. If I run gpupdate /force, then logout/login it does get GPSVC running again. Furthermore, if I simply start svchost again via the Task Manager GPSVC starts running again.
When I access the server remotely with KVM it acts just like it does as if I'm logging into it via Citrix/RDP which for Admin IDs gives an error saying "Failed to connect to a windows service. Windows could not connect to the Group Policy Client service...",
however, normal user accounts just get a message when logging into the server "The Group Policy Client Service Failed the Logon. Access is denied."
I haven't opened a case with Microsoft yet, but we about ready to because of the increase in these errors.
If you have any further suggestions that would be great, otherwise I'll provide an update once I get word back from Microsoft.
**EDIT -- apparently I mistook the the server's SCM's actions as my own. I was able to successfully crash the GPSVC service by killing the hosting svchost process, however, after I crashed it and let it sit crashed for awhile when I attempted
to restart either by starting a svchost task, or running gpupdate /force it failed. Either that, or there is a timing issue where if we don't restart the svchost process, or run gpupdate /force quickly enough it won't be able to recover without a reboot.

Group Policy upgrade to SP2 problem

Hi guys,
We are having the following issue. We have upgraded our XP group policy to SP2. Now each time users login, the first thing they see is a 'restrictions' window saying "this operation has been canceled due to restrictions in effect on this computer."
I wonder how I can figure out which group policy setting is causing this? The same policy worked when the policy was an SP1 policy, but once updated to SP2 it will give that error message. Thank you.

Jakub,
It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
- Check all of the other support tools and options available at http://support.novell.com in both the "free product support" and "paid product support" drop down boxes.
- You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://support.novell.com/forums)
If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/

Fireworks 8 Installation Problem via Group Policy

Hi,
We are trying deploy Studio 8 across our site using the
provided MSI's and Group Policy following this guide -
http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=332882
I have created the mst files for all products and set them to
be deployed by group policy. Dreamweaver, Flash, Contribute, Flash
Video Encoder and Flash Extensions Manager all install fine however
Fireworks will not, looking in the event log it doesn't even
attempt to install. All folders have the same permissions, the MSI
& MSTs are all part of the same Group Policy Object using the
"Software Installation" method with the same permissions.
Fireworks will install using MSIEXEC from the command line so
the package and mst are fine.
Has anyone else come across this problem?
Thanks
Matt

We are having the same issue here at our NSW High School. I
have traced the problem to be that Fireworks wants to deploy in
Chinese (instead of English) and because of this it will not
install. I am looking for a way to convert the msi file to an mst
so I can choose English as the default install language.
Hope this info is useful

Windows 8.1 mandatory profile Group Policy printer problems

We're a school district that is using mandatory profiles for the students. We use both Win 7 and Win 8.1 on the workstations. We're having a problem with group policy printer deployment on just the Windows 8 Workstations. I've tried using both the deployment
method in policies and the Preferences with Item level targeting and on the windows 8 ones its always intermittent. Sometimes you login and get the printers or some of them and sometimes not. Other times if you log out and back on etc. I've been troubleshooting
this for a week and have found with Win 7 it seems to always work but on our Win 8.1 ones about 50/50. The error in the Event log for that printer is this.
Group Policy Object did not apply because it failed with error code '0x80070057 The parameter is incorrect.' This error was suppressed.
What I've found that if I create a test account that does not use the mandatory profile the printers always map. Even on Windows 8.1. So far thats the only commonality. Can anyone tel me what I can look at with this. If they never worked that would be an
easier problem but its not consistent.
Thanks
Jason

Hi Jason, Did you ever find a fix for this as we are having exactly the same problem only with windows 8.1 computers using mandatory profiles and it's driving me mad. Any help would be much appreciated Thanks Dan

Flash 10 msi problems through Group Policy

Here's the problem:
We've signed up to Adobe to get there official corporate Flash and Shockwave msi's for network distribution. They have been set in Group Policy and sent down to our machines. It says its installing and when you check add\remove programs both are installed. Some flash\shockwave sites are fine others say that flash 10 is not installed 'do we want to update' or we get this message "can't verify publisher.. swflash.cab". If logged on as an administrator we can run the update and all is fine, this however defeats the purpose of the GP distribution.
When the msi's are run manually on a machine they work perfectly, so the problem exists while being sent through Group Policy. The clients\PC's are running XP and are fresh builds (there are no older versions of Flash on them).
I've looked online for similar cases, but nothing. Has anyone else encountered this issue? or have any ideas why the install will not fully go down?

Don't worry, I've sorted it.
An ex employee had created a package with flash 8 installing alongside\inside another one (totally unrelated to what should have been going down). Which meant the flash 10 was getting overwritten. It's been removed, and everything works fine.
Bye.

MBAM Group Policy Problems

Similar Messages

Maybe you are looking for