Servers take an endless time at applying group policy settings
We have some Windows 2008R2 RDS servers that have been given a sysprepped image. After a few days in production, and several nightly reboots, the servers start to hang at applying group policy settings. I have created a gpsvc.log file. What can be wrong with these servers?
When I reboot the server without a network connection, the reboot time is fine. The user login still takes forever.
GPSVC(fc.4ec) 08:38:21:227 MachinePolicyCallback: Setting status UI to Beleid Group Policy Services toepassen...
GPSVC(fc.4ec) 08:38:21:227 ProcessGPOList: No changes. CSE will not be passed in the IwbemServices intf ptr
GPSVC(fc.1a4) 08:38:21:227 Message Status = <Beleid Group Policy Services toepassen...>
GPSVC(fc.1a4) 08:38:21:227 Setting GPsession state = 1
GPSVC(fc.5b4) 08:38:21:820 ProcessGroupPolicyCompletedExInternal: Entering. Extension = {827D319E-6EAC-11D2-A4EA-00C04F79F83A}, dwStatus = 0x0
GPSVC(fc.5b4) 08:38:21:867 GetWbemServices: CoCreateInstance succeeded
GPSVC(fc.4ec) 08:38:22:475 ProcessGroupPolicyCompletedExInternal: Entering. Extension = {91FBB303-0CD5-4055-BF42-E512A681B325}, dwStatus = 0x0
GPSVC(fc.4ec) 08:38:22:491 GetWbemServices: CoCreateInstance succeeded
GPSVC(5dc.5e0) 08:38:24:285 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x2a0
GPSVC(5dc.5e0) 08:38:24:285 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1b0) 08:38:24:285 Target = Machine
GPSVC(5dc.5e0) 08:38:24:285 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(5dc.5e0) 08:38:24:285 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(fc.1b0) 08:38:24:285 Target = Machine, ChangeNumber 0
GPSVC(5dc.5e0) 08:38:24:285 CGPNotify::RegisterForNotification: Entering with target S-1-5-18 and event 0x3d4
GPSVC(5dc.5e0) 08:38:24:285 Client_InitialRegisterForNotification: User = S-1-5-18, changenumber = 0
GPSVC(fc.1b0) 08:38:24:285 Target = S-1-5-18
GPSVC(fc.1b0) 08:38:24:285 Could not find user by sid, finding user by session id
GPSVC(fc.1b0) 08:38:24:285 Caller requesting for user notification/lock is from session 0
GPSVC(5dc.5e0) 08:38:24:285 Client_RegisterForNotification: User = S-1-5-18, changenumber = 0
GPSVC(5dc.5e0) 08:38:24:285 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(fc.1b0) 08:38:24:285 Could not find user by sid, finding user by session id
GPSVC(fc.1b0) 08:38:24:285 Caller requesting for user notification/lock is from session 0
GPSVC(62c.64c) 08:38:25:330 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x1d4
GPSVC(62c.64c) 08:38:25:330 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1b0) 08:38:25:330 Target = Machine
GPSVC(62c.64c) 08:38:25:330 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(62c.64c) 08:38:25:330 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(298.2c0) 08:38:28:310 CGPNotify::RegisterForNotification: Entering with target Machine and event 0xab0
GPSVC(298.2c0) 08:38:28:310 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1b0) 08:38:28:310 Target = Machine
GPSVC(298.2c0) 08:38:28:310 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(298.2c0) 08:38:28:310 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(fc.1b0) 08:38:28:310 Target = Machine, ChangeNumber 0
GPSVC(fc.7c0) 08:38:39:401 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x93c
GPSVC(fc.7c0) 08:38:39:401 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.95c) 08:38:39:401 Target = Machine
GPSVC(fc.7c0) 08:38:39:401 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.7c0) 08:38:39:401 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(fc.95c) 08:38:39:401 Target = Machine, ChangeNumber 0
GPSVC(53c.580) 08:40:20:755 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x608
GPSVC(53c.580) 08:40:20:755 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1c4) 08:40:20:755 Target = Machine
GPSVC(53c.580) 08:40:20:755 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(53c.580) 08:40:20:755 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(53c.580) 08:40:21:098 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x64c
GPSVC(53c.580) 08:40:21:098 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1c4) 08:40:21:113 Target = Machine
GPSVC(53c.580) 08:40:21:113 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(53c.580) 08:40:21:113 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(53c.564) 08:40:21:238 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x67c
GPSVC(53c.564) 08:40:21:238 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1c4) 08:40:21:238 Target = Machine
GPSVC(53c.564) 08:40:21:238 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(53c.564) 08:40:21:238 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(200.f6c) 08:41:11:501 CGPNotify::RegisterForNotification: Entering with target Machine and event 0x350
GPSVC(200.f6c) 08:41:11:501 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1c4) 08:41:11:501 Target = Machine
GPSVC(200.f6c) 08:41:11:501 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(200.f6c) 08:41:11:501 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(fc.1c4) 08:41:11:891 Target = Machine
GPSVC(fc.1c4) 08:41:11:891 Target = Machine, ChangeNumber 0
GPSVC(fc.7d0) 08:41:11:985 Target = Machine
GPSVC(fc.7d0) 08:41:11:985 Target = Machine, ChangeNumber 0
GPSVC(fc.7d0) 08:41:11:985 Sid = (null), dwTimeout = 600000, dwFlags = 268435456
GPSVC(fc.7d0) 08:41:11:985 LockPolicySection called for user <Machine>
GPSVC(fc.7d0) 08:41:11:985 Async Lock called
GPSVC(fc.7d0) 08:41:11:985 Reader has to wait for lock. ReaderID : 1.
GPSVC(fc.7d0) 08:41:11:985 Registering wait for lock notification
GPSVC(fc.9d8) 08:41:13:015 CGPNotify::RegisterForNotification: Entering with target Machine and event 0xcbc
GPSVC(fc.9d8) 08:41:13:015 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.7d0) 08:41:13:015 Target = Machine
GPSVC(fc.9d8) 08:41:13:015 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.9d8) 08:41:13:015 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(fc.9d8) 08:41:13:015 CGPNotify::RegisterForNotification: Entering with target Machine and event 0xd24
GPSVC(fc.9d8) 08:41:13:015 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.7d0) 08:41:13:015 Target = Machine
GPSVC(fc.9d8) 08:41:13:015 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.9d8) 08:41:13:015 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(200.1060) 08:43:10:223 CGPNotify::UnregisterNotification: Entering with event 0x350
GPSVC(200.1060) 08:43:10:223 CGPNotify::AbortAsyncRegistration: No asyn registration is pending
GPSVC(200.1060) 08:43:10:223 CGPNotify::UnregisterNotification: Canceling pending calls
GPSVC(200.1060) 08:43:10:223 Client_CompleteNotificationCall: failed with 0x71a
GPSVC(200.1060) 08:43:10:223 CGPNotify::UnregisterNotification: Cancelled pending calls
GPSVC(200.1060) 08:43:10:223 CGPNotify::UnregisterNotification: Exiting with dwStatus = 0x0
GPSVC(fc.1054) 08:43:16:252 Target = Machine
GPSVC(fc.1054) 08:43:16:252 Target = Machine, ChangeNumber 0
GPSVC(fc.1138) 08:43:24:188 CGPNotify::RegisterForNotification: Entering with target Machine and event 0xeac
GPSVC(fc.1138) 08:43:24:188 Client_InitialRegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.7d0) 08:43:24:188 Target = Machine
GPSVC(fc.1138) 08:43:24:188 Client_RegisterForNotification: User = machine, changenumber = 0
GPSVC(fc.1138) 08:43:24:188 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(fc.1054) 08:43:29:418 Target = Machine
GPSVC(fc.1054) 08:43:29:418 Target = Machine, ChangeNumber 0
GPSVC(fc.1054) 08:43:50:304 Target = Machine
GPSVC(fc.1054) 08:43:50:304 Target = Machine, ChangeNumber 0
GPSVC(fc.1374) 08:51:06:327 Found the Waiting Rpc Reader in the waiting list. Removing it...
GPSVC(fc.1374) 08:51:06:327 Lock timeout
Gert MCITP SA, EA & VA
Hi,
From the log you submitted, I found the following errors:
GPSVC(f0.13fc) 03:00:18:665 Client_CompleteNotificationCall: failed with 0x525
GPSVC(2f0.baf4) 03:00:18:665 CGPNotify::OnNotificationTriggered: Completenotification failed with 1317
GPSVC(518.e980) 03:00:18:665 Client_CompleteNotificationCall: failed with 0x6ba
GPSVC(f0.13fc) 03:00:18:665 CGPNotify::OnNotificationTriggered: Trying to recover from error 1722
GPSVC(518.e980) 03:00:18:665 CGPNotify::RegisterNotificationAsynchronously: Starting async registration
GPSVC(3b8.3e0) 03:04:19:034 Client_RegisterForNotification: CheckRegisterForNotification returned error 0x6d9
GPSVC(3b8.3e0) 03:04:19:034 CGPNotify::RegisterForNotification: Service not RUNNING. waiting
GPSVC(3b8.3e0) 03:04:19:034 CGPNotify::RegisterForNotification: Trying to recover from error 1753
GPSVC(3b8.3e0) 03:04:19:034 CGPNotify::RegisterNotificationAsynchronously: Starting async registration
GPSVC(100.4c8) 03:05:07:753 ProcessGPOs: OpenThreadToken failed with error 1008, assuming thread is not impersonating
GPSVC(100.13f4) 07:54:09:864 GetOldSidString: Failed to open profile profile guid key with error 2
GPSVC(658.2354) 09:52:41:726 Client_ProcessRefresh: ProcessRefresh returned error 0x5b4
GPSVC(658.2354) 09:52:41:726 GetGPOList: Client_ProcessRefresh failed with 0x5b4.
GPSVC(658.2354) 09:52:41:726 Exiting RefreshPolicyForPrincipal with status = 1460
GPSVC(100.1a7c) 10:48:26:711 CGPAdminEventInitFailure::Initialize(): FormatMessage failed to look up error code (0x4005) due to error 317. Can not log error description.
GPSVC(100.219c) 10:48:26:711 ProcessGPOList: Extension Internet Explorer Branding was not able to log data. Error = 0x80004005, dwRet = 1252,leaving the log dirty
GPSVC(100.19b4) 10:48:27:491 ProcessGPOList: Extension Internet Explorer Branding was not able to log data. Error = 0x80004005, dwRet = 1252,leaving the log dirty
1. Please try renaming the files in the folder c:\windows\system32\GroupPolicy to .old and running Gpupdate /force.
2. Please verify that DNS is set correctly and that the DNS Client Service is enabled. Restart the DNS Client Service.
Hope this helps!
Best Regards
Elytis Cheng
TechNet Community Support
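The triage done by eye in the reply above (pulling failure lines out of gpsvc.log) can be scripted. The following Python is an added example, not code from the original thread or from Microsoft: it parses the GPSVC(pid.tid) HH:MM:SS:mmm lines, flags silent gaps between entries, measures how long a policy-lock reader waited before "Lock timeout", and decodes the Win32 status codes quoted in this thread. The function names, the 60-second threshold and the assumption that a backwards timestamp means a midnight rollover are choices made for this example.

```python
"""Triage a gpsvc.log excerpt: stalls, policy-lock waits, decoded failures."""
import re
from typing import NamedTuple

DAY_MS = 24 * 60 * 60 * 1000

# Win32/RPC status codes that appear in the logs quoted in this thread.
WIN32_NAMES = {
    1008: "ERROR_NO_TOKEN",
    1317: "ERROR_NO_SUCH_USER",
    1460: "ERROR_TIMEOUT",
    1722: "RPC_S_SERVER_UNAVAILABLE",
    1753: "EPT_S_NOT_REGISTERED",
    1818: "RPC_S_CALL_CANCELLED",
}

LINE_RE = re.compile(
    r"^GPSVC\((?P<pid>[0-9a-fA-F]+)\.(?P<tid>[0-9a-fA-F]+)\)\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3})\s+(?P<msg>.*)$"
)
FAIL_RE = re.compile(
    r"(?:failed with(?: error)?|returned error|from error)\s+(0x[0-9a-fA-F]+|\d+)"
)

# Excerpt copied from the gpsvc.log posted in the question above.
SAMPLE = """\
GPSVC(fc.7d0) 08:41:11:985 Sid = (null), dwTimeout = 600000, dwFlags = 268435456
GPSVC(fc.7d0) 08:41:11:985 LockPolicySection called for user <Machine>
GPSVC(fc.7d0) 08:41:11:985 Reader has to wait for lock. ReaderID : 1.
GPSVC(fc.9d8) 08:41:13:015 CGPNotify::RegisterForNotification: Exiting with status = 0
GPSVC(200.1060) 08:43:10:223 Client_CompleteNotificationCall: failed with 0x71a
GPSVC(fc.1054) 08:43:50:304 Target = Machine, ChangeNumber 0
GPSVC(fc.1374) 08:51:06:327 Found the Waiting Rpc Reader in the waiting list. Removing it...
GPSVC(fc.1374) 08:51:06:327 Lock timeout
"""


class Entry(NamedTuple):
    pid: str
    tid: str
    ms: int   # milliseconds since midnight; the log lines carry no date
    msg: str


def parse(lines):
    """Turn raw log lines into Entry tuples, skipping anything that is not a GPSVC line."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ms = ((int(m["h"]) * 60 + int(m["m"])) * 60 + int(m["s"])) * 1000 + int(m["ms"])
        entries.append(Entry(m["pid"], m["tid"], ms, m["msg"]))
    return entries


def stalls(entries, threshold_ms=60_000):
    """Return (gap_ms, previous, current) where nothing was logged for >= threshold_ms."""
    found = []
    for prev, cur in zip(entries, entries[1:]):
        gap = (cur.ms - prev.ms) % DAY_MS  # assumption: a negative delta is a midnight rollover
        if gap >= threshold_ms:
            found.append((gap, prev, cur))
    return found


def lock_waits(entries):
    """Durations (ms) between 'Reader has to wait for lock' and the next 'Lock timeout'."""
    waits, started = [], None
    for e in entries:
        if "Reader has to wait for lock" in e.msg:
            started = e.ms
        elif e.msg.startswith("Lock timeout") and started is not None:
            waits.append((e.ms - started) % DAY_MS)
            started = None
    return waits


def failures(entries):
    """Return (entry, decimal_code, symbolic_name) for lines that report a non-zero status."""
    found = []
    for e in entries:
        m = FAIL_RE.search(e.msg)
        if m:
            code = int(m.group(1), 0)  # base 0 accepts both 0x71a and 1317
            if code:
                found.append((e, code, WIN32_NAMES.get(code, "unknown")))
    return found


def report(text):
    """Build a short human-readable summary of one log excerpt."""
    entries = parse(text.splitlines())
    out = [f"stall of {gap / 1000:.1f}s before: {cur.msg}" for gap, _, cur in stalls(entries)]
    out += [f"policy lock reader waited {w / 1000:.1f}s, then timed out" for w in lock_waits(entries)]
    out += [f"{e.pid}.{e.tid} status {code} ({name}): {e.msg}" for e, code, name in failures(entries)]
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

On the excerpt from the question, the long silent gap sits directly before the lock timeout, which points at whatever is holding the machine policy lock rather than at the notification registrations that fill most of the log.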
Similar Messages
-
Stuck at Applying Group Policy Printers Policy on Windows 2008 Servers
XP clients seem to be fine and map all printers at logon. The 2k8 servers all hang at logon for 30 min or more at the Applying Group Policy Printers Policy. The print server is a DC in the same domain and it does not experience the issues at logon and gets to the desktop immediately.
a DHCP workstation
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
U:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : CP0030621
Primary Dns Suffix . . . . . . . : us.tms.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : us.tms.local
us.tms.local
tms.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : us.tms.local
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : 00-19-BB-5F-EE-75
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.1.10.165
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.1.10.1
DHCP Server . . . . . . . . . . . : 10.1.10.27
DNS Servers . . . . . . . . . . . : 10.1.10.27
10.1.10.28
Lease Obtained. . . . . . . . . . : Monday, August 24, 2009 8:24:12 AM
Lease Expires . . . . . . . . . . : Saturday, August 29, 2009 8:24:12 A
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Net
ork)
Physical Address. . . . . . . . . : 00-0D-3A-A6-BA-28
win2k3 web server which logs in successfully
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
U:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : wlfdweb01
Primary Dns Suffix . . . . . . . : us.tms.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : us.tms.local
tms.local
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC7782 Gigabit Server Adapter #2
Physical Address. . . . . . . . . : 00-14-C2-C3-DA-3A
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.1.10.29
Subnet Mask . . . . . . . . . . . : 255.255.254.0
IP Address. . . . . . . . . . . . : 10.1.10.30
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.1.10.1
DNS Servers . . . . . . . . . . . : 10.1.10.27
10.1.10.28
Print Server that logs in fine (also a DC and DNS Server)
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
U:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : wlfddc02
Primary Dns Suffix . . . . . . . : us.tms.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : us.tms.local
tms.local
Ethernet adapter Local Area Connection 4:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC373i Multifunction Gigabit Server Ad
apter #2
Physical Address. . . . . . . . . : 00-1C-C4-EF-B7-A4
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.1.10.28(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.1.10.1
DNS Servers . . . . . . . . . . . : 10.1.10.28
10.1.10.27
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{9FB5C233-FB93-471F-873E-6DFDFCFED
2AE}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
server that hangs at applying group policy printers (the other dc and dns server for the domain)
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
U:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : wlfddc01
Primary Dns Suffix . . . . . . . : us.tms.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : us.tms.local
tms.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : 00-0F-1F-68-D6-42
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.1.10.27(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.1.10.1
DNS Servers . . . . . . . . . . . : 127.0.0.1
10.1.10.25
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Local Area Connection* 8:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{C0EEED04-498A-42FC-9C42-86A37BD4D
8D5}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes -
User Group Policy Settings not applied to new user profiles at first logon
Good Afternoon,
We have an issue that occurs to a new user when they first log on to their machines. They log on and a new profile creates from the Default User Profile. We can see that a number of our Group Policy Settings applied as "User Configuration" are not applying. A log off and back on is required before the policies apply.
Any thoughts to this behaviour please?
Regards
LeeB
Lee Bowman MCITP MCTS
Hi,
How is your problem now? How many systems encounter this problem? Is it that all policies couldn't be applied? Is there any feedback when using gpresult to check the applied policy status?
As Group Policy applies after user identity authentication, generally speaking, logging off and back on isn't helpful with this problem.
When this problem occurs, have you checked the event log to see whether it identifies this problem?
Roger Lu
TechNet Community Support -
Cases in which Domain Group Policy settings would be reverted to default settings on a Win7 client
Hi - I'm sure this info is out there somewhere, but I'm having a hard time finding it. Basically, I'm trying to identify the cases in which settings deployed via Domain Group Policy on 2008R2/Win7SP1 would get reverted back to "default settings"
on a Win7SP1 client that is still a member of the domain, and is in a proper OU, properly targeted, WMI filters should still evaluate true, etc...
For instance, it appears that if machine-level registry settings contained within a LocalGPO file on a client get corrupted (C:\Windows\System32\GroupPolicy\Machine\registry.pol), all of those settings, plus all machine level administrative template settings
defined in Domain Group Policy, get reverted to default settings (corresponds with Event ID 1096 in System Event Log where it references "LocalGPO"). I have not confirmed if this is the case for machine level settings defined outside of administrative
templates in Domain Group Policy, or for any user level settings though. (But I suspect not.)
When a workstation is unable to talk to a Domain Controller in order to identify applicable Domain Group Policy settings (for instance, this issue:
http://support.microsoft.com/kb/2421599/en-us), do administrative templates Domain Group Policy settings revert to defaults up until the next successful processing interval? I don't believe
so, but would like confirmation.
Are there any other cases in which Domain Group Policy settings for a client still joined to the Domain would be reverted to defaults?
And when a client is unjoined from the Domain, what Domain Group Policy settings would remain on the client? I understand that some Domain Group Policy settings outside of administrative templates are "tattooed" to the registry. Does
anyone know of a full list of these settings? I believe that most or all of the ones in Windows Settings\Security Settings are tattooed, and the only way to get these settings removed is to explicitly change them via registry edit or LocalGPO/Local Security
Policy, after unjoining the domain.
Any info/insight/links to other doc/etc would be much appreciated!
Hi Shaun,
>>If a client cannot talk to a domain controller at all, admin template settings still stay in-place on the client, correct?
As far as I know, it's not this case. If a client can't communicate with domain controllers, it means that the GPOs applied to the client are out of scope. As suggested by
the article I provided, for native policy, "when a Group Policy object (GPO) goes out of scope, the policy setting is removed allowing the original configuration value to be used."
>>What if a client loses network connectivity while reading Domain GPO?
Group policy will get updated when computers start up and users log on. Besides, for workstations, group policy will get refreshed in the background with a default interval of 90 minutes. As long as workstations can restore network connectivity, the group policy settings will get updated.
>>Are there any other failure cases like this where some or all Group Policy settings (admin template or other areas) would get reverted?
There are many reasons which can cause GP malfunction. However, Windows itself provides necessary tools for troubleshooting various issues. When GP malfunctions, we can check
Event Viewer, collect group policy result, or generate group policy log to troubleshoot.
Best regards,
Frank Shen -
In our deployment, EMET 5 seems to be ignoring group policy settings from immediately after the first group policy refresh post-boot.
Settings are being applied to the computer correctly, and are appearing in the registry correctly, and on boot, a set of Event ID 50 events are logged containing ConfigAppmitGPO (and similar for the other settings) elements with the correct settings.
Upon the first group policy refresh, further eventID 50 events are logged, with empty ConfigAppmitGPO elements.
Investigation with Process Monitor seems to indicate this is a race condition between Group Policy Registry settings being refreshed (which deletes the entries) and the EMET service reading out these settings from the registry (which appears to be triggered
by Group Policy application or by a notification on the registry keys themselves)
This is reproducible on Windows 7 and Windows 8.1.
Is there any way to arrange for settings to be applied correctly at all times, or is this a bug that will need to be fixed in a future update?
We're experiencing the exact same behavior currently. I was starting to think I was going crazy. Glad to know others are experiencing the same behavior.
I've found that using the method from previous versions to read and update settings from Group Policy, using "emet_conf.exe --refresh" still works, and upon every execution, the event log shows the GPO settings being read and applied. While I welcome the move to have EMET update from GPO settings without requiring running a separate task, as it stands now in its current condition, it is a step back.
Scott Ladewig http://www.ladewig.com -
Happy Friday everybody -
I'm working on implementing Microsoft RDS 2012\VDI for the folks here at work. I've read - online - a lot of articles on VDI and RDS 2012 - and have a working model that is working somewhat satisfactorily. I haven't seen much online about steps
I could take in Local Group Policy on my Windows 8.1 'gold image' - or for that matter Domain level group policy - that can assist in creating a better, more reliable/robust Windows 2012 VDI environment.
Anybody out there got any information or opinions or advice on Group Policy settings for VDI environments?
Thanks again, everyone!
Adrian
anr
Hi Adrian,
Thank you for posting in Windows Server Forum.
Regarding your issue, you can refer to the articles below for detailed information.
1. Group Policy Best Practices for VDI Environments
2. Some Basic Group Policy Settings for VDI
Hope it helps!
Thanks.
Dharmesh Solanki -
Backup & Restore non-administrators Group Policy Settings
Hi,
I'm trying to setup a few reference images of Windows 7 which will be deployed to our client computers. The baseline Group Policies are configured through Local Group Policies set in the image. I've setup a Master GPO machine on which to build the policies
and test them.
The Local Group Policies have been set for Local Computer Configuration, Local User Configuration and for Local Non-Administrators Configuration. The thinking is that members of the local Administrators group on the computer are unrestricted and still have
the ability to do most things. Users which log onto the computer abide by the more restrictive Non-Administrators Group Policy settings.
Using the "LocalGPO.wsf" script I'm able to backup and restore Computer and User Configuration which affects all users of the machine but it does not backup the Non-Administrators Policies. Is this possible?
After some digging around in the "GPOPack.wsf" files I've found that the Machine & All Users Policies are restored by the "LocalPol.exe" file. This utility has command line switches for '-m' machine and '-u' user. So I'm guessing
that it's not possible to restore the Non-Administrators Policies?
For what it was worth I've tried copying the "Registry.pol" file from "%windir%\System32\GroupPolicyUsers\S-1-5-32-545\User" folder on the GPO Master machine and placed the file in the same location on target computer. A test which had
one value set worked on the reference computer but when the policies were copied from the GPO Master machine, the target computer ignored all the settings.
Any ideas how to backup/restore Local Machine Non-Administrator Group Policies?
Thanks!
Not entirely sure of the specific policies you're dealing with, but you would typically use the Microsoft Security Compliance Manager to create GPO packs that you would then apply using the Apply Local GPO Package task sequence step in MDT.
I'd encourage you to look over the Applying Group Policy Object Packs section of the
Using the Microsoft Deployment Toolkit.docx file in the MDT 2013 documentation for more details.
MDT 2013 documentation can be downloaded here: LINK -
Good morning,
I have two policies for WSUS, one that auto-reboots the client and one that allows for manual reboots. I'm sure this is very obvious, but I'm wanting to make sure I do this correctly.
What's the easiest way to apply the policy for manual/auto reboots without having to go through my entire active directory tree and link it to each OU containing mixed computers?
I hope this makes sense, but I know I can set security groups and then set it for the scope, but if I go that route is there a way to apply it to all Domain Computers, EXCEPT those who are a member of security group "MPS - WSUS Manual" for example?
Any input here is greatly appreciated
Thank you
If all the machines that you want to have the manual option are in a few select OUs then you could apply the auto reboot GPO to the root of the domain, and then link the manual GPO just to those GPOs containing the relevant machines. As explained here
http://technet.microsoft.com/en-gb/library/cc785665(v=ws.10).aspx a policy applied to an OU overrides a policy applied to the domain as a whole.
While I'm not sure, from your description I'm guessing that's the case, and they're actually mixed in throughout the domain? In which case, the other option might be to make use of group policy's order of precedence. As described here
http://blogs.msdn.com/b/muaddib/archive/2012/08/22/determine-gpo-precedence-with-gpmc-gpresult.aspx you'll see that the order that the GPOs are listed makes a difference to the order that they are applied, and the last to be applied takes precedence over
those that come before. Therefore using that, if you applied the reboot policy to everyone, and then applied the manual one with a security filter so it only applied to your "MPS - WSUS Manual" group such that it had a higher precedence, all machines would
receive the first GPO, but those machines in that group would have that overridden by the second policy. -
Apply Group Policy to external clients
Is it possible to apply GPOs to clients on external networks such as their own personal networks? I'm looking at solutions such as authenticating them through a proxy on the perimeter network and are pushed to the Domain Controller to force these policies.
As it stands, the clients use a VPN client to gain access to the corporate network, and I know that group policy will use the Network Location Service to detect the Domain Controller, but the VPN connection is not mandatory and must be established by the client; if this connection is not required for their job, they may never connect and not get updated GPOs.
Hi,
I agree with Joseph. Unlike many traditional VPN connections, which must be initiated and terminated by explicit user action, DirectAccess connections are designed to connect automatically as soon as the computer connects to the Internet.
Regarding DirectAccess, the following articles can be referred to for more information.
Using DirectAccess
http://technet.microsoft.com/en-in/windows/dn168168.aspx
Windows Server 2012 Direct Access – Part 1 What’s New
http://blogs.technet.com/b/meamcs/archive/2012/05/03/windows-server-2012-direct-access-part-1-what-s-new.aspx
In addition, as this question mainly focuses on networking, in order to get more and better help, we can also ask for suggestions in the following forum.
Network Access Protection
https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverNAP
Best regards,
Frank Shen -
How can I apply group policy but except some users like administrator?
Hello all.
How can I set a group policy and apply it to users except the administrator?
Cheers.
Hello,
please see http://www.grouppolicy.biz/2015/03/how-to-stop-local-administrators-from-bypassing-group-policy/ if you talk about local administrator accounts. In short, you CAN'T.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
Windows Update Group Policy Settings?
I browsed through SCCM 2012 documentation for an answer of what to set in a GPO when wanting to use SCCM 2012 SP1 to handle updates.
At the moment I have:
WSUS/Reporting pointing to wsus server and its appropriate ports
Allow Automatic Updates immediate installation: Enabled
All signed updates from intranet Microsoft Updates: Enabled
Configure Automatic Updates: Enabled
Configure automatic Updating - 4 Auto download and schedule the install
Scheduled install day: Every Friday
Scheduled install time: 21:00
Enabling Windows Update Power Management to auto wakeup the system to install Enabled
No auto-restart with logged on users for scheduled automatic updates installations: Enabled
Reschedule Automatic Updates scheduled installation: Disabled
I didn't see any hint, perhaps it is there and I missed it, on what might be the prescribed settings for a GPO.
What is happening is Windows 8ish is drawing a band across the screen and reporting that your computer needs to reboot; and then reboots. From what I could tell in the WindowsUpdate.log file is that round the time it was observed rebooting smsexec
requested a reboot. But oddly I also saw in the Windows Update log was a reboot was scheduled to expire on the 26th, two days after the observed behavior and I also saw that other reboot requests either expired or had been scheduled.
What I have recently done to various Windows Update deployments was to remove the check boxes for Deadline behavior to prevent Software Updates and System restarts outside the Maintenance Window and also checked Device restart behavior
Suppress system restart on the following devices Servers and Workstations.
At the moment I would like to figure out what the GPO settings should be and also how to determine what had requested reboot and when and if the reboot actually happened.
Thanks!
This blog series by Jason should help you with that (it's still applicable):
http://blog.configmgrftw.com/software-update-management-and-group-policy-for-configmgr-what-else/
http://blog.configmgrftw.com/software-updates-management-and-group-policy-for-configmgr-cont/
My Blog: http://www.petervanderwoude.nl/
Follow me on twitter: pvanderwoude -
Specify Office 2013 KMS host through group policy settings
Hello.
Can someone please help me get the right registry key for Office 2013? I want to specify the KMS host for my clients in the domain through group policy. I don't want to use DNS or config.xml to specify the host.
For Windows I use this key; activation works great.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\KeyManagementServiceName (REG_SZ)
I have found the key for Office 2010 but can't use this for 2013:
HKLM\Software\Microsoft\OfficeSoftwareProtectionPlatform\KeyManagementServiceName (REG_SZ).
I have searched the web but can't find the key.
I really need some help here.
Best regards
Nils S.
> Have found the key for Office 2010 but can't use this for 2013
> HKLM\Software\Microsoft\OfficeSoftwareProtectionPlatform\KeyManagementServiceName (REG_SZ).
> I have searched the web but can't find the key.
Hi,
According to the documentation, it is the same registry key?
http://technet.microsoft.com/en-us/library/ee624350(v=office.15).aspx#section1
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
How to install Windows Updates on a 2012 Domain Controller w/Group Policy Settings
Hello All,
I'm having an issue installing Windows Updates on my Windows Server 2012 Standard with AD DS role, acting as a backup DC.
I have Group Policies set up for the Domain Controllers to download updates from my WSUS server but not to install them. When I go to my Windows Server 2003 R2 Domain Controller, I can install updates via the "Install Updates and Shutdown". That option doesn't show up on the 2012 server. I can see from my WSUS server and the event viewer that the updates are being downloaded to the 2012 server... just no option for me to install the updates.
Am I just missing something or will I need to change the way my Group Policy is set up to allow installs and/or downloads? Any help would be greatly appreciated!
Tony
So I've totally removed the GPO settings for configuring updates on the Default Domain Controllers OU and I can get the Windows Server 2003 Server to get updates from Windows Updates, but the 2012 Server still won't show me how to download or install any updates. It just states on the log-in screen that there are "Windows Updates Sign in and install important updates".
Well guess what Microsoft! I've signed in and still don't see where I can install updates!!!
I guess because you've set AU=3.
There doesn't seem to be much documented in depth about AU/WUAgent (not in the history of forever), but Lawrence and others in the WSUS forum do cover a lot of related questions about the agent and also GP settings.
Lawrence has blogged a lot of detail about the registry settings which are available for AU/WU, and how some of those settings are not practically of any use since WinXP.
So, even though your question isn't about WSUS, the WSUS forum is a great place to visit for help for WUAgent etc.
Anyway, "where can I install updates?":
- on the Start screen, search for "Windows Update"
or
- Settings charm > Change PC Settings > Update and Recovery > Windows Update
or
- Control Panel\System and Security\Windows Update
Some further (light) discussion on the "new" behaviour:
http://blogs.msdn.com/b/b8/archive/2011/11/14/minimizing-restarts-after-automatic-updating-in-windows-update.aspx
Don
-
I do have the iOS 4.2.1 version for my iPod. Please give me a few solutions of how to fix this problem, thanks.
How are you "downloading" them?
USB?
wifi?
How long is a long time? -
Using WMI Filter to apply group policy to users on computers in a security group
Hello all,
I've got a bunch of computers that I want to apply some user-side policies to, affecting all users that log on to these specific computers (they are used for exams).
Unfortunately it is company policy to have a flat OU structure and as such moving these computers into their own OU is out of the question. Which brings me to wanting to create a WMI filter to limit the policy to running on computers only within the security group and then set the security filtering to "Authenticated Users". The policy will be linked to the all student computers OU where a few thousand machines sit, but will only apply to 20 or so machines (I know it's messy).
Anyway, that brings me to my question: can someone point me in the right direction for how I would go about creating this WMI query?
Cheers
> I've got a bunch of computers that I want to apply some user side
> policies that affect all users that log on to these specific computers
> (they are used for exams).
That's what "Loopback" initially was designed for. Nowadays, we can use
some other tricks :)
http://evilgpo.blogspot.de/2012/02/loopback-demystified.html
http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
Martin
How about reading a GOOD book on GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))