Setting NTFS Folder ACLs via GPO not working on 2012 R2

Similar Messages

• Installing Flash Player 11.8.800.94 via GPO not working properly

  Hello,
  i've installed Flash Player 11.8.800.94 via GPO.
  Installation works fine, but there is no flash player available in Firefox or Internet Explorer.
  Deployed both Flash Players.
  Tried to reinstall Flash Player 11.8.800.94 for Firefox, but it's still not active.
  Windows 7, 64bit
  Greetings,
  Michael

  Hello Comvel.
  RE:
  Hello,
  i haven't fixed it yet.
  I've deployed the last few version of flash player without any problems.
  I haven't found any new things in the admin guide.
  The plugins don't show up in both browsers. I can't enable them.
  On the most importent clients, i've installed flash player manually.
  I know it has been a few months since your post but, I was wonderingif you were able to find a solution for this that didn't involve manual installations. I've recently deployed 11.8.800.175 and am running into the same problems. Some work stations are just fine. But others, (both windows 7 and xp, all IE8) are not working. When navigating to a site like youtube, theres a banner that says update is needed. When you go to manage add-ons there is no shock object/add on.

• Themes Applied via GPO Not Working in Build 9926?

  I've built 2 machines side by side, one using build 9879 and the other using 9926.  They were both built using the exact same process.  They are both in the same OU and have the exact same GPOs applied.
  The custom theme that I apply using Group Policy works correctly on the 9879 machine, but I've got nothing on the 9926 machine.  Just a black screen.
  Build 9879:
  Build 9926:

  For what it's worth, after multiple reboots (3x) the custom theme and wallpaper were correctly applied.
  Still, the GPO settings were applied correctly and immediately on build 9879 but it took 3 reboots for it to apply on build 9926.

• I tried to update my photo albums in my Iphone 4S. I could not, and the old photos were removed. I tried again to copy the albums in the Iphone from a PC Windows XP folder and it does not work.

  I tried to update my photo albums in my Iphone 4S. I could not, and the old photos were removed. I tried again to copy the albums in the Iphone from a PC Windows XP folder and it does not work.

  You can't activate any GSM iPhone without a valid sim card installed in the phone.
  So, yes, you need to get a sim card.

• Hi all, Since I updated to Mavericks I am having trouble with Safari showing all the buttons/clickable options, but they are gray and will not work. Specifically, the Trash Can/Delete and the "Move to" folder button simply do not work. Any ideas?

  Hi all, Since I updated to Mavericks I am having trouble with Safari showing all the buttons/clickable options, but they are gray and will not work. Specifically, the Trash Can/Delete and the "Move to" folder button simply do not work. Any ideas?

  Please post a screenshot that shows what you mean. Be careful not to include any private information.
  Start a reply to this message. Click the camera icon in the toolbar of the editing window and select the image file to upload it. You can also include text in the reply.

• What works in 2008R2 is not working in 2012 SP1

  Setup:
  Visual studio 2010 and 2012.
  Database: both 2008R2 and 2012 SP1
  Issue:
  I have a CLR routine that does bulk update.
  I have trigger on the tables that are being updated.
  Using the same code and the same data, This bulk update query works in 2008, but does not work in 2012, WHEN there is more than one record to be updated.
  My query is simply an update statement, updating table 1 from fields in table 2
  I get no errors when I trace through it in Visual studio 2012, the data simply doesn't update.
  However, if I run it in studio manager, I will get a range of errors, like, 'statement is terminated', or  that there was an error in the trigger, or that it completed successfully, but the data does not update.
  Disabling and re-enabling the trigger works, but that's not a good idea, and since I have many bulk update queries (and have been plagued with issues for the sites that have updated to 2012), I need a solution.
  Any one run into this?  Any ideas about what I can do?

  Well, earlier you said:
  sometimes I get 'the statement was terminated' (nothing else), or I get some error occurred in the trigger, or I get query completed, but the data did not update.
  So there is some confusion about what exactly is occurring.  But without code, there is nothing to do but speculate.  Now you say that when there are multiple records that match the criteria it does not work.  I assume that your context here
  is the update statement - when it updates multiple rows the trigger does not have the desired effect.  If that is not correct, it would help if you could clarify a specific (and hopefully simple) scenario for this case. 
  But based on this information, it seems that the trigger may have an assumption built into it that is not appropriate.  A trigger does not execute for each row - it executes at the statement level and the virtual tables (inserted and deleted) can contain
  any number of rows (from zero - yes, zero - to any number).  Often developers do not realize that the logic must be written to handle a variety of rows; rather they assume that only 1 row is present.  I would also suggest that perhaps a
  similar assumption is made in the update statement you posted - but I don't know the relationship between the 2 tables (Invoice and Cust) so I could be wrong. Perhaps the update statement joins a customer to multiple invoices in some cases (rather than
  an assumed 1 invoice per customer)? Perhaps there is some other oddity that is not evident from a distance.  

• Windows 8 Folder Redirection/offline files not working

  I am trying to deploy 4 brand new HP Laptops running windows 8 Professional into a windows 2008 domain however folder redirection is not working
  These users have folder redirection enabled via group policy and this works fine under their old laptops in windows 7
  For windows 8 I see an error in the event log :
  Error 7023 - The offline files service terminated with the following error : the system cannot find the path specified
  I also get this error if I manually try to start the offline files service.
  This is happening on all 4 brand new laptops. All latest available updates installed.

  I am trying to deploy 4 brand new HP Laptops running windows 8 Professional into a windows 2008 domain however folder redirection is not working
  These users have folder redirection enabled via group policy and this works fine under their old laptops in windows 7
  For windows 8 I see an error in the event log :
  Error 7023 - The offline files service terminated with the following error : the system cannot find the path specified
  I also get this error if I manually try to start the offline files service.
  This is happening on all 4 brand new laptops. All latest available updates
  installed.
  The error as you have already observed is a critical error  blocking the service from running. So that must be about the computer software configuration.
  You claim brand new, latest updates etc. - however to use i.e. folder redirection, gpo's etc. you're modifying the software configuraton. I.e. not quite brand new or unchanged (except for those may be important changes, guess those machines are indeed brand
  new or just bought ... however still in change as any other software managed machines)
  For some reason could be corruption of system configuration, but how? Unlike coincidence of 3 of 4 computers failing to start that services? I.e. have you done any changes to offline files etc, scripts or some stuff with gpo's.
  Try exploring the Windows log and take a look at the detail for the error events.
  Use process monitor from Microsoft to trace what happens when you try to start the Windows service ...
  Just tips for determining the bug ...
  Out-of-the-box this should not happen ... for folder redirection and offline files ... it's actually the Windows client going to get those files ... so take a look at the client and try to trace the bug.
  My best guess is something is changed on the client - and your customized system or software is doing it. Or something wrong with the configuration. I.e. if you have relocated the CSC cache ...
  In my experience the best way to debug this problem is to use Process Monitor ... and i.e. come up with a fix based on the observations i.e. if you have relocated the csc cache to some place where it is actually not available or incorrectly configured
  (i.e. take a look at the Result column and looked for failed operations in context with CSC cache operations)
  If you don't know how to do this - don't relocate the CSC cache ... (i.e. if you did this to conserve space on i.e. your SDD's with i.e. smaller capacity than legacy-HD). The real problem is the Folder Redirection Client on the Window Client going to
  pin the entire folder hierarchy of the users workspace, i.e. documents. Either move files out of that area or use group policy to disable pining entire user "storage area". Microsoft should make the Folder Redirection Client more flexiable, i.e. add option
  to exclude part of folder hierarchy. But you can do this by using gpo to disable folder redirection auto-cache of all files - and then instead have users explicitly pin their mobile folders. However for some folders like favorites, desktop and so on you can
  actually use batch and wmic to set pin of some folders containing usually less data using a startup script and gpo. That Works ... and simulates i.e. excluding the stored data in user libraries like documents, videos, music ...
  ... anyway added this based on a "suspension" on what you are really trying to obtain ... but the solution is not to move the CSC cache to aqquire more space, i.e. a user can put 1 TB in their videos ... the solution is to program the Folder Redirection
  Client differently ... untill Microsoft add that functionality.

• Set NTFS folder permissions

  When creating new file servers we always need to set up the NTFS rights manually and that takes forever...
  Instead I would like to have a powershell command/script that configures the NTFS security settings on the folders.
  I have two needs that hopefuly some of you allready have a solution on,
  1, NTFS Settings on a homefolder share:
  Users should be able to access the location of all user folders (ex:
  \\server\users\). Then the user should only be able to create folder(s). Without access to any other users files or folders. The user should have have full r/w access to his/her created folder.
  Below you can see my settings as it is when I created it with Windows Explorer, how can I accomplish this this with Powershell instead?
  2, I need the commands to set following NTFS settings on a folder:
  A List Group: I want to add a AD group that should only be able to access the folder (not any subfolder or files).
  A Read Group: I want to add a AD group that should be able to read all files and subfolders in a folder.
  A  Write Group: I want to add a AD group that should be able to read and write on all files/subfolders in a folder.
  See sceenshot below how it looks today from Windows Explorer:

  Hi,
  First of all, thanks all for your quick answers to me..
  I decided to go with
  Mike Laughlin's answer. But I think I still need some more help from you all :)
  This is what my script do:
  I have a string that takes the computername and then remove the numbers in the end of the name to get the sitename (ex computername VEGAS001 will be VEGAS , which is the sitename)
  On D:\Fileshares I have my folderstructure, here I create all department folders under the "sitename" folder (ex D:\Fileshares\Vegas\) with the script. This works fine to create...
  Then the last is to set the NTFS rights on all the folders with the module Mike recomended.
  Here I try to set rights on different groups, but it doesnt work with my string $sitename (ex: Domain\$sitename_L_HR_W  = Domain\VEGAS_L_HR_W)
  It creates a setting in the NTFS security , but it's not the correct one (see below) , its just a none existing GUID number..
  I tried to add different symbols such as + " ' between/in the AD Group name
  Ex: Domain\$sitename+_L_HR_R /
  Domain\$sitename+"_L_HR_R" ,
  but without any success
  Sometimes it didnt add the GUID above, sometimes just a long error message that I couldnt understand.
  I guess for anyone with some more PowerShell skills then me will be able to fix this easy? :)
  Here is my code....
  #Import the PowerShell Module (PowerShellAccessControl)
  Import-Module PowerShellAccessControl
  # Configure sitename as an string
  $sitename = $env:computername
  $sitename = $sitename.Substring(0,$sitename.Length-3)
  # Create folder structure
  New-Item D:\Fileshares\$sitename$\DATA\Administration\IT -type directory
  New-Item D:\Fileshares\$sitename$\DATA\Administration\Finance -type directory
  # Configure NTFS settings on folder
  Get-Item D:\Fileshares\$sitename$\DATA\Administration\IT | Add-AccessControlEntry -FolderRights Read -Principal Domain\$sitename_L_IT_R -AceType AccessAllowed -AppliesTo ChildObjects,ChildContainers,Object -Apply -Force
  Get-Item D:\Fileshares\$sitename$\DATA\Administration\IT | Add-AccessControlEntry -FolderRights modify -Principal Domain\$sitename_L_IT_W -AceType AccessAllowed -AppliesTo ChildObjects,ChildContainers,Object -Apply -Force
  Get-Item D:\Fileshares\$sitename$\DATA\Administration\HR | Add-AccessControlEntry -FolderRights Read -Principal Domain\$sitename_L_HR_R -AceType AccessAllowed -AppliesTo ChildObjects,ChildContainers,Object -Apply -Force
  Get-Item D:\Fileshares\$sitename$\DATA\Administration\HR | Add-AccessControlEntry -FolderRights modify -Principal Domain\$sitename_L_HR_W -AceType AccessAllowed -AppliesTo ChildObjects,ChildContainers,Object -Apply -Force

• Flash Player deploy by GPO - not working

  I've been attempting to get Flash Player 10 (distributable verision, install_flash_player_10_active_x.msi) to deploy accross our network - three sites, around 100 computers total.
  I've assigned it to Group Policy, the client machines pull it down and install successfully (it even shows up in Add/Remove programmes).
  However it doesn't work. Whenever any user goes to a flash-based website they get a message telling them to download and install flash.
  Has anyone else experienced this?
  All our clients are running Win XP and IE8

  In case this might help someone else - I've now given up with installing flash via GPO, and decided to try
  to install via a vbscript computer start up script that I knocked together this morning. In case it might help someone else, copy is included below:
  Basically - put msizap.exe from windows installer sdk + the adodb flash uninstaller/msi file in the directory (strNetworkPath)
  Script then does the following:
  1) Calls adobe's uninstaller exe in silent mode to clean up what adobe can - then what it leaves behind we do ourselves:
  2) removes c:\windows\temp\installax.exe if it exists
  3) searches for and deletes from registry any Managed applications references containing (Adobe Flash Player 10 ActiveX) - in our case, i've already told GPO's to remove flash player - so it's erroring on uninstall at the moment)
  4) Search for any installed msi applications  called 'adobe flash player 10 activex' and runs MSIZAP on them ( seems adobe uninstaller doesn't completely remove the local msi references ;/)
  5) copies MSI down frmo network to windows temp
  6) msiexec /qb msi
  7) delete the msi file
  Sub InstallFlashPlayer()
      ' Network Path to:
      ' msizap.exe
      ' flash installer
      ' flash uninstaller
      strNetworkPath = "\\path\to\flash"
      strFlashVersion = "flash10k.ocx"
      strTempFolder = "C:\WINDOWS\temp"
      strFlashMSI = "install_flash_player_10_1_85_3_active_x.msi"
      On Error Resume Next
      Set WshShell = WScript.CreateObject("WScript.Shell")
      Set fso = WScript.CreateObject("Scripting.FileSystemObject")
      file1 = fso.FileExists ("C:\WINDOWS\system32\Macromed\Flash\" & strFlashVersion)
      if file1 = true then exit sub
      WshShell.Run strNetworkPath & "\uninstall_flash_player.exe -uninstall",7, true
      file1 = fso.FileExists (strTempFolder & "\installax.exe")
      if file1 = true then fso.DeleteFile strTempFolder & "\installax.exe"
      Const HKEY_LOCAL_MACHINE = &H80000002
      strComputer = "."
      Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
          strComputer & "\root\default:StdRegProv")
      strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt"
      oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
      For Each subkey In arrSubKeys
  strName = WshShell.RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt\" & subkey & "\Deployment Name")
          Select Case Err
              Case 0:
                  ' Key successfully read
                  If strname = "Adobe Flash Player 10 ActiveX" Then
                      strProduct = WshShell.RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt\" & subkey & "\Product ID")
                      'Error Handling if any? - resume next
        WshShell.RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt\" & subkey & "\"
        WshShell.RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt\" & strProduct
                  End If
             Case Else:
                 ' Some error - skip
                 Err.clear
          End Select
      Next
    Dim installer : Set installer = Nothing
    Set installer = Wscript.CreateObject("WindowsInstaller.Installer") : CheckError    
    Dim product, products, info, productList, version
  On Error Resume Next
  Set products = installer.Products : CheckError
  For Each product In products
    guid  = product
                  name = installer.ProductInfo(product, "ProductName")  : CheckError
    if name = "Adobe Flash Player 10 ActiveX" Then
                      WshShell.Run strNetworkPath & "\MsiZap.Exe TWA! " & guid, 7, true
                      WshShell.Run strNetworkPath & "\MsiZap.Exe TW! " & guid, 7, true
                  end if
  Next
  Set products = Nothing
      fso.CopyFile strNetworkPath & "\" & strFlashMSI, strTempFolder & "\" & strFlashMSI, true
      WshShell.Run "C:\WINDOWS\system32\msiexec.exe /I """ &  strTempFolder & "\" &strFlashMSI & """ /qb-!", 7, true
      fso.DeleteFile strTempFolder & "\" & strFlashMSI
      On Error Goto 0 
  End Sub
  Sub CheckError
  Dim message, errRec
  If Err = 0 Then Exit Sub
  message = Err.Source & " " & Hex(Err) & ": " & Err.Description
  If Not installer Is Nothing Then
    Set errRec = installer.LastErrorRecord
    If Not errRec Is Nothing Then message = message & vbNewLine & errRec.FormatText
  End If
  Wscript.Echo message
  Wscript.Quit 2
  End Sub
  InstallFlashPlayer

• Sync Google Contacts via iTunes not working

  Hi
  Just got a new Macbook with Yosemite and am syncing my Google Mail, Calendar, Contacts with the Macbook without difficulty,  I have disabled iCloud syncing for Mail, Calendar, and Contacts. 
  Now, I want to get Google Contacts set up on my old iPhone 3G (iOS 4.2.1) as a stop gap before getting a new iPhone down the line.  However, I can't find a reliable way of getting my Google Contacts on to the iPhone 3G.
  Exchange Sync and CardDAV do not work.  I don't mind syncing via iTunes but I can't set this up either.  Despite telling iTunes to sync 'All Contacts' it won't sync those from my Google account.  Only contacts in 'On My Mac' group sync across, but I don't want to manually keep track of and copy new Google contacts into this group just to sync.
  Why won't iTunes sync the Google contacts group - currently it is the only group in my OS X Contacts.
  I have reset sync and reinitialised the iPhone to factory image - neither works.
  Any advice appreciated.

  try rebooting the appletv.
  also, you have a first generation appletv but have posted in the second generation appletv forum.

• Export to exchange folder in HTML format not working

  Hi All
  I am trying to export report in HTML format directly to exchange folder and sending it as mail. I am using below code for it but it is not working for html format only. I am able to export other formats (rpt, pdf, word, excel...) using below snippet.
  Crazy thing is that it doesn't give any error or exception. It just ignores the code. It will great if someone can sneak in below code and point out what I am doing wrong.
  Dim destination As ExportDestination = ExportDestination.ExchangeFolder
  Dim options As New HTMLFormatOptions
  options.HTMLFileName = "report1.rpt"
  options.HTMLBaseFolderName = System.IO.Path.GetTempPath()
  ExportToExchangeFolder(format, options)
  Private Sub ExportToExchangeFolder(ByVal format As ExportFormat, ByVal options As ExportFormatOptions)
      Dim myExchangeOpts As ExchangeFolderDestinationOptions = ExportOptions.CreateExchangeFolderDestinationOptions()
      Dim myExportOpts As New ExportOptions
      myExchangeOpts.DestinationType = ExchangeDestinationType.ExchangePostDocMessage
      myExchangeOpts.Profile = "Outlook"
      myExchangeOpts.FolderPath = "[email protected]#Drafts"
      myExportOpts.ExportDestinationOptions = myExchangeOpts
      myExportOpts.ExportDestinationType = ExportDestinationType.ExchangeFolder
      myExportOpts.ExportFormatType = ExportFormatType.HTML32
      myExportOpts.ExportFormatOptions = options
      report.Export(myExportOpts)
  End Sub

  Hi Saurabh,
  The logic does not make sense.... Open a report up in CR Designer and export to HTML, notice it creates a few folders and a bunch of files, depending on the options you select.
  It's not one file so what you should do is export to disk, use a third party API set to zip up the files and folders and then e-mail the zip file to the server/user.
  Actually what you should do is not give the users that option, PDF works for viewing through a browser so use it, easiest way to do this.
  And because you are attempting to send HTML through E-mail there are all sorts of security issues sending that format and lots of permissions required. Best to avoid it.
  Don

• Outlook Safe Senders List GPO not working

  Hi
  I followed These instruction
  https://social.technet.microsoft.com/Forums/office/en-US/c0714d7d-2a42-4b0f-9f1d-63234c7278a0/appending-outlook-safe-senders-list-via-gpo
  but my Safe Senders List still not applied
  Any ideas?
  My Environment Office 2010,Exchange 2010, Windows 7x64

  Hi Ben,
  Please close Outlook and only use OWA (Outlook Web Access) to receive the messages from
  [email protected] and check whether the messages are going to Junk E-mail folder or not. If it is listed in junk e-mail folder in OWA, it indicates the message is marked as Spam by Exchange server
  instead of Outlook side.
  If it is marked as Spam by Exchange server, please add this email address to the server safe sender list.
  Create a domain or user-based safe sender or blocked sender list using transport rules
  http://technet.microsoft.com/en-us/library/dn198251(v=exchg.150).aspx
  Safe sender and blocked sender lists FAQ
  http://technet.microsoft.com/en-us/library/dn133608(v=exchg.150).aspx
  Regards,
  Winnie Liang
  TechNet Community Support

• Javascript calls via getURL not working anymore

  After upgrading to flash player 9,0,115,0 a simple call like
  getURL("javascript(alert'message')); doesn't work anymore on
  Internet Explorer (it fails without any error in policyfiles.txt,
  but it still work on Firefox). My IE version is 7.
  I can't use ExternalInterface 'cause i need to publish as
  Flash Player 7 AS2.0.
  Any comment or suggestion?

  I have a similar problem. When running a local HTML file,
  using IE7 and FP 9,0,115,0, all the getURL function calls cease to
  work.
  If I downgrade to FP8, still using IE7, everything works.
  If I downgrade to IE6, still using FP9.0.115.0, everything
  works.
  If I load the HTML via HTTP (instead of local), using IE7 and
  FP9.0.115.0, everything works.
  If I use Firefox, with FP9.0.115.0, everything works.
  So, the function calls fail only when the swf is contained on
  a
  local HTML file, using
  IE7, and
  FP9.0.115.0. The problem is, most of our customers have that
  software profile, and all of them need to load the content locally
  (its very heavy for network transmission).
  All the getURLs are like this:
  getURL("javascript:someFunction()");
  We're setting the 'allowScriptAccess' to 'always'.
  Also, if we put the OBJECT tag inside the HTML (instead on an
  external JS file), the function calls still do not work.

• Ssh via vpn not working in Snow Leopard

  On a MacBook Pro with Snow Leopard, I want to log into a remote server on my employer's lan via ssh over a vpn connection. The vpn works because I can access a local twiki on that lan with no problem, but I can't run ssh or even ping. This is not a DNS issue because it happens even with explicit numerical IPv4 addresses.
  On an older G4 iBook with Tiger, ssh and ping both work. I can run the two laptops side by side with simultaneous VPN connections; and Tiger will succeed, but Snow Leopard fails. Turning off the firewall on the MacBook Pro makes no difference. Could someone please give me an idea of what is going on?
  I can't get help from my employer's IT staff because we are a Windows operation and would just as soon switch me over to Windows 7. Thanks.
  Clint

  My problem seems to be due to an advanced option in the Snow Leopard VPN preference to "Send all traffic over VPN connection." The domain that I was trying to reach is actually not on my company LAN, but successful ssh'ing to it seems to require that the request to come from a LAN IP address. Without the traffic redirection option, Snow Leopard tries to invoke ssh through my home IP address, which will then time out without making a connection. I think that Tiger automatically redirects traffic to the VPN whenever it is active.
  (Note that when setting a VPN preference, it does not go into effect until after leaving the Network preference pane.)

• GPO not working for new Users (Background)

  Terminal Server 2012 in a hosted environment
  I've set the below policy to set a default background wich can be changed by the users after this.
  The target is an networkdrive. (The Reason behind this is that we have multiple resellers that all have the same networkdrive but pointing to a different store) Lets just say for this example that is P:/Background/ResellerBackground.jpg
  The policy is Linked to the Resellers OU.
  This works perfectly for all the existing users.
  For new users this is not working at all. It does run the policy but it create the profile after running the policies.
  So the above setting gets overruled by the default windows server 2012 background. The RunOnce atribute is set now, so it will not load it again.
  I have read a lot of different sollutions so far, but none are working in this environment. (From changing the default Hive to changing the default picture etc)
  One sollution came close, but not working perfectly either, this is removing the RunOnce atribute from the register, and letting the new users log in again. You do not wanna let new users login twice.
  Before Windows 7/8/2012, in XP it just copied the default user and then the policies ran. So here the problem does not exist. Now it makes the profile after running the policies.
  Anyone having an idea to resolve this issue? 

  Hi,
  Before going further, what’s the value in the wallpaper registry entry
  value data for new users?
  >>One sollution came close, but not working perfectly either, this is removing the RunOnce atribute from the register, and letting the new users log in again. You
  do not wanna let new users login twice.
  If we choose this solution, we can try running cmd command
  gpupdate/force to see whether it can work.
  Another workaround is we can do it from scratch. We can create a new GPO to deploy wallpaper for these new users. The steps are the same as previous ones, just using
  Security Filtering to apply this new GPO to new users, and unlinking and deleting the GPO after the policy getting updated.
  Best regards,
  Frank Shen