Shutdown workstations inactivity from domain group policy
I need to find a way to have workstations shut down after the user has walked away or has been inactive
meaning no keyboard, or mouse activity. Need to have the machines shut down. I have Active Directory on Windows 2003 server R2 Standard Edition SP 2. If I can have this done by active directory I would like to know how.
If it is not possible to do so with Active Directory I would like to know of any other suggestions to do this.
I have some questions:
1. What research have you done on your own so far? (If you haven't researched it on your own, why haven't you done so, before asking?)
2. Is this a scripting question? (If so, please post the script and tell what errors, if any, you are getting.)
-- Bill Stewart [Bill_Stewart]
Similar Messages
-
Preventing Domain Group Policy from being applied
How can a user prevent the domain group policy from being applied to his machine? And How can I stop users from doing that?
Hi,
No, group policy is processed by order, that is, local GPO is processed first, and then domain policy is processed by order, which would overwrite settings in the earlier GPOs if there are conflict.
If you don’t want to apply the domain policy, apply a higher precedence policy or disjoin the domain.
Group Policy processing and precedence
http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx
Alex Zhao
TechNet Community Support -
Cases in which Domain Group Policy settings would be reverted to default settings on a Win7 client
Hi - I'm sure this info is out there somewhere, but I'm having a hard time finding it. Basically, I'm trying to identify the cases in which settings deployed via Domain Group Policy on 2008R2/Win7SP1 would get reverted back to "default settings"
on a Win7SP1 client that is still a member of the domain, and is in a proper OU, properly targeted, WMI filters should still evaluate true, etc...
For instance, it appears that if machine-level registry settings contained within a LocalGPO file on a client get corrupted (C:\Windows\System32\GroupPolicy\Machine\registry.pol), all of those settings, plus all machine level administrative template settings
defined in Domain Group Policy, get reverted to default settings (corresponds with Event ID 1096 in System Event Log where it references "LocalGPO"). I have not confirmed if this is the case for machine level settings defined outside of administrative
templates in Domain Group Policy, or for any user level settings though. (But I suspect not.)
When a workstation is unable to talk to a Domain Controller in order to identify applicable Domain Group Policy settings (for instance, this issue:
http://support.microsoft.com/kb/2421599/en-us), do administrative templates Domain Group Policy settings revert to defaults up until the next successful processing interval? I don't believe
so, but would like confirmation.
Are there any other cases in which Domain Group Policy settings for a client still joined to the Domain would be reverted to defaults?
And when a client is unjoined from the Domain, what Domain Group Policy settings would remain on the client? I understand that some Domain Group Policy settings outside of administrative templates are "tattooed" to the registry. Does
anyone know of a full list of these settings? I believe that most or all of the ones in Windows Settings\Security Settings are tattooed, and the only way to get these settings removed is to explicitly change them via registry edit or LocalGPO/Local Security
Policy, after unjoining the domain.
Any info/insight/links to other doc/etc would be much appreciated!Hi Shaun,
>>If a client cannot talk to a domain controller at all, admin template settings still stay in-place on the client, correct?
As far as I know, it's not this case. If a client can't communicate with domain controllers, it means that the GPOs applied to the client are out of scope. As suggested by
the article I provided, for native policy, "when a Group Policy object (GPO) goes out of scope, the policy setting is removed allowing the original configuration value to be used."
>>What if a client looses network connectivity while reading Domain GPO?
Group policy will be get updated when computers start up and users log on. Besides, for workstations, group policy will get refreshed at background with by default an interval
of 90 minutes. As long as workstations can restore network connectivity, the group policy settings will get updated.
>>Are there any other failure cases like this where some or all Group Policy settings (admin template or other areas) would get reverted?
There are many reasons which can cause GP malfunction. However, Windows itself provides necessary tools for troubleshooting various issues. When GP malfunctions, we can check
Event Viewer, collect group policy result, or generate group policy log to troubleshoot.
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best regards,
Frank Shen -
How to implement " log on locally" via Domain Group Policy
Hello,
Thanks for always being very helpful.
My Goal:
I want to restrict one domain user to login to one computer only (admin/root users to login to every computer).
I searched and I believe there is no such direct way to implement via the group policy unless I may add one GPO per user to implement"log on locally" from the group policy.
Do you have some VB script or other good way so I should not login to each computer one by one and edit the policy manually.
Thanks in advance.
Muhammad Asif Server Administrator Linux/WindowsI am sorry if I wasn't cleared, I am managing about 250 users and want accomplish from some centralized locations. I don't want to go to every machine and apply the changes.
I want to let one domain user to login to one system only.
I have the list of computer name VS username, and I want to apply from centralized location without login to each computer one by one.
Thanks a lot for the assistance.
Muhammad Asif Server Administrator Linux/Windows
The solution can only be applied once at the DC with ADUC or with Set-ADUSer as I posted. It only needs to be run once from one DC.
¯\_(ツ)_/¯ -
Set inactivity time via group policy or registry
Hi,
I have been asked to enable the "Show me as away when I've been inactive for X minutes" option within Skype's general settings for everybody in the company and also set the time option to 5 minutes.
I so far can't find a Group Policy template that allows this however I was wondering if there was a simple registry setting that would enable this? That way I could just push out the registry setting company wide.
Would anybody be able to point me in the right direction for this?
Thanks
DavidHi,
No, I think there is no change from old “Win32_TSPermissionsSetting”. You can use the same class for remote control.
You may use WMI to change the listener's security descriptor. For example, you may use the AddAccount method to add a group to the default RDP-Tcp listener and grant it Full Control (below is using wmic logged in locally):
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE(TerminalName="RDP-Tcp") CALL AddAccount "DOMAIN\group",2
After making a permission change you should log off any users that will be the target of a log off so that the change will take effect (quoted from
this thread).
Apart you can also try below policy setting.
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections
User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections
Set rules for remote control of Remote Desktop Session Host server user sessions: Enable
Hope it helps!
Thanks.
Dharmesh Solanki
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Domain Group Policy changes causes clients to be unable to connect to WSUS for Windows Updates
Domain Controller is Windows Server 2008 R2 64-bit, Group Policy Management version 6.0.0.1. WSUS server is Windows Server 2008 Enterprise 32-bit, Update Services version 3.2.7600.226. Client machines are Windows 7, some are 64-bit and some are 32-bit.
Every time we make any changes to any of our Group Policies most of our clients stop getting their Windows Updates from the WSUS server within 2-3 days. This occurs when we add a new policy for a group of users, temporarily disable a policy or edit a policy.
Check of the WindowsUpdate.log on affected client machines shows:
2014-06-25 13:40:44:976 760 1610 PT WARNING: GetAuthorizationCookie failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2014-06-25 13:40:44:977 760 1610 PT WARNING: Failed to initialize Simple Targeting Cookie: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 PT WARNING: PopulateAuthCookies failed: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 PT WARNING: RefreshCookie failed: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 PT WARNING: RefreshPTState failed: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 PT WARNING: PTError: 0x80072ee2
2014-06-25 13:40:44:977 760 1610 Report WARNING: Reporter failed to upload events with hr = 80072ee2.
A further check of the log files shows:
2014-06-21 19:36:06:995 156 1b0c Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <proxy server name:8080> Bypass List used : <(null)> Auth Schemes used : <>
We do not use a proxy except for Internet connections. We configure IE with a pac file. This is set through Group Policy since we restrict user accounts from being able to set it.
The clients that are connecting to the WSUS server have these entries instead:
2014-06-24 09:12:16:779 992 270 Agent Setting download properties on call A20329BC-3467-4B7E-B9F4-6AC6ACBA23E1: priority=3, interactive=1, owner is system=0, proxy settings=1, proxy session id=2
I have a routine that will fix the problem but it is time-consuming and pulls me away from other things I should be doing:
Run registry files on client machine (WindowsUpdate and AU) This is not always necessary and is already set by Group Policy and the affected clients already have the registry settings. No idea why it is necessary to do but it the steps below don't always
work unless it is.
netstop bits and netstop wuauserv
ipconfig /flushdns
Delete qmgr*.* files from Downloader folder
Delete Software Distribution folder
Run from command prompt:
sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
netstart bits and netstart wuauserv
wuauclt /resetauthorization /detectnow
Run Windows Updates again from Control Panel
This routine always fixes the problem but I've found that I must do each step to guarantee success.
How or where is the proxy setting being changed for WSUS that we see in the WindowsUpdate logs and how do I prevent this from happening? It is also curious that it happens to most but not all of the client machines. When it does happen it's not always the
same client machines.You're right - the WSUS server is on the inside and does not need a proxy server. Tried running the netsh winhttp reset proxy command but was still not able to connect to the WSUS server. After running the netsh winhttp reset proxy command received response:
Current WinHTTP proxy setting: Direct access <no proxy server>.
Ran the command at 13:49 and then tried Windows Updates again. Here's snippet from the log file:
2014-06-27 13:49:56:889 548 f6c AU Triggering AU detection through DetectNow API
2014-06-27 13:49:56:890 548 f6c AU Triggering Online detection (interactive)
2014-06-27 13:49:56:890 548 4b8 AU #############
2014-06-27 13:49:56:890 548 4b8 AU ## START ## AU: Search for updates
2014-06-27 13:49:56:890 548 4b8 AU #########
2014-06-27 13:49:56:893 548 4b8 AU <<## SUBMITTED ## AU: Search for updates [CallId = {9CE06AB2-E859-4B4D-8D1A-193AD89623C5}]
2014-06-27 13:49:56:893 548 1260 Agent *************
2014-06-27 13:49:56:893 548 1260 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates]
2014-06-27 13:49:56:893 548 1260 Agent *********
2014-06-27 13:49:56:893 548 1260 Agent * Online = Yes; Ignore download priority = No
2014-06-27 13:49:56:893 548 1260 Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1
or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
2014-06-27 13:49:56:893 548 1260 Agent * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
2014-06-27 13:49:56:893 548 1260 Agent * Search Scope = {Machine}
2014-06-27 13:49:56:893 548 1260 Setup Checking for agent SelfUpdate
2014-06-27 13:49:56:893 548 1260 Setup Client version: Core: 7.6.7600.256 Aux: 7.6.7600.256
2014-06-27 13:49:56:894 548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2014-06-27 13:49:56:901 548 1260 Misc Microsoft signed: Yes
2014-06-27 13:49:56:927 548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab:
2014-06-27 13:49:56:934 548 1260 Misc Microsoft signed: Yes
2014-06-27 13:49:56:936 548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
2014-06-27 13:49:56:943 548 1260 Misc Microsoft signed: Yes
2014-06-27 13:49:56:956 548 1260 Misc Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wsus3setup.cab:
2014-06-27 13:49:56:962 548 1260 Misc Microsoft signed: Yes
2014-06-27 13:49:56:974 548 1260 Setup Determining whether a new setup handler needs to be downloaded
2014-06-27 13:49:56:974 548 1260 Setup SelfUpdate handler is not found. It will be downloaded
2014-06-27 13:49:56:974 548 1260 Setup Evaluating applicability of setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256"
2014-06-27 13:49:56:976 548 1260 Setup Setup package "WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
2014-06-27 13:49:56:976 548 1260 Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256"
2014-06-27 13:49:56:989 548 1260 Setup Setup package "WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
2014-06-27 13:49:56:989 548 1260 Setup Evaluating applicability of setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256"
2014-06-27 13:49:57:007 548 1260 Setup Setup package "WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~amd64~~7.6.7600.256" is already installed.
2014-06-27 13:49:57:007 548 1260 Setup SelfUpdate check completed. SelfUpdate is NOT required.
2014-06-27 13:49:57:165 548 1260 PT +++++++++++ PT: Synchronizing server updates +++++++++++
2014-06-27 13:49:57:165 548 1260 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL =
http://(FQDN of WSUS server)/ClientWebService/client.asmx
2014-06-27 13:49:57:175 548 1260 PT WARNING: Cached cookie has expired or new PID is available
2014-06-27 13:49:57:175 548 1260 PT Initializing simple targeting cookie, clientId = 6be4a1ae-3313-4855-bdb1-57e3312f03ec, target group = AGENCIES, DNS name = dpk2.clear-rcic.rcc.org
2014-06-27 13:49:57:175 548 1260 PT Server URL =
http://(FQDN of WSUS server)/SimpleAuthWebService/SimpleAuth.asmx
2014-06-27 13:50:57:280 548 1260 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(proxy server):8080> Bypass List used : <(null)> Auth Schemes used : <>
2014-06-27 13:50:57:281 548 1260 PT + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
2014-06-27 13:50:57:281 548 1260 PT + Caller provided proxy = No
2014-06-27 13:50:57:281 548 1260 PT + Proxy list used = webgate.rcc.org:8080
2014-06-27 13:50:57:281 548 1260 PT + Bypass list used = <NULL>
2014-06-27 13:50:57:281 548 1260 PT + Caller provided credentials = No
2014-06-27 13:50:57:281 548 1260 PT + Impersonate flags = 0
2014-06-27 13:50:57:281 548 1260 PT + Possible authorization schemes used =
2014-06-27 13:50:57:281 548 1260 PT WARNING: GetAuthorizationCookie failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
2014-06-27 13:50:57:281 548 1260 PT WARNING: Failed to initialize Simple Targeting Cookie: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: PopulateAuthCookies failed: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: RefreshCookie failed: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: RefreshPTState failed: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: Sync of Updates: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 PT WARNING: SyncServerUpdatesInternal failed: 0x80072ee2
2014-06-27 13:50:57:281 548 1260 Agent * WARNING: Failed to synchronize, error = 0x80072EE2
2014-06-27 13:50:57:282 548 1260 Agent * WARNING: Exit code = 0x80072EE2
2014-06-27 13:50:57:282 548 1260 Agent *********
2014-06-27 13:50:57:282 548 1260 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates]
2014-06-27 13:50:57:282 548 1260 Agent *************
2014-06-27 13:50:57:282 548 1260 Agent WARNING: WU client failed Searching for update with error 0x80072ee2
2014-06-27 13:50:57:302 548 e04 AU >>## RESUMED ## AU: Search for updates [CallId = {9CE06AB2-E859-4B4D-8D1A-193AD89623C5}]
2014-06-27 13:50:57:302 548 e04 AU # WARNING: Search callback failed, result = 0x80072EE2
2014-06-27 13:50:57:302 548 e04 AU # WARNING: Failed to find updates with error code 80072EE2
2014-06-27 13:50:57:302 548 e04 AU #########
2014-06-27 13:50:57:302 548 e04 AU ## END ## AU: Search for updates [CallId = {9CE06AB2-E859-4B4D-8D1A-193AD89623C5}]
2014-06-27 13:50:57:302 548 e04 AU #############
2014-06-27 13:50:57:303 548 e04 AU Successfully wrote event for AU health state:0
2014-06-27 13:50:57:303 548 e04 AU AU setting next detection timeout to 2014-06-27 22:50:57
2014-06-27 13:50:57:304 548 e04 AU Setting AU scheduled install time to 2014-06-28 05:00:00
2014-06-27 13:50:57:304 548 e04 AU Successfully wrote event for AU health state:0
2014-06-27 13:50:57:305 548 e04 AU Successfully wrote event for AU health state:0
2014-06-27 13:51:02:285 548 1260 Report REPORT EVENT: {BD25B39C-6570-454C-A046-AF3AF2DEBDD4} 2014-06-27 13:50:57:282-0400 1 148 101 {00000000-0000-0000-0000-000000000000} 0 80072ee2 AutomaticUpdates Failure Software
Synchronization Windows Update Client failed to detect with error 0x80072ee2.
2014-06-27 13:51:02:295 548 1260 Report CWERReporter::HandleEvents - WER report upload completed with status 0x8
2014-06-27 13:51:02:295 548 1260 Report WER Report sent: 7.6.7600.256 0x80072ee2 00000000-0000-0000-0000-000000000000 Scan 101 Managed
2014-06-27 13:51:02:295 548 1260 Report CWERReporter finishing event handling. (00000000)
2014-06-27 13:51:48:184 548 4b8 AU ########### AU: Uninitializing Automatic Updates ###########
2014-06-27 13:51:48:187 548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
2014-06-27 13:51:48:187 548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
2014-06-27 13:51:48:187 548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
2014-06-27 13:51:48:187 548 4b8 DnldMgr FATAL: DM:CBitsJob::SetCallbackHandler: SetNotifyInterface failed with 0x80080008.
2014-06-27 13:51:48:187 548 4b8 Report CWERReporter finishing event handling. (00000000)
2014-06-27 13:51:48:252 548 4b8 Service *********
2014-06-27 13:51:48:252 548 4b8 Service ** END ** Service: Service exit [Exit code = 0x240001]
2014-06-27 13:51:48:252 548 4b8 Service *************
2014-06-27 13:51:53:002 548 160c Misc =========== Logging initialized (build: 7.6.7600.256, tz: -0400) ===========
2014-06-27 13:51:53:002 548 160c Misc = Process: C:\Windows\system32\svchost.exe
2014-06-27 13:51:53:002 548 160c Misc = Module: c:\windows\system32\wuaueng.dll
Ran a batch file which resets the AU and WindowsUpdate registry keys and then runs the steps listed above:
regedit /s C:\WindowsUpdate.reg
regedit /s C:\AU.reg
net stop bits
net stop wuauserv
Ipconfig /flushdns
del C:\ProgramData\Microsoft\Network\Downloader\qmgr*.*
del /F /Q C:\Windows\SoftwareDistribution\*.*
sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
net start bits
net start wuauserv
wuauclt /resetauthorization /detectnow
After this runs, am able to connect to WSUS server for updates. I mentioned Group Policy changes because this only breaks after the Group Policy changes. It doesn't affect every client machine but most of them. Was wondering how the proxy gets reset from
none to the proxy server for Windows Updates? -
Hello,
In my new company, I noticed that the default domain controllers policy has been (largely) modified.
I thought it was a best practice to keep it clean (In case of restore).
So I would like to create a new GPOs for my DCs to move some of those settings out of the default domain policy.
For example, "Add workstations to domain". If I want to create a new policy for this particular setting, what kind of rules am I supposed to follow to make sure that my new setting will be applied before the default DC policy ?
Is the GPO Link order enough ?
Thank youHi,
Just a confirmation, did you mean that want to overwrite some settings in the
Default Domain Controllers Policy?
Within each domain, site, and OU, the
Link Order controls the order in which GPOs are applied. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the
Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest
Link Order is processed last, and therefore has the highest precedence. Since Default Domain Controllers Policy is linked to the Domain Controllers organizational unit, you can create a new GPO and link it to this Domain Controllers organizational
unit, then control thier order of them via Link Order.
If anything I misunderstand or any update, please feel free to let us know.
Hope this helps.
Best regards,
Justin Gu -
Mail for exchange and domain group policy removing...
Hi,
I currently administer 2 domains, both server 2003 with exchange 2003. On the one domain I can configure any of our e series ( e51/e71/e72/e6) via MFE and permanently accept the untrusted SSL certificate. When I configure MFE to our other domain the option to accept the untrusted certificate has vanished..!
Anyone have any ideas? I'm sure that it's a group policy setting but I cannot spot it!turbominor wrote:
No certificates have been generated bar the ones that exchange installed by default
Hmm, I don't recall ever realizing that. Lol. In that case, what are you using as a root certificate? Nothing...which explains why the cert is untrusted? (As connections to your first Exchange server work normally, apparently you don't need a root cert for a secure connection?) I used to get mine from http://www.cacert.org/ and installed the root cert either manually or through a device management server.
I wasn't completely sure where I was going with my question, but just did a few web searches. Apparently Symbian phones don't like installing self-signed certificates. "Accepting a certificate permanently" does install the cert, although I'm not sure that's quite the same thing. You might skim http://discussions.nokia.com/t5/Eseries-and-Communicators/E72-Email-Accept-Certificate-Permanently/m... in case any of that is relevant. -
ITunes won't work because of domain group policy
Hi my work just implemented a really stupid group policy through our domain that dissallows any file named iTunes.exe to run. The good news is I can rename iTunes.exe and get iTunes to work. That bad news is once I rename iTunes.exe the iPod service is unable to start. The iPod service I assume is what automatically launches iTunes when you plug in your iPod. Does anyone know if a way to let the iPod service and any other file that depends on iTunes.exe that I have renamed it?
I don't have a solution for you, but as a system administrator I feel I must comment.
I don't know about where you work -- but at my job, deliberate circumvention of policy is "abuse" and is considered grounds for termination. The computer you use at work is not yours; it belongs to the company you work for.
If you have a problem with the policy you should take it up with the administrators or your management -- not try to circumvent it. Perhaps the policy is based on a misunderstanding that you could clear up! You (your computer, really) might even be granted an exception to the policy. -
Managing Workstation server from domain server
Hello,
I am trying to manage server Foundation 2012 which is not joined to domain from domain computer. For that I need to run command:
Set-Item WSMan:localhostClientTrustedHosts -Value <YourtargetServernameHere> –Force
but I get error:
Item : This command cannot be used in the current path because this cmdlet is not supported at this level of Provider path.
But what path should be? I cannot figure it out. I dont even understand what the error exactly means. Thank you.
Pete
sfsHi Pete,
Please try the cmdlet below and feedback:
Set-Item WSMan:\localhost\Client\TrustedHosts –Value "Ip address"
Best Regards,
Anna -
Windows 8 and IE10 and 11 not accepting Proxy Settings via Group Policy from windows server 2003
Hi
We are still running Windows Server 2003 with a Win7 and Win8 desktop environment. I can control Win7 IE9 settings,
But Win8 systems are running IE10. We have an internal proxy server.
Is there any way to force the proxy settings to the Win8/IE10 or 11 systems .
i have tried with The IE 10 .adm template and applied gpo,but does not have any proxy settings for ie10 and no changes were applies
please can anyone help me regarding this
i want to apply GPO from windows server 2003 to windows 8 ie10/11
Thanks
KNCHi,
I agree with Zanderol24, we can install RSAT on a windows8 client, and then we can use Group Policy Management to manage group policy from the client.
For more information about RSAT, we can refer to the following link:
Remote Server Administration Tools (RSAT) for Windows Client and Windows Server (dsforum2wiki)
http://social.technet.microsoft.com/wiki/contents/articles/2202.remote-server-administration-tools-rsat-for-windows-client-and-windows-server-dsforum2wiki.aspx
For more detailed information about how to use GPP to configure the proxy setting for ie10 and ie11, we can refer to the following link:
How to configure Group Policy Preference settings for Internet Explorer 11 in Windows 8.1 or Windows Server 2012 R2
http://support.microsoft.com/kb/2898604
When we use GPPs you need to be aware of the F5-F8 keys:
Red / Green: GP Preferences doesn’t work even though the policy applied and after gpupdate \force
http://blogs.technet.com/b/grouppolicy/archive/2008/10/13/red-green-gp-preferences-doesn-t-work-even-though-the-policy-applied-and-after-gpupdate-force.aspx
Besides, aside from using group policy to manage IE, IEAK can also be used to do this.
For IEAK, the following article can be referred to for more information.
Internet Explorer Administration Kit (IEAK) Information and Downloads
http://technet.microsoft.com/en-in/ie/bb219517.aspx
Best Regards,
Erin -
Making a change in Group Policy in Safe Mode or rather trying...
I need to make a change in the domain controller group policy in the following:
We are trying to emulate using smart cards on our system. So I got a set of instructions which basically said to access the Local Group Policy editor under Computer Configuration>Windows Settings>Security Settings>Local Policies>Security
Options and change 'Interactive logon: Require smart card' to 'enabled'.
Then go to the registry: 'HKLM\Software\Mocrosoft\Windows\CurrentVersion\Policies\System' and change the DWORD value of 'scforceoption' from '1' to '0'. So if you don't want to use a smart card, you can hit Esc and logon with userid/password.
Well, since I want this to happen on all our servers and workstations, I set it in the domain group policy instead of locally.
Under 'Computer Configuration>Policies>Windows Settings>Local Policies>Security Options>Interactive Logon: Require smart cards - enable'
Now it wants a smart card only. Of course we don't have them. Yes, I am mightily embarrassed.
I am in Safe Mode with Networking, but it doesn't let me get into the Group Policy. Is there a way to get in?
Win 2008 R2 with all the nasty STIGs of course.
Stef<with my fingers crossed>oh dear :(
the policy setting, and the registry key/value, you have mentioned, are exactly one and the same thing.
it doesn't quite make sense, that you would enable this setting via GPedit and then also disable in the registry editor - you are setting the value to be=1, then setting the exact same value to be=0.
when wishing to use smartcards, but, not enforce the use of smartcards, you don't need to do any of this at all.
when the smartcard drivers are installed, the credentialsUI automatically changes (it detects the SC provider) and offers SClogin methods. This has been my experience over quite a few years since Win2000, and includes Win7.
I'm not sure about Win8 + smartcards, I haven't spent time with that combination yet.
It *might* be possible for you to try:
on a workstation (a domain member),login with a local account. (that part may not work).
when logged on to the workstation, open regedit, and navigate to the regkey for scforceoption. edit the ACL on that regkey to revoke/deny all permissions to all security principals *EXCEPT* for your local account.
(this should stop the GP CSE from applying the domain GP setting to the regkey).
then, reboot the workstation, logon with a domain admin account, and edit your Domain GP to remove the scforceoption setting. allow Domain GP to replicate. then try another member workstation or server to see how it goes.
I haven't ever tried this, but if you can logon and edit that setting, you'll be ok.
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
Group policy remains in effect
I have a workstation (windows xp) that I am trying to log into. I have a ZCM 10 group policy bundle that is assigned to the limited user on the workstation. The workstation for some reason has picked up wrong DHCP information and is trying to connect to a 192.168 network (which does not exist). Since it is not connected to my network, it cannot connect to the ZCM server, so no matter what user I log into on the workstation (including administrator), the group policy is in effect and it restricts everything. I cannot get into network connections to correct the DHCP error.
How can I get the ZCM agent on the workstation to stop enforcing the group policy? Remember, this policy prevents me from accessing the control panel, command prompt, anything in the system try (no Zenworks Z), everything.
matt beckstromOriginally Posted by mbeckstrom
I have a workstation (windows xp) that I am trying to log into. I have a ZCM 10 group policy bundle that is assigned to the limited user on the workstation. The workstation for some reason has picked up wrong DHCP information and is trying to connect to a 192.168 network (which does not exist). Since it is not connected to my network, it cannot connect to the ZCM server, so no matter what user I log into on the workstation (including administrator), the group policy is in effect and it restricts everything. I cannot get into network connections to correct the DHCP error.
How can I get the ZCM agent on the workstation to stop enforcing the group policy? Remember, this policy prevents me from accessing the control panel, command prompt, anything in the system try (no Zenworks Z), everything.
matt beckstrom
There is no easy way to manually remove an effective group policy on a workstation... other than logging in on the domain/source that has set the policy. If PC is set to a wrong ip, but has done that via DHCP... Good thing to check if there is not some device, application or server handing out DHCP for the 192.168 network.
This is a physical machine I presume? Might be an option to swap out or place an extra nic in the PC and see if it will get a correct address on that one.. as the one installed is primarily returning to the given 192.168.x.x address.
Cheers,
Willem -
I get a Group Policy Disk Quota failure at every system start
This is very long, my apologies
I asked this question about a month ago and then had some medical problems so I'm starting over again.
Whenever I start my system I get a message on the screen that the system is trying to run Group Policy for Disk Quotas. To my knowledge I've never set a disk quota policy and I can't find any indication that one is currently set. I freely admit
that I could be responsible for this. I might have done something in the early days of the system because it wasn't happening for the first month or two.
This time I did more reading and found a procedure on TechNet at:
"http://technet.microsoft.com/en-us/library/cc749336(WS.10).aspx" which led me step by step through the procedure, although I still can't make sense of the results.
So far I've verified that there are no policies set and that all the hard drives (3) have the Disk Quota bit 'disabled'. I did this as 'Administrator'.
The results from the TechNet procedure turned out to be quite long but I'm listing it here in hope that someone in the community will be familiar with this problem and be able to use the information to figure out the problem.
Here are the results:
From: TechNet Group Policy Testing
( "http://technet.microsoft.com/en-us/library/cc749336(WS.10).aspx" )
1 - Troubleshooting using the Group Policy operational log
a - Determine the instance of Group Policy processing
(Before you view the Group Policy operational log, you must first determine
the instance of Group Policy processing that failed.)
My ActivityID from the Group Policy operational log = C87E5BC2-FD21-4794-B678-787AB587D8D5
2 - Create a custom view, via a query, of the Group Policy instance
My resultant query:
<QueryList><Query Id="0" Path="Application"><Select Path="Microsoft-Windows-GroupPolicy/Operational">*[System/Correlation/@ActivityID='{C87E5BC2-FD21-4794-B678-787AB587D8D5}']</Select></Query></QueryList>
3 - Results of running the query from step 2 are listed below, in chronological order, including the complete 'detail' sections from each event.
event 4000
Event Description(s) = Computer startup
BEGIN DETAIL SECTION-----------------------------------------------------------------------------
- System
- Provider
[ Name] Microsoft-Windows-GroupPolicy
[ Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
EventID 4000
Version 1
Level 4
Task 0
Opcode 1
Keywords 0x4000000000000000
- TimeCreated
[ SystemTime] 2010-05-15T13:29:33.598400000Z
EventRecordID 22707
- Correlation
[ ActivityID] {C87E5BC2-FD21-4794-B678-787AB587D8D5}
- Execution
[ ProcessID] 1280
[ ThreadID] 1784
Channel Microsoft-Windows-GroupPolicy/Operational
Computer GROK
- Security
[ UserID] S-1-5-18
- EventData
PolicyActivityId {C87E5BC2-FD21-4794-B678-787AB587D8D5}
PrincipalSamName WORKGROUP\GROK$
IsMachine 1
IsDomainJoined false
IsBackgroundProcessing false
IsAsyncProcessing false
IsServiceRestart false
ReasonForSyncProcessing 2
END DETAIL SECTION-------------------------------------------------------------------------------
event 5320
Event Description(s) = Checking for Group Policy client extensions that are not part of the system.
Event Description(s) = Service configuration update to standalone is not required and will be skipped.
BEGIN DETAIL SECTION------------------------------------------------------------------------------
- System
- Provider
[ Name] Microsoft-Windows-GroupPolicy
[ Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
EventID 5320
Version 0
Level 4
Task 0
Opcode 0
Keywords 0x4000000000000000
- TimeCreated
[ SystemTime] 2010-05-15T13:29:33.614000000Z
EventRecordID 22711
- Correlation
[ ActivityID] {C87E5BC2-FD21-4794-B678-787AB587D8D5}
- Execution
[ ProcessID] 1280
[ ThreadID] 1784
Channel Microsoft-Windows-GroupPolicy/Operational
Computer GROK
- Security
[ UserID] S-1-5-18
- EventData
InfoDescription %%4161
END DETAIL SECTION-------------------------------------------------------------------------------
event 5313
Event Description(s) = The following Group Policy objects were not applicable because they were filtered out :
BEGIN DETAIL SECTION------------------------------------------------------------------------------
- System
- Provider
[ Name] Microsoft-Windows-GroupPolicy
[ Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
EventID 5313
Version 0
Level 4
Task 0
Opcode 0
Keywords 0x4000000000000000
- TimeCreated
[ SystemTime] 2010-05-15T13:29:33.614000000Z
EventRecordID 22710
- Correlation
[ ActivityID] {C87E5BC2-FD21-4794-B678-787AB587D8D5}
- Execution
[ ProcessID] 1280
[ ThreadID] 1784
Channel Microsoft-Windows-GroupPolicy/Operational
Computer GROK
- Security
[ UserID] S-1-5-18
- EventData
DescriptionString None
GPOInfoList
END DETAIL SECTION-------------------------------------------------------------------------------
event 5311
Event Description(s) = The loopback policy processing mode is "No loopback mode".
BEGIN DETAIL SECTION------------------------------------------------------------------------------
- System
- Provider
[ Name] Microsoft-Windows-GroupPolicy
[ Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
EventID 5311
Version 0
Level 4
Task 0
Opcode 0
Keywords 0x4000000000000000
- TimeCreated
[ SystemTime] 2010-05-15T13:29:33.614000000Z
EventRecordID 22708
- Correlation
[ ActivityID] {C87E5BC2-FD21-4794-B678-787AB587D8D5}
- Execution
[ ProcessID] 1280
[ ThreadID] 1784
Channel Microsoft-Windows-GroupPolicy/Operational
Computer GROK
- Security
[ UserID] S-1-5-18
- EventData
PolicyProcessingMode 0
END DETAIL SECTION-------------------------------------------------------------------------------
event 5312
Event Description(s) = List of applicable Group Policy objects:
Event Description(s) = Local Group Policy
BEGIN DETAIL SECTION------------------------------------------------------------------------------
- System
- Provider
[ Name] Microsoft-Windows-GroupPolicy
[ Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
EventID 5312
Version 0
Level 4
Task 0
Opcode 0
Keywords 0x4000000000000000
- TimeCreated
[ SystemTime] 2010-05-15T13:29:33.614000000Z
EventRecordID 22709
- Correlation
[ ActivityID] {C87E5BC2-FD21-4794-B678-787AB587D8D5}
- Execution
[ ProcessID] 1280
[ ThreadID] 1784
Channel Microsoft-Windows-GroupPolicy/Operational
Computer GROK
- Security
[ UserID] S-1-5-18
- EventData
DescriptionString Local Group Policy
GPOInfoList <GPO ID="Local Group Policy"><Name>Local Group Policy</Name><Version>524296</Version><SOM>Local</SOM><FSPath>C:\Windows\System32\GroupPolicy\Machine</FSPath><Extensions>[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{3610EDA5-77EF-11D2-8DC5-00C04FA31A66}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{F3CCC681-B74C-4060-9F26-CD84525DCA2A}{0F3F3735-573D-9804-99E4-AB2A69BA5FD4}]</Extensions></GPO>
END DETAIL SECTION-------------------------------------------------------------------------------
event 4016
Event Description(s) = Starting Microsoft Disk Quota Extension Processing.
Event Description(s) = List of applicable Group Policy objects: (Changes were detected.)
Event Description(s) = Local Group Policy
BEGIN DETAIL SECTION------------------------------------------------------------------------------
- System
- Provider
[ Name] Microsoft-Windows-GroupPolicy
[ Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
EventID 4016
Version 0
Level 4
Task 0
Opcode 1
Keywords 0x4000000000000000
- TimeCreated
[ SystemTime] 2010-05-15T13:29:33.614000000Z
EventRecordID 22714
- Correlation
[ ActivityID] {C87E5BC2-FD21-4794-B678-787AB587D8D5}
- Execution
[ ProcessID] 1280
[ ThreadID] 1784
Channel Microsoft-Windows-GroupPolicy/Operational
Computer GROK
- Security
[ UserID] S-1-5-18
- EventData
CSEExtensionId {3610EDA5-77EF-11D2-8DC5-00C04FA31A66}
CSEExtensionName Microsoft Disk Quota
IsExtensionAsyncProcessing false
IsGPOListChanged true
GPOListStatusString %%4102
DescriptionString Local Group Policy
ApplicableGPOList <GPO ID="Local Group Policy"><Name>Local Group Policy</Name></GPO>
END DETAIL SECTION-------------------------------------------------------------------------------
event 5320
Event Description(s) = Finished checking for non-system extensions.
BEGIN DETAIL SECTION------------------------------------------------------------------------------
- System
- Provider
[ Name] Microsoft-Windows-GroupPolicy
[ Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
EventID 5320
Version 0
Level 4
Task 0
Opcode 0
Keywords 0x4000000000000000
- TimeCreated
[ SystemTime] 2010-05-15T13:29:33.614000000Z
EventRecordID 22713
- Correlation
[ ActivityID] {C87E5BC2-FD21-4794-B678-787AB587D8D5}
- Execution
[ ProcessID] 1280
[ ThreadID] 1784
Channel Microsoft-Windows-GroupPolicy/Operational
Computer GROK
- Security
[ UserID] S-1-5-18
- EventData
InfoDescription %%4165
END DETAIL SECTION-------------------------------------------------------------------------------
event 4016
Event Description(s) = Starting Audit Policy Configuration Extension Processing.
Event Description(s) = List of applicable Group Policy objects: (No changes were detected.)
Event Description(s) = Local Group Policy
BEGIN DETAIL SECTION------------------------------------------------------------------------------
- System
- Provider
[ Name] Microsoft-Windows-GroupPolicy
[ Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
EventID 4016
Version 0
Level 4
Task 0
Opcode 1
Keywords 0x4000000000000000
- TimeCreated
[ SystemTime] 2010-05-15T13:31:21.987200000Z
EventRecordID 22718
- Correlation
[ ActivityID] {C87E5BC2-FD21-4794-B678-787AB587D8D5}
- Execution
[ ProcessID] 1280
[ ThreadID] 1784
Channel Microsoft-Windows-GroupPolicy/Operational
Computer GROK
- Security
[ UserID] S-1-5-18
- EventData
CSEExtensionId {F3CCC681-B74C-4060-9F26-CD84525DCA2A}
CSEExtensionName Audit Policy Configuration
IsExtensionAsyncProcessing true
IsGPOListChanged false
GPOListStatusString %%4101
DescriptionString Local Group Policy
ApplicableGPOList <GPO ID="Local Group Policy"><Name>Local Group Policy</Name></GPO>
END DETAIL SECTION-------------------------------------------------------------------------------
event 7016
Event Description(s) = Completed Microsoft Disk Quota Extension Processing in 108374 milliseconds.
BEGIN DETAIL SECTION-------------------------------------------------------------------------------------
- System
- Provider
[ Name] Microsoft-Windows-GroupPolicy
[ Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
EventID 7016
Version 0
Level 2
Task 0
Opcode 2
Keywords 0x4000000000000000
- TimeCreated
[ SystemTime] 2010-05-15T13:31:21.987200000Z
EventRecordID 22717
- Correlation
[ ActivityID] {C87E5BC2-FD21-4794-B678-787AB587D8D5}
- Execution
[ ProcessID] 1280
[ ThreadID] 1784
Channel Microsoft-Windows-GroupPolicy/Operational
Computer GROK
- Security
[ UserID] S-1-5-18
- EventData
CSEElaspedTimeInMilliSeconds 108374
ErrorCode 2147942402
CSEExtensionName Microsoft Disk Quota
CSEExtensionId {3610EDA5-77EF-11D2-8DC5-00C04FA31A66}
END DETAIL SECTION-----------------------------------------------------------------------------------------
event 5016
Event Description(s) = Completed Microsoft Disk Quota Extension Processing in 108374 milliseconds.
BEGIN DETAIL SECTION----------------------------------------------------------------------------------------
- System
- Provider
[ Name] Microsoft-Windows-GroupPolicy
[ Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
EventID 5016
Version 0
Level 4
Task 0
Opcode 2
Keywords 0x4000000000000000
- TimeCreated
[ SystemTime] 2010-05-15T13:31:22.314800000Z
EventRecordID 22720
- Correlation
[ ActivityID] {C87E5BC2-FD21-4794-B678-787AB587D8D5}
- Execution
[ ProcessID] 1280
[ ThreadID] 1784
Channel Microsoft-Windows-GroupPolicy/Operational
Computer GROK
- Security
[ UserID] S-1-5-18
- EventData
CSEElaspedTimeInMilliSeconds 312
ErrorCode 2147483658
CSEExtensionName Audit Policy Configuration
CSEExtensionId {F3CCC681-B74C-4060-9F26-CD84525DCA2A}
END DETAIL SECTION-----------------------------------------------------------------------------------------
Event 8000
Event Description(s) = Completed computer boot policy processing for WORKGROUP\GROK$ in 108 seconds.
BEGIN DETAIL SECTION----------------------------------------------------------------------------------------
- System
- Provider
[ Name] Microsoft-Windows-GroupPolicy
[ Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
EventID 8000
Version 1
Level 4
Task 0
Opcode 2
Keywords 0x4000000000000000
- TimeCreated
[ SystemTime] 2010-05-15T13:31:22.330400000Z
EventRecordID 22721
- Correlation
[ ActivityID] {C87E5BC2-FD21-4794-B678-787AB587D8D5}
- Execution
[ ProcessID] 1280
[ ThreadID] 1784
Channel Microsoft-Windows-GroupPolicy/Operational
Computer GROK
- Security
[ UserID] S-1-5-18
- EventData
PolicyElaspedTimeInSeconds 108
ErrorCode 0
PrincipalSamName WORKGROUP\GROK$
IsMachine 1
IsConnectivityFailure false
END DETAIL SECTION-----------------------------------------------------------------------------------------
End of results.
Thanks to all,
wegrok
Win7 Ultimate x64, 8 GB ram, AMD Phenom 9950 Quad-proc @2.6Ghz, HD = 1TB ASUS M4N72-E mobo, Video = NVIDIA GeForce 8800 GT w/ Dell 2407 Digital Monitor -------------------------------------------------------------------------------------------------------Did you ever have luck tracking this down? Im getting this error and have no clue where it is coming from. I have not enabled gp disk quotas, but I do have a network share on a domain member server that has quotas attached to each users folder.
I removed the quotas and still get this error when I manually perform a gpupdate. -
How to Add multiple entry to the group policy security filtering
How to Add multiple entry to the group policy security filtering
Is there any way we can add multiple entry to the Domain group policy Security filtering tab.Currently its not allowing to add more then one entry at a time.
Getting Error like "only one name can be entered,and the name cannot contain a semicolon.Enter a valid name"Hi
Are you trying to add more users or groups through Group Policy Management Security Filtering tab?
Try right clicking on the policy and then edit
Then in Editor Right click on the name of the policy and Properties
Security tab and add user or group from this tab. Just make sure if you are adding user or groups "Select this object type" has
the correct option also "From this Location" is set to your entire directory not the local server.
Update us with the above.
Thanks
Maybe you are looking for
-
How can i get my camera to work
my camera stopped working on skype. how do i fix this?
-
Dear SAP guru's Our requirement is VBFA-VBELN table need to bring the invoice no BKPF accounting document no and store in Field -BKTXT Scenerio Sales order ( order type OR) ( T#codeVa01)-Delivery note -LF type ( VL02 gets created automatically
-
Query to obtain tables in SH schema using data-dictionary views/tables.
Hi, I have just installed Oracle 10g Database. Logged on to SQL Plus by scott (changed the password as prompted). I want to see the tables in SH schema (which comes by default with Oracle 10g database). The problem, I am facing is: I can see the sche
-
Change the value of a uiXML frameset after frame displays.
I have a frameset - after it displays the frames I want to change the targetframe in the frameset, is there a way to alter the bound value of the targetframe? is there a way on a page load to fire an event that would alter the targetframe? perhaps on
-
Firefox locks up, which then locks up my whole computer for about 30-45 seconds when browsing websites. Sometimes it happens over and over and over, sometimes I can go a week without a problem. It's not a particular website...just random. I've tried