User Group Policy Settings not applied to new user profiles at first logon
Good Afternoon,
We have an issue that occurs to a new user when they first log on to their machines. They log on and a new profile creates from the Default User Profile. We can see that a number of our Group Policy Settings applied as "User Configuration" are
not applying.A log off and back on is required before the policies apply.
Any thoughts to this behaviour please?
Regards
LeeB
Lee Bowman MCITP MCTS
Hi,
How about your problem now? How many system encounter this problem? Is all policy couldn't be applied? Is there any feedback when using gpresult to check policy applied status?
As Group Policy applies after user identity authentication, generally speaking, user logoff and back doesn't helpful with this problem.
When this problem occures, have you checked event log if it identify this problem?
Roger Lu
TechNet Community Support
Similar Messages
-
We want to deploy to all our desktop the pac file to configure proxy. We have a Windows 2008 R2 server, and i've enabled the GPO "Make proxy settings per-machine (rather than per user)", and i've add a registry key AutoConfigURL in "HKLM\Software\Microsoft\Windows\Current
Version\Internet Settings" with the pac file link.
I've tested on my pc, and all was configured without any problem. I've try to login to my computer with another user (without admin rights) and the automatic configuration proxy was compiled and not modificable. It's seems that all works.
But, our users are not local admin, so i've tried to deploy the GPO in a collegue computer. I've forced the update of GPO, checked on registry that all new keys are added, and i've reboot the pc. When i've check on IE settings, autoconfig URL was empty and
grey. I'm disconnected from user and i've login to the pc with a local admin. With my surprise, the IE settings was compiled. When i'm come bac to the user profile the IE settings was compiled and not modificable.
The problem is: i've over 750 users in 3 countries, and i don't want grant them the local admin permissions. How can i configure proxy settings via GPO without login to every machine at least one time?> have a Windows 2008 R2 server, and i've enabled the GPO "Make proxy
> settings per-machine (rather than per user)", and i've add a registry
> key AutoConfigURL in "HKLM\Software\Microsoft\Windows\Current
> Version\Internet Settings" with the pac file link.
In the past, we experienced various issues with machine proxy settings,
so we don't use them anymore. The simple approach:
Block access to the connections page through ADM template settings and
deploy the proxy through GPP Internet Settings.
This is what we do (with a pac file, too), and it works well :)
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Folder Redirection policy is not applied to a user, when the server target is changed.
After server target is changed via group policy, when user login (roaming profile)first time, the the new server target has not been applied, instead it's pointing to the old folder redirection path.
But if we reset the windows profile (roaming ), the new folder redirection works, can you please specify a solutions that the new folder redirection works when the user login for the first time. so it reduce the time on resetting users profile.
it seems that we need to delete the old folder redirection path from the user profile (roaming user profile) via group policy or similar solutions..
Many Thanks> But when the specific users login they all get the same error, it
Is the old server removed from the domain? Seems so - or some other
authentication related issue, hard to tell from here...
> seems that the roaming user profiles still keeps the old server details,
Yes - if you change redirection targets, FR moves content from old to
new, and only if this ends sucessfully, it will update the redirection
target.
Make the old redirection target accessible to the user and you'll be fine.
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Urgent Group Policy Issue - not applying despite saying it does
Thank you for this urgent help. Auditors checking this out tomorrow morning.
We have a GPO that sets the eventlog audit settings for success or failure security events. The scope is set to Authenticated Users.
When I run the group policy wizard in GPMC it shows the settings applying to one of our servers in that OU.
When I run gpresult/z from that server it shows the policy applying to that server.
But when I go into gpedit.msc the security audit settings are all set to "not defined" and they are grayed out so I can't edit them manually.
As a test I set the GPO to deny applying to that server. I ran gpudpate/force on the system and then gpresult and it shows the GPO now not applying. But the settings are still set to not defined and still not editable. they are not being set by any other GPO.
In the event logs I only see three GPO errors but they are unrelated. A separate GPO is having issues creating user accounts. No other GPOs apply.
Quick help would be fantastic.
Server runs on Windows Server 2008 R2 (I can edit GPO but not the domain ones and I don't have access to the domain controllers).OK, After several hours I figured it out. Turns out there's bugs and odd functionality.
If someone ever tested the 'advanced audit settings' (which I did in the same GPO at some point) then it sets a registry key to disable the use of the older basic audit settings. But when you stop using those advanced settings in your GPO it doesn't remove
that registry bit. So I used the GPO to undo that setting. This was the first step. This is found Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > "Audit: Force audit policy subcategory
settings (Windows Vista or later) to override audit policy category settings" to DISABLED.
Even though this is done, sometimes the GPO files on the domain controllers don't remove the old audit settings. So in the comments of another thread I found out you may have to go to
\\domain-fqdn\SYSVOL\domain-fqdn\Policies\{your-policy-id-where-this-setting-was-originally-set}\Machine\Microsoft\Windows NT\ and delete the Audit folder which is left behind due to some odd bug. If you don't do this even after doing the next step the
next gpupdate will bring that security setting above back down.
Next you have to reset your audit settings on your PC to the defaults. Unfortunately there is no way to do this. Auditpol /clear does not accomplish this. The only way to do this is to take the audit settings from another working system, export them and
then 'restore' those same settings to the affected server. To do this:
1. On 'working system' run cmd.exe as administrator and export the audit settings to a folder like this:
auditpol /backup /file:c:\working-auditpol-settings.txt
2. Copy that file to the broken system such as the C:\ drive and run this on the broken system:
auditpol /restore /file:c:\working-auditpol-settings.txt
Open GPEDIT.MSC and verify the audit settings are back to normal. Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Then run gpupdate/force on the formerly broken system. Close gpedit.msc and reopen and verify the settings were not overwritten. If you skipped the sysvol audit folder deletion step they may come back.
Hope this helps someone. -
Group policy is not applying in windows 8
There is different behavior on Windows 7 and Windows 8 on desktop wallpaper. In Windows 7, when we log into the system,
the cached wallpaper file will re-generated automatically.
But in Windows 8, if the wallpaper path didn’t change, the cached wallpaper will not re-generate.
After I deleted below file and log off/log on I can see the desktop wallpaper automatically changed on Windows 8.
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
So I think you can apply this deletion operation to the domain controller as a log
off and shut downscript, the script which is as below.
(you can also write a .bat file by yourself and the content is :del
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper)
Any solution on a doamin area pcs is not changing wallpaper by default in windows 8 i do the above but it applies only for a client machine. i want this to all windows 8 pcs in domain...please check this
try this. Run regedit and navigate to the following key in the Registry Editor:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
Right click on Policies > New > KEY > name it as ActiveDesktop.
Next in the right side, right-click > New > DWORD > name it as
NoChangingWallPaper.
The DWORD value 1 will restrict change in desktop wallpaper. To
allow change give it value as 0.
Reboot. -
I can't determine how a group policy is being applied. Please help. Thank you.
Hi,
I'm having a problem trying to find how a particular policy is being applied on my domain (I've inherited this domain). When ever a user logs into a domain, the computer get's a new local group policy. One particular attribute is that the local
admin account get's renamed:
I can't figure out where it's coming from. I've run gpresult, and I'm assuming it's the default domain policy.
But when I go to the domain controller and look at the default domain policy, the entry is empty:
I'm really at a loss. However, I really don't think it's the default domain policy, but I can't figure out what else it could be?
Any help would be greatly appreciated. Thanks!!! -TimDoes this help
C:\Users\***>gpresult /z
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 2/12/2015 at 1:57:06 PM
RSOP data for ****\*** on H9MHD12 : Logging Mode
OS Configuration: Member Workstation
OS Version: 6.1.7601
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\***
Connected over a slow link?: No
COMPUTER SETTINGS
CN=H9MHD12,CN=Computers,DC=***,DC=com
Last time Group Policy was applied: 2/12/2015 at 1:03:12 PM
Group Policy was applied from: ***.***.Com
Group Policy slow link threshold: 500 kbps
Domain Name: ****
Domain Type: Windows 2000
Applied Group Policy Objects
Default Domain Policy
Local Group Policy
The computer is a part of the following security groups
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
H9MHD12$
Domain Computers
System Mandatory Level
Resultant Set Of Policies for Computer
Software Installations
N/A
Startup Scripts
N/A
Shutdown Scripts
N/A
Account Policies
GPO: Default Domain Policy
Policy: MaximumPasswordAge
Computer Setting: 42
GPO: Default Domain Policy
Policy: MinimumPasswordAge
Computer Setting: N/A
GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: N/A
GPO: Default Domain Policy
Policy: PasswordHistorySize
Computer Setting: 1
GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: N/A
Audit Policy
N/A
User Rights
N/A
Security Options
GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ForceLogoffWhenHourExpire
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: RequireLogonToChangePassword
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: NewAdministratorName
Computer Setting: Enabled
N/A
Event Log Settings
N/A
Restricted Groups
N/A
System Services
N/A
Registry Settings
N/A
File System Settings
N/A
Public Key Policies
N/A
Administrative Templates
GPO: Local Group Policy
KeyName: Software\Policies\Microsoft\Windows\ScPnp\EnableScP
nP
Value: 0, 0, 0, 0
State: Enabled
USER SETTINGS
CN=*******,OU=Users,OU=Corporate,OU=***,DC=***,DC=com
Last time Group Policy was applied: 2/12/2015 at 1:33:14 PM
Group Policy was applied from: ***.***.Com
Group Policy slow link threshold: 500 kbps
Domain Name: ***
Domain Type: Windows 2000
Applied Group Policy Objects
Default Domain Policy
The following GPOs were not applied because they were filtered out
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
The user has the following security privileges
Bypass traverse checking
Manage auditing and security log
Back up files and directories
Restore files and directories
Change the system time
Shut down the system
Force shutdown from a remote system
Take ownership of files or other objects
Debug programs
Modify firmware environment values
Profile system performance
Profile single process
Increase scheduling priority
Load and unload device drivers
Create a pagefile
Adjust memory quotas for a process
Remove computer from docking station
Perform volume maintenance tasks
Impersonate a client after authentication
Create global objects
Change the time zone
Create symbolic links
Increase a process working set
Resultant Set Of Policies for User
Software Installations
N/A
Logon Scripts
N/A
Logoff Scripts
N/A
Public Key Policies
N/A
Administrative Templates
N/A
Folder Redirection
N/A
Internet Explorer Browser User Interface
N/A
Internet Explorer Connection
N/A
Internet Explorer URLs
N/A
Internet Explorer Security
N/A
Internet Explorer Programs
N/A -
Group Policy Pref - Mapped Drives Not Applying to One User
Hi All,
I’m new to this list, so please excuse any etiquette slip ups.
I have three users at a site. All their machines are running Windows XP Service Pack 3 and have client side extensions installed. I created a group policy to map their default drives using GP User Preferences.
Each of the drives is set to "update".
As an example of the policy created XML is as follows:
<Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="H:" status="H:"
image="2" changed="2009-11-25 05:13:58"
uid="{8A44D2F4-AAE5-4F43-AEEC-D36F08EA619C}" desc="Maps the users H drive to
ServerName\users$\%username%" bypassErrors="1"><Properties action="U"
thisDrive="NOCHANGE" allDrives="NOCHANGE" userName=""
path="\\ServerName\users$\%username%" label="Home (ServerName)"
persistent="1" useLetter="1" letter="H"/></Drive>
and
<Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="J:" status="J:"
image="0" changed="2009-11-30 03:52:58"
uid="{535CD462-A45D-4363-ADA1-2316D5ECC703}" desc="Maps J drive for users to
\\ServerName\apps" bypassErrors="1"><Properties action="C"
thisDrive="NOCHANGE" allDrives="NOCHANGE" userName=""
path="\\ServerName\Apps" label="Apps (ServerName)" persistent="1"
useLetter="1" letter="J"/></Drive>
The group policy is applied to an OU for that site.
All three users are in the same OU.
All three users are also in the same “xxsitecode Users” group.
2 of the users log into their pc and get the mapped drives with no issue, but one user doesn’t.
There are no other login scripts and the user has no manually mapped drives.
He does have a H drive mapped using the profile field in his AD object as a temp measure. But every 90 mins any other manually mapped drives are removed by the policy.
We don’t use roaming profiles
To trouble shoot I have tried
- Reinstalling client side extensions
- Re-joining the pc to the domain
- Running gpupdate from the command prompt to see if any event logs are generated (none are)
- Manually mapping the drives to make sure there is network access etc – I can manually map them/he can access them.
- Creating the user a new account, when he logs in using that account he gets his mapped drives on all PC’s
- Getting the user to log into a different pc, when he does this he doesn’t get his drives – so it’s not his machine or profile
- Manually checking the security on the user object in AD against one of the users who gets their drives mapped
I'm sure the GP is fine because it works for two other users and the testing isolates his user account as the issue.
The Policy I’m having issues with is xxxx Mapped Drives/ Printers
I have posted this issue on the tech net GP discussion groups page, but haven’t had any replies.
Any suggestions would be appreciated.
SimoneWhat's interesting is that I applied a new GP to users - it has one policy setting and one preferences setting. He only gets the policy setting.. aka he gets the wallpaper but not the homepage.
Also, Jorke asked me to post the gpresult /z .
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 10/02/2010 at 2:19:34 PM
RSOP results for DOMAIN\USER on MACHINENAME : Logging Mode
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: DOMAIN
Domain Type: Windows 2000
Site Name: SITECODE
Roaming Profile:
Local Profile: C:\Documents and Settings\USER.DOMAIN
Connected over a slow link?: No
COMPUTER SETTINGS
CN=MACHINENAME,OU=Laptops,OU=SITECODE,DC=DOMAIN,DC=com,DC=au
Last time Group Policy was applied: 10/02/2010 at 1:06:38 PM
Group Policy was applied from: XXXXXADC.DOMAIN.com.au
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
Allow Remote Assistance
au-mdwsus
Default Domain Policy
Legal Notice
Proxy Settings
Logon as service, operating system
AU-WSUS
Desktop Background & Home Page
Reg Permissions for default desktop
Local Admin & Local Power Users
The following GPOs were not applied because they were filtered out
SITECODE Mapped Drives/ Printers
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
AVD Rollout
Filtering: Disabled (GPO)
The computer is a part of the following security groups:
BUILTIN\Administrators
Everyone
Debugger Users
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
MACHINENAME$
Domain Computers
CERTSVC_DCOM_ACCESS
Resultant Set Of Policies for Computer:
Software Installations
N/A
Startup Scripts
GPO: Desktop Background & Home Page
Name: image.bat
Parameters:
LastExecuted: 7:55:34 PM
Name: swiftdesktop.vbs
Parameters:
LastExecuted: 7:55:35 PM
Shutdown Scripts
N/A
Account Policies
Audit Policy
User Rights
Security Options
Event Log Settings
Restricted Groups
System Services
Registry Settings
File System Settings
Public Key Policies
N/A
Administrative Templates
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: au-mdwsus
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: au-mdwsus
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\CurrentVersion\Winlogon
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: au-mdwsus
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: Desktop Background & Home Page
Setting: Software\Policies\Microsoft\Internet Explorer\Security
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: au-mdwsus
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
State: Enabled
GPO: AU-WSUS
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
State: Enabled
GPO: au-mdwsus
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List
State: Enabled
GPO: Allow Remote Assistance
Setting: Software\policies\Microsoft\Windows NT\Terminal Services
State: Enabled
USER SETTINGS
CN=Matthew Luhrs,OU=Users,OU=SITECODE,DC=DOMAIN,DC=com,DC=au
Last time Group Policy was applied: 10/02/2010 at 1:54:53 PM
Group Policy was applied from: XXXXXADC.DOMAIN.com.au
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
Allow Remote Assistance
**** SITECODE Mapped Drives/ Printers - has Gp Pref's that should apply
Default Domain Policy
Proxy Settings
**** Desktop Background & Home Page - has Gp Pref's that should apply
Local Admin & Local Power Users
The following GPOs were not applied because they were filtered out
AU-WSUS
Filtering: Not Applied (Empty)
Legal Notice
Filtering: Disabled (GPO)
Reg Permissions for default desktop
Filtering: Not Applied (Empty)
Logon as service, operating system
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
au-mdwsus
Filtering: Not Applied (Empty)
AVD Rollout
Filtering: Disabled (GPO)
The user is a part of the following security groups:
Domain Users
Everyone
Offer Remote Assistance Helpers
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
Computer Account Operators
Internet Users
SITECODE Users
DOMAIN-Public Folders Administrators
All Email Users
DOMAINSWIFTEMAIL
Domain Admins
Offer Remote Assistance Helpers
WSUS Administrators
DHCP Administrators
CERTSVC_DCOM_ACCESS
Resultant Set Of Policies for User:
Software Installations
N/A
Public Key Policies
N/A
Administrative Templates
N/A
Folder Redirection
N/A
Internet Explorer Browser User Interface
GPO: Proxy Settings
Large Animated Bitmap Name: N/A
Large Custom Logo Bitmap Name: N/A
Title BarText: N/A
UserAgent Text: N/A
Delete existing toolbar buttons: No
Internet Explorer Connection
HTTP Proxy Server: Proxy:port
Secure Proxy Server: Proxy:port
FTP Proxy Server: Proxy:port
Gopher Proxy Server: Proxy:port
Socks Proxy Server: Proxy:port
Auto Config Enable: Yes
Enable Proxy: Yes
Use same Proxy: Yes
Internet Explorer URLs
GPO: Proxy Settings
Home page URL: N/A
Search page URL: N/A
Online support page URL: N/A
Internet Explorer Security
Always Viewable Sites: N/A
Password Override Enabled: False
GPO: Proxy Settings
Import the current Content Ratings Settings: No
Import the current Security Zones Settings: No
Import current Authenticode Security Information: No
Enable trusted publisher lockdown: No
Internet Explorer Programs
GPO: Proxy Settings
Import the current Program Settings: No -
User group policy turns "display last user" to "ON"
Hello to all,
I distribute a simple local user group policy to turn off the "Action Center" at the System tray.
Every time I do this, the "last...Search policy includes groups.
User is only in one group.
Still the same problem.
The tree is very simple, one O and one OU. All policies and users are in
the OU.
Ian
"Ian Russell" <[email protected]> wrote in message
news:hn_Tc.3065$[email protected]..
> Hi Craig,
>
> I will check that out. It may be the multiple group membership that is
> causing the problem....
>
> "Craig Wilson" <[email protected]> wrote in message
> news:[email protected]..
> > 1) Check to make sure you have a search policy defined and that search
> policy
> > includes groups.
> >
> > 2) Make sure that ONE and only ONE group a user is assigned to has a
> policy
> > assigned. Multiple Group Memberships that contain policies will result
in
> > seemingly random results. Due to the complex nature of events when
users
> belong
> > to multiple groups that contain policies, Novell actually recommends
> against the
> > use of policies for groups. It can be done, but just be sure the limit
is
> > maintained.
> >
> > Ian Russell wrote:
> >
> > > Hi,
> > > I have ZfD3.2 (SP3) on a NW 6.0 (SP5) server. The user group policy
does
> not
> > > get applied to members of a NetWare group. If I apply it to a user
> object it
> > > works.
> > > Any ideas?
> > > Ian
> >
> > --
> > Craig Wilson
> > CNE3, 4, 5 - MCSE - CCNA
> > NSC Sysop (http://support.novell.com/forums/)
> >
> > Tech Writer - http://www.ithowto.com
> > (I Peter 4:10)
> >
> >
>
> -
Unable to make changes to LAN Settings in IE after Group Policy Preference is applied
Hi all,
I have an IE10 group policy preference on a Server 2008 R2 domain that is pushed out to Windows 7 SP1 x64 clients. This IE10 GPP is used to push out proxy settings etc. The GPP is applied fine, however when I go into LAN Settings in IE and make any
changes such as unchecking "Use a proxy server..." these changes are not saved. As soon as I click OK and go back into LAN Settings it reverts back to the GPP settings. Are IE10 GPP's meant to allow a user to amend settings in IE? The users have
permissions to write to the Connections key under Internet Settings in the registry. If I delete the Connections key (Which includes DefaultConnectionSettings and SavedLegacySettings) I can then make changes to the proxy (Although without the original settings).
I know their are other, and better, methods of controlling proxy settings for users but unfortunately this is the way the customer has it implemented. All defaults for GP is applied such as refresh rate etc. I've tested IE10 on a Server 2012 R2 / Win8 environment
with the exact same GPP settings and I can make changes to the LAN Settings. Is this possibly a bug? Any help would be appreciated.
Thanks.Hi,
So by now we could make it work by deleting the Connections key, in order to change the proxy settings of IE 10-Windows 7 in the Windows Server 2008 R2 environment?
Besides, could it be convenient for us to perform some more tests here? How IE 10 of Windows 7 behaves in Server 2012 R2 environment? And Windows 8 in Server 2008 R2?
Best regards
Michael
Michael Shao
TechNet Community Support -
Hide Display Settings not applied in User GPO
Hello,
I am trying to hide the display settings via a GPO so folks can't change the resolution. I set the "Disable the Display Control Panel" setting to enable, but users can still go to the Control Panel and change the display settings. Other parts of
the GPO are applying, like the Ctrl+Alt+Del settings. The GPO has the loopback function set to replace. From my understanding, that should force all user settings in that GPO on everyone who logs into the computer, whether they are in that OU or not.
Some settings apply, just not the Display settings. Is there something else I have to enable to get that working?
Thanks
Jason Watkins MCSE, MCSA, MCDBA, CCNAHi Jason,
It's been a while. How is it going? If it still doesn't work out, we can run command
gpresult/h report.html to collect group policy result to check this. Note: to collect computer part group policy settings, we need to run the command with administrative privileges.
In addition, regarding troubleshooting group policy issues, the following thread can be referred to as reference.
[Forum FAQ] Common steps to start troubleshooting Group Policy application issues
https://social.technet.microsoft.com/Forums/windowsserver/en-US/382c97e8-93c8-4022-b8fe-22401037d14c/forum-faq-common-steps-to-start-troubleshooting-group-policy-application-issues?forum=winserverGP
Best regards,
Frank Shen
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
New to the Apple and I want to set up a user account that will not delete the guest users files and allow and preserve their personal settings after log out. Is this possible?
The built-in guest user account will not do this. Simply create a new standard account and call it "Guest" or "Guest Users" or whatever you like.
Go to System Preferences > Users& Groups, click "+" to make a new account. -
OU Group Policy over-riding User Group Policy
I'm using ZfD 4.01 ir7 and have a restrictive Group Policy applied at the
OU level. I've created a less restrictive Group Policy and assigned it to
a user within the above mentioned OU but the settings are not
taking...the OU Group Policy is over-riding the user Group Policy. The
appropriate rights have been assigned and this configuration is working
for other users/OUs in the tree. I've run a dsrepair against this
partition and no errors were reported.
Any suggestions to resolve this would be greatly appreciated.
RyanPaulr,
It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
- Check all of the other support tools and options available at http://support.novell.com in both the "free product support" and "paid product support" drop down boxes.
- You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://support.novell.com/forums)
If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/ -
Print preferences do not apply to CRM users
When Print Preferences are set for a document type (for example, print 2 copies on Add), they are applied to Professional users, but not to CRM users. While it seems reasonable to restrict CRM users from changing the print preferences, these are meant to be company-wide defaults and should apply to all users. I have verified with SAP support that CRM users are not affected by settings in the print preferences. We are currently using a work-around of setting the preferences in User Defaults for these users, but it is time-consuming and could be neglected when adding a new user. There is no reason why system defaults should not apply to CRM users.
Hi,
I agree with Meinolf. Besides, we can try to configure this setting under Computer Configuration and apply the GPO to the terminal server, in which way all users logging onto
the server will apply the setting.
Regarding how to add trusted sites, the following article can be referred to as reference.
How to configure Internet Explorer security zone sites using group polices
http://blogs.msdn.com/b/askie/archive/2012/06/05/how-to-configure-internet-explorer-security-zone-sites-using-group-polices.aspx
Best regards,
Frank Shen -
Backup & Restore non-administrators Group Policy Settings
Hi,
I'm trying to setup a few reference images of Windows 7 which will be deployed to our client computers. The baseline Group Policies are configured through Local Group Policies set in the image. I've setup a Master GPO machine on which to build the policies
and test them.
The Local Group Policies have been set for Local Computer Configuration, Local User Configuration and for Local Non-Administrators Configuration. The thinking is that members of the local Administrators group on the computer are unrestricted and still have
the ability to do most things. Users which log onto the computer abide by the more restrictive Non-Administrators Group Policy settings.
Using the "LocalGPO.wsf" script I'm able to backup and restore Computer and User Configuration which affects all users of the machine but it does not backup the Non-Administrators Policies. Is this possible?
After some digging around in the "GPOPack.wsf" files I've found that the Machine & All Users Policies are restored by the "LocalPol.exe" file. This utility has command line switches for '-m' machine and '-u' user. So I'm guessing
that it's not possible to restore the Non-Administrators Policies?
For what it was worth I've tried copying the "Registry.pol" file from "%windir%\System32\GroupPolicyUsers\S-1-5-32-545\User" folder on the GPO Master machine and placed the file in the same location on target computer. A test which had
one value set worked on the reference computer but when the policies were copied form the GPO Master machine, the target computer ignored all the settings.
Any ideas how to backup/restore Local Machine Non-Administrator Group Polices?
Thanks!Not entirely sure of the specific policies you're dealing with, but you would typically use the Microsoft Security Compliance Manager to create GPO packs that you would then apply using the Apply Local GPO Package task sequence step in MDT.
I'd encourage you to look over the Applying Group Policy Object Packs section of the
Using the Microsoft Deployment Toolkit.docx file in the MDT 2013 documentation for more details.
MDT 2013 documentation can be downloaded here: LINK -
Cases in which Domain Group Policy settings would be reverted to default settings on a Win7 client
Hi - I'm sure this info is out there somewhere, but I'm having a hard time finding it. Basically, I'm trying to identify the cases in which settings deployed via Domain Group Policy on 2008R2/Win7SP1 would get reverted back to "default settings"
on a Win7SP1 client that is still a member of the domain, and is in a proper OU, properly targeted, WMI filters should still evaluate true, etc...
For instance, it appears that if machine-level registry settings contained within a LocalGPO file on a client get corrupted (C:\Windows\System32\GroupPolicy\Machine\registry.pol), all of those settings, plus all machine level administrative template settings
defined in Domain Group Policy, get reverted to default settings (corresponds with Event ID 1096 in System Event Log where it references "LocalGPO"). I have not confirmed if this is the case for machine level settings defined outside of administrative
templates in Domain Group Policy, or for any user level settings though. (But I suspect not.)
When a workstation is unable to talk to a Domain Controller in order to identify applicable Domain Group Policy settings (for instance, this issue:
http://support.microsoft.com/kb/2421599/en-us), do administrative templates Domain Group Policy settings revert to defaults up until the next successful processing interval? I don't believe
so, but would like confirmation.
Are there any other cases in which Domain Group Policy settings for a client still joined to the Domain would be reverted to defaults?
And when a client is unjoined from the Domain, what Domain Group Policy settings would remain on the client? I understand that some Domain Group Policy settings outside of administrative templates are "tattooed" to the registry. Does
anyone know of a full list of these settings? I believe that most or all of the ones in Windows Settings\Security Settings are tattooed, and the only way to get these settings removed is to explicitly change them via registry edit or LocalGPO/Local Security
Policy, after unjoining the domain.
Any info/insight/links to other doc/etc would be much appreciated!Hi Shaun,
>>If a client cannot talk to a domain controller at all, admin template settings still stay in-place on the client, correct?
As far as I know, it's not this case. If a client can't communicate with domain controllers, it means that the GPOs applied to the client are out of scope. As suggested by
the article I provided, for native policy, "when a Group Policy object (GPO) goes out of scope, the policy setting is removed allowing the original configuration value to be used."
>>What if a client looses network connectivity while reading Domain GPO?
Group policy will be get updated when computers start up and users log on. Besides, for workstations, group policy will get refreshed at background with by default an interval
of 90 minutes. As long as workstations can restore network connectivity, the group policy settings will get updated.
>>Are there any other failure cases like this where some or all Group Policy settings (admin template or other areas) would get reverted?
There are many reasons which can cause GP malfunction. However, Windows itself provides necessary tools for troubleshooting various issues. When GP malfunctions, we can check
Event Viewer, collect group policy result, or generate group policy log to troubleshoot.
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best regards,
Frank Shen
Maybe you are looking for
-
Value Mapping Tables are not updated in RWB cache
Hi Friends, I am doing value mapping replication from SAP. I am following /people/sreekanth.babu2/blog/2005/02/23/value-mapping-replication 1) I didnt changed ABAP proxy of ValueMappingReplicationOut in SAP system. is anything to... its already in Ac
-
Export JPEG quality must be chosen twice
Mac OS X, Lightroom 1.4.1: In Library mode, choose export, choose JPEG and quality. Then photo is opened in Photoshop and once again you have to choose jpeg quality. OK with only a few photos, but tiresome when exporting many. Is it possible only hav
-
My Black Berry Desk Top Manager doesn't work on my computer help!
On March 6 I took my BlackBerry® Style™ 9670 smartphone in for software issues after tech support did a hard reset on the device. I went home to back up my information and was unsuccessful. The connection failed this is the first time that the desk
-
Updated my 2008 MacBook pro to Mavericks.Lost some programs that won't run on Mavericks. One being Tuneup for Mac. Used for housekeeping and cleaning up the machine. Can't figure out how run maintenance on drive w/o this. Seached for scheduled mai
-
Syncing a selection of contacts
When I connect my iPhone to my iMac to sync, a window pops up informing me that it'll add 14 new contacts, modify 3 and delete 12 contacts in my Address Book on my computer. How do I sync the 14 new contacts and the 3 modified ones but NOT delete the