Using WMI Filter to apply group policy to users on computers in a security group

Hello all,
I've got a bunch of computers that I want to apply some user side polices that affect all users that log on to these specific computers (they are used for exams).
Unfortunately it is company policy to have a flat OU structure and as such moving these computers into their own OU is out of the question. Which brings me to wanting to create a WMI filter to limit the policy to running on computers only within the security
group and then set the security filtering to "Authenticated Users". The policy will be linked to the all student computers OU where a few thousand machines sit, but will only apply to 20 or so machines (I know it's messy).
Anyway that brings me to my question, can someone point me in the right direction for how I would go about creating this WMI query?
Cheers

> I've got a bunch of computers that I want to apply some user side
> polices that affect all users that log on to these specific computers
> (they are used for exams).
That's what "Loopback" initially was designed for. Nowadays, we can use
some other tricks :)
http://evilgpo.blogspot.de/2012/02/loopback-demystified.html
http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))

Similar Messages

  • Event ID 1085 on DC - Failed to Apply the Group Policy Local Users and Groups Settings

    I have a domain with 2 DCs.  The primary DC is running Server 2012 and is raising Event ID 1085 every 10 minutes and 20 seconds.
    Windows failed to apply the Group Policy Local Users and Groups settings. Group Policy Local Users and Groups settings might have its own log file. Please click on the "More information" link.
    System
    - Provider
    [ Name] Microsoft-Windows-GroupPolicy
    [ Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
    EventID 1085
    Version 0
    Level 3
    Task 0
    Opcode 1
    Keywords 0x8000000000000000
    - TimeCreated
    [ SystemTime] 2014-10-20T20:09:03.706992400Z
    EventRecordID 130087
    - Correlation
    [ ActivityID] {FDDFB8C5-9ECF-41B9-B2B4-3AD0B345A37A}
    - Execution
    [ ProcessID] 1000
    [ ThreadID] 3280
    Channel System
    Computer SERVER.DOMAIN.NAME
    - Security
    [ UserID] S-1-5-18
    - EventData
    SupportInfo1 1
    SupportInfo2 4404
    ProcessingMode 0
    ProcessingTimeInMilliseconds 10343
    ErrorCode 183
    ErrorDescription Cannot create a file when that file already exists.
    DCName \\SERVER.DOMAIN.name
    ExtensionName Group Policy Local Users and Groups
    ExtensionId {17D89FEC-5C44-4972-B12D-241CAEF74509}
    Everything I look up for Event ID 1085 seems to be about a different cause.
    Any ideas?

    I enabled tracing on a domain gpo and I still get the error when running gpupdate /force .
    I'm also still getting Event 1085.  Here's the trace file.  I've anonymized the site/domain and the GUIDs.
    2014-10-21 11:16:54.003 [pid=0x3e8,tid=0xcd0] Entering ProcessGroupPolicyExLocUsAndGroups()
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] SOFTWARE\Policies\Microsoft\Windows\Group Policy\{GUID-1}
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] BackgroundPriorityLevel ( 0 )
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] DisableRSoP ( 0 )
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] LogLevel ( 2 )
    2014-10-21 11:16:54.018 [pid=0x3e8,tid=0xcd0] Command subsystem initialized. [SUCCEEDED(S_FALSE)]
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] Background priority set to 0 (Idle).
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ----- Parameters
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] CSE GUID : {GUID-1}
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] Flags : ( X ) GPO_INFO_FLAG_MACHINE - Apply machine policy rather than user policy
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( X ) GPO_INFO_FLAG_BACKGROUND - Background refresh of policy (ok to do slow stuff)
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_SLOWLINK - Policy is being applied across a slow link
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_VERBOSE - Verbose output to the eventlog
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_NOCHANGES - No changes were detected to the Group Policy Objects
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_LINKTRANSITION - A change in link speed was detected between previous policy application and current policy application
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_LOGRSOP_TRANSITION - A change in RSoP logging was detected between the application of the previous policy and the application of the current policy.
    2014-10-21 11:16:54.065 [pid=0x3e8,tid=0xcd0] ( X ) GPO_INFO_FLAG_FORCED_REFRESH - Forced Refresh is being applied. redo policies.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_SAFEMODE_BOOT - windows safe mode boot flag
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPO_INFO_FLAG_ASYNC_FOREGROUND - Asynchronous foreground refresh of policy
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Token (computer or user SID): S-1-5-18
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Abort Flag : Yes (0x313be090)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] HKey Root : Yes (0x80000002)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Deleted GPO List : No
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Changed GPO List : Yes
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Asynchronous Processing : Yes
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Status Callback : No (0x00000000)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] WMI namespace : Yes (0x32273740)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] RSoP Status : Yes (0x320cc7f4)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Planning Mode Site : (none)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Computer Target : No (0x00000000)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] User Target : No (0x00000000)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Calculated list relevance. [SUCCEEDED(S_FALSE)]
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ----- Changed - 0
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Options : ( ) GPO_FLAG_DISABLE - This GPO is disabled.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPO_FLAG_FORCE - Do not override the settings in this GPO with settings in a subsequent GPO.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Options (raw) : 0x00000000
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] Version : 19267878 (0x01260126)
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPC : LDAP://CN=Machine,CN={GUID-2},CN=Policies,CN=System,DC=SITE,DC=DOMAIN
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPT : \\SITE.DOMAIN\sysvol\SITE.DOMAIN\Policies\{GUID-2}\Machine
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPO Display Name : Default Domain Policy
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPO Name : {GUID-2}
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] GPO Link : ( ) GPLinkUnknown - No link information is available.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPLinkMachine - The GPO is linked to a computer (local or remote).
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPLinkSite - The GPO is linked to a site.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( X ) GPLinkDomain - The GPO is linked to a domain.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GPLinkOrganizationalUnit - The GPO is linked to an organizational unit.
    2014-10-21 11:16:54.081 [pid=0x3e8,tid=0xcd0] ( ) GP Link Error
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] lParam : 0x00000000
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Prev GPO : No
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Next GPO : Yes
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Extensions : [{00000000-0000-0000-0000-000000000000}{GUID-3}][{GUID-1}{GUID-3}][{GUID-4}{GUID-5}{GUID-6}{GUID-7}{GUID-8}][{GUID-9}{GUID-10}][{GUID-11}{GUID-5}{GUID-6}]
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] lParam2 : 0x3146f978
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Link : LDAP://DC=SITE,DC=DOMAIN
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Purge GPH : C:\ProgramData\Microsoft\Group Policy\History\{GUID-2}\Machine\Preferences\Groups\Groups.xml
    2014-10-21 11:16:54.096 [pid=0x3e8,tid=0xcd0] Read GPE XML data file (592 bytes total).
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ----- Changed - 1
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Options : ( ) GPO_FLAG_DISABLE - This GPO is disabled.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GPO_FLAG_FORCE - Do not override the settings in this GPO with settings in a subsequent GPO.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Options (raw) : 0x00000000
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Version : 1245203 (0x00130013)
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPC : LDAP://CN=Machine,CN={GUID-12},CN=Policies,CN=System,DC=SITE,DC=DOMAIN
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPT : \\SITE.DOMAIN\sysvol\SITE.DOMAIN\Policies\{GUID-12}\Machine
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPO Display Name : Default Domain Controllers Policy
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPO Name : {GUID-12}
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] GPO Link : ( ) GPLinkUnknown - No link information is available.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GPLinkMachine - The GPO is linked to a computer (local or remote).
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GPLinkSite - The GPO is linked to a site.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GPLinkDomain - The GPO is linked to a domain.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( X ) GPLinkOrganizationalUnit - The GPO is linked to an organizational unit.
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] ( ) GP Link Error
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] lParam : 0x00000000
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Prev GPO : Yes
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Next GPO : No
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Extensions : [{00000000-0000-0000-0000-000000000000}{GUID-3}][{GUID-1}{GUID-3}][{GUID-9}{GUID-10}]
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] lParam2 : 0x324e8198
    2014-10-21 11:16:54.112 [pid=0x3e8,tid=0xcd0] Link : LDAP://OU=Domain Controllers,DC=SITE,DC=DOMAIN
    2014-10-21 11:16:54.127 [pid=0x3e8,tid=0xcd0] Purge GPH : C:\ProgramData\Microsoft\Group Policy\History\{GUID-12}\Machine\Preferences\Groups\Groups.xml
    2014-10-21 11:16:54.127 [pid=0x3e8,tid=0xcd0] Read GPE XML data file (592 bytes total).
    2014-10-21 11:16:54.143 [pid=0x3e8,tid=0xcd0] Completed get next GPO. [SUCCEEDED(S_FALSE)]
    2014-10-21 11:16:54.143 [pid=0x3e8,tid=0xcd0] WQL : SELECT * FROM RSOP_PolmkrSetting WHERE polmkrBaseCseGuid = "{GUID-1}"
    2014-10-21 11:16:54.143 [pid=0x3e8,tid=0xcd0] Purged 2 old RSoP entries.
    2014-10-21 11:16:54.143 [pid=0x3e8,tid=0xcd0] Logging 2 new RSoP entries.
    2014-10-21 11:16:54.159 [pid=0x3e8,tid=0xcd0] RSoP Entry 0
    2014-10-21 11:16:54.174 [pid=0x3e8,tid=0xcd0] RSoP Entry 1
    2014-10-21 11:16:54.174 [pid=0x3e8,tid=0xcd0] Completed get GPO list. [SUCCEEDED(S_FALSE)]
    2014-10-21 11:16:54.174 [pid=0x3e8,tid=0xcd0] IsRsopPlanningMode() [SUCCEEDED(S_FALSE)]
    2014-10-21 11:17:04.252 [pid=0x3e8,tid=0xcd0] Completed settings update (csePostProcess). [ hr = 0x800700b7 "Cannot create a file when that file already exists." ]
    2014-10-21 11:17:04.252 [pid=0x3e8,tid=0xcd0] Completed CSE post-processing. [ hr = 0x800700b7 "Cannot create a file when that file already exists." ]
    2014-10-21 11:17:04.267 [pid=0x3e8,tid=0xcd0] Leaving ProcessGroupPolicyExLocUsAndGroups() returned 0x000000b7

  • Configuring group policy for user profiles in Windows Server 2012 R2 Domain

    Requesting some experts advise on configuring group policy for user profiles.
    We will be building new Windows Server 2012 R2 Domain Controllers (Domain of 400 users).
    The settings which I am concerned:
    1. Folder Redirection: Desktop, Documents, Favorites.
    2. Quota for Folder Redirection - 1 GB per user.
    3. Map a networked drive - 1 GB per user.
    4. Roaming profile - (Will ignore if it does not suit our requirement). 
    The question is how outlook profile will be retained / automatically moved if the users move from once computer to other?
    FYI, E-mails hosted on MS Office365 and OST file size of few users more than 25GB. So, in case the user moves from one computer to other, the entire mailbox will be downloaded via internet. This consumes high bandwidth if more than 3-4 users shift per day.
    Thanks a lot for your valuable time and efforts.

    Hi,
    >>The question is how outlook profile will be retained / automatically moved if the users move from once computer to other?
    This depends on where our outlook data files are stored. If these data files are stored under
    drive:\Users\<username>\AppData\Local, then these files can’t be redirected, for folder redirection can’t redirect appdata local or locallow.
    However, regarding your question, we can refer to the following thread to find the solution.
    Roam outlook profiles without roaming profiles
    http://social.technet.microsoft.com/Forums/office/en-US/3908b8e0-8f44-4a34-8eb5-5a024df3463e/roam-outlook-profiles-without-roaming-profiles
    In addition, regarding how to configure folder redirection, the following article can be referred to for more information.
    Configuring Folder Redirection
    http://technet.microsoft.com/library/cc786749.aspx
    Hope it helps.
    Best regards,
    Frank Shen

  • Exclude individual computers from a GPO using WMI Filter

    I understand I can use security settings to Deny Apply Group Policy to certain users thus excluding them from a GPO, but I'm wondering if I can use a WMI filter to exclude certain computers from a GPO that contains only Computer Configuration policies.
    Root\CimV2; select Name from Win32_ComputerSystem where (Name <> "COMPNAME")
    This would evaluate to True on all except the COMPNAME computer and therefore should exclude the COMPNAME computer.  Could this be expanded to exclude a second computer with: Or Name <> "COMP2" ?
    Is this correct?  Has anyone else gotten this to work?

    Am 16.09.2014 um 21:20 schrieb john1519:
    > Root\CimV2; select Name from Win32_ComputerSystem where (Name <> "COMPNAME")
    select Name from Win32_ComputerSystem where (Name <> "COMPNAME1" and
    Name <> "COMPNAME2" [...])
    Martin
    Mal ein
    GUTES Buch über GPOs lesen?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • How can I deploy EFS using Group Policy and automatically encrypt computers for ALL users who login?

    How can I deploy EFS using Group Policy and Active Directory with a goal to automatically encrypt computers for ALL users who login? (NOT an option for me to use BitLocker)
    I was asked to deploy EFS to encrypt the user my documents folder and profile on all of the users laptops. The laptops are in common areas (board meeting rooms, etc) and security of files is a must.
    I successfully created a recovery certificate in AD. I created an OU and setup an EFS policy and users can now login and select to encrypt their own files. The issue is that management would like to have automaticy Encrypt ALL users my documents AUTOMATICALLY
    when a user login.
    Can this be done?
    Please help

    Hi,
    Any update?
    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
    Best Regards,
    Andy Qi
    TechNet Subscriber Support
    If you are
    TechNet Subscription user and have any feedback on our support quality, please send your feedback
    here.
    Andy Qi
    TechNet Community Support

  • Best Practice: Deploying Group Policy to Users on different OUs

    Greetings, everyone! I am needing some advice on how to deploy some group policy objects to specific users stored on different OUs.
    Let me set the stage: I work for a large school district, and have recently taken over the district's career center. The idea behind the career center is that students from different high schools around the city come in to take classes based on their choice
    of career, such as radio broadcasting or auto mechanic and such. The AD structure is set up so that each school has their own OU.  When a user (staff, student, etc.) is assigned to a school OU, they automatically are added to
    their school's security group (i.e. EASTHIGH-STUDENT), and that when any user moves from one school to another, we have to move their AD account to that school's OU, which will remove the security group from the old school and apply the new school
    security group.
    For the career center, since we have students coming from different buildings every day, rather than trying to find a way to move their AD account from their high school OU to the career center OU, the previous techs created generic accounts (such as tv001,
    tv002, etc.) in AD and stored them in the career center OU.  This way, teachers can assign students that particular generic account so that they can access the drives and printers from the career center, as well as access the career center network
    drives while they are at their home high school.
    Since I have moved to the career center, and apparently I have more knowledge about group policy than most of the techs in the district, the district system engineers want me to remove all of the generic accounts from the career center OU, and have students
    use their own AD accounts.  Obviously I also want to do this since the generic accounts are very confusing to me, but I'm trying to figure out the best way to do this.
    For simplicity sake, I'm just going to start off by figuring out how to set up a group policy for mapping the career center drives.  Now, I obviously know that the best way would be to create security groups for each career area, and that we would need
    to add students to those groups so that only those particular students would get the GPO for the career center, but my question is where would I like the group policies to?  Do I need to link it at the root of the domain so that every OU is hit? 
    Just curious about this.
    Thanks!

    Don't link it to the root.... apply the drive mapping as a policy at the OU or you could apply the drive mapping using Group Policy Preferences using security group targeting... .I would also strongly recommend you check out my articles
    Best Practice: Active Directory Structure Guidelines
    – Part 1
    Best Practice: Group Policy Design Guidelines – Part 2
    Hope it helps...

  • Event 4098, Group Policy Local Users and Groups

    Hello,
    A few of our computers on the network are not replacing the local "Administrator (built-in)"account with our administrator account we set up through Group Policy. I recieve the follow error message from the Applicaiton Logs. I'm
    not sure if this error is a PC issue instead of a Group Policy issue, because Group Policy seems to be working fine on our other PCs. Any suggestions/ideas would be helpful. Thank you.
    Error message: The computer "Administrators (built-in) preference item in the "Security Policies {CD8199AF-99A8-41F8-8D28-C92DD9C57A51}" Group Policy object did not apply because it failed with error code '0x80070526 The specified group policy
    already exists.' This error was suppressed.

    Hi,
    It seems that you have configured this security policy already, you can try run GPupdate /force command and then check if all security policies are applied in your computer:
    Resultant Set of Policy
    http://technet.microsoft.com/en-us/library/cc772175.aspx
    you can use this command to retrieve the specific group policy:
    http://technet.microsoft.com/en-us/library/ee461059.aspx
    If you have any feedback on our support, please click
    here
    Alex Zhao
    TechNet Community Support

  • How to disable via Group Policy - "Any user who has a password doesn't need to enter it when waking this PC"

    The setting can be found in the following location:
    From the “Charm” bar, Settings>Change PC Settings>Users>Sign-in Options> click the “Change” button next to “Any user who has a password must enter it when waking this PC”.
    I am looking to disable this option via Group Policy on our domain, but am unable to find a default policy related to this setting.  I am searching Group Policy on a Server 2012 machine, and in local Group Policy in Windows 8, but have found nothing. 
    Hoping I'm just missing the location of this and someone can point me to the right place.
    Regards,
    -BN

    There is no specific policy for this item. Please set “Require a password on wakeup” policy instead.
    Niki Han
    TechNet Community Support
    I'm using Windows Server 2012 R2, and I can't find the above quoted policy, and don't know where to anymore where to look. I searched for "Require a password when the computer wakes up", but it took me to the "Define Power Buttons and Turn On
    Password Protection" page of System Settings, but there's NOTHING there except the "When I press the power button".  I really want to stop having to enter a password every time I wake up the monitor screen.
    Capt. Dinosaur

  • Processing of Group Policy failed - User Policy - Windows 7

    OP:
    http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/191f1ee1-a551-446b-9808-ff66a952bb25
    When running a gpupdate I get the following message:
    Updating Policy...
    User policy could not be updated successfully. The following errors were encount
    ered:
    The processing of Group Policy failed. Windows could not authenticate to the Act
    ive Directory service on a domain controller. (LDAP Bind function call failed).
    Look in the details tab for error code and description.
    Computer Policy update has completed successfully.
    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
    rom the command line to access information about Group Policy results.
    This only happens on one computer under a certain account; other accounts work fine and the problem account works fine on other computers. Therefore the problem is located on the Windows 7 computer.
    I have tracked it down to an LDAP error code 49. 
    I tried the MS sollution (http://technet.microsoft.com/en-us/library/cc727283(v=ws.10).aspx) but the credentials are sound.
    I can also connect to the DC with LDP.exe fine. 
    Here are the diagnostic read outs (GPResult was too long to post):
    Log Name:      System
    Source:        Microsoft-Windows-GroupPolicy
    Date:          2/29/2012 1:56:09 PM
    Event ID:      1006
    Task Category: None
    Level:         Error
    Keywords:     
    User:          Domain\UserAccount
    Computer:      Win7-ComputerA.FQDomain
    Description:
    The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
        <EventID>1006</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>1</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2012-02-29T19:56:09.732842600Z" />
        <EventRecordID>32458</EventRecordID>
        <Correlation ActivityID="{CECE6DDC-E7CC-4563-8109-E62382F645D4}" />
        <Execution ProcessID="984" ThreadID="3688" />
        <Channel>System</Channel>
        <Computer>Win7-ComputerA.FQDomain</Computer>
        <Security UserID="S-1-5-21-416373151-1271962822-2142307910-40105" />
      </System>
      <EventData>
        <Data Name="SupportInfo1">1</Data>
        <Data Name="SupportInfo2">5012</Data>
        <Data Name="ProcessingMode">0</Data>
        <Data Name="ProcessingTimeInMilliseconds">1326</Data>
        <Data Name="ErrorCode">49</Data>
        <Data Name="ErrorDescription">Invalid Credentials</Data>
        <Data Name="DCName">
        </Data>
      </EventData>
    </Event>
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : WIN7-ComputerA
       Primary Dns Suffix  . . . . . . . : FQDomain
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : FQDomain
                                           ParentDomain
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . : FQDomain
       Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connecti
    on
       Physical Address. . . . . . . . . : 00-21-CC-5F-CF-DF
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 216.71.244.28(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Wednesday, February 29, 2012 12:38:25 PM
       Lease Expires . . . . . . . . . . : Thursday, March 01, 2012 12:38:24 PM
       Default Gateway . . . . . . . . . : 216.71.244.1
       DHCP Server . . . . . . . . . . . : 216.71.244.2
       DNS Servers . . . . . . . . . . . : 216.71.244.2
                                           216.71.240.120
                                           216.71.240.132
       Primary WINS Server . . . . . . . : 216.71.244.2
       Secondary WINS Server . . . . . . : 216.71.240.130
                                           216.71.240.122
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Wireless LAN adapter Wireless Network Connection:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) WiFi Link 1000 BGN
       Physical Address. . . . . . . . . : 8C-A9-82-B0-67-E8
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Hi,
    It sound like port blocking issue, Seems your client system connecting 216.71.240.x DNS Servers as a logon server and which seems on different subnet
    as per subnet mask, So there must be a router or firewall in between and so it might be Active directory ports are being blocked.
    So first for testing purpose just remove other
    216.71.240.x DNS
    servers from TCP/IP configuration and clear dns cache
    ipconfig/flushdns
    and restart the system. check if it works.
    or run this command on DC
    dcdiag /test:dns
    and share the error report.
    Cheers!
    Sanjay

  • Group Policy Prevent users to access DNS

    Hello
    I have a problem with DNS in windows 2008R2. there is a policy prevent DNS resolving name to IP and I can ping any computer by IP put I cannot ping it by name although when I use "nslookup" on cmd the computer can see DNS server. Another problem I
    can join Computer to domain put when I want to add a domain user to local admin group the computer cannot see the domain and user show as s-1-5-21 if I could  add user.I don't know the policy and how to delete it.

    thank's alot for your replaying. 
    But when any computer is in work group I can ping any computer on the domain using host name and IP . when I joined the computer to domain I can ping computers by Ip but when I ping it using host name I get this message
    "Ping request could not find host ............. Please check the name and try again"    
    thank's
    some thoughts...
    check: System Properties > Computer Name > Change > More >
    Primary DNS Suffix of this computer
    Change primary DNS suffix when domain membership changes
    http://technet.microsoft.com/en-us/library/cc794784(v=ws.10).aspx
    also
    http://gpsearch.azurewebsites.net/Default.aspx?PolicyID=203
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • Adding group policy to non domain computers

    is it possible to add gpo's to computers that are not in the domain..we have some "client" computer that only our customers use and we want to have more security to those computers..what is the best way to accomplish this

    > have more security to those computers..what is the best way to
    > accomplish this
    Download security compliance manager, it has the option to create a
    "local GPO" package that will be installed through a script:
    http://technet.microsoft.com/library/cc677002.aspx
    Martin
    Mal ein
    GUTES Buch über GPOs lesen?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Run Script Once through Group for All users

    Hello Everyone,
    We have 4 forests with one domain each having forest trusts. I want to run a script only once on all the windows 7 machines in all the domains.
    I have created the script and saved it in the .bat. how can i go ahead and do this.
    Need your help.
    Thanks in Advance

    Hello Everyone,
    We have 4 forests with one domain each having forest trusts. I want to run a script only once on all the windows 7 machines in all the domains.
    You need to apply your script 4 times since you have 4 domains. Just use WMI filters to apply the GPO on Windows 7 machines only. 
    Filtering Group Policy to Windows 7 Computers
    Mahdi Tehrani   |  
      |  
    www.mahditehrani.ir
    Please click on Propose As Answer or to mark this post as
    and helpful for other people.
    This posting is provided AS-IS with no warranties, and confers no rights.
    How to query members of 'Local Administrators' group in all computers?

  • Security Group Creation in Specific OU and Create Network Share For the Security Group

    Hi,
    We would really want to create a PowerShell script that creates a specific Security Group within a selected Organisation Unit.
    Brief Scenario;
    We have created several Organisation Units. Each Organisation Unit contains another Organisation Unit called users. 
    +OU=Netherlands
    ++OU=Company A
    +++OU=users
    ++OU=Company B
    +++OU=users
    And so forth.
    If we run the PowerShell script it should create a list of all the Companies in container Netherlands. After the list is created it creates an output like 1. Company A; 2. Company B. (Forearch ..)
    The script asks for user input where to create the Security Group. If user selects option 2, a security group Called "Company B" is being created. All the users located in the Organisation Unit users within Company B are joined to that group. (Sets
    option 2 as a value like Security Group = "$Company B", create Security Group "Universal, Global (option), and get all users from container users and join them)
    Then without user interaction a share is being created. Granting Domain Administrators full access and the Security Group which has just been created.
    Is somebody able to help me with this kind of script?
    Thank you in advance,
    With kind regards,
    Danny Locorotondo

    Already gathered some information. Have this as a result. Now I need to figure out how to put the results into a list, so the user can select the group. As far as now I am stuck.
    Import-Module ActiveDirectory
    Function SelectCollectionRelease 
        [CmdletBinding()]
        Param
            [Parameter(Mandatory=$true,
                       Position=0,
                       HelpMessage='Enter the Release of the Collection. By example: Alfa,Beta or Charlie')]
            $CollectionRelease
        IF(!$CollectionRelease)
            write-host "`n You did not select a proper Collection Release" -foregroundcolor "red"
    SelectCollectionRelease 
        Elseif($CollectionRelease)
        [string] $OUPath = "OU=$CollectionRelease,OU=VDI,OU=carsystems,DC=carsysdev,DC=local"
    if (!([adsi]::Exists("LDAP://$OUPath"))) 
    write-host "`n Collection Release does not exists" -foregroundcolor "red"
    SelectCollectionRelease 
    else
    write-host "`n Collection Release exists." -foregroundcolor "green"
    write-host "`n Selected $OUPath ..." -foregroundcolor "yellow"
    Get-ADGroup -SearchBase "OU=$CollectionRelease,OU=VDI,OU=carsystems,DC=carsysdev,DC=local" -filter {GroupCategory -eq "Security"} | Format-List -Property Name
        Else
            //$SecurityGroup = Get-ADGroup -SearchBase "OU=$CollectionRelease,OU=VDI,OU=carsystems,DC=carsysdev,DC=local" -filter {GroupCategory -eq "Security"} -and (ObjectClass -eq "user")
    SelectCollectionRelease 

  • Bit Locker Implementation in Windows 8.1 machine using Windows server 2008 r2 server group policy.

    is it possible to enable the bit locker only for windows 8.1 machines through windows 2008 r2 server group policy ?
    Thanx and Regards,
    Shanif

    Hi Shanif,
    Yes, we can do this.
    Regarding how to enable Bitlocker via group policy, the following article can be referred to as reference.
    Cannot Save Recovery Information for Bitlocker in Windows 7
    http://blogs.technet.com/b/askcore/archive/2010/02/16/cannot-save-recovery-information-for-bitlocker-in-windows-7.aspx
    After configuring the settings, we can use security filtering or WMI filtering to apply the policy to specific computers.
    Regarding this point, the following blog can be referred to for more information.
    Security Filtering, WMI Filtering, and Item-level Targeting in Group Policy Preferences
    http://blogs.technet.com/b/grouppolicy/archive/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences.aspx
    Best regards,
    Frank Shen

  • Group Policy won't apply, No mapping between account names and security IDs was done.

    I am using Group Policy Preferences to remove users from the local admin group and add a local admin account.  This GPO is working on 90% of the Win7 machines on the network, but three laptops are not accepting the GPO.  I get the following error:
    Log Name:      Application
    Source:        Group Policy Local Users and Groups
    Date:          6/24/2014 8:49:28 AM
    Event ID:      4098
    Task Category: (2)
    Level:         Warning
    Keywords:      Classic
    User:          SYSTEM
    Computer:      laptop1.internal.com
    Description:
    The user 'Administrators' preference item in the 'Local Admin Policy - Remove Permissions {593ACD77-3663-4023-BEB8-938D83F7862E}' Group Policy object did not apply because it failed with error code '0x80070534 No mapping between account names and security
    IDs was done.' This error was suppressed.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Group Policy Local Users and Groups" />
        <EventID Qualifiers="34305">4098</EventID>
        <Level>3</Level>
        <Task>2</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-06-24T13:49:28.000000000Z" />
        <EventRecordID>68771</EventRecordID>
        <Channel>Application</Channel>
        <Computer>laptop1.internal.com</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data>user</Data>
        <Data>Administrators</Data>
        <Data>Local Admin Policy - Remove Permissions {593ACD77-3663-4023-BEB8-938D83F7862E}</Data>
        <Data>0x80070534 No mapping between account names and security IDs was done.</Data>
      </EventData>
    </Event>
    I've searched high and low for an answer and nothing I find on-line seems to apply.  I also notice that the option to 'Run as Administrator' does not work.  If I right-click on cmd.exe and select 'run as administrator', the command box opens but
    I am not prompted for credentials and the command box does not have admin rights.  Not sure if this is related or not.
    Any help on this would be greatly appreciated.
    Thanks,
    Joe

    Hi,
    Delete your  remove action from the GPP and push it again, does this issue still occur?
    If it still exists, let’s collect the GPP log for analysis:
    Group policy Preference debug logging policy settings are located under:
    Computer Configuration\Administrative Templates\System\Group Policy
    Click Logging and tracing, select local users and group preference logging and trace.
    Meanwhile, just a similar issue, but it is worth trying:
    A user is added to the wrong group on a client computer that is running Windows 7 or Windows Server 2008 R2
    http://support.microsoft.com/kb/2280515
    If you have any feedback on our support, please click
    here
    Alex Zhao
    TechNet Community Support

Maybe you are looking for

  • How to Format number in RTF template?

    Hi, In RTF template i am using Format_number for custom requirement. when i am using below conditon <?format-number(ENTERED_CR,'##,##0.00')?> number is getting formatted if above 1000 only. My requirement is 1). 444 should format like 444.00 2). 444.

  • Pages 5.2 multiple styles on the same line

    I am using Pages 5.2 on OSX Mavericks.  I would to use multiple styles on one line for research papers for school.  For instance, I would like to be able to do this: in Pages.  However, I have found that I need to create multiple styles to accomplish

  • Disk wasn't ejected properly..Error

    All of a sudden, when my late 2012 iMac wakes from sleep it wakes with a white screen and then takes about 4 seconds to get to the usual desktop screen where I enter my password.. When I log back in it says 'disk wasn't ejected properly' .. All I hav

  • Why do my notes keep going to my yahoo and leaving my iPad

    Why do my notes keep going to my yahoo and leaving my iPad. I have had this problem ever since I did the last two system updates. I deleted my Google Gmail from the account and kept my yahoo email, and is still have the same problem. The notes keep g

  • IWEB publishing PODCAST.. There's a problem

    There's a problem with iWEB 1) I made my podcasts in iWEB 2) I published them to web.me.com 3) It worked very fine. I can see them all in my page. 4) BUT 5) I made other pages in iWEB ex) BLOG 6) I published them (I did not edited or touched podcast