W7 client machine stuck on startup "Group Policy Files Policy"

We have some W7 machines getting stuck on boot-up before Ctrl-Alt-Del. Once verbose messages were turned on for troubleshooting, we noticed they were stuck at "applying group policy files policy".
We have let it wait for more than 60 minutes at a time and it would still be stuck (though mouse / kb still responsive).
This problem, however, is not reproducible on demand; if we power off the machine, it boots back up with no issues.
Checking the group policy log, we didn't find anything weird, but we were not sure if that's the right place to look, though.
We do have two group policy preferences pushing out host files as well as desktop shortcuts; might that be the culprit?
Thanks!

> we do have two group policy preferences pushing out host files as well
> as desktop shortcuts, might that be the culprit?
My recommendation: Use Group Policy Preferences as you like, but do NOT
use the "Files" extension.
Why? GP Processing at Boot/Logon is a synchronous foreground process
that cannot be interrupted (as you are already experiencing ;-)).
Replace GPP Files with a script that runs some robocopy commands. Start
this script through a scheduled task at boot or logon, so that it can
run asynchronously in the background, not disturbing the user experience.
regards, Martin
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
If my answer was helpful, I'm glad about a rating!
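
The replacement Martin describes, sketched as an added example (not part of the original thread and not the poster's own script): a PowerShell 2.0-compatible script that copies the hosts file with robocopy under bounded retries and registers itself as a startup task through schtasks.exe. The share, the local paths and the task name are placeholders.

```powershell
# Added example, not from the original thread. Share, paths and task name are placeholders.
param([switch]$Register)   # -Register: run once, elevated, to create the startup task

$Source     = '\\fileserver.example\deploy$\hosts'        # placeholder share; clients need read access only
$Dest       = Join-Path $env:SystemRoot 'System32\drivers\etc'
$File       = 'hosts'
$Log        = Join-Path $env:SystemRoot 'Temp\sync-hosts.log'
$TaskName   = 'Sync-HostsFile'                             # hypothetical task name
$ScriptPath = 'C:\ProgramData\Deploy\Sync-HostsFile.ps1'   # hypothetical local copy of this script (no spaces in path)

function Register-SyncTask {
    # schtasks.exe instead of Register-ScheduledTask: that cmdlet is not available on Windows 7.
    # ONSTART + SYSTEM runs the copy in the background at boot, outside Group Policy processing.
    $action = "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File $ScriptPath"
    & schtasks.exe /Create /TN $TaskName /TR $action /SC ONSTART /RU SYSTEM /RL HIGHEST /F | Out-Host
    return $LASTEXITCODE
}

function Sync-PolicyFile {
    # Bound the retries. robocopy's defaults (1,000,000 retries, 30 s apart) would keep the
    # task waiting on an unreachable share almost indefinitely.
    & robocopy.exe $Source $Dest $File /R:2 /W:5 /NP "/LOG+:$Log" | Out-Null
    return $LASTEXITCODE
}

function Test-RobocopySuccess([int]$Code) {
    # robocopy exit codes are a bitmask: 1 = copied, 2 = extra files, 4 = mismatches,
    # 8 = some copies failed, 16 = fatal error. Anything below 8 is not a failure.
    return ($Code -lt 8)
}

if ($Register) { exit (Register-SyncTask) }

$code = Sync-PolicyFile
if (Test-RobocopySuccess $code) { exit 0 }   # so "Last Run Result" in Task Scheduler shows success
exit $code
```

Because the task runs as SYSTEM and the hosts file controls name resolution, the source share and the local script path should be writable by administrators only.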

Similar Messages

  • Manual client deployment not picking up Group Policy provided registry settings

    We are having an issue with some laptops and machines that are turned off overnight not downloading necessary items for the SCCM 2012 client install.  We are going through the upgrade from 2007 to 2012 and are manually installing the client
    through the SCCM console.  Now that we have gotten the majority of our clients up to the 2012 version, we are planning to push the client going forward through WSUS.  Unfortunately, BITS is not allowing the update to come down in the time that some
    machines are on the network. 
    After some digging, we have concerns that the Group Policy setting for the command line properties are being ignored.
    We have the Group policy set as follows:
    /mp:oursccmserver.domain.com / service / forceinstall / BITSPriority:FOREGROUND SMSSITECODE=PRISITE FSP=OURFSP.domain.com
    However, the command line entry in the ccmsetup.log file on machines that have received the client as well as those not installing is showing the following:
    - Ccmsetup command line: "C\Windows\ccmsetup\ccmsetup.exe" /runservice /config:MobileClient.tcf
    - Command line parameters for ccmsetup have been specified. No registry lookup for command line parameters is required.
    Can someone tell me why it is not picking up the settings in the registry?  We have verified the settings are hitting the machines from GP, it just does not seem to be using them, which is why we think it is allowing BITS to throttle the download of the
    pre-reqs.
    Thanks in advance for any suggestions/help.

    Sorry for not updating this...
    After digging for days on this and contemplating calling MSFT support, I happened to check the Client Push installation properties and found the Install properties had been removed from each of our sites (1 primary and 2 secondaries).
    Although we do not have Client Push enabled for a variety of reasons, the properties have to be set for the manual push of the client from the console.  Once we re-entered the command line options for the Push install properties, manual installation
    from the console is working as expected.

  • Uninstall Lync 2010 client, Install Lync 2013 using Group Policy/VB/MS Customisation Tool

    Hi, I am using Group Policy/vb/Lync customization tools to deploy 2013 and remove 2010. The machines have Office 2010. The vb script is as below:
    Dim objShell 'As Object
    Dim objFSO 'As FileSystemObject
    '-- SET OBJECTS
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objShell = CreateObject("WScript.Shell")
    strComputerName = objShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
    Dim WshNetwork : Set WshNetwork = WScript.CreateObject("WScript.Network")
    objShell.Run """\\xxxxxxxxx - Do not Remove\Lync Install 2013 2010\Lync 2013 Outlook 2010\setup.exe"""
    I have amended the OCT with relevant settings. Lync 2013 installs but Lync 2010 does not uninstall. Here is how I have it set:
    In the Office Customization Tool - Set-up - Add Installation and Run Programs,
    In target - pointing to the Lync2010 exe file (on above share)
    In Arguments - /silent /uninstall
    Is this correct?
    Also, I would have thought that, under Remove Previous Installations, it would have an option to remove Lync 2010?
    Anyway..pulling my hair out here!
    Hope you can help.

    Hi,
    Based on your description, we can refer to the following threads for help.
    Slient Unninstall of Lync 2010 on client machines script required
    http://social.technet.microsoft.com/Forums/lync/en-US/69e32128-4581-4be5-9a44-b5d133e1f480/slient-unninstall-of-lync-2010-on-client-machines-script-required
    Scripting a Lync 2010 client Uninstall
    http://social.technet.microsoft.com/Forums/en-US/a65bd0d0-daa1-4616-8725-63f349fdde86/scripting-a-lync-2010-client-uninstall?forum=lyncconferencing
    As this issue is more related to Lync, in order to get better help, we can ask the question in the following TechNet dedicated Lync forum.
    Lync 2010 and OCS - Lync Clients and Devices
    http://social.technet.microsoft.com/Forums/lync/en-US/home?forum=ocsclients&filter=alltypes&sort=lastpostdesc
    In addition, as it also involves scripts, we can also ask for help in the following scripting forum.
    The Official Scripting Guys Forum
    https://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG&filter=alltypes&sort=lastpostdesc
    Hope it helps.
    Best regards,
    Frank Shen

  • Stuck at Applying Group Policy Printers Policy on Windows 2008 Servers

    XP clients seem to be fine and map all printers at logon. The 2k8 servers all hang at logon for 30 min or more at the Applying Group Policy Printers Policy. The print server is a DC in the same domain and it does not experience the issues at logon and gets to the desktop immediately.

    a DHCP workstation
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    U:\>ipconfig /all
    Windows IP Configuration
            Host Name . . . . . . . . . . . . : CP0030621
            Primary Dns Suffix  . . . . . . . : us.tms.local
            Node Type . . . . . . . . . . . . : Unknown
            IP Routing Enabled. . . . . . . . : No
            WINS Proxy Enabled. . . . . . . . : No
            DNS Suffix Search List. . . . . . : us.tms.local
                                                us.tms.local
                                                tms.local
    Ethernet adapter Local Area Connection:
            Connection-specific DNS Suffix  . : us.tms.local
            Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
            Physical Address. . . . . . . . . : 00-19-BB-5F-EE-75
            Dhcp Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            IP Address. . . . . . . . . . . . : 10.1.10.165
            Subnet Mask . . . . . . . . . . . : 255.255.254.0
            Default Gateway . . . . . . . . . : 10.1.10.1
            DHCP Server . . . . . . . . . . . : 10.1.10.27
            DNS Servers . . . . . . . . . . . : 10.1.10.27
                                                10.1.10.28
            Lease Obtained. . . . . . . . . . : Monday, August 24, 2009 8:24:12 AM
            Lease Expires . . . . . . . . . . : Saturday, August 29, 2009 8:24:12 A
    Ethernet adapter Bluetooth Network Connection:
            Media State . . . . . . . . . . . : Media disconnected
            Description . . . . . . . . . . . : Bluetooth Device (Personal Area Net
    ork)
            Physical Address. . . . . . . . . : 00-0D-3A-A6-BA-28
    win2k3 web server which logs in successfully
    Microsoft Windows [Version 5.2.3790]
    (C) Copyright 1985-2003 Microsoft Corp.
    U:\>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : wlfdweb01
       Primary Dns Suffix  . . . . . . . : us.tms.local
       Node Type . . . . . . . . . . . . : Unknown
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : us.tms.local
                                           tms.local
    Ethernet adapter Local Area Connection 2:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : HP NC7782 Gigabit Server Adapter #2
       Physical Address. . . . . . . . . : 00-14-C2-C3-DA-3A
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 10.1.10.29
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       IP Address. . . . . . . . . . . . : 10.1.10.30
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       Default Gateway . . . . . . . . . : 10.1.10.1
       DNS Servers . . . . . . . . . . . : 10.1.10.27
                                           10.1.10.28
    Print Server that logs in fine (also a DC and DNS Server)
    Microsoft Windows [Version 6.0.6002]
    Copyright (c) 2006 Microsoft Corporation.  All rights reserved.
    U:\>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : wlfddc02
       Primary Dns Suffix  . . . . . . . : us.tms.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : us.tms.local
                                           tms.local
    Ethernet adapter Local Area Connection 4:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : HP NC373i Multifunction Gigabit Server Ad
    apter #2
       Physical Address. . . . . . . . . : 00-1C-C4-EF-B7-A4
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.1.10.28(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       Default Gateway . . . . . . . . . : 10.1.10.1
       DNS Servers . . . . . . . . . . . : 10.1.10.28
                                           10.1.10.27
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter Local Area Connection* 9:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{9FB5C233-FB93-471F-873E-6DFDFCFED
    2AE}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    server that hangs at applying group policy printers (the other dc and dns server for the domain)
    Microsoft Windows [Version 6.0.6002]
    Copyright (c) 2006 Microsoft Corporation.  All rights reserved.
    U:\>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : wlfddc01
       Primary Dns Suffix  . . . . . . . : us.tms.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : us.tms.local
                                           tms.local
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
       Physical Address. . . . . . . . . : 00-0F-1F-68-D6-42
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.1.10.27(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       Default Gateway . . . . . . . . . : 10.1.10.1
       DNS Servers . . . . . . . . . . . : 127.0.0.1
                                           10.1.10.25
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter Local Area Connection* 8:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{C0EEED04-498A-42FC-9C42-86A37BD4D
    8D5}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

  • Group Policy control of ActiveX installation

    Our users are on Windows 8.1 and IE 11.
    We use SQL reporting services at our company. Our users run reports from the Report Manager, which uses an ActiveX control to enable printing. 
    I need to allow our normal users to install this ActiveX control. Looking at this page http://technet.microsoft.com/en-us/library/dn454941.aspx I added the CLSID of the control to a GPO under
    Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management. I linked
    this GPO to an OU. 
    Even after making sure the policy was applied to the computer, this ActiveX control still popped a UAC dialog to allow the installation of this control. 
    What do I need to do to make this work?

    Hi,
    Please follow these steps:
    Step 1: Convert ActiveX exe or cab file to MSI package
    ===================================
    Install visual studio installer to create .msi package of ActiveX Control
     Downloaded free Visual Studio installer from
    http://msdn.microsoft.com/en-us/vs2005/aa718352.aspx
    But this requires Visual Studio 6.0 to be installed
    Step 2: Place the package in network share where all the users have access
    Step 3: Create an organizational unit (OU) in active directory
    Step 4: Add a group policy object (GPO) to the OU
    Step 5: Publish the package using this GPO
    =============================
    1. Open Group Policy editor and go under User Configuration > Software Settings ->"Software Installation"
    2. Right-click, select new > package, and browse to the package (make sure it's on a network location that all of his users will be able to access, because this is going to become the distribution point)
    3. Once you choose a package, choose "Advanced" from the options list
    4. On the Deployment tab, select "Assigned", click the "Advanced" button at the bottom, and make sure that "Include OLE class and product information" is checked, and that "Make this 32bit x86 application available to Win64
    machines" Also, on the "Deployment" tab, make sure that "Install this application at logon" is checked.
    After that, please be assured that we need to run gpupdate /force command on the client machines after applying the group policy on the server side.
    Now log in to client machine using the user login created in the OU to check if it can work properly.
    For more information, please refer to this article:
    How To Install ActiveX Controls in Internet Explorer Using the Active Directory
    http://support.microsoft.com/kb/280579
    Karen Hu
    TechNet Community Support

  • Intermittent DNS resolution, timeserver, group policy updates errors in client logs in Win 2012 R2 single server environment

    We recently switched hardware and server software Win SBS 2008 to 2012R2 for a small network roughly 40 clients (Win7 Pro / Win 8.1 Pro) about 16 running concurrently at a given time and one network printer with the printer queue residing on the DC as well.
    I read that a single server environment might not be ideal in particular no fail-over but that is an accepted risk in this particular network here.
    Errors:
    Error 1043: Timeout during name resolution request
    Error 1129: Group policy updates could not be processed due to DC not available
    Error 5719: Could not establish secure connection to DC, DC not available
    Occasionally but disappears after a while
    Error 134: As a result of a DNS resolution timeout could not reach time server
    Symptoms
    On Win 7 Clients
    Network shares added through Group Policy will not show sometimes
    Network shares disconnect (red X) and when accessed return access authorization error after one or two clicks on the share finally grant access again
    When the issue with accessing network shares occurs, it usually also affects Internet access meaning a 'server not responding' error appears in the browser windows when trying to open just any web page
    nslookup during the incident returns cannot resolve error
    ipconfig on client shows correct default router (VDSL Router) and DHCP / DNS Domain Controller
    Also, the Win system log shows the above errors during these incidents, however, the number of incidents vary from 20-30
    On Win 8.1 Clients
    Same as above with the slight variation for network shares apparently due to Server 2012 and Win 8.1 clients managing drive shares differently. However, network share refresh does not work with these clients. In most cases only a gpupdate /force returns
    drive shares but usually only for the active session. After logoff / logon the shares are gone again.
    The issue does appear to be load related since it occurs even if there are only one or two workstations active.
    Server Configuration
    Dell R320 PowerEdge 16GB / 4TB 7200RPM RAID10 / GBitEthernet
    Zyxel 1910-48 Port Switch
    VDSL 50Mbps Down / 20Mbps Up
    Since the DC is the only local DNS and there are no plans to add another one or move DNS to another server, the DNS server is configured with its own address as preferred DNS with three DNS forwarders 1) VDSL Router 2) ISP DNS1 3) ISP DNS2
    Currently only one Network card is active for problem determination reasons.
    There appears to be no consensus concerning IPV6 enabled or disabled, I tried both with no apparent effect
    I have set all network cards server and client to Full Duplex and the same speed, also disabled Offload functions within the adapter settings. Some but no consistent improvements.
    Best Practice Analyzer Results
    DNS server scavenging not enabled
    Root hint server XYZ must respond to NS queries for the root zone
    More than one forwarding server should be configured (although 3 are configured)
    NIC1 should be configured to use both a preferred and alternate DNS (there is only one DNS in this network)
    I have found some instructions to apply changes to the clients through a host file but I would rather like to understand whether this DNS response time issue can be resolved on the server for example timing setting perhaps. Currently the DNS forwarders are
    set to 3 seconds.
    Since a few people have reported issues with DNS but most are working with multi DNS, DC environment I could not really apply any suggestions made there. perhaps there is anyone like me who is running a single server who has overcome or experience the same
    issues. Any help would be appreciated

    Hello Milos thx for your reply.. my comments below
    1. What does it "switched"? You may mean migration or new installation. We do not know...
    >> Switched is probably the incorrect term, replaced would be the appropriate wording. Before, there was a HP Proliant Server with SBS 2008 with distinct domain and now there is a Dell Server with MS 2012 R2 with a distinct domain. Client were
    removed from one (SBS) domain and added to the new Server 2012 domain. Other components did not change for example same Network Switch or VDSL Router, Workstations and Printer
    2. Two DCs are better alternative. Or backup very frequently. There are two groups of administrators. Those who have lost DC and those who will experience this disaster in near future.
    >> Correct, and I am aware of that
    3. NIC settings in W 7 and W 8.1, namely DNS points to DC (...and NOTHING else. No public IP or that of router DNS.))
    >> Correct, this is how it's currently implemented. Clients point to DC for DHCP and DNS and Default Router, no public IP or DNS. The only references to ISP DNS exist on the VDSL Router itself as provided through ISP when establishing VDSL
    Link and the list of Forwarders in the DNS Server configuration. However, I have just recently added the ISPs DNS as forwarders for test purposes and will probably learn tomorrow morning whether this had any effect for better or worse.
    4. Do nslookup to RR on clients. RR branch is saying client basic info on LDAP parameters of AD.
    >> Will post as soon as available
    5. I do not use forwarders and the system works
    >> Ok, does this mean it works for you in a similar or the same infrastructure setup or are you saying it is not required at all and I can remove any forwarder in a scenario like mine? If not required can you explain a bit more why it is not
    required apart from that it does work for you that way?
    6. DHCP should sit on DC (DHCP on router is disabled)
    >> Correct, no other device is configured to provide DHCP service other than DC and DHCP is currently running on DC
    7. NIC settings in DC points to itself (loopback address 127.0.0.1)
    >> Are you sure this is still correct and does apply to Server 2012? I am reading articles stating that it should be the servers own IP but local loop or should this be added as alternate DNS in addition to the servers own IP?
    8. Use IPCONFIG /FLUSHDNS whenever you change DNS settings.
    >> OK, that was not done every time I changed some settings but I can do that next week. Reboot alone would not suffice, correct?
    9. Test your system with dcdiag.
    >> See result below
    10. Share your findings.
    Regards
    Milos
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
      Home Server = GSERVER2
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
    Testing server: Default-First-Site-Name\GSERVER2
          Starting test: Connectivity
             ......................... GSERVER2 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\GSERVER2
          Starting test: Advertising
             ......................... GSERVER2 passed test Advertising
          Starting test: FrsEvent
             ......................... GSERVER2 passed test FrsEvent
          Starting test: DFSREvent
             ......................... GSERVER2 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... GSERVER2 passed test SysVolCheck
          Starting test: KccEvent
             ......................... GSERVER2 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... GSERVER2 passed test
             KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... GSERVER2 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... GSERVER2 passed test NCSecDesc
          Starting test: NetLogons
             ......................... GSERVER2 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... GSERVER2 passed test
             ObjectsReplicated
          Starting test: Replications
             ......................... GSERVER2 passed test Replications
          Starting test: RidManager
             ......................... GSERVER2 passed test RidManager
          Starting test: Services
             ......................... GSERVER2 passed test Services
          Starting test: SystemLog
             ......................... GSERVER2 passed test SystemLog
          Starting test: VerifyReferences
             ......................... GSERVER2 passed test VerifyReferences  
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : GS2
          Starting test: CheckSDRefDom
             ......................... GS2 passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... GS2 passed test CrossRefValidation  
       Running enterprise tests on : GS2.intra
          Starting test: LocatorCheck
             ......................... GS2.intra passed test LocatorCheck
          Starting test: Intersite
             ......................... GS2.intra passed test Intersite
    Server:  gserver2.g2.intra
    Address:  192.168.240.6
    *** gserver2.g2.intra can't find g2: Non-existent domain
    > gserver2
    Server:  gserver2.g2.intra
    Address:  192.168.240.6
    g2.intra
            primary name server = gserver2.g2.intra
            responsible mail addr = hostmaster.g2.intra
            serial  = 443
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)
    > wikipedia.org
    Server:  gserver2.g2.intra
    Address:  192.168.240.6
    Non-authoritative answer:
    wikipedia.org   MX preference = 10, mail exchanger = polonium.wikimedia.org
    wikipedia.org   MX preference = 50, mail exchanger = lead.wikimedia.org
    polonium.wikimedia.org  internet address = 208.80.154.90
    polonium.wikimedia.org  AAAA IPv6 address = 2620:0:861:3:208:80:154:90
    lead.wikimedia.org      internet address = 208.80.154.89
    lead.wikimedia.org      AAAA IPv6 address = 2620:0:861:3:208:80:154:89
    Final benchmark results, sorted by nameserver performance:
     (average cached name retrieval speed, fastest to slowest)
      192.168.240.  6 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      + Cached Name   | 0,001 | 0,002 | 0,003 | 0,001 | 100,0 |
      + Uncached Name | 0,027 | 0,076 | 0,298 | 0,069 | 100,0 |
      + DotCom Lookup | 0,041 | 0,048 | 0,079 | 0,009 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                 gserver2.g2.intra
                    Local Network Nameserver
      195.186.  4.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,022 | 0,023 | 0,025 | 0,000 | 100,0 |
      - Uncached Name | 0,025 | 0,071 | 0,274 | 0,065 | 100,0 |
      - DotCom Lookup | 0,039 | 0,040 | 0,043 | 0,001 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                         cns8.bluewin.ch
               BLUEWIN-AS Swisscom (Schweiz) AG,CH
      195.186.  1.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,022 | 0,023 | 0,026 | 0,001 | 100,0 |
      - Uncached Name | 0,025 | 0,072 | 0,299 | 0,066 | 100,0 |
      - DotCom Lookup | 0,039 | 0,042 | 0,049 | 0,003 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                         cns7.bluewin.ch
               BLUEWIN-AS Swisscom (Schweiz) AG,CH
        8.  8.  8.  8 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,033 | 0,040 | 0,079 | 0,011 | 100,0 |
      - Uncached Name | 0,042 | 0,113 | 0,482 | 0,097 | 100,0 |
      - DotCom Lookup | 0,049 | 0,079 | 0,192 | 0,039 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                 google-public-dns-a.google.com
                     GOOGLE - Google Inc.,US
      UTC: 2014-11-03, from 14:33:12 to 14:33:29, for 00:17,648
    15: 40
    192.168.240.  6 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      + Cached Name   | 0,001 | 0,002 | 0,004 | 0,000 | 100,0 |
      + Uncached Name | 0,025 | 0,074 | 0,266 | 0,063 | 100,0 |
      + DotCom Lookup | 0,042 | 0,048 | 0,075 | 0,007 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                 gserver2.g2.intra
                    Local Network Nameserver
      195.186.  1.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,022 | 0,024 | 0,029 | 0,001 | 100,0 |
      - Uncached Name | 0,024 | 0,073 | 0,289 | 0,067 | 100,0 |
      - DotCom Lookup | 0,039 | 0,041 | 0,043 | 0,001 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                         cns7.bluewin.ch
               BLUEWIN-AS Swisscom (Schweiz) AG,CH
      195.186.  4.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,022 | 0,024 | 0,029 | 0,001 | 100,0 |
      - Uncached Name | 0,025 | 0,073 | 0,286 | 0,065 | 100,0 |
      - DotCom Lookup | 0,041 | 0,066 | 0,180 | 0,037 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                         cns8.bluewin.ch
               BLUEWIN-AS Swisscom (Schweiz) AG,CH
        8.  8.  8.  8 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0,033 | 0,038 | 0,077 | 0,009 | 100,0 |
      - Uncached Name | 0,042 | 0,105 | 0,398 | 0,091 | 100,0 |
      - DotCom Lookup | 0,049 | 0,066 | 0,141 | 0,025 | 100,0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                 google-public-dns-a.google.com
                     GOOGLE - Google Inc.,US
      UTC: 2014-11-03, from 14:39:59 to 14:40:12, for 00:13,363

  • Group policy template for Novell Client for Windows 7

    Does anyone know if there is a group policy template for the Novell Client for Windows 7? I find it really hard to believe that Novell has not yet released one, but I cannot find one anywhere. We use ZCM 11.2, and I really need to be able to send out settings for the client via a group policy.
    By the way, I am also posting this on the Novell Client forum, but since this is also a ZCM thing, I am hoping I might get some feedback here.
    Rick P

    Two recent/new resources are available for the Novell Client 2 SP3 for Windows:
    Cool Solutions AppNote: Novell Client 2 SP3 for Windows: Registry Settings
    Novell Client 2 SP3 for Windows: Registry Settings | Novell User Communities
    Cool Solutions Tool: Group Policy Administrative Template for Novell Client 2 SP3 for Windows
    Group Policy Administrative Template for Novell Client 2 SP3 for Windows | Novell User Communities

  • Group Policy Guru? Group Policy and Windows 7 erratic and inconsistent.

    (*If you don't feel like reading everything, skip to the bottom two paragraphs for my questions)
    I've had a premier call open with MS since August. This week I had a Microsoft Technician in-house.  Though we eliminated some possibilities, we're not really closer to a cause or solution.
    Every time we work with an expert, I get a different explanation to describe the situation we are viewing.
    Quick summary of the issue:  We've been using Group Policy to manage most Windows XP and 7 settings for years, but starting the middle of last year, we began having clients with machines where some or all group policies would fail to apply. 
    These could be long assigned policies, new policies, or changes to policies.  It would never affect everyone or even a majority at once, and the resolution is never the same.  Sometimes a GPUPDATE /FORCE sometimes fixed automajically the next day,
    sometimes (but very rarely) longer.
    Troubleshooting History:
    What we found in early troubleshooting was that these machines had errors in Event Viewer for Netlogon, Time-Sync, and Group Policy.  The other issue we noticed was that our GPRESULT /H reports were missing security groups and the denied section was
    nothing but SSID's.  The first issue pointed me to:
    Event ID 5719 and event ID 1129 may be logged when a non-Microsoft DHCP Relay Agent is used
    I installed these Hot Fixes.  No change to any of the errors in event viewer, or to our Group Policy problems.
    Initial work with Premier Support found that Netlogon, Time-Sync, and Group Policy were failing before loading of the network stack.  The suggestion was to apply the group policy setting "Always wait for the network at computer startup and
    logon".  At the time, this seemed not to work.  The policy was set on a test bed of laptops and desktops, and no changes in behavior were seen after 3 days.
    Windows 7 Clients intermittently fail to apply group policy at startup
    For some time after this, we were collecting GPSVC and NetTrace logs for Premier Support, trying to document and troubleshoot the problem.  Eventually we got fed up and asked our TAM to call in a pro to get this resolved.  We were sent an engineer
    for 3 days.  For three days we banged away on this issue.  We verified AD and replication health, we tried numerous fixes and workarounds.  I learned 3 different descriptions of how Group Policy works, and in the end we thought we had a workaround
    using the "Always wait for the network at computer startup and logon" because of a single success late in the day.  On day 3 we tried replicating this fix, and quickly realized that the same issue we were having preventing other GPOs to apply,
    were also preventing our "fix" GPO from applying.  So we went the route of using a registry entry.  I also had a problem that even though it was making the process more consistent, it was still taking 3 reboots for a Computer Policy, assigned
    to a computer object via Security Group, to fully take effect on a computer.
    I used the registry methods in the above article.  It didn't work, no sign it was having the same effect the GPO had had.
    Our support engineer claimed this was the proper method, but that path wasn't even close in a Windows 7 SP1 registry, and after creating all the keys that were not present, it still didn't work.
    Always wait for the network at computer startup and logon - AzureWeb
    We ran out of time, our engineer returned home.
    I can understand how these errors indicate a problem applying Group Policy at boot.  But to me it doesn't explain why it doesn't correct post boot, and after a GPUPDATE /FORCE and a reboot.
    It also doesn't explain why we were working fine for years, then all of a sudden DHCP is being outrun by background services.  (By the way logging showed DHCP wasn't significantly delayed, our boot process was actually excellent, health wise.) 
    Why all of a sudden is this not behaving optimally?  No changes to network design or function.  No changes to the domain since 2008 R2 was installed in 2011.
    Today I'm reading through all these KB's and articles again, and took some time to read:
    [Forum FAQ] Common steps to start troubleshooting Group Policy
    application and its links below.
    We ran through all of that before and during the 3-day onsite.  It's not getting us any closer to the cause or a solution.
    I found and began some deep reading in this link today.  It has some additional information I will try to use next week:
    Group Policy Basics - Part 3: How Clients Process GPOs
    The one unanswered question I have is this.  How is group policy supposed to apply to a computer, when that policy is applied to an AD Security Group, in which the computer object is a member?
    Before we began having this problem, we would assign a computer GPO, then ask the user to reboot.  If it were a user GPO, we'd ask the user to log off, or reboot.  Either way, if we allowed a few minutes for AD and FRS replication, the user would
    log back in with that new policy in effect.  A new imaged machine would boot with all the GPO's linked to that domain and assigned to "Authenticated Users", already in effect.  Admin groups would be present in administrators, proxy settings
    would be set in Internet Explorer, etc.
    Now I'm asked to believe this was never the case from Premier Support and Microsoft Engineers.  That those policies require the equivalent of a "GPUPDATE /FORCE" that was executed by the Local_System account.  That 3 reboots may
    be necessary for a group policy to be applied.  One for the AD Security Group to be applied.  One for the Computer Policy to be applied.  And a final one for the policy in the GPO to be applied to Windows.
    Can someone confirm or correct this information please?  It's imperative to my troubleshooting.
    There's no place like 127.0.0.1

    That key is empty on all of my machines I have checked today.  Working and problematic alike.
    GPRESULT logs, when run as me, historically would show the group policies applied, denied, and the AD group membership all by name.  About 6 months ago I noticed this changed.
    Now they show the applied GPO's by name, a few of the denied GPO's by name, most by SID, and only 2 to 3 AD groups, though PowerShell shows all the AD groups assigned.  This happens after several AD security and distribution groups are added to the
    machine (Radia software distribution uses Dist groups to assign software).
    A check showed no groups with long legacy Kerberos keys.
    When we make a change to AD Security Group membership, to assign or deny a Group Policy, is usually when we encounter this problem.  It will usually fix itself in 24 hours of the machine being left up and running.  But no amount of GPUPDATE /FORCE
    and rebooting will cause the changes to take effect.
    During this time, the Group Policies will show assigned to the computer in the GPRESULT log.
    Yesterday I began looking into Spanning Tree configuration on our network being a possible cause for the boot up issues.  I'm waiting on responses from our Network group to confirm our configuration.
    There's no place like 127.0.0.1

  • Group Policy issue - Bandwidth detection failed

    Hi
    We have a major issue affecting multiple users (>100) where they are unable to login to the machine. It looks like core windows services do not start such as DHCPClient, EventLog, UserProfileService.
    Looking at the events on the pc I can see the following events:
    Event 6314
    Group policy bandwidth estimation failed. Group policy processing will continue. Assuming fast link.
    Event 6323
    Group Policy dependency (Network Location Awareness) did not start. As a result, network related features of Group Policy such as bandwidth estimation and response to network changes will not work.
    I can see the NLA service started but I am worried a lot more machines will become unusable. A change was made to group policy regarding searching items in the start menu
    User Configuration\Administrative Templates\Start Menu and Taskbar
    Do not search files
    Enabled
    Do not search Internet
    Enabled
    Remove Games link from Start Menu
    Enabled
    Remove Help menu from Start Menu
    Enabled
    Remove Music icon from Start Menu
    Enabled
    Remove Network Connections from Start Menu
    Enabled
    Remove Network icon from Start Menu
    Enabled
    Remove Run menu from Start Menu
    Disabled
    Remove the networking icon
    Enabled
    Remove the volume control icon
    Disabled
    Remove user's folders from the Start Menu
    Enabled
    The clients are mostly Vista SP2 with some Windows 7. DCs are Server 2008.
    Any help in resolving this much appreciated.

    Hi,
    >>Group Policy dependency (Network Location Awareness) did not start. As a result, network related features of Group Policy such as bandwidth estimation and response to network changes will not work.
    Network Location Awareness service is a needed service for processing group policy settings since Windows Vista. It helps check the network location of the computers and helps detect slow link when processing group policy settings.
    Before going further, does this happen to all clients in our environment? Please check our network configuration and make sure that the clients are able to correctly communicate with DCs. Besides, we can try to reinstall network
    adapters to see if it helps. Moreover, please further check event logs to see if some other error events were logged.
    Here, we can also try to clean boot our clients to troubleshoot if this is caused by some third party services or applications.
    Regarding how to perform clean boot, the following article can be referred to for more information.
    How to perform a clean boot in Windows
    http://support.microsoft.com/kb/929135
    In addition, if everything goes clean, we can try to delay the application of Group Policy at startup by following the procedure described in the Resolution section in the article below to see if it helps.
    Windows 7 Clients intermittently fail to apply group policy at startup
    http://support.microsoft.com/kb/2421599
    Best regards,
    Frank Shen

  • Group policy Query

    Someone please help me to disable the Group policy for only one machine (at least WSUS Group policy).
    Please share the step by step details.

    <![LOG[Its a WSUS Update Source type ({508E7B21-0DA1-4AED-B1FA-03AD7D9A49DD}), adding it.]LOG]!><time="20:13:20.083-330"
    date="04-09-2014" component="WUAHandler" context="" type="1" thread="2508" file="sourcemanager.cpp:1232">
    <![LOG[Unable to read existing resultant WUA policy. Error = 0x80070002.]LOG]!><time="20:13:20.083-330"
    date="04-09-2014" component="WUAHandler" context="" type="2" thread="2508" file="sourcemanager.cpp:920">
    <![LOG[Enabling WUA Managed server policy to use server: http://SCCM.ABC.in:8530]LOG]!><time="20:13:20.083-330"
    date="04-09-2014" component="WUAHandler" context="" type="1" thread="2508" file="sourcemanager.cpp:948">
    <![LOG[Waiting for 2 mins for Group Policy to notify of WUA policy change...]LOG]!><time="20:13:20.108-330"
    date="04-09-2014" component="WUAHandler" context="" type="1" thread="2508" file="sourcemanager.cpp:954">
    <![LOG[Timed out waiting for Group Policy notification.]LOG]!><time="20:15:20.109-330" date="04-09-2014"
    component="WUAHandler" context="" type="1" thread="2508" file="sourcemanager.cpp:95">
    <![LOG[Unable to read existing WUA resultant policy. Error = 0x80070002.]LOG]!><time="20:15:20.109-330"
    date="04-09-2014" component="WUAHandler" context="" type="2" thread="2508" file="sourcemanager.cpp:958">
    <![LOG[Group policy settings were overwritten by a higher authority (Domain Controller) to: Server  and
    Policy NOT CONFIGURED]LOG]!><time="20:15:20.112-330" date="04-09-2014" component="WUAHandler" context="" type="3" thread="2508" file="sourcemanager.cpp:1013">
    <![LOG[Failed to Add Update Source for WUAgent of type (2) and id ({508E7B21-0DA1-4AED-B1FA-03AD7D9A49DD}).
    Error = 0x87d00692.]LOG]!><time="20:15:20.113-330" date="04-09-2014" component="WUAHandler" context="" type="3" thread="2508" file="cwuahandler.cpp:2325">
    WSUS settings will be assigned by the SCCM Server basically, but in the error above the settings have been overridden by GPO, it seems.
    I have created a new OU and moved the test machine to that OU and disabled all Group policy.
    Still the issue persists.
    Note: Some GPO issue is already there in my environment (Computer policy will not refresh for any clients)
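The WUAHandler excerpt in this thread can be triaged mechanically. The following is an added example, not part of the original posts and not Configuration Manager code: it parses the CMTrace-style entries and reports whether domain Group Policy displaced the update server the client tried to set. The function names are hypothetical, and the sample is built from five of the entries quoted above.

```python
import re

# Constructed sample: five entries copied from the WUAHandler excerpt in the
# post above, keeping the line wraps the forum introduced.
SAMPLE_LOG = r'''<![LOG[Enabling WUA Managed server policy to use server: http://SCCM.ABC.in:8530]LOG]!><time="20:13:20.083-330"
date="04-09-2014" component="WUAHandler" context="" type="1" thread="2508" file="sourcemanager.cpp:948">
<![LOG[Waiting for 2 mins for Group Policy to notify of WUA policy change...]LOG]!><time="20:13:20.108-330"
date="04-09-2014" component="WUAHandler" context="" type="1" thread="2508" file="sourcemanager.cpp:954">
<![LOG[Timed out waiting for Group Policy notification.]LOG]!><time="20:15:20.109-330" date="04-09-2014"
component="WUAHandler" context="" type="1" thread="2508" file="sourcemanager.cpp:95">
<![LOG[Group policy settings were overwritten by a higher authority (Domain Controller) to: Server  and
Policy NOT CONFIGURED]LOG]!><time="20:15:20.112-330" date="04-09-2014" component="WUAHandler" context="" type="3" thread="2508" file="sourcemanager.cpp:1013">
<![LOG[Failed to Add Update Source for WUAgent of type (2) and id ({508E7B21-0DA1-4AED-B1FA-03AD7D9A49DD}).
Error = 0x87d00692.]LOG]!><time="20:15:20.113-330" date="04-09-2014" component="WUAHandler" context="" type="3" thread="2508" file="cwuahandler.cpp:2325">
'''

ENTRY_RE = re.compile(r'<!\[LOG\[(.*?)\]LOG\]!><(.*?)>', re.DOTALL)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
SEVERITY = {"1": "info", "2": "warning", "3": "error"}
SERVER_RE = re.compile(r'Enabling WUA Managed server policy to use server: (\S+)')
OVERRIDE_RE = re.compile(
    r'overwritten by a higher authority \((.*?)\) to: Server\s*(.*?)\s*and Policy (.+)$')
ERROR_RE = re.compile(r'Error = (0x[0-9a-fA-F]{8})')

def parse_entries(text):
    """Split CMTrace-style text into entries; tolerates entries wrapped over lines."""
    entries = []
    for msg, attr_blob in ENTRY_RE.findall(text):
        attrs = dict(ATTR_RE.findall(attr_blob))
        entries.append({
            "message": " ".join(msg.split()),   # undo wraps and double spaces
            "when": f'{attrs.get("date", "")} {attrs.get("time", "")}'.strip(),
            "component": attrs.get("component", ""),
            "severity": SEVERITY.get(attrs.get("type"), "unknown"),
            "source": attrs.get("file", ""),
        })
    return entries

def triage_wsus_override(entries):
    """Summarise whether Group Policy displaced the server the client tried to set."""
    finding = {"cm_server": None, "gp_timeout": False, "overridden_by": None,
               "gp_server": None, "gp_policy_state": None, "error_codes": []}
    for entry in entries:
        if entry["component"] != "WUAHandler":
            continue
        msg = entry["message"]
        server = SERVER_RE.search(msg)
        if server:
            finding["cm_server"] = server.group(1)
        if "Timed out waiting for Group Policy notification" in msg:
            finding["gp_timeout"] = True
        override = OVERRIDE_RE.search(msg)
        if override:
            finding["overridden_by"] = override.group(1)
            finding["gp_server"] = override.group(2) or None  # empty in the post
            finding["gp_policy_state"] = override.group(3)
        finding["error_codes"] += ERROR_RE.findall(msg)
    finding["conflict"] = (finding["overridden_by"] is not None
                           and finding["gp_server"] != finding["cm_server"])
    return finding

if __name__ == "__main__":
    print(triage_wsus_override(parse_entries(SAMPLE_LOG)))
```

Run against a full WUAHandler.log, the same two functions show which machines report the override, which helps separate this conflict from the wider policy-refresh problem mentioned in the note above.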

  • Group policy for changing binding order of network adapters

    Hi,
    We have enabled Wifi and Wired (LAN) connections at the same time for users using group policy. Both connections work properly on laptops. Now some applications are not working due to routing issues as both connections are working at the same time.
    We want to change connections priority in such a way that Wired (LAN) should always take priority over WiFi connections.
    http://support.microsoft.com/kb/894564 describes a method for changing the same on a single computer.
    Can this be achieved using group policy?
    Mukesh S MCITP Exchange 2007

    Hi,
    There is no corresponding group policy setting which can change binding order of NIC. However, in the article you provided, it says that we can create a fixed metric by changing
    the InterfaceMetric registry value or set the interface metric by using a script. In this way, we can choose to use Group Policy Preferences Registry extension to deploy the registry change to clients, or we can use group policy to deploy the script to clients.
    Regarding GPP registry extension, the following article can be referred to for more information.
    Registry Extension
    http://technet.microsoft.com/en-us/library/cc771589.aspx
    If we choose to deploy script via group policy, we can assign computer startup script or user logon script.
    Regarding this point, the following article can be referred to for more information.
    Assign computer startup scripts
    http://technet.microsoft.com/en-us/library/cc779329(v=WS.10).aspx
    Assign user logon scripts
    http://technet.microsoft.com/en-us/library/cc781361(v=WS.10).aspx
    Best regards,
    Frank Shen

  • Unable to see Remote App and Desktop Connection in Group Policy Management Editor

    I am unable to see the Remote App and Desktop Connection in Group Policy Management Editor on my 2012 R2 DC. I am therefore not able to configure the connection URL in Access RemoteApp and desktops in our Windows 8.1 client environment.
    Within the Group Policy Under User Configuration, Administrative Templates, Windows Components all I see is:-
    RD Gateway
    Remote Desktop Connection Client
    Remote Desktop Session Host
    But NOT
    Remote App and Desktop Connection
    Which I need. Is there any way of adding this?

    > I am unable to see the Remote App and Desktop Connection in Group Policy
    > Management Editor on my 2012 R2 DC. I am therefore not able configure
    > the connection URL in Access RemoteApp and desktops in our Windows 8.1
    > client environment.
    http://gpsearch.azurewebsites.net/#8113
    Do you use a central store for ADMX? Is this central store out of date?
    (Means "still contains ADMX from W7/2008R2")
    Martin
    How about reading a
    GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • BitLocker - Conflict with Group Policy

    Hi;
    I am using Bitlocker on my Win 8.1 Pro, and it works ok when I encrypt my C: drive, I configured my computer to let it prompt for PIN number when I turn on my computer by using the following setting in Group Policy for "Require additional authentication
    at startup".
    Configure TPM startup: Allow TPM
    Configure TPM startup PIN: Require startup PIN with TPM
    Configure TPM startup key: Allow startup key with TPM
    Configure TPM startup key and PIN : Allow startup key and PIN with TPM
    I tried it and rebooted my computer, it works fine and the computer prompts me for the PIN number after reboot.  However; when I tried to encrypt my USB key or another E: drive partition, I got the error below.  I tried to disable my group policy
    but no help.
    "the group policy settings for BitLocker startup options are in conflict and cannot be applied."
    KW - CNE,MCSE,VCP5

    Hi KANE.W,
    For BitLocker Group Policy settings, “Require additional authentication at startup” group policy has conflicts, if one authentication method is required, the other methods cannot be allowed.
    Based on your description, I am supposing that in “require additional authentication at startup”, If you choose to require an additional authentication method, other authentication methods cannot be allowed.
    For more information about conflicts of BitLocker group policy
    https://technet.microsoft.com/en-us/library/jj679890.aspx?f=255&MSPPError=-2147217396#BKMK_unlockpol1
    Regards
    D. Wu
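The conflict rule quoted in the reply above can be checked against a machine's exported policy values. The following is an added example, not part of the original posts: it reads `reg query` output, flags the combination from the question (PIN required, the other three methods allowed) and derives a consistent setting. The registry value names and the 0/1/2 encoding are assumptions not stated in the thread, and the function names are hypothetical.

```python
import re

# Assumption (not stated in the thread): the four "Require additional
# authentication at startup" options are stored as DWORDs under
# HKLM\SOFTWARE\Policies\Microsoft\FVE, 0 = Do not allow, 1 = Require, 2 = Allow.
DISALLOW, REQUIRE, ALLOW = 0, 1, 2
METHODS = {
    "UseTPM": "TPM startup",
    "UseTPMPIN": "TPM startup PIN",
    "UseTPMKey": "TPM startup key",
    "UseTPMKeyPIN": "TPM startup key and PIN",
}

# Constructed sample: `reg query` output matching the four settings listed in
# the question (PIN required, the other three allowed).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE
    UseAdvancedStartup    REG_DWORD    0x1
    UseTPM    REG_DWORD    0x2
    UseTPMPIN    REG_DWORD    0x1
    UseTPMKey    REG_DWORD    0x2
    UseTPMKeyPIN    REG_DWORD    0x2
"""

VALUE_RE = re.compile(
    r"^[ \t]+(\w+)[ \t]+REG_DWORD[ \t]+0x([0-9a-fA-F]+)[ \t]*\r?$", re.M)

def parse_startup_policy(reg_output):
    """Return {value name: int} for the startup methods present in the output."""
    found = {name: int(hexval, 16) for name, hexval in VALUE_RE.findall(reg_output)}
    return {name: found[name] for name in METHODS if name in found}

def find_conflicts(policy):
    """Rule from the reply: once one method is required, no other may be allowed."""
    required = [name for name, value in policy.items() if value == REQUIRE]
    conflicts = []
    if len(required) > 1:
        conflicts.append("more than one method is required: "
                         + ", ".join(METHODS[name] for name in required))
    if required:
        for name, value in policy.items():
            if value == ALLOW:
                conflicts.append(f"{METHODS[name]} is set to Allow while "
                                 f"{METHODS[required[0]]} is required")
    return conflicts

def consistent_policy(policy):
    """Keep the first required method and set every other method to Do not allow."""
    required = [name for name, value in policy.items() if value == REQUIRE]
    if not required:
        return dict(policy)
    return {name: (REQUIRE if name == required[0] else DISALLOW) for name in policy}

if __name__ == "__main__":
    current = parse_startup_policy(SAMPLE_REG_QUERY)
    for line in find_conflicts(current):
        print("conflict:", line)
    print("consistent:", consistent_policy(current))
```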

  • Is there a way to give a local user permission to add a local user using the local group policy editor?

    I need to find a way to have the local administrator of a Windows Server 2012 system grant a local user (non-administrator) the ability to add a user for the machine using the local group policy editor. The machine is not part of any Active Directory environment,
    this is strictly on the one machine.  In my situation it is not an option to just make the user an administrator. The idea is to give someone the right to add a user and have no other such administrative rights. I need to accomplish this using the
    Local Group Policy editor or the Group Policy Management Console if it is possible to do this outside of an active directory environment. This is not an assignment to learn how to use these tools and I am not even sure if it would even be possible though I
    need to either find a way or find proof that it is not possible using these applications.

    Hi,
    Sorry for the delayed reply.
    So did you want a non-admin user to have the ability to add another user?
    As far as I know, we cannot add the user if we have no local admin permission, we will receive the error "Access denied".
    Regards.
    Vivian Wang

  • Group policy adm question

    Hey there,
    I am bit stuck on a group policy thingy. :)
    When I edit my group policy in c1, I see all of my policies including all those custom ADM files that I added to both the user and computer policies. Everything looks good.
    However, when I go to a workstation and run the gpedit.msc all I see are the standard policies and none of the custom ADMs. Along with that, it looks as if none of my custom adm settings actually apply.
    We have a small ADM from Energy star that turns off a non-logged in PC after 30 minutes. Worked last year, not this year.
    Any ideas?
    Tom

    Tom,
    try this "Computer Configuration,Administrative Template, then for
    Windows2000 you must click Views, then uncheck "Show Policies Only",
    and for XP, View, Filtering,and then uncheck "Only show policy settings
    that can be fully managed"."
    Shaun Pond

Maybe you are looking for