Questions tagged as ['group-policy']

As per title, am attempting to disable TLS1.0/1.1 and default to TLS 1.2 instead.
However, my registry does not have the below paths:
../Protocols/TLS 1.0/servers
../Protocols/TLS 1.0/clients
../Protocols/TLS 1.1/servers
../Protocols/TLS 1.1/clients
../Protocols/TLS 1.2/servers
../Protocols/TLS 1.2/clients
This is causing my gpupdates to fail as those paths cannot be found. Most resources I have checked eit ...

I have a PowerShell script that I need to run once on all computers in my Active Directory domain. A large number of computers are off at any given time, so a GPO would allow us to ensure that it applies to all affected machines. However, the script needs to run as administrator because of the registry values being modified. Also, per our security department, we cannot change the ExecutionPolicy on these ...

I have a problem that can solve, a client of mine have access free laptop for young people to research job or do paperwork. Those laptop cannot be on the domain. The administration of those computer is done via the "Veyon" application.
I create on each of them a user account with really strict Local Group Policy Settings and now I want to export those GPO to the other user on the 8 laptop.
To this e ...

We are performing tests to deploy a Univention UCS domain with samba Active Directory in our company and, to comply with a security normative, we need to activate the GPO "Display information about previous logons during user logon" found in "Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options".
I have been testing but I can't get it to work correctly ...

I am trying to implement, through a GPO, a new Start Menu Layout, but no matter what I do it simply doesn't apply.
This is the XML of this Layout:
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas ...

We are trying to set up a three step permission-structure (Firstline, secondline, thirdline support). Firstline can only RDP with user-rights to all our domain-servers, no problem there with restricted groups GPO.
Now to the problem, secondline should be able to RDP + Update applications and restart services. How do I achieve this via GPO? Where I look it's the other way around, DON'T allow users ...

I have an issue where I was modifying some settings in the Default Domain Policy (I know I shouldn't have) and I've managed somehow to set the 'Allow log on through Terminal Services' to a null value (I think I forgot to uncheck it after I removed the groups I deleted). So now I can't log in using RDP. I can still access the Domain Controller through ssh so is there a way to remove this setting through po ...

I have 4 printers being deployed by my Windows Server 2016. They are all the same printer. I am using the latest driver. The printers are deployed by the server using Group Policy. The printers are deployed "per machine" through GPO. When I go and check the computers in the OU only 1 of the 4 printers gets deployed. All the printers have the same security permissions.
I am using the Point To Prin ...

I have inherited hardened clients with a lot of policies applied to them. There is an application running on these clients that should show the Windows printing dialog, but it does not pop up.
There are no policies regarding printers configured, and I have no idea which policies stop this dialog from appearing. How can I find out which one it is? Maybe someone has an idea which policies to test ...

I wish to run the following instruction in a Windows cmd: java -jar app.jar. App.jar is an application in charge of creating a file in the Temp folder of the Windows user folder but it fails because it does not have write permissions. The Windows user is given full control on C drive. Then the command is executed but the same message keeps. Is there a GPO policy in Windows Server that allows java applic ...

I am trying to add a scheduled task to run a batch file that updates / installs software. I created a GPO to create the task, using these settings:
For one of them, I am using item level targeting to only apply to one group. But this issue is happening with both. I also have tried using both User Configuration and Computer Configuration, with the same se ...

We have developed a browser extension and wish to distribute it.
A license key is required to use our Chrome extension. This value should be set by the system administrators and not by individual end users.
How can we let administrators pass the license key via group policy or other device management configuration?

I have inherited a network whose GPOs are damaged, the SYSVOL folder shows signs of tampering with the NTFS permissions and folder structure manually, and I am unable to add/edit any GPOs, I receive an "Access Denied" error and the only entry in eventvwr I can find looks like an app crash for the mmc plugin. From timestamps it is clear this hasn't worked for 4+ years.
- I have performed a D2 and D4 r ...

We inherited a network with badly damaged GPOs across 3 DC's (all WinServ 2016). We receive an "Access Denied" error when using GPOs, and the permissions of the SYSVOL folder show signs of tampering. I have attempted a D2 and D4 restore, following these instructions: https://docs.microsoft.com/en-US/troubleshoot/windows-server/group-policy/force-authoritative-non-authoritative-synchronization
However t ...

We have a DNS suffix for our domain ourdomain.local and it works whenever we have one additional DNS component e.g. test1.ourdomain.local or graphs.ourdomain.local, so that means we only have to type test1 or graphs and it will resolve correctly. However if we have remote.graphs.ourdomain.local then remote.graphs won't resolve and only remote.graphs.ourdomain.local will.
This is a Windows Server 2012R2 ...

For Windows-based PCs connected with Windows AD with Group Policy, we want to block USB phone tethering options. And we have tried the following things, which seem to be working for some people but not us.
We have applied computer policy to block device installation
System/Device Installation/Device Installation Restrictions > Prevent installation of devices that match any of these device IDs
Device ID ...

Background
Historically in my organisation we have used a particular shared domain admin account (let's call it SharedDA) for almost everything. It is currently logged on to several dozen servers. Bad juju.
Saner minds are now prevailing and we are planning to completely remove access to this SharedDA account, with the ultimate aim of deleting it, however we have a certain number of our technica ...

Background
I have a Windows domain consisting of ten Windows 2022 servers and five Windows 11 Hyper-V VMs. The servers live at AWS. The Windows 11 VMs live on various laptops.
I want to implement a reliable Windows Update strategy.
What I Want
My preference is for downloading to take place automatically in the background, and for installations and subsequent reboots (if necessary) to take place at or ...

The root certificate of the DFN-PKI "T-TeleSec GlobalRoot Class 2" is not activated in the Windows certificate store for the certificate purpose "code signing".
I can activate it with certmgr.msc in [Trusted Root Certificates Authorities] > [Certificates] > RMB on "T-TeleSec GlobalRoot Class 2" > [Select role code-signing].
I have some 50+ PCs where this setting is required.
In Group Pol ...

We have 2 domain controllers with 2019 server, system administrator made something with GPO which deny access for group "Domain Admins" to workstations, now it is distributed throughout the domain (including domain controllers and servers). He also made changes to Active Directory Users and Computers (like include domain admins to Protected user group, deny delegation for domain admins in profiles, rese ...

My client's environment is a mix of Windows 2012, 2016 and 2019 servers. Recently we had a few additional Windows 2019 servers provisioned and added to our domain. When I run gpupdate /force from the command line on these newly provisioned 2019 instances I get the following error - "User Policy Update Failed".
If I run gpresult /h gpo.html and review the results in a browser it's showing "No Errors De ...

Is there a way to change the amount of time the Group Policy Files Preference Policy takes to timeout when the file server is not available? A setting that affects only this preference item is necessary. Perhaps a registry change.
In an isolated backup test lab, we need to start an image of the domain controller first. The domain controller has group policy files preference items applied which re ...

My client's domain has various 2012R2, 2016 and 2019 Windows Server versions. Two of the four domain controllers are running Windows 2012R2 and the ADMX files haven't been updated in years. The other two domain controllers are Windows 2019 and they have the FSMO roles assigned to them.
I hope to have all 2012 instances retired for good shortly, including the DC's. Since the ADMX files haven't been updat ...

This is a Server 2022 Standard box. I want to set a GPO in order to log failed login events. So in the Default Domain Controllers Policy I went to Windows Settings->Security Settings->Local Policies->Audit Policy->Audit Logon Events and set it to 'Failure'.
No logon failures are being recorded. In the Security Event Log, several times a day I am seeing multiple 4719 Events as the policy ...

We have joined a Windows 11 machine for the first time to our domain, however something is not working as expected. For instance, the machine cannot be pinged, although the domain GPO sets a rule in the firewall to allow this.
Computer Configuration
Policies
Administrative Templates
Network/Network Connections/Windows Defender Firewall/Domain Profile
Allow inbound echo request Enabl ...

As shown in here
Group Policy for Blocking Windows 11 Upgrade Prompts
Microsoft allows blocking the Windows 11 Update via a GPO, however as far as it seems you have to specify both the main (e.g. Windows 10) and sub-version (e.g. 21H2) of Windows. Can the field for the sub-version be left empty or anything else be done so it properly keeps updating the sub-version but stays on Windows 10?
After all you ...

We've set "Microsoft network server: Server SPN target name validation level" to "Required from client" on our test GPO.
Our test systems have some custom machine aliases in their hosts files, but once the option is turned on we can no longer access SMB shares using the machine alias.
I've struggled to find information on this interaction so was hoping someone would be able to explain the interact ...

I need to distribute a secret token to a group of users, where it would be stored in ODBC configuration in the password field (masked). The goal is to make it accessible for GPO script, but not viewable by users (to reduce chances of leaking).
My question is similar to this one, but as I understand, in that case users will be able to access the secret in the place where it is stored.
What is the best way ...

I've an Ubuntu desktop client joined to an Active Directory 2008 R2 domain.
I need to use "kinit" command on Linux to determine when a user password will expire. That's my way to go due to other scripts running on system so can't / don't want to change that approach.
However, as far as I saw, kinit returns password expire warning for 7 days or lower. Can I change this attitude? What makes kinit retur ...

I have had a client request that I set up a user account on a Windows device that will clear all user profile data once the account has been logged off. The computer is a shared device that will be used by guests and there cannot be any reference to the previous guest's data.
My question is, what is the best method for achieving this? Is there a way I can achieve this with Group Policy, or some for ...