Questions tagged as ['group-policy']

Group Policy is a built-in feature of the Microsoft Windows operating systems. Group Policy allows administrators to automatically configure myriad options within the OS. These policies can be configured, and applied, either locally to the computer via Local Group Policy or remotely within an Active Directory environment.
Score: -1
Attempting to disable TLS1.0/1.1 on Windows level via GPO

As per title, am attempting to disable TLS1.0/1.1 and default to TLS 1.2 instead.

However, my registry does not have the below paths:

../Protocols/TLS 1.0/servers
../Protocols/TLS 1.0/clients
../Protocols/TLS 1.1/servers
../Protocols/TLS 1.1/clients
../Protocols/TLS 1.2/servers
../Protocols/TLS 1.2/clients

This is causing my gpupdates to fail as those paths cannot be found. Most resources I have checked eit ...

Score: 0
Run a PowerShell script once on all computers as admin via GPO without changing execution policy

I have a PowerShell script that I need to run once on all computers in my Active Directory domain. A large number of computers are off at any given time, so a GPO would allow us to ensure that it applies to all affected machines. However, the script needs to run as administrator because of the registry values being modified. Also, per our security department, we cannot change the ExecutionPolicy on these ...

Score: 0
Export Local Group Policy Settings to Another Computer

I have a problem that can solve, a client of mine has free-access laptops for young people to research jobs or do paperwork. Those laptops cannot be on the domain. The administration of those computers is done via the "Veyon" application.

I create on each of them a user account with really strict Local Group Policy settings, and now I want to export those GPOs to the other user on the 8 laptops.

To this e ...

Score: 0
Samba AD GPO “Display information about previous logons during user logon” does not apply and makes it impossible to logon

We are performing tests to deploy a Univention UCS domain with Samba Active Directory in our company and, to comply with a security normative, we need to activate the GPO "Display information about previous logons during user logon" found in "Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options".

I have been testing but I can't get it to work correctly ...

Score: 1
marafado88
Customize start menu from Windows through GPO not working

I am trying to implement a new Start Menu layout through a GPO, but no matter what I do it simply doesn't apply.

This is the XML of this Layout:

<?xml version="1.0" encoding="utf-8"?>
    xmlns:start="http://schemas ...
Score: 0
Best approach for specific local server permissions?

We are trying to set up a three step permission-structure (Firstline, secondline, thirdline support). Firstline can only RDP with user-rights to all our domain-servers, no problem there with restricted groups GPO.

Now to the problem: secondline should be able to RDP + update applications and restart services. How do I achieve this via GPO? Where I look it's the other way around, DON'T allow users  ...

Score: 0
Sparky26
Can you modify or remove a Domain GPO Setting through powershell

I have an issue where I was modifying some settings in the Default Domain Policy (I know I shouldn't have) and I've managed somehow to set the 'Allow log on through Terminal Services' to a null value (I think I forgot to uncheck it after I removed the groups I deleted). So now I can't login using RDP. I can still access the Domain Controller through ssh so is there a way to remove this setting through po ...

Score: 0
Deploy Printers Per Machine With GPO

I have 4 printers being deployed by my Windows Server 2016. They are all the same printer. I am using the latest driver. The printers are deployed by the server using Group Policy. The printers are deployed "per machine" through GPO. When I go and check the computers in the OU only 1 of the 4 printers gets deployed. All the printers have the same security permissions.

I am using the Point To Prin ...

Score: 0
RagedVimClicker
Printing on hardened windows clients

I have inherited hardened clients with a lot of policies applied to them. There is an application running on these clients that should show the Windows printing dialog, but it does not pop up.

There are no policies regarding printers configured, and I have no idea which policies stop this dialog from appearing. How can I find out which one it is? Maybe someone has an idea which policies to test ...

Score: -1
user3637971
GPO policy to give write permissions to java applications in C drive

I wish to run the following instruction in a Windows cmd: java -jar app.jar. App.jar is an application in charge of creating a file in the Temp folder of the Windows user folder, but it fails because it does not have write permissions. The Windows user is given full control on the C drive. Then the command is executed but the same message keeps. Is there a GPO policy in Windows Server that allows java applic ...

Score: 0
Group Policy scheduled task for running .bat file applies, but task does not create

I am trying to add a scheduled task to run a batch file that updates / installs software. I created a GPO to create the task, using these settings:

For one of them, I am using item level targeting to only apply to one group. But this issue is happening with both. I also have tried using both User Configuration and Computer Configuration, with the same se ...

Score: 0
Dani-san
Chrome enterprise set custom setting for extension

We have developed a browser extension and wish to distribute it.

A license key is required to use our Chrome extension. This value should be set by the system administrators and not by individual end users.

How can we let administrators pass the license key via group policy or other device management configuration?

Score: 0
TechnoNewbie
WinServer2016 - Access Denied when adding or changing a GPO

I have inherited a network whose GPOs are damaged, the SYSVOL folder shows signs of tampering with the NTFS permissions and folder structure manually, and I am unable to add/edit any GPOs. I receive an "Access Denied" error and the only entry in eventvwr I can find looks like an app crash for the mmc plugin. From timestamps it is clear this hasn't worked for 4+ years.

Score: 1
TechnoNewbie
GPO and SYSVOL reset

We inherited a network with badly damaged GPOs across 3 DC's (all WinServ 2016). We receive an "Access Denied" error when using GPOs, and the permissions of the SYSVOL folder show signs of tampering. I have attempted a D2 and D4 restore, following these instructions:

However t ...

Score: 0
sdlsep
DNS suffix works only when no subdomains are added

We have a DNS suffix for our domain ourdomain.local and it works whenever we have one additional DNS component e.g. test1.ourdomain.local or graphs.ourdomain.local, so that means we only have to type test1 or graphs and it will resolve correctly. However if we have remote.graphs.ourdomain.local then remote.graphs won't resolve and only remote.graphs.ourdomain.local will.

This is a Windows Server 2012R2 ...

Score: 1
Block or Disable USB tethering using Windows AD GroupPolicy

For Windows-based PCs connected with Windows AD with Group Policy, we want to block USB phone tethering options. And we have tried the following things, which seem to be working for some people but not us.

We have applied computer policy to block device installation

System/Device Installation/Device Installation Restrictions > Prevent installation of devices that match any of these device IDs

Device ID  ...

Score: 2
blackworx
If I set a policy to deny log on locally for a particular AD user, will it affect existing logged on sessions belonging to that user in any way?

Historically in my organisation we have used a particular shared domain admin account (let's call it SharedDA) for almost everything. It is currently logged on to several dozen servers. Bad juju.

Saner minds are now prevailing and we are planning to completely remove access to this SharedDA account, with the ultimate aim of deleting it, however we have a certain number of our technica ...

Score: 2
juan_more_bitcoin
Windows Update fallback plan when system is powered off?

I have a Windows domain consisting of ten Windows 2022 servers and five Windows 11 Hyper-V VMs. The servers live at AWS. The Windows 11 VMs live on various laptops.

I want to implement a reliable Windows Update strategy.

What I Want

My preference is for downloading to take place automatically in the background, and for installations and subsequent reboots (if necessary) to take place at or  ...

Score: 2
GPO to add a purpose to root certificate

The root certificate of the DFN-PKI "T-TeleSec GlobalRoot Class 2" is not activated in the Windows certificate store for the certificate purpose "code signing".

I can activate it with certmgr.msc in [Trusted Root Certificates Authorities] > [Certificates] > RMB on "T-TeleSec GlobalRoot Class 2" > [Select role code-signing].

I have some 50+ PCs where this setting is required. In Group Pol ...

Score: -1
cozby
Can't logon to domain controllers

We have 2 domain controllers with 2019 server. The system administrator made something with GPO which denies access for group "Domain Admins" to workstations; now it is distributed throughout the domain (including domain controllers and servers). He also made changes to Active Directory Users and Computers (like include domain admins to Protected user group, deny delegation for domain admins in profiles, rese ...

Score: 0
jrd1989
Windows Server 2019 GPO - "User Policy Update Failed"

My client's environment is a mix of Windows 2012, 2016 and 2019 servers. Recently we had a few additional Windows 2019 servers provisioned and added to our domain. When I run gpupdate /force from the command line on these newly provisioned 2019 instances I get the following error - "User Policy Update Failed".

If I run gpresult /h gpo.html and review the results in a browser it's showing "No Errors De ...

Score: 0
Appleoddity
Can I change the timeout settings for Group Policy Files Preference policy?

Is there a way to change the amount of time the Group Policy Files Preference Policy takes to timeout when the file server is not available? A setting that affects only this preference item is necessary. Perhaps a registry change.

In an isolated backup test lab, we need to start an image of the domain controller first. The domain controller has group policy files preference items applied which re ...

Score: 1
jrd1989
How to Update ADMX Files - Different Server OS Versions in Domain

My client's domain has various 2012R2, 2016 and 2019 Windows Server versions. Two of the four domain controllers are running Windows 2012R2 and the ADMX files haven't been updated in years. The other two domain controllers are Windows 2019 and they have the FSMO roles assigned to them.

I hope to have all 2012 instances retired for good shortly, including the DC's. Since the ADMX files haven't been updat ...

Score: 0
Ian Pendlebury
GPO Audit Policy Issue

This is a Server 2022 Standard box. I want to set a GPO in order to log failed login events. So in the Default Domain Controllers Policy I went to Windows Settings -> Security Settings -> Local Policies -> Audit Policy -> Audit Logon Events and set it to 'Failure'.

No logon failures are being recorded. In the Security Event Log, several times a day I am seeing multiple 4719 Events as the policy  ...

Score: 0
Windows 11 PC is ignoring domain GPO to allow inbound ICMP

We have joined a Windows 11 machine for the first time to our domain; however, something is not working as expected. For instance, the machine cannot be pinged, although the domain GPO sets a rule in the firewall to allow this.

Computer Configuration 
  Administrative Templates  
   Network/Network Connections/Windows Defender Firewall/Domain Profile 
    Allow inbound echo request Enabl ...
Score: 1
Block Windows 11 via GPO without specifying sub-version

As shown here:

Group Policy for Blocking Windows 11 Upgrade Prompts

Microsoft allows blocking the Windows 11 Update via a GPO; however, as far as it seems, you have to specify both the main (e.g. Windows 10) and sub-version (e.g. 21H2) of Windows. Can the field for the sub-version be left empty, or anything else be done, so it properly keeps updating the sub-version but stays on Windows 10?

After all you  ...

Score: 3
Why does a MS GPO option break SMB shares that use a hosts file for the machine name?

We've set "Microsoft network server: Server SPN target name validation level" to "Required from client" on our test GPO.

Our test systems have some custom machine aliases in their hosts files, but once the option is turned on we can no longer access SMB shares using the machine alias.

I've struggled to find information on this interaction so was hoping someone would be able to explain the interact ...

Score: 0
Distribute a Secret to users without showing it to users [Active Directory, Group Policy]

I need to distribute a secret token to a group of users, where it would be stored in ODBC configuration in the password field (masked). The goal is to make it accessible for GPO script, but not viewable by users (to reduce chances of leaking).

My question is similar to this one, but as I understand, in that case users will be able to access the secret in the place where it is stored.

What is the best way ...

Score: 0
Diga
kinit Password Expire Warning

I have an Ubuntu desktop client joined to an Active Directory 2008 R2 domain.

I need to use "kinit" command on Linux to determine when a user password will expire. That's my way to go due to other scripts running on system so can't / don't want to change that approach.

However, as far as I saw, kinit returns password expire warning for 7 days or lower. Can I change this attitude? What makes kinit retur ...

Score: 0
Smithy
Best Method For Clearing User Data On Shared Windows Device?

I have had a client request that I set up a user account on a Windows device that will clear all user profile data once the account has been logged off. The computer is a shared device that will be used by guests and there cannot be any reference to the previous guests' data.

My question is, what is the best method for achieving this? Is there a way I can achieve this with Group Policy, or some for ...