Channel: Active Directory & GPO
Viewing all 20789 articles

Deploy GPO for plain Win10 VPN connection before domain login

I have successfully created a VPN connection through my Windows 10 professional computer to our branch office through a Peplink router using the following parameters:

  • L2TP/IPsec
  • Preshared key
  • Username & password
  • MS-CHAP

So far so good, works perfectly.

If a domain laptop is taken home, I'd like to allow activating the VPN connection on the Windows 10 login screen, before login is attempted, so that the server on the remote network may authenticate the client.

Can I achieve this? Eventually by deploying a GPO (this is not compulsory).


Power Policy GPO

Good Afternoon,

I am creating a new power plan group policy. It appears everything is working well. However, I am being asked to disable Allow Wake Timers for both the on battery and plugged in options. However, I am not seeing where in GP to control these options.

I found this website for enabling them.  

https://adameyob.com/2015/02/28/enable-wake-timers/ 

It seems like there isn't an option for it in GP. I just wanted to see if anyone else has dealt with this issue before. Any assistance would be appreciated.

Program won't open with domain user.

Ok, so we are on Windows Server 2012, and workstations are Windows 10.

There are 2 workstations on which standard users cannot open certain apps (Python in this case).
I can open the program with an admin account, but students can't. If they use a different machine it works fine, so I am ruling out a problem with the user account.
The workstations in question are in the correct groups in AD. I have tried reinstalling the program and still no luck with the students. I can't help but think there is a simple solution to this, but I can't get my head round it.
Has anyone else had a problem like this before, or could anyone help?
Thanks

Testing GPO failing

I have a few account policies nested together and was testing the lockout policy, and it's not working. Is it due to too many policies in one? Where do I begin to test? Create a new GPO as a singular one and see if it works?

Adding a TCP/IP printer through GPO requires admin privileges

Hello All,

I have 8 terminal servers and 30 physical locations. I am trying to add printers to terminal servers based on the client's location. So basically if a user logs in from location 1 to the terminal server then he/she will see the printers of location 1. If he/she logs in from location 2 then the printers of location 1 should get deleted and the printers of location 2 should get added.

I was able to achieve it by deploying the printers using GPO - User Configuration - Preferences - Control Panel Settings - Printers. I added item-level targeting to set the client IP range for the RDP session. The whole setup is working fine except for one thing.

Adding a TCP/IP printer requires admin rights and since I have checked the checkbox "Run in logged-in user's security context" the whole setup does not work when a standard user...

GPO will create URL shortcuts but not system objects

Hi guys,

I'm trying to fix these shortcuts I pushed out over the weekend. I pushed them as URLs since it's a website, but people are used to having this program pinned to their taskbar. I was able to create a shortcut that targets Firefox with the -url attribute, but when I try to push it out, nothing happens. I know the GPO is applying via gpresult and it deletes the old URLs, but I don't see the new shortcuts being created. Has anyone experienced this before?


Thanks,

-D

GPO for screen lockout for Local Users only

Hello

Computer1 - part of the domain and receives our domain policy for the screen lockout (15 minutes).

But when someone logs into the computer locally, I need the computer NOT to lock out at all (this is a camera surveillance machine). And when a user logs into the domain as a domain user, the domain policy should be enforced.

Thank you

Terry

GPO Workgroup Templates

Hi all - I set up a GPO to update some Office (Word, Excel, PowerPoint) templates. All users on the local domain are able to see the shared templates in Office. Users that work offsite, but connect to the network shares via VPN, are not able to see the shared templates.

This is an example of a correct location from GPO from a PC that is on the domain and connected to the network in the office:


The problem I am having is trying to get this to work on a laptop on the domain that is out of the office and not actively connected to the network unless it is connected to the VPN.

The end user for this example will have the same window as above, but the workgroup template location would be blank. Trying to change the location manually to the network location (either by IP or DNS) won't work either. Trying to change this location to a local location (for...


Folder Redirection and Offline Files via GPO Deleting Files

We have group policies that set folder redirection for user document and app data folders to be stored on a file server. We also have Offline Files set via GPO so that users can take their laptops out of the office and have access to their files. This has been working for years (with glitches here and there) except for the occasional computer that refuses to synch until we turn off file synch and turn it back on. Anyway, I had to make a change to the path in the GPO such that it no longer redirects to \\FileServer, but rather now points to \\FileServer.domainname.org (That is, the Fully Qualified Domain Name). We had to do this to accommodate a couple of new offices connected via VPN so users could still reach their file server. But now, when some users have moved into the new office and their computer syncs, their folder on the file...

GPO - Roaming Personalisation

Hi there,

I'm looking to get a little bit of advice for my home environment. Currently I have several computers that are Active Directory domain joined, having various policies applied to them.

At the moment (obviously) things like wallpaper, colour scheme, and things like that aren't transferred computer to computer.

I don't want to go down the route of full folder redirection, or roaming profiles, as I think it's a bit overkill for what I'm wanting to achieve.

But is there any way or solution you can think of that would allow roaming of personalisation settings between computers?

Thanks in advance,
Chris!

Mapped Drive GPO Item Level Targeting Not Working

I have a network share with share permission set to Everyone Full and NTFS permissions set to my security group as Full.

Created a GPO to map the network drive to the share, with Authenticated Users in the security filtering.
User Configuration > Preferences > Windows Settings > Drive Maps
> General
  Action: Replace
  Location: \\server\share
  Label: Sharename
  Use: F
  Hide/show this drive: Show this drive
> Common
  Item Level Targeting: checked
  Targeting: Security group > my security group

GPO is applied at the domain level.

I run gpupdate /force on a test workstation and the drive doesn't show up. Run gpresult /r and it shows the GPO applied. If I go back and remove the Item Level Targeting, the drive will show up on gpupdate /force.

What am I doing wrong?

Disable the Default Administrator account in existing DC?

SysAdmin/IT/Computer guy at our company. Started here when we had 6 computers that were not networked and now we have 50+ in an AD setup. So please forgive me if I have been a bit sloppy with "Best Practices", I have had no training other than trial and error.

We've also hired an outside firm to help us get NIST compliant. One of the things they don't like is that I use the Builtin Administrator account (UserName is "Administrator") to manage the domain. When I set up the Domain years ago I just used the Default Administrator username. Yes, the password is changed, it's complex, changes regularly, and it's not shared with anyone else. They want me to change this and use a different one and disable the "Administrator" user. So I have added a new "Administrator" user (UserName NewAdministrator, not really, but for this discussion) to the Domain...

New VBScript not working for all users

I have made a new VBScript for our mail signature. It works for about 95% of all the users - but the last 5% is a mystery.

The VBScript is executed by a .bat file from GPO - Logon.

The file deletes the old Signature folder first and after that runs the VBS script, which makes a new file in \Users\%username%\appdata\local - so it checks if it exists or it will create a new "check" file.

It takes the data from AD

But to get back to the issue - a very few users can't execute the bat file from \\domainFQDN\Netlogon\

The problem is that the VBS box "Open File Security Warning" keeps popping up - when I press Accept/OK, but when I press Cancel it says Access denied and keeps coming with the Access denied every time I press Cancel.

But if I make a new user profile for the user it works without problems.

If I try to enable the(Security - Internet -...

One profile to rule them all

I need some guidance and ideas on how to approach a project I have going on. I have adventured through Google Univ. and found super-mandatory profiles and such, but I am looking for a more GPO oriented setup if possible.

We have a common use machine that serves a very specific but small task, can be thought of as a clockin\clockout machine. Attached to this machine is a label printer that needs preferences set up all the time for all different users (Drops settings and general printer fun).

Here's what I'm trying to do: when any user logs in they would be signed in with their domain login, however they would be presented with a predefined default profile with the shortcuts needed to perform the task this computer is there for. I would also like to have the printer set up on this profile with the correct settings and all that jazz (main...

Designing a new active directory

This is a question about my home network, so I made it a discussion. My home network is simple: one AD server, one forest and one domain and a handful of computers. When I set the domain up the FQDN was servername.domain.int since I didn't have a domain.

Since then I have started a hobby that DOES have a registered domain name. I have been contemplating redesigning the network anyway for personal reasons. If I do, should I use domain,int or domain.int? Why?


Set ADComputer Description during OSD

I have a PowerShell script that is supposed to update the computer's description during the OS Deployment (see script below).

I have the task sequence set to bypass and running as a service account that has access to modify the Computer object, but I keep getting the following error in the SMSTS.LOG:

failed to get the linked token information. It may not be available. Error 1312
...
CreateProcessAsUser failed. Code (0x8007010B)
Command line Execution failed (8007010B)
...
Failed to execute PowerShell Command line
...
Run PowerShell script failed to run, hr=0x8007010b
...
Failed to run the action: Set AD Computer Descirption. Error -2147024629

This is the code (PowerShell):

#OSDDescription and OSDComputerName are set earlier.
$TSEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment
[string]$Description = $TSEnv.Value("OSDDescription")
[string]$ComputerName = ...

Supporting Remote Work via VPN on company-issued laptops?

Given the recent news, we are preparing some laptops for employees to use at home that may not have access to a computer at home.

It's been a while since we supported this type of environment. I'm looking for best practice suggestions on how to configure the laptops.

  • Laptops are running Windows 10 Enterprise; we have a SonicWall SRA that handles VPN connections. We use a lot of on-prem software that is typically available via RemoteApp, but could be installed locally if the laptop has a VPN connection. We have a hybrid domain with Azure AD (Federated).

Given the above:

  1. Should I domain join the laptops? (Or perhaps just register them in Azure AD?)
    1. If I domain join them, and someone takes it home, they won't be able to log in unless the VPN tunnel is live, which may be an issue if it can't find a network for connectivity.
  2. Is it possible to...

dns integration with new domain tree in forest

I am administrator for a small AD domain (300 computers). It has always been the only domain in the forest. Let's call it original.local. There are 2 DCs in the domain/forest.

I recently created a new tree in the forest, let's call it new.local. This new.local will eventually have around 150 computers. So now in the forest original.local there are 2 tree domains: original.local and new.local. To create this new tree domain I first created the new.local DNS zone, then I promoted a new server to be the first DC in the new tree of the forest.

Now my question is how to properly set up DNS so that both domains can update each other. I am not clear on whether I should be using conditional forwarders, or adding a new zone, and if so what type.

These two forest domains are separate legal companies which share a lot of resources (including the IT...

Printer properties shows multiple printers

Hello All,

I am deploying the printers through GPO: User Configuration > Preferences > Control Panel Settings > Printers > Right Click > New > Shared Printer. The action is set to Update. “Run in logged-on user’s security context (user policy option)” and “Item-level targeting” are checked. In Item-level targeting the printer is deployed based on the terminal session client IP range. The policy is working fine, but somehow it looks like the printer is getting deployed multiple times or something, because the printer properties shows a lot of printers inside it as shown below.

Just to verify that no other group policy is deploying these printers, I disabled the GPO which was deploying the printer, deleted the printer manually and logged off and logged in with that user multiple times, and the printer did not come back, but as soon as I enable...

pull users using AD attribute

Hi Experts

I want to make a dynamic distribution list, but before that I am trying to write a query to pull John's organization: managers who have direct reports and those without direct reports.

We have the below custom attribute in AD, for example:

For Paul I have customattribute01 as |john|roger||
For Tim I have customattribute01 as |john|roger|paul||

If I use the below query I am getting the output, but I don't see Tim's name because Tim does not have direct reports. Even though Tim does not have direct reports I want to pull Tim as well. Experts, guide me on how to modify the below query to include Tim as well.

((extensionAttribute01 -like '*john*') -and (directReports -like '*' ))

$input = "((extensionAttribute01 -like '*john*') -and (directReports -like '*' ))"
Get-ADUser -Filter $input -properties DisplayName,Userprincipalname| Select...
