@G-I-Jones said in GPO to create scheduled task to run netlogon batch script:

Did you ever figure this out?

No and the person who was working on it has been OOO all day, so its not a priority either.

Jared ran into a simliar'ish problem recently... There is a thread around here somewhere.

@wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

@Obsolesce said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

@wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

t only applies the setting when linked to the OU of the user

We'll according to that screenshot, it IS a user setting.

Yeah. I want all users or a group of users who login to the RD00 server (and only this server) to have this GPP modifying HKCU to apply. Is it even possible?

Yes, it's possible.

Ensure the GPO is applying to the user. For example, if User1 is in the Company > Users OU, then make sure that GPO is either in Company or Users OU and the Users OU is inheriting the GPO. Verify with RSOP and gpresult that user is getting the policy.

I think, but it's been awhile since I did much with AD GP... (like you are in the screenshot) use item-level targeting to the server name.

Test it by having one of the in-scope users log on to a difference server, run gpresult and see if it's applying, then try it on the targeted server and see if it applies then.

@black3dynamite said in Windows Server 2016 RDS - GPO for Disabling Windows Update Notifications for Non-Admins/Users?:

@wrx7m said in Windows Server 2016 RDS - GPO for Disabling Windows Update Notifications for Non-Admins/Users?:

@black3dynamite said in Windows Server 2016 RDS - GPO for Disabling Windows Update Notifications for Non-Admins/Users?:

@wrx7m Is that a computer configuration or user configuration policy? Try applying the rules to only non-admins groups.

Yeah, it is at the computer level. I would like to do it via user config but I only want them to apply to users on the RD servers. I need to figure out the proper way to structure AD/GPOs to not screw up everything else.

I am guessing creating another OU as a sub container and move the RD servers into.

Edit: Since it isn't GPP, there isn't any item level targeting, so I can't do it that way.

If you can make those changes directly in the registry, maybe can allow you to use GPP and item level targeting.

Hmmm. That makes sense. Let me mull it over.

A quick update for y'all that are watching/participating in this thread (thank you, by the way!).

Late Friday I realized where the lockouts where coming from. We have a Windows VM that has a suite of applications that folks need to use every blue moon or so, and they access the VM via RDP. Of course, users don't log out, they just close the RDP client (I am going to fix this). The user in question had an old logon session on this VM. Killing the user's session (I just rebooted the VM) seems to have done the trick.

Now the goal is to better position myself for the next time this happens. I also figure it's probably not a bad idea to have more visibility on account lockouts and where they are coming from in general.

@marcinozga said in Any Way to Automate Adding a New Computer to an AD Group?:

@flaxking said in Any Way to Automate Adding a New Computer to an AD Group?:

@marcinozga said in Any Way to Automate Adding a New Computer to an AD Group?:

Ansible can do that. https://docs.ansible.com/ansible/latest/modules/win_domain_group_membership_module.html#win-domain-group-membership-module
You can add new PCs to domain, and change their group membership, you just need to know computer names in advance.

Which is just a layer on top of Powershell. The Active Directory Powershell module is still required.

It's not required, or that module is included already in Windows 10 by default. Because I haven't had to install it on any machine I managed with Ansible.

"win_domain_group_membership requires the ActiveDirectory PS module to be installed"
https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/windows/win_domain_group_membership.ps1

They have it in the documentation as well "This must be run on a host that has the ActiveDirectory powershell module installed."
https://docs.ansible.com/ansible/latest/modules/win_domain_group_module.html

@WLS-ITGuy said in GPO issue:

@Dashrender said in GPO issue:

I would change this up by applying your GPOs to the OU above these WLS OUs, then set filters to only apply to the users you want.

So in the case of the Library, you've already created a security group, so you'll grant permissions to that group.

Then you'll need to create a WLS-Faculty security group and do the same with it's GPO.

So the GPOs would be at 'domain level' not in the OU level...Like this?

Then I apply the security groups from there? That makes sense.

yeah - you could do it at the domain level - I personally wouldn't. I'd make a new OU, and put your WLS-faculity and WLS-Library in that new OU.. then apply your GPOs to that new one you created. But that's just me.

@wrx7m said in Server 2016 - Force Default Update Server to WSUS Server Via GPO:

@dbeato said in Server 2016 - Force Default Update Server to WSUS Server Via GPO:

This would have happened on Server 2012 R2 as well, dual scan has been around and causes a lot of problems as you noted.

It is strange that I didn't have these issues in 2012 R2. I essentially copied the same GPO for 2012 R2 and made some minor changes to it to convert it for 2016. My 2012 R2 show the correct default service.

Weird, I have various Server 2016and now 2019 with WSUS and while dual scan was an issue for me on Server 2012/ 2012 R2 not anymore.

@dbeato said in GPO for compatibility mode:

@Grey said in GPO for compatibility mode:

A previous admin created a gpo to alter and add an entry under the hive HKEY_CURRENT_USER in Key path Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range66 which forces a single entry for compatibility mode. I've spent a lot of time testing and, while the setting is to apply once and not again, it doesn't seem to allow a user to add more sites to compatibility mode and keep that addition after a reboot.

Has anyone successfully created a GPO for IE11 to enable CM for users to add items, while also pushing a list of our own? Is there a best method around for achieving this goal?

I have not, I only keep adding it through GPO (In the medical field which they have many sites as this).

Ditto - Just have to keep adding them via GPO. So glad we barely use IE 11 anymore.

In my case I wanted to kill sleep altogether.

c:\windows\system32\powercfg.exe -change -monitor-timeout-ac 0 c:\windows\system32\powercfg.exe -change -monitor-timeout-dc 0 c:\windows\system32\powercfg.exe -change -disk-timeout-ac 0 c:\windows\system32\powercfg.exe -change -disk-timeout-dc 0 c:\windows\system32\powercfg.exe -change -standby-timeout-ac 0 c:\windows\system32\powercfg.exe -change -standby-timeout-dc 0 c:\windows\system32\powercfg.exe -change -hibernate-timeout-ac 0 c:\windows\system32\powercfg.exe -change -hibernate-timeout-dc 0

@obsolesce Right, I am having to add a group of computers to the printers' security permissions with allow printing enabled to get the GPP to actually deploy the printer to the user.

UNC pathing to the printer by a member of the PrintersChecksUsers (while the user is logged in) allows them to install and print to the printer.

The GPO shows as applied in the RSOP, but with item level targeting, I don't see any info on why it wasn't actually installed/applied. Maybe it shows it somewhere else.

The key is the shared printer's security tab on the print server, itself. That is where I have to allow the specific group of computers, as well as the specific group of users. I need both, the computers and users groups to have at least printing allowed.

I finally found the GPO setting that caused this issue-

Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment

Load and unload device drivers - Enabled with Everyone and NT Authority\Authenticated Users listed.

I had to change it to Not configured.

0_1528315769936_2b6b6a24-bede-47d1-bd4d-3df40eb2c368-image.png

@scottalanmiller said in Deleting a GPO:

@rojoloco said in Deleting a GPO:

@dave247 I have a few ideas about who they are specifically... but after they decided to be a bunch of dicks about anyone here posting links to their site that shall not be named, they created an account here to spy, presumably. Lot of former :hot_pepper: folks here... Lots of :middle_finger: :middle_finger: :middle_finger: :middle_finger: :middle_finger: for their informers.

It's a public site, doesn't take much for someone to inform, lol. It's a bit like tattling on a billboard.

That sounds a lot like calling out your Husband by doing this to his ride.

cheating2_small.jpg

As long as it is on the SysVol\Policies\PolicyDefinitions folder then you should be fine.

@dbeato First I've heard of this service (speaking of Second Chance, not KnowBe4). Definitely going to check it out.

@thwr said in Flushing GPOs:

@dbeato said in Flushing GPOs:

You need to setup the settings to Delete or changed to not configured, wait until it applies and then delete the GPOs after confirming they are not applied any longer.

Get-Content c:\temp\gpos.txt | foreach { Get-GPO -Name "$_" | Remove-GPO }

http://jeffwouters.nl/index.php/2013/08/remove-group-policy-objects-through-powershell/

I bet you could do something like this to set all GPOs to "on delete remove from client" too

This assumes a txt file with all GPO names. You could also just use Get-GPO

@dashrender It is SA

@Mike-Davis said in GPO - Install software based on User - Without user involvement:

@Dashrender said in GPO - Install software based on User - Without user involvement:

Many policies can't be applied to users and have to be applied to the computer. that said you might be able to set the Item level targeting to limit it to specific users.

This is your problem.

If you want to deploy the software based on user, you need to deploy it under User Configuration -> Policies -> Software Settings -> Software installation.

You tried to deploy it under Computer Configuration, and filtered by User, so it gets totally ignored.

This is only a problem if your computer is not part of this GPO pool - or you're trying to run things from both computer and user without loopback enabled.

@Tim_G said in GPO Path?:

@Grey said in GPO Path?:

So, what's the current method to add a single trusted site to my intranet zone in GPO, eh? And where do I modify all of the trusted sites/zones and activex now?

I was answering the above question. Of course these will say not configured, because you haven't configured them yet.

That's the thing though; there is configuration from the previous IT Team.
CRwvU7j.png
I should be able to edit that and I just can't. The path shown isn't there for me.