t only applies the setting when linked to the OU of the user
Well, according to that screenshot, it IS a user setting.
Yeah. I want all users or a group of users who log in to the RD00 server (and only this server) to have this GPP modifying HKCU to apply. Is it even possible?
Yes, it's possible.
Ensure the GPO is applying to the user. For example, if User1 is in the Company > Users OU, then make sure that GPO is either in Company or Users OU and the Users OU is inheriting the GPO. Verify with RSOP and gpresult that the user is getting the policy.
I think, but it's been a while since I did much with AD GP... (like you are in the screenshot) use item-level targeting to the server name.
Test it by having one of the in-scope users log on to a different server, run gpresult and see if it's applying, then try it on the targeted server and see if it applies then.
@wrx7m Is that a computer configuration or user configuration policy? Try applying the rules to only non-admin groups.
Yeah, it is at the computer level. I would like to do it via user config but I only want them to apply to users on the RD servers. I need to figure out the proper way to structure AD/GPOs to not screw up everything else.
I am guessing creating another OU as a sub container and move the RD servers into.
Edit: Since it isn't GPP, there isn't any item level targeting, so I can't do it that way.
If you can make those changes directly in the registry, maybe that can allow you to use GPP and item level targeting.
A quick update for y'all that are watching/participating in this thread (thank you, by the way!).
Late Friday I realized where the lockouts were coming from. We have a Windows VM that has a suite of applications that folks need to use every blue moon or so, and they access the VM via RDP. Of course, users don't log out, they just close the RDP client (I am going to fix this). The user in question had an old logon session on this VM. Killing the user's session (I just rebooted the VM) seems to have done the trick.
Now the goal is to better position myself for the next time this happens. I also figure it's probably not a bad idea to have more visibility on account lockouts and where they are coming from in general.
I would change this up by applying your GPOs to the OU above these WLS OUs, then set filters to only apply to the users you want.
So in the case of the Library, you've already created a security group, so you'll grant permissions to that group.
Then you'll need to create a WLS-Faculty security group and do the same with its GPO.
So the GPOs would be at 'domain level' not in the OU level... Like this?
Then I apply the security groups from there? That makes sense.
Yeah - you could do it at the domain level - I personally wouldn't. I'd make a new OU, and put your WLS-Faculty and WLS-Library in that new OU... then apply your GPOs to that new one you created. But that's just me.
This would have happened on Server 2012 R2 as well, dual scan has been around and causes a lot of problems as you noted.
It is strange that I didn't have these issues in 2012 R2. I essentially copied the same GPO for 2012 R2 and made some minor changes to it to convert it for 2016. My 2012 R2 show the correct default service.
Weird, I have various Server 2016 and now 2019 with WSUS and while dual scan was an issue for me on Server 2012/2012 R2, not anymore.
A previous admin created a GPO to alter and add an entry under the hive HKEY_CURRENT_USER in Key path Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range66 which forces a single entry for compatibility mode. I've spent a lot of time testing and, while the setting is to apply once and not again, it doesn't seem to allow a user to add more sites to compatibility mode and keep that addition after a reboot.
Has anyone successfully created a GPO for IE11 to enable CM for users to add items, while also pushing a list of our own? Is there a best method around for achieving this goal?
I have not, I only keep adding it through GPO (In the medical field which they have many sites as this).
Ditto - Just have to keep adding them via GPO. So glad we barely use IE 11 anymore.
@obsolesce Right, I am having to add a group of computers to the printers' security permissions with allow printing enabled to get the GPP to actually deploy the printer to the user.
UNC pathing to the printer by a member of the PrintersChecksUsers (while the user is logged in) allows them to install and print to the printer.
The GPO shows as applied in the RSOP, but with item level targeting, I don't see any info on why it wasn't actually installed/applied. Maybe it shows it somewhere else.
The key is the shared printer's security tab on the print server itself. That is where I have to allow the specific group of computers, as well as the specific group of users. I need both the computers and users groups to have at least printing allowed.
@dave247 I have a few ideas about who they are specifically... but after they decided to be a bunch of dicks about anyone here posting links to their site that shall not be named, they created an account here to spy, presumably. Lot of former 🌶 folks here... Lots of 🖕 🖕 🖕 🖕 🖕 for their informers.
It's a public site, doesn't take much for someone to inform, lol. It's a bit like tattling on a billboard.
That sounds a lot like calling out your Husband by doing this to his ride.