Posts Tagged group policy

Group policy on server 2012

We finally got our new server up and running as a new domain controller. Now we have a server 2008 and server 2012 as our DCs – our main DC was running server 2003, ouch. Trying to manage windows 7 machines with server 2003 was not fun so this was very exciting for me. I was working last week on making sure things were syncing properly between the two of them so I could start cleaning up group policy and look in to changing the way I have our printers set up. Things are a little different in group policy management editor, but not much.

One thing I did notice is that you can now easily check the status of Active Directory and SYSVOL replication for the domain. When you open group policy management, click on your domain and the first tab on the right will be Status. You can hit the Detect Now button at the bottom right to pull the current state and see what it says.


When I did this for the first time last week, instead of it saying 1 domain controller with replication in sync, it had 1 for domain controller with replication in progress. I can’t remember exactly what it said when you clicked the arrow next to it to show the details. But if you clicked on the domain controller this is the window that opened:


I tried figuring this out for at least 3 hours before I finally found a site that told me how to fix it. Being interrupted and having to work on other things probably didn’t help. It’s been a week now and I don’t remember what the site was. Clearly the permissions are messed up, but where to fix the permissions was the problem. All you need to do is open the group policy management editor for whichever policy is on the list above, right-click on the policy name, and go to properties.


Go to the security tab, click advanced near the bottom, and on the permissions tab click restore defaults. That was it, it was that simple, but it took forever for me to find the solution. Now, one thing I noticed the next day was that resetting the permissions also resets who the policy applies to. Obviously I have the intern policy in order to lock down where they can go and what they can do. After resetting the permissions I logged in the next day and thought things looked weird because my control panel was missing. I logged in to the domain controller and noticed that under security filtering in group policy management it was set to Authenticated Users instead of just the intern group. I didn’t realize it reset who it applies to until it applied to me, whoops. Luckily only 2 other people noticed before I fixed it.
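The security-filtering surprise above is easy to script around. The following is an added example, not code from the original post: it lists who has "Apply group policy" on a GPO, demotes Authenticated Users back to read-only, and re-grants apply to the intended group. It assumes the GroupPolicy PowerShell module (Server 2008 R2 or later, or RSAT) and uses the GPO name "Intern Policy" and the group "Interns" as placeholders.

```powershell
# Added example (not from the original post): audit a GPO's security filtering
# after "Restore defaults" and put it back to "apply only to one group".
# Assumes the GroupPolicy module (Server 2008 R2+ DC or RSAT). The GPO name
# and group name below are placeholders for this example.
Import-Module GroupPolicy

$gpoName    = 'Intern Policy'   # placeholder
$applyGroup = 'Interns'         # placeholder

function Get-GpoApplyTrustees {
    param([string]$Name)
    # Everything that currently holds "Apply group policy" on the GPO.
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object -ExpandProperty Trustee |
        Select-Object -ExpandProperty Name
}

"Before: GpoApply granted to: $((Get-GpoApplyTrustees $gpoName) -join ', ')"

# "Restore defaults" grants Authenticated Users Read + Apply, which is why the
# policy suddenly hit every user. Demote Authenticated Users to Read only;
# -Replace overwrites the existing entry instead of adding a second one.
# Keep Read rather than removing the group entirely: since MS16-072 (June
# 2016) the computer account must be able to read a user GPO or the GPO is
# silently skipped, and Authenticated Users is what grants that.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Grant Read + Apply back to the group the policy is meant for.
Set-GPPermission -Name $gpoName -TargetName $applyGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

"After:  GpoApply granted to: $((Get-GpoApplyTrustees $gpoName) -join ', ')"
```

Run it once per GPO whose permissions you reset; the "Before" line is the quick way to spot any other policy that is now scoped to Authenticated Users.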



Screen locking through group policy

Somebody here mentioned to me that her screen doesn’t lock like it is supposed to after 15 minutes. I couldn’t figure out why because I thought I had everything in group policy set right. I lock my computer myself every time I get up from it so I never noticed. But it turns out that if a screen saver isn’t selected on the client machine it will not lock unless you set the policy “screen saver executable name.” I guess it is my fault for not completely reading the descriptions for the other three settings, which say you have to specify the executable name. I just typed in scrnsave.scr for the blank one, so it looks like the monitor went to sleep. It should ask for a password when it wakes back up.

To find these go to user configuration -> policies -> administrative templates -> control panel -> display.
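To check a workstation that still does not lock, here is an added example (not from the original post) that reads the four registry values those four policies write and says which one is missing. It assumes you run it on the client as the affected user after a gpupdate; the value names under the HKCU policy hive are the documented ones for these settings.

```powershell
# Added example (not from the original post): why doesn't this machine lock?
# The four "Screen Saver" policies under User Configuration write these values
# to HKCU\Software\Policies\...\Desktop; the user's own choice lives in
# HKCU\Control Panel\Desktop. Policy wins, so it is read first.
function Get-ScreenLockState {
    $policy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $user   = 'HKCU:\Control Panel\Desktop'

    # Read a value from the policy hive, falling back to the user's hive;
    # returns $null when neither has it. Values are stored as strings.
    function Read-Value([string]$name) {
        foreach ($key in $policy, $user) {
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($item -ne $null) { return $item.$name }
        }
        return $null
    }

    $state = @{
        ScreenSaveActive    = Read-Value 'ScreenSaveActive'     # "Enable screen saver"
        ScreenSaverIsSecure = Read-Value 'ScreenSaverIsSecure'  # "Password protect the screen saver"
        ScreenSaveTimeOut   = Read-Value 'ScreenSaveTimeOut'    # "Screen saver timeout" (seconds)
        Executable          = Read-Value 'SCRNSAVE.EXE'         # "Screen saver executable name"
    }

    $problems = @()
    if ([int]$state.ScreenSaveActive -ne 1)    { $problems += 'screen saver not enabled' }
    if ([int]$state.ScreenSaverIsSecure -ne 1) { $problems += 'screen saver not password protected' }
    if (-not $state.ScreenSaveTimeOut -or [int]$state.ScreenSaveTimeOut -gt 900) {
        $problems += 'timeout missing or longer than 15 minutes'
    }
    # The case in the post: the other three are set, but with no executable
    # there is nothing for Windows to start, so the desktop never locks.
    if (-not $state.Executable) { $problems += 'no screen saver executable, the policy is a no-op' }

    New-Object PSObject -Property @{
        Settings = $state
        WillLock = ($problems.Count -eq 0)
        Problems = $problems
    }
}

$r = Get-ScreenLockState
$r.Settings
if ($r.WillLock) { 'OK: screen will lock' } else { 'Will NOT lock: ' + ($r.Problems -join '; ') }
```

If the executable comes back empty only from the policy hive, the fix is the "screen saver executable name" setting in the same GPO folder as the other three; on Windows 7 the same values also appear under control panel -> personalization.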



WMI Repair in Windows XP

Continuing on my path of figuring out group policy, I came across some errors in the event log on our Windows XP machines that I’ve been trying to repair for a while now. For some reason the printers aren’t deploying to our Windows XP machines and I’m thinking it’s because the machines are having problems pulling the policy off the domain controller. I also needed to use the system information tool to send to our anti-virus company so they could troubleshoot an issue we’re having with their software. But when I went to system information it said it could not collect the data. It was event ID 1090, the source is Userenv, and it says:

I’ve been looking up this error for weeks trying to decipher how to repair Windows Management Instrumentation. Nearly every site and forum I found said either to empty the c:\windows\system32\wbem\repository folder, re-register the dll files associated with WMI, or do a repair installation of Windows XP. I emptied that folder I don’t know how many times. I tried using system file checker to replace any corrupted system files. I also ran the WMI diagnostic tool you can download from Microsoft to see if that would point me in any other directions, but I didn’t find it terribly helpful – except for one thing I found in the log file that it generates.

I came across the same error when I tried to re-register the dll files and when I ran the diagnostic tool.

!! ERROR: WMI CONNECTION errors occured for the following namespaces:

.1581 14:13:07 (0) ** – Root, 0x80070005 – Access is denied..
.1582 14:13:07 (0) ** – Root, 0x80070005 – Access is denied..
.1583 14:13:07 (0) ** – Root/Default, 0x80070005 – Access is denied..
.1584 14:13:07 (0) ** – Root/CIMv2, 0x80070005 – Access is denied..
.1585 14:13:07 (0) ** – Root/WMI, 0x80070005 – Access is denied..

Access denied? I had no idea why access would be denied. I’m the admin and have full permissions. Well today I finally figured out the problem. Since I was having problems today using the system information tool, I googled that error and came across this forum that had a script in it.  When I tried to run the script the first time on my account I got the access denied errors again.  So I went to the run box and typed services.msc. I looked at the WMI service to see what account it was logging on as, it says local administrator account. Well that’s good, so I next look at the remote procedure call (RPC) service and that one originally said log on as NT Authority or some other network account.

Well I changed that one to local administrator, rebooted the machine in safe mode so that no services were running, and ran the script from that forum again. It took awhile but I noticed it wasn’t throwing any access denied errors. I rebooted the machine, logged in on my regular network account and did not see a single RSoP error in the event log. Success.

Copy this script into notepad or some other text editor and save it as fixwmi.cmd. When you go to save as you’ll have to select all files in the file type so it doesn’t save as a text file.

@echo on
rem Stop WMI, move its repository aside, re-register every WMI DLL and EXE,
rem recompile all MOF/MFL definitions, then start WMI again.
cd /d c:\temp
if not exist %windir%\system32\wbem goto TryInstall
cd /d %windir%\system32\wbem
net stop winmgmt
winmgmt /kill
rem Keep the old repository as Rep_bak instead of deleting it; a fresh one is
rem rebuilt when the service starts.
if exist Rep_bak rd Rep_bak /s /q
rename Repository Rep_bak
for %%i in (*.dll) do RegSvr32 -s %%i
for %%i in (*.exe) do call :FixSrv %%i
for %%i in (*.mof,*.mfl) do Mofcomp %%i
net start winmgmt
goto End

:FixSrv
rem Register each WMI executable as a COM server, skipping the three tools
rem that are not servers.
if /I (%1) == (wbemcntl.exe) goto SkipSrv
if /I (%1) == (wbemtest.exe) goto SkipSrv
if /I (%1) == (mofcomp.exe) goto SkipSrv
%1 /RegServer

:SkipSrv
goto End

:TryInstall
rem No wbem folder at all: reinstall the WMI core if the installer is here.
if not exist wmicore.exe goto End
wmicore /s
net start winmgmt

:End

Now I’m seeing another error related to group policy, but hey, at least it isn’t a WMI error.
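Before and after running the script, it helps to have the namespace check and the service-account check in one place. The following is an added example (not from the original post or the linked forum): it repeats the WMIDiag namespace connection test from the log above and reads the logon account of the WMI and RPC services straight from the registry, so that part works even while WMI is broken. The defaults it compares against are the ones I know from XP/2003: winmgmt runs as LocalSystem and RpcSs as NT AUTHORITY\NetworkService. It flags any other account so the RPC service can be put back on its default once the repository is rebuilt; RPC is core plumbing, and an administrator account with a fixed password on it is a credential sitting on every workstation it is done to.

```powershell
# Added example (not from the original post): reproduce the WMIDiag namespace
# check and report which account the WMI and RPC services log on as.
# PowerShell 2.0 compatible so it runs on the XP machines in question.
function Test-WmiNamespaces {
    param([string]$Computer = '.')
    $results = @()
    foreach ($ns in @('root', 'root\default', 'root\cimv2', 'root\wmi')) {
        try {
            # __Namespace exists in every namespace, so a successful query
            # proves we can connect to and read that namespace.
            $null = Get-WmiObject -ComputerName $Computer -Namespace $ns -Class __Namespace -ErrorAction Stop
            $results += New-Object PSObject -Property @{ Namespace = $ns; Status = 'OK' }
        } catch {
            # "Access denied" here is the 0x80070005 from the WMIDiag log.
            $results += New-Object PSObject -Property @{ Namespace = $ns; Status = $_.Exception.Message }
        }
    }
    $results
}

function Get-ServiceLogonAccount {
    # Read ObjectName from each service's registry key rather than via WMI,
    # so this still answers when WMI itself is the thing that is broken.
    # Defaults (XP/2003): winmgmt = LocalSystem, RpcSs = NT AUTHORITY\NetworkService.
    $defaults = @{ winmgmt = 'LocalSystem'; RpcSs = 'NT AUTHORITY\NetworkService' }
    foreach ($svc in $defaults.Keys) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        $account = (Get-ItemProperty -Path $key -Name ObjectName -ErrorAction SilentlyContinue).ObjectName
        New-Object PSObject -Property @{
            Service   = $svc
            LogOnAs   = $account
            IsDefault = ($account -eq $defaults[$svc])
        }
    }
}

Test-WmiNamespaces      | Format-Table Namespace, Status -AutoSize
Get-ServiceLogonAccount | Format-Table Service, LogOnAs, IsDefault -AutoSize
```

A healthy machine shows OK for all four namespaces and IsDefault True for both services; "Access denied" on root alone usually means the repository or the DCOM/WMI registrations, not a missing permission on your account.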


  1. How to Troubleshoot Service Startup Permissions
  2. Solved: Can’t Collect Information



Group policy – create a central store

I’m forever tweaking our group policy settings as I read more and more about it and how to manage Windows 7 machines along with Windows XP machines. Adding some admin templates to the group policy settings is what set me on this path again.  I read about creating a central store on the domain controller making it easier to manage the settings and reducing the amount of duplication on the servers. But I also found another post saying that it may cause some problems. So I guess I’ll find out. It’s super easy to create a central store so I can also go back and remove it if I need to.

I found this awesome video that was really helpful. For some reason, reading how to do it kept confusing me.

  1. Go to your domain controller, go to your run menu and type in \\{domain name}\SYSVOL\{domain name}\policies
  2. Go to run again and type in %systemroot%
  3. Find the PolicyDefinitions folder and copy it.
  4. Go back to your policies folder that we opened in the first step and paste the entire PolicyDefinitions into the folder.
  5. Your central store is now created

If you open your group policy management editor and click on the administrative templates folder under either computer or user configuration, you’ll now see that it is retrieving them from the central store. Now if you download new templates to manage various settings or programs, you’ll copy them into that new central store folder to add them to group policy.
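The five steps above, scripted, as an added example that is not part of the original post. It copies the local PolicyDefinitions folder to SYSVOL with robocopy and then checks the store, since the one thing that silently breaks a central store is forgetting the language subfolders that hold the .adml files. It assumes you run it on a domain controller as a domain admin logged in with a domain account, so that $env:USERDNSDOMAIN is set.

```powershell
# Added example (not from the original post): create and verify the central
# store. Assumes a domain logon on the DC so $env:USERDNSDOMAIN is populated;
# replace it with the domain's DNS name if it is not.
$domain = $env:USERDNSDOMAIN
$source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

function New-CentralStore {
    param([string]$Source, [string]$Store)
    if (-not (Test-Path $Source)) { throw "no local PolicyDefinitions at $Source" }
    if (Test-Path $Store) { "Central store already exists at $Store; copying only newer files." }
    # /E keeps the language subfolders (en-US etc.) with the .adml files; without
    # them GPMC cannot display the templates. /XO skips files that are older
    # than what the store already has, so a rerun never downgrades a template.
    robocopy $Source $Store /E /XO /R:1 /W:1 /NP /NFL /NDL | Out-Null
    # robocopy exit codes 0-7 are success (0 = nothing to copy), 8 and up are errors.
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
}

function Test-CentralStore {
    param([string]$Store)
    $admx     = @(Get-ChildItem -Path $Store -Filter *.admx)
    $langDirs = @(Get-ChildItem -Path $Store | Where-Object { $_.PSIsContainer })
    $missingAdml = @()
    foreach ($t in $admx) {
        # Every .admx needs a matching .adml in at least one language folder.
        $adml  = $t.BaseName + '.adml'
        $found = $langDirs | Where-Object { Test-Path (Join-Path $_.FullName $adml) }
        if (-not $found) { $missingAdml += $t.Name }
    }
    New-Object PSObject -Property @{
        Admx        = $admx.Count
        Languages   = ($langDirs | ForEach-Object { $_.Name }) -join ', '
        MissingAdml = $missingAdml
    }
}

New-CentralStore  -Source $source -Store $store
Test-CentralStore -Store  $store
```

Use the same script to drop in templates you download later: copy the .admx into the store root and the .adml into the matching language folder, then rerun Test-CentralStore; a name in MissingAdml is a template GPMC will complain about.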

If you need to use the old ADM template files to manage older settings, you’ll need to copy those files into the central store, then go to group policy management editor, right-click on administrative templates, and use add/remove templates to manually import them. I need to be able to manage Office 2003 since our XP machines are still running that. They didn’t automatically load into group policy management after I copied them into the central store.




Deploy printers using group policy

I should say that this is for a mixed environment. It was such a pain for me to figure this out because we have machines running Windows XP and some machines running Windows 7. Some parts of the policies are ignored by the Windows 7 machines if I manage group policy on our Server 2003 DC, so I had to figure out how to get this going on Server 2008 and find the settings that would work for both operating systems.

I’ve recently deployed new computers and cascaded the computers that were replaced down to other locations to get rid of the really old ones. I really hated having to install all the printers under every single user account so I decided to look into how to configure group policy to deploy them. My office is small enough that I can deploy all the printers to every user and not have to worry about separating them by OU. They can set the default printers themselves. As long as I don’t have to deal with installing them every time we replace a computer or every time we get an Intern, I’ll be happy.

We have one Server 2008 box with the rest being Server 2003. Since half of our workstations are Windows 7 I’ll be using Server 2008 to configure and deploy group policy. One thing you’re going to want to make sure of is that all the workstations have the group policy preference client side extensions. You’ll need them for any machines that are running Windows XP or Vista. You can also select the client side extensions when you look at the optional updates on the Windows Update site. I really hope you don’t have any machines running Vista. I thought I installed them on Windows 7 too, but I just looked and apparently it wasn’t necessary.

These steps will allow you to manage printers from your server 2008 box without actually making it a print server.

  • Go to server management, either through administrative tools menu or just type it into the search bar.
  • Click on features and then add features on the right.
  • Find remote server administration tools and expand that list, expand role administration tools. Then find print services tools and check the box. Go through the installation, it does not require a reboot, but it does take its sweet time finishing.

  • Now you can go to print management and select the server(s) you want as the print server(s). I removed the local server since I just want to use this server as the manager.
  • After you’ve added the servers you’ll see them in the left panel.  Click on the appropriate server, click on printers and from here you’ll select which printers to deploy using group policy by right-clicking on the printer and selecting deploy using group policy.
  • In the window that pops up, go to browse and find the policy you want to assign the printer to. Check the box for either a per user setup or per computer. I don’t really know the pros and cons, but the way our policies are set up it’s easier for me to select per user.

  • Make sure you click the add button below that to make it show up in the bottom area. I kept hitting OK and then wondering why there wasn’t some sort of confirmation, duh. I made the mistake of starting to configure this before I had my coffee this morning. After you hit OK or apply, it will hopefully say it was successfully assigned.

Since my users do not have admin privileges on their machines I need to find a way to allow the drivers for the printers to install without prompting for admin credentials. There are a couple places on the group policy you need to go to for this setting so that it takes effect for both Windows 7 and Windows XP machines.

  • Computer configuration -> policies -> windows settings -> security settings -> local policies -> security options -> Devices: Prevent users from installing printer drivers: Disabled

Some people may not want to uncheck that box, but after having to go down the hall to type my credentials in so many times, I’m fine with it.

  • The other location is user configuration -> policies -> administrative templates -> control panel -> printers -> point and print restrictions: enabled

  • Make sure the top 2 boxes are unchecked and select “do not show warning or elevation prompt” and “show warning only” for the drop down lists.
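The point and print settings above are what make driver installs silent, and they also let a standard user pull a driver from any print server that will talk to them. The following is an added example, not code from the original post: it writes the post’s configuration into a GPO with Set-GPRegistryValue, next to a variant that keeps the no-prompt install but checks "Users can only point and print to these servers" so drivers may only come from the named print servers. It assumes the GroupPolicy module (Server 2008 R2 or later, or RSAT); the GPO name "Printers" and the server names in $trusted are placeholders. The key is the HKCU one because the post sets the policy under user configuration; the computer configuration version writes the same value names under HKLM.

```powershell
# Added example (not from the original post): the two Point and Print
# configurations side by side. Assumes the GroupPolicy module; GPO and server
# names are placeholders.
Import-Module GroupPolicy

$gpo = 'Printers'   # placeholder
$key = 'HKCU\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Value meanings:
#   Restricted = 1                       policy Enabled
#   TrustedServers = 1 / ServerList      "only point and print to these servers"
#   InForest = 1                         "only point and print to machines in my forest"
#   NoWarningNoElevationOnInstall = 1    "Do not show warning or elevation prompt" on install
#   UpdatePromptSettings: 0 warn+elevate, 1 warning only, 2 no warning

# The post's settings: both server boxes unchecked, no prompt on install,
# warning only on update. Any user can install a driver from any server.
function Set-PointAndPrintOpen {
    param([string]$Gpo)
    Set-GPRegistryValue -Name $Gpo -Key $key -ValueName Restricted                    -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $Gpo -Key $key -ValueName TrustedServers                -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name $Gpo -Key $key -ValueName InForest                      -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name $Gpo -Key $key -ValueName NoWarningNoElevationOnInstall -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $Gpo -Key $key -ValueName UpdatePromptSettings          -Type DWord -Value 1 | Out-Null
}

# Same user experience, but drivers may only come from the listed servers.
function Set-PointAndPrintRestricted {
    param([string]$Gpo, [string[]]$Servers)
    Set-GPRegistryValue -Name $Gpo -Key $key -ValueName Restricted                    -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $Gpo -Key $key -ValueName TrustedServers                -Type DWord -Value 1 | Out-Null
    # Fully qualified names separated by semicolons, the format the policy UI expects.
    Set-GPRegistryValue -Name $Gpo -Key $key -ValueName ServerList -Type String -Value ($Servers -join ';') | Out-Null
    Set-GPRegistryValue -Name $Gpo -Key $key -ValueName InForest                      -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name $Gpo -Key $key -ValueName NoWarningNoElevationOnInstall -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $Gpo -Key $key -ValueName UpdatePromptSettings          -Type DWord -Value 1 | Out-Null
}

function Get-PointAndPrintSetting {
    param([string]$Gpo)
    # What the GPO currently carries for the key, for a before/after look.
    Get-GPRegistryValue -Name $Gpo -Key $key | Select-Object ValueName, Value
}

$trusted = @('printsrv1.corp.example', 'printsrv2.corp.example')   # placeholders
Set-PointAndPrintRestricted -Gpo $gpo -Servers $trusted
Get-PointAndPrintSetting -Gpo $gpo
```

The restricted variant costs nothing for the deployment described here, since every printer comes from the print server(s) you added in print management anyway; list those and the silent installs keep working while a share on some other machine no longer counts as a driver source.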

After all this the printers should install for all users or computers, depending on how you assigned them. I’m hoping it’ll stop me from getting phone calls about having to enter my credentials in for the Windows 7 machines.

I just had someone test it for me by logging into a Windows 7 machine they hadn’t logged into before and it worked. I watched the printers pop up under devices and printers without prompting for admin credentials. This will save me so much time.

