Adding Administrative Templates for GPO

Scenario

Several users have complained that they have found several emails in their Junk Email folders within Outlook.

They already have a hosted email filtering solution that sends a daily quarantine digest to each user. When they release the quarantined emails, they sometimes go into Outlook’s Junk Email folder, so it seems the email has not been released. Users are unhappy.

You need to find a way of globally disabling Outlook’s Junk Email filtering. Enter custom Administrative Templates.

[Read more…]

Troubleshooting GPOs

A great post on troubleshooting Group Policy using event logs: http://technet.microsoft.com/en-us/library/cc749336(v=ws.10).aspx

I can’t remember where I copied the rest of these steps, but I refer to them quite often:

Collect GPMC log

1. On domain controller, click Start -> Run, type GPMC.MSC, it will load the GPMC console. If the GPMC snap-in is not installed.

2. Right click on “Group Policy Result” and choose wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose computer and select the proper user in the wizard)

3. Right click the resulting group policy result and click the “Save Report…” => save report and upload it to the link I provided.

Collect gpresult output

1. Run the command gpresult /v >C:\gpresult.txt.

2. Upload the C:\gpresult.txt to the above link.

Collect Userenv.log

Subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Entry: UserEnvDebugLevel

Type: REG_DWORD

Value data: 0x00030002 (Hexadecimal)

After the issue reoccurs, find and upload %windir%\Debug\UserMode\Userenv.log file.

Collect fdeploy.log

Subkey: Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics

Entry: FdeployDebugLevel

Type: REG_DWORD

Value data: 0x0000000F (Hexadecimal)

The log file can be found at: %Systemroot%\debug\usermode\fdeploy.log.

Enable Group Policy Preference logging and tracing

Scenario

You’ve created and linked a new GPO that uses Group Policy Preferences to move some files. You’ve had this working before, but now find that the files aren’t being copied across on certain clients.

The Resultant Set of Policy (RSOP) tool does not show GP Preferences, so you need another way of troubleshooting this. Enter Group Policy Preference logging and tracing.

Follow the steps below to enable the GP Preferences log file(s):

[Read more…]

Deploying UltraVNC within an Active Directory environment using Group Policy

Scenario

You’ve tried several different VNC applications and have decided UltraVNC meets your humble Remote Support needs. Now you want to centrally deploy and manage UltraVNC in your domain.

The default installer creates unwanted shortcuts on the user’s desktop, so you need to modify this before rolling out to all client PCs. In addition to this, there are separate installers for 32-bit and 64-bit PCs, so this will have to be accounted for.

Here is how to achieve remote desktop nirvana using UltraVNC:

[Read more…]

Updating all Local Administrator passwords across the domain

Scenario

You used to use startup scripts to update all Local Administrator passwords throughout your domain, but now that you think logon scripts are the Devil’s work, you need another way of doing it.

I mean, look at the code…it’s not heavenly is it:

Set SatanNet = WScript.CreateObject("WScript.Network")
strComputer = "."
Set LuciferUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
LuciferUser.SetPassword "PASSWORD'o'HELL" ' Enter new password between brackets
LuciferUser.SetInfo

Here’s a nicer, flame-resistant solution:

[Read more…]

How to create a Group Policy Central Store

Scenario

You have downloaded or created your own Group Policy Administrative Templates, and would like them to be stored centrally, opposed to individually on each Domain Controller.

Here’s how to create a Group Policy Central Store:

[Read more…]

Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile

Problem

Several users were recently getting the following error when logging into one of our Terminal Servers:

Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff.

Solution

Go into the Group Policy Editor on the Terminal Server (gpedit.msc) Computer Config > Admin Templates > System > User Profiles > Only Allow Local Profile – Enable.

Cannot find pushprinterconnections.exe to deploy printers via GPO to WinXP PCs

I was onsite with a customer the other week, and noticed that they installed print drivers individually on each PC to print direct to the printer. Not good, as the maintenance and management must have been a nightmare; the customer was a medium-sized school.

Usually I see shared printers being used, but better still are shared printers deployed via Group Policy. I started preaching to their IT guy about the wonders of centrally managed printing, and decided to set this up for him.

Unfortunately, after a while I gave up as I couldn’t find the necessary pushprinterconnections.exe file I needed for the solution to work with their Windows XP clients. It’s usually in %WINDIR%\System32 on the server, but not this time.

Here’s a link to the file if you ever struggle finding it too: pushprinterconnections

Instructions on Deploying Printers via GPO can be found here: http://technet.microsoft.com/en-us/library/cc722179(v=ws.10).aspx

Using GPO to control Local Administrators group

I read an excellent article on how to populate the Local Administrators group via Group Policy Objects (GPO): http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

However, after following the instructions to the letter, I could only populate the Local Administrators group with the builtin\administrator user account; the other groups I specified were simply ignored.

Here’s how I fixed the issue:

[Read more…]

How to confirm if Group Policy Preference Client Side Extensions are installed in WinXP

Scenario

You need to confirm if Group Policy Preference Client Side Extensions are installed for Windows XP, but nothing shows up in Add/Remove Programs.

You’re sure that you have the right update (http://www.microsoft.com/download/en/details.aspx?id=3628), but Group Policy Preferences are not working.

Here’s how you can confirm Preference CSEs are installed:

[Read more…]