Search Results

Search found 23301 results on 933 pages for 'check in policy'.

Page 39/933 | < Previous Page | 35 36 37 38 39 40 41 42 43 44 45 46  | Next Page >

• Deny to administrators to change network configuration settings

  - by moronrats

  I need to provide admin rights to every user but the users should not able to change network configuration settings. For this I have enabled following policies in User Configuration\Administrative Templates\Network\Network connections Enable Windows 2000 network connection settings for administrators Prohibit access to properties of a LAN connection Prohibit access to properties of components a LAN connection Users (that exist in administrators) still can change the LAN properties. Are there any other solutions?

  Read the article

• Event ID for modified GPOs

  - by Hinek

  I have to know, who (usersid or loginname) changed a specified GPO for a specified OU in the Active Directory. Given our audit settings include this, what would be the right Event ID to look for?

  Read the article

• Security and Windows Login

  - by Mimisbrunnr

  I'm not entirely sure this is the right place for the is question but I cannot think of another so here goes. In order to login to the windows machines at my office one must press the almighty CTRL-ALT-DELETE command combo first. I, finding this very frustrating, decided to look into why and found claims from both my sys and Microsoft stating that it's a security feature and that "Because only windows could read the CTRL-ALT-DELETE it helped to ensure that an automated program cannot log in. Now I'm not a master of the windows operating system ( as I generally use *nix ) but I cannot believe that "Only windows can send that signal" bull. It just doesn't sit right. Is there a good reason for the CTRL-ALT-DELETE to login thing? is it something I'm missing? or is it another example of antiquated legacy security measures?

  Read the article

• Is there a way to set access to WMI using GroupPolicy?

  - by Greg Domjan

  From various documentation it appears that to change WMI access you need to use WMI to access the running service and modify specific parts of the tree. Its kind of annoying changing 150,000 hosts using the UI. And then having to include such changes in the process of adding new hosts. Could write a script to do the same, but that needs to either connect to all those machines live, or be distributed for later update say in an startup/install script. And then you have to mess around with copying binary SD data from an example access control. I've also found you can change the wbem/*.mof file to include an SDDL but I'm really vague on how that all works at the moment. Am I just missing some point of simple administration?

  Read the article

• Active Directory: delete vs. disable departed employees

  - by Matt Rogish

  When an employee leaves your organization, do you delete or disable their Active Directory account? Our SOP is to disable, export/purge the Exchange mailbox, and then after "some time" has elapsed (usually quarterly), delete the account. Is there any need for that delay? After exporting and purging their mailbox, why shouldn't I delete the account right then and there?

  Read the article

• Complete Active Directory redesign and GPO application

  - by Wolfgang Kuehne

  after much testing and hundreds of tries and hours invested I decided to consult you experts here. Overview: I want to apply some GPO to our users which will add some specific site to the Trusted Sites in Internet Explorer settings for all users. However, the more I try the more confusing the results become. The GPO is either applied to one group of users, or to another one. Finally, I came to the conclusion that this weird behavior is cause rather by the poor organization in Users and Groups in Active Directory. As such I want to kick the problem from the root: Redesign the Active Directory Users and Groups. Scenario: There is one Domain Controller, and we use Terminal Services (so there is a Terminal Server as well). Users usually log on to the Terminal Server using Remote Desktop to perform their daily tasks. I would classify the users in the following way: IT: Admins, Software Development Business: Administration, Management The current structure of the Active Directory Users and Groups is a result of the previous IT management. The company has used Small Business Server which has created multiple default user groups and containers. Unfortunately, the guys working before me have do no documentation at all. Now, as I inherit this structure I am in the no mans land. No idea which direction to head first. As you can see, the Active Directory User and Groups have become a bit confusing. There is no SBS anymore, but when migrating from SBS to the current Windows Server 2008 R2 environment the guys before me have simply copied the same structure. The real question: Where should I start cleaning from, ensuring that I won't break totally the current infrastructure? What is a nice organization for the scenario that I have explained above? Possible useful info for the current structure: Computers folder contains Terminal Services Computers user group Members: TerminalServer computer located at Server -> Terminalserver OU Member of: NONE Foreign Security Principals : EMPTY Managed Service Accounts : EMPTY Microsoft Exchange Security Groups : not sure if needed, our emails are administered by external service provider Distribution Groups : not sure if needed Security Groups : there are couple of groups which are needed SBS users : contains all the users Terminalserver : contains only the TerminalServer machine

  Read the article

• Windows 7 Folder Redirection (GPO)

  - by Kev

  I have been fighting this issue for a day or two now, so I am looking for some insight. I am taking over admin duties in a domain of 800 users, and the previous admins really did not employ much of any GPO settings for the clients of the Domain. In each site, there is a location on the file server where "Home" folders were manually created. EX: \server\home\enduser Whenever a user got a machine, the admin would manually right-click on the "My Documents" folder and manually enter the path to the home folder. We are planning to start putting Windows 7 machines on the Network, and I am wanting to automate as much as I can, everything that was not done in the past. Since everyone has exising "Home" folders I have been fighting and trying to get Folder Redirection to work with a new Windows 7 machine (In a Test OU). I am getting all kinds of errors and I can't get the Windows 7 "Documents" folder to redirect to the users EXISTING home folders. As I stated earlier, all of the Home folders were (and still are) manually created on the File Server and are set with the following Security permissions - Domain Admins - Full Control euser (end user) - Modify (Everything but Full) Can someone point me in the right direction on the proper setting to put in the Folder Redirection GPO to get this to work with the Existing Home folders.

  Read the article

• Users can't change password trough OWA for Exchange 2010

  - by Rémy Roux

  Here's our problem, users who want to change their password trough OWA get this error "The password you entered doesn't meet the minimum security requirements.", even if users are respecting the minimum security requirements. With these settings, we have the error: Enforced password history 1 passwords remembered Maximum password age 185 days Minimum password age 1 day Minimum password length 7 characters Password must meet complexity requirements enabled With these test settings, we don't have an error: Enforced password history not defined Maximum password age not defined Minimum password age not defined Minimum password length not defined Password must meet complexity requirements not defined People can change their password but there is no more security! Just changing one parameter of the GPO for example "Enforced password history", brings back this error. Here's our server configuration : Windows Server 2008 R2 Exchange Server 2010 Version: 14.00.0722.000 If anybody has a clue it would very helpful !

  Read the article

• Which smartphone OS would you choose for your users ?

  - by Florent

  While we currently only use windows mobile smartphone, my boss seems less and less reluctant to try and choose a new kind of OS for our users corporate phones. For some reasons, we can't use a Blackberry Enterprise Server, so i guess our only choice is between Iphone OS and Android (or Blackberry without BES ? I don't really know if this works fine) We need activesync capable smartphones of course, and activesync security policies must be available (pin when using your phone for example). Centralized Phone management would be nice too :D Any ideas on what should be the best smartphone to choose for our users ?

  Read the article

• Applocker custom extension (Java, CPL, MSC etc.)

  - by test1839

  We have a Terminal server and want to prevent users from running inappropriate software. Previously we used Software Restriction Policies for this purpose. Now, Microsoft seems to recommend Applocker instead. However we found no possibilities to add custom extensions like JAR, CPL, MSC etc. which was possible in Software Restriction Policies. Do you know how to add custom extensions to the Applocker policies in Windows 2008? Or how can we block custom script interpreters like Perl etc.?

  Read the article

• How Do I Get poledit.exe Out Of Windows 2000 Service Pack 4?

  - by Nick

  I've read that I can get poledit.exe from Windows 2000 Service Pack 4, but have been unable to figure out how. I've downloaded the service pack from Microsoft's website, "W2KSP4_EN.EXE", and extracted it using the "/x" option on the command line: W2KSP4_EN.EXE /x Which produced an i386 folder with a bunch of files in it, but poledit.exe isn't there. Theres a "poledit.ex_", but changing the "_" to an "e" and trying to execute it results in the error: The NTVDM CPU has encountered an illegal instruction. I'm trying to do this on a winXP Pro machine. I know I've gotten this to work before, but don't remember how I did it. What am I missing?

  Read the article

• How to allow program updates without prompting UAC?

  - by Ryan Mortier

  We have about 15-20 users who have this software installed. We have UAC enabled through GPO as you should, which means the software prompts for admin approval if a standard user trys to install it. Thats fine, they can call the help desk to have the software installed. My problem is, our help desk is being bombarded every day because users can't update the software and there are updates almost every day which is prompting UAC. Using procmon.exe to find out where it was trying to write to, I then created a GPO to allow file permission access to the program files folder for this particular software, including the program data folder, but it still prompts for admin approval. It seems as though that the software is using msiexec.exe to run a .msp patch file. The only "ACCESS DENIED"s I can still see in procmon is things like this: What can I possibly do to stop this software from prompting UAC with admin password credentials aside from disabling UAC?

  Read the article

• New IE windows open in background on restricted computer

  - by Adam Towne

  We have a new computer build that is locked down via GPO. We have locked it down as tight as we can, but now new IE windows that are opened with shortcuts open behind the active window. I can post the whole list of restrictions if it is necessary, but there are a lot of restrictions. The machine has a domain account that automatically logs in, that account is the actual AD object that we have locked down. What restrictions could cause the new windows to not have focus? I apologize for a question like this, but I had 1 day to build this, and now 2 days to iron out bugs our clinical analysts find.

  Read the article

• Batch add/import of a list of users to a group in Active Directory?

  - by JB

  We have two lists of users (about 1000 each) that we need to add to groups in Active Directory (Windows Server 2003...one list will be in one group, one in the other). All the users currently exist in the directory, but we just need to assign them properly. Is there an easy way to do this without scripting? If not, can it be scripted with Ruby, Perl or Python? Thanks!

  Read the article

• Securing DRAC/ILO

  - by The Diamond Z

  This might be a dumb question but DRAC/ILO both have HTTP server interfaces. If I were trolling IP's port 80 on and I came across such a page I'd know it to be a high value target in the sense that if I can crack it, I can take control of the server to some extent (potentially installing another OS). Other than changing the port, what are the best practices for securing DRAC/ILO on public Internet facing machines?

  Read the article

• GPO IE Favorites Adds Unwanted Folders

  - by Kyle Brandt

  I created a AD 2003 GPO to add a couple of the company's links to everyone's IE. I have the following: Checked: Place Favorites and Links at the Top of the List... Unchecked: Everything else Then: Favorites |-Company Link One |-Company Link Two Links However, the GPO seems to add Favorites Bar, Microsoft Websites, MSN Websites, and Windows Live folders. If they are deleted it seems to make them come back. Anyone know how to fix this?

  Read the article

• Which GPO is making my Domain Controller my clients' DNS server?

  - by Harry Muscle

  I maintain a small domain (about 20 clients) and we need to make some changes to the DNS server that's being used by the clients. All the clients have been hard coded to use the domain controller as their DNS. Since these are new machines, and I never changed their DNS settings, I'm guessing there must be a GPO that's causing them to use the domain controller as their DNS. Since we don't have any GPO other than the default one yet, it's got to be the default GPO, however, I have looked through all the GPO settings and none of them refer to anything related to DNS. So I'm wondering if there's anything else that might be causing this. Any help or advice is highly appreciated. Thanks, Harry

  Read the article

• IE9 GPO Setting "Configure Tracking Protection Lists"

  - by Daniel B

  I've just installed IE9 on my workstations and Server in our network. According to technet article http://technet.microsoft.com/en-us/library/gg699401.aspx There is a GPO setting for IE9 called "Configure Tracking Protection Lists" located at Windows Components\Internet Explorer\Privacy in the admistrative templates. I can find all the other IE9 settings in the GPO, but I cannot find this one. Does anyone know if there is an updated template, or if this setting was removed from the RC version of IE9? Thanks, Daniel

  Read the article

• Auto Log-Off Windows users - Windows 2003 domain

  - by thehatter

  I am trying to make windows clients automatically log off after some time, I have been trying to use the winexit.scr which I have seen working else where in a similar environment. After working though these instructions (I did read the comments and notice the original ADM provided is buggy) I've had no joy what so ever! Winexit.scr refuses to read any settings in the registry, even while using a test account I can access the required reg key(s); edit, add, and remove values. Essentially winexit.scr always uses it's default values: 30 second timeout, no forced log-out. What I really want is a 30 minute timeout with a forced log-out, closing all the users apps etc. I've tried removing and re-adding the ADM template, creating the GPO from scratch several times, giving various registry permissions - including full control to "Everybody" just for fun! Oh, clients are all win XP SP3, DC is win 2003 R2 SP2. So, can anybody suggest something? Cheers!

  Read the article

• Disabling Start menu items through user policies

  - by Hipno

  I am using Windows 7. I have a non-admin user on my computer and I want to apply on him user policies from the Microsoft Management Console. How can I disable the computer button from the Start menu through user policies? or something else?

  Read the article

• FirefoxADM not applying settings?

  - by alex

  I've followed the deployment instructions on: http://homepages.ed.ac.uk/mcs/FirefoxADM/ADM_Deploy.pdf I've applied some settings to a GPO: However, When I do GPUPDATE, log out, log back in, nothing has changed...? Am I missing something? I'm using Firefox 3.6.2.

  Read the article

• Possible to disable smart card PIN change in Windows 7?

  - by bobmagoo

  I'm looking for a way to disable the smart card PIN change ability provided with Windows 7's native minidriver. It doesn't allow us to enforce any PIN complexity requirements such that users could change their PIN to 000000 or blank without any issues so we'd like to disable that ability. I've been googling around and haven't found any way to do this, but perhaps someone has encountered a similar issue and found a resolution? A third party minidriver is the next step, but if we could do it without additional tools I'm all for it.

  Read the article

• How can I create a windows shutdown script from powershell/command-line?

  - by David Rubin

  I've read the TechNet pages that describe using computer/user startup/shutdown scripts, and that's great, but I'd like to create those scripts via the command-line (and not have to click around in gpedit.msc). It looks like scripts.ini and psscripts.ini in %SYSTEMROOT%\System32\GroupPolicy\Machine\Scripts specifies the scripts to run, but those don't exist until running gpedit.msc for the first time. Is it safe to create and edit those directly? Or do I need to muck around with Set-GPO or something similar? Thanks!

  Read the article

• Windows GPO order - beginner

  - by Andras Sebestyen

  I have some software that required e.g. .NET 4 install before them. I wonder what is the best way to make a GPO order list. I also have some software that needs certain files so I need to prepare them (via batch file). I have done a quick research however I haven't found the answer. Any help, link would be appreciated. Please feel free to down vote it if it is a real dummy one. Thanks for example: batch file cleans some folder install .NET Framework 4 install apps through MSI (commercial software) I can't pack everything in the MSI and I also need to make sure that all the steps succeed

  Read the article

• Active Directory theme policies

  - by Tuinslak

  Hey, I'm currently managing a terminal server in a domain. As the TS-service just got installed, previous users (I logged in with every user once to test it and set up a few things) use the default windows 2008 theme. New users automatically use the fancy Aero theme. Is there a way to push the Aero theme to all current users? I currently have something like this in my policies: However, when logging in with a user, the theme is not changed. Only if I disable "prohibit access to the control panel", the theme can be changed (doesn't seem to change automatically). But this gives them access to every other control panel feature as well. And giving users only access to "desk.cpl" CP-applet, gives them an access error as well when attempting to change the theme. Another question: can I, as admin, take over and/or log in as another user when that user is not logged in? Thanks

  Read the article

< Previous Page | 35 36 37 38 39 40 41 42 43 44 45 46  | Next Page >