I set a Preference setting, but it didn’t work. The answer? Probably F5-F6-F7-F8.
There are a ton of compelling reasons to use GP Preferences: the functionality lets admins configure settings that are difficult or impossible to achieve through policy (deploying shortcuts, setting up drive maps, managing devices…), and the configuration UI is eerily similar to the UI the user sees when configuring the same settings. Pretty easy to figure out where everything is when you already know the layout, right? The subtlety, however, is in knowing when a configuration has actually been captured in the preference item and set to be applied. This is controlled with the F5-F8 keys and indicated by the red or green icons.
This is my favorite example of the sweet UI and the subtle differences. These are the Internet settings options I see as a user for IE7:

And these are the same two tabs in Preferences. Notice that the only difference between the Preference dialogs and the user's is the right-most Common tab (where all of the interesting targeting and special behavior rules can be set up).


The other difference is the red dashed line or green circles that hover around the configuration options. What does this mean? Why is it there? And more importantly…how am I supposed to use it?
Look at all those options you can adjust in the Advanced Tab; that’s a lot of granularity and a lot of work to get exactly right. Instead of forcing admins to modify every single setting when they configure an IE option, Preferences offers the ability to pick and choose which setting choices the admin wants to be pushed out. Those that are red underlined (or have a red circle next to them) are going to be ignored. Those that are underlined with a green solid line (or next to a green circle) are going to be noted, captured in the GPO, and enforced on the target user or computer. So I can make a Preference item that only captures three or four settings out of a whole menu of settings. Cool, right?

To ensure you aren’t pushing out unwanted settings, settings are ignored by default; this is indicated with red-dashed-underlined or a red circle icon. This is true of the home page, for example (you can see the red dashed line in the image above). If you do not consciously make the choice to have these settings captured, they will be ignored. No green line/circle, no configuration. This is what causes most people to have issues with Preferences; they go through all the work of configuring the settings they want, set up targeting, link the GPO, gpupdate…nothing changes. The GPO applied in the report, but what happened? The settings were still set to be ignored, so nothing was pushed out.
The mechanism to specify or ignore settings is controlled by the F5 – F6 – F7 – F8 keys. They are grouped in pairs: the outer keys (F5, F8) and the inner keys (F6, F7). The outer keys manage all the settings at once: F5 makes everything count, so all the settings get a green underline; F8 sets them all to be ignored, with a red dashed underline. F6 and F7 work on individual settings: F6 will light up one setting at a time, and F7 will set one setting to be ignored. Here’s a diagram; hopefully it doesn’t make it more confusing. I’ll write up some examples for the next blog post; hope this helps so far!

Consider the following scenario:
- The following policies are enabled on a domain controller that is running Windows Server 2003 in a domain:
  - Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always)
  - Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees)
- The following policies are enabled on a member computer that is running Windows Vista Service Pack 1 or Windows Server 2008 in the same domain:
  - Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)
  - Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (If server agrees)
In this scenario, Group Policy settings are not applied on the member computer. Additionally, the following event is logged in the System log on the member computer:
Date: Date
Event ID: 1058
Level: Error
Keywords:
User: UserSID
Computer: ComputerName
Description:
The processing of Group Policy failed. Windows attempted to read the file \\ path \gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Note: This problem occurs only on member computers that are running Windows Server 2008 or Windows Vista Service Pack 1 (SP1). It does not occur on member computers that are running Windows Server 2003, Windows XP, or the release version of Windows Vista.
For more information, check the following article:
http://support.microsoft.com/kb/950876
Have you ever wanted to configure a preference item to include a specific user name and password? You can do so in several types of preference items, but if you are working in a high-security environment you should first consider the security ramifications of embedding a user name and password in a preference item.
Where can you use passwords?
- Local User preference items: When you create or modify a local user account, you can specify both a user name and a password for the account.
- Data Source preference items: If a user name and password are required to access the data source, you can provide them in the preference item. If you do so, end users to whom the preference item applies can access the data source regardless of their own permissions, but only if the specified account has the necessary permissions.
- Mapped Drive preference items: You can specify the user name and password to be used to connect to a mapped drive. If you do so, end users to whom the preference item applies can access the mapped drive regardless of their own permissions, but only if the specified account has the necessary permissions.
- Scheduled Task or Immediate Task preference items: You can configure a scheduled task to run under the security context of a specified user (allowing the task to run regardless of whether that user is logged on), by selecting the Run as check box and providing a user name and password.
- Service preference items: You can modify which account the service runs under by selecting Local System account or by selecting This account and specifying a user name and password.
For the user name in a Data Source, Mapped Drive, Scheduled Task, Immediate Task, or Service preference item, you can specify a local user account on multiple computers using the format .\UserName, or a domain account using the DomainName\UserName format.
Are passwords in preference items secure?
Passwords in Group Policy preference items are protected using 256-bit AES encryption. In the XML source code of a preference item, the password does not appear as clear text; it is encrypted. The client reads the XML, decrypts the password, and implements the configuration.
Although passwords in Group Policy preference items are encrypted, they are not completely secure and therefore are not appropriate for situations requiring high security. Consider the security requirements of your situation, and use discretion when deciding whether to include passwords in preference items.
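One way to find out where such passwords are already stored, as an added example (not code from the original post or from Microsoft): a PowerShell function that walks a policy folder and lists every preference item whose XML carries a non-empty `cpassword` attribute, which is the attribute Group Policy Preferences uses for the encrypted value and is not named on this page. The function name, the list of account attribute names, and the sample tree with its GUID and values are assumptions constructed for the example.

```powershell
# Added example: list preference items that carry a stored password.
# It reports location only and never decrypts the value.
function Find-GppStoredPassword {
    param([Parameter(Mandatory)][string]$Path)  # root to scan, e.g. a copy of SYSVOL Policies

    Get-ChildItem -LiteralPath $Path -Recurse -File -Filter *.xml | ForEach-Object {
        $file = $_
        try   { $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw) }
        catch { Write-Warning "Skipping unreadable XML: $($file.FullName)"; return }

        # Any element with a non-empty cpassword attribute holds an encrypted password.
        foreach ($node in $xml.SelectNodes('//*[string-length(@cpassword) > 0]')) {
            # Account attribute names differ per item type; this list is an assumption.
            $acct = $node.Attributes |
                Where-Object { $_.Name -in 'userName', 'runAs', 'accountName' } |
                Select-Object -First 1
            [pscustomobject]@{
                Gpo      = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '' }
                File     = $file.Name
                ItemType = $node.ParentNode.LocalName
                ItemName = $node.ParentNode.GetAttribute('name')
                Account  = if ($acct) { $acct.Value } else { '' }
            }
        }
    }
}

# Constructed sample tree standing in for SYSVOL; the GUID and all values are made up.
$root = Join-Path ([IO.Path]::GetTempPath()) "gpp-audit-$PID"
$gpo  = Join-Path $root '{11111111-2222-3333-4444-555555555555}\Machine\Preferences'
New-Item -ItemType Directory -Force -Path "$gpo\Groups", "$gpo\Drives" | Out-Null
Set-Content -LiteralPath "$gpo\Groups\Groups.xml" -Value @'
<Groups><User name="LocalAdmin">
  <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-PLACEHOLDER"/>
</User></Groups>
'@
Set-Content -LiteralPath "$gpo\Drives\Drives.xml" -Value @'
<Drives><Drive name="S:">
  <Properties action="U" path="\\fileserver\share" userName="" cpassword=""/>
</Drive></Drives>
'@

Find-GppStoredPassword -Path $root | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

Run against the domain's own Policies folder, each row is a stored credential to review against the guidance above; the drive map with an empty password in the sample is correctly left out.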
Contents :
1. Server Manager
2. Changes to Domain Controller Promotion
3. Restartable Domain Controller
4. Distributed File System Namespace - DFSN
5. Distributed File System Replication – DFSR
6. Fine Grained Password Policy
7. RSAT Tools
8. IFM Support
9. Auditing
10. ADMT 3.01
11. Windows Server Backup (System State)
12. Read Only Domain Controller (RODC)
13. Terminal Service Licensing
14. Group Policy Changes
15. Active Directory Lightweight Directory Services
16. Certificates
17. Webcasts
Scenario:
We create a group and add the users to it.
We then create a loopback policy for users in merge mode, add the group to security filtering for the loopback policy, and give it the following permissions:
Read and Apply Group Policy.
The user side of the policy will not apply.
From the GPSVC logs, we see the following:
Machine Side:
GPSVC(434.4b8) 15:00:19:206 EvalList: Object <cn={630069B4-401B-4DB0-9559-EF4D821D04FE},cn=policies,cn=system,DC=childA,DC=dom147330,DC=local> cannot be accessed
User Side:
GPSVC(434.1c8) 15:05:54:924 EvalList: Object <cn={630069B4-401B-4DB0-9559-EF4D821D04FE},cn=policies,cn=system,DC=childA,DC=dom147330,DC=local> cannot be accessed
For more details, see the following article:
http://support.microsoft.com/kb/953768
The following event is logged in the Application log:
Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: Date
Event ID: 1511
Task Category: None
Level: Warning
Keywords: Classic
User: User
Computer: Computer
Description:
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
Title: A temporary profile is loaded after you log on to a Windows Vista-based system
Check the following article, which describes the cause.
http://support.microsoft.com/kb/947242
This guide provides you with the fundamental concepts used to troubleshoot Group Policy on Windows Vista. You will learn:
· How to locate new troubleshooting information.
· How to use the Event Viewer to filter specific Group Policy information.
· How to read and interpret event data.
· Correct methods for locating the point of failure.
Topics
• What is Group Policy Preferences
• Benefits
• Preferences vs. Policy Settings
• System Requirements
• Client Side Extensions
• Features
• Common Options
• Targeting
• GPMC Support
• Enabling Logging
• Links
(Note: Attached is complete presentation in PDF format)