Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Group Policy Objects’ Category

(2016-10-13) Namespace Already Defined As The Target Namespace For Another File In The Policy Store

Posted by Jorge on 2016-10-13


My AD is running W2K12R2 DCs with the corresponding ADMX/ADML files. While preparing it for an updated Windows 10 client (Version 1607, OS build 14393.22) (this was installed ages ago and updated to the latest and greatest using Windows Update), I also decided to update the policy definitions on the central policy store. So I copied the files in the folder “C:\Windows\PolicyDefinitions” on the updated Windows 10 computer to the folder representing the central policy store on a DC (<Drive>:\<folder>\domain\Policies\PolicyDefinitions). SYSVOL replication should take care of the rest.

Now after starting the GPMC and targeting any of the GPOs you have for either viewing or editing

…and clicking on the Settings tab followed by clicking the “Show All”, you may see something similar to the following

image

Figure 1: Error Message About An Already Defined Namespace In Some Other ADMX File

…or opening a GPO, you may see something similar to the following

image

Figure 2: Error Message About An Already Defined Namespace In Some Other ADMX File

image

Figure 3: Error Message About An Already Defined Namespace In Some Other ADMX File

Looking at my Windows 10 client, its PolicyDefinitions folder contained the following files:

  • LocationProviderAdm.admx (en-US folder contained LocationProviderAdm.adml)
  • Microsoft-Windows-Geolocation-WLPAdm.admx (en-US folder contained Microsoft-Windows-Geolocation-WLPAdm.adml)
  • WindowsStore.admx (en-US folder contained WindowsStore.adml)

After this I also checked my Windows Server 2016 TP5 machine and its PolicyDefinitions folder contained the following files

Looking at my Windows 10 client, its PolicyDefinitions folder contained the following files:

  • LocationProviderAdm.admx (en-US folder contained LocationProviderAdm.adml)
  • WindowsStore.admx (en-US folder contained WindowsStore.adml)

My W2K12R2 DC had initially the following files in the central policy store:

  • LocationProviderAdm.admx (en-US folder contained LocationProviderAdm.adml)
  • WinStoreUI.admx (en-US folder contained WinStoreUI.adml)

After copying the files from the Windows 10 client to the central policy store on the W2K12R2 DC it ended up with the following files:

  • LocationProviderAdm.admx (en-US folder contained LocationProviderAdm.adml)
  • Microsoft-Windows-Geolocation-WLPAdm.admx (en-US folder contained Microsoft-Windows-Geolocation-WLPAdm.adml)
  • WindowsStore.admx (en-US folder contained WindowsStore.adml)
  • WinStoreUI.admx (en-US folder contained WinStoreUI.adml)

Looking at the end result of the files, it explained the error messages in Figure 1, 2 and 3.

The solution to this one in my case:

  • Using Notepad++, I compared “LocationProviderAdm.admx” and “Microsoft-Windows-Geolocation-WLPAdm.admx” and found no differences
    • I deleted:
      • Microsoft-Windows-Geolocation-WLPAdm.admx
      • en-US\Microsoft-Windows-Geolocation-WLPAdm.adml
  • Using Notepad++, I compared “WindowsStore.admx” and “WinStoreUI.admx” and found differences
    • I deleted:
      • WinStoreUI.admx (this file was older and contained less data than the other file)
      • en-US\WinStoreUI.adml

You can also read more about this in the following KB article MS-KBQ3077013 – "’Microsoft.Policies.Sensors.WindowsLocationProvider’ is already defined" error when you edit a policy in Windows

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Group Policy Objects | Leave a Comment »

(2016-06-16) A Change In Group Policy Processing After The Security Update MS16-072

Posted by Jorge on 2016-06-16


The Security Update MS16-072 changes the way how user GPOs are being processed. If you do not meet pre-requisites, make sure you do before applying the security update!

This applies to every Windows version starting from Windows Server 2008 and Windows Vista and higher!

More about this:

Symptoms

All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.

Cause

This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.

Resolution

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:

Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
If you are using security filtering, add the Domain Computers group with read permission.

Script

If you want to script this have a look at:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Group Policy Objects | Leave a Comment »

(2011-10-23) Best Practices For The Default Domain Policy And The Default Domain Controllers Policy GPOs

Posted by Jorge on 2011-10-23


Every AD domain since Windows 2000 Server implements two default GPOs being the “Default Domain Policy” GPO and the “Default Domain Controllers Policy” GPO.

With regards to the domain related GPOs the following are best practices:

With regards to the domain controllers related GPOs the following are best practices:

  • Create a separate “Custom Domain Controllers Policy” GPO and link that also to the domain controllers OU to be applied after the Default Domain Policy.
  • Use the “Custom Domain Controllers Policy” GPO for all non-default settings you require to use, except for the user rights settings.
  • For the user rights settings still use the “Default Domain Controllers Policy” GPO OR you need to duplicate all user rights from the “Default Domain Controllers Policy” GPO into the “Custom Domain Controllers Policy” GPO. However, when installing applications with Domain Admin or Enterprise Admin equivalent permissions, some of those applications may automatically edit the “Default Domain Controllers Policy” GPO  with regards to the user rights without any interaction. It is therefore better to still configure all user rights for domain controllers in the “Default Domain Controllers Policy” GPO. Because of this reason it is pointless to manage user rights settings in a “Custom Domain Controllers Policy” GPO.
  • You may need to create an additional GPO that only targets Branch Office DCs through group filtering or WMI filtering so that Branch Office DCs do not register domain-wide SRV records
  • You need to create an additional GPO that only targets the DC currently hosting the PDC FSMO role and any candidate DC to host the PDC FSMO role through WMI filtering. You can read more about that in “(2010-09-26) Configuring And Managing The Windows Time Service (Part 1)”, “(2010-09-26) Configuring And Managing The Windows Time Service (Part 2)”, “(2010-09-26) Configuring And Managing The Windows Time Service (Part 3)” and “(2010-09-26) Configuring And Managing The Windows Time Service (Part 4)”.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Group Policy Objects | 3 Comments »

 
%d bloggers like this: