Showing posts with label Windows 7. Show all posts
Showing posts with label Windows 7. Show all posts

Wednesday, September 28, 2016

Microsoft released a series of patches that broke user group policies - Resolution

Microsoft released a series of patches that broke user group policies. Below is a snippet from the TechNet blog at https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/.

We released new security patches for all currently supported Operating Systems. Among those patches was this one: MS 16-072, which is also referenced as KB 3163622. OS Specific articles are released as 3159398, 3163017, 3163018, and 3163016.

KB 3159398 – Vista, 2008, 7, 2008 R2, 2012, 8.1, 2012 R2
KB 3163017 – Windows 10 TH1
KB 3163018 – Windows 10 TH2 and Server 2016 TP4
KB 3163016 – Server 2016 TP5

NOTE: The AskDS blog also has some excellent content out there on this topic that can be found here.
After applying the appropriate patch to your systems, User group policies are retrieved from SYSVOL differently than before. Prior to the update, domain joined computers used the user’s security context to make the connection and retrieve the policies. After the update is applied, domain joined computers will now retrieve all policies using the computer security context. The users that get the policy is still controlled by the policy scope just like before. The only change is the computer is getting the policy for the user.

Ones that still had the default security scope of “authenticated users” typically still worked because that also grants the permission to any domain authenticated computers.

To work around this change, the computer account will need “read” access to all GPOs in order to evaluate whether the user policies are applicable. I used group policy to grant the “domain computers” group read access to all existing group policies, and modified the security descriptor in the defaultSecurityDescriptor property of the CN=Group-Policy-Container object in the AD schema so that new policies will get this permission by default. I have tested this and it seems to have fixed the issue in new and existing group policies. I originally thought this may be directly related to Windows 10 being that’s where I was seeing it, but I guess not. If you have had issues with user group policies lately, this was probably the problem.


Below is exactly what I did to fix the issue.

From an elevated PowerShell prompt I ran:
Set-GPPermissions -all -PermissionLevel GpoRead -TargetName “Domain Computers” -TargetType Group

That grants the "domain computers" group read permissions to all of the existing group policies. This will not remove any other permissions that were already granted to that group.

Next I logged in to the domain controller that holds the operations master role. From there you can open ADSIedit and connect to the schema naming context. Find the CN=Group-Policy-Container object, right-click and click properties. Locate the defaultSecurityDescriptor attribute, and click edit. Append (A;CI;LCRPLORC;;;DC) to the end of that string. This will grant the "domain computers" group read access to any new group policies that are created in the domain.

Saturday, September 14, 2013

Resolved: Error message Windows is unable to install to the selected location. Error: 0x80300001 after loading additional drivers

There is a very misleading/deceptive error that you might run into when installing various versions of the Windows operating system. It typically happens when you load additional drivers for raid controllers, fiber cards, SCSI controllers, etc. That error is:

Error: "Windows is unable to install to the selected location. Error: 0x80300001."

Wednesday, March 27, 2013

Filter Security Event Logs by User in Windows 2008 & Windows 7

If you are like me, you probably miss being able to easily filter your security event logs by a specific user like we did in previous versions of Microsoft Windows. Well, it is still possible in Windows 2008 and Windows 7. You just need to use the XML filter option. When you are in the security event logs, click on "Filter Current Log..." from the actions pane. Click the XML tab of the window that opens, and check the box next to "Edit query manually".

Friday, January 11, 2013

How to Configure Your Page File to Save Disk Space

Written by Greg Kjono

There are a couple of hidden files that typically use up a lot of disk space, especially in systems that have large amounts of RAM. These are the pagefile.sys and hiberfil.sys. Hiberfil.sys can be deleted if you don't use the hibernation feature. Instructions on how to do that are available at http://nerdsknowbest.blogspot.com/2013/01/how-to-delete-hiberfilsys-on-windows.html.

I don't recommend completely removing the pagefile, especially on desktops and laptops, however. You can configure them to not use so much disk space though. By default they are set to "system managed" and are probably close in size to the amount of memory you have in your PC. Chances are that you aren't actually using most of that space in the page file, and that your computer is just allocating that space in case it needs it in the future.

Wednesday, January 9, 2013

Error! Windows - No Disk: Exception Processing Message c0000013 Parameters 75a851d8 979a26dc 75a851d8 75a851d8

This is one of those errors that doesn't really give you any information to go on. All you really get is this popup message that say Windows - No Disk: Exception Processing Message c0000013 Parameters 75a851d8 979a26dc 75a851d8 75a851d8.

Error! Windows - No Disk: Exception Processing Message c0000013 Parameters 75a851d8 979a26dc 75a851d8 75a851d8

Thursday, January 3, 2013

Phantom space used in Windows 7, Windows Server 2008, Windows Server 2008 R2, and Windows Vista

A common issue that has baffled a lot of administrators is where a large amount of disk space is showed as in use, but they can’t find the files that are using it. For example, ff you go to the root of the C: drive, select all of the files, right-click, and click properties. The amount of space shown as used on that properties window isn’t nearly what it should be if you deduct it from the size of the drive and compare your results to the free space that Windows explorer, or my computer shows.

There are a couple things that most often contribute to this. The first is a bloated, oversized $TOPS file. You can set your system to specify that the Transaction Resource Manager will clean the transactional metadata on the next mount, or reboot.

How to delete hiberfil.sys on Windows 2008/Vista/Windows 7

In Windows 2008, 2008 R2, Vista and Window 7, disabling hibernation via Power Options in the control panel doesn't get rid of the hiberfil.sys file. This file is usually equal to the amount of memory your system has, so it eats up a lot of disk space. This is  especially true if you have a lot of memory which is common on servers, or a small amount of disk which is common on virtual machines. To get rid of this file and free disk space, just run the following command from an elevated, or administrative command prompt.