Roaming profile, GPO and security group interaction

I have set up roaming profiles (the client insists) according to this document: https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles and it works, but there is something I do not understand.
Step 2: creation of a security group. It seems that a roaming profile should be created for any user who is placed in this group, regardless of the machine they log on to, but it doesn't work that way for me. In my environment, roaming profiles only apply if both the user and the computer are added to the security group.

Is there a problem with my configuration, or is this behavior expected? If it is expected, what am I missing? It seems to me that the policy should apply to any object that is in that group, be it a user or a computer.

Thanks in advance.

Group Policy: Cannot remove deployed printers from workstations through GPO

I have about 40 printers that were deployed with the previous method (GPO, printers deployed per user).
Each printer has a security group in its Permissions tab that is allowed to use it.
Now I have the problem that some printers appear on workstations for users who do not have permissions on them, because they are not in that printer's security group.

For example:
user1 was added to the printer01-print-group security group and was able to print to printer01. But he also sees the printers he used before and was later removed from the group for: printer02, printer03, etc. They are not accessible to him, but he can see them in the list.

In GPP I tried the user "Printers" policy and set it to remove all printers from the workstations. But it removed some printers and not others.

In the GP result I had an error:

0x80070005 access is denied

What I tried to do:
1. add the SYSTEM account to the printer security on the print server
2. add DOMAIN COMPUTERS to the printer security on the print server
3. trying to delete HKEY_CURRENT_USER\Printers\Connections

What am I doing wrong? How can I remove inactive printers that are not accessible?

thanks!

Active directory: how to change the password of a Windows service through GPO

This is a continuation of my previous question here: can I change the type of login of a Windows service through GPO?

So, I have a custom Windows service that is configured to run on a specific user account through GPO. Now the scenario is how we handle the password changes for that user account.

I did the following:
Edit the configured GPO, go to Computer Configuration -> Preferences -> Control Panel Settings -> Services and change the password field of that service to the updated one.
In addition, I selected Service Action: Restart Service.
After that, I ran gpupdate on the VM, but the service still uses the previous password. It seems that if the username stays the same and only the password changes, the GPO does not update the password.

Any ideas on how to handle this would be appreciated.
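One way to rotate a service's logon password and restart it directly on the host, as an added example that is not from the post (PowerShell, run with administrative rights on the VM; the service name and account are placeholders):

```powershell
# Added example (not from the original post): update the stored logon password
# of a Windows service through the Win32_Service.Change method and restart it.
# 'MyCustomSvc' and 'CONTOSO\svc-custom' are placeholder names.
param(
    [string]$ServiceName  = 'MyCustomSvc',
    [string]$LogonAccount = 'CONTOSO\svc-custom'
)

# Prompt for the password so it is never written into the script or a GPO file.
$secure = Read-Host -Prompt "New password for $LogonAccount" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }

# Change() rewrites the credential held by the Service Control Manager; the
# running process keeps the old token until it is restarted. ReturnValue 0 = OK.
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $LogonAccount
    StartPassword = $plain
}
$plain = $null
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($result.ReturnValue)"
}

Restart-Service -Name $ServiceName -Force
$state = (Get-Service -Name $ServiceName).Status
Write-Output "$ServiceName restarted with new credentials; status: $state"
```

Passwords entered in Group Policy Preferences items are stored in the GPO's XML with a publicly documented key, which is why Microsoft removed those password fields in MS14-025; a script like this, or a managed service account, avoids placing the secret in SYSVOL at all.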

Group Policy – GPO – Setting an item level filter in a record collection does not work

We are facing a strange problem. We created a collection of proxy settings that we apply to virtually everyone in the company. However, we have a subset of users that should be excluded from this, so we created security groups to use for the exclusion. See image below.

[Configuration image]

As you can see, we have item-level targeting enabled and we have selected one of the groups (in this case, a test group) as the target; it is configured to apply to users who are NOT members of the security group. This does not work.

We have also tried applying this to specific users and running it in the security context of the logged-on user. We have restarted the computers several times and, as you can see on the "ProxyServer" item, "Filtered by ancestor:" is set to yes.

Filtering works on each individual registry item: when we apply exactly the same filter on "ProxyServer", the filtering works properly. I searched a lot online, however I couldn't find any problem like this. We will use filtering on each item for now, but that will be difficult to maintain. Does anyone know what is causing this? Are there any other settings we need to enable?

Active Directory: centrally apply a GPO rule to local administrators

Sorry if someone asked this before; I tried to search, maybe I missed it.

Anyway, I have to:

1a) Establish a domain-wide policy for "Deny access to this computer from the network"
1b) Place the local "Administrator" of each computer in that policy

What surprises me is that on the domain controller, in Group Policy Management, when editing the policy and selecting users and computers, only domain users are shown. Nor can the scope be changed: it only allows searching the local DC, the whole domain or the forest.

I did some research on Restricted Groups; I'm sure I can use that tool to overwrite group memberships, but that's it. I cannot centrally automate adding or managing the local Administrator of each PC in the Deny logon policy.

I would value any alternative idea or suggestion for this problem. I may have to explain this to management, or even fall back on the clumsy approach of simply setting this as the default on new computers.

Active Directory: PowerShell startup script in GPO does not run (Windows Server 2016)

I'm trying to get a simple PowerShell script to run as a GPO startup script on my school workstations. So far I have not had much luck. The script started as a more complex set of commands to determine whether an application was installed, and which version, and then install an updated version if necessary. None of that worked, so I reduced the script to just two lines to see if the script runs at all. It does not seem to.

The current code:

# Writes a marker line; the path separators were lost in the original post and are restored here.
Set-Content -Path C:\PSTests\PSTest.log -Value "The PSTest script ran successfully"
exit

This has been set up in a GPO under Computer Configuration / Windows Settings / Scripts (Startup/Shutdown) / Startup.

I can run this in the PowerShell ISE if I log in, and the text file is created or updated, but using it as a GPO startup script has no discernible effect.

I ran gpresult /h to determine whether the policy is being applied:
[gpresult screenshot]

I have also checked the event logs under Applications and Services Logs / Microsoft / Windows / GroupPolicy / Operational, which report a list of applicable group policy objects that includes my script GPO. It also reports the start of Scripts Extension processing and lists my GPO, and completes the processing, but does not report any errors between these two points.

So it seems that my policy object is being applied, and that my workstation is making some attempt to process it. However, the file that it is supposed to create never appears.

Clearly I'm missing something, but what?
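A startup script that records whether and under which identity it ran, as an added example that is not from the post; the log path is the one the post uses, everything else is an assumption:

```powershell
# Added example (not from the original post): a startup script that leaves a
# trace even when the log directory is missing or the file cannot be written.
# C:\PSTests\PSTest.log is the path from the post; the rest is assumed.
$logDir  = 'C:\PSTests'
$logFile = Join-Path $logDir 'PSTest.log'

try {
    # Set-Content does not create missing directories, so create it first.
    if (-not (Test-Path -LiteralPath $logDir)) {
        New-Item -ItemType Directory -Path $logDir -Force | Out-Null
    }

    # Startup scripts run before any user logs on, normally as NT AUTHORITY\SYSTEM;
    # recording the identity and policy state makes a failed run easier to diagnose.
    $fields = @(
        (Get-Date -Format 'o'),
        [Security.Principal.WindowsIdentity]::GetCurrent().Name,
        $env:COMPUTERNAME,
        (Get-ExecutionPolicy),
        $PSVersionTable.PSVersion
    )
    $line = '{0} ran as {1} on {2}; ExecutionPolicy={3}; PSVersion={4}' -f $fields
    Add-Content -LiteralPath $logFile -Value $line
}
catch {
    # If the file cannot be written, record the failure in the Application event log
    # so the run is still visible in Event Viewer. 'PSTest' is an assumed source name.
    $msg = "PSTest startup script failed: $($_.Exception.Message)"
    if (-not [Diagnostics.EventLog]::SourceExists('PSTest')) {
        New-EventLog -LogName Application -Source 'PSTest'
    }
    Write-EventLog -LogName Application -Source 'PSTest' -EntryType Error -EventId 1 -Message $msg
}
exit 0
```

Comparing the logged identity and execution policy with what the GroupPolicy Operational log reports narrows the problem down to either the script not being launched or the script failing once launched.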

Group Policy: Firefox ESR 60.07 GPO, about:policies cannot be opened

If I install the normal version of Firefox I can open about:policies and everything seems fine, but when I try this with the ESR version, there is no policies module at all. It cannot be found anywhere in the browser. In about:support, "Enterprise Policies" is marked as "inactive". How can I activate the policies module?

Cheers

Windows – Install a .reg file through GPO

I downloaded a .reg file with some registry keys that I would like to apply on a Windows machine.
Since the same keys need to be applied, I would like to do it directly with GPO policies.

I found several guides, however none of them explicitly explains a way to push out the contents of the .reg file directly.

Could you please explain to me a clean way to do it?

Software restriction policy on the workstation differs from the GPO on the domain controller

I am trying to add a certificate rule to my software restriction policies to allow a signed executable file.

The application I am working with extracts an exe with a random name into the user's AppData\Local\Temp (blocked with a path rule) and tries to run it. Currently it is being blocked.

While researching, I ran rsop on some workstations and found that there were no certificate rules listed under "Additional Rules".
Regarding the enforcement options, on the workstations I see "When applying software restriction policies:" is set to "Ignore certificate rules". This same setting is set to "Enforce certificate rules" on the domain controller. I assume that workstations do not receive certificate rules if the option is set to ignore.

The "Precedence" property sheet shows that the correct policy is enabled and winning.

These certificate rules have worked in the past, however, I am not the usual system administrator, so I am not sure what may have changed.

Why does rsop on the workstations show something different from what is configured on the server?