Posts Tagged ‘group policy’

When trying to deploy BigHand via GPO, using the SYSTEM account that is used for computer installations, the below error comes up:

 

You will need to deploy the MSI with the MST transform attached here: no updater

For example, to test:

msiexec /i "bighand install.msi" TRANSFORMS="no updater.mst" /qb

 


When deploying BigHand via a GPO MSI, running the system app via the transform brings up the below error:

 

That error relates to AD authentication, but because you are using BigHand Professional, this should always be turned off.


Browse to – 
[HKEY_LOCAL_MACHINE\Software\Bighand\Totalspeech\v3] 
(on a 64 bit machine this will change to [HKEY_LOCAL_MACHINE\Software\Wow6432Node\BigHand\Totalspeech\v3]) 

The REG_DWORD to look for is called “AuthenticationType”. This should be set to “0”.


For a new deployment we needed Outlook to show the Tasks To-Do List on the Outlook home screen.

I couldn’t find this documented anywhere, so I had to monitor Outlook.exe during the change to find out which registry key it changed.

Location

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Preferences

Item : PinMail

Type : Dword

Value : 4


Recently, users were getting the below error from a web app they use.

This is due to the mixed code security setting, which needs to be set to: “Enable – hide warning and run with protections”

To deploy this setting to all computers on a network via Group Policy, follow the guide below; here is the Java Reference.

Create a GP to deploy the following file to C:\Windows\Sun\Java\Deployment\deployment.config

deployment.system.config.mandatory=true
deployment.system.config=file:///C:/WINDOWS/Sun/Java/Deployment/deployment.properties

Create a GP to deploy the following file to C:\Windows\Sun\Java\Deployment\deployment.properties

# Mixed code (sandbox vs. trusted) security verification
deployment.security.mixcode=HIDE_RUN

You will probably be given the files in a Zip file something like

SV9100_UC_Suite_AU_v4.5.4_R2

Extract this zip file

Download and install 7zip then extract UC_InConnect-4_5_4.exe to a folder UC_InConnect-4_5_4

You will now see the MSI file to install 

UcConnector.msi

Move this file to a share on a server (or a DFS location if you have multiple sites) and make sure Domain Computers has read access on both the share and the security of the folder.

Create a new Group Policy and add the MSI to the policy's assigned apps.

Now apply this policy to the Workstations OU.

And on reboot you should see the below on the desktop


After deploying some SharePoint lists using Group Policy via Microsoft Outlook 2016/Account Settings/SharePoint Lists, the lists would not add unless the user had clicked Allow on this error:

Do you want to allow this website to open a program on your computer?


From: companyweb

Program: Microsoft Outlook

Address: stssync://sts/?ver=1.1&type=tasks&cmd=add-folder&base-url=http%3A%2F%2Fcompanyweb&list-url=%2FLists%2FTasks%2F&guid=%7Bcf8bbfb4%2D575b%2D4dce%2Da800%2D5b34ac1786f1%7D&site-name=Corporate%20Intranet&list-name=Tasks

This error can be stopped from being displayed by deploying the below reg key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ProtocolExecute

Add the key stssync

In that key create a DWORD: "WarnOnOpen"=dword:00000000

For this to apply to all users on the machine, apply it to the keys below:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\stssync

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\stssync


I tried to use the group policy that is documented around:

User Configuration > Administrative Templates > Windows Components > Internet Explorer. Double-click on the item named “Pop-Up Allow List”.

Add the site to here. However, due to the way the group policy works, the user never sees this list being populated and, for some reason, it was not applying.

Solution

Add the site to Trusted Sites in Group Policy by going to:

User Settings -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page. Double-click on the Site to Zone Assignment.

Add the URL with the zone set to 2.

User Settings -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Trusted Site Zone. Double-click on Use Pop-Up Blocker.

Change it to Disabled.


Recently a Webroot bug (https://community.spiceworks.com/topic/2114911-netlogon-5820-endpoint-duplicate-windows-10 and https://community.webroot.com/t5/Known-Issues-KB/Netlogon-is-not-starting-after-Reboot/ta-p/316119) caused the Netlogon service to not start on some machines, which stops Group Policy from running. We needed to deploy the following, which runs a script when it detects that Netlogon has stopped:

SCHTASKS /Create /TN "System_NETLOGON_5820" /TR c:\Scripts\netstartnetlogon.cmd /SC ONEVENT /RL Highest /RU SYSTEM /EC SYSTEM /MO "*[System[Provider[@Name='NETLOGON'] and EventID=5820]]" /F

With netstartnetlogon.cmd stored on the local machine in C:\Scripts\ containing "net start netlogon".

You can deploy a scheduled task remotely using:

SCHTASKS /Create /s %machinename% /TN "System_NETLOGON_5820" /TR c:\Scripts\netstartnetlogon.cmd /SC ONEVENT /RL Highest /RU SYSTEM /EC SYSTEM /MO "*[System[Provider[@Name='NETLOGON'] and EventID=5820]]" /F

Then run it remotely using:

SCHTASKS /run /s %machinename% /TN "System_NETLOGON_5820"

However, it seemed a long method to go through all the machines with this. I used BatchPatch to deploy the netstartnetlogon.cmd files into the folder on each machine, then used Deploy Software/Patch/Script/Regkey to deploy and run the file:

createscheduledtask.bat

Which contained:

SCHTASKS /Create /TN "System_NETLOGON_5820" /TR c:\Scripts\netstartnetlogon.cmd /SC ONEVENT /RL Highest /RU SYSTEM /EC SYSTEM /MO "*[System[Provider[@Name='NETLOGON'] and EventID=5820]]" /F
SCHTASKS /Run /TN "System_NETLOGON_5820"
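
The scheduled task above runs c:\Scripts\netstartnetlogon.cmd as SYSTEM, and the share in the earlier UcConnector.msi post holds a package that machines install at startup, so write access to either location decides what runs with full privileges. As an added example (not part of the original posts), this PowerShell lists any ACE that lets a non-administrative identity change those files; the function names and the UNC path are assumptions.

```powershell
# Added example, not from the original posts: list Allow ACEs that let a
# non-administrative identity change a file or folder that is run as SYSTEM.

# SIDs accepted as writers: SYSTEM, BUILTIN\Administrators, CREATOR OWNER (placeholder ACE),
# TrustedInstaller, Domain Admins (-512) and Enterprise Admins (-519).
$TrustedSid = '^(S-1-5-18|S-1-5-32-544|S-1-3-0|S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464|S-1-5-21-.+-(512|519))$'

function Get-NonAdminWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    # Rights that allow replacing content, deleting, or re-permissioning the object.
    $mask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Some ACEs carry raw GENERIC_WRITE / GENERIC_ALL bits instead of file-specific rights.
    $mask = $mask -bor 0x40000000 -bor 0x10000000
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -match $TrustedSid) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
        # Show a readable name when the SID resolves, otherwise the raw SID.
        $name = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { $ace.IdentityReference.Value }
        [pscustomobject]@{
            Path        = $Path
            Identity    = $name
            Rights      = $ace.FileSystemRights
            Inherited   = $ace.IsInherited
            InheritOnly = [bool]([int]$ace.PropagationFlags -band 2)   # 2 = InheritOnly
        }
    }
}

function Test-SystemTaskAction {
    param([string]$TaskName = 'System_NETLOGON_5820')
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
    foreach ($action in $task.Actions) {
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        if (-not (Test-Path -LiteralPath $exe)) { Write-Warning "Action target not found: $exe"; continue }
        # Check the script and its folder: a writable folder lets the file be replaced.
        foreach ($p in $exe, (Split-Path -Path $exe -Parent)) { Get-NonAdminWriteAce -Path $p }
    }
}

# Every row returned is an identity that could change what the task runs as SYSTEM.
Test-SystemTaskAction -TaskName 'System_NETLOGON_5820'
# NTFS permissions on the deployment folder (placeholder UNC path; share permissions are set separately).
Get-NonAdminWriteAce -Path '\\server\share\UcConnector'
```

A folder created directly under C:\ inherits Modify for Authenticated Users by default, so C:\Scripts normally shows up in this output until inheritance is removed, for example with icacls C:\Scripts /inheritance:r /grant:r "*S-1-5-18:(OI)(CI)F" "*S-1-5-32-544:(OI)(CI)F".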


This can be used to install the N-able agent on startup or through something like PsExec with BatchPatch. This only supports agents 137 and below.

@echo off
cls
REM WindowsAgentSetup.exe can be downloaded from N-able by Manual Add Device
REM Replace %pathtonableinstaller% with the share that holds the installer.
REM The trailing * makes xcopy treat the destination as a file without prompting.
xcopy /y /e \\%pathtonableinstaller%\137WindowsAgentSetup.exe c:\Temp\137WindowsAgentSetup.exe*
title Installing N-able Remote Monitoring Software

REM Replace %nableserverAddress% with the address of your N-able server
SET "server=%nableserverAddress%"
REM Can be found by going to the root of your N-able, Administration tab on the left, then Customer
REM Replace %CUSTOMERID% with that number
SET "customerID=%CUSTOMERID%"
SET "installerLocation=c:\Temp"
SET "alreadyInstalled=The N-able Agent is already installed"
SET "notInstalled=The N-able Agent is not yet installed, installing it now..."
SET "programFiles=c:\program files"

REM Check to see if it is x86 or x64 (the agent installs under the 32-bit folder on x64)
IF %PROCESSOR_ARCHITECTURE% EQU AMD64 ( SET "programFiles=%programFiles% (x86)" )

REM Debug information
echo %server%
echo %customerID%
echo %installerLocation%
echo %programFiles%

REM Only install when agent.exe is not already present
IF NOT EXIST "%programFiles%\N-Able Technologies\Windows Agent\bin\agent.exe" ( GOTO INSTALL ) else ( GOTO AlreadyInstalled )
GOTO END

:INSTALL
echo %notInstalled%
REM /s runs the setup silently; /v passes the quoted properties through to the MSI
%installerLocation%\137WindowsAgentSetup.exe /s /v" /qn CUSTOMERID=%customerID% CUSTOMERSPECIFIC=1 SERVERPROTOCOL=HTTPS SERVERADDRESS=%server% SERVERPORT=443"
GOTO END

:AlreadyInstalled
echo %alreadyInstalled%
GOTO END

:END

If installing via Batch Patch use the Software Deploy to run the .bat

 

The best way I have found of deploying anything higher than N-able Agent 137 is to run the .exe, go to %temp%, get the WindowsAgent.msi and deploy it with:

msiexec /i "\\pathj\WindowsAgent.msi" /q CUSTOMERID="%number%" CUSTOMERSPECIFIC="1" SERVERPROTOCOL="HTTPS" SERVERADDRESS="%server%" SERVERPORT="443"


Recently a user asked me if they could change their homepage from MSN. I’d agree with the user, as MSN is the worst; however, the Group Policy we deployed to set the homepage:

  1. Did not have MSN in there
  2. Disabled users from changing the homepage

We wanted a way to deploy the standard company websites but make sure it wasn’t locked, so the users could add their own!

We set “Disable changing home page settings” and “Disable changing secondary home page settings” to Not configured, then deployed the registry items below.

Create 2 registry keys via Update:

Software\Microsoft\Internet Explorer\Main\Start Page ( Enter Homepage URL ) 

Software\Microsoft\Internet Explorer\Main\Secondary Start Pages ( Enter Secondary URL or more if needed ) 

Choose the below to make sure it only applies once and the user can change it from there:
