Posts tagged ‘Group Policy’

Cannot access adapter options or control panel

There seems to be an issue with recent server versions where after promoting a server to be a Domain Controller you loose access to several key functions. The main one seems to occur when trying to access “Change adapter Options” which results in a pop up “Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item”. In addition, in some cases when you try clicking on management tools such as Gpedit.msc and Control Panel, nothing happens. You can to try to access these using “run as administrator” which doesn’t always work, or create a desktop icon for the app and click the advanced options check box for run as administrator, but I see these as tedious work arounds.

The issue seems to be related to UAC (User Access Control) which can be “tweaked” with Group Policy. Since this occurred after promoting to a DC, one should use the Group Policy Management console rather than the Local Group Policy editor.

Run the GP Management console and edit the Default Domain Policy or a Computer OU of your choice. Locate the following policy, and enable:

Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options || User Account Control: Admin approval mode for the built-in administrator account

Once changed, from an elevated Command prompt run:

gpupdate /force

If not prompted to do so, you will need to log out and back in.

You should now be able to access your various admin tools that were blocked before.


Connect to Windows VPN at Logon

The internet is littered with questions about VPN connection and authentication issues as a result of using cached credentials.

  • How can I automatically connect my Windows VPN at start up?
  • Why do I have to re-enter my user credentials when connecting my corporate VPN?
  • How do I get Group Policy to apply to VPN connected users?
  • How do I use my work domain user account when I work from home using a VPN?
  • Why won’t my logon script run when connecting by VPN?

You can connect from any PC using a VPN, but in most cases you do so after having logged onto the PC first. If this is a “domain joined” corporate PC, when you logon without the domain controller present, you are not authenticating to the domain but rather using the credentials cached on the local computer from a previous logon.  As a result Group Policy cannot be updated, logon scripts are not applied, and most often you have to re-enter your user credentials when you do choose to connect to the office via VPN.

It is possible to connect to the VPN at logon resulting in an experience similar to that of the office, except of course for the reduced file transfer speed,  However, there are few conditions that must be met to do so:

  1. This applies only to the Windows VPN client. Newer Cisco VPN clients and a few others do offer methods to connect the VPN before logon, but they use different processes.
  2. The computer must be a member of the domain, and therefore Pro, Ultimate, or Enterprise versions of the operating system.  At logon you will be providing domain credentials which are automatically passed to the local logon, thus they must be the same.  Using the same username and password is not enough as logon credentials include domain or computer names.  Domain\JDoe is not the same as LocalPCname\JDoe.  If the computer is not already a member of the domain, it is possible to join a remote domain using the VPN connection.  To do so please see:
  3. Should the PC not be domain joined and you wish to automate the VPN connection, after logon, please see:
  4. When you create the VPN connection you must check the box “allow other people to use this connection”.


Having met these conditions, at logon there is now an option to connect using the VPN during logon.

Windows Vista and Windows 7:

At logon select “Switch User” and a new blue icon will appear in the lower right next to the familiar red Shut Down icon.


Clicking the icon will allow you to use the VPN connection, and simultaneously connect and authenticate to the corporate domain, and log on to your local PC


Windows XP:

At logon after pressing ctrl+alt+del, if you click the “Options” button there will new be a check box “Logon using Dial-up connection” which will use the VPN connection, and simultaneously connect and authenticate to the corporate domain, and log on to your local PC


Windows 8:

Please see the more recent post to enable on a Win 8 PC

Slow Links:

Depending on the performance of the VPN connection, it is sometimes necessary for the network administrator to “tweak” a few Group Policies for slow network detection.  The following policies can assist with this:

Server 2008 / 2008 R2 / SBS 2008 / SBS 2011:

  • Computer Configuration | Policies | Administrative Templates | System | Group Policy | Group Policy slow link detection
  • Computer Configuration | Policies | Administrative Templates | System | Scripts | Run logon scripts synchronously
  • Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow-link mode
  • Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow link speed

Server 2003 / SBS 2003 / SBS 2003 R2:

  • Computer Configuration | Administrative Templates | System | Logon | Always wait for the network at computer startup and login
  • Computer Configuration | Administrative Templates | System | Group Policy | Group Policy slow link detection
  • Computer Configuration | Administrative Templates | System | Scripts | Run logon scripts synchronously
  • Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow-link mode
  • Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow link speed

Client Deployment:

Network administrators may also want to considered creating a deployable VPN client for consistency, security, and with a company logo.  An earlier post outlines how to do so in detail:

Drive Mapping Basics

We have all been mapping drives using various methods so long as we have had networked computers.  A recent discussion with a colleague revealed that many IT pros still use the same methods they used with NT4, during the last century. Though these methods still work as well today as they did 10 to15 years ago, if enlightened these folk might find some of the newer options using group policy and preferences easier to manage and apply, in a windows domain environment.  I am sure this article is a very basic review for most, so I have titled each so that you can quickly locate methods that may be of interest, or skip to using group policy near the end like any good “cliff hanger”.

1)  Manually:

The option still exists with Windows 7 to open windows Explorer, click on the menu bar, select “Map a network drive”, select the drive letter and path, and choose whether to reconnect at next logon.  This is hardly a reasonable way to deploy mapped drives to multiple users as it would require going desk to desk.  The other primary downside to this option is end users can override, delete, and add their own mappings which may conflict with mappings you are trying to push out from the server.  The latter to be addressed with the deployment methods #3 and on.


2)  From a command line:

Though probably even less practical, the option also exists to duplicate the above from a command line by simply using:

Net Use X: \\ServerName\ShareName /persistent:yes

3)  A batch file

The next step up would be to apply the Net Use commands using a batch file (also called script) which the user can apply by clicking on a desktop shortcut or by adding it to the start menu “StartUp” folder.  Though this method of applying the batch file is not at all practical, using a batch file is a reasonable option. Alternate methods to apply a batch file are discussed later, but I will take this opportunity to discuss the script itself and the syntax.  The script could be written using VBS or other languages, but for simplicity I will stick to DOS commands.  The script is written in a text editor like “notepad” and saved with a .bat (or .cmd) extension.  When saving, to be sure the .txt extension is not automatically added, place quotes around the file name such as “MyScript.bat” .

The basic line to apply the drive mapping is still the same:

Net Use  X:  \\ServerName\ShareName

However, as mentioned in #1 users have a tendency to occasionally create their own mappings, or you may want to make changes from time to time, so I like to start with a clean slate, delete all existing mappings, and make sure they will not automatically be recreated due to the “/persistent:yes” option.  To do so start the script as below, followed by the drive mappings. (Note: DOS commands are not case sensitive)

Net Use /persistent:no
Net Use * /delete
Net Use X: \\ServerName\ShareName1
Net Use Y: \\ServerName\ShareName2
Net Use Z: \\ServerName\ShareName3

It is also possible to add GoTo statements and Labels to filter a script.  For example you may want one script for multiple users on multiple devices, but the required mappings may vary for different users, on different servers or PC’s, or when users are members of different groups.  This is not a scripting lesson but to provide an example, in the following batch file the mappings will not be applied if run on a server named Server1, and User1 and User2 will have different drive mappings than other users.

If "%ComputerName%" == "Server1" GoTo END
Net Use /persistent:no
Net Use * /delete
If "%UserName%" == "User1" GoTo MAP1
If "%UserName%" == "User2" GoTo MAP2
Rem  apply default mappings to all others
Net Use X: \\ServerName\ShareName1
Net Use Y: \\ServerName\ShareName2
Net Use Z: \\ServerName\ShareName3
Net Use X: \\ServerName\ShareName1
Net Use Y: \\ServerName\ShareName2

The following sites will provide additional information regarding DOS commands and syntax, or using IfMember (for group membership filtering)  instead of If %UserName%

4)   Batch file, applied through the user’s profile

Continuing with using the batch file method; it would be more practical to apply it from the server, when the user logs on to their workstation than by installing on each machine.  The crudest method of doing so which has been around for more than 10 years, is to apply the script though the user’s profile in Active Directory Users and Computers on the server.  The default location to place the script is  C:\Windows\sysvol\sysvol\<your domain>\scripts.  This path is also a default share, \\ServerName\Netlogon  for which all domain users have read permissions.  The location can be change but if so permissions have to be considered and the path provided.  Why “re-invent the wheel”, use the default file path.  On server 2008 / 2008 R2 you must be an administrator and have “elevated privileges” to write to this file location. When opening the text editor (Notepad) right click on the application or shortcut and choose “run as administrator”.   Failing do to so will not allow the file to be saved.image

Once the batch file has been placed in the appropriate location, open the user’s profile in Active Directory, and in the box labeled “Logon Script” under the “Profile” tab, insert the name of the script.  It will be applied the next time this user logs on to a domain joined machine.  The only real disadvantage of this method is the name of the batch file has to be manually added to each user’s profile.


5) Batch file, applied using Group Policy

Now the 21st century methods:  Group policy is the ideal way of managing users and controlling their environment.  The possibilities are endless, but the focus is on mapping drives.  Again place the script in the default location mentioned above; C:\Windows\sysvol\sysvol\<your domain>\scripts heeding the notes about requiring elevated privileges.  Instead of applying through the user’s profile, which only affects one user, we can now apply to all members of an OU (Organizational Unit) through Group Policy.  This example will use an OU named Sales.  I will assume the users belonging to the Sales OU have already been added in active Directory.  The policy can be applied to an OU at any level, including the domain level if preferred, though it is a “User Policy” so I recommend applying to a User OU.

Open the Group Policy Administration Console under Administrative Tools, and locate the OU to which you wish to apply the Logon script. Right click on the OU and choose “Create a GPO in this domain, and link it here”. The following image shows the OU structure used on a Small Business Server.


Name the policy


Right click on the new policy and choose edit


Expand the tree to locate <your domain name> | User Configuration | Policies | Windows Settings | Scripts (Logon/Logoff) | in the right hand window right click on Logon and choose properties| click add, then enter the path or browse to your logon script.  Save by choosing OK, OK.


Group policy can take up to about 90 minutes to apply to workstations.  If you wish to force it to update form a command line run:  gpupdate /force  then log off and back on.  The drive mappings should be applied.

6) Using Group Policy Preferences

The latest method for applying drive mappings also uses Group Policy but does not require a script at all.  Server 2008 introduced Group Policy Preferences.  This method applies the mappings to a specified OU similar to the example above with the Sales OU, but uses a different feature or object within the Group Policy management console.  Again right click on the OU to which you wish to apply the mappings and choose “Create a GPO in this domain, and link it here”, name the policy, and select edit as in #5 above.  This time expand the tree to locate <your domain name> | User Configuration | Preferences | Windows Settings | Drive Maps.  Right click in the right hand window  and choose New | Mapped Drive


In the resulting window first choose Create or Replace.  Create seems to be the more common choice.  Replace does function more like the earlier script in that it deletes existing mappings and options, and completely re-creates the new drive mapping.  Next enter the share UNC path and select the drive letter. I prefer not to select reconnect, which is similar to opting for  /persistent:no  as explained in the earlier scripting section.  Then save the drive mapping by simply clicking OK.  For more information on Drive Map options see:


Once complete the new drive mappings will be displayed in Group Policy similar to the following image:


Remember as in #5 if you wish the Policy Changes to be applied immediately, you must run gpupdate /force on the workstations to be affected.

Group Policy Preferences is obviously the simplest method for creating and reviewing mapped drive configurations so chances are you only read the past 2 paragraphs, but hopefully it has be of some help to those looking at other methods or wanting a brief history lesson.

In the event you have problems applying Group Policies make sure you have waited 90+ minutes or run gpupdate /force, then if necessary you can run GPResult on the workstation, or on the server in Active Directory run the Group Policy Modeling Wizard .

Tag Cloud