Category Archives: Group Policy

Items related to specific GPOs, and also items to be aware of on the server side.

[Solved] Failed to apply policy and redirect folder “Desktop”

I struggled to figure out why my folder redirection policy failed to apply fully. In this case, I was actually trying to reverse folder redirection: for some users, we wanted to go back to having the profile local. My method was to create a security group and associate a policy with it that would put the normally redirected folders back in the local user profile. I felt I had it all set up right. I made sure the members of the new group were denied the ability to apply the normal redirection policy, so the only one that would take effect was the new GPO.

However, after verifying the settings in Windows, I saw the changes didn’t fully work.

For anyone who doesn’t know, your profile folder locations are specified here:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Items such as Desktop are normally set to %USERPROFILE%\Desktop unless you or a policy change it.

I used myself as a guinea pig and ran the Group Policy Results wizard on myself. Not many clues, except that, oddly, some of my folders that were previously redirected did change. Most didn’t.

The clues I needed finally came from Event Viewer (eventvwr). I really enjoy the way events are grouped at a high level. It makes things easier.

I actually had some error events in the Application log with Folder Redirection as the source. The event ID I had was 502.

Failed to apply policy and redirect folder “Desktop” to “C:\Users\chris\Desktop”.

Redirection options=0x9200.
The following error occurred: “Can not create folder “C:\Users\chris\Desktop””.
Error details: “This security ID may not be assigned as the owner of this object.”.

With this in hand, I went to Google and found some posts from people having similar issues with roaming profiles. The cause turned out to be ownership of my local profile.

I checked mine and sure enough, that was it. I had full control of my profile, but SYSTEM was the owner. I checked another user and he had the same problem.

I needed a way to correct this for myself and everyone else. I like using the application subinacl (from Microsoft) for ownership changes. You can find it here.

I did some testing and created a script to do the corrections for me. I stored subinacl.exe in the NETLOGON folder.

Here is the script I created. I called it SetOwner.bat.

<start of script>

REM Set owner at profile root
\\domain.loc\netlogon\subinacl /subdirectories "%Userprofile%" /setowner="ncdsb\%username%"
REM Set owner on files and folders in profile
\\domain.loc\netlogon\subinacl /subdirectories "%Userprofile%\*.*" /setowner="ncdsb\%username%"

<end of script>

I made the .bat file a logon script in my new local redirection policy. Maybe I don’t need to correct the root profile folder and the files in two separate lines; in my testing, I didn’t see changes in subfolders without it. However, I did notice that checking ownership on my Desktop folder twice in the same logon session took some time to update. There might be some processing time for it all to work.

After the permissions are corrected, a second reboot is required to fully fix the folder redirection.

The only mystery left in this for me is how SYSTEM ended up as the owner of my profile.
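To spot this condition before the 502 events do, here is an added PowerShell check (not part of the original post) that lists the owner of every folder under User Shell Folders, plus the profile root, and flags anything not owned by the logged-on user. It only reads; the subinacl script above is still what changes ownership.

```powershell
# Added example, not from the original post: report the owner of each profile folder
# listed under User Shell Folders and flag any that the current user does not own.
# Read-only; run as the user whose profile you are checking.
$expected = "$env:USERDOMAIN\$env:USERNAME"
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Read values unexpanded so REG_EXPAND_SZ entries keep their %USERPROFILE% form for display,
# then expand them the way Explorer does before checking the folder on disk.
$reg = Get-Item -Path $key
$results = @(foreach ($name in $reg.GetValueNames()) {
    if ($name -like '!*') { continue }          # informational marker value, not a folder
    $raw  = $reg.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
    $path = [Environment]::ExpandEnvironmentVariables($raw)
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Folder = $name; Raw = $raw; Owner = '(missing)'; Ok = $false }
        continue
    }
    $owner = (Get-Acl -LiteralPath $path).Owner
    [pscustomobject]@{ Folder = $name; Raw = $raw; Owner = $owner; Ok = ($owner -ieq $expected) }
})

# The profile root itself is what the event 502 text complained about, so check it too.
$rootOwner = (Get-Acl -LiteralPath $env:USERPROFILE).Owner
$results += [pscustomobject]@{
    Folder = '(profile root)'; Raw = $env:USERPROFILE; Owner = $rootOwner; Ok = ($rootOwner -ieq $expected)
}

$results | Format-Table Folder, Raw, Owner, Ok -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning "Some folders are not owned by $expected (for example NT AUTHORITY\SYSTEM); Folder Redirection can fail with event ID 502."
}
```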


How to block Ultrasurf at the workstation level in Windows

Some time ago, I discovered students were using a program called Ultrasurf to get around our internet filter. The app is portable and so can run off a USB key or from a cloud drive. (As of writing this, the latest file name is u1403.exe. You can recognize it is running by a yellow-gold lock icon on the screen, usually in the lower right corner.)

Apparently it was designed for citizens of China to get around “the Great Firewall of China.” The app sets itself up as a proxy. Ultrasurf then changes Internet Explorer to use this new proxy to surf. Behind the scenes, the app works by connecting to an IP address overseas, chosen from a wide range. From what I saw, it connects using HTTPS, and the port can be varied by users. Blocking it is a daunting task.

Blocking the app itself via Group Policy is tough as well. The checksum is a moving target: Ultrasurf often has a new version out, plus old versions can be found everywhere.

You might think that blocking proxy access in IE via GPO would help. It really doesn’t. All the GPO does is block the ability to enter the settings via Internet Options. Policies still allow changing the actual proxy value in the registry.

What I discovered is that to block Ultrasurf, you need to prevent users from being able to edit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings.

This is where IE stores its proxy information. As long as the user has write access, Ultrasurf can work.

Introducing UltraFin!

I have created a script that works at the user level. I deploy it via a policy that runs as the user for anyone who is a member of our student user group. I called it UltraFin as a play on Ultrasurf. A surfer’s day is ruined if they see a fin in the water 🙂

What the script does is use a tool called regini.exe to set the part of the registry I mentioned above to read-only. This essentially locks them out from making any changes to their proxy settings. To undo the permission settings, an admin would have to mount their profile hive (ntuser.dat) and correct the permissions.

Once this is done, launching Ultrasurf says it is connected, but it will go nowhere. Ultrasurf normally launches IE once it connects, but this won’t happen anymore.

I keep both my script and regini.exe in the NETLOGON folder of our DCs.

You get regini.exe as part of the Windows Server 2003 Resource Kit Tools.

Here is my script. Please note, you will need to rename it from ultrafin.txt to ultrafin.vbs.

In the GPO I create, here is where I place it:

User Configuration->Policies->Windows Settings->Scripts->Logon

Name: %LOGONSERVER%\NetLogon\UltraFin.vbs

I use the LOGONSERVER variable to reduce network traffic and to prevent a workstation from hanging on logon if server X is down.

One important note: I still keep a policy in place for this group that prevents them from changing their proxy settings in IE. The main reason for this is so the users in question can’t manually set a different browser to use the Ultrasurf proxy address. Ultrasurf thrives on IE, but there is the potential to work around it.

To ensure this, I have also imported policy templates for the other popular browsers, such as Chrome and Firefox, and enabled the settings that force these browsers to use the IE proxy settings.

I hope this helps someone, as I haven’t found many good ways so far to block Ultrasurf.
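Since the UltraFin script itself is an attachment, here is an added PowerShell audit (my own, not the post’s script) that verifies the lock from the user’s side: it prints the current proxy values in the Internet Settings key and reports whether the logged-on user still holds write rights on that key. It changes nothing.

```powershell
# Added example, not the UltraFin script from the post: audit the IE proxy key.
# Shows the proxy values a tool like Ultrasurf must write, and whether the current user
# still has write rights on the key (i.e. whether the regini lockdown took effect). Read-only.
$keyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Current proxy configuration; ProxyEnable=1 with ProxyServer pointing at the local machine
# is the symptom the post describes.
$props = Get-ItemProperty -Path $keyPath
[pscustomobject]@{
    ProxyEnable   = $props.ProxyEnable
    ProxyServer   = $props.ProxyServer
    AutoConfigURL = $props.AutoConfigURL
} | Format-List

# Identities the current user runs as: own SID plus every group SID in the token.
$id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

# Rights that would let a program change the proxy settings (or the ACL protecting them).
$writeMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

$acl   = Get-Acl -Path $keyPath
$allow = @(); $deny = @()
foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
    if ($sids -notcontains $rule.IdentityReference.Value) { continue }
    if (([int]$rule.RegistryRights -band [int]$writeMask) -eq 0) { continue }
    if ($rule.AccessControlType -eq 'Deny') { $deny += $rule } else { $allow += $rule }
}

# Ownership is shown because the owner of a key can always change its permissions.
"Key owner: $($acl.Owner)"
if ($deny.Count -gt 0 -or $allow.Count -eq 0) {
    "Write access: blocked for $($id.Name); proxy settings are locked."
} else {
    Write-Warning "Write access: $($id.Name) can still modify proxy settings via $($allow.Count) allow rule(s)."
    $allow | Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize
}
```

A Deny rule for any of the user’s SIDs is treated as blocking, which is a simplification of the full ACE evaluation order but matches the all-or-nothing lockdown the post applies.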

Restoring GPOs without a backup

This post relies on having Shadow Copy enabled.

I recently made some changes to a Group Policy Object that didn’t fill the need I was going for. I wanted to put it back, but there is no undo when it comes to GPOs.

A proper course of action would of course be to make a backup copy or to test in a lab part of your network. In this case, the L2 felt the need was more pressing and needed a quick resolution.

I tried a few ways to restore, including finding the GPO folder and trying to overwrite it with the one from Shadow Copy. This partially failed, as some files are locked by Windows.

For anyone curious, this is where you would find the folder where Group Policies live.

If you are using NTFRS (standard) SYSVOL replication, your path is this:
C:\windows\SYSVOL\sysvol\ncdsb.loc\Policies

I am using DFSR replication for SYSVOL so this is my path:
C:\windows\SYSVOL_DFSR\sysvol\ncdsb.loc\Policies

(Side note: some don’t see the need for the switch, but I’ve read that DFSR replication for SYSVOL is better as it is self-healing.)

Each folder you see here represents a Group Policy Object. If you want to know which folder is the GPO in question, you need to know its unique ID.

This can be found in Group Policy Management on the Details tab (after you click on the GPO in question).

In the case of a GPO that you want to revert, here are the steps I followed:

1- First, back up the “broken” GPO to a folder on your C: drive. In Group Policy Management, you will need to find the actual GPO and not a link; for this you will need to expand Group Policy Objects.

2- Find the policy folder in the path above and go to Previous Versions in Shadow Copy. Find a point in time before your changes and open that version.

3- Copy the contents of the shadow copy folder to the folder you just created as a backup. Now, what and where is critical.

The GPO folder will have folders called Machine and User. You need to dig down into the backup folder until you find the matching ones.

For example, here is how much I had to dig to find them:
C:\GPO Backups\{UNIQUE-ID}\DomainSysvol\GPO

Just say yes to overwrite all files and folders.

4- At this point, return to your actual GPO under Group Policy Objects and choose Restore from Backup… Browse to where you backed it up and follow the wizard, making sure to select the right one (in case you have other GPOs backed up to that folder).

At this point, your GPO should be back to what it was before.
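The same four steps, scripted with the GroupPolicy PowerShell module, as an added example that is not from the original post. The GPO name and the folder holding the Shadow Copy previous version are assumptions you supply; copy the previous version to a normal folder first (from the Previous Versions tab), then point $shadowCopy at it.

```powershell
# Added example, not from the original post: the restore procedure scripted with the
# GroupPolicy module. Run on a DC or a machine with RSAT, as a user who can edit the GPO.
Import-Module GroupPolicy
$gpoName    = 'My Broken GPO'                   # assumption: display name of the GPO to revert
$shadowCopy = 'C:\Temp\ShadowCopy\{GPO-GUID}'   # assumption: previous version of the GPO folder
$backupRoot = 'C:\GPO Backups'

# Step 1: back up the current ("broken") GPO. Backup-GPO names its folder after the
# backup ID, not the GPO GUID, so take both from the returned object rather than guessing.
$gpo = Get-GPO -Name $gpoName
"GPO '$($gpo.DisplayName)' has GUID {$($gpo.Id)}; its SYSVOL folder under Policies has the same name."
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null
$backup = Backup-GPO -Guid $gpo.Id -Path $backupRoot -Comment 'Pre-revert backup'
$target = Join-Path $backup.BackupDirectory "{$($backup.Id)}\DomainSysvol\GPO"
"Backup written to $target"

# Steps 2 and 3: overlay the Machine and User folders from the previous version onto the
# backup's DomainSysvol\GPO folder, overwriting files (the "yes to all" in the post).
foreach ($side in 'Machine', 'User') {
    $src = Join-Path $shadowCopy $side
    if (Test-Path -LiteralPath $src) {
        Copy-Item -LiteralPath $src -Destination $target -Recurse -Force
    } else {
        Write-Warning "No $side folder in $shadowCopy; that half of the GPO is left as backed up."
    }
}

# Step 4: restore the GPO from the modified backup. The returned object shows the new
# modification time, which is your confirmation that the restore was applied.
Restore-GPO -BackupId $backup.Id -Path $backupRoot | Select-Object DisplayName, Id, ModificationTime
```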

How to shut down idle systems in the evening or on the weekend

I have been wanting to put this one up for a while, as it seems appropriate for a Friday.

We have labs for students with laptops on carts. Often kids will put a laptop back and not bother to turn it off. This leads to heat issues inside the cart, which can lead to early failure of the system’s components.

I have thought about using a Power policy to enable hibernation. That didn’t seem the best option, as the next user will find the system locked by the previous user and will most likely force the power off, which isn’t good for the computer either.
Since Microsoft hasn’t included a built-in way to shut down a system via policy, I decided to invent one.

I created a policy that makes use of Group Policy Preferences Scheduled Tasks. The idea is that a scheduled task will be created that monitors computer idle time after a certain time of day on student laptops.

I’m working under Computer Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks.

I created a new task and called it Schedule Idle Shutdown. I set the account to use as NT AUTHORITY\System, set it to run whether the user is logged on or not, and configured it for Windows 7.

Trigger: I set it to run daily at 3 PM and repeat every hour for a duration of 12 hours.

Actions: it will run C:\Windows\System32\Shutdown.exe with
/f /s /t 60
(force, shutdown, in 60 seconds) as the arguments.

Conditions
Idle: start the task only if the computer is idle for 1 hour, and I set “wait for idle” to Do not wait.

Power
As the kids only have the laptops plugged in when they are on the cart, I set it to only start the task if the computer is on AC power, and to stop if it switches to battery power.

Settings
Run the task as soon as possible after a scheduled start is missed, and if the task is already running, stop the existing instance.

What this all means is that when 3 PM rolls around, the computer has to have been idle for at least an hour. If not, at the next run it will check again whether it’s been idle for an hour. When the two are finally in agreement, a shutdown is triggered.

We save power, reduce heat damage and avoid users forcing a locked system off the next time around.
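For testing the same settings on a single laptop, or for sites that push tasks from a startup script rather than Preferences, here is the task rebuilt with the ScheduledTasks module (Windows 8 / Server 2012 and later). This is an added example, not the post’s Preferences item; the “stop the existing instance” rule and the “do not wait” idle timeout are left at the module defaults because the cmdlets have no direct switch for them.

```powershell
# Added example, not from the original post: the Schedule Idle Shutdown task built with the
# ScheduledTasks module instead of a Group Policy Preferences item. Run from an elevated prompt.
$taskName = 'Schedule Idle Shutdown'

# Action: force shutdown with a 60-second grace period, exactly as in the post.
$action = New-ScheduledTaskAction -Execute 'C:\Windows\System32\shutdown.exe' -Argument '/f /s /t 60'

# Trigger: daily at 3 PM, repeating every hour for 12 hours. The -Daily trigger has no
# repetition parameters, so borrow the Repetition pattern from a -Once trigger.
$daily = New-ScheduledTaskTrigger -Daily -At 3pm
$rep   = New-ScheduledTaskTrigger -Once -At 3pm -RepetitionInterval (New-TimeSpan -Hours 1) `
                                  -RepetitionDuration (New-TimeSpan -Hours 12)
$daily.Repetition = $rep.Repetition

# Conditions and settings: start only after 1 hour idle, run as soon as possible after a
# missed start, Windows 7 compatibility. The module defaults already disallow starting on
# battery and stop the task if the laptop leaves AC power, matching the post's Power tab.
$settings = New-ScheduledTaskSettingsSet -RunOnlyIfIdle -IdleDuration (New-TimeSpan -Hours 1) `
                                         -StartWhenAvailable -Compatibility Win7

# Run as SYSTEM whether or not anyone is logged on.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# -Force replaces an existing task of the same name, so the script is safe to re-run.
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $daily `
                       -Settings $settings -Principal $principal -Force | Select-Object TaskName, State
```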

Understanding setting local group members via GPO

I’m putting this up more as notes for myself, as I usually have to check how to use Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups.

Use it one way and you wipe out the existing local members of groups on a workstation. Use it the right way and you add to them instead. This can be used to set a group as either local admins or power users.

I do this to give our L2 group local admin on all workstations. (Side note: a WMI filter is another topic to think of in that case, so you don’t set them as local admin on a server. If there is no policy link in a server OU you are fine, but WMI filtering is something to watch for in a later post.)

There are two parts to this: *Members of this group* and *This group is a member of*.

If you put a group into the first one, it will wipe out any existing members. If your local groupings are standard, it may not be an issue. However, I’d rather use the second one, as it adds to the group without wiping out the existing members.
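The two choices end up as different line forms in the GPO’s security template (Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf under the GPO folder). As an added example that is not from the original post, this PowerShell parses the [Group Membership] section and flags entries that use the replacing “Members” form; the template text and the S-1-5-21 SID in it are constructed sample data standing in for a domain group such as L2.

```powershell
# Added example, not from the original post: classify Restricted Groups entries in a
# GptTmpl.inf [Group Membership] section as replacing (Members) or additive (Memberof).
function Get-RestrictedGroupMode {
    param([Parameter(Mandatory)][string[]]$TemplateLines)

    $inSection = $false
    foreach ($line in $TemplateLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        # Entry form: *<SID>__Members = *<SID>,*<SID>   or   *<SID>__Memberof = *<SID>
        if ($t -match '^\*?([^_]+)__(Members|Memberof)\s*=\s*(.*)$') {
            $values = @($Matches[3] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            # Members= with targets replaces the group's membership. An empty Members= on a
            # built-in local group (S-1-5-32-*) empties it; on a domain group it has no local effect.
            $replaces = $Matches[2] -eq 'Members' -and ($values.Count -gt 0 -or $Matches[1] -like 'S-1-5-32-*')
            [pscustomobject]@{ Group = $Matches[1]; Mode = $Matches[2]; Targets = $values; Replaces = $replaces }
        }
    }
}

# Constructed sample: the first pair is what "Members of this group" on Administrators
# (S-1-5-32-544) produces; the second pair is "This group is a member of" on the domain group.
$sample = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1234
*S-1-5-21-1111111111-2222222222-3333333333-1234__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1234__Members =
'@ -split "`r?`n"

$entries = Get-RestrictedGroupMode -TemplateLines $sample
$entries | Format-Table Group, Mode, Replaces, @{ n = 'Targets'; e = { $_.Targets -join ',' } } -AutoSize
$entries | Where-Object Replaces | ForEach-Object {
    Write-Warning "'$($_.Group)' uses Members=: existing local members of that group will be removed."
}
```

To audit a real GPO, replace $sample with `Get-Content` of its GptTmpl.inf; the same function applies.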