Resource Win7Only referenced in attribute displayName could not be found

This error appears when you have updated the ADML and ADMX file to Windwos 10, version 1803. Let’s see how to fix it!

When trying to editing a policy, you receive this error: Resource ‘$(string id=Win7Only)’ referenced in attribute displayName could not be found.

This is a known issue for Microsoft, in fact there was an update in the Windows 10 version 1803’s SearchOCR.ADML file and this line was missed in the new ADML file:

<string id=”Win7Only”>Microsoft Windows 7 or later</string>

The way I used to fix this was to manually editing SearchOCR.ADML.

Editing SearchOCR.ADML

  • Make a copy of \Policies\PolicyDefinitions\en-us\searchocr.adml. Normally this path is under \\yourdomain\sysvol\yourdomain. This is needed in case the file you’ll edit gets corrupted.
  • With a text editor, open \Policies\PolicyDefinitions\en-us\searchocr.adml and search for <string id=”OCREveryPage”>Force TIFF IFilter to perform OCR for every page in a TIFF document</string>.
    • The line above this, should be: <string id=”OCR”>OCR</string>
  • Add the following string, right after <string id=”OCR”>OCR</string>:
    • <string id=”Win7Only”>Microsoft Windows 7 or later</string>
  • Save the file and try again (allow some time for replication if you have multiple Domain Controllers).

EDIT: There’s a KB from MS finally released for this HERE.

Read More

LAPS missing from GPO

Don’t worry if LAPS is missing from GPO: most likely it’s not being copied to your SYSVOL share and it can be fixed real quick. Obviously, you must have LAPS installed on the machine where you’re trying to create the group policy object on (I installed it on a Domain Controller to keep things simple):

  • Copy  C:\Windows\PolicyDefinitions\AdmPwd.admx to \\itdroplets\sysvol\\Policies\PolicyDefinitions
  • Copy C:\Windows\PolicyDefinitions\en-US\AdmPwd.adml to \\itdroplets\sysvol\\Policies\PolicyDefinitions\en-US


Read More

The user does not have RSoP data

This is an error you get back from running GPRESULT /R and it happens because the user you’re running this command with isn’t logged on the system.
For instance you want to check the policies applied to your computer but you’re not logged on with your administrator account. So you would run a command line prompt as a different user and then run gpresult /r or gpresult /r /scope computer getting stuck at The user does not have RSoP data.

gpresult-the-user-does-not-have-rsop-dataIn order to avoid this warning, you can run the following:

Where itdroplets\myuser is the user account that is logged on that workstation at the minute.

If you’re running this with PSEXEC (remotely) and you don’t know who’s logged on, run the following (with your admin account):

Where PC01 is the target computer. Note that this command might fail if ran it as above but it won’t if you run it with psexec like this:


Read More

Active Directory Auditing

Active Directory Auditing is very important for large organisations where there’s a high number of technical resources, from different teams, accessing and modifying Active Directory. Active Directory Auditing comes with a cost though: an enormous amount of logs created.

Having so many logs will mean that you won’t be able to troubleshoot much as what you’re looking for might be long gone. If you work in a smaller company, then manually sorting these logs shouldn’t be a big deal, but again, remember that a Domain Controller in general does generate a lot of events. I would suggest to integrate Active Directory Auditing with something like System Center Operations Manager (SCOM) to help you out catching what you’re interested on.

This article wants to show you how to enable Active Directory Auditing. Remember also that you will have to enable it for each single (writable) Domain Controller that you have. This is very important or else you will only be able to track changes happening on a single domain controller (unless that is what you intend to do). What could be used to achieve this quickly and with the least effort as possible? Group Policies obviously!

Domain Controllers are stored in the same OU by default, and they also have a Default Domain Controllers Policy.
If you’re reading this, it means that you probably already know what Policy you want to enable, so I will go straight to the point. Auditing data will be stored in the Security logs.

  1. Open Group Policy Management (from Administrative Tools).
  2. Keep expanding until you reach the Domain Controllers OU.
  3. Right click on Default Domain Controllers Policy and click Edit.
    • GPO-Edit
  4. Once the Editor has started, expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
    • GPO-AuditAccountManagement
  5. Now you can see the list of audits that you can turn on/off. You can either define to log just the success or just the Failures or both.
    • GPO-AuditAccountManagement-2

Read More

Disable This PC is eligible for a free upgrade to Windows 10

If you’re receiving a pop-up on your Windows 7, Windows 8 and Windows 8.1 client that tells you that This PC is eligible for a free upgrade to Windows 10, then you’re probably running an OEM version of Windows. If this is happening at work and you know you should have a version of Windows Volume License, then you might have found a client wrongly imaged as Windows 10 is free to be upgraded only on OEM version of the OS (at least until today 17th of March 2016). Check out this article about Check what type of Windows License is installed.

Either ways, let’s see how we can get rid of This PC is eligible for a free upgrade to Windows 10 prompt. I set up a GPO for it, but I used the registry to make the change and not any Policy Template.


These are the two Registry Keys you will need to add in order to stop this from prompting again:

Subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DWORD value: DisableOSUpgrade = 1

Subkey: HKLM\Software\Policies\Microsoft\Windows\Gwx
DWORD value: DisableGwx = 1 (more…)

Read More