peak debt
Mar 11, 2001
b& :(
Nap Ghost
This is the script I use
code:
// Searches the registry for all versions of installed Java runtimes and uninstalls them

// Terminates all running IE instances
killProcesses("iexplore.exe");

var shell = new ActiveXObject("WScript.Shell");
keyPath = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall";
HKLM = 0x80000002;

// Enumerate all the subkeys of the Uninstall registry
oLoc = new ActiveXObject("WbemScripting.SWbemLocator");
oSvc = oLoc.ConnectServer(null, "root\\default");
oReg = oSvc.Get("StdRegProv");
oMethod = oReg.Methods_.Item("EnumKey");
oInParam = oMethod.InParameters.SpawnInstance_();
oInParam.hDefKey = HKLM;
oInParam.sSubKeyName = keyPath;
colItems = oReg.ExecMethod_(oMethod.Name, oInParam);

var x = colItems.sNames.toArray()

for (i=0; i<x.length; i++)
{
	try
	{
		displayName = shell.RegRead("HKLM\\" + keyPath + "\\" + x[i] + "\\DisplayName");

		// Try to find all old Java runtimes no matter how it was called back then
		if (displayName.indexOf("Java(TM) 6 Update") == 0 || 
			displayName.indexOf("Java 2 Runtime Environment") == 0 || 
			displayName.indexOf("J2SE Runtime Environment") == 0 || 
			displayName.indexOf("Java(TM) SE Runtime Environment") == 0
			)
		{
			displayVersion = shell.RegRead("HKLM\\" + keyPath + "\\" + x[i] + "\\DisplayVersion");
			WScript.Echo(displayName);
			WScript.Echo(displayVersion);

			// If this installation is not Java 7, uninstall it
			if (displayName.indexOf("Java(TM) 7") != 0)
			{
				uninstall = shell.RegRead("HKLM\\" + keyPath + "\\" + x[i] + "\\UninstallString");
				uninstallString = uninstall + " /qb";
				WScript.Echo(uninstallString);

				// If the uninstallstring is using /i as an argument we need to replace it with /x
				// MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142100} /qb
				if (uninstallString.toLowerCase().indexOf('/i') != -1)
				{
					uninstallString = uninstallString.replace(/\/i/i, '/x');
					WScript.Echo('=> ' + uninstallString);
				}

				WScript.Echo(shell.Run(uninstallString, 1, true));
			}
		}
	}
	catch (e)
	{
	}
}

function killProcesses(processName)
{
	debug("Trying to kill all instances of " + processName);

	var wmiService = GetObject("winmgmts:\\\\.\\root\\cimv2");
	var colItems = wmiService.ExecQuery("Select * from Win32_Process Where Name = '" + processName + "'", "WQL", 0x30);

	var enumItems = new Enumerator(colItems);
	for (; !enumItems.atEnd(); enumItems.moveNext())
	{
		var objItem = enumItems.item();

		debug("Killing " + processName);
		objItem.terminate();
	}
}

function debug(errorMessage)
{
	if (WScript.FullName.indexOf("cscript") != -1)
		WScript.Echo(errorMessage);
}
It goes through the registry, finds out which Javas are currently installed, and removes all that aren't Java 7 (Java 7 installers properly remove old versions themselves)


Sudden Loud Noise
Feb 18, 2007

FISHMANPET posted:

I'm not sure if that means they kept the same product code or not.

They don't, for every update they get a new product code. It's incredibly maddening and is just more proof that the people handling Java are incompetent.

That may not be entirely fair, but it is easily one of the worst handled products in the mass market.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

peak debt posted:

This is the script I use
code:
// Searches the registry for all versions of installed Java runtimes and uninstalls them

// Terminates all running IE instances
killProcesses("iexplore.exe");

var shell = new ActiveXObject("WScript.Shell");
keyPath = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall";
HKLM = 0x80000002;

// Enumerate all the subkeys of the Uninstall registry
oLoc = new ActiveXObject("WbemScripting.SWbemLocator");
oSvc = oLoc.ConnectServer(null, "root\\default");
oReg = oSvc.Get("StdRegProv");
oMethod = oReg.Methods_.Item("EnumKey");
oInParam = oMethod.InParameters.SpawnInstance_();
oInParam.hDefKey = HKLM;
oInParam.sSubKeyName = keyPath;
colItems = oReg.ExecMethod_(oMethod.Name, oInParam);

var x = colItems.sNames.toArray()

for (i=0; i<x.length; i++)
{
	try
	{
		displayName = shell.RegRead("HKLM\\" + keyPath + "\\" + x[i] + "\\DisplayName");

		// Try to find all old Java runtimes no matter how it was called back then
		if (displayName.indexOf("Java(TM) 6 Update") == 0 || 
			displayName.indexOf("Java 2 Runtime Environment") == 0 || 
			displayName.indexOf("J2SE Runtime Environment") == 0 || 
			displayName.indexOf("Java(TM) SE Runtime Environment") == 0
			)
		{
			displayVersion = shell.RegRead("HKLM\\" + keyPath + "\\" + x[i] + "\\DisplayVersion");
			WScript.Echo(displayName);
			WScript.Echo(displayVersion);

			// If this installation is not Java 7, uninstall it
			if (displayName.indexOf("Java(TM) 7") != 0)
			{
				uninstall = shell.RegRead("HKLM\\" + keyPath + "\\" + x[i] + "\\UninstallString");
				uninstallString = uninstall + " /qb";
				WScript.Echo(uninstallString);

				// If the uninstallstring is using /i as an argument we need to replace it with /x
				// MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142100} /qb
				if (uninstallString.toLowerCase().indexOf('/i') != -1)
				{
					uninstallString = uninstallString.replace(/\/i/i, '/x');
					WScript.Echo('=> ' + uninstallString);
				}

				WScript.Echo(shell.Run(uninstallString, 1, true));
			}
		}
	}
	catch (e)
	{
	}
}

function killProcesses(processName)
{
	debug("Trying to kill all instances of " + processName);

	var wmiService = GetObject("winmgmts:\\\\.\\root\\cimv2");
	var colItems = wmiService.ExecQuery("Select * from Win32_Process Where Name = '" + processName + "'", "WQL", 0x30);

	var enumItems = new Enumerator(colItems);
	for (; !enumItems.atEnd(); enumItems.moveNext())
	{
		var objItem = enumItems.item();

		debug("Killing " + processName);
		objItem.terminate();
	}
}

function debug(errorMessage)
{
	if (WScript.FullName.indexOf("cscript") != -1)
		WScript.Echo(errorMessage);
}
It goes through the registry, finds out which Javas are currently installed, and removes all that aren't Java 7 (Java 7 installers properly remove old versions themselves)

Fannntastic. I'm going to test this out on a few users and see if OCS picks up the software change.

gbeck
Jul 15, 2005
I can RIS that
I am looking for something I can provide to the support staff to be a central place to view information, like which terminal server users are signed into, easy access to reset passwords, or whatever other things I dream up. Basically I can write a script/app and the support staff can run as needed.

I have been looking around but haven't come up with anything. What are other people using to provide easy to use tools for other support staff?

Sudden Loud Noise
Feb 18, 2007

gbeck posted:

I am looking for something I can provide to the support staff to be a central place to view information, like which terminal server users are signed into, easy access to reset passwords, or whatever other things I dream up. Basically I can write a script/app and the support staff can run as needed.

I have been looking around but haven't come up with anything. What are other people using to provide easy to use tools for other support staff?

Does RSAT not provide most of what you want?

Thanks Ants
May 21, 2004

#essereFerrari


I'm looking at ManageEngine at the moment to allow certain staff members to create / reset passwords / disable user accounts in a very specific OU (basically volunteers that they are responsible for). It seems to tick all the boxes for a reasonable price.

gbeck
Jul 15, 2005
I can RIS that

spidoman posted:

Does RSAT not provide most of what you want?

I work in healthcare and the main group of people I am targeting are the "Application Admins". They know everything about the clinical side but just enough on the IT side. I don't really expect (or want) them to be running around AD or give them admin rights to servers.

Sudden Loud Noise
Feb 18, 2007

peak debt posted:

This is the script I use
code:
Awesome Java uninstall script
It goes through the registry, finds out which Javas are currently installed, and removes all that aren't Java 7 (Java 7 installers properly remove old versions themselves)

Not sure if it applies in your environment, but don't forget about 64bit :suicide:
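
The 64-bit gap mentioned above, shown as an added PowerShell example that is not part of any post in this thread: on 64-bit Windows, 32-bit Java runtimes register under the Wow6432Node uninstall key, which a script reading only the native key never sees. The function names, the -Remove switch and the /norestart option are choices made for this example; it also extracts the MSI product code instead of executing the registry's UninstallString verbatim.

```powershell
# Added example, not the script from the thread. Run from an elevated 64-bit
# PowerShell: a 32-bit host is redirected to Wow6432Node for both paths below.
param([switch]$Remove)   # without -Remove the script only reports

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',             # native view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # 32-bit apps on x64
)
# Same DisplayName prefixes the posted script matches on.
$OldJavaPrefixes = @(
    'Java(TM) 6 Update', 'Java 2 Runtime Environment',
    'J2SE Runtime Environment', 'Java(TM) SE Runtime Environment'
)

function Get-MsiUninstallArgs {
    # Accepts only "MsiExec.exe /I{GUID}" or "/X{GUID}" and returns arguments for
    # our own msiexec call; anything else yields $null, so an unexpected or
    # tampered UninstallString is never executed as-is.
    param([string]$UninstallString)
    $guid    = '\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}'
    $pattern = '^\s*"?(?:[^"]*\\)?msiexec(?:\.exe)?"?\s+/[IX]\s*(' + $guid + ')\s*$'
    if ($UninstallString -match $pattern) {      # -match is case-insensitive
        return "/x $($Matches[1]) /qb /norestart"
    }
    return $null
}

function Get-OldJavaInstall {
    foreach ($key in $UninstallKeys) {
        if (-not (Test-Path $key)) { continue }  # no Wow6432Node on 32-bit Windows
        foreach ($sub in Get-ChildItem -Path $key) {
            $p    = Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue
            $name = [string]$p.DisplayName       # empty when the value is missing
            if (-not ($OldJavaPrefixes | Where-Object { $name.StartsWith($_) })) { continue }
            New-Object psobject -Property @{
                DisplayName    = $name
                DisplayVersion = $p.DisplayVersion
                RegistryView   = $(if ($key -like '*Wow6432Node*') { '32-bit' } else { 'native' })
                MsiArgs        = Get-MsiUninstallArgs ([string]$p.UninstallString)
            }
        }
    }
}

$seen = @{}
foreach ($j in Get-OldJavaInstall) {
    if (-not $j.MsiArgs) {
        Write-Warning "Unrecognised UninstallString for '$($j.DisplayName)', review manually"
        continue
    }
    if ($seen.ContainsKey($j.MsiArgs)) { continue }   # same product reached via both paths
    $seen[$j.MsiArgs] = $true
    if ($Remove) {
        $proc = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" `
                    -ArgumentList $j.MsiArgs -Wait -PassThru
        # 0 = success, 3010 = success but reboot required, 1603 = fatal install error
        '{0} {1} ({2}): msiexec exit code {3}' -f $j.DisplayName, $j.DisplayVersion,
            $j.RegistryView, $proc.ExitCode
    } else {
        '{0} {1} ({2}): would run msiexec.exe {3}' -f $j.DisplayName, $j.DisplayVersion,
            $j.RegistryView, $j.MsiArgs
    }
}
```

Run it without -Remove first and compare the report against the software inventory before letting it uninstall anything.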

Yaos
Feb 22, 2003

She is a cat of significant gravy.
Changing the name every other day suddenly makes sense, if you can not find it then you can not uninstall it and that means you like it!

So we are going to start moving people over to active directory soon and everybody will be limited users. Any gotchas we should know about? We will be on 2008 with XP and 7 machines. We already have policies, mapped drives, and printers set up. We have a sane structure for the domain instead of things thrown wherever we wanted in eDirectory.

We are going to turn off automatic updates for java, adobe reader and flash so people won't be bugged by it. I am hoping we can push out updates easily through SCCM once we get that up and running.

I was thinking that I should poke around more to see if we can convert local profiles to AD profiles, but then I realized it is time for as much of a fresh start as we can get so screw their probably malware filled profiles.

Also, Novell sucks.

Yaos fucked around with this message at 09:14 on Jan 21, 2013

Thanks Ants
May 21, 2004

#essereFerrari


Try and get rid of XP if you can. The stuff in Vista onwards from a Group Policy perspective is like night and day compared to XP. No more scripting for every tiny little thing.

Yaos
Feb 22, 2003

She is a cat of significant gravy.
We are slowly getting rid of XP, all new machines we put out will be Windows 7 Pro x64. We don't have the money to replace everything though so XP will be with us for awhile.

A co-worker showed me the magic of remote assistance. We've been using TightVNC, but it's kind of slow and has no features in it, probably should have used UltraVNC but I don't care now. We found a hack that lets us connect Windows 7 to XP without solicitation. It's included with Windows so we don't have to spend anything, which is nice. Only problem is the user needs to be logged in, although if we need in we can just RDP in. Once SCCM goes up we'll be using that though. I wish we had the money for 3rd party patch management so I can be lazy.

Cpt.Wacky
Apr 17, 2005
So I've got a problem with printers. Just about everyone has their own personal laser printer in their office. We've been setting them up on wireless so it's more convenient to install in these offices. Then we've got one group policy that pushes out all the printers on the print server to everyone. Now people are starting to complain that they don't like trying to find their own printer out of a list of 30 or more.

I don't see any easy way to assign specific printers to specific people or computers without making a poo poo ton of individual GPOs, and we don't have any sensible grouping like Dept X, Y, and Z or floors 1, 2, and 3. Am I missing something here? (Besides dragging all the printers out into the parking lot and having a big bonfire.)

stevewm
May 10, 2005

Cpt.Wacky posted:

So I've got a problem with printers. Just about everyone has their own personal laser printer in their office. We've been setting them up on wireless so it's more convenient to install in these offices. Then we've got one group policy that pushes out all the printers on the print server to everyone. Now people are starting to complain that they don't like trying to find their own printer out of a list of 30 or more.

I don't see any easy way to assign specific printers to specific people or computers without making a poo poo ton of individual GPOs, and we don't have any sensible grouping like Dept X, Y, and Z or floors 1, 2, and 3. Am I missing something here? (Besides dragging all the printers out into the parking lot and having a big bonfire.)


I ran into something similar 2 years ago... We have an app that runs in terminal services. Said app requires printer names to NEVER change once set. RDP printer re-direction was out since the local printer name changes with every login. So I had to come up with something different...

All the printers that are used for this software are installed locally on the terminal server. So for every user in this situation, I put the name of their default printer into an unused AD field on the user object (I used the "Office" field, as we don't use it for anything else) and then wrote a login script in VBS that reads that field, checks that the printer exists, and if it does, sets the user's default printer to it. In our environment, the printer assignments rarely ever change, so managing it is fairly painless.

stevewm fucked around with this message at 03:01 on Jan 29, 2013

Yaos
Feb 22, 2003

She is a cat of significant gravy.

Cpt.Wacky posted:

So I've got a problem with printers. Just about everyone has their own personal laser printer in their office. We've been setting them up on wireless so it's more convenient to install in these offices. Then we've got one group policy that pushes out all the printers on the print server to everyone. Now people are starting to complain that they don't like trying to find their own printer out of a list of 30 or more.

I don't see any easy way to assign specific printers to specific people or computers without making a poo poo ton of individual GPOs, and we don't have any sensible grouping like Dept X, Y, and Z or floors 1, 2, and 3. Am I missing something here? (Besides dragging all the printers out into the parking lot and having a big bonfire.)
If you deny all rights to a printer in 2008 it will not push the printer out to the user as they won't have rights to install the printer. You can either deny all to the everybody group and add permissions per user or per group, or allow all and then deny users and groups.

I don't know if this is easier than setting up GPOs per user/group though.

Guesticles
Dec 21, 2009


Cpt.Wacky posted:

So I've got a problem with printers. Just about everyone has their own personal laser printer in their office. We've been setting them up on wireless so it's more convenient to install in these offices. Then we've got one group policy that pushes out all the printers on the print server to everyone. Now people are starting to complain that they don't like trying to find their own printer out of a list of 30 or more.

I don't see any easy way to assign specific printers to specific people or computers without making a poo poo ton of individual GPOs, and we don't have any sensible grouping like Dept X, Y, and Z or floors 1, 2, and 3. Am I missing something here? (Besides dragging all the printers out into the parking lot and having a big bonfire.)

You can make one GPO to assign the printers, and then use item level targeting, on the Common tab, to restrict the distribution. (User Config -> Preferences -> Control Panel Settings -> Printers)

EAT THE EGGS RICOLA
May 29, 2008

It drives me insane that the solution to this isn't "show everyone how to add the printer they want then wash your hands of it forever".

Master Stur
Jun 13, 2008

chasin' tail

EAT THE EGGS RICOLA posted:

It drives me insane that the solution to this isn't "show everyone how to add the printer they want then wash your hands of it forever".

That's similar to how we do it since our departments/users are so scattered that it doesn't make much sense to force printers through GPO or scripts. So they're installed to a print server and we just taught the "leads" in the bigger depts how to do it so they can handle it if a user mucks it up somehow, otherwise we just manually put them on new PCs as they're ordered or handle it case by case.

I can't imagine that being an effective solution for a larger more organized place though. Maybe send out an instructional e-mail :haw:

peak debt
Mar 11, 2001
b& :(
Nap Ghost
Back in 2007 or so when working for an office where there were like 40 printers for 150 people I made an HTA script that listed all available printers with their fancy names (taken from an AD property) and added them through WSH when clicked on.

Where I currently work at the official way is to send people asking for help adding printers a one-page PDF telling them how to go to Start->Printers->Add Printer

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

gbeck posted:

I work in healthcare and the main group of people I am targeting are the "Application Admins". They know everything about the clinical side but just enough on the IT side. I don't really expect (or want) them to be running around AD or give them admin rights to servers.

It's role separation and it's a core concept of AD. You can install RSAT and not give them the keys to the kingdom. Just enable Active Directory Users and Computers, and pare down what the person needs to see or have rights to.

You've already given them password reset rights, now craft an MMC that sits on their desks and allow specific OU view of their purview.

zapateria
Feb 16, 2003

[oMa]Whackster posted:

Just a heads up - although Microsoft haven't announced it yet, SCCM 2012 SP1 RTM is finally available for download on VLSC, and I expect TechNet too. You'll need to install the Windows 8 ADK on your server before upgrading.

Welp, looks like we're gonna have to install SP1 right away, since all our clients are getting corrupted by a Windows patch...


http://support.microsoft.com/kb/2796086

Sacred Cow
Aug 13, 2007

zapateria posted:

Welp, looks like we're gonna have to install SP1 right away, since all our clients are getting corrupted by a Windows patch...


http://support.microsoft.com/kb/2796086

Same thing happened to me a few weeks ago. I did the registry hack they suggested in the KB and everything started working again after reinstalling the Management Point.

peak debt
Mar 11, 2001
b& :(
Nap Ghost

Sacred Cow posted:

Same thing happened to me a few weeks ago. I did the registry hack they suggested in the KB and everything started working again after reinstalling the Management Point.

But it will also disable automatic client reinstallation, so you'll have to do the manual resets again like in 2007 :(

Sacred Cow
Aug 13, 2007

peak debt posted:

But it will also disable automatic client reinstallation, so you'll have to do the manual resets again like in 2007 :(

Crap didn't read that part...I guess I'll be installing SP1 ahead of schedule. Thanks for the heads up.

Sudden Loud Noise
Feb 18, 2007

Little tip for everyone using SCCM 2012 to deploy applications. Never make a mandatory user based install. You'll never get decent compliance numbers.

Ugh, so many little hidden quirks in app models.

Ifan
Feb 21, 2006
The Nice Operator from Heaven

spidoman posted:

We have a 2% threshold for errors in application deployments. We do phased deployments to avoid unforeseen errors.

Phased deployments are awesome, but a lot more work if you don't automate it. My environment is very homogenous, so I can usually do a test-run on one department and then an enterprise wide deployment (if needed).

When it comes to your statistics issue - keep it simple, stupid. In my deployment monitor script I won't send out any alerts before the software has been attempted installed on at least 50 clients.
Depending on your environment, it won't take many minutes until you hit that anyway. Before hitting that threshold you always want to keep an eye on it before moving to doing something else. Don't waste hours coding stuff like if you have better things to do (hey, a new Java version just shipped!)

Sudden Loud Noise
Feb 18, 2007

Ifan posted:

Phased deployments are awesome, but a lot more work if you don't automate it. My environment is very homogenous, so I can usually do a test-run on one department and then an enterprise wide deployment (if needed).

When it comes to your statistics issue - keep it simple, stupid. In my deployment monitor script I won't send out any alerts before the software has been attempted installed on at least 50 clients.
Depending on your environment, it won't take many minutes until you hit that anyway. Before hitting that threshold you always want to keep an eye on it before moving to doing something else. Don't waste hours coding stuff like if you have better things to do (hey, a new Java version just shipped!)

We have pre-built phase collections to speed up the process. But it also helps that we aren't the ones who keep track of deployment schedules.

For now I've given up on trying to make the phases more statistically appropriate, our 50k phase probably isn't statistically necessary, but it makes everyone feel safer.

And yeah, Java has taken up most of my time the past couple weeks.

Don't let users open up browser windows during the upgrade process of Java. It messes everything up really bad.

Sudden Loud Noise fucked around with this message at 04:45 on Feb 7, 2013

Ifan
Feb 21, 2006
The Nice Operator from Heaven

spidoman posted:


Don't let users open up browser windows during the upgrade process of Java. It messes everything up really bad.

Yes, yes it does.
Do you count everything as a failure like download failed, user canceled for non mandatory things or just error 1603s etc?

To avoid problems with browsers and Java I made a wrapper script that handles it.
It asks the user to turn off $process because $application needs to be updated. They have 90 minutes to comply, or the browser gets killed. They can postpone the update once (and it will try again in 2 days).
This works pretty well, and the users are pretty happy about it. Not having too many problems with people turning on the browser before it's finished installing.
I'm considering using a local applocker policy to avoid this in the next version of the script.
I have tried the concept before in a deployment of Adobe CS6. Only problem is that the users turn off the computer / run out of battery before the installation finishes. The applocker policy is then stuck (because the script can't run its unlock routine) and all browsers and office applications are unlaunchable until someone from IT fixes it.
Need some handling for this, I guess the task scheduler might be the way to go, or maybe register a WMI event subscriber.

I love this one:
http://java.com/en/download/help/error_25099.xml

Nothing can be done to avoid this until Oracle gets their thumbs out of their asses.

Ifan fucked around with this message at 09:48 on Feb 7, 2013

alanthecat
Dec 19, 2005

Ifan posted:

(hey, a new Java version just shipped!)

What do you guys use to notify you of updates to your software? I've been using Software Informer installed on my test VM but it hasn't been picking up the Java updates recently.

Ifan
Feb 21, 2006
The Nice Operator from Heaven
We subscribe to a service which delivers the most usual applications (Flash, Java, iTunes etc.) deployment friendly within 3 days of release. It costs a bit, but a huge time saver not having to disable auto updates etc. every time a new version rolls around.

I just get an email when a new version is available on the share, and then add it to SCCM, do some light testing then deployment.

You could probably make a script that checks different websites for you every morning.

devmd01
Mar 7, 2006

Elektronik
Supersonik

Ifan posted:

We subscribe to a service which delivers the most usual applications (Flash, Java, iTunes etc.) deployment friendly within 3 days of release. It costs a bit, but a huge time saver not having to disable auto updates etc. every time a new version rolls around.

Mind pointing me to the website?

EAT THE EGGS RICOLA
May 29, 2008

Ninite pro and PDQ Deploy both do that pretty well too.

Ifan
Feb 21, 2006
The Nice Operator from Heaven

devmd01 posted:

Mind pointing me to the website?

http://services.atea.com/services_uk/services/appupdate.aspx

Has anyone successfully managed to get the Microsoft table (Surface/Pixelsense) working with Windows 8?
It works fine in Windows, and after some tweaking I managed to get the surface mode up and running.
It registers fingers, and clicks on the main screen in surface mode, but I can't click anything to invoke it.

Ifan fucked around with this message at 19:30 on Feb 7, 2013

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


It was nice of Microsoft to completely wreck the build and capture mechanism in SCCM 2012. You're now not able to let a DP fall back to HTTP if the client is roaming or in a workgroup (which is where you should do BnCs from). No, now you have to either have your DP in HTTP mode or have a separate HTTP DP.

I tried this:

http://www.jamesbannanit.com/2012/05/how-to-build-and-capture-in-configuration-manager-2012-using-https/

Which isn't working due to the problems people mention in the comments. I've fallen back to manually building my reference image now and then capturing it when I'm done. This has just been a huge waste of my time overall.

Kahanamoku
Jan 6, 2013
Does anybody else use SCCM Endpoint Protection for Macs? I'm looking at SCCM 2012 where I work and we're trying to replace McAfee VSE with the Endpoint Protection module for SCCM, but it looks like Macs require PKI communication. I believe that means we'd probably have to deploy AD Certificate Services, which means an even bigger headache. Does anyone have any experience here that can give some advice?

Yaos
Feb 22, 2003

She is a cat of significant gravy.
Everybody that loves authentication I have great news, we just tried out authentication software called Digital Persona that supports regular Windows login, face, smartcard, bluetooth, RFID, fingerprint, and I believe something else I can't remember. It can run in stand alone mode or with Active Directory. We'll be using it for fingerprint authentication in vehicles to login to laptops and other software. It also supports seamless authentication to 3rd party programs, kind of like LastPass. Credentials can be saved to the server or local only, so if the client computer dies the user won't lose any of their settings.

The server side adds some extensions to AD and Group Policy. On the client side if the client detects the user has no registered authentication methods it provides a simple step-by-step guide on adding their allowed authentication methods that the user will ignore.

goobernoodles
May 28, 2011

Wayne Leonard Kirby.

Orioles Magician.
Anyone have a way to determine what services and/or whatever else might be reliant on a certain (domain admin) account's credentials? I need to either disable a domain admin account or change the password on it.

quote:

Stumbled on your question: where is the Active Directory Domain Administrator account used?
Make sure you have auditing on for success logon.
Leverage LogParser from Microsoft.
create a file named whatever.sql containing the query below:
SELECT
timegenerated, ComputerName,
EXTRACT_TOKEN(Strings,1,'|') AS Domain,
EXTRACT_TOKEN(Strings,0,'|') AS User,
EXTRACT_TOKEN(Strings,3,'|') AS LogonType,
EXTRACT_TOKEN(Strings,13,'|') AS SourceNetworkAddress,
EXTRACT_TOKEN(Strings,14,'|') AS SourcePort,
EventID
FROM 'C:\temp\security-event-log.evt'
WHERE EventID=540 AND SID LIKE 'S-1-5-21-1506026005-1441884114-7473742-500'
Run the following:
C:\Program Files\Log Parser 2.2>LogParser.exe file:whatever.sql -o:datagrid
That will list all the events where the "Administrator" account was used for authentication.

Found this via googling, but maybe there's a better way?

peak debt
Mar 11, 2001
b& :(
Nap Ghost
That's the official way. You switch on account logon success events on your domain controllers (all of them, remember), let the whole thing run for a couple days then filter the security logs of all DCs by the account name you are looking for.

Or just disable the account and wait until somebody complains, that works too...

goobernoodles
May 28, 2011

Wayne Leonard Kirby.

Orioles Magician.

peak debt posted:

That's the official way. You switch on account logon success events on your domain controllers (all of them, remember), let the whole thing run for a couple days then filter the security logs of all DCs by the account name you are looking for.

Or just disable the account and wait until somebody complains, that works too...
Haha yeah, it's a small/midsized company, so making a change knowing it might break something is kind of par for the course. I might just glance through the services on each of our servers and replace anything I see in there, then disable the account and create a replacement domain admin.

If I was to actually do it the "official way", what form of auditing should I enable?

peak debt
Mar 11, 2001
b& :(
Nap Ghost
"Audit account logon events" is what you want, that's for when some other PC uses this DC to verify a password.
"Audit logon events" is when somebody actually logs in to this DC.

And to be honest, that first setting should be on at least for failures just for security best practices...
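
One way to run the account-logon check described above, as an added PowerShell example that is not from any poster: it pulls Kerberos and NTLM account logon events for one account from each DC and counts them per source host. It assumes Server 2008 or later event IDs (4768, 4769, 4776; Server 2003 logs the same activity as 672, 673, 680); the DC names, parameter names and the sample events used when no DC is given are constructed.

```powershell
# Added example, not from the thread. Assumes success auditing for "Audit account
# logon events" is enabled and the caller can read the DCs' Security logs.
param(
    [string[]]$DomainController = @(),   # e.g. 'DC01','DC02' (placeholder names); list ALL DCs
    [string]$Account = 'Administrator',
    [int]$Days = 3
)

# 4768 = Kerberos TGT request, 4769 = Kerberos service ticket, 4776 = NTLM validation
$AccountLogonIds = 4768, 4769, 4776

function ConvertTo-LogonRecord {
    # Turns one event's XML into a record with the user and where the request came from.
    param([Parameter(Mandatory = $true)][string]$EventXml)
    $root = ([xml]$EventXml).DocumentElement
    $id   = [int]$root.SelectSingleNode("*[local-name()='System']/*[local-name()='EventID']").InnerText
    $data = @{}
    foreach ($n in $root.SelectNodes("*[local-name()='EventData']/*[local-name()='Data']")) {
        $data[$n.GetAttribute('Name')] = $n.InnerText
    }
    # 4776 records the client's workstation name; the Kerberos events record its IP.
    $source = if ($id -eq 4776) { $data['Workstation'] }
              else { $data['IpAddress'] -replace '^::ffff:', '' }
    New-Object psobject -Property @{
        EventId = $id
        User    = ($data['TargetUserName'] -replace '@.*$', '')   # 4769 logs user@REALM
        Service = [string]$data['ServiceName']                    # empty for 4776
        Source  = [string]$source
    }
}

function Get-AccountLogonSummary {
    # Counts events for $Account per (source host, event ID, requested service).
    param([string[]]$EventXml, [string]$Account)
    $EventXml | ForEach-Object { ConvertTo-LogonRecord $_ } |
        Where-Object { $_.User -eq $Account } |
        Group-Object Source, EventId, Service |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function New-SampleEventXml {
    # Builds a minimal event document; constructed test data, not real log content.
    param([int]$Id, [hashtable]$Data)
    $fields = foreach ($k in $Data.Keys) { '<Data Name="{0}">{1}</Data>' -f $k, $Data[$k] }
    $ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
    '<Event xmlns="{0}"><System><EventID>{1}</EventID></System><EventData>{2}</EventData></Event>' -f
        $ns, $Id, (-join $fields)
}

if ($DomainController.Count -gt 0) {
    $since = (Get-Date).AddDays(-$Days)
    $xml = foreach ($dc in $DomainController) {
        try {
            Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
                LogName = 'Security'; Id = $AccountLogonIds; StartTime = $since
            } | ForEach-Object { $_.ToXml() }
        } catch {
            # An unreachable DC is a blind spot, so report it instead of hiding it.
            Write-Warning "[$dc] $($_.Exception.Message)"
        }
    }
} else {
    # No DC given: run against constructed sample events (hosts and names are made up).
    $xml = @(
        (New-SampleEventXml 4768 @{ TargetUserName = 'Administrator'; ServiceName = 'krbtgt'; IpAddress = '::ffff:10.0.0.25' }),
        (New-SampleEventXml 4769 @{ TargetUserName = 'Administrator@EXAMPLE.LOCAL'; ServiceName = 'SQL01$'; IpAddress = '::ffff:10.0.0.25' }),
        (New-SampleEventXml 4776 @{ TargetUserName = 'Administrator'; Workstation = 'BACKUP01' }),
        (New-SampleEventXml 4768 @{ TargetUserName = 'jsmith'; ServiceName = 'krbtgt'; IpAddress = '::ffff:10.0.0.77' })
    )
}

if (-not $xml) { Write-Warning 'No account logon events collected.'; return }
Get-AccountLogonSummary -EventXml $xml -Account $Account
```

Each row names a host that presented the account's credentials to a DC, which is the list of machines to check for services, scheduled tasks or mapped drives before the password is changed or the account disabled.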


Italy's Chicken
Feb 25, 2001

cs is for cheaters
Enterprise Print Management question: How do you deal with multiple sites (10+) and users who randomly work at each site? GPO works fine to add printers to profiles we specify with Windows groups, but then the end-user ends up with 10 different sites' printers in their single profile. I'd really like the users to only see printers that are physically at the site they are signed into at that moment in time. Is there any way to add printers based on what IP the user's machine is getting or another way???
