univbee
Jun 3, 2004




poo poo, Camwood took down the link to the AppEditor download, and I can't find it anywhere else. Does anyone have another working link, or know of a similar tool to get the job done? I've got a pretty enormous undertaking (doing some massive update deployments to about 20 companies with random assortments of Windows/Office/etc versions) and every tool I can get to ease things helps.


Erwin
Feb 17, 2006

Is there a way to create or change the password for a local account on a machine through GP? The other day one of our desktop's clock was off enough to prevent logging in under a domain account and nobody knew the local administrator password (machine was set up before I got here). I'd like to standardize the local administrator account on all of my machines.

Richard Noggin
Jun 6, 2005
Redneck By Default

Erwin posted:

Is there a way to create or change the password for a local account on a machine through GP? The other day one of our desktop's clock was off enough to prevent logging in under a domain account and nobody knew the local administrator password (machine was set up before I got here). I'd like to standardize the local administrator account on all of my machines.

Any reason you couldn't just have a logon script that does 'net user administrator password'?

Phuzion
Jun 30, 2006

LAN Parties 4 Lyfe!

Richard Noggin posted:

Any reason you couldn't just have a logon script that does 'net user administrator password'?

It's insecure as hell.

Open Run

\\domaincontroller\sysvol\Domain\SCRIPTSDIR

Open the login script.

Hey, there's the local admin account password in plaintext.

It totally defeats the purpose of a password.

The way I would suggest standardizing the local administrator account password would be to use psexec and use a batch file that does the same thing.

psexec @complist.txt -u domainadmin -p password net user administrator password

That should run 'net user administrator password' over every computer listed in complist.txt in the current working directory.
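The point above is that a logon script in SYSVOL is readable by every domain user, so any credential it carries is effectively public. An audit that a domain admin can run over the scripts directory is a useful check before (and after) cleaning them up. The following is an added example, not code from anyone in the thread; it scans constructed sample script text, matches the command shapes that put a password on the command line, and reports the location with the secret redacted. Paths, account names and passwords in it are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample logon scripts (not real SYSVOL content). The first one
# embeds a local admin password the way the thread describes; the second
# only maps a drive and must not be flagged.
SAMPLE_SCRIPTS: Dict[str, str] = {
    r"\\dc01\sysvol\example.local\scripts\logon.bat": (
        "@echo off\n"
        "net use H: \\\\fileserver\\home\n"
        "net user administrator Summer2009!\n"
        "REM net user administrator OldPassword  (commented out, not executed)\n"
        "net user administrator /domain\n"
    ),
    r"\\dc01\sysvol\example.local\scripts\mapdrives.bat": (
        "@echo off\n"
        "net use S: \\\\fileserver\\share /persistent:no\n"
    ),
}

# Command shapes that carry a credential inline. The 'secret' group must not
# start with '/' or '*' so that 'net user x /domain' and 'net user x *'
# (prompt for password) are not reported.
CREDENTIAL_PATTERNS = [
    # net user <account> <password> [...]
    re.compile(r"^\s*net\s+user\s+(?P<account>\S+)\s+(?P<secret>[^/\s*]\S*)", re.I),
    # net use <drive> <share> /user:<account> <password>
    re.compile(r"^\s*net\s+use\b.*?/user:(?P<account>\S+)\s+(?P<secret>[^/\s*]\S*)", re.I),
    # psexec ... -u <account> -p <password>
    re.compile(r"\bpsexec\b.*?-u\s+(?P<account>\S+)\s+-p\s+(?P<secret>\S+)", re.I),
]

COMMENT_LINE = re.compile(r"^\s*(rem\b|::)", re.I)


def audit_script(path: str, content: str) -> List[Tuple[str, int, str, str]]:
    """Return (path, line_no, account, redacted_line) for every executed line
    that places a password on the command line."""
    hits = []
    for line_no, line in enumerate(content.splitlines(), start=1):
        if COMMENT_LINE.match(line):
            continue  # batch comments are never executed
        for pattern in CREDENTIAL_PATTERNS:
            m = pattern.search(line)
            if m:
                # Never echo the secret itself into the report.
                redacted = line.replace(m.group("secret"), "<redacted>").strip()
                hits.append((path, line_no, m.group("account"), redacted))
                break
    return hits


def audit_all(scripts: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Audit a mapping of script path -> script text (e.g. read from SYSVOL)."""
    findings = []
    for path, content in scripts.items():
        findings.extend(audit_script(path, content))
    return findings


if __name__ == "__main__":
    for path, line_no, account, redacted in audit_all(SAMPLE_SCRIPTS):
        print(f"{path}:{line_no}: credential for '{account}': {redacted}")
```

Reading the real scripts is a matter of walking the scripts share and feeding each file's text to `audit_all`; the redaction matters because the report itself will usually end up in a ticket or e-mail.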

Wicaeed
Feb 8, 2005
Are there any guidelines on creating GPO's from scratch that recommend best policy for security? I'm looking at setting up a domain w/GPO's for around 30-40 users and would like to know how complex the most simple deployment would be for such a scenario.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Wicaeed posted:

Are there any guidelines on creating GPO's from scratch that recommend best policy for security? I'm looking at setting up a domain w/GPO's for around 30-40 users and would like to know how complex the most simple deployment would be for such a scenario.

Depends on what you want the GPO's to do. I like keeping things separate, so I can easily back out of one specific GPO if I have to. Also don't be afraid to name them well. I name all mine GPO_<LOCATION>_FUNCTION

edit: Just realised you might be looking for recommendations to increase security on workstations via GPO. Grab the list and figure out what you want to do. You can also use the security templates from MS, but usually those are overkill.

skipdogg fucked around with this message at 23:55 on Oct 15, 2009

Richard Noggin
Jun 6, 2005
Redneck By Default

Phuzion posted:

It's insecure as hell.

Open Run

\\domaincontroller\sysvol\Domain\SCRIPTSDIR

Open the login script.

Hey, there's the local admin account password in plaintext.

It totally defeats the purpose of a password.

The way I would suggest standardizing the local administrator account password would be to use psexec and use a batch file that does the same thing.

psexec @complist.txt -u domainadmin -p password net user administrator password

That should run 'net user administrator password' over every computer listed in complist.txt in the current working directory.

Considering the local admin password can be changed with a boot disk...but yeah, psexec is a better idea.

Jreedy88
Jun 26, 2005
thirty4
Not a Domain Admin. Just wanted to say that the OP was the best OP I've seen in all my time here on SA.

Sharrow
Aug 20, 2007

So... mediocre.

Erwin posted:

Is there a way to create or change the password for a local account on a machine through GP?

Pretty sure GPP CSE covers this, under something like Computer/Preferences/Control Panel/Local Users & Groups.

Edit: Screenshot in the first post says that's exactly where it is.

bomb
Nov 3, 2005


Jreedy88 posted:

Not a Domain Admin. Just wanted to say that the OP was the best OP I've seen in all my time here on SA.

Hopping on this too, should be really helpful in the future. Thanks OP!

univbee
Jun 3, 2004




I am very, very close to getting Software Deployment working correctly, but I've hit a snag I can't find a solution for.

I made a test policy to test software deployment to an intentionally outdated virtual machine, running Windows XP with Service Pack 2. The server in question is Windows Server 2003, and it was already set up for Active Directory and Group Policy Management. The test policy is meant to push out Adobe Reader 9.1 (yes, I know .2 is out, this is just a test) to the specific machine, I've used the Adobe Deployment Wizard and gotten an MSI going in a global shared folder, and everything seems to be set up correctly. However, when booting the VM, the message "Installing Adobe Reader 9.1" only shows up for about a second and then disappears, bringing me straight to the login screen, no Adobe Reader installed. If there was a log somewhere I could access it would help. I also tried it with an MSI for VIPRE Enterprise with our domain's AV policy, but that also only showed up for a split second, so I suspect it's something not configured correctly.

VV Nope, I've linked it to its absolute network path and confirmed that it works as intended from the target machine when done manually. BTW, thanks a ton for the AppDeploy link you sent me earlier.

Looking in Event Viewer confirms it couldn't access the share for some reason, I'll play around with permissions and security settings.

EDIT: GOT IT! I had to give share permissions for the folder to the MACHINE, as it stood all the permissions were to user groups.

Thank you all, I am now ready to royally unfuck a lot of computers.

univbee fucked around with this message at 19:14 on Oct 30, 2009

EoRaptor
Sep 13, 2003

by Fluffdaddy
My first guesses are that you have a reference to a mapped drive (X:) in the group policy, instead of a UNC path. The second is that the event viewer really should have something in it in reference to the policy actions.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

univbee posted:

poo poo, Camwood took down the link to the AppEditor download, and I can't find it anywhere else. Does anyone have another working link, or know of a similar tool to get the job done? I've got a pretty enormous undertaking (doing some massive update deployments to about 20 companies with random assortments of Windows/Office/etc versions) and every tool I can get to ease things helps.

AppDeploy's InstEdit! http://www.instedit.com/ basically replaces the AppEditor functionality 1 for 1.

Richard Noggin
Jun 6, 2005
Redneck By Default
And you thought this thread had died!

Does anyone know if it's possible to use the Drive Mappings portion of GP in Server 2008 to map a drive to a WebDAV location (specifically, a Sharepoint library)? The client is XP SP3. I've tried entering the URL, but the clients don't seem to pick it up. Standard drive mappings work fine in the GPO, and I can manually map the drive using 'net use z: http://sharepoint/library'.

Well, apparently the third time's the charm. It's working fine.

Richard Noggin fucked around with this message at 22:41 on Jan 21, 2010

The Diddler
Jun 22, 2006


Bumpin this awesome thread with a problem I've been working on off and on for a few months: how do you schedule a nightly reboot?

My network: ~250 workstations, running XP, Vista or Windows 7. We have disabled administrative shares. My users are mostly local admins, but I'm in the process of converting them to local power users. Our domain controller is Server 2003, but I'm doing the GPO stuff from a Windows 7 machine.

I've tried to use PSShutdown, but power users cannot run it. I also tried to schedule it using the at command, but that schedules the job to run as system, which also does not work for power users. I looked into using a combination of 'runas' and 'sched', but it looks to me like the runas requires the password as text. I don't really want to do that, because our default local admin account has the same name and password as our main domain admin account. :downs:

Also, is there a list of the GP options that come with Windows 7? I have one for Windows XP/2003, but haven't been able to find a new one.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Bob Cthulhu posted:

Bumpin this awesome thread with a problem I've been working on off and on for a few months: how do you schedule a nightly reboot?

My network: ~250 workstations, running XP, Vista or Windows 7. We have disabled administrative shares. My users are mostly local admins, but I'm in the process of converting them to local power users. Our domain controller is Server 2003, but I'm doing the GPO stuff from a Windows 7 machine.

I've tried to use PSShutdown, but power users cannot run it. I also tried to schedule it using the at command, but that schedules the job to run as system, which also does not work for power users. I looked into using a combination of 'runas' and 'sched', but it looks to me like the runas requires the password as text. I don't really want to do that, because our default local admin account has the same name and password as our main domain admin account. :downs:

Also, is there a list of the GP options that come with Windows 7? I have one for Windows XP/2003, but haven't been able to find a new one.

I'm not sure about the latter thing, but a scheduled task through policy should take care of it:



Leave the runas stuff blank and it will default the job to system credentials which is fine. Then just schedule it to run a 'shutdown -r -t 60 -c "Whatever"' at your desired time.

jmu
Feb 12, 2004

weoo.org
So the new way of deploying printers using Group Policy preferences is pretty neato. I tried setting it up for a client and one issue I ran into is that after deploying the policy my test system tried to install several printers but failed because I had the wrong drivers set up on the server. So I corrected the drivers and rebooted my test system several times, ran GPUpdate etc etc but it doesn't seem like it's trying to run the policy again. I guess I could just delete and recreate the policy but it seems sort of weird (I'm looking at the eventlog on the test system and it doesn't seem like it's trying to process that policy at all).

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

jmu posted:

So the new way of deploying printers using Group Policy preferences is pretty neato. I tried setting it up for a client and one issue I ran into is that after deploying the policy my test system tried to install several printers but failed because I had the wrong drivers set up on the server. So I corrected the drivers and rebooted my test system several times, ran GPUpdate etc etc but it doesn't seem like it's trying to run the policy again. I guess I could just delete and recreate the policy but it seems sort of weird (I'm looking at the eventlog on the test system and it doesn't seem like it's trying to process that policy at all).

Try GPUpdate /force if you haven't already. If they are user-assigned printers, those go in during logon so do that as well.

The Diddler
Jun 22, 2006


I got the reboot to work, thanks! Follow up question: is there any way to make this affect laptops that aren't on the network when the reboot is scheduled to run? It didn't appear that it would work, but I only messed with that for a few minutes.

Also, after you deploy Adobe products thru Group Policy, how do you find out about updates? I see some of them on the SANS RSS, but those seem to be the more critical fixes.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Bob Cthulhu posted:

I got the reboot to work, thanks! Follow up question: is there any way to make this affect laptops that aren't on the network when the reboot is scheduled to run? It didn't appear that it would work, but I only messed with that for a few minutes.

Also, after you deploy Adobe products thru Group Policy, how do you find out about updates? I see some of them on the SANS RSS, but those seem to be the more critical fixes.

Once policy applies a scheduled task, they stay there until a policy refresh completes that removes them. So even if your laptops are only occasionally communicating with the domain, they'll still have the scheduled task sitting there ready to go.

As for adobe, I do the exact same thing with the SANS ISC feed and just re-deploy when an update comes out. It sucks, but Shavlik is worse in my opinion and I don't want to get back in to that. Mostly I am banking on Microsoft pulling their head out of their rear end and opening up their automatic update framework to support 3rd party vendors in the next few years so this gets simplified. If you want to minimize the risk from Adobe products, check out my other thread on DEP. That shoots down most of those exploits easily.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

BangersInMyKnickers posted:

The Forced attribute will not override the Block Inheritance attribute of an OU or Domain.

So, I've been studying for my MCSE and I admittedly do not have much experience with GPOs.

One of the books I'm reading explained that a GPO with the Enforced attribute will apply down through the OU even if the OU explicitly has the Block Inheritance attribute.

The book is: 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

I'm confused, which is correct?

Also, on an unrelated note. We may be rolling out Windows 7 machines shortly but we still have an Active Directory 2003 Domain. Are there features that come with Server 2008 that will allow more control over Windows 7? Is Windows 7 able to be controlled with a 2003 Domain?

SaintofKillers
Jul 22, 2003
The most merciful thing in the world . . . is the inability of the human mind to correlate all its contents. - H.P. Lovecraft
Yes, that should be the case. In the Microsoft exams you always answer it the Microsoft way. Doesn't matter what your experience is. If it says Enforced overrides Block Inheritance then it does.

Windows 7 works fine in a 2003 domain. Client Side Extensions can be set up in a 2003 domain to add most of the new group policy support as stated in this thread I believe.

The Diddler
Jun 22, 2006


IT Guy posted:

Also, on an unrelated note. We may be rolling out Windows 7 machines shortly but we still have an Active Directory 2003 Domain. Are there features that come with Server 2008 that will allow more control over Windows 7? Is Windows 7 able to be controlled with a 2003 Domain?

It works pretty well. I administer our 2003 domain from a Windows 7 machine.

I have a couple of questions, though. Someone in my company recently got busted playing minesweeper. Because of that, all games now need to be removed, and implementation has fallen on me. Is there any easier way to do this than by blocking access to the executables, and then creating hash rules for each game? I would think that this would be easier to do these days, but it doesn't look like it. And if I have to block executables, where can I find a list of the executable names for Vista and Windows 7? The XP names are all over the internet, but none of the other ones are.

I seem to remember someone mentioning a free VM solution with free guest OS's that works really well for testing group policies. I can't remember what thread this was in, though, and I didn't save the information. Does anyone know what I'm talking about?

The Diddler
Jun 22, 2006


Bob Cthulhu posted:

I have a couple of questions, though. Someone in my company recently got busted playing minesweeper. Because of that, all games now need to be removed, and implementation has fallen on me. Is there any easier way to do this than by blocking access to the executables, and then creating hash rules for each game? I would think that this would be easier to do these days, but it doesn't look like it. And if I have to block executables, where can I find a list of the executable names for Vista and Windows 7? The XP names are all over the internet, but none of the other ones are.

I figured it out: collect the games from each version of Windows and make a hash rule. I guess I was over-thinking it.

Gozinbulx
Feb 19, 2004
I just need to throw this out there since it's a networking question:

At the network I manage, I put a computer on the domain which we use. As in, instead of having that XP screen where you click a series of pictures representing a fixed set of users, it converted into a login prompt for a login and password.

All good.

For whatever reason (kinda stupid) I wanted to switch it back. In retrospect I think I should have just gone to My Computer/Properties/Change ID or whatever it is and just deleted the domain name. Instead I switched it to WORKGROUP and put in some improvised name and when asked for a login, put in one from the network and for some reason it worked.

Now I'm stuck with a login prompt that isn't for the domain and I don't seem to have any of the logins for it. Every one I tried failed, as if I were trying to log in to a workgroup that has no members.

How in God's name can I get it back to something I can get into?

Erwin
Feb 17, 2006

Gozinbulx posted:

I just need to throw this out there since it's a networking question:

At the network I manage, I put a computer on the domain which we use. As in, instead of having that XP screen where you click a series of pictures representing a fixed set of users, it converted into a login prompt for a login and password.

All good.

For whatever reason (kinda stupid) I wanted to switch it back. In retrospect I think I should have just gone to My Computer/Properties/Change ID or whatever it is and just deleted the domain name. Instead I switched it to WORKGROUP and put in some improvised name and when asked for a login, put in one from the network and for some reason it worked.

Now I'm stuck with a login prompt that isn't for the domain and I don't seem to have any of the logins for it. Every one I tried failed, as if I were trying to log in to a workgroup that has no members.

How in God's name can I get it back to something I can get into?

I don't quite understand what you're saying. Can't you just change the third field (log on to:) to the local computer and log in as a local account?

Also, this has nothing to do with this thread.

Ray_
Sep 15, 2005

"It was like the Colosseum in Rome and we were the Christians." - Bobby Dodd, on playing at LSU's Tiger Stadium

Gozinbulx posted:

I just need to throw this out there since it's a networking question:

At the network I manage, I put a computer on the domain which we use. As in, instead of having that XP screen where you click a series of pictures representing a fixed set of users, it converted into a login prompt for a login and password.

All good.

For whatever reason (kinda stupid) I wanted to switch it back. In retrospect I think I should have just gone to My Computer/Properties/Change ID or whatever it is and just deleted the domain name. Instead I switched it to WORKGROUP and put in some improvised name and when asked for a login, put in one from the network and for some reason it worked.

Now I'm stuck with a login prompt that isn't for the domain and I don't seem to have any of the logins for it. Every one I tried failed, as if I were trying to log in to a workgroup that has no members.

How in God's name can I get it back to something I can get into?

There are linux boot cds that will let you change the password for local accounts.

This has nothing to do with group policy.

da sponge
May 24, 2004

..and you've eaten your pen. simply stunning.
Does AD in 2008 apply security filtering to GPOs differently than in 2003?

Example - create a new GPO in a computer OU. Under security filtering, remove authenticated users, replace with a security group of computers (including multiple computers in that OU).

In 2003, the members of the security group had that policy applied (I'm pretty sure). Policy modeling says the policy should be applied, but gpresult shows that the policy is denied on security filtering. Only after I manually delegate read permission to authenticated users does the policy apply. This doesn't make sense to me - the group the policy applies to is automatically delegated read permission when I add them to security filtering/apply the policy to it. Why does it need authenticated users delegated read permission for the group member when that member already has read & apply perms?

Dan Landry
Oct 30, 2003
Stone Dead Forever

da sponge posted:

This doesn't make sense to me - the group the policy applies to is automatically delegated read permission when I add them to security filtering/apply the policy to it. Why does it need authenticated users delegated read permission for the group member when that member already has read & apply perms?

Could it be a token issue? Maybe the machines need a reboot to pick up their new group memberships.

da sponge
May 24, 2004

..and you've eaten your pen. simply stunning.

Dan Landry posted:

Could it be a token issue? Maybe the machines need a reboot to pick up their new group memberships.

Nope, multiple reboots & gpupdate /force.

The Diddler
Jun 22, 2006


Regarding screensavers: I have a policy set to force the logon screensaver. Company policy requires the screensaver to be set and the workstation to lock when the screensaver kicks in. People would turn them off, and the workstation would never lock. It's been 6 months, and people are still whining about not having kitties or whatever for their screensaver.

Is there any way to 'disallow' a screensaver? Specifically, I don't want them to be able to choose (None). I don't care what they have, as long as they have something.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Bob Cthulhu posted:

Regarding screensavers: I have a policy set to force the logon screensaver. Company policy requires the screensaver to be set and the workstation to lock when the screensaver kicks in. People would turn them off, and the workstation would never lock. It's been 6 months, and people are still whining about not having kitties or whatever for their screensaver.

Is there any way to 'disallow' a screensaver? Specifically, I don't want them to be able to choose (None). I don't care what they have, as long as they have something.

I have a feeling you're just going to need to pick one as a corporate standard and stick with it. Beyond that, there is a business case that screen savers leave displays on and waste power (and are pointless, we really don't have burn in issues anymore). You're better off setting the screen saver to the black one or something generic, enforcing a password lock for security if the screen saver comes up, and then setting the user's power settings for displays to correspond with the screen saver so the whole thing turns off and saves electricity.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

Bob Cthulhu posted:

Regarding screensavers: I have a policy set to force the logon screensaver. Company policy requires the screensaver to be set and the workstation to lock when the screensaver kicks in. People would turn them off, and the workstation would never lock. It's been 6 months, and people are still whining about not having kitties or whatever for their screensaver.

Is there any way to 'disallow' a screensaver? Specifically, I don't want them to be able to choose (None). I don't care what they have, as long as they have something.

I'm in the same boat as you. If my user base can't have their ugly baby pics cycled through the screensaver then they freak the gently caress out. We are very lenient on policies around here.

The Diddler
Jun 22, 2006


BangersInMyKnickers posted:

I have a feeling you're just going to need to pick one as a corporate standard and stick with it.

That's what I thought. I have no problem with that, because if you're sitting there working, how does your screensaver even turn on? :iiam: Also, screensaver names and filenames changed with Win 7. :argh: Sometimes I wonder if the people who develop Windows have ever actually used Windows.

macado
Jun 3, 2003

How to keep an idiot busy, Click here.
So I just moved to a new IT department within my existing company where I work and I am unable to remotely manage any computers using Computer Management nor can I access any of the hidden administration shares. I also tried by IP address rather than NetBIOS name. I'm thinking it's a group policy or a setting I am missing. As of now the group policies are pretty basic but Client Side Extensions was installed via our WSUS and I am going to eventually start customizing them a bit more.

I enabled the Remote Administration Group Policy because it was previously not configured. These are the settings I used:

Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile
Windows Firewall: Allow remote administration exception: Enabled
Allow unsolicited incoming messages from: 100.12.204.0/24,100.12.206.0/24,100.12.55.0/24
My PCs are spread throughout about 3 subnets which I enabled by entering "100.12.204.0/24,100.64.206.0/24,100.12.55.0/24" (Note: These aren't my real subnets..)

Checked on PCs
-Windows firewall is enabled however it is not set to Block File and Print Sharing. (Does this explicitly need to be enabled in a GPO for remote administration to work??)
-Remote Registry Service is enabled
-Computer Browser Service is disabled (Does this need to be enabled?)
-I am in the Administrator group on all computers
-I can ping computers and remote desktop into them fine.
-Forced group policy by doing gpupdate /force numerous times.




Any ideas?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Here's what's in my firewall policy:

%windir%\PCHealth\HelpCtr\Binaries\Helpctr.exe:[your subnets]:Enabled:Remote Assistance
%windir%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:[your subnets]:Enabled:Offer Remote Assistance
%systemroot%\system32\sessmgr.exe:[your subnet]:Enabled Remote Assistance

Those get remote assistance working if you care (we let users connect to each other for that if they want).

Windows Firewall: Allow inbound file and printer sharing exception: Enabled, your management subnet

Allow ICMP exceptions: Enabled so you can ping

Allow inbound Remote Desktop exceptions: Enabled, whatever subnet works for you

Inbound port exceptions:

135:TCP:[management subnet]:Enabled:DCOM does a lot of the RPC work in Windows and you'll need it open if the Remote Management policy isn't working right.
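Every entry in the post above carries a scope field, and the security of the policy rests on that field being the management subnet rather than `*`. The following is an added example, not the poster's policy or any Microsoft tool: it parses entries in the same `program:scope:status:name` and `port:protocol:scope:status:name` forms, and reports any enabled exception whose scope is `*` or reaches outside an allowed list of subnets. The subnets and entries are constructed placeholders; the `sessmgr.exe` entry is deliberately written with `*` to show the weak form next to the scoped one.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed management subnets (placeholders, not a real network).
MANAGEMENT_SUBNETS = ["10.0.10.0/24", "10.0.11.0/24"]

# Constructed entries in the "Define inbound program exceptions" format:
# <path>:<scope>:<Enabled|Disabled>:<name>
PROGRAM_EXCEPTIONS = [
    r"%windir%\PCHealth\HelpCtr\Binaries\Helpctr.exe:10.0.10.0/24,10.0.11.0/24:Enabled:Remote Assistance",
    r"%systemroot%\system32\sessmgr.exe:*:Enabled:Remote Assistance",  # weak: any source address
    r"C:\Tools\legacy.exe:192.168.50.0/24:Disabled:Legacy tool",       # disabled, so not reported
]

# Constructed entries in the "Define inbound port exceptions" format:
# <port>:<TCP|UDP>:<scope>:<Enabled|Disabled>:<name>
PORT_EXCEPTIONS = [
    "135:TCP:10.0.10.0/24:Enabled:DCOM",
    "3389:TCP:LocalSubnet:Enabled:Remote Desktop",
    "445:TCP:*:Enabled:File and Printer Sharing",                       # weak: any source address
]


@dataclass
class Finding:
    entry: str
    reason: str


def scope_problem(scope: str, allowed: List[str]) -> Optional[str]:
    """Return None if every element of the scope lies within an allowed subnet
    (or is LocalSubnet), otherwise a short reason."""
    if scope.strip() == "*":
        return "scope '*' accepts connections from any address"
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    for item in scope.split(","):
        item = item.strip()
        if item.lower() == "localsubnet":
            continue  # LAN-only; acceptable for services meant for peers
        try:
            net = ipaddress.ip_network(item, strict=False)  # single IPs become /32
        except ValueError:
            return f"unparseable scope element '{item}'"
        if not any(net.subnet_of(a) for a in allowed_nets):
            return f"{item} is outside the management subnets"
    return None


def check_program_exceptions(entries: List[str], allowed: List[str]) -> List[Finding]:
    findings = []
    for entry in entries:
        # rsplit keeps the drive-letter colon in the path intact; the name
        # field is assumed not to contain ':'.
        path, scope, status, name = entry.rsplit(":", 3)
        if status.lower() != "enabled":
            continue
        reason = scope_problem(scope, allowed)
        if reason:
            findings.append(Finding(entry, f"{name} ({path}): {reason}"))
    return findings


def check_port_exceptions(entries: List[str], allowed: List[str]) -> List[Finding]:
    findings = []
    for entry in entries:
        port, proto, scope, status, name = entry.split(":", 4)
        if status.lower() != "enabled":
            continue
        reason = scope_problem(scope, allowed)
        if reason:
            findings.append(Finding(entry, f"{name} ({port}/{proto}): {reason}"))
    return findings


if __name__ == "__main__":
    for f in check_program_exceptions(PROGRAM_EXCEPTIONS, MANAGEMENT_SUBNETS) + \
             check_port_exceptions(PORT_EXCEPTIONS, MANAGEMENT_SUBNETS):
        print(f.reason)
```

The entries can be pasted straight out of the policy editor; the check is deliberately strict about scope and does nothing else, since a port such as 135 or 445 opened to `*` is the usual way a remote-administration exception quietly turns into a domain-wide exposure.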

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
I seem to have a situation here.

We have several branches on slow connections. I'm trying to update our OfficeScan client which is 100MB. Therefore I want to copy it to each branch's server where every computer has a mapped drive to it with a specific drive letter.

For example.

Branch: 1
Server: serv1
Mapped Drive: M:\ (which is \\serv1\Folder)

Branch: 2
Server: serv2
Mapped Drive: M:\ (which is \\serv2\folder)

Can I create a single GPO that looks at the M:\ Drive for the file? When I go to set it up, it wants me to choose the file, which I'm scared means the second branch will download and install from branch 1's server.

mute
Jul 17, 2004

IT Guy posted:

Can I create a single GPO that looks at the M:\ Drive for the file? When I go to set it up, it wants me to choose the file, which I'm scared means the second branch will download and install from branch 1's server.

I remember dealing with something similar to this--I'm sure there is a better way, but I worked around it and cheated by calling a .bat file that points to the mapped drive/executable due to lack of time to get it solved. I don't know if that would work for your specific situation, though.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

I'm not really sure how to address your particular issue, but long-term shouldn't you be using DFS to get content locally mirrored to all the branches more efficiently?


IT Guy
Jan 12, 2010

You people drink like you don't want to live!

BangersInMyKnickers posted:

I'm not really sure how to address your particular issue, but long-term shouldn't you be using DFS to get content locally mirrored to all the branches more efficiently?

Our site servers are Windows XP boxes :ssh:
