MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

hihifellow posted:

I posted it halfway up this page and it's not a bad idea, especially if you have nothing managing local admin passwords except a spreadsheet you hope people keep updated (or worse, the same password for everything (like us :cry:))

As far as impact it's pretty drat minor. I mean if your AD is held together with rope and ritual sacrifices yeah it might break something, but if you're in that situation you've got more important things to worry about.

We use ERPM to manage 5-7 local users on 2207 guest VMs and 2 accounts on 2207 host machines and then another 100 or so users on our backend systems, and at some point I think we will use this because the actual default admin user gives us terrible trouble when trying to use ERPM to spin (randomize) the password. We will probably let this mature a bit first though because we already have enough problems to handle without adding a completely new one.

Don't ask why we do it this way (the massive amounts of local users that is), I've been told that at the time it was the best way to do what we wanted (honestly after working here for a few years, it does seem like it was the best way), but it will be nice when we upgrade our 2207 remote locations to server 2012, and when we upgrade our production DCs to 2012 and change functional level from 2003 to 2012.

Boy was I pissed off when I wrote a PS script to move all the AD objects around for an org structure only to find out that it wouldn't work in our production environment because the AD PS tools/hooks didn't come around till 2008 R2. I was especially angry because literally 2 days before I started writing the script is when we changed our QA functional level to 2012 as preparation for our massive backend/frontend upgrades.

MF_James fucked around with this message at 08:22 on May 15, 2015


Tony Montana
Aug 6, 2005

by FactsAreUseless
so you write it in vbs? Or pay me to?

mayodreams
Jul 4, 2003


Hello darkness,
my old friend

MF_James posted:

...when we upgrade our production DCs to 2012 and change functional level from 2003 to 2012.

We upgraded the functional level of one of our domains from loving 2000 to 2008 R2 last year and it was really painful due to the morons who ran the domain before us who applied all of these group policies but they never seemed to take effect at the time. Because they were running them against server 2008 and 2008 R2. So when we upgraded the functional level to accommodate an Office 365 migration and we installed that critical user elevation patch for domain controllers last fall within a few weeks of each other all hell broke loose.

Firewalls were turned back on and blocked apps. Password complexity was raised and pretty much every service account for any application or DB server was now silently failing to auth and brought down almost everything including Exchange. The problem was we didn't know what the hell was going on until we started piecing the puzzle together and realized that crap only broke when we rebooted the server in question. We referred to this as the 'policy bomb' and I don't think we have had any related issues for a while, but this happened in late Q3 and into Q4 last year which is bad loving news for a company with a catalog and webstore for crap people don't need.

Tony Montana
Aug 6, 2005

by FactsAreUseless

hihifellow posted:

I posted it halfway up this page and it's not a bad idea, especially if you have nothing managing local admin passwords except a spreadsheet you hope people keep updated (or worse, the same password for everything (like us :cry:))

As far as impact it's pretty drat minor. I mean if your AD is held together with rope and ritual sacrifices yeah it might break something, but if you're in that situation you've got more important things to worry about.

oh you did, sorry mate.

It really can't get more official and supported than this.

How big are some of the networks you guys are working on? 10k seats or more?

ZetsurinPower
Dec 14, 2003

I looooove leftovers!
One of our engineers isn't doing his loving job, so I need to take things into my own hands and get something done but I'm not sure the best way to do it.

We're a Win7 shop, SCCM managed workstations. There is an Office add-in that is causing problems and I want to unregister the DLL for all of the computers to disable it.

I know how to do it on a case by case basis using "regsvr32 /u" but what would be the best way to do this for all laptops? Even better, limited to model-xxx?

vanity slug
Jul 20, 2010

ZetsurinPower posted:

One of our engineers isn't doing his loving job, so I need to take things into my own hands and get something done but I'm not sure the best way to do it.

We're a Win7 shop, SCCM managed workstations. There is an Office add-in that is causing problems and I want to unregister the DLL for all of the computers to disable it.

I know how to do it on a case by case basis using "regsvr32 /u" but what would be the best way to do this for all laptops? Even better, limited to model-xxx?

Create a group for that model and deploy a script with SCCM that does that?
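An added example (not vanity slug's or the thread's own code) of the script such a deployment would run: PowerShell that gates on the hardware model, unregisters the add-in DLL with the correctly-bitted regsvr32, and logs the result so SCCM reports a real success or failure. The model string, DLL path and log path are constructed placeholders.

```powershell
# Added example, not from the thread. Runs under the SCCM client (as SYSTEM) on Win7,
# so it sticks to PowerShell 2.0-compatible cmdlets (Get-WmiObject, not Get-CimInstance).
# Placeholders: $TargetModel, $AddinDll and $LogPath are constructed values.
param(
    [string]$TargetModel = 'Latitude E6430',                               # constructed
    [string]$AddinDll    = 'C:\Program Files (x86)\Vendor\Addin\addin.dll', # constructed
    [string]$LogPath     = "$env:ProgramData\Unregister-Addin.log"
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format s)  $Message" | Out-File -FilePath $LogPath -Append -Encoding UTF8
}

# Gate on model so the same deployment can be advertised to a broad collection safely.
# (The collection itself can also be limited with a WQL query on
#  SMS_G_System_COMPUTER_SYSTEM.Model like "%E6430%".)
$model = (Get-WmiObject -Class Win32_ComputerSystem).Model
if ($model -notlike "*$TargetModel*") {
    Write-Log "Model '$model' is not targeted; nothing to do."
    exit 0
}

if (-not (Test-Path -LiteralPath $AddinDll)) {
    Write-Log "DLL not present at '$AddinDll'; treating as already removed."
    exit 0
}

# A 32-bit add-in on 64-bit Windows must be unregistered with the 32-bit regsvr32,
# otherwise its COM registration under Wow6432Node is left in place.
# (Assumes a 64-bit DLL is handled from a 64-bit PowerShell host.)
$regsvr = Join-Path $env:SystemRoot 'System32\regsvr32.exe'
if ((Test-Path "$env:SystemRoot\SysWOW64") -and $AddinDll -like '*Program Files (x86)*') {
    $regsvr = Join-Path $env:SystemRoot 'SysWOW64\regsvr32.exe'
}

# /u unregisters, /s suppresses the message box (there is no interactive desktop here).
$proc = Start-Process -FilePath $regsvr -ArgumentList '/u', '/s', "`"$AddinDll`"" `
                      -Wait -PassThru -NoNewWindow
Write-Log "$regsvr /u /s $AddinDll exited with $($proc.ExitCode)"

# A non-zero exit surfaces as a failed deployment in the console instead of a silent no-op.
exit $proc.ExitCode
```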

Moey
Oct 22, 2010

I LIKE TO MOVE IT

mayodreams posted:

We upgraded the functional level of one of our domains from loving 2000 to 2008 R2 last year and it was really painful due to the morons who ran the domain before us who applied all of these group policies but they never seemed to take effect at the time. Because they were running them against server 2008 and 2008 R2. So when we upgraded the functional level to accommodate an Office 365 migration and we installed that critical user elevation patch for domain controllers last fall within a few weeks of each other all hell broke loose.

Firewalls were turned back on and blocked apps. Password complexity was raised and pretty much every service account for any application or DB server was now silently failing to auth and brought down almost everything including Exchange. The problem was we didn't know what the hell was going on until we started piecing the puzzle together and realized that crap only broke when we rebooted the server in question. We referred to this as the 'policy bomb' and I don't think we have had any related issues for a while, but this happened in late Q3 and into Q4 last year which is bad loving news for a company with a catalog and webstore for crap people don't need.

Holy poo poo. I think you are me.

orange sky
May 7, 2007

I have a complicated VMM setup that's throwing me some errors and I was wondering if you guys have done this already..

Here's the thing:


We have 4 different domains. Let's call them corporate.intra, corporate.division, corporate.lab and corporate.demo.

We want to build a self-service portal through App Controller so that users in corporate.intra can login and control VM's that are in a cluster in corporate.lab without setting a direct trust between them (only with corporate.division).

Here's what I'm trying:


corporate.intra <-------trust------->corporate.division(VMM Management Server)<-------trust-------->corporate.lab(Cluster)


So, I have a VMM Management server in corporate.division (VMMSERVER.corporate.division) managing a cluster in corporate.lab (CLUSTER.corporate.lab).

Setup worked, I had to fiddle with the hosts file to add the cluster but it worked and I can control resources in corporate.lab.

I added a user to a self service group in the user roles section, and it worked.

But now, when I try to add a user to the access list in a VM proper, it throws this error:


Where the censored bit isn't the Management Server, but the user I'm trying to add!

Does anyone know what might be causing this?

ghostinmyshell
Sep 17, 2004
I am very particular about biscuits, I'll have you know.
How are some of you planning to tackle Microsoft Accounts with Win10? I know certain features won't work without a Microsoft Account and haven't seen a work around yet.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Does anyone know how to setup a SCCM lab/test/dev/whatever environment alongside a production environment? I don't want the boundaries to collide and have clients start registering with my test instance, but I'm not sure what I need to do to keep them separated.

Also 2012 R2 SP1/2012 SP2 has been released, which supports Win 10 clients. There was a test SCCM instance here when I started, and I'd like to actually start using it, to test, among other things, upgrading to SP1, but I don't want to clobber my production instance.

Thanks Ants
May 21, 2004

#essereFerrari


ghostinmyshell posted:

How are some of you planning to tackle Microsoft Accounts with Win10? I know certain features won't work without a Microsoft Account and haven't seen a work around yet.

http://blogs.technet.com/b/ad/archive/2015/05/13/azure-active-directory-and-windows-10-making-the-enterprise-cloud-a-reality.aspx

Like that

CLAM DOWN
Feb 13, 2007
ghostinmyshell posted:

How are some of you planning to tackle Microsoft Accounts with Win10? I know certain features won't work without a Microsoft Account and haven't seen a work around yet.

No cloud anything and will not be using MS accounts in my environment so I'll let you know how that turns out.

Sacred Cow
Aug 13, 2007

FISHMANPET posted:

Does anyone know how to setup a SCCM lab/test/dev/whatever environment alongside a production environment? I don't want the boundaries to collide and have clients start registering with my test instance, but I'm not sure what I need to do to keep them separated.

Also 2012 R2 SP1/2012 SP2 has been released, which supports Win 10 clients. There was a test SCCM instance here when I started, and I'd like to actually start using it, to test, among other things, upgrading to SP1, but I don't want to clobber my production instance.

Phone postin' so I apologize if I missed anything.

More than one SCCM primary site can exist in a Forest. It will only scan what you tell it to in the Boundary settings and as long as you don't set the client to automatically push you should be ok. Set aside a chunk of IPs not included in your current setup and statically assign them to your test clients. Also lock down the permissions so only you can access it and you'll keep wandering hands from accidentally turning your test into prod.

Just keep in mind you can only have one site act as the PXE responder. That could make OSD testing tricky if you want to try out deploying Win10 with R2 SP1.

Of course the best answer is to set up a completely separate environment but that's not always an option.

Dans Macabre
Apr 24, 2004


ghostinmyshell posted:

How are some of you planning to tackle Microsoft Accounts with Win10? I know certain features won't work without a Microsoft Account and haven't seen a work around yet.

I still roll out win7 so I'm not planning on tackling win10 at all for a while

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
Hoping there are similar group policies to the ones for Windows 8.1 for 10 to manage MS accounts and what not.

ghostinmyshell
Sep 17, 2004
I am very particular about biscuits, I'll have you know.

NevergirlsOFFICIAL posted:

I still roll out win7 so I'm not planning on tackling win10 at all for a while

I don't want to roll out win10 right away either, but we can take advantage of the free upgrade the first year since we use Professional.

mayodreams
Jul 4, 2003


Hello darkness,
my old friend
I upgraded our DirSync installation to AADSync yesterday and it's great. I always felt that DirSync was super kludgy and obtuse. At least the migration was easy.

THF13
Sep 26, 2007

Keep an adversary in the dark about what you're capable of, and he has to assume the worst.
Anything that works similar to Crashplan but can backup to network shares? I want something that continuously monitors and backs up files to a network drive but doesn't need to run on the server it's backing up to. It also needs to not freak out if the network drive is temporarily unreachable for VPN users.

Gerdalti
May 24, 2003

SPOON!
How are you mostly Windows Network admins dealing with OS X in your environment?
Our Yosemite (and as far back as Mavericks) macs are just absolute garbage when trying to browse SMB file shares. After the Mavericks SMB2 debacle, I actually upgraded all our Fileservers to 2012 R2 (from 2008 R2) and that seemed to help some (as in, they could actually browse the shares) but it's still just terribly slow. They're also having awful slowness connecting to SMB shares on our EMC VNXe3200.

There has to be a fix for this right?

Thanks Ants
May 21, 2004

#essereFerrari


I'm seeing SMB getting better all the time for Macs. But they have a habit of undoing all the good work when the next OS drops and it takes a couple of point releases to fix.

You could always give ExtremeZ-IP a go.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy
We are on a workgroup and a user took their laptop home and needs to install a driver for their local printer.

If he does not have local admin rights, is there any way for me to take control of the PC without having to tell him the admin password? I've been testing MDM solutions but haven't implemented anything yet, so I need to figure something out for this user now. I'm guessing Join.Me / TeamViewer are all going to need admin credentials.

mayodreams
Jul 4, 2003


Hello darkness,
my old friend
We are having significant challenges with Macs and our filer based storage on NetApp and Nexenta. For all intents and purposes, SMB/CIFS for 10.7, 10.8, and 10.9 are garbage and do NOT play well with 3rd party Samba stacks. We have not really had issues with native 2012 R2 with the varying levels of Mac OS though. We are pushing a huge migration to 10.10 Yosemite to alleviate these issues long term. For the short term, we had to up the number of seats for ExtremeZip to help the 10.7-10.9 crowd, but mixing protocols has created issues too.

Gerdalti
May 24, 2003

SPOON!

Thanks Ants posted:

I'm seeing SMB getting better all the time for Macs. But they have a habit of undoing all the good work when the next OS drops and it takes a couple of point releases to fix.

You could always give ExtremeZ-IP a go.

mayodreams posted:

We are having significant challenges with Macs and our filer based storage on NetApp and Nexenta. For all intents and purposes, SMB/CIFS for 10.7, 10.8, and 10.9 are garbage and do NOT play well with 3rd party Samba stacks. We have not really had issues with native 2012 R2 with the varying levels of Mac OS though. We are pushing a huge migration to 10.10 Yosemite to alleviate these issues long term. For the short term, we had to up the number of seats for ExtremeZip to help the 10.7-10.9 crowd, but mixing protocols has created issues too.

I actually just setup Acronis Access Connect (Used to be called Extreme Z-IP). Running the trial right now and it seems to be working really well actually. It's still indexing TB's of data, but it's already performing better than SMB for our Macs.

Mayodreams, don't expect Yosemite (we're fully upgraded) to fix your problems. It's still pretty terrible w/ 2012 R2 SMB and with our EMC SMB shares.

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from

Zero VGS posted:

We are on a workgroup and a user took their laptop home and needs to install a driver for their local printer.

If he does not have local admin rights, is there any way for me to take control of the PC without having to tell him the admin password? I've been testing MDM solutions but haven't implemented anything yet, so I need to figure something out for this user now. I'm guessing Join.Me / TeamViewer are all going to need admin credentials.

Most remote control software will let you take control without the user having admin rights.

Thanks Ants
May 21, 2004

#essereFerrari


The problem I've found is that if the remote viewer process is launched as the standard user then the UAC elevation popup that dims the display will completely black it out for your remote session, so you aren't able to enter the credentials.

Gerdalti
May 24, 2003

SPOON!
I've had good luck with ScreenConnect. It lets you relaunch the process with different credentials once you've connected. Also a few tweaks to GPO and you can get those UAC elevation pop ups on the regular desktop instead of the secure desktop.

mayodreams
Jul 4, 2003


Hello darkness,
my old friend

Gerdalti posted:

I actually just setup Acronis Access Connect (Used to be called Extreme Z-IP). Running the trial right now and it seems to be working really well actually. It's still indexing TB's of data, but it's already performing better than SMB for our Macs.

Mayodreams, don't expect Yosemite (we're fully upgraded) to fix your problems. It's still pretty terrible w/ 2012 R2 SMB and with our EMC SMB shares.

You should turn off indexing/spotlight. The Access Connect / ExtremeZip is a resource pig and indexing a lot of files does not help that.

Gerdalti
May 24, 2003

SPOON!

mayodreams posted:

You should turn off indexing/spotlight. The Access Connect / ExtremeZip is a resource pig and indexing a lot of files does not help that.

I tried that, it did not go over well. I had the entire art department in my office shouting, and then they got CEO level backing to make me turn it back on.

peak debt
Mar 11, 2001
b& :(
Nap Ghost

FISHMANPET posted:

Does anyone know how to setup a SCCM lab/test/dev/whatever environment alongside a production environment? I don't want the boundaries to collide and have clients start registering with my test instance, but I'm not sure what I need to do to keep them separated.

Also 2012 R2 SP1/2012 SP2 has been released, which supports Win 10 clients. There was a test SCCM instance here when I started, and I'd like to actually start using it, to test, among other things, upgrading to SP1, but I don't want to clobber my production instance.

The easiest way to do that is to not publish the test SCCM settings into AD, and not have any system discovery or client push installations. That way you're forced to manually set the SCCM site on the clients that should contact that server - either by setting it in the Control Panel or as a command line option to ccmsetup.exe. But that guarantees that only clients you want to talk to the test server will do so.

Malcolm
May 11, 2008

Gerdalti posted:

I actually just setup Acronis Access Connect (Used to be called Extreme Z-IP). Running the trial right now and it seems to be working really well actually. It's still indexing TB's of data, but it's already performing better than SMB for our Macs.

Mayodreams, don't expect Yosemite (we're fully upgraded) to fix your problems. It's still pretty terrible w/ 2012 R2 SMB and with our EMC SMB shares.

The only thing that raises an eyebrow with ExtremeZ-IP (or perhaps its successor) is the possibility of illegal characters allowed on NTFS shares. I haven't used the software in over 5 years, but I would spend a couple minutes researching how the API interacts with NTFS shares, and whether that may someday come back to haunt you if/when you do fileserver migrations. This may not apply to Acronis Access Connect and may never be a problem for your environment, just thought I'd mention it during the trial phase.

mayodreams
Jul 4, 2003


Hello darkness,
my old friend

Malcolm posted:

The only thing that raises an eyebrow with ExtremeZ-IP (or perhaps its successor) is the possibility of illegal characters allowed on NTFS shares. I haven't used the software in over 5 years, but I would spend a couple minutes researching how the API interacts with NTFS shares, and whether that may someday come back to haunt you if/when you do fileserver migrations. This may not apply to Acronis Access Connect and may never be a problem for your environment, just thought I'd mention it during the trial phase.

This. We are dealing with the fallout of illegal characters and super long file and path names. We had a meeting with the creatives yesterday where they kept complaining about not being able to rename folders or files and that was due to Windows' shorter limit for path and file names. For the past few years we were using ExtremeZIP to reshare volumes from an aging Netapp that the Macs could not reliably access via CIFS/SMB. While it works for these types of things, just be wary of memory leaks causing the service to crash and the other file system concerns between Windows and Mac OS.

Serfer
Mar 10, 2003

The piss tape is real
I'm having an issue with the SCCM Management Point, and it seems to be a WMI corruption problem. The resolution is to remove/re-add the Management Point role, however I only have one Management Point. Is it safe to remove the role, and then re-add it, or will I have to reassign the clients once it's done?

Dans Macabre
Apr 24, 2004


Hey I inherited a completely hosed domain and while it's mostly ok right now, GPO is causing problems. For example it doesn't have a lot of the base admxs and I'm guessing there's other stuff wrong. I want to just completely blow away and start group policy over from scratch (they only have like 3 GPOs right now that I can export and re-import) so what do I do

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from

NevergirlsOFFICIAL posted:

Hey I inherited a completely hosed domain and while it's mostly ok right now, GPO is causing problems. For example it doesn't have a lot of the base admxs and I'm guessing there's other stuff wrong. I want to just completely blow away and start group policy over from scratch (they only have like 3 GPOs right now that I can export and re-import) so what do I do

Follow the instructions here https://msdn.microsoft.com/en-us/library/bb530196.aspx to set up a central store. Grab the admx files from the most recent version of Windows server you have available. That will get the dc's and clients ignoring any missing or screwed up policy folders. If you've got messed up GPOs and can't delete them using GPMC you can delete them from the domain sysvol folder but you'll have to load up adsiedit and delete them from system\policies as well. At that point you're mostly fresh; many policy settings will tattoo the registry of the clients so that can cause problems but if you don't want to reverse engineer those you'll have to reimage or reinstall the client os.
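As an added example (not hihifellow's code), PowerShell for two of the steps above: building the central store from a reference machine's ADMX set, and listing GPO remnants where SYSVOL and the AD policy container disagree, so nothing gets deleted by hand before it has been checked. It assumes the ActiveDirectory and GroupPolicy RSAT modules, PowerShell 3.0 or later, and domain admin rights.

```powershell
# Added example, not from the thread. Assumes RSAT (ActiveDirectory, GroupPolicy modules),
# PowerShell 3.0+, and domain admin rights. Nothing here deletes anything.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$policies = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
$central  = Join-Path $policies 'PolicyDefinitions'

# 1. Central store: copy the ADMX files plus their language subfolders (en-US etc.)
#    from the newest server you have. /XO never overwrites a newer ADMX with an older one.
function New-AdmxCentralStore {
    param([string]$Source = "$env:SystemRoot\PolicyDefinitions",
          [string]$Destination = $central)
    if (-not (Test-Path -LiteralPath $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    robocopy $Source $Destination *.admx *.adml /E /XO /R:2 /W:5 /NP | Out-Null
    # robocopy exit codes 0-7 are success variants; 8 and above signal failures.
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
    (Get-ChildItem -LiteralPath $Destination -Filter *.admx).Count
}

# 2. Remnant check: a healthy GPO has both a {GUID} folder in SYSVOL and a
#    groupPolicyContainer object under CN=Policies,CN=System. A GUID present on only
#    one side is the leftover of a half-finished delete (the case GPMC can't clean up).
function Get-GpoRemnants {
    $adGuids = Get-ADObject -SearchBase "CN=Policies,CN=System,$($domain.DistinguishedName)" `
                            -LDAPFilter '(objectClass=groupPolicyContainer)' |
               ForEach-Object { $_.Name.ToLowerInvariant() }   # Name is the {GUID}
    $fsGuids = Get-ChildItem -LiteralPath $policies -Directory |
               Where-Object { $_.Name -match '^\{[0-9a-f-]{36}\}$' } |
               ForEach-Object { $_.Name.ToLowerInvariant() }
    [pscustomobject]@{
        SysvolOnly = @($fsGuids | Where-Object { $adGuids -notcontains $_ })  # folder, no AD object
        ADOnly     = @($adGuids | Where-Object { $fsGuids -notcontains $_ })  # AD object, no folder
    }
}

"ADMX files in central store: $(New-AdmxCentralStore)"
$remnants = Get-GpoRemnants
"SYSVOL folders without an AD object: $($remnants.SysvolOnly -join ', ')"
"AD policy objects without a SYSVOL folder: $($remnants.ADOnly -join ', ')"
# Cross-check any leftover with Get-GPO -Guid <guid> before removing either half by hand.
```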

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
generally don't blow them away, that isn't a good idea.

What kind of problems is it causing? "Missing base admx" - not sure what that means.

What I do is:

- Create a new OU with similar structure to your existing OUs (Computers, Users, Security Groups, etc.)
- Block inheritance on the top OU you just made
- Link your default domain policy in the new OU
- Create your Group Policies, Go Hog Wild!

Then make test users and see how they work in the new OU. You can replace ADMX files no problem in the central store.
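Gyshall's four steps as PowerShell, added here as an example (not Gyshall's own script). The 'GPO-Test' OU, the baseline GPO name and the test user are constructed; it assumes the ActiveDirectory and GroupPolicy RSAT modules and domain admin rights.

```powershell
# Added example, not from the thread. Assumes RSAT modules and domain admin rights.
# 'GPO-Test', 'Test - Workstation Baseline' and 'gpo.test1' are constructed names.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$testOU   = "OU=GPO-Test,$domainDN"

# 1. Mirror the production structure under a new top-level OU.
New-ADOrganizationalUnit -Name 'GPO-Test' -Path $domainDN -ProtectedFromAccidentalDeletion $true
foreach ($child in 'Computers', 'Users', 'Security Groups') {
    New-ADOrganizationalUnit -Name $child -Path $testOU
}

# 2. Block inheritance so none of the inherited (possibly broken) GPOs reach the sandbox.
Set-GPInheritance -Target $testOU -IsBlocked Yes | Out-Null

# 3. Link the Default Domain Policy back in. Account policies (password, lockout) are
#    only honoured from the domain root; everything else in it applies normally here.
New-GPLink -Name 'Default Domain Policy' -Target $testOU -LinkEnabled Yes | Out-Null

# 4. New GPOs are linked under the test OU only, with an explicit link order.
$gpo = New-GPO -Name 'Test - Workstation Baseline'
New-GPLink -Guid $gpo.Id -Target "OU=Computers,$testOU" -LinkEnabled Yes -Order 1 | Out-Null

# Test accounts live inside the sandbox; the password is prompted, never stored in the script.
New-ADUser -Name 'gpo.test1' -SamAccountName 'gpo.test1' -Path "OU=Users,$testOU" `
           -AccountPassword (Read-Host -AsSecureString 'Password for gpo.test1') -Enabled $true

# Verify: inheritance blocked and exactly the expected links present.
$inh = Get-GPInheritance -Target $testOU
"Inheritance blocked: $($inh.GpoInheritanceBlocked)"
$inh.GpoLinks | Select-Object Order, DisplayName, Enabled, Enforced
```

Move a test machine into OU=Computers under the sandbox with Move-ADObject, run gpupdate /force on it, and Get-GPResultantSetOfPolicy shows what it actually received.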

socialsecurity
Aug 30, 2003
So despite using Server for years and years now, I just learned that Windows Server Experience exists. I've been setting it up now and it doesn't seem awful. Anyone have any experience with this? Accessing the shares remotely alone seems handy for some end users.

peak debt
Mar 11, 2001
b& :(
Nap Ghost

Serfer posted:

I'm having an issue with the SCCM Management Point, and it seems to be a WMI corruption problem. The resolution is to remove/re-add the Management Point role, however I only have one Management Point. Is it safe to remove the role, and then re-add it, or will I have to reassign the clients once it's done?

It is safe as it doesn't store any data by itself, but you cannot uninstall the last management point on a site. You have to first add one to another server in the same site, only then can you uninstall your broken one.

MC Fruit Stripe
Nov 26, 2002

around and around we go
Looking for a VPN client replacement. The one I've sworn by for years, seen below, is also pretty out of date. I love it because it lets me create multiple entries - I need to VPN into any number of sites and it lets me import a profile for each. It's spectacular. It's the Cisco VPN Client pictured here:
What's the latest and greatest that I should be using?

PUBLIC TOILET
Jun 13, 2009

MC Fruit Stripe posted:

Looking for a VPN client replacement. The one I've sworn by for years, seen below, is also pretty out of date. I love it because it lets me create multiple entries - I need to VPN into any number of sites and it lets me import a profile for each. It's spectacular. It's the Cisco VPN Client pictured here:
What's the latest and greatest that I should be using?

I've heard this one is decent but I've personally never tried it.


MrMoo
Sep 14, 2000

PUBLIC TOILET posted:

I've heard this one is decent but I've personally never tried it.

That's for OpenVPN. Cisco IPsec would be replaced by ShrewSoft: https://www.shrew.net/software

Ideally you should be on AnyConnect with SSL VPN or IKEv2 and use Windows native IPsec client.
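As an added example (not MrMoo's), the "Windows native client" route: a PowerShell profile for an IKEv2 connection with the built-in client, pinning the IPsec proposals rather than accepting whatever is negotiated. vpn.example.com and the connection name are placeholders; it assumes the VpnClient module (Windows 8.1 and later) and a gateway that authenticates machine certificates and offers matching proposals.

```powershell
# Added example, not from the thread. Requires the VpnClient module (Windows 8.1+).
# vpn.example.com and 'Corp IKEv2' are placeholders.
$name   = 'Corp IKEv2'
$server = 'vpn.example.com'

# Recreate the profile so re-running the script always converges on the same settings.
if (Get-VpnConnection -Name $name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $name -Force
}

# IKEv2 with machine-certificate authentication: no reusable password to phish or replay.
# SplitTunneling and RememberCredential are left at their defaults (off) on purpose.
Add-VpnConnection -Name $name -ServerAddress $server -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required

# Pin the proposals: AES-GCM-256 for ESP, AES-256/SHA-256/DH group 14 for IKE, 2048-bit PFS.
# The client's default proposal set still includes older algorithms; this removes them.
Set-VpnConnectionIPsecConfiguration -ConnectionName $name `
    -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup PFS2048 -Force

# Verify what was written before handing the profile to users.
Get-VpnConnection -Name $name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling
(Get-VpnConnection -Name $name).IPsecCustomPolicy
```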
