|
BangersInMyKnickers posted:I was more asking to make sure you didn't have some old nt4 controllers sitting around or something weird like that. Kerberos is what you should be authenticating with in in a domain unless you are going by the IP instead of hostname, the other machine isn't on the domain, or you ports aren't open right. Then it will default down to NTLM or LM. Any of those apply to you? Nope 
|
#
?
Sep 12, 2008 22:29
|
|
|
|
| # ? Apr 20, 2024 05:46 |
|
|
BangersInMyKnickers posted:It looks like the name key is what we want to go by. So lets make a WQL statement. Actually this isn't how it works. Whether there is any product named Symantec Antivirus installed or not, that query will always return the products that aren't named like that. The only situation where that query would return false is if there isn't any software other than Symantec Antivirus installed.
|
|
#
?
Sep 12, 2008 23:15
|
|
|
RonaldMcDonald posted:Actually this isn't how it works. Whether there is any product named Symantec Antivirus installed or not, that query will always return the products that aren't named like that. The only situation where that query would return false is if there isn't any software other than Symantec Antivirus installed. Yep, you're right. I was working off some old notes and that was one of my failed attempts while I was starting out. I ended up deleting the the filter I made a while ago I can't remember exactly exactly how I did it any more. There is a limitation between WQL and WMI filtering that because WMI filtering will only execute on a true statement and WQL will only return False if it didn't find something and you can't invert that behavior, you are kinda screwed if you are trying to return "True" for not finding something on a WQL statement. I believe what I ended up doing was making one policy that had a WMI filter to check for 'select * from Win32_Product where Name = "Symantec Antivirus"' and then execute an attached batch script to remove SAV, and then a separate install policy for Nod32 that ran off a batch script to check for the Symantec service and install Nod if it wasn't detected. Once all the Symantec clients were removed I ended up deleting those old policies and just making a normal deployment one for Nod.
|
|
#
?
Sep 12, 2008 23:48
|
|
|
With the vista gpmc, I can push any key I want to an OU affected by that policy, for instance having everyone's workstation automagically populate HKCU/Software/Microsoft/blablah/somekey with the value I need it to have? If so, that's pretty much awesome.
|
|
#
?
Sep 15, 2008 17:55
|
|
|
NotYella posted:With the vista gpmc, I can push any key I want to an OU affected by that policy, for instance having everyone's workstation automagically populate HKCU/Software/Microsoft/blablah/somekey with the value I need it to have? If so, that's pretty much awesome. Yep, you can configure it to add a new key, update an existing key, or delete a key from a nice little GUI in either the HKCU or HKLM hives. Shortcuts, individual files or folders, the contents of .ini files, and a few other things can all be manipulated in this manner as well.
|
|
#
?
Sep 15, 2008 20:22
|
|
|
Bangers, So I set up a Vista SP1 machine with RSAT to play around with the sweet new Vista Group Policy options, but when I run it on my current domain all the options look exactly the same as they do on my other machines. Reading the OP again, am I correct in assuming that this: BangersInMyKnickers posted:You also want to make sure that the optional Windows Update Group Policy Client Side Extensions is installed across the entire domain for these new features to be usable on older system, but more on that later when I get to patch management. means that the new extensions won't show up until the update is installed on the Server 2003 machines that currently govern my network? I just want to confirm before I go ahead and reboot our primary domain controller.
|
|
#
?
Sep 16, 2008 17:03
|
|
|
•Testing and Troubleshooting policy: Quite a few things can go wrong when policy is applying. Here are a few of the most common issues I have seen. Having your antivirus client correctly configured is a key component of group policy working correctly. If clients are attempting to pull policy off the sysvol share, this will trigger scan events by a real-time scanning engine which can cause file locks that result in policy not being applied correctly. This issue will be intermittent and very hard to diagnose as it will appear from the client end that the connection is timing out and dropping. This guide is a fairly good guide for setting up the common exclusions to Microsoft servers and services. Keep in mind that anything running a database is going to need some manner of exclusion or you may encounter problems. The eventlog (eventvwr.msc) is your go-to place to see if policy is applying correctly, with policy results being reported in the Application log. If you are pushing out application packages, one of the errors you may encounter will look like this: quote:Failed to apply changes to software installation settings. Software installation policy application has been delayed until the next logon because an administrator has enabled logon optimization for group policy. The error was : The group policy framework should call the extension in the synchronous foreground policy refresh. If you are not seeing policy being applied, attempt to manually update policy with gpupdate.exe. If there is an error at this point, there may be something wrong with the sysvol DFS share your domain controllers run. Make sure you can manually navigate to it via \\[domain fqdn]\sysvol. Also check to make sure you are pointed at your internal DNS servers an not somewhere else, as not being able to resolve the name to your packages share will shoot you down quickly. Beyond those things to check, you will most likely need to do some googling with error codes. If policy says it is applying correctly but you do not see this reflected in the eventlog or on the actual settings, then odds are the machine or user is not falling within the scope of the policy. The first thing is to check your Active Directory structure and verify that the user or machine object falls at or below the level where the link is placed and that there aren't Inheritance Blocks causing the problem. Keep in mind that machine policy will only apply to machine objects and likewise with user policy and objects. Because of this I keep all of my user and machine policy settings in discrete GPOs to avoid confusion on their scope. The exception to this may be your default domain policy as this is a good place to configure settings to which all objects within the domain should adhere to. If a quick spotcheck doesn't reveal anything out of the ordinary, your best bet is to use group policy modeling and results. Modeling is mostly used to figure out what policies are filtering down to a specific OU but won't tell you much about a specific machine. Results gives you a much more granular look at one specific machine, including which WMI filters evaluated as true or false and what security group apply so you can get a better idea of what is causing the policy to fall out of scope. When it comes to actual software deployment testing, VMWare Server or ESXi are great free tools that you can use to easily load up a single machine with a bunch of OS installs and test their installation as well as rolling back to an established snapshot. I have had a few packages (Acrobat Reader 8, Java 6u1) to which the uninstallers break and catching and testing in this environment is critical to a smooth rollout without a bunch of things breaking and people screaming down your neck. For a general hint, a large number of uninstaller errors can be circumvented by deleting the associate package key from HKCR\Installer\Products.
|
|
#
?
Sep 16, 2008 20:06
|
|
|
Model Camper posted:Bangers, Are you editing local group policy or are you in the actual "Group Policy Management" applet. gpedit.msc will look exactly the same as before but if you run the group policy management app from Administrative Tools (or add the snap-in to a mmc console) you should see the new policy options by default. The ability to build policy using the new options are there by default with RSAT, the restriction is that for a machine to interpret the new options you need to have the that update installed. Group policy is basically a set of configuration files hosted on the network share your domain controllers run, and machines and user by default look there for policy as domain members. You should not need to modify your domain controllers or reboot them to host a policy object created with the new features RSAT provides.
|
|
#
?
Sep 16, 2008 20:15
|
|
|
Are the CSEs included in XP SP3 and/or Vista SP1? Do I need to worry about pushing those out separately?
|
|
#
?
Sep 17, 2008 15:23
|
|
|
Mierdaan posted:Are the CSEs included in XP SP3 and/or Vista SP1? Do I need to worry about pushing those out separately? They are optional updates and not bundled with SP3 or SP1, but with Vista it was flagged as an Important update instead of Optional so most systems should have it already (not sure about 2008 but I assume it would be classified as Important there as well). Look for KB943729 in XP, XP-64, Server 2003, and Server 2003-64 flavors depending on what you are running.
|
|
#
?
Sep 17, 2008 15:36
|
|
|
Got it, thanks. It actually doesn't show as being compatible with XP SP3 in WSUS, so I'm glad I hadn't pushed that out to clients yet...
|
|
#
?
Sep 17, 2008 17:01
|
|
|
Mierdaan posted:Got it, thanks. It actually doesn't show as being compatible with XP SP3 in WSUS, so I'm glad I hadn't pushed that out to clients yet... Yeah, I forgot to mention this but there is a flaw in the detection logic where XP SP3 thinks that this specific KB doesn't apply even though it does. Apparently the WSUS team has acknowledged the issue and is testing compatibility of the update on SP3 or some nonsense and expects a fix "soon". I haven't pushed out SP3 yet either because I expected some kind of screwball issue like this, though I didn't exactly expect group policy to get dicked up. Hopefully it will be sorted at or before the October security patches.
|
|
#
?
Sep 17, 2008 17:24
|
|
|
BangersInMyKnickers posted:Yeah, I forgot to mention this but there is a flaw in the detection logic where XP SP3 thinks that this specific KB doesn't apply even though it does. Apparently the WSUS team has acknowledged the issue and is testing compatibility of the update on SP3 or some nonsense and expects a fix "soon". I haven't pushed out SP3 yet either because I expected some kind of screwball issue like this, though I didn't exactly expect group policy to get dicked up. Hopefully it will be sorted at or before the October security patches. This is some goddamned bullshit right here. I just bought a Vista license for the sole purpose of testing group policy for my handful of Vista clients and using the new GPMC to push new group policy objects out to everyone. edit: Just discovered that I can install the update manually without any problems. How can I turn this into an MSI to push to all of my clients with a GPO? Sock on a Fish fucked around with this message at 18:50 on Sep 17, 2008 |
|
#
?
Sep 17, 2008 18:35
|
|
|
So, what did you guys do before the new Vista group policy extensions that would allow a user without a connection to the domain controller to have a drive map at login that he could then reconnect once he established a VPN connection to the office? I'm thinking I should just tell WSH to map the drive persistently, but I'm worried that I'm going to regret that later on if I need to change drive mappings.
|
|
#
?
Sep 17, 2008 21:05
|
|
|
Sock on a Fish posted:This is some goddamned bullshit right here. I just bought a Vista license for the sole purpose of testing group policy for my handful of Vista clients and using the new GPMC to push new group policy objects out to everyone. Take the downloadable exe and decompress it with the /x:[somepath] switch. Then take the contents of the update subdirectory and save it someplace on the network. Then you are going to need a machine startup script GPO that looks something like this: code:As for the VPN issue, correct me if I am wrong but so long as you create the VPN connection in Windows and mark it as available to all users you can use the "Connect with dial-up networking" option at logon to connect the machine to the VPN before logon processes and then you won't have the problem with not seeing the domain controller. BangersInMyKnickers fucked around with this message at 21:52 on Sep 17, 2008 |
|
#
?
Sep 17, 2008 21:43
|
|
|
Just checking in to say that this thread is awesome. You're awesome. GPOs are one of the major reasons why Active Directory is really good in enterprise scenarios. Being able to just set a policy that affects a specific class of computer or user and have it just HAPPEN is an administration dream.
|
|
#
?
Sep 17, 2008 21:51
|
|
|
BangersInMyKnickers posted:Take the downloadable exe and decompress it with the /x:[somepath] switch. Then take the contents of the update subdirectory and save it someplace on the network. Then you are going to need a machine startup script GPO that looks something like this: Sweet, I never thought of that. Thanks!
|
|
#
?
Sep 17, 2008 22:02
|
|
|
Sock on a Fish posted:Sweet, I never thought of that. Thanks! I just realized that I can't make it work. The reg query outputs an error that it can't find the key, but then the conditional doesn't do anything after checking for NOT ERRORLEVEL = 0.
|
|
#
?
Sep 17, 2008 22:26
|
|
|
Sock on a Fish posted:I just realized that I can't make it work. The reg query outputs an error that it can't find the key, but then the conditional doesn't do anything after checking for NOT ERRORLEVEL = 0. Sorry, I was just mashing out half-assed script without really testing it. Lets go this way: code:
|
|
#
?
Sep 17, 2008 22:52
|
|
|
Thanks for the help. I learned a shortcut to avoid needing to check the ERRORLEVEL variable. Just put a double pipe after the reg query -- if the query fails, everything after the double pipe gets executed.
|
|
#
?
Sep 18, 2008 00:20
|
|
|
Sock on a Fish posted:Thanks for the help. I learned a shortcut to avoid needing to check the ERRORLEVEL variable. Just put a double pipe after the reg query -- if the query fails, everything after the double pipe gets executed. Very cool, I didn't know you could use || and && in that manner. Thanks for the tip, that will simplify my scripts a lot.
|
|
#
?
Sep 18, 2008 01:32
|
|
|
BangersInMyKnickers posted:You don't need Vista clients to use the new group policy features, only a Vista machine to build the actual policies. So long as the group policy extension update is installed on the XP or Server 2003 system they will apply there just fine, which is why I was trying to shift focus away from using VBScript and batch scripting. That right there just eliminated around 40-50% of the crap I had to script using vbscript at my former employer. I'm still a script monkey at heart but god drat this tutorial is awesome. It almost makes me want to go back to being a Windows sysadmin (I'm a unix sysadmin now). Well, almost...  I'm not sure if this was covered yet (I'm still reading and digesting), but you might want to mention how GPOs are deployed over slow connections and how to diddle the rules surrounding what gets deployed when.
|
|
#
?
Sep 18, 2008 05:05
|
|
|
I'm in a school environment that has a relatively simple 2 domain structure: Teacher Server (domain-1): Teacher GPO Office admin GPO Tech admin GPO Student server (domain-2): Jr Sr Student GPO Elementary GPO Tech admin GPO The OUs pretty much match up exactly with that. This thread has opened my eyes beyond just scripting commands into login batch files... but people seem to have TONS AND TONS more GPOs going on. Am I missing something? Do you apply multiple GPOs to an OU just to keep types of settings clean and separate? I would love to read descriptions and see pictures of really complex OU/Group Policy configurations.. I have not seen many AD configurations beyond the ones at my current job. ogreboy fucked around with this message at 05:35 on Sep 18, 2008 |
|
#
?
Sep 18, 2008 05:32
|
|
|
ogreboy posted:This thread has opened my eyes beyond just scripting commands into login batch files... but people seem to have TONS AND TONS more GPOs going on. Am I missing something? Do you apply multiple GPOs to an OU just to keep types of settings clean and separate? Yes, it typically boils down to multiple policies to a single OU so you can keep them segregated. It is a lot easier to make a change or revert on a whole policy that does a limited scope of things (like pre-configures IE and WMP to skip the EULA and enforce some default settings) if things go screwy so you don't need to go digging for individual settings in another policy to revert things, just disable the link. You also hit situations where different departments or user groups request divergent settings and having multiple smaller policies makes it much easier to give people the settings they want why not pissing off everyone else. In my environment we have different departmental OUs for things as divergent engineers, waste management, telecommunications, and a power plant. Because their functions are all so different, a lot of forethought needs to be put in to your Active Directory structure if you want something that is easily manageable and scales well. In your environment, I question the logic of running separate domains within a single building (assuming that is your situation). It will double the number of domain controllers you need and nothing would stop you from segregating teacher and student user objects through an OU structure like you already use but in a single domain. Typically you want to set up different domains for geographically separate locations. Two within the same building would be more hassle within benefit that I can see.
|
|
#
?
Sep 18, 2008 14:42
|
|
|
Any tips on using the new GPE to mount a drive with different credentials than the logged in user? I've put in both the username and password for the share in my GPO, but when I login the drive is mapped, I double click it, and I get prompted for a password for the username that I had put in the GPO. I've quadruple checked that the credentials have been correctly entered. Also, does Vista need an update to use the new GPEs? My Vista test client shows that my new drive mapping policy is being applied, but drives don't actually map.
|
|
#
?
Sep 18, 2008 18:15
|
|
|
Sock on a Fish posted:Also, does Vista need an update to use the new GPEs? My Vista test client shows that my new drive mapping policy is being applied, but drives don't actually map. There is a KB943729 for Vista as well which should be installing by default, but verify just in case. You also want SP1, so do that if you haven't for some reason. From what I am reading, a few of the newer policies won't apply correctly until your schema is updated to Server 2008 (this can be done on Server 2003 DCs) and configuring a drive mapping to log in with alternative credentials may be one of those situations.
|
|
#
?
Sep 18, 2008 18:30
|
|
|
BangersInMyKnickers posted:There is a KB943729 for Vista as well which should be installing by default, but verify just in case. You also want SP1, so do that if you haven't for some reason. From what I am reading, a few of the newer policies won't apply correctly until your schema is updated to Server 2008 (this can be done on Server 2003 DCs) and configuring a drive mapping to log in with alternative credentials may be one of those situations. Oh well, I was planning on extending the schema to support MCX anyway. This should be fun. It looks like the registry in Vista doesn't store the Uninstall information for updates in the same location, and Google is no help in revealing the real location. Can you tell me where Vista stores that info?
|
|
#
?
Sep 18, 2008 18:50
|
|
|
Sock on a Fish posted:Oh well, I was planning on extending the schema to support MCX anyway. This should be fun. That one has been a mystery to me. The registry only contains garbage randomly named keys that reference the garbage randomly named patch installers in c:\windows\installer now and how it keeps track of that stuff is no longer in the registry. There is a command line tool you can use that will dump out the name of all the installed KBs on the system and you can pipe that in to a find for the GPE KB number, but I can't remember what the command is offhand. You may also be able to fish for it with a WMI query.
|
|
#
?
Sep 18, 2008 19:15
|
|
|
Alright, figured it out. Run this querycode:
|
|
#
?
Sep 18, 2008 20:00
|
|
|
This thread just keeps on delivering. Thanks!
|
|
#
?
Sep 18, 2008 21:37
|
|
|
Would you care to explain some of the intricacies as to why some policies will not apply on a first, or even second 'gpupdate /force'? Specifically, I've been going around to our users to remove the last of them on roaming profiles, and adding them to an OU that has the RedirectFolders policy on it. Every machine and every user is in the security group for the policy, but some machines require magical amounts of gpupdates/time passing for the redirect to take effect. I understand applying multiple policies could take multiple restarts, but this one is baffling me. Specifically some times I'll see "RedirectFolders Filtering: Not Applied (Empty)" on the gpresult under user settings...until some time later when it works. ___ Just out of curiosity, do we have a number of people using SCCM'07 that might warrant a similarly awesome thread? I'm not finding a lot of reliable sources of help for some things outside of our current testing group. VVV I didn't see anything on the first two I encountered that did this, and consequently ignored it then next 5-6 times (out of 35 or so machines). I just told them to shut down every night, and by the end of the week, the server showed their redirected folders had been created, and assumed that if I went to the machine, the policy would have been applied fine by that point. UserNotFound fucked around with this message at 22:19 on Sep 18, 2008 |
|
#
?
Sep 18, 2008 22:08
|
|
|
Always check the Event Log on the computers that aren't applying the GPO. If gpresult says it's applying but it doesn't, odds are there will be an error in the event log.
|
|
#
?
Sep 18, 2008 22:12
|
|
|
UserNotFound posted:Would you care to explain some of the intricacies as to why some policies will not apply on a first, or even second 'gpupdate /force'? Specifically, I've been going around to our users to remove the last of them on roaming profiles, and adding them to an OU that has the RedirectFolders policy on it. Every machine and every user is in the security group for the policy, but some machines require magical amounts of gpupdates/time passing for the redirect to take effect. I understand applying multiple policies could take multiple restarts, but this one is baffling me. With XP/Vista policies will apply asynchronously by default to improve logon times. If your domain controllers are running slow (not setting up the AV scanner exclusions of the DFS share caused a similar problem for us that you are describing) it make skip policy and try to pull it down again once you are logged in. Try using gpupdate /sync to force it to do a synchronous policy refresh that it can't opt out of during the logon process.
|
|
#
?
Sep 18, 2008 22:30
|
|
|
GP is some incredibly, powerful stuff when you really get into it. People can rip on MS for a lot (and deservedly so), but GP deserves their utmost praise. You guys should check out the Jeremy Moskowitz books if you want to read more (Amazon search - the 2 new 2008 books are 1 and 2 on this page). Moskowitz really knows his stuff. If I could get my company to pay for it, I'd attend one of his workshops.
|
|
#
?
Sep 18, 2008 22:37
|
|
|
You know what doesn't deserve praise? VBScript. It always makes me feel like an idiot. I'm trying to get the output of systeminfo | find command that the OP posted, and it just won't work. I've tried all of these variations to capture this text into a variable called Result: code:
|
|
#
?
Sep 18, 2008 23:32
|
|
|
BangersInMyKnickers posted:In your environment, I question the logic of running separate domains within a single building (assuming that is your situation). It will double the number of domain controllers you need and nothing would stop you from segregating teacher and student user objects through an OU structure like you already use but in a single domain. Typically you want to set up different domains for geographically separate locations. Two within the same building would be more hassle within benefit that I can see. I would agree and this would have made my life a lot easier, especially when we migrated to Server 2008. Unfortunately, while I am the school admin, my hands are tied due to REALLY FRUSTRATING, STUBBORN AND ESPECIALLY ARROGANT higher IT powers especially in regard to AD design and configuration. Anyways, that's an e/n rant.
|
|
#
?
Sep 19, 2008 01:46
|
|
|
BangersInMyKnickers posted:With XP/Vista policies will apply asynchronously by default to improve logon times. If your domain controllers are running slow (not setting up the AV scanner exclusions of the DFS share caused a similar problem for us that you are describing) it make skip policy and try to pull it down again once you are logged in. Try using gpupdate /sync to force it to do a synchronous policy refresh that it can't opt out of during the logon process. Interesting, I always just did /force, thinking...well...if I force it, it'll have to work! Are you saying the workstations were scanning a mapped DFS share, slowing down the network link? That's just silly :P
|
|
#
?
Sep 19, 2008 16:40
|
|
|
UserNotFound posted:Are you saying the workstations were scanning a mapped DFS share, slowing down the network link? That's just silly :P I am saying that workstations trying to access the DFS share will cause the antivirus client on the domain controllers to flip the gently caress out as it tries to scan the files being read as well as trying to scan the DFS database as it is read and modified which can lead to file locking conflicts and gently caress up your group policy.
|
|
#
?
Sep 19, 2008 16:53
|
|
|
If a service is set to disabled on a client, will adding it under Computer Configuration->Preferences->Control Panel Settings->Services, set to Action=Start Service Startup Type=Automatic do what I think it'll do? It hasn't yet and I don't know if I'm impatient or doing something wrong. edit: yes it does, if I actually have 943729 installed instead of just thinking that I do. Mierdaan fucked around with this message at 17:45 on Sep 19, 2008 |
|
#
?
Sep 19, 2008 17:11
|
|
|
|
| # ? Apr 20, 2024 05:46 |
|
|
What should I do if my predecessor checked off the 'Grant user exclusive rights to My Documents' on a Folder Redirection policy and I now want to give all domain admins full permissions on those folders but I can't even read the permissions?
|
|
#
?
Sep 19, 2008 17:25
|
|