|
Sock on a Fish posted:What should I do if my predecessor checked off the 'Grant user exclusive rights to My Documents' on a Folder Redirection policy and I now want to give all domain admins full permissions on those folders but I can't even read the permissions? Disable the option and give it a few days to make sure it propagates. Then have your domain admin (or whatever equivalent you may have) security group take ownership for the whole directory tree that the the redirect is to and add in the security permissions that your admins need to work with the directories. And obviously do this with a test account and policy first unless you are crazy and change the ownership off peak hours because it will take a while.
|
#
?
Sep 19, 2008 18:32
|
|
|
|
| # ? Apr 17, 2024 00:39 |
|
|
Thanks, again. Are there any pitfalls to watch out for if someone tries to perform administrative tasks with 2003 tools on a domain that you've upgraded to 2008 functional level?
|
|
#
?
Sep 19, 2008 23:28
|
|
|
Sock on a Fish posted:Thanks, again. None that I know of, and that would me a massive oversight by Microsoft. It should just be that the newer features aren't available but it is worth googling to see if anyone is throwing a fit about adminpak compatibility with Server 2008.
|
|
#
?
Sep 20, 2008 00:04
|
|
|
Great thread - I've recently just started seriously tinkering with our SBS 2003 server at work and you've certainly helped out in regards to Group Policy and what not. You've also helped in a completely unexpected way. I tried to install the BBC iPlayer recently (A UK-based on-demand tv shows over the internet type thing) and it refused to install claiming I don't have IE6. I clearly do, and had no idea how to fix it (as you can't simply un/reinstall like most other programs). The installer is an .exe, but as it just unpacks an .msi package I used that appEditor program to remove the check. Now it's installed and working fine. Thanks!
|
|
#
?
Sep 21, 2008 23:20
|
|
|
BangersInMyKnickers posted:They are optional updates and not bundled with SP3 or SP1, but with Vista it was flagged as an Important update instead of Optional so most systems should have it already (not sure about 2008 but I assume it would be classified as Important there as well). Look for KB943729 in XP, XP-64, Server 2003, and Server 2003-64 flavors depending on what you are running. When I try to to use wsus to install KB943729 for Vista, I keep getting "The selected update has expired and cannot be approved for installation." Does anyone have any suggestions?
|
|
#
?
Sep 23, 2008 15:34
|
|
|
overseerbrian posted:When I try to to use wsus to install KB943729 for Vista, I keep getting "The selected update has expired and cannot be approved for installation." Does anyone have any suggestions? From what I am reading, the functionality is all provided through RSAT's group policy management applet and KB943729 was for Vista workstations that were using adminpak.msi before RSAT was released, which is why the update is now expired.
|
|
#
?
Sep 23, 2008 15:47
|
|
|
Alright, Microsofy has re-released the client side extensions for Vista as of Tuesday and I honestly do not know what the gently caress they are doing any more. Hopefully updated XP ones for SP3 come soon as well.
|
|
#
?
Sep 25, 2008 14:18
|
|
|
I'm not exactly sure whats going on here, but this just happened to me yesterday. I'm currently using GPOs to push out some software to machines. I went ahead and setup an application share where I can store/organize all the .msi and .mst files. Everything was working great until the other day when I added a new application for someone who needed a different version of Java. Now ALL of my GPO software installs give me the same error: Policy Event Viewer posted:Error Event ID: 102 My Google-fu only turned up the blatantly obvious answers: "Check to make sure people have read access to the share". Right now, Everyone has read access, Domain Computers have read access to the share. I can access the share via drive mapping, and can execute the msi file via the command prompt (e.g. msiexec /i \\<blah>\share\Adobe\acroread.msi), so I don't really see how this can be a permission issue. Anyone have this problem before? I'm incredibly confused here 
|
|
#
?
Sep 26, 2008 18:17
|
|
|
Did you verify that read permissions exist for domain computers on the share and within the NTFS file structure itself? DNS or security permission problems are the more likely culprits for what you are describing. Are you supplying alternative credentials when you try to access the share with a drive mapping? Does anything change if you are navigating by direct UNC path? Are you using DFS?
|
|
#
?
Sep 26, 2008 18:20
|
|
|
BangersInMyKnickers posted:Did you verify that read permissions exist for domain computers on the share and within the NTFS file structure itself? DNS or security permission problems are the more likely culprits for what you are describing. Are you supplying alternative credentials when you try to access the share with a drive mapping? Does anything change if you are navigating by direct UNC path? Are you using DFS? The NTFS file structure for all folders within the share does list Domain Computers, and Everyone as having read + read & execute permissions. No alternative credentials are supplied when I try to map the drive, just the current user context. The context I've been logging in as to verify the mappings is a simple domain user. Direct navigation via the UNC path also works fine within this user context as well. I can access the share and launch the msi installers directly this way without any errors. We're not using DFS at present, but we're planning on doing this probably at the end of the current semester.
|
|
#
?
Sep 26, 2008 18:36
|
|
|
Is there existing copies of Acrobat 8 already deployed? It could be trying to uninstall 8 and can't find the source package for that.
|
|
#
?
Sep 26, 2008 19:01
|
|
|
I do have a copy of Adobe Pro 9 installed on my test box, but that was just an example. Completely unrelated GPO software installs are failing. For example, I have one that pushes out MySQL connector + some ODBC settings that fails with the same error. My JRE Software install exhibits the same behavior, unfortunately Since I just started to do this stuff in AD, I'm not upgrading any previous packages at all. A fresh machine has little software installed except for Windows and Novell's Netware Client. I was planning to distribute common applications like Adobe and Java via AD so I could save myself a lot of trouble. For other programs we're using Microsoft's App Virt stuff so I only have to putz around with 1 single instance of an install/configuration. The old dudes in the department didn't use this stuff at all (despite having the domain and everything setup for them already), and literally had a share setup so people could access it and install the stuff themselves, or someone would have to come down and manually install it on each machine. Screw that noise! As others were saying before, AD's Group Policy really is a god-send from an administrative standpoint.
|
|
#
?
Sep 26, 2008 19:18
|
|
|
You're not doing something weird like having workstations on a wireless network so there is no established network connection until a user logs in, are you? That could cause the symptoms you are describing where the machine receives the policy but the next time it reboots and the machine policy executes there is no established network connection at that point. e: As an after thought, if you want to try debugging this go in to a system that is having problems finding the package on the network and make a batch script similar to this: code:BangersInMyKnickers fucked around with this message at 19:29 on Sep 26, 2008 |
|
#
?
Sep 26, 2008 19:25
|
|
|
BangersInMyKnickers posted:You're not doing something weird like having workstations on a wireless network so there is no established network connection until a user logs in, are you? That could cause the symptoms you are describing where the machine receives the policy but the next time it reboots and the machine policy executes there is no established network connection at that point. Isn't this what having the computer authenticate with machine credentials when there's no user logged on is supposed to get around?
|
|
#
?
Sep 26, 2008 21:55
|
|
|
Mierdaan posted:Isn't this what having the computer authenticate with machine credentials when there's no user logged on is supposed to get around? Yes, but I have seen shops that don't do this and people log in to local accounts or with cached credentials so they don't realize there is something wrong.
|
|
#
?
Sep 26, 2008 21:57
|
|
|
BangersInMyKnickers posted:Yes, but I have seen shops that don't do this and people log in to local accounts or with cached credentials so they don't realize there is something wrong. Ahh. Click the checkbox, people! 
|
|
#
?
Sep 26, 2008 22:02
|
|
|
BangersInMyKnickers posted:You're not doing something weird like having workstations on a wireless network so there is no established network connection until a user logs in, are you? That could cause the symptoms you are describing where the machine receives the policy but the next time it reboots and the machine policy executes there is no established network connection at that point. Haha, no no, none of that zaniness. All the workstations I manage are connected to a wired-network. Any staff that use laptops have to support it themselves, which is fine with me. I went ahead and chucked in a debug startup script like you suggested. I was able to ping the file server without incident, and the directory for the file share displayed properly, so I'm seeing the file server and the appshare on startup. For shits and giggles, I ran cacls on it as well to make sure that permissions were set correctly, and it looks like I can absotively posilutely say that I'm stumped beyond all words. I'm wondering if it could have something to do with our network. Its been acting flaky lately, and they've been really dragging their asses around trying to fix it, which really sucks for me because an issue like that is totally out of my hands. My only real alternative is to use config manager 2007, but that always has that slight delay when installing software since it has to be discovered by the SMS server before it can push any software out. I'd much rather have all this crap installed before the user can login for the first time. 
|
|
#
?
Sep 26, 2008 23:13
|
|
|
Frankly you have me stumped here. Group policy itself isn't too complex; it polls the domain sysvol share for updated policy and saves it locally and then executes msiexec for you to whatever .msi package you saved on the share. You're obviously getting the policy, you have network connectivity, and the permissions are good. The only thing left I can think of is that the actual paths to the packages in the policy are bad, as you should get a more descriptive error if it actually found the package and couldn't execute it. You're absolutely sure you navigated to the package via a UNC path instead of a drive mapping you might have had when you were adding them to the policy?
|
|
#
?
Sep 26, 2008 23:20
|
|
|
I've tried doing it both ways. One of our servers is running server 2008, which if you browse to the package on a share, it will automagically resolve the UNC path. Looking through the policy there shows that the UNC path is correct. I also tried scrapping the GPO itself, and re-creating it on the actual server where the packages are, which is running 2003 R2. Manually inputting the UNC path into the GPO worked, but again I got the same error as before when it came down to distribution. Thanks for all the feedback though, its comforting to know I can utilize my SA membership for more than GBS and the obamarama megathreads 
|
|
#
?
Sep 26, 2008 23:59
|
|
|
I just figured out what was going wrong with my gpo software installs. I wasn't using the fully resolved DNS name for the server. My laziness finally came back to bite me in the rear end! Anyway, changing the old GPO's to the full DNS name for the server worked like a charm. Live and learn I guess 
|
|
#
?
Sep 29, 2008 19:09
|
|
|
Being new to this I'm having trouble figuring out how to separate computers in to separate groups and apply different GPO's to each - which I assume is a pretty basic function. I have a single top level domain in a small office (40 workstations, 30 servers, 4 or 5 printers). OS's are a mix of 2003 Server, XP SP3, and Vista business with two new 2008 servers we are testing. The two AD controllers are 2k3R2. I want to be able to set it up so that, for example, all the workstations have one firewall policy enforced, and servers another. I'd also like to be abbe to apply policies based on group membership. The problem I have is I think the default AD structure is laid out too simple. I have an OU called Accounts, then all users under that, and then security groups breaking out the users depending on department. For machines I have the default computer OU and have made two security groups, Workstations and Servers, for each type. Using Vista and the tools suggested here I cannot for the life of me figure out how to create GPO's that only apply to those security groups. Any GPO I create, such as the one I did for my WSUS server, is domain-wide. I suspect I'm doing something fundamentally wrong so if anyone has any pointers they'd be much appreciated.
|
|
#
?
Oct 9, 2008 20:41
|
|
|
So, I'm trying to fix years of haphazard software installation here and I've done quite a bit so far having to manually fix stuff before applying GPO-based software policies. It's a 2003 native AD domain with just less than 70 workstations and a handful of servers. I've tested this on a number of spare machines here and it seems to work fine but I'm curious about any performance hit of having this script run on each bootup. I'll probably run this for a while and then when I'm sure everyone is updated I'll remove the script from the GPO. I'm just wondering if this is the standard method or whether I'm going about this the wrong way.code:
|
|
#
?
Oct 29, 2008 16:57
|
|
|
I wouldn't worry about it. There are logon scripts that do a fuckton more than that!
|
|
#
?
Oct 29, 2008 17:44
|
|
|
That's good to know - I'm pretty new to this. Great thread!
|
|
#
?
Oct 29, 2008 17:49
|
|
|
Fourteen posted:GP is some incredibly, powerful stuff when you really get into it. People can rip on MS for a lot (and deservedly so), but GP deserves their utmost praise. You guys should check out the Jeremy Moskowitz books if you want to read more (Amazon search - the 2 new 2008 books are 1 and 2 on this page). Moskowitz really knows his stuff. If I could get my company to pay for it, I'd attend one of his workshops. He's a friend of my boss. I've had lunch with him a couple of times, he's a good guy. You've put together a nice thread Bangers and certainly have more wherewithal that I would to keep it going
da sponge fucked around with this message at 18:21 on Oct 29, 2008 |
|
#
?
Oct 29, 2008 18:16
|
|
|
Just so people are aware, Microsoft released a revision to the Client-side Group Policy Extensions so they will now detect and install on XP SP3. Make sure you sync your wsus server to get the latest version. I will spend some time answering the questions in this thread and adding content.
|
|
#
?
Oct 29, 2008 23:38
|
|
|
BangersInMyKnickers posted:Just so people are aware, Microsoft released a revision to the Client-side Group Policy Extensions so they will now detect and install on XP SP3. Make sure you sync your wsus server to get the latest version. I will spend some time answering the questions in this thread and adding content. I'm not really sure what this does. I thought these things worked on XP anyway, you just needed Vista to configure them in the first place?
|
|
#
?
Oct 30, 2008 03:12
|
|
|
Serfer posted:I'm not really sure what this does. I thought these things worked on XP anyway, you just needed Vista to configure them in the first place? The newest features like .admx templates, direct registry and file modification, and local printer configuration among other things only works if the PC has the client-side extensions installed, otherwise the machine has no idea how to interpret the policy you made.
|
|
#
?
Oct 30, 2008 05:32
|
|
|
Ixian posted:Being new to this I'm having trouble figuring out how to separate computers in to separate groups and apply different GPO's to each - which I assume is a pretty basic function. Use the Security Filtering part of your GPO to get GPO's to apply to security groups. Check out the screenshot on this page. Security Filtering is in the lower right quadrant of the GPMC console when you're looking at a GPO. If your GPO is affecting Computer settings, put your security group with your computers in there; if it's User settings, put a security group with users in there. Remove Authenticated Users, too. Filtering GPO's based on security groups can really help you flatten out and uncomplicate an AD structure since you can eliminate OU's if the only reason they exist is to separate objects for Group Policy purposes.
|
|
#
?
Oct 30, 2008 17:05
|
|
|
I'm not sure if this can be done via GPO or what, but here it goes. Basically, I need a Domain Local group to have all the rights that the built-in Domain Admins group does. I've gone through the default domain controller GPO and have specified my new group everywhere where the Administrators group is. I have also delegated full control of the domain to my said group. Problem is, is when I try to log into the PDC with credentials that belong to the group that I created. I get an error saying that I have to have terminal services user access. Since the PDC's access isn't controlled by local users/groups, but rather by AD, what would be the best way to fix this?
|
|
#
?
Oct 31, 2008 17:18
|
|
|
TheFlyingDutchman posted:I'm not sure if this can be done via GPO or what, but here it goes. If you need a group to have identical access to that of the domain admin group, the easiest way to do that is by nesting the group memberships by making this new group a member of the domain admin group. If you don't feel like going back and re-doing your work to do it that way you will need to add this new group to the "Allow log on through Terminal Services" setting under Computer\Windows Settings\Security Settings\Local Policies\User Rights Assignment in your default domain policy.
|
|
#
?
Oct 31, 2008 17:31
|
|
|
BangersInMyKnickers posted:If you need a group to have identical access to that of the domain admin group, the easiest way to do that is by nesting the group memberships by making this new group a member of the domain admin group. If you don't feel like going back and re-doing your work to do it that way you will need to add this new group to the "Allow log on through Terminal Services" setting under Computer\Windows Settings\Security Settings\Local Policies\User Rights Assignment in your default domain policy. Here's the thing. I specified that in the GPO. Also the reason why I can't simply just drop this group into the Domain Admins group, is because the group I created is, and has to be, a Domain Local group. For some hosed up reason, the trust I have setup will not recognize users when trying to add them to a universal group, but hey that's beside the point. I mean if there's a way I can add a domain local group to a domain global group, I would like to hear that instead I guess.
|
|
#
?
Oct 31, 2008 17:38
|
|
|
Assuming that an entire domain is 2k3+, there are really no possibilities of upgrading from the default forest level of 2k to 2k3 going wrong, correct? I've done this before no problem, it took a bit to replicate, that was all.
|
|
#
?
Oct 31, 2008 17:52
|
|
|
I am trying to figure out a way to apply a group policy to a certain OU so that the policies only affect the users when they log onto a certain terminal server. If I apply the group policy in the normal manner, it prevents them from shutting down their local workstations, when all I need is to prevent them from shutting down this one particular TS. Any thoughts on how I can accomplish this?
|
|
#
?
Nov 7, 2008 03:01
|
|
|
haljordan posted:I am trying to figure out a way to apply a group policy to a certain OU so that the policies only affect the users when they log onto a certain terminal server. If I apply the group policy in the normal manner, it prevents them from shutting down their local workstations, when all I need is to prevent them from shutting down this one particular TS. Any thoughts on how I can accomplish this? edit: whoops, dumb answer. Can't you just modify the local policy for that TS? Why make a group policy if it's only going to be meant for one machine?
|
|
#
?
Nov 7, 2008 03:42
|
|
|
haljordan posted:I am trying to figure out a way to apply a group policy to a certain OU so that the policies only affect the users when they log onto a certain terminal server. If I apply the group policy in the normal manner, it prevents them from shutting down their local workstations, when all I need is to prevent them from shutting down this one particular TS. Any thoughts on how I can accomplish this? Loopback mode processing. http://support.microsoft.com/kb/231287 Specifically on terminal servers http://support.microsoft.com/kb/260370
|
|
#
?
Nov 7, 2008 04:24
|
|
|
haljordan posted:I am trying to figure out a way to apply a group policy to a certain OU so that the policies only affect the users when they log onto a certain terminal server. If I apply the group policy in the normal manner, it prevents them from shutting down their local workstations, when all I need is to prevent them from shutting down this one particular TS. Any thoughts on how I can accomplish this? Link the GPO to the OU that this TS is in. Then from there, in the section where you can specify what user/group/computer the GPO is applied to, add your TS to there. Loopback processing will work, sure, but to be honest it's as simple as what I just described.
|
|
#
?
Nov 7, 2008 04:51
|
|
|
TheFlyingDutchman posted:Link the GPO to the OU that this TS is in. Then from there, in the section where you can specify what user/group/computer the GPO is applied to, add your TS to there. Awesome...Thanks for the quick replies. I will test this out today. Edit: TheFlyingDutchman's suggestion worked perfectly. Thanks again! haljordan fucked around with this message at 19:58 on Nov 7, 2008 |
|
#
?
Nov 7, 2008 15:36
|
|
|
Is there a way to "save" a GPO file for local group policy processing and then switch between two different local group policies instantly? What I'd like to do is lock down these workstations that we deploy at remote sites for ordinary usage, removing poo poo like internet explorer, windows explorer, the run prompt, and that kind of thing, but then be able to run a start menu program that will prompt for a password and then switch into "maintenance mode" which would basically unlock the workstation for anyone who knew the password. I figure that I can pretty easily do this with .reg files that will immediately modify the registry for a regular user and an administrator, but I was unable to figure out how to make the changes apply immediately. If you open up gpedit.msc and enable/disable a policy, it takes effect immediately. However, if I manually add or edit the key in the registry, it doesn't. Anyone know if there's a way I can basically switch between to local group policy "profiles" so to speak? Or am I going about this in completely the wrong way?
|
|
#
?
Nov 12, 2008 21:59
|
|
|
|
| # ? Apr 17, 2024 00:39 |
|
|
Cidrick posted:If you open up gpedit.msc and enable/disable a policy, it takes effect immediately. However, if I manually add or edit the key in the registry, it doesn't.
|
|
#
?
Nov 12, 2008 22:08
|
|
