Naramyth
Jan 22, 2009

Australia cares about cunts. Including this one.
Double post for an update.

The powers that be had the Everyone group as full access on the share and they use the NTFS permissions to regulate control. I had them give Domain Computers and SYSTEM full control just in case and that still failed with the 1612 error on my win 7 box and VM. :(


quackquackquack
Nov 10, 2002

Naramyth posted:

Double post for an update.

The powers that be had the Everyone group as full access on the share and they use the NTFS permissions to regulate control. I had them give Domain Computers and SYSTEM full control just in case and that still failed with the 1612 error on my win 7 box and VM. :(

Don't do 'full control', do 'modify'. Also, if they gave 'SYSTEM' full control, that would only be the SYSTEM account of the file server.

As for your 1612, what happens when you copy the contents of the java folder locally and use the psexec trick to install it as SYSTEM? Remove the file server from the equation entirely.

Naramyth
Jan 22, 2009

Australia cares about cunts. Including this one.

Noel posted:

Don't do 'full control', do 'modify'. Also, if they gave 'SYSTEM' full control, that would only be the SYSTEM account of the file server.

As for your 1612, what happens when you copy the contents of the java folder locally and use the psexec trick to install it as SYSTEM? Remove the file server from the equation entirely.

Final update. I am retarded and shouldn't be let near computers. :saddowns:

I had a few emails with the "powers that be" and they noticed I had authenticated users have control over the fileserver\myOU\shared\apps folder but not at the root of fileserver\myOU. Somehow XP was able to handle it without issue but not Windows 7. After giving permission at the correct level, then breaking on my sub folders that contain users' actual shares and personal directories, it worked.

:negative:

quackquackquack
Nov 10, 2002
Is there no way to disable "Sticky Keys" via Group Policy? edit: to be clear, I should say I want to disable the hotkey (pressing a modifier 5 times) activation of Sticky Keys on a Computer basis (or loopback it, whatever works). I don't need to disable the Sticky Keys feature itself.

I have a few computers that need to autolog. For whatever reason, I have to mash left shift instead of hold it after logging off to break the autolog. Sticky Keys pops up a dialog, stopping this.

Naramyth: it's all about narrowing things down. Run it as SYSTEM with psexec from local storage. Then try it with psexec on network storage. Etc.

quackquackquack fucked around with this message at 15:59 on Oct 13, 2010

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
Hopefully this falls under Group Policy, but I've got a bit of a situation at one of my clients:

They're running about 10 Windows 7 workstations connecting to Server 2008 SBS. The president of the company wants users to be able to install programs (like Adobe Acrobat, Skype, or whatever other poo poo they use) but still have restricted access to deleting files, etc. They just migrated from an XP Workgroup environment, so everyone is having a slight issue readjusting to not being able to install certain programs for their workflow, etc.

The major issue I have is that they use Satellite internet and are located four hours away from my firm's office, so remoting to each PC is out of the question (it's too loving slow.) Ideally, I'd like to find a way to grant all the users in Active Directory the ability to install programs and poo poo at their leisure, so they don't have to bug us or the president whenever they need to install something.

I'm not sure if this is Group Policy related or if I should be looking somewhere else, though.

macado
Jun 3, 2003

How to keep an idiot busy, Click here.
Is there any easy way to configure InPrivate browsing in Internet Explorer 8.0 for specific sites via Group Policy? I know you can turn it off and on. Right now I am using an Internet Explorer Group Policy for trusting local intranet sites but I would explore other options for more secure online banking. I don't want to enable it for all sites, just specific ones. I know I could add it as a Restricted Site and enable Protected Mode. I'd like to set it so cookies, usernames, passwords don't get saved for particular sites in the event the user's computer is compromised.

The issue is that I support the Finance department and they do a lot of online banking for releasing wire transfers and other transactions.

Initially the suggestion was to set up dedicated banking PCs that are not on the domain and are limited to online banking only and set up in the user's office with a KVM switch. It wasn't my suggestion and I didn't like it since it requires setting up additional hardware that can be compromised and it is not centrally managed. We set up a few PCs to test but users had issues with the KVM switches, forgot the secondary computer passwords, etc.

The other option I suggested was setting up a terminal server specifically for online banking that is locked down (overkill... I know) and disallowing all banking on their primary PCs.

All PCs are running Windows XP SP3 with IE 8.0 and Group Policy Extensions or Windows 7 with Internet Explorer 8.0.

I was curious if anyone else is doing something similar or had suggestions.

odd2k
Jul 18, 2006
I DIDN'T CONTRIBUTE ANYTHING BUT A SHITTY POST SO I GOT THIS SHITTY CUSTOM TITLE!

Gyshall posted:

Hopefully this falls under Group Policy, but I've got a bit of a situation at one of my clients:

They're running about 10 Windows 7 workstations connecting to Server 2008 SBS. The president of the company wants users to be able to install programs (like Adobe Acrobat, Skype, or whatever other poo poo they use) but still have restricted access to deleting files, etc. They just migrated from an XP Workgroup environment, so everyone is having a slight issue readjusting to not being able to install certain programs for their workflow, etc.

The major issue I have is that they use Satellite internet and are located four hours away from my firm's office, so remoting to each PC is out of the question (it's too loving slow.) Ideally, I'd like to find a way to grant all the users in Active Directory the ability to install programs and poo poo at their leisure, so they don't have to bug us or the president whenever they need to install something.

I'm not sure if this is Group Policy related or if I should be looking somewhere else, though.

If you know in advance what applications they will want to install, you could make software installation objects for them in a GPO, and publish them to the users. Even if you can't know in advance what they'll need, you can make the ones you do know about, and do the rest as they ask for them.

You'd need to put the installation files on their end of the satellite link, though. Having to pull down the installation files through the satellite connection would take even longer than RDPing in.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
Can I just get some clarification on what loopback processing does?


I want to deploy a startup script to a particular group of users, no matter what PC they log into.

If I create the GPO, assign it to a group of users, and enable loopback, will the PC that those users log into get the policy and apply it?

peak debt
Mar 11, 2001
b& :(
Nap Ghost

Swink posted:

Can I just get some clarification on what loopback processing does?


I want to deploy a startup script to a particular group of users, no matter what PC they log into.

If I create the GPO, assign it to a group of users, and enable loopback, will the PC that those users log into get the policy and apply it?

You have to assign a loopback policy to a computer, which then gets to run it no matter which user logs in. The other way around doesn't exist.

So what you're trying to do depends on the contents of that script. If it's something that runs under user privileges, put it in a login script, then assign it to the group of users. No loopback needed.

Kerpal
Jul 20, 2003

Well that's weird.
Anyone have experience deploying software via group policy? I have successfully deployed some basic client software like Flashplayer, Acrobat, and Firefox, but I was wondering if I should be disabling the actual GPO once I can confirm it has propagated everywhere? For example I deployed that office patch so you can open .DOCXs etc and I've noticed that upon login some clients will actually reinstall the software so to speak. Is this because I should be disabling these GPOs once they've fully installed? If so is there any particularly good way to check and make sure it's been deployed short of checking everyone's event viewer?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Kerpal posted:

Anyone have experience deploying software via group policy? I have successfully deployed some basic client software like Flashplayer, Acrobat, and Firefox, but I was wondering if I should be disabling the actual GPO once I can confirm it has propagated everywhere? For example I deployed that office patch so you can open .DOCXs etc and I've noticed that upon login some clients will actually reinstall the software so to speak. Is this because I should be disabling these GPOs once they've fully installed? If so is there any particularly good way to check and make sure it's been deployed short of checking everyone's event viewer?

Just leave the GPO active. The system registers that it has already received and installed the assigned application. You might see some stuff in the event log about successful application of the policy, but that just happens during a synchronous policy refresh and doesn't indicate that the package reinstalled.

Kerpal
Jul 20, 2003

Well that's weird.
I guess my question would then be, why would a deployment GPO be stuck at logon during a synchronous policy refresh? For example, the user would login and it would say it was currently installing Adobe Flash Player and then the user would be stuck. The only work around to this as far as I know is to restart or to pull the network cable from the machine (at least someone suggested this). Did I gently caress up the GPO somehow or perhaps I didn't package Flash Player properly so it doesn't deploy correctly? I must be missing something here. Thanks.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

If you are assigning package installs to a computer, a user cannot get to a logon prompt until the package install is complete. I don't have an explanation for the behavior why the user is seeing the installation dialog while trying to log in.

As for packaging Flash, Adobe already does it for you. Just google "download flash msi".

Kerpal
Jul 20, 2003

Well that's weird.
Oh I'm sorry, perhaps that's what I mean. I believe it was before they login now that you corrected me. I can't remember exactly how it occurred, but it would make sense that it happens before they login. I did use the MSI package provided by Adobe though so I guess it's just another issue to troubleshoot to death. I have several other deployment GPOs but clients seem to get stuck on that particular Flash GPO.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

You can occasionally have issues with a package not deploying because it is trying to uninstall the old version which hangs and times out. Easiest solution tends to be to go in to HKCR\Installer\Products and search for the package, then manually delete that key. Then the OS doesn't think there is a previous version in the way and will just overwrite anything that gets in the way.

Absorbs Quickly
Jan 6, 2005

And then the ArchAngel descended from heaven.
I've just authored my first MSI package, hooray! It's going to end up going out to a number of systems in multiple domains, so I'm also getting to write a deployment guide.

I've got some install issues but I'm fiddling with things to get those resolved, but my biggest problem is that there doesn't seem to be a way for VPN or wireless users to have the software assigned to their PCs. Is that right? If so, are there tricks to get that working?

I'm installing a service, which I'm pretty sure requires admin rights, and the end users are mostly not admins, so I don't think that assigning to the user would help.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Absorbs Quickly posted:

I've just authored my first MSI package, hooray! It's going to end up going out to a number of systems in multiple domains, so I'm also getting to write a deployment guide.

I've got some install issues but I'm fiddling with things to get those resolved, but my biggest problem is that there doesn't seem to be a way for VPN or wireless users to have the software assigned to their PCs. Is that right? If so, are there tricks to get that working?

I'm installing a service, which I'm pretty sure requires admin rights, and the end users are mostly not admins, so I don't think that assigning to the user would help.

The OS has something called slow-link detection, so if bandwidth to the DC is too low or ping is too high, things like scripts and software packages applied through policy will not execute. Either you can modify the slow-link threshold for those systems or use 3rd party tools to manage them. The VPN or wireless link also needs to be established as the system is starting up, not in the user's session, which is possible to do but can be tricky.

Absorbs Quickly
Jan 6, 2005

And then the ArchAngel descended from heaven.

BangersInMyKnickers posted:

The OS has something called slow-link detection, so if bandwidth to the DC is too low or ping is too high, things like scripts and software packages applied through policy will not execute. Either you can modify the slow-link threshold for those systems or use 3rd party tools to manage them. The VPN or wireless link also needs to be established as the system is starting up, not in the user's session, which is possible to do but can be tricky.

In that case, would using a psexec script be a good or bad idea? I figure I can write a small exe that tests if the software is installed, and if not installs it, then psexec \\* -c installchecker.exe or something along those lines.

Edit: going to try psexecing gpupdate /force with a user logged in for the fun of it.

Absorbs Quickly fucked around with this message at 01:11 on Nov 6, 2010

zapateria
Feb 16, 2003
Help me install printers with group policy!

DC: Win2008 R2
Client: Win7 64bit
Printserver: Win2003 32bit

I've made the following policies:

"Point and Print Restrictions"

Computer Configuration (Enabled)
  Policies -> Administrative Templates -> Printers
    Point and Print Restrictions: Disabled

User Configuration (Enabled)
  Policies -> Administrative Templates -> Control Panel/Printers
    Point and Print Restrictions: Disabled

And

"Printers"

Preferences -> Control Panel Settings -> Printers
  Shared Printer (Name: \\PRINTSERVER\printername)
    Common options:
      Stop processing items on this extension if an error occurs on this item: No
      Run in logged-on user's security context (user policy option): No
      Remove this item when it is no longer applied: No
      Apply once and do not reapply: No
    Item-level targeting: Security Group
      bool: AND
      not: 0
      name: DOMAIN\PR_printername
      sid: S-1-5-..
      userContext: 1
      primaryGroup: 0
      localGroup:


Added my user to the PR_printername group

and linked policies to where my computer and user are in AD.

Running gpresult I can see that the Point and Print restrictions are applied, and it tries to map the printer, but returns:
Resultat: Error (Errorcode: 0x80070bcb)

When I try to add the printer manually, by typing "\\PRINTSERVER\printername" it installs automatically without the "install this driver?" popup that I used to get before Point and Print restrictions were disabled.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

I got it to work like this:

Computer Configuration (Enabled)
  Administrative Templates
    Printers
      Point and Print Restrictions: Enabled
        Users can only point and print to these servers: Enabled
        Enter fully qualified server names separated by semicolons: hostname.fqdn
        Users can only point and print to machines in their forest: Enabled
        Security Prompts:
          When installing drivers for a new connection: Do not show warning or elevation prompt
          When updating drivers for an existing connection: Do not show warning or elevation prompt

User Configuration (Enabled)
  Administrative Templates
    Control Panel/Printers
      Point and Print Restrictions: Enabled
        Users can only point and print to these servers: Enabled
        Enter fully qualified server names separated by semicolons: hostname.fqdn
        Users can only point and print to machines in their forest: Enabled
        Security Prompts:
          When installing drivers for a new connection: Do not show warning or elevation prompt
          When updating drivers for an existing connection: Do not show warning or elevation prompt

Also make sure you are adding the 64-bit drivers on the print server under the sharing tab if you haven't. 64-bit clients need a different driver that a 32-bit print server won't have by default.
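
An added example, not part of the original posts: the two Point and Print configurations above differ in how much a client trusts print servers to install driver code, and this check reads the policy's registry values and says which case a machine is in. The function names and the two sample hashtables are constructed for illustration; the value names are the ones this policy writes under Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint.

```powershell
# Added example, not from the thread. Function names are hypothetical; the value
# names are the ones the Point and Print Restrictions policy writes.
$PnpSubKey = 'Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PnpValueNames = 'Restricted', 'TrustedServers', 'ServerList', 'InForest',
                 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

# Read the policy values from the computer (HKLM) or user (HKCU) side.
function Get-PointAndPrintPolicy {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM')
    $values = @{}
    $key = '{0}:\{1}' -f $Hive, $PnpSubKey
    if (Test-Path -Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($name in $PnpValueNames) {
            $p = $props.PSObject.Properties[$name]
            if ($p) { $values[$name] = $p.Value }
        }
    }
    $values
}

# Explain what a set of policy values allows. Emits one string per finding.
function Test-PointAndPrintPolicy {
    param([hashtable]$Values = @{}, [string]$Label = 'policy')

    if ($Values.Count -eq 0) {
        "[$Label] Not configured: any server, warning and elevation prompt shown"
        return
    }
    if ([int]$Values['Restricted'] -eq 0) {
        # Disabling the policy removes the server restriction AND both prompts.
        "[$Label] WEAK: policy Disabled: any print server, no warning or elevation prompt"
        return
    }

    $scoped = $false
    if ([int]$Values['TrustedServers'] -eq 1) {
        $servers = @("$($Values['ServerList'])" -split ';' | Where-Object { $_.Trim() })
        if ($servers.Count -gt 0) {
            $scoped = $true
            "[$Label] Approved server list: $($servers -join ', ')"
        } else {
            "[$Label] Approved server list is enabled but empty"
        }
    }
    if ([int]$Values['InForest'] -eq 1) {
        $scoped = $true
        "[$Label] Machines in the user's forest are allowed"
    }
    if (-not $scoped) { "[$Label] No server restriction is in effect" }

    # Install: 0 = warning and elevation prompt, 1 = neither.
    # Update:  0 = warning and elevation prompt, 1 = warning only, 2 = neither.
    $silentInstall = [int]$Values['NoWarningNoElevationOnInstall'] -eq 1
    $silentUpdate = [int]$Values['UpdatePromptSettings'] -eq 2
    if ($silentInstall -or $silentUpdate) {
        if ($scoped) {
            "[$Label] NOTE: drivers from the allowed servers install without a prompt"
        } else {
            "[$Label] WEAK: drivers from any server install without a prompt"
        }
    } else {
        "[$Label] Driver installs and updates still prompt"
    }
}

# Constructed samples mirroring the two posts above (not exported from a real GPO).
$disabledPolicy = @{ Restricted = 0 }
$scopedPolicy = @{
    Restricted = 1; TrustedServers = 1; ServerList = 'hostname.fqdn'; InForest = 1
    NoWarningNoElevationOnInstall = 1; UpdatePromptSettings = 2
}
Test-PointAndPrintPolicy -Values $disabledPolicy -Label 'Disabled'
Test-PointAndPrintPolicy -Values $scopedPolicy -Label 'Enabled, scoped'

# On a client, check what actually applied:
# Test-PointAndPrintPolicy -Values (Get-PointAndPrintPolicy -Hive HKLM) -Label $env:COMPUTERNAME
```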


zapateria
Feb 16, 2003
I have no idea what I did.. I had 4 printers added as a test, removed the one that gave the error message in gpresults and ran gpupdate/relogged/restarted a few times. It still showed up in gpresult after being removed. 5 minutes later and a lot of gpupdate /force / computer restarts, it suddenly worked for the 3 other printers. I then re-added the printer with the error message, restarted and now everything works!

Citizen Z
Jul 13, 2009

~Hanzo Steel~


A question of implementation here. I pushed out some folder redirection to a satellite office of one of my clients. I just stuck all of those users in an OU, and applied the policy to that thinking that they would want their profile redirected on the terminal server as well (they use this for certain apps that must be centralized and remote work). Turns out I was way wrong on that, and fits are being thrown.

Would I be better off stopping the GPO from applying to the terminal server with WMI filtering, or by creating a separate GPO in the TS OU and setting loopback to replace?

AcridWhistle
Aug 20, 2003

Feasting on the flesh of a recently killed zombie probably wasn't the smartest of moves

BangersInMyKnickers posted:

Also make sure you are adding the 64-bit drivers on the print server under the sharing tab if you haven't. 64-bit clients need a different driver that a 32-bit print server won't have by default.

Don't use the drivers built into Windows when sharing / adding a printer either. A total pain in the rear end unless they change it in R2, the drivers have to have the same name (no not the same printer driver, the same drat name!), I found it pretty nice to just use the HP generic PCL 6 for pretty much all of mine (64 bit and 32).

Bangers, I haven't looked it up (too lazy, so far) but if you know off the top of your head is there a way to get Vista (and 7? (not sure of the display on it)) to display the MSI package name while installing like Windows XP + 2000 do instead of just saying "Please Wait"?


Noel posted:

Is there no way to disable "Sticky Keys" via Group Policy? edit: to be clear, I should say I want to disable the hotkey (pressing a modifier 5 times) activation of Sticky Keys on a Computer basis (or loopback it, whatever works). I don't need to disable the Sticky Keys feature itself.
Would any of these work? Push it as a .reg to the computer

1. Disable Sticky Keys
[HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys]
"Flags"="506"
2. Disable Filter Keys
[HKEY_CURRENT_USER\Control Panel\Accessibility\Keyboard Response]
"Flags"="122"
3. Disable Toggle Keys
[HKEY_CURRENT_USER\Control Panel\Accessibility\ToggleKeys]
"Flags"="58"

I seem to remember using the Sticky Key disable last year

Edit: Bangers I also see you did a JRE rollout? How did it go? The registry settings you made though don't do anything if I remember correctly, they are just left over from previous versions (when you could disable the updates). If you did find one that works can you please update the technical notes on the JRE version at AppDeploy? Tried doing a QuickTime deployment yet? Another pain in the rear end.

If anyone is looking to turn off the update for Flash, it is controlled by a .cfg file (I forget where, I think %windir%/system32/Macromedia/Flash (no I am not joking even though it has been quite a while since Adobe purchased them it still uses that path), as always check AppDeploy for more info / changes). (Will update this tomorrow with more info)

AcridWhistle fucked around with this message at 01:54 on Nov 16, 2010

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

AcridWhistle posted:

Bangers, I haven't looked it up (too lazy, so far) but if you know off the top of your head is there a way to get Vista (and 7? (not sure of the display on it)) to display the MSI package name while installing like Windows XP + 2000 do instead of just saying "Please Wait"?

Edit: Bangers I also see you did a JRE rollout? How did it go? The registry settings you made though don't do anything if I remember correctly, they are just left over from previous versions (when you could disable the updates). If you did find one that works can you please update the technical notes on the JRE version at AppDeploy? Tried doing a QuickTime deployment yet? Another pain in the rear end.

All our 2000/XP systems show something like "Applying Software Package [whatever]" during that sequence by default, so I'm not really sure what's going on there with you. You could always turn on Verbose Startup though. I bet that will tell you exactly what is going on.

As for Java, they pulled their head out of their rear end and make disabling those components much much easier. Now all you need is a transform that disables the properties AUTOUPDATECHECK, JAVAUPDATE, and JU and the installer actually loving honors them for a change. Incredible.

This happened a few months ago so I'm not thanking Oracle for it.

ozmunkeh
Feb 28, 2008

hey guys what is happening in this thread

AcridWhistle posted:

If anyone is looking to turn off the update for Flash, it is controlled by a .cfg file (I forget where, I think %windir%/system32/Macromedia/Flash (no I am not joking even though it has been quite a while since Adobe purchased them it still uses that path), as always check AppDeploy for more info / changes). (Will update this tomorrow with more info)

%windir%\system32\Macromed\Flash\mms.cfg

Containing the following line:

AutoUpdateDisable=1

Naramyth
Jan 22, 2009

Australia cares about cunts. Including this one.

ozmunkeh posted:

%windir%\system32\Macromed\Flash\mms.cfg

Containing the following line:

AutoUpdateDisable=1

There is also a line in the Property table when making a transform that disables the autoupdate.

:ninja: e: The entry is ISCHECKFORPRODUCTUPDATES

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

Is there a good way to change the local users on my domain from Admin/Power Users to just regular users?

Let's say salesperson Joe is a regular user on the domain, but I made him an admin on his laptop. But Joe is doing stupid poo poo like installing random software from the internet, how can I change his account without going to his computer?

Also, is there a way to un-install software without having to go to his machine?

Basically stuff like Limewire, PokerStars, trials of whatever.

Syano
Jul 13, 2005

Bob Morales posted:



Let's say salesperson Joe is a regular user on the domain, but I made him an admin on his laptop. But Joe is doing stupid poo poo like installing random software from the internet, how can I change his account without going to his computer?



I know this is the group policy thread... but couldn't you just open a computer management console and connect remotely to his machine while it is on your network and then modify the group membership that way? That's the way I do it when I find someone that has admin privileges I want to remove
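
The same membership check done in bulk, as an added example that is not part of the original posts: it lists the members of a machine's local Administrators group through the ADSI WinNT provider and reports anything not on an allow-list, with removal as a separate explicit step. The function names, the CORP domain, the LAPTOP07 host and the allow-list are constructed for illustration.

```powershell
# Added example, not from the thread. Function names, CORP, LAPTOP07 and the
# allow-list are hypothetical.

# Turn an ADSI path such as WinNT://CORP/joe or WinNT://CORP/LAPTOP07/Administrator
# into DOMAIN\name or COMPUTER\name so it can be compared with an allow-list.
function ConvertFrom-WinNTPath {
    param([Parameter(Mandatory = $true)][string]$AdsPath)
    $parts = @(($AdsPath -replace '^WinNT://', '') -split '/')
    # The last element is the account; the one before it is its domain or computer.
    if ($parts.Count -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] }
    else { $parts[-1] }   # e.g. an unresolved SID with no domain part
}

# Return the ADSI paths of every member of the local Administrators group.
# Needs administrative rights on the target and remote administration allowed
# through its firewall.
function Get-LocalAdminMember {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

# Report members that are not on the allow-list (comparison is case-insensitive).
function Find-UnexpectedAdmin {
    param(
        [string]$ComputerName,
        [string[]]$AdsPaths,
        [string[]]$Allowed
    )
    foreach ($path in $AdsPaths) {
        $account = ConvertFrom-WinNTPath -AdsPath $path
        if ($Allowed -notcontains $account) {
            New-Object PSObject -Property @{
                Computer = $ComputerName
                Account  = $account
                AdsPath  = $path
            }
        }
    }
}

# Remove one member, identified by the AdsPath reported above.
function Remove-LocalAdminMember {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$AdsPath
    )
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.psbase.Invoke('Remove', $AdsPath)
}

# Constructed membership list, as Get-LocalAdminMember would return it.
$samplePaths = @(
    'WinNT://CORP/LAPTOP07/Administrator',
    'WinNT://CORP/Domain Admins',
    'WinNT://CORP/joe'
)
$allowed = @('LAPTOP07\Administrator', 'CORP\Domain Admins')
Find-UnexpectedAdmin -ComputerName 'LAPTOP07' -AdsPaths $samplePaths -Allowed $allowed |
    Format-Table Computer, Account, AdsPath -AutoSize

# Live use:
# $paths = Get-LocalAdminMember -ComputerName 'LAPTOP07'
# Find-UnexpectedAdmin -ComputerName 'LAPTOP07' -AdsPaths $paths -Allowed $allowed
# Remove-LocalAdminMember -ComputerName 'LAPTOP07' -AdsPath 'WinNT://CORP/joe'
```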

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Bob Morales posted:

Is there a good way to change the local users on my domain from Admin/Power Users to just regular users?

Let's say salesperson Joe is a regular user on the domain, but I made him an admin on his laptop. But Joe is doing stupid poo poo like installing random software from the internet, how can I change his account without going to his computer?

Also, is there a way to un-install software without having to go to his machine?

Basically stuff like Limewire, PokerStars, trials of whatever.

Assuming the laptop is on the domain and a wireless network you can get to (or plugged in), you can always set up the Windows Firewall through policy to allow remote administration from a block of IPs you specify. Then you can use the computer management applet to remove him from the administrators security group. Uninstalling is a little trickier, but if you can get to it with remote regedit then you can look through the HKLM\Software\Classes\Installer\Products key for the crap he has put there and use a psexec session to fire off "msiexec /x {GUID} /qs" commands to get it off.
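
An added example, not part of the original posts, covering this lookup and the earlier HKCR\Installer\Products one: the key names under Installer\Products are a packed form of the ProductCode, not the {GUID} that msiexec /x takes, so the script unpacks each key name, filters on ProductName, and prints the uninstall command for review instead of running it. The function names, LAPTOP07 and the sample key name are constructed; /qn is msiexec's no-UI switch.

```powershell
# Added example, not from the thread. Function names are hypothetical.

# Windows Installer names each key under Installer\Products with a "packed"
# ProductCode: the first three GUID groups are written back to front and the
# remaining 16 hex digits have every pair of characters swapped.
function ConvertFrom-PackedGuid {
    param([Parameter(Mandatory = $true)][string]$Packed)
    if ($Packed -notmatch '^[0-9A-Fa-f]{32}$') {
        throw "Not a 32-digit packed GUID: '$Packed'"
    }
    $reverse = {
        param([string]$s)
        $chars = $s.ToCharArray()
        [array]::Reverse($chars)
        -join $chars
    }
    $g1 = & $reverse ($Packed.Substring(0, 8))
    $g2 = & $reverse ($Packed.Substring(8, 4))
    $g3 = & $reverse ($Packed.Substring(12, 4))
    $tail = ''
    for ($i = 16; $i -lt 32; $i += 2) {
        $tail += $Packed[$i + 1]
        $tail += $Packed[$i]
    }
    $groups = $g1, $g2, $g3, $tail.Substring(0, 4), $tail.Substring(4, 12)
    ('{' + ($groups -join '-') + '}').ToUpper()
}

# List per-machine MSI products on a computer through the Remote Registry
# service, with the ProductCode and a ready-to-review uninstall command.
function Get-InstallerProduct {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$NameLike = '*'
    )
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $products = $hklm.OpenSubKey('SOFTWARE\Classes\Installer\Products')
        if (-not $products) { return }
        foreach ($packed in $products.GetSubKeyNames()) {
            if ($packed -notmatch '^[0-9A-Fa-f]{32}$') { continue }
            $sub = $products.OpenSubKey($packed)
            $name = $sub.GetValue('ProductName')
            $sub.Close()
            if ($name -like $NameLike) {
                $code = ConvertFrom-PackedGuid -Packed $packed
                New-Object PSObject -Property @{
                    Computer    = $ComputerName
                    ProductName = $name
                    ProductCode = $code
                    Uninstall   = "msiexec /x $code /qn /norestart"
                }
            }
        }
    } finally {
        $hklm.Close()
    }
}

# Constructed key name (not a real product) to show the conversion offline.
ConvertFrom-PackedGuid -Packed '0123456789ABCDEF0123456789ABCDEF'

# Live use against a machine whose Remote Registry service is reachable
# (LAPTOP07 and the name filter are placeholders):
# Get-InstallerProduct -ComputerName 'LAPTOP07' -NameLike '*Toolbar*' |
#     Format-Table ProductName, Uninstall -AutoSize
```

Only MSI-based, per-machine installs appear under this key; software installed by other setup programs has to be removed with its own uninstaller.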

Citizen Z
Jul 13, 2009

~Hanzo Steel~


Also, bumping my question. What's going to be the best way to prevent a GPO from applying to a specific machine? (I have a folder redirection policy for a satellite office that is applying to terminal services). Because of horrid organization, it's going to be hard to change the GPO link from the location's user OU to computers, since computers is completely unorganized.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Citizen Z posted:

Also, bumping my question. What's going to be the best way to prevent a GPO from applying to a specific machine? (I have a folder redirection policy for a satellite office that is applying to terminal services). Because of horrid organization, it's going to be hard to change the GPO link from the location's user OU to computers, since computers is completely unorganized.

Either make a loopback policy for the terminal server that overrides the user's profile redirect policy or make a policy for the user with the scope restricted to just them that overrides the setting you don't want.

Syano
Jul 13, 2005
Just out of curiosity's sake... why would they not want their folders redirected when signing into the terminal servers? I've actually found that to be one of the most useful scenarios for folder redirection

Moey
Oct 22, 2010

I LIKE TO MOVE IT
So when I got to the place I'm working at, we used something called Desktop Authority. It's basically a program that makes any kind of GPO you can think of point and click. We just recently decided to get rid of it, and make GPOs ourselves. Nothing was real difficult, but we have one problem.

People are idiots and hit shutdown PC at the end of the day. They also refuse to read my Allstaff emails about the difference between shutdown, restart, lock and logoff...

Desktop Authority had the ability to auto reboot the PC if shutdown from a windows session. And if someone shut it down from the login screen, it would actually shutdown.

Anyone know any easy way to achieve this via GPO/scripts? Google was telling me it's going to be a pain to try and set up.

Citizen Z
Jul 13, 2009

~Hanzo Steel~


Syano posted:

Just out of curiosity's sake... why would they not want their folders redirected when signing into the terminal servers? I've actually found that to be one of the most useful scenarios for folder redirection

That was my reaction. I think it's because all the users down there put a ton of shortcuts to programs on their desktop. Apps that aren't installed on their server.

We had to put folder redirection in place because they were saving stuff everywhere BUT their home drives or designated network shares. Ended up losing some pretty critical documents right before a bid because of an errant cup of coffee.

Wiggly
Aug 26, 2000

Number one on the ice, number one in my heart
Fun Shoe
I am in the process of creating some of my first policies and it seems to be going pretty well except for this one situation. The policies I have are applied to one OU that I set up for users. One policy maps some network shares and network printers. The other redirects My Documents to a network folder. They both work great except that if I log off the computer and then log back on (not restarting), the network shares don't get mapped. Anyone ever see this?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Wiggly posted:

I am in the process of creating some of my first policies and it seems to be going pretty well except for this one situation. The policies I have are applied to one OU that I set up for users. One policy maps some network shares and network printers. The other redirects My Documents to a network folder. They both work great except that if I log off the computer and then log back on (not restarting), the network shares don't get mapped. Anyone ever see this?

Mapped drives through policy have been known to be spotty and I don't believe anyone had come to a solid conclusion on the cause. You might be better off with logon scripts.

Rooster Brooster
Mar 30, 2001

Maybe it doesn't really matter anymore.

BangersInMyKnickers posted:

Mapped drives through policy have been known to be spotty and I don't believe anyone had come to a solid conclusion on the cause. You might be better off with logon scripts.

Do you (or does anyone) have an article or paper on this? I'll google, too, and it isn't that I don't believe you; it's just that if I bring that as the reason to stick with logon scripts instead of preferences to a meeting, I'll get asked for some confirmation.

AcridWhistle
Aug 20, 2003

Feasting on the flesh of a recently killed zombie probably wasn't the smartest of moves

BangersInMyKnickers posted:

Mapped drives through policy have been known to be spotty and I don't believe anyone had come to a solid conclusion on the cause. You might be better off with logon scripts.

Haven't had a single problem


ozmunkeh posted:

%windir%\system32\Macromed\Flash\mms.cfg

Containing the following line:

AutoUpdateDisable=1

Yeah I forgot about getting back to the thread but this is pretty much it.

Maniaman
Mar 3, 2006
Is there any good way to uninstall software with group policy? I'm doing work for a small non-profit that has ~33 machines with every antivirus in the book. Some have MSE, Symantec, AVG (free), Avast (free), McAfee (home edition :gonk:), etc.

They are finally standardizing on NOD32. Rather than going to each machine and uninstalling the current AV product, I would much prefer setting up a policy or script that would automatically uninstall the current product and then install/configure NOD32. Is this possible or would I be better off doing it manually for the 33 machines?


Moey
Oct 22, 2010

I LIKE TO MOVE IT

BangersInMyKnickers posted:

Mapped drives through policy have been known to be spotty and I don't believe anyone had come to a solid conclusion on the cause. You might be better off with logon scripts.

We just set up a bunch of GPOs to replace some software we used to use (ScriptLogic), and out of around 200 users, have only had 1 person who has problems.

For some reason only random drives will map on every login, different drives every time.

We just manually mapped them all as persistent, no more problems.
