  • Locked thread
quackquackquack
Nov 10, 2002
I believe there is a McAfee patch to allow ReaderX to be added to the list and work.

Yeah.

Honey Im Homme
Sep 3, 2009

Not sure if this is the right thread but anyway!

We upgraded our DCs to Server 2008 a little while back and ever since then we've been finding accounts with the following missing:



Anyone know a quick way for me to check if this exists and set it to the alias of the user if it's missing?

It's causing problems with users logging into macs, some weird drive mapping errors, well at least putting their alias back in there seems to solve these issues :).

Honey Im Homme fucked around with this message at 01:06 on Jan 23, 2011

AcridWhistle
Aug 20, 2003

Feasting on the flesh of a recently killed zombie probably wasn't the smartest of moves

BangersInMyKnickers posted:

Shockwave: The shockwave msi is a broken piece of poo poo that won't install through policy. Nobody in their right mind uses shockwave for anything these days so why bother installing it?

Java: Download the offline installer and open it. Wait until the first window opens, then go to appdata\locallow\sun\java\yourversion and copy out the installer files. Delete the .mst it comes with. Use InstEd to make a transform for the package that sets the following properties to 0: AUTOUPDATECHECK, JAVAUPDATE, JU

Shockwave is fairly simple and easy (will have to look at my mst at work)

None of those Java properties have ever worked for me :mad: (well after 1u5?)

Moey posted:

Anyone know of a good guide to get me started with updating or uninstalling/reinstalling software through GPO?

http://www.appdeploy.com/ for all your package information needs. Won't help you with the general skills though, a handy reference for a lot of programs though.

AcridWhistle fucked around with this message at 03:18 on Jan 23, 2011

thebmw
May 13, 2004
Bing

Honey Im Homme posted:

Anyone know a quick way for me to check if this exists and set it to the alias of the user if it's missing?

It's causing problems with users logging into macs, some weird drive mapping errors, well at least putting their alias back in there seems to solve these issues :).

PowerShell is probably the answer you're looking for.

Naramyth
Jan 22, 2009

Australia cares about cunts. Including this one.

Noel posted:

I believe there is a McAfee patch to allow ReaderX to be added to the list and work.

Yeah.

And after I ranted about it I tested it again and it now works without issue. It must have been pushed out in general updates. :shobon:

Goon Matchmaker
Oct 23, 2003

I play too much EVE-Online
Is there any way to do folder redirection with a 2003 domain and Windows 7 clients? I need to redirect our new Windows 7 laptops to use a network share for My Documents but the current policies don't seem to be working right.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

You need the group policy extensions installed everywhere and you'll need to actually make the policy on a Windows 7/2008 system with the RSAT management pack installed. We do exactly what you describe here without a problem.

Moey
Oct 22, 2010

I LIKE TO MOVE IT
This has probably been covered, but I don't feel like digging through all the pages.

Does everyone use GPOs to map drives, or logon scripts?

Our GPOs seem to be flakey with drive mapping, and occasionally don't properly connect. Starting to bother me.

quackquackquack
Nov 10, 2002
I believe the common comment is exactly what you have observed - logon scripts are still the best method of mapping drives.

mattisacomputer
Jul 13, 2007

Philadelphia Sports: Classy and Sophisticated.

I'm currently running a server 2003 functional level domain with about 600~ XP clients, all running SP3 and as I work on it, the latest GPSE. My question is one of best practice for structuring GPOs for GPPreferences Printer Deployment. I currently have two schools managed from one domain, one site, and one flat network. The AD structure is like this:


Generic Elementary School
+GES Computers
++GES Classroom Computers
+++GES Wing A
++++Room 1
++++Room 2
++++Room 3
+++GES Wing B
+++GES Wing C
++GES Computer Labs
++GES Office Computers
++GES VMs
++GES NComputing stations

There's a network printer in each classroom along with 3-4 physical computers. I've only set up 2-3 classrooms so far, but I'm making a new GPO for each classroom and setting it up with loopback processing to deploy the printer to everyone that logs on those computers in each classroom. For example, in the rudimentary example above, there would be a unique GPO for Rooms 1, 2 and 3 deploying a printer to the computers in each OU. At this rate, I'm going to have 60 GPOs for each room, and that's just the classrooms. Is this the most efficient way to do GPOs for so many individual OUs? I really like GPPreferences and the classrooms I've set up this way work perfectly, I'm just wary of deploying my GPOs incorrectly/inefficiently.

Syano
Jul 13, 2005
60 total GPOs? Nope not a problem at all. I'd say there may be a problem if each OU had 60 to process each. But there isn't a problem, past management really, of having lots of GPOs. That being said it would make it a heck of a lot easier if you consolidated your GPOs if you wanted to script a bit. It's not hard at all to script printer deployment based on group membership/OU location or something similar. Hit Google up if you want to give it a try.

mattisacomputer
Jul 13, 2007

Philadelphia Sports: Classy and Sophisticated.

Syano posted:

60 total GPOs? Nope not a problem at all. I'd say there may be a problem if each OU had 60 to process each. But there isn't a problem, past management really, of having lots of GPOs. That being said it would make it a heck of a lot easier if you consolidated your GPOs if you wanted to script a bit. It's not hard at all to script printer deployment based on group membership/OU location or something similar. Hit Google up if you want to give it a try.

We currently have a big kix script that handles the rest of the printers. I don't mind using scripts to manage printers, I just feel like GPOs are much neater and quicker. I could just clean up the script, which I inherited, I just thought this way would be better.

Syano
Jul 13, 2005
All depends on your definition of easy I guess. As far as AD's ability to handle lots of GPOs... you're in the clear. Go hog wild if that is the method you like best.

Naramyth
Jan 22, 2009

Australia cares about cunts. Including this one.

Moey posted:

This has probably been covered, but I don't feel like digging through all the pages.

Does everyone use GPOs to map drives, or logon scripts?

Our GPOs seem to be flakey with drive mapping, and occasionally don't properly connect. Starting to bother me.

I was having some flakey drive mapping issues that were tied to forgetting to install group policy preferences extensions for some XP computers and not having the exact group name in the item level targeting (ex. I had accounting instead of ad\accounting).

Syano posted:

All depends on your definition of easy I guess. As far as AD's ability to handle lots of GPOs... you're in the clear. Go hog wild if that is the method you like best.

Yup. Many policies make disabling/enabling specific things much easier than having everything in a handful of policies.

Morganus_Starr
Jan 28, 2001
Ok, I am pretty new at using Group Policy, and even newer at properly troubleshooting it, but I'm learning as I go.

I've got a Windows 7 workstation with redirected folders that is giving me trouble updating to the current GPO. It's domain joined, and the IT vendor we inherited the network from had all kinds of hosed up GPOs, locking users out of all sorts of things. On this system command prompt is locked out, even though the user is a local admin on his system. MMC snap-ins are locked out also, so I can't run gpupdate /force or gpresult on his system while he is logged in. Also, the extra configuration tabs in Internet Explorer options (security tab) are blocked via a GPO so he can't add a trusted site, which he needs so he can install an ActiveX control.

I removed any legacy settings in the GPOs that I thought were causing issues, and I am seeing NO GPO that would lock him out of anything in IE or the command prompt. I tried switching users on his system to an admin account and running a gpupdate /force there, that didn't seem to fix anything.

I tried running group policy modeling on his AD account, and the results showed me what I expected, and I didn't see any GPO results blocking him from cmd prompt or anything else.

I tried running Group policy results on his machine account, but it spat out "RPC Service Unreachable".

Basically, are there any other tools I can run on his system to allow me to diagnose which domain controller his system is pulling GPOs from, and to see what policies are being applied? Also if anyone has any ideas how to troubleshoot from here I'd be grateful.

mattisacomputer
Jul 13, 2007

Philadelphia Sports: Classy and Sophisticated.

Anything in the local group policy? Have you tried recreating the profile locally? I'll post more when back in my office

SmellsOfFriendship
May 2, 2008

Crazy has and always will be a way to discredit or otherwise demean a woman's thoughts and opinions
I can't believe I'm asking this but... I've inherited some crazy poo poo on my new network. One is that somehow the last admin managed to remove the domain admins from the administrators groups on a lot of the machines. That's right. I can gently caress DNS and AD beyond belief but I can't view running services on about half my clients.

Any ideas of how to do this centrally as opposed to finding each problem child machine? I know you can't control local user groups from GP. But I'm not sure if anyone else has run into this fuckery and how they fixed it.

SmellsOfFriendship
May 2, 2008

Crazy has and always will be a way to discredit or otherwise demean a woman's thoughts and opinions

Morganus_Starr posted:

Ok, I am pretty new at using Group Policy, and even newer at properly troubleshooting it, but I'm learning as I go.

I've got a Windows 7 workstation with redirected folders that is giving me trouble updating to the current GPO. It's domain joined, and the IT vendor we inherited the network from had all kinds of hosed up GPOs, locking users out of all sorts of things. On this system command prompt is locked out, even though the user is a local admin on his system. MMC snap-ins are locked out also, so I can't run gpupdate /force or gpresult on his system while he is logged in. Also, the extra configuration tabs in Internet Explorer options (security tab) are blocked via a GPO so he can't add a trusted site, which he needs so he can install an ActiveX control.

I removed any legacy settings in the GPOs that I thought were causing issues, and I am seeing NO GPO that would lock him out of anything in IE or the command prompt. I tried switching users on his system to an admin account and running a gpupdate /force there, that didn't seem to fix anything.

I tried running group policy modeling on his AD account, and the results showed me what I expected, and I didn't see any GPO results blocking him from cmd prompt or anything else.

I tried running Group policy results on his machine account, but it spat out "RPC Service Unreachable".

Basically, are there any other tools I can run on his system to allow me to diagnose which domain controller his system is pulling GPOs from, and to see what policies are being applied? Also if anyone has any ideas how to troubleshoot from here I'd be grateful.

We're having an identical issue with Remote Desktop on some workstations.

ozmunkeh
Feb 28, 2008

hey guys what is happening in this thread

SmellsOfFriendship posted:

I can't believe I'm asking this but... I've inherited some crazy poo poo on my new network. One is that somehow the last admin managed to remove the domain admins from the administrators groups on a lot of the machines. That's right. I can gently caress DNS and AD beyond belief but I can't view running services on about half my clients.

Any ideas of how to do this centrally as opposed to finding each problem child machine? I know you can't control local user groups from GP. But I'm not sure if anyone else has run into this fuckery and how they fixed it.

Unless I'm misunderstanding, make a GPO from: Computer Configuration / Windows Settings / Security Settings / Restricted Groups

SmellsOfFriendship
May 2, 2008

Crazy has and always will be a way to discredit or otherwise demean a woman's thoughts and opinions

ozmunkeh posted:

Unless I'm misunderstanding, make a GPO from: Computer Configuration / Windows Settings / Security Settings / Restricted Groups

Would I just leave it blank? I'm not sure what you mean.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
I'm pretty sure you can control local user groups with GP.
Computer Configuration > Control Panel Settings > Local Users and Groups

SmellsOfFriendship
May 2, 2008

Crazy has and always will be a way to discredit or otherwise demean a woman's thoughts and opinions

FISHMANPET posted:

I'm pretty sure you can control local user groups with GP.
Computer Configuration > Control Panel Settings > Local Users and Groups

Found it! Thanks, I'm in a mixed domain and that was only available on my R2 DC.
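
An added example, not part of any post in this thread: before and after pushing the Restricted Groups or Local Users and Groups policy discussed above, a read-only audit like this shows which machines are missing Domain Admins from the local Administrators group. The computer list path and the `CONTOSO` domain name are placeholders, and the local group name assumes an English-language Windows install.

```powershell
# Added example: audit local Administrators membership across a list of machines.
# Read-only; it changes nothing on the targets.
$Computers = Get-Content 'C:\audit\computers.txt'   # assumption: one hostname per line
$Expected  = 'CONTOSO/Domain Admins'                # placeholder: <NetBIOS domain>/<group>
$OutFile   = 'C:\audit\local-admins.csv'            # assumption: report location

$results = foreach ($computer in $Computers) {
    $status  = 'Present'
    $members = @()
    try {
        # The WinNT provider exposes the local SAM groups of a remote machine.
        $group = [ADSI]"WinNT://$computer/Administrators,group"

        # Members() returns COM objects; read each member's ADsPath,
        # e.g. WinNT://CONTOSO/Domain Admins
        $members = @($group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })

        if (-not ($members | Where-Object { $_ -like "*/$Expected" })) {
            $status = 'MISSING'
        }
    }
    catch {
        # Offline, firewalled, or the account running the audit is not an admin
        # on that machine (which is itself a sign the group is wrong).
        $status = 'Unreachable'
    }

    New-Object PSObject -Property @{
        Computer = $computer
        Status   = $status
        Members  = ($members -join '; ')
    }
}

# Full listing for the record, plus a short on-screen list of machines to fix.
$results | Select-Object Computer, Status, Members |
    Export-Csv -Path $OutFile -NoTypeInformation
$results | Where-Object { $_.Status -ne 'Present' } |
    Sort-Object Status, Computer |
    Format-Table Computer, Status -AutoSize
```

The `Members` column is also worth reading on machines that pass, since it lists every other account holding local admin rights.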

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
I've got a new client who has a few out of office VPN users using Windows XP laptops. Any GPO settings I should keep in mind for them? They use Outlook and access mapped network drives, nothing really more than that.

Morganus_Starr
Jan 28, 2001
How would I go about deploying a GPO to customize Outlook? I've downloaded the Office 2007 SP2 .adm files, and imported them in GP Object Editor. I am able to customize some settings using the Outlook template, but how do I go about changing things like the default view and window layout (which aren't in the template)? The Office 2k7 admin toolkit came with a spreadsheet that has a hojillion registry keys listed in it, and even in that I couldn't find a reg key for changing views/layouts.

mattisacomputer
Jul 13, 2007

Philadelphia Sports: Classy and Sophisticated.

Shooting from the hip here but it looks like you've done a lot of groundwork already. Are those settings saved in a PST/OST or maybe another config file? You could do regmon while saving the changes and see if a specific key changes.

Also once you find those keys you can push them out via GPP.

ytisomauq
Dec 15, 2000
Does anyone know an easy way to automatically export the GPO settings (as an HTML file) and possibly upload them somewhere?

We are trying to keep track of GPO changes and if we could have the latest copy of the GPO settings on a website we could review that would make things a little easier. I wish I could trust my coworkers to follow the procedure, but it is sometimes hard to get them to read email.

I am building the site in SharePoint 2007, so if there was an easy way to route it straight there, that would be best. I have an announcement list being used as a generic changelog and a document library filled with the HTM GPO Reports. There are better designs out there I imagine, but we need ours in SharePoint.

Ifan
Feb 21, 2006
The Nice Operator from Heaven

ytisomauq posted:

Does anyone know an easy way to automatically export the GPO settings (as an HTML file) and possibly upload them somewhere?

A PowerShell script seems like the simplest approach to this.
You could also check out AGPM (Advanced Group Policy Management) from MS. It keeps track of changed policies and does a plethora of other things. I think it's free for Software Assurance customers, but don't take my word for it.
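
An added example, not code from any poster in this thread: one way to do the export with the GroupPolicy module's `Get-GPO` and `Get-GPOReport` cmdlets, writing a fresh HTML report only for GPOs whose modification time has changed and appending a line to a change log. The folder and file names are assumptions; run it as a scheduled task on a machine with GPMC/RSAT installed.

```powershell
# Added example: export HTML reports for new or changed GPOs and keep a change log.
# Requires the GroupPolicy module (GPMC / RSAT on Windows 7 or Server 2008 R2).
Import-Module GroupPolicy

$ReportDir = 'C:\GPOReports'                        # assumption: output folder
$StateFile = Join-Path $ReportDir 'gpo-state.csv'   # GUID + last-seen modification time
$ChangeLog = Join-Path $ReportDir 'changelog.txt'

if (-not (Test-Path $ReportDir)) {
    New-Item -ItemType Directory -Path $ReportDir | Out-Null
}

# State saved by the previous run: GPO GUID -> record
$previous = @{}
if (Test-Path $StateFile) {
    Import-Csv $StateFile | ForEach-Object { $previous[$_.Id] = $_ }
}

$now     = (Get-Date).ToUniversalTime().ToString('u')
$current = @()

foreach ($gpo in Get-GPO -All) {
    $id       = $gpo.Id.ToString()
    $modified = $gpo.ModificationTime.ToUniversalTime().ToString('o')
    $current += New-Object PSObject -Property @{
        Id = $id; Name = $gpo.DisplayName; Modified = $modified
    }

    # Unchanged since the last run: nothing to export.
    if ($previous.ContainsKey($id) -and $previous[$id].Modified -eq $modified) {
        continue
    }
    $change = if ($previous.ContainsKey($id)) { 'CHANGED' } else { 'NEW' }

    # Strip characters that are not legal in file names; keep the GUID so two
    # GPOs with similar display names cannot overwrite each other's report.
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    $path     = Join-Path $ReportDir "$safeName-$id.htm"
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $path

    Add-Content -Path $ChangeLog -Value "$now  $change  $($gpo.DisplayName)  {$id}  modified $modified"
}

# GPOs that were present last run but no longer exist in the domain.
$currentIds = @($current | ForEach-Object { $_.Id })
foreach ($id in $previous.Keys) {
    if ($currentIds -notcontains $id) {
        Add-Content -Path $ChangeLog -Value "$now  DELETED  $($previous[$id].Name)  {$id}"
    }
}

$current | Select-Object Id, Name, Modified |
    Export-Csv -Path $StateFile -NoTypeInformation
```

On the first run every GPO is logged as NEW, which gives a baseline to compare later changes against.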

Spudman
Feb 5, 2004

Post nudes plz
Don't worry, it's perfectly rational!
Hey guys. My first time posting in this thread. I have a bit of an issue.

I'm the server guy / Active Directory guy at my work. I am not the network guy, so I have no control over the routers, switches, etc.

I am attempting to implement Policy-Based QoS, but it just doesn't seem to work. I created a new GPO, and I linked it to an upper-level OU. I then set the scope of said GPO to only apply to a security group that I had made called "Bandwidth Throttled Users." I put only myself in that group as a test.

In the User settings on that GPO, I made a new QoS policy that supposedly set my outbound TCP and UDP throughput to 500 kilobits per second. (I would have rather been able to configure the inbound throttle rate, but I read that that's only possible with the Computer configuration.)

I made sure the changes were replicated to all DCs. I rebooted my PC for good measure. Using gpresult on my PC, I confirmed that the new policy was applied to me correctly.

But it just does nothing. I transferred a file to another PC at gigabit speed. I ran speedtest.net and got 2 meg up. The policy is applied, it just isn't doing anything.

Can someone tell me what I'm missing? Thank you.

edit: I just solved this. I feel like an idiot. I could have sworn that I read the throttle rate was in kilobits per second, but it turns out it's actually in kilobytes per second. The QoS policy works flawlessly. I'll leave this up in case it helps anyone else, though.

Spudman fucked around with this message at 14:13 on Apr 6, 2011

ghostinmyshell
Sep 17, 2004



I am very particular about biscuits, I'll have you know.
I finally got approval for locking down our poo poo and using GP more to regulate. All our machines are still in the basic COMPUTERS OU and I'm thinking about breaking it out more into something like this:

Root
-Laptops
-Workstations
-Servers
-Exchange Servers
-Kiosks

Trying to follow best practices so my replacement doesn't post in the "poo poo I hate thread..."

devmd01
Mar 7, 2006

Elektronik
Supersonik
That's the beauty and the curse of AD, you can nest groups as you please. KISS as much as possible, and your successor won't hate you. One thing to keep in mind is group policy with your servers, as you will likely want to put in something like bginfo to all your servers as well as separate out your patching policies as appropriate.

We have an overarching Servers group, with subfolders based upon patching policy - Automatically Install patches and reboot, manually install and reboot, no patches at all, video security servers, and patch testing servers.

Keep one overarching "workstations" group, with sub folders for laptop/desktops/whatever. That way you can apply policies to all with inheritance enabled, or on a group by group basis, for example firewall rules on laptops that aren't necessarily needed on desktops. Keep the basic "Computers" OU as a landing zone for joining computers to the domain, where you can then move the machines to the appropriate OU. Or, if you want to get crazy with scripting, have desktops join to the Desktops OU when done imaging, laptops to the laptops OU when done imaging.

devmd01 fucked around with this message at 13:36 on May 9, 2011

SmellsOfFriendship
May 2, 2008

Crazy has and always will be a way to discredit or otherwise demean a woman's thoughts and opinions

ytisomauq posted:

Does anyone know an easy way to automatically export the GPO settings (as an HTML file) and possibly upload them somewhere?

We are trying to keep track of GPO changes and if we could have the latest copy of the GPO settings on a website we could review that would make things a little easier. I wish I could trust my coworkers to follow the procedure, but it is sometimes hard to get them to read email.

I am building the site in SharePoint 2007, so if there was an easy way to route it straight there, that would be best. I have an announcement list being used as a generic changelog and a document library filled with the HTM GPO Reports. There are better designs out there I imagine, but we need ours in SharePoint.

You can export them to an HTML report. But I discovered during my documentation process it's not a whole lot of help to figure out which keys/settings are being applied to the whole organization. If you're like us and you have a ton of OUs and 100 undocumented policies, then the html files get cumbersome.

The resultant set of policy tool is really useful though.

ghostinmyshell
Sep 17, 2004



I am very particular about biscuits, I'll have you know.

devmd01 posted:

That's the beauty and the curse of AD, you can nest groups as you please. KISS as much as possible, and your successor won't hate you. One thing to keep in mind is group policy with your servers, as you will likely want to put in something like bginfo to all your servers as well as separate out your patching policies as appropriate.

We have an overarching Servers group, with subfolders based upon patching policy - Automatically Install patches and reboot, manually install and reboot, no patches at all, video security servers, and patch testing servers.

Keep one overarching "workstations" group, with sub folders for laptop/desktops/whatever. That way you can apply policies to all with inheritance enabled, or on a group by group basis, for example firewall rules on laptops that aren't necessarily needed on desktops. Keep the basic "Computers" OU as a landing zone for joining computers to the domain, where you can then move the machines to the appropriate OU. Or, if you want to get crazy with scripting, have desktops join to the Desktops OU when done imaging, laptops to the laptops OU when done imaging.

Thanks, I didn't really think of that.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
I'm about to push out Adobe Reader 9.4 to a bunch of new PCs. What's the deal with getting them up to the latest version (9.4.4) and keeping them there? Is there an MSI installer at the latest version, or do I need to use these .msp files somehow?

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

BangersInMyKnickers posted:

Policy drive mapping has been inconsistent for quite a few people that tried it here. Haven't figured out a cause to it, but some people got it working by toggling the reconnect switch on the mapping. If it gives you grief I would say just stick to a logon script to do the work.

Found out my problem. FQDN. Using just the server name won't cut it. I feel like a mega-dunce.

peak debt
Mar 11, 2001
b& :(
Nap Ghost

Swink posted:

I'm about to push out Adobe Reader 9.4 to a bunch of new PCs. What's the deal with getting them up to the latest version (9.4.4) and keeping them there? Is there an MSI installer at the latest version, or do I need to use these .msp files somehow?

You need to use the MSPs but you can slipstream them directly into the installation and don't have to run msiexec 4 times

code:
msiexec /i "AcroRead.msi" EULA_ACCEPT=YES REBOOT="ReallySuppress" PATCH="%temp%\Reader944\AdbeRdrUpd942_all_incr.msp;%temp%\Reader944\AdbeRdrUpd943_all_incr.msp;%temp%\Reader944\AdbeRdrUpd944_all_incr.msp" /qb
Note that the PATCH option only accepts full file names and not relative ones.

Mierdaan
Sep 14, 2004

Pillbug

SmellsOfFriendship posted:

The resultant set of policy tool is really useful though.

I kinda hate RSOP since it uses the old layout for Group Policy options; am I missing some easy way to get GP options displayed in the same way that GPMC displays them?

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

peak debt posted:

You need to use the MSPs but you can slipstream them directly into the installation and don't have to run msiexec 4 times

code:
msiexec /i "AcroRead.msi" EULA_ACCEPT=YES REBOOT="ReallySuppress" PATCH="%temp%\Reader944\AdbeRdrUpd942_all_incr.msp;%temp%\Reader944\AdbeRdrUpd943_all_incr.msp;%temp%\Reader944\AdbeRdrUpd944_all_incr.msp" /qb
Note that the PATCH option only accepts full file names and not relative ones.

Tried to patch 10.0.0 to 10.0.1. The MSI thinks it's 10.0.1, but when I install it, Adobe Reader still thinks it's 10.0.0. Oh well, applying the MSP to an installed copy works fine, so I'm going with that.

devmd01
Mar 7, 2006

Elektronik
Supersonik
Test the poo poo out of 10.x before deploying it, the new way it handles pdf opening fucks up royally if you have IE lockdown settings enabled such as "do not save encrypted pages to disk."

Ask me how I know!

permanoob
Sep 28, 2004

Yeah it's a lot like that.
I was pushing out some proxy settings to a small test group here at work and things just aren't working out so I wanted to turn them off. I went in and turned off all the proxy settings last night and figured I'd let it go overnight and come back in to a proxy-less test group this morning. Hmm nope.

If I do a gpupdate /force, it's still not changing anything over and I'd rather not have to call these people and walk them through changing it. Any idea why taking those settings out and doing a gpupdate isn't clearing the settings?

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

devmd01 posted:

Test the poo poo out of 10.x before deploying it, the new way it handles pdf opening fucks up royally if you have IE lockdown settings enabled such as "do not save encrypted pages to disk."

Ask me how I know!

Hahaha, that assumes that anybody in IT has any access to the webapps everybody uses. Only way to test is to let it out into the wild, and wait for the silence, because nobody bugs us unless their computer is on fire or something.
