|
Definitely stop using Computers CN. You can't target Group Policy to it directly, unlike if you created an OU. We have our people organized by physical location, but only so that printers can be deployed by GP to computers. I've wanted to change printer deployment to be user based for a long time, but that's been a tough sell for some reason (other admin's laziness in not wanting to maintain user groups).
|
#
?
Jun 23, 2011 04:55
|
|
|
|
| # ? Apr 26, 2024 22:08 |
|
|
Our OU breakdown is by physical department. If a GPO needs to target across multiple departments I set up in the structure as high as I can to get all objects that are needed and use the security filtering for the GPO(basically change it from authenticated users to something more specific, possibly targeting an oddly specific security group like "Do not turn off display" ).
|
|
#
?
Jun 23, 2011 15:51
|
|
|
So what do people use for server configuration documentation? Right now my current company just throws poo poo into Google Docs, which is an admittedly lovely way to do things. I'm looking for something that we can use to keep track of configurations/documents/software installed on the machines/etc.
|
|
#
?
Jun 24, 2011 22:32
|
|
|
Wicaeed posted:So what do people use for server configuration documentation? Right now my current company just throws poo poo into Google Docs, which is an admittedly lovely way to do things.
|
|
#
?
Jun 25, 2011 16:27
|
|
|
SCCM Task Sequence Questions Again! Following things don't seem to work I'm probably just doing something wrong. Any suggestions or help would be appreciated. 1. Installing IIS on Windows 7 x64 via Command line. Using default options, should I be doing anything else? I know there's a ton of little options here and there. code: 2. Invoke a batch script on Windows 7 x64 via Command line. code:lol internet. fucked around with this message at 21:01 on Jun 27, 2011 |
|
#
?
Jun 27, 2011 20:59
|
|
|
lol internet. posted:SCCM Task Sequence Questions Again! Try running it yourself as the system account. You can do that with psexec, it has a -s option that will run whatever command as the system user, so if you run psexec -s cmd, you'll get a shell as the system user on your local machine. E: Also, make those software packages instead of command lines run in a task sequence?
|
|
#
?
Jun 27, 2011 21:01
|
|
|
For both of your command lines, you don't need to run CMD.EXE /C, as they're actually executables, and not shell commands (like copy, move, etc). Nor do you need to provide the patch to cmd.exe. For the second, in 'start in' put: C:\TEMP\Oracle\ and for the command line just put InstallODP.NET4.bat You also don't need START WAIT. SCCM does that automatically. Not sure that really helps you, but it makes it cleaner. I second the psexec comment. I think I call psexec.exe -i -s cmd.exe. Not sure if the -i is needed. Because I like things clean, I would also consider putting the .bat file for the second into a package, and call it from there. Why litter up the c: drive. I would probably also consider turning the batch file into a Task Sequence, that way I could get return codes from each step.
|
|
#
?
Jun 28, 2011 04:36
|
|
|
quackquackquack posted:sccm stuff  Just so we're on the same page here.. should the "command line" field be "psexec.exe -i InstallODP.NET4.bat" for the Oracle ODP and for the IIS install it should be "psexec.exe -i DISM /Online /Enable-Feature /norestart /FeatureName:IIS-ApplicationDevelopment" Or should I put the IIS install into a batch file and execute similar to the InstallODP.NET4.bat file?
|
|
#
?
Jun 29, 2011 05:25
|
|
|
Yeah, sorry, I read my post again, and it's pretty confusing (they make breathalyzers that disable the keyboard, right?) psexec.exe is for testing your install before it gets anywhere near SCCM. From an elevated command prompt, run 'psexec.exe -s -i cmd.exe', which will open up another command prompt in the SYSTEM context (which is how SCCM installs things). In this SYSTEM command prompt, run 'C:\TEMP\Oracle\InstallODP.NET4.bat' and see what happens. Also try your massive IIS7 command, but chop everything before DISM. Completely unrelated to the above comments about psexec, I was suggesting that instead of using InstallODP.NET4.bat, it might be possible to take the contents of it and change it into a task sequence. For example (please excuse the syntax): If a line says : IF EXIST c:\program\file1.exe c:\temp\setup.exe Translate that to a 'Run command line' task sequence step: Command-line: setup.exe Start in: c:\temp (or better yet, use some environment variables) On the Options tab (and this is from memory), add a condition that 'c:\program\file1.exe' exists. Why are task sequences better than batch files? When a batch file runs, the best you'll get is a single error code from the batch file. In a task sequence, each step can provide an error code, and the error code is from the program itself, not the batch file. So if one step is to create a directory, but permission is denied, you get a message that permission was denied. If you do end up definitely needing to use a batch file, I recommend putting it into a package, and then either making a program in that package that runs the batch file, or using a 'run command-line' step to call that batch file (I don't really know which is better). This way you're not littering the target computer with files which might become out of date, the end user might run them out of curiosity (I love curious users, yet boy can they be frustrating). If you post the contents of the batch file I would be happy to take a stab at turning it into a task sequence for you so you can see what I mean.
|
|
#
?
Jun 29, 2011 13:35
|
|
|
quackquackquack posted:If you post the contents of the batch file I would be happy to take a stab at turning it into a task sequence for you so you can see what I mean. http://www.oracle.com/technetwork/database/windows/downloads/index-090165.html There was no installer, just a ton of files with a batch script.
|
|
#
?
Jun 29, 2011 16:20
|
|
|
I recently upgraded from SCCM SP1 to SCCM SP3 (note: no R2/R3). Everything appeared to go peachy keen, except now a bunch of my clients are not reporting back. The SCCM server is in domain "HORSE", and it's the only server related to SCCM (ie: it runs SQL, IIS, etc). 80% of my clients are in HORSE. The AD schema was extended in HORSE. The other 20% of my clients are in domain "COW". In this domain I don't have much control, the schema is not extended. There is no trust with HORSE. I noticed that the clients in COW were not reporting hardware inventory. SCCM server did not have any errors in Status. I checked the logs on a client in COW, and LocationServices.log has: quote:[CCMHTTP] HTTP ERROR: URL=http://SCCM-SERVER.HORSE.COM/sms_slp/slp.dll?site&sc=LOL, Port=80, Protocol=http, SSLOptions=0, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE And in Clientlocation.log, before the upgrade it said: quote:Current Management Point is SCCM-SERVER.HORSE.COM with version 6221 and capabilities: <Capabilities SchemaVersion="1.0"/>. quote:Current Management Point is with version 0 and capabilities: . These errors do not appear on clients in HORSE. I would guess it is because they do not have to look for the SLP, since they find the info they need in AD. On the SCCM server firewall I have 80 and 443 poked (the canned IIS rules) Suggestions?
|
|
#
?
Jun 29, 2011 16:55
|
|
|
lol internet. posted:http://www.oracle.com/technetwork/database/windows/downloads/index-090165.html I am not registered, but I did not realize it was a vendor provided batch file. In that case I would probably throw the whole thing in a package and call the batch.
|
|
#
?
Jun 29, 2011 16:56
|
|
|
And now for something completely different! I have a program that is mostly self-contained in the install folder, and of course, it has to install in c:\program\. There is a DLL or two that gets installed to the Windows folder. However, as long as the program has been installed on a computer, I can copy the install directory and put it somewhere else without needing to re-install. I want to have this program on my Remote Desktop Server, but since it keeps the configuration files in the install directory (and each person logging in might want different configuration settings), I can't just install it normally and let people at it. What's the best way to handle this? One option would be to install it in each person's profile. Or, is it possible to create a symlink from c:\program\conf\ (where all the configuration files are) to %appdata%, and create a copy of those configuration files for each person that logs on? I'm leaning toward no, as I don't think symlinks can point different places at the same time. Ideas? quackquackquack fucked around with this message at 20:23 on Jun 29, 2011 |
|
#
?
Jun 29, 2011 20:20
|
|
|
I have some Windows licensing questions. The licensing thread was archived, so I hope this is a good place for them. How do small-medium size business handle Windows licenses? I'm coming from an all XP environment with a VLK, and everything is pretty simple. We have about 100 PCs, all running XP. 75% of them have been bought about 5 at a time over the last 2-3 years, all with Vista Home or 7 Home. The other 25% are 8+ years old and will be replaced. Should we get OEM Pro licenses with the new PCs, get upgrade licenses for the rest of them, and then get the OEM licenses for any future machines? Or, should we buy the new ones with 7 Home, and get upgrade licenses for all of them? How are these licenses handled and managed compared to XP's volume license key? How would either type of license affect our ability to deploy workstations through imaging? Would we need to remember which PCs had an OEM license and go type it in off the sticker each time it was imaged? Licensing makes my head hurt, so I appreciate any advice.
|
|
#
?
Jun 30, 2011 00:23
|
|
|
^^^^^^^^^ Are you looking to setup automated imaging/package deployment? How are you going to handle office? Because if you want to bundle office + windows 7 + imaging you're best off getting some form of volume licensing from microsoft, the cost will be comparable probably to just buying OEM office + windows and you'll save yourself the headaches of keeping track of a million keys. No matter what you will pay for the OEM 7 licenses though, so just accept that. quackquackquack posted:I recently upgraded from SCCM SP1 to SCCM SP3 (note: no R2/R3). Everything appeared to go peachy keen, except now a bunch of my clients are not reporting back. Little bit over my head but for our remote SCCM clients on non-domain PCs I remember we had to install SSL certificates on them before deploying them, because the default certificate wouldn't be trusted otherwise. Something like that, sorry it was a few years ago and not something I deal with myself. Now I think we just put a internet facing MP with a FQDN and a wildcard SSL cert E: HAHAH just looked, more ghetto than that. We added the MP's local DNS name to the hosts file 
adaz fucked around with this message at 04:24 on Jun 30, 2011 |
|
#
?
Jun 30, 2011 03:53
|
|
|
Cpt.Wacky posted:I have some Windows licensing questions. The licensing thread was archived, so I hope this is a good place for them. Why would you buy double licenses? Purchase Pro OEM licenses on your machines (it's cheaper this way) buy one VLK license for ease of installation and have at it. If you need SA then you're required to buy something that's 'upgradeable'.
|
|
#
?
Jun 30, 2011 16:59
|
|
|
Nebulis01 posted:Why would you buy double licenses? Purchase Pro OEM licenses on your machines (it's cheaper this way) buy one VLK license for ease of installation and have at it. If you need SA then you're required to buy something that's 'upgradeable'. I forgot to mention that we qualify for the Open License for Charity too. From Dell it looks like adding 7 Pro is $45. The price we can get for the charity license w/o SA is $58. I'm just trying to figure out the pros and cons between buying 25 PCs with OEM 7 Pro, and 75 7 Pro open license for charity versus buying 25 PCs with OEM 7 Home and 100 7 Pro open license for charity. Since we'll be adding more PCs over time in the future it sounds like we might as well only get the volume licenses for the PCs we already have, and the OEM licenses for anything new. Will I need to keep track of which PCs have OEM licenses and remember to go put the license key in when it gets imaged? We're definitely getting Office through the Open License for Charity since it's dramatically cheaper. We're going to continue using WPKG to install software, including Office, so all I need from imaging is a quick way to get the base OS installed with the right drivers.
|
|
#
?
Jun 30, 2011 17:21
|
|
|
Cpt.Wacky posted:so all I need from imaging is a quick way to get the base OS installed with the right drivers. Windows deployment services.
|
|
#
?
Jun 30, 2011 17:31
|
|
|
Trying to do imaging with mixed licenses will be a pain in the rear end. Nitr0 is right about using WDS, but I would strongly, strongly recommend using MDT (Microsoft Deployment Toolkit), which can use WDS for the actual transport portion of the deployment.
|
|
#
?
Jun 30, 2011 19:01
|
|
|
quackquackquack posted:Trying to do imaging with mixed licenses will be a pain in the rear end. Can you go into more detail about why? How do larger businesses handle this when they buy additional new computers?
|
|
#
?
Jun 30, 2011 21:27
|
|
|
Cpt.Wacky posted:Can you go into more detail about why? You buy the absolute cheapest OEM copy of windows available for those PCs and then when you get the PCs image them with 7 enterprise or whatever you bought.
|
|
#
?
Jun 30, 2011 21:51
|
|
|
adaz posted:You buy the absolute cheapest OEM copy of windows available for those PCs and then when you get the PCs image them with 7 enterprise or whatever you bought. Ok, so say I have 100 PCs and a volume license for 100 copies of 7 Pro. Six months later we buy 1 more PC (or 5, or 10). I call up my reseller and ask for what exactly? Can I just buy more copies that add on to this volume license whenever I need to?
|
|
#
?
Jun 30, 2011 23:39
|
|
|
Cpt.Wacky posted:Ok, so say I have 100 PCs and a volume license for 100 copies of 7 Pro. Six months later we buy 1 more PC (or 5, or 10). I call up my reseller and ask for what exactly? Can I just buy more copies that add on to this volume license whenever I need to? Typically you true up at the end of your fiscal year. Your VLK is probably good for many thousands of actual licenses, at the end of the year they'll ask you how many PCs you have and you pay that amount. So you never have to deal with it outside the true up and initial setup. Typically nowadays they also license by user not computer as well, so you can have 3 computers licensed to yourself or whatever, handy for people who have laptops. The actual nuts and bolts of the volume licensing agreements can get complicated. adaz fucked around with this message at 00:08 on Jul 1, 2011 |
|
#
?
Jul 1, 2011 00:05
|
|
|
adaz posted:Typically you true up at the end of your fiscal year. Your VLK is probably good for many thousands of actual licenses, at the end of the year they'll ask you how many PCs you have and you pay that amount. So you never have to deal with it outside the true up and initial setup. Typically nowadays they also license by user not computer as well, so you can have 3 computers licensed to yourself or whatever, handy for people who have laptops. No kidding. Part of the reason I put this off for so long is how frustrating it can be to figure out what to buy. From what I read this afternoon, it sounds like you're describing the Open Value model and that makes sense for commercial businesses. The Open License for Charity only seems to have the "transactional" model, which I guess means we buy what we want when want. Thanks for the help. I'm going to bug my reseller about it.
|
|
#
?
Jul 1, 2011 00:23
|
|
|
adaz posted:You buy the absolute cheapest OEM copy of windows available for those PCs and then when you get the PCs image them with 7 enterprise or whatever you bought. Why not buy systems with no OS like N-series Dells?
|
|
#
?
Jul 1, 2011 01:05
|
|
|
The Enterprise VLKs you buy are only for "upgrade", ie: computer that were purchased with some form of Windows. I have no clue what we pay for our Windows licenses. To me, they're unlimited. So when I purchase new PCs from Dell, I buy them with Vista Home Basic to save a couple bucks on each PC.
|
|
#
?
Jul 1, 2011 01:52
|
|
|
bear shark posted:Why not buy systems with no OS like N-series Dells? From what I recall N-series aren't any cheaper than normal ones with the OEM licenses and per law we have to buy OEM licenses with our PCs. Long story, government, but our PCs go to sale at auction for public once we're done with them and they have to come with a windows license for some ~law reason~ above my paygrade. Also as quackquack said the VLKs are usually technically upgrade licenses as far as I know.
|
|
#
?
Jul 1, 2011 07:02
|
|
|
Makes sense I guess - we're academic and we just have N-series OptiPlexes and a KMS that activates any Professional or Enterprise variant. Don't really know the details (someone else is our licensing wizard) but it works for us. 
|
|
#
?
Jul 2, 2011 05:40
|
|
|
so if I want to restrict 3 machines on the domain from being able to access the internet, am I going to have to make a complex series of policy objects to make it happen? I was thinking the following: disable ie/proxy server to local network only, maybe a squid server that only gives local access or something disable USB ports in the bios (no chrome on a stick) and then we'd be good and have a locked down machine that would only be able to run the single program installed on it and nothing else? Is there a better way to do this? I don't have time (and neither do the stupid users) to flatten and start over with a machine when these idiots get a virus or malware and since they're editing video antivirus isn't great. They can get another machine in the room they can gently caress up all they want, just not my edit machines.
|
|
#
?
Jul 4, 2011 20:58
|
|
|
Group policy that cuts down everything on the computer except a few desktop icons that are pushed out via policy as well. Software restrictions also would help if you're paranoid. Login as a standard user with limited rights. Think of the computers like a remote desktop session that would be totally locked down. If users can't launch IE, install programs, or plug in a USB drive it would be pretty hard to do anything, right?
|
|
#
?
Jul 5, 2011 05:27
|
|
|
I assume when you say "access the internet", you mean "access websites we don't want them to"? See if you can solve the problem somewhere other than the GPO level. Do you have control over the network?
|
|
#
?
Jul 5, 2011 13:14
|
|
|
"Roaming Profiles" is forever tainted around here, even though nobody has ever used them. "Folder Redirection" is too difficult to explain, and not catchy enough. What can I use to pitch Roaming Profiles with extensive Folder Redirection (as per the thread here in the SH/SC)? I was thinking "Cloud Profiles". Makes me throw up in my mouth a little, but VPs tend to understand how GMail works, and they've been reading about clouds in random ads. I've also been using the Outlook OST concept to help explain it. Still worried about making it over the "VP support" hurdle.
|
|
#
?
Jul 5, 2011 17:44
|
|
|
quackquackquack posted:"Roaming Profiles" is forever tainted around here, even though nobody has ever used them. "Folder Redirection" is too difficult to explain, and not catchy enough. Are you doing full system level backups? Could I guess also unleash a godawful can of worms, but pitching the ability to just walk over to another computer, login and have your desktop, settings, files, etc all waiting for you if your PC died worked pretty well for us in the past.
|
|
#
?
Jul 5, 2011 17:46
|
|
|
Trying explaining it as a version 2.0 or version 5.0 or whatever if you want, but use the correct name. Using some fancy buzzword thing will probably bite you in the rear end down the road when it slips that it's still just roaming profiles. Explain the benefits over the older versions with a quick comparison slide of the changes that impact performance and whatnot. Dial the experience to the technical level of your management and then take it one step further so it's like some sort of voodoo they don't really understand, but will want to look like they do, so they approve it. VPs will likely care most about user productivity, lessened support, or some other cost impact, so gear everything towards that.
|
|
#
?
Jul 5, 2011 17:54
|
|
|
quackquackquack posted:I assume when you say "access the internet", you mean "access websites we don't want them to"? I mean literally, I don't want them using a computer that is designed for their specific job purpose (ie: running editing software) doing anything that is not part of their job, ie: any web browsing of any kind, running anything I didn't install and all that crap. I'd be fine with network access restrictions but I don't want them finding clever ways around it if they're grumpy about not being able to facebook on a work machine. The real reason is simply that I can't have them get malware on these machines and Windows being Windows it's really loving tough to do that unless it can't hit the internet at all. I don't know that I have control over the network (I can ask for things to change or get configured but I don't know that it'd be approved) but I definitely have control over the machines.
|
|
#
?
Jul 6, 2011 00:34
|
|
|
Telex posted:I mean literally, I don't want them using a computer that is designed for their specific job purpose (ie: running editing software) doing anything that is not part of their job, ie: any web browsing of any kind, running anything I didn't install and all that crap. There are dozens of ways of doing what you want, but there are also dozens of ways of getting around them. What are these PCs functions, and why is it so terrible if they get malware (they running Avid or something?) There might be another solution for you...
|
|
#
?
Jul 6, 2011 01:40
|
|
|
That's why I asked about whether you have control over the network. Doing this at PC level sucks. If you cut off the ability to "access the internet" (which is too vague to be a useful statement) how do they run Windows Updates? Do you have your own WSUS, or do they normally connect directly to MS? How do people get data onto the PCs? Do they need to perform any tasks that require access to websites? Tutorials? Schedules? Other?
|
|
#
?
Jul 6, 2011 03:07
|
|
|
To the roaming profiles guy: Microsoft calls roaming + folder redirection "user state virtualisation". It sits atop the other desktop technologies like med-v and RDS. E- test the ever-loving poo poo out of it first.
|
|
#
?
Jul 6, 2011 07:12
|
|
|
I've come to the conclusion that installing Flash without a reboot sucks, so I'm going to force a reboot on all the machines Friday night, then later on install the updates, all with SCCM. A task sequence would probably be best, but I like being able to check the status of a specific advertisement, and if I use a task sequence the "advertisement" for an individual program will never run, so it won't show up in those reports. I can't really find any other report I would run to see if a program has run successfully on a machine. I'll probably set the task sequence to continue on error, so I'd really like to be able to see if anything fails come Monday morning. I could just advertise a reboot and then advertise the software, but I can't guarantee the reboot would happen before the software install (unless I made the reboot a package/program/advertisement, and then made all the packages depend on that advertisement first). Any thoughts geniuses?
|
|
#
?
Jul 6, 2011 17:12
|
|
|
|
| # ? Apr 26, 2024 22:08 |
|
|
Could you use a script to install it on shutdown?
|
|
#
?
Jul 7, 2011 02:46
|
|