Helmet Jap
Dec 25, 2004

Noeeee!
Jappu Trappuu!
My boss keeps on buying Dell machines with OEM licenses (we buy machines as we need). I cannot convince him to just go VL so that is a losing battle.

Our company: about 300 people with 5 different configurations (almost all windows 7 users)
Technology: We currently use Ghost 2.5

what we want: use minimum WDS as I hear wonderful things about it. possibly SCCM

is there any logical way of achieving an easy to maintain imaging/deployment in our case? I keep on reading that unless you have Volume License, you are kind of screwed. the only way to get around it is to purchase 1 VL (but only can be sysprepped twice or something like that)

I don't even use sysprep on ghost 2.5 :(

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

Helmet Jap posted:

My boss keeps on buying Dell machines with OEM licenses (we buy machines as we need). I cannot convince him to just go VL so that is a losing battle.

Our company: about 300 people with 5 different configurations (almost all windows 7 users)
Technology: We currently use Ghost 2.5

what we want: use minimum WDS as I hear wonderful things about it. possibly SCCM

is there any logical way of achieving an easy to maintain imaging/deployment in our case? I keep on reading that unless you have Volume License, you are kind of screwed. the only way to get around it is to purchase 1 VL (but only can be sysprepped twice or something like that)

I don't even use sysprep on ghost 2.5 :(

I don't entirely understand the licensing we have, but it requires that the machine already have a valid Windows license. Then we can install any Windows we want on the machine, and we can buy the cheapest Windows Dell will sell us, usually Vista Business or something like that.

With only five configurations, you're a prime candidate for SCCM. What are his objections to a new licensing scheme? Is it money? If so figure out how much time you're spending rebuilding a single machine, turn that into dollars (see if you can get your salary+benefits into the cost, not just salary) and compare that to the 3 minutes you'll spend imaging a machine with SCCM.

Ifan
Feb 21, 2006
The Nice Operator from Heaven
Just to verify; Are you talking about flash player?
If so, you can:
A: Set the program to reboot the computer after it's done running. No need for a task sequence.
B: Make a script that does the same thing, or better. Just remember to make sure that the script exits with the installer's exit code when it's done (so the reports will be accurate)

Installing/updating flash player without a reboot is not an issue, as long as you make sure that no dependent application is running during the install/update (Browsers come to mind). If a browser is running, windows installer will handle it by either killing the application, or waiting until the computer reboots. The latter will make the application live in a "limbo" where it's half-installed until next boot.

In my enterprise, we have no regular usage-times or maintenance windows for client computers. We can't just kill people's browsers without a fair warning, or let them live in the aforementioned limbo.
As a result of this, I had to develop a PowerShell script which checks if the user is running any browsers that will make the installation want to reboot/force close.

The logic is fairly simple:
-If a browser isn't running, everything is fine and the installation/update will go silently.
-If browsers are running, a messagebox will appear, giving the user a 60 minute countdown to close any browsers. If the user closes his browser, installation/update (with progress bar) will begin immediately.
-If it times out, browsers will be forcibly killed and the installation/update will begin.

The only negative side to this is that you have to turn on "allow users to interact..." in the SCCM program. A blank powershell window will be up for about 1-2 seconds, until it manages to initialize and understand that it's supposed to be hidden. Some users manage to close the window in that short time-frame, which will stop the installation and make it spit out a weird exitcode. This isn't a big problem though, since you can set the advertisement to rerun if failed.
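Added example, not Ifan's script or anything else from the thread: one way to implement the flow described in the post above in PowerShell, including passing the installer's exit code back so the deployment reports stay accurate. The MSI path, log path, browser process names and the single timed notice (instead of a live countdown dialog) are assumptions, and it expects to run in the user's session with interaction allowed.

```powershell
# Added example: wait for browsers to close, then install silently and hand
# the installer's exit code back to the deployment tool.
# All default values below are placeholders, not values from the thread.
param(
    [string]$MsiPath      = 'C:\Deploy\flash_player.msi',         # hypothetical package path
    [string]$LogPath      = 'C:\Windows\Temp\flash_install.log',  # hypothetical log path
    [string[]]$Browsers   = @('iexplore', 'firefox', 'chrome'),   # process names, no ".exe"
    [int]$GraceMinutes    = 60,
    [int]$PollSeconds     = 10
)

function Get-RunningBrowser {
    # Returns nothing (which is falsy) when none of the named processes exist.
    Get-Process -Name $Browsers -ErrorAction SilentlyContinue
}

if (Get-RunningBrowser) {
    # One-time notice. Popup returns when the user clicks OK or after 30 seconds,
    # so a user who walks away cannot block the update forever.
    $shell = New-Object -ComObject WScript.Shell
    $text  = "A software update needs your web browser closed. " +
             "Any browser still open in $GraceMinutes minutes will be closed automatically."
    $null  = $shell.Popup($text, 30, 'Software update', 48)   # 48 = warning icon, OK button

    # Start as soon as the user closes the browser, or give up at the deadline.
    $deadline = (Get-Date).AddMinutes($GraceMinutes)
    while ((Get-RunningBrowser) -and ((Get-Date) -lt $deadline)) {
        Start-Sleep -Seconds $PollSeconds
    }

    # Timed out: force-close whatever is still running so the install
    # does not end up waiting for a reboot.
    Get-RunningBrowser | Stop-Process -Force -ErrorAction SilentlyContinue
}

# /qn = no UI, /norestart = never reboot on our own, /l*v = verbose log for troubleshooting
$msiArgs = "/i `"$MsiPath`" /qn /norestart /l*v `"$LogPath`""
$proc    = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
$code    = $proc.ExitCode

switch ($code) {
    0       { Write-Output 'Install succeeded.' }
    3010    { Write-Output 'Install succeeded, reboot required to finish.' }
    1618    { Write-Output 'Another installation is in progress; rerun later.' }
    default { Write-Output "Install failed with exit code $code; see $LogPath" }
}

# Exit with msiexec's own code so the deployment tool records the real result.
exit $code
```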

Cpt.Wacky
Apr 17, 2005
With WPKG we have the flash installation run when the system boots up, and it kills any browser processes just to be sure. Works fine, except for those users who never turn off or log out of their PCs.

Ifan
Feb 21, 2006
The Nice Operator from Heaven

Cpt.Wacky posted:

With WPKG we have the flash installation run when the system boots up, and it kills any browser processes just to be sure. Works fine, except for those users who never turn off or log out of their PCs.

Yeah, that's part of our problem. People just put the laptops into sleep/hibernation and go.

sanchez
Feb 26, 2003

Helmet Jap posted:

the only way to get around it is to purchase 1 VL (but only can be sysprepped twice or something like that)



This is true, you can buy one volume license and use it to deploy all of your machines as long as their oem license is for the same version of windows as the volume one.

I'm not aware of any limitations, you might have to call MS sometimes to get them to reset the activation count, but it's a supported thing

http://download.microsoft.com/download/6/A/1/6A1647EE-3FC7-47F2-9AFE-470AD5E5D856/OEMSoftwareLicensingRulesandRestrictions.pdf

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

Ifan posted:

Just to verify; Are you talking about flash player?
If so, you can:
A: Set the program to reboot the computer after it's done running. No need for a task sequence.
B: Make a script that does the same thing, or better. Just remember to make sure that the script exits with the installer's exit code when it's done (so the reports will be accurate)

Installing/updating flash player without a reboot is not an issue, as long as you make sure that no dependent application is running during the install/update (Browsers come to mind). If a browser is running, windows installer will handle it by either killing the application, or waiting until the computer reboots. The latter will make the application live in a "limbo" where it's half-installed until next boot.

That has not been my experience. Even if I run the MSI myself by double clicking it, it bombs out with a weird error, it doesn't hold it in limbo, it just fails, until the program is run again. So rebooting after the install won't do anything, because by then the install has already failed.

Megiddo
Apr 27, 2004

Unicorns bite, but their bites feel GOOD.
Can you just use the .exe Flash installers? I believe the silent install switch for those is just /install or -install. Just do a taskkill /IM with iexplore.exe and firefox.exe to kill the browser processes before running the installer.

Ifan
Feb 21, 2006
The Nice Operator from Heaven

FISHMANPET posted:

That has not been my experience. Even if I run the MSI myself by double clicking it, it bombs out with a weird error...

Haven't experienced this before, but I don't use Adobe's plain MSI files either. Some property is probably set to make it default to stop the installation instead of finish it after a reboot. Try enabling logging for the installation (msiexec /i "foo.msi" /qb /l*vx "C:\foo.log") and upload it somewhere for me to look at.

FISHMANPET posted:

Can you just use the .exe Flash installers?

To both of you;
I would advise against using Adobe's plain MSI/EXE installers etc. Unless all your users have administrative rights to their workstation and actually update their applications themselves, you will need to disable stuff like automatic updates (because it won't work) and set other default values. For the MSI file, this can be done by making a transform file which you apply "on top" of the MSI during installation.
Check out appdeploy.com for some tips on how to do this, as it's a bit too much to explain in a single forum post.

Megiddo
Apr 27, 2004

Unicorns bite, but their bites feel GOOD.
I maintain a computer lab and manually deploy new Flash versions via Altiris, usually within a day or two of their release, and I've never seen our lab machines pop up a flash update notification.

But I guess it couldn't hurt to disable updates just in case. Looking on appdeploy.com it seems that some people are saying mms.cfg file doesn't work in Windows 7, but I don't see anything about applying a transform to disable updates. I also don't see anything obvious when looking at the MSI in Orca. Do you have a link to an appdeploy thread or page on that?

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy
I just felt like sharing the crappiest network ever which I've inherited as the new lan admin at a hospital, and if anyone has advice that'd be great too.

We have about 150 XP machines, and Windows 2003. Corporate in their infinite wisdom are making us switch to an entirely new domain with only a single 2k3 domain controller, but the clients still need shortcuts and drives from the old domain (plus the DNS will no longer resolve). Our DHCP server won't work with our absurd Catalyst configuration (and corporate won't let us manipulate it) so we said gently caress it and changed all 150 clients to Static IP's and carry a spreadsheet now.

Startup scripts run whenever the gently caress they feel like. A new script put into active directory might run instantly or 6 hours later. I used some wacky hack to get Server 2008's Group Policy Preferences running on all the XP clients, administrated from a non-server Windows 7 box. Likewise, these also take effect whenever they want. Oh, of the 150 PC's, we have over 20 different models and brands, and somehow their local security policies are all drastically different from each other. A couple of them have turbo buttons. Also 20 models of printer. Also, I have no extra workstations left after frankensteining the spares to replace busted ones. We've been waiting on a shipment of more for the past 4 months and the company is complaining about the price for 20 lousy Dells.

Management Questions:

1) I have a lot of "All Users" shortcuts to change. Is there an app that can let me bring up all of the C$ shares from say a list of IP's and replace every instance of a file on every one of those local hard drives at once?

2) A lot of crap is installed on older workstations, like uh, Lotus Notes. Is there a group policy to uninstall that garbage even if I can't find an MSI?

3) Is there some kind of hardware independent XP image that I could load on every last workstation that can play nice with group policy and be completely user-proof?

Sorry if this is all stream-of-consciousness. I'm a temp employee, and my boss and I are the only two IT's at a 700 user, 150 workstation hospital. Basically GPO and Scripts run so drat inconsistently that ANYTHING we change is typically done by hand for every last PC.

EDIT: Best part... the entire active directory forest has full permissions... any dumbass could take out 60,000 (seriously) employees with a stray right-click.

Zero VGS fucked around with this message at 19:37 on Jul 8, 2011

devmd01
Mar 7, 2006

Elektronik
Supersonik
1. Super easy with vbscript/powershell and a text input file.
2. Find the install GUIDs, write a script to call msiexec /x for each guid. EDIT: Misread. Manual folder, registry tree, and shortcut deletion with a script may be an option, depending on how involved the app is.
3. Yes, start from scratch. You will need one of every machine type to build for your reference machines, since it's XP. MDT may be able to do this so you don't need reference; I haven't messed around with that functionality as I have one of each hardware type sitting on a shelf for this purpose.

Ifan
Feb 21, 2006
The Nice Operator from Heaven

Megiddo posted:

Windows 7, but I don't see anything about applying a transform to disable updates. I also don't see anything obvious when looking at the MSI in Orca. Do you have a link to an appdeploy thread or page on that?

I haven't made the flash player transforms myself, so i don't have any information on exactly which settings needs to be set right now.
I'll split the transform open on Monday and let you know.

Zero VGS posted:

1) I have a lot of "All Users" shortcuts to change. Is there an app that can let me bring up all of the C$ shares from say a list of IP's and replace every instance of a file on every one of those local hard drives at once?

Group Policy preferences sounds like your best bet for this. You clearly know the drill about the CSEs for XP clients etc. I'd check the event logs and RSOP on your clients to see what goes wrong. If it isn't applying, something is probably set horribly wrong ;)
Or you could just make a script to do it for you :D

Zero VGS posted:

2) A lot of crap is installed on older workstations, like uh, Lotus Notes. Is there a group policy to uninstall that garbage even if I can't find an MSI?

Find the product code (it's a GUID, should be located in HKLM\Software\Microsoft\Windows\Currentversion\Uninstall) and run msiexec /x {GUID} /qn for a silent uninstall. You can also find uninstall strings for non-Windows Installer applications here as well. Just play with the switches if you want it done silently.


Zero VGS posted:

3) Is there some kind of hardware independent XP image that I could load on every last workstation that can play nice with group policy and be completely user-proof?

There are many options here depending on what you really want to do. The easiest solution is probably to just use them as thin clients.
Any other option probably requires more work. I know that the stripped-down XP image on hirens boot CD works nicely with most hardware I've come across. Maybe you could modify it/create something similar to it that suits your needs?
MDT has auto-apply driver capabilities as well, but I haven't tried it myself.
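Added example, not from Ifan or anyone in the thread: a PowerShell sketch of the product-code lookup described in the post above. It searches the Uninstall key for a display name, shows the silent `msiexec /x {GUID} /qn` command for MSI-based entries, and only removes anything when `-Remove` is given. The `*Lotus Notes*` pattern is a placeholder, and the extra Wow6432Node key (32-bit applications on 64-bit Windows) is an addition the post does not mention.

```powershell
# Added example: find uninstall entries by display name and, optionally,
# remove the MSI-based ones silently. Run elevated.
param(
    [string]$NamePattern = '*Lotus Notes*',   # placeholder search pattern
    [switch]$Remove                            # without this switch nothing is uninstalled
)

$roots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# MSI product codes are registry-format GUIDs used as the subkey name.
$guidPattern = '^\{[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}$'

function Get-UninstallEntry {
    param([string]$Pattern)
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }   # Wow6432Node is absent on 32-bit Windows
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty $key.PSPath
            if ($p.DisplayName -notlike $Pattern) { continue }

            # Treat it as an MSI product only if the key is a GUID and the
            # WindowsInstaller flag is set; otherwise fall back to the
            # vendor's own UninstallString.
            $isMsi = ($key.PSChildName -match $guidPattern) -and ($p.WindowsInstaller -eq 1)
            $cmd = if ($isMsi) { "msiexec.exe /x $($key.PSChildName) /qn /norestart" }
                   else        { $p.UninstallString }

            New-Object PSObject -Property @{
                Name    = $p.DisplayName
                Version = $p.DisplayVersion
                Key     = $key.PSChildName
                IsMsi   = $isMsi
                Command = $cmd
            }
        }
    }
}

$entries = @(Get-UninstallEntry -Pattern $NamePattern)
if ($entries.Count -eq 0) {
    Write-Output "No uninstall entry matches '$NamePattern'."
    exit 0
}

# Always show what was found so the match can be reviewed before removal.
$entries | Select-Object Name, Version, IsMsi, Command | Format-List

$worst = 0
if ($Remove) {
    foreach ($e in $entries) {
        if (-not $e.IsMsi) {
            # Non-MSI uninstallers have vendor-specific silent switches; do not guess them.
            Write-Output "Skipping '$($e.Name)': not an MSI product, review its UninstallString manually."
            continue
        }
        $proc = Start-Process -FilePath 'msiexec.exe' `
                    -ArgumentList "/x $($e.Key) /qn /norestart" -Wait -PassThru
        Write-Output "'$($e.Name)' uninstall exit code: $($proc.ExitCode)"
        # 0 = success, 3010 = success with reboot pending; anything else is a failure.
        if (($proc.ExitCode -ne 0) -and ($proc.ExitCode -ne 3010)) { $worst = $proc.ExitCode }
    }
}
exit $worst
```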

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy
Awesome advice guys, I appreciate it.

1) With Group Policy Preferences, I'm running them on a standalone Windows 7 workstation and if I do something simple like create a new OU, I won't see it on the server's ADUC or AD Group Policy Editor for like a half hour. It's really hard to test anything like that. Sites and services "Replicate Now" is supposed to fix that right? Or do I need something else because the Win7 PC isn't a domain controller?

2) I was looking into thin clients, but that does mean I'd need to buy like 100 terminal server licenses, correct?

3) Oh yeah, whoever set up this network five years ago didn't know what folder direction was. I'm trying to get it going retroactively but the server won't always scoop up the files from a user's Profile. Is there a trick to this, or should I just move it all manually when there's issues?

I actually do have the Hirem Mini XP thing on a USB drive, I'll check into that. I mean, I don't know if it's exactly kosher to roll it out for our company even if we have an XP volume license for everything. It might be considered :filez:, I dunno.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

Zero VGS posted:

Awesome advice guys, I appreciate it.

1) With Group Policy Preferences, I'm running them on a standalone Windows 7 workstation and if I do something simple like create a new OU, I won't see it on the server's ADUC or AD Group Policy Editor for like a half hour. It's really hard to test anything like that. Sites and services "Replicate Now" is supposed to fix that right? Or do I need something else because the Win7 PC isn't a domain controller?

2) I was looking into thin clients, but that does mean I'd need to buy like 100 terminal server licenses, correct?

3) Oh yeah, whoever set up this network five years ago didn't know what folder direction was. I'm trying to get it going retroactively but the server won't always scoop up the files from a user's Profile. Is there a trick to this, or should I just move it all manually when there's issues?

I actually do have the Hirem Mini XP thing on a USB drive, I'll check into that. I mean, I don't know if it's exactly kosher to roll it out for our company even if we have an XP volume license for everything. It might be considered :filez:, I dunno.

I inherited two departments, one department just in the other's domain. Once I pull the second department out into their own domain, I'm going to :pt: the original domain and start from scratch.

The poo poo they've done to that domain, I don't even know...

LoKout
Apr 2, 2003

Professional Fetus Taster

Zero VGS posted:

*stuff*

1) You're probably not pointing at the local DC. By default, Group Policy Editor points to one of the FSMO holders - can't remember which off-hand. Point it locally and you'll see faster (instant) updates.

2) You'll need to buy some sort of additional licensing. Thin clients aren't cheaper than traditional desktops, they just change the administration techniques.

3) Sometimes it takes a few reboots for the redirect policies to stick. Try running gpupdate /force and reboot. Rinse and repeat if it didn't work. It can also not work right if permissions on their profile share are jacked up, so verify that.

Honestly it sounds like you have a few problems, but many could be fixed by a more knowledgeable administrator. No offense meant, but you need to go take some classes or network with some other techies in the area to learn your trade a bit better. You and your users will be much better for it.

Nitr0
Aug 17, 2005

IT'S FREE REAL ESTATE

Zero VGS posted:

so we said gently caress it and changed all 150 clients to Static IP's and carry a spreadsheet now.

...

Ifan
Feb 21, 2006
The Nice Operator from Heaven
Had 5 minutes to check out the Adobe Flash Player transform today. Without going into too much detail, it basically switches out the files "mmc.cfg" and "settings.sol" to disable automatic updates.

Megiddo
Apr 27, 2004

Unicorns bite, but their bites feel GOOD.
Thanks, but that's a bit more complicated than I was looking for - I've never manually transformed an MSI, but I'll have to give it a try sometime. For now I'd probably want to just copy the files via a batch script just so it's completely obvious what's happening (I'm pretty sure I'm the only one who even has Orca installed on their computer).

kapinga
Oct 12, 2005

I am not a number
I don't know if this is the right thread for this, but it's more "enterprise" than anything else.

What do you all use for managing updates on "mission critical" network accessible servers like a domain controller? That is, how do you keep such computers secure, without rebooting them for every patch Tuesday?

I'm in a research group looking at buying a server grade computer (with redundancy, etc) to operate some of our testing equipment. The primary reason is so that the computer can be on continuously, without crashes or required reboots. We currently use consumer grade PCs (not my purchase) which are not able to stay on for more than a week, it seems.

I know one option is to leave the computers disconnected from the internet, but the convenience of automatically backing up our data to a remote storage drive as it's collected is incredible (in addition, it removes the need for virus-spreading USB drives). Therefore, I also want to know what my options are for keeping things secure while network connected.

What I would like to know is: how do you all keep such computers secure? We're on a university network, so I don't have many options for a hardware firewall - although it's a possibility if required. I know how to configure a Windows to make browsing the internet difficult, but "remote code execution" attacks scare me. Do most of those attacks require user interaction, or can affected computers be attacked just by sitting on the network?

Thanks for any advice you have, and please point me in another direction if this thread isn't appropriate for such questions.

Cpt.Wacky
Apr 17, 2005

kapinga posted:

What do you all use for managing updates on "mission critical" network accessible servers like a domain controller? That is, how do you keep such computers secure, without rebooting them for every patch Tuesday?

What is the reason you don't want to reboot? Is there any way you can design around it?

The main risks are services that listen for connections, people using the machine and executing code (drive-by attacks from websites) and people plugging things into it like USB flash drives.

If it's only used for a specific purpose with physical access secured, you use the built-in software firewall, and turn off any unnecessary external services then it would be reasonably secure. But unpatched servers are a bad idea, so avoid doing this if at all possible.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Reboot at night. Most vital Microsoft services can be split among multiple machines, so if one machine goes down, others pick up the slack.

LoKout
Apr 2, 2003

Professional Fetus Taster

kapinga posted:

What do you all use for managing updates on "mission critical" network accessible servers like a domain controller? That is, how do you keep such computers secure, without rebooting them for every patch Tuesday?

Buy two servers to run the same service and don't reboot them at the same time. Otherwise, put them in lockdown so hard that they will never see the light of day (or internet). You have to understand there is a tradeoff between secure and usable, and at some point it will be unusable but very secure.

An alternative would be virtualization (with snapshots taken regularly) or amazing backups. If your server is compromised a restore to pre-compromised state would be used to bring it back online. This is not a good idea, but something that I've seen implemented before in a pinch.

Ifan
Feb 21, 2006
The Nice Operator from Heaven

Megiddo posted:

(I'm pretty sure I'm the only one who even has Orca installed on their computer).

If you guys have the time, money and willingness to learn windows installer i'd recommend Adminstudio for customizing vendor MSIs and repackaging applications.
There's also a free edition for those who use novell zenworks or SCCM, but it's very limited in terms of functionality.

You can also find companies who will do this for you. You essentially subscribe to a catalog of applications. All applications will be delivered customized and deployment friendly. When an update comes around, they will deliver the update, and also make sure that it plays nice with any old versions installed. In theory, all you have to do is to remove the old version out of deployment, and put the new version in. I always do some testing first though.

I get the best of both worlds by having a subscription to the stuff that gets updated most frequently, and then repackage/make poo poo work/customize anything else myself.

LoKout
Apr 2, 2003

Professional Fetus Taster
Any mentions of what companies provide packaging service? That seems like a really useful card to play if necessary.

Ifan
Feb 21, 2006
The Nice Operator from Heaven
We use Atea. They do both the catalog stuff and they also do custom repackaging work. They do good work and know what they are doing. Can't tell you about anyone else though. You could check out the appdeploy forums, there ought to be some companies advertising there.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy
I actually use Orca, it's loving obnoxious how huge companies can't put together a working MSI file. We dropped a grand on 50 sophos av seats and the guys shrugged at me when their msi threw up in my event log.

Oh, and why only 50? The company said seats for every PC was too expensive so "hey here's 50"; now I have three systems to support. CA etrust which is the corporate prescribed av that doesn't catch poo poo, 50 sophos licenses, and Microsoft security essentials doubled up on everything else just so I can keep patient information safe from keyloggers, which people have caught. gently caress this place.

kapinga
Oct 12, 2005

I am not a number

Cpt.Wacky posted:

What is the reason you don't want to reboot? Is there any way you can design around it?

The main risks are services that listen for connections, people using the machine and executing code (drive-by attacks from websites) and people plugging things into it like USB flash drives.

If it's only used for a specific purpose with physical access secured, you use the built-in software firewall, and turn off any unnecessary external services then it would be reasonably secure. But unpatched servers are a bad idea, so avoid doing this if at all possible.

Unfortunately, this computer is controlling a physical piece of equipment, on which we run a number of (electrochemical) test cells. Since each unit can test multiple cells at once, there's pretty much at least one cell running at any one time. And since these tests can run for (potentially) hundreds of hours, it's difficult to schedule reboots in advance (nobody pays attention to "this computer will be rebooted a week from Saturday"). And, because the software & firmware of the equipment isn't very good, there's no way we'd be able to transfer control from one computer to another during a reboot.

Still, thank you for all the replies. I was trying to understand how to reconcile monthly "patch Tuesdays" with the people who claim >12 months uptime for their servers - and the answer is "not securely on Windows with internet access". We will consider the security/convenience trade-offs between network access and using USB sticks. Given the number of trojans I've cleaned off our other lab computers (without internet access) I'm prone to thinking that the USB sticks are more dangerous.

Physical access is (reasonably) secure from malicious outsiders (keycard access), and we have no need for any services to be listening to the outside world. The only two things the network/internet would be used for is Windows/MSE update and a connection to our shared research drive for writing data to. Virus propagation through the shared drive is definitely a concern, but I haven't seen it happen yet.

Anyways, thanks again for the responses.

Megiddo
Apr 27, 2004

Unicorns bite, but their bites feel GOOD.
Is there any way to run the Windows System Assessment Tool silently via a deployment tool like Altiris?

It works fine when I'm logged on interactively and run "winsat formal" but when I try to send it as a script (either as the system account or another user when no one is interactively logged on) it just exits with no error message and no error in the event viewer related to the failure of the assessment.

Here's what the log file shows:

    Windows System Assessment Tool
    > Running the Formal Assessement

Any ideas?


(Why am I trying to do this via script instead of during OOBE, you ask? The chuckleheads at central IT decided not to bother with pre-populating or generating the Windows Experience Index Ratings anymore and Aero isn't working on some of our machines. We have no control over the images or OOBE and do a scripted install on top of a provided base image.)

mindphlux
Jan 8, 2004

by R. Guyovich
this is a crosspost, but I figure if anyone knows how to do this with the minimum of headaches, it'd be enterprise level sysadmins

quote:

is there a good way to remove a user/computer from a domain, but keep all of the user's profile information, program settings, documents, etc intact?

I've furiously googled and tried a few different methods, including ones that say copy the user directory over except for the ntuser.dat and ini, ones that say use the 'copy profile to' button in the user settings section of the system menu, and I've contemplated trying to use files and settings transfer wizard, but that just seems silly.

So far the best I've done was the copy-everything-but-the ntuser.dat and ini method, but the user's mail settings and desktop background, among other things, weren't preserved. Accounts gotta be 99% the same, so this is a non starter. I could explain to someone that they'd have to reset their background, but not why all their mail profiles aren't on their system anymore...

argh help. working with windows xp sp3 and a SBS 2003 domain if that matters.

I assume someone is just going to tell me to use USMT, right?

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

mindphlux posted:

this is a crosspost, but I figure if anyone knows how to do this with the minimum of headaches, it'd be enterprise level sysadmins


I assume someone is just going to tell me to use USMT, right?

So as it stands, the profile is on the machine, and owned by domain\user, and you want to take the machine off the domain, and change the ownership to machine\user?

mindphlux
Jan 8, 2004

by R. Guyovich

FISHMANPET posted:

So as it stands, the profile is on the machine, and owned by domain\user, and you want to take the machine off the domain, and change the ownership to machine\user?

yep. I just want the profile to go from

domain\user.name to
computer\user.name

with basically the profile remaining exactly the same in every other respect - at which point I could safely remove the computer from the domain. I've already un-redirected all redirected folders and all the potentially tricky bits - so 100% of the data for the user profile is on the machine.

I have domain admin rights as well as rights to the local administrator account on the computer, so the sky is the limit as far as what I can do.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

mindphlux posted:

yep. I just want the profile to go from

domain\user.name to
computer\user.name

with basically the profile remaining exactly the same in every other respect - at which point I could safely remove the computer from the domain. I've already un-redirected all redirected folders and all the potentially tricky bits - so 100% of the data for the user profile is on the machine.

I have domain admin rights as well as rights to the local administrator account on the computer, so the sky is the limit as far as what I can do.

If that thing in the other thread doesn't work, you should be able to just change all the file ownership from domain\user.name to computer\user.name, and have them log in.

e: I would test this first, because there might be stuff in the registry hive that links to the domain somehow.

mindphlux
Jan 8, 2004

by R. Guyovich

FISHMANPET posted:

If that thing in the other thread doesn't work, you should be able to just change all the file ownership from domain\user.name to computer\user.name, and have them log in.

e: I would test this first, because there might be stuff in the registry hive that links to the domain somehow.

isn't this pretty much the same as making a complete copy of the domain\user.name directory to the computer\user.name profile location and changing the permissions? because if so, I did do that, to no avail - I mean some stuff worked but for whatever reason there was no mail profile, desktop background, etc etc. Pretty sure there must be some relatively heavy registry stuff that's unique to the SID

adaz
Mar 7, 2009

mindphlux posted:

isn't this pretty much the same as making a complete copy of the domain\user.name directory to the computer\user.name profile location and changing the permissions? because if so, I did do that, to no avail - I mean some stuff worked but for whatever reason there was no mail profile, desktop background, etc etc. Pretty sure there must be some relatively heavy registry stuff that's unique to the SID

For the Outlook profile, you need the registry hive at HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\ and reimport it.

And for desktop backgrounds, it can pull the picture from anywhere on the computer...

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

mindphlux posted:

isn't this pretty much the same as making a complete copy of the domain\user.name directory to the computer\user.name profile location and changing the permissions? because if so, I did do that, to no avail - I mean some stuff worked but for whatever reason there was no mail profile, desktop background, etc etc. Pretty sure there must be some relatively heavy registry stuff that's unique to the SID

You got rid of ntuser.dat, which is the user registry hive, where all that good stuff is stored. If you keep that but change the perms it should work.

Like I say, should, because I've never tried anything like this, it just makes sense based on what I know about profiles.
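The approach discussed in the posts above (keep NTUSER.DAT, change ownership and permissions to computer\user.name), written out in PowerShell as an added example; it is not code from anyone in this thread. It assumes an elevated shell, that the local account already exists and the user is logged off, and that it is tried on a test copy of the profile first; `ProfileMig` is an arbitrary mount name chosen for the example.

```powershell
param(
    [string]$ProfilePath = 'C:\Users\user.name',           # folder left behind by domain\user.name
    [string]$NewAccount  = "$env:COMPUTERNAME\user.name"   # local account taking the profile over
)
$ErrorActionPreference = 'Stop'

# ACLs and the ProfileList are keyed on SIDs, not names, so resolve the local account first.
$nt     = New-Object System.Security.Principal.NTAccount($NewAccount)
$newSid = $nt.Translate([System.Security.Principal.SecurityIdentifier])

# 1. Files: make the local account owner of the tree and grant it full control.
icacls $ProfilePath /setowner $NewAccount /T /C /Q
if ($LASTEXITCODE) { throw "icacls /setowner failed on $ProfilePath" }
icacls $ProfilePath /grant "*$($newSid.Value):(OI)(CI)F" /T /C /Q
if ($LASTEXITCODE) { throw "icacls /grant failed on $ProfilePath" }

# 2. Registry: NTUSER.DAT (and UsrClass.dat) carry their own ACLs inside the hive,
#    so file permissions alone do not let the new SID use the settings stored there.
$hives = @("$ProfilePath\NTUSER.DAT",
           "$ProfilePath\AppData\Local\Microsoft\Windows\UsrClass.dat")
$rule  = New-Object System.Security.AccessControl.RegistryAccessRule(
             $newSid, 'FullControl', 'ContainerInherit', 'None', 'Allow')

foreach ($hive in ($hives | Where-Object { Test-Path -LiteralPath $_ })) {
    reg load 'HKU\ProfileMig' $hive | Out-Null
    if ($LASTEXITCODE) { throw "reg load failed for $hive (is the user still logged on?)" }
    try {
        # Keys with inheritance disabled keep their old ACL and are not touched here.
        $acl = Get-Acl -Path 'Registry::HKEY_USERS\ProfileMig'
        $acl.AddAccessRule($rule)
        Set-Acl -Path 'Registry::HKEY_USERS\ProfileMig' -AclObject $acl
    }
    finally {
        [gc]::Collect()                      # release key handles or the unload is refused
        reg unload 'HKU\ProfileMig' | Out-Null
    }
}

# 3. Report (read-only) which folder Windows will load for the local account.
$key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$($newSid.Value)"
if (Test-Path $key) {
    "ProfileImagePath for ${NewAccount}: $((Get-ItemProperty $key).ProfileImagePath)"
} else {
    "No ProfileList entry for $NewAccount yet; it is created at first logon."
}
```

If step 3 reports a different folder than `$ProfilePath`, the local account will not load the migrated profile until its `ProfileImagePath` points there.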

zero0ne
Jul 20, 2007
Zero to the O N E

Ifan posted:

If you guys have the time, money and willingness to learn Windows Installer, I'd recommend AdminStudio for customizing vendor MSIs and repackaging applications.
There's also a free edition for those who use Novell ZENworks or SCCM, but it's very limited in terms of functionality.


I've worked with AdminStudio, and I still prefer Wise Package Studio over it.

It could be because I was playing around with Symantec streaming and virtualization, but I think the interface and capture methods are so much cleaner.

Kullrock
Mar 21, 2006
I just got a request from a client. - Any input is appreciated.

The client had a computer stolen, but since his setup is HTTPS enabled, the stolen computer is currently in daily contact with the server. - Its public IP has been registered, and the authorities have been notified, but not much is happening in that department so far...

So the client wants to wipe the disk and all its data, the sooner the better. (Lots of homegrown videos I guess)

I doubt there is a simple way of doing this in vb, so I'm looking for a third-party tool (with a reasonable price tag) that runs from the command line. - Alternatively I will push a WinPE to the client, with a fixed start-up script to wipe the disk, but that will take a lot longer to make work.

LoKout
Apr 2, 2003

Professional Fetus Taster

Kullrock posted:

I just got a request from a client. - Any input is appreciated.

The client had a computer stolen, but since his setup is HTTPS enabled, the stolen computer is currently in daily contact with the server. - Its public IP has been registered, and the authorities have been notified, but not much is happening in that department so far...

So the client wants to wipe the disk and all its data, the sooner the better. (Lots of homegrown videos I guess)

I doubt there is a simple way of doing this in vb, so I'm looking for a third-party tool (with a reasonable price tag) that runs from the command line. - Alternatively I will push a WinPE to the client, with a fixed start-up script to wipe the disk, but that will take a lot longer to make work.

psexec.exe deltree /y

I don't really know what you're getting at with "his setup is HTTPS enabled". I'm assuming you have remote access to the system, which means you can do all kinds of stuff to the perp.

Remote wipe is not going to work very well without booting an alternative OS, though, since Windows will freak when you start deleting system files. It will likely take care of the questionable files - or you could target them directly with a batch file or remote access.

It might be better to change the desktop to an image saying you've contacted the authorities, call ### to return the laptop, no questions asked. Or just spy on the person for a while and report what he's doing to police.

Ifan
Feb 21, 2006
The Nice Operator from Heaven

zero0ne posted:

I've worked with AdminStudio, and I still prefer Wise Package Studio over it.

It could be because I was playing around with Symantec streaming and virtualization, but I think the interface and capture methods are so much cleaner.

I've tried Wise and didn't like it. I don't repackage much these days anyway. I mostly customize vendor MSIs or create installers from scratch. It's all about personal preferences, I guess.
Also, it seems like Symantec doesn't care much about updating WPS.
