mute
Jul 17, 2004

Drumstick posted:

I'm trying to deploy a shortcut through GPO. I'm under Computer > Preferences > Shortcuts

...

The targeted file is accessible to everyone, but it is not appearing on the users' desktops. The GPO is getting applied to the PCs.

Do the machine accounts have access to the path/directory as well?


Drumstick
Jun 20, 2006
Lord of cacti
No idea, how do I check that?

mute
Jul 17, 2004

psexec -s -i cmd.exe
This will open a command window as the SYSTEM account of your local test machine.

Then try to access/copy as below:
copy \\your\share\file C:\Some\Directory\path\

peak debt
Mar 11, 2001
b& :(
Nap Ghost
Also check the application log after doing a gpupdate /force, and do a "rsop.msc" on a PC to check if any errors are reported in there (occasionally you get a yellow exclamation mark on a policy that cannot be applied).

Out of interest, do the target PCs have the group policy extensions installed if they are Windows XP? XP out of the box doesn't support shortcut group policies.

Drumstick
Jun 20, 2006
Lord of cacti
Welp, that's the problem. No, they do not have that installed. I was beginning to wonder if that was the case; I vaguely remember that some of the new GPO settings are not supported in XP. I'll copy the shortcut through a batch file then.

Moey
Oct 22, 2010

I LIKE TO MOVE IT
This is what I hit when I first started doing GPO stuff at my current work. Client Side Extensions and XML Lite.

http://blogs.technet.com/b/grouppol...on-xmllite.aspx

Edit: This should get installed as long as your XP workstations have SP2 installed, but for some reason a small handful of ours were having issues (they must have not taken the update or something).

Moey fucked around with this message at 22:12 on Jan 14, 2012

Frozen Peach
Aug 25, 2004

garbage man from a garbage can
A user requested their last name be changed. What's the best practice for doing this in AD? In Groupwise/eDirectory I could just rename the user object and it'd add nicknames and would just "work" (or at least I think so, I'm not well versed in Novell's poo poo either - hurray for the network admin job being dumped on me) but I'm not sure about how that works in AD. Is there a way to make both <ALastname> and <ANewname> both login to the same account?

What about user directories? We mount //server/users/alastname to U:\ - should I rename the alastname to anewname on the file server as well, or is there a way to make both of those work too?

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

You should be fine just renaming the account. I do it a few times a year in our AD and have never had a problem really. Behind the scenes everything only cares about the SID anyway.

As for the U: drive mounting, it depends. Is it a script that pulls the %username% variable? If so you'll need to rename the user's folder. If not you should be fine leaving it, but you'll still want to change it anyway for the user. Don't want them bitching about it.

To answer this specific question:

quote:

Is there a way to make both <ALastname> and <ANewname> both login to the same account?

No, to the best of my knowledge in AD a user object can only have one logon name.

Wiggly
Aug 26, 2000

Number one on the ice, number one in my heart
Fun Shoe
So Adobe released a new patch for Acrobat and Acrobat Reader (10.1.2). I have Acrobat Reader deployed via GPO starting at 10.1. I have applied the 10.1.1 patch via the same GPO and doing an upgrade. That all worked fine. Now I am trying to install the 10.1.2 patch and when the installer runs, I get this message:

"The upgrade patch cannot be installed by Windows Installer Service as the program to be updated maybe missing or the upgrade patch may install different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct upgrade patch."

The release notes for the patch say it can be installed on either 10.1 or 10.1.1 so I should be good to go. Anyone have suggestions on this one?

Mecha-Tech
Nov 3, 2008
Just started at a new position and re-imaged 100+ laptops for use in two separate labs. After creation of the image and a few other sundry bits, they came to me and said 'oh yeah, we need Powerpoint installed even though we told you we didn't need it installed. Sorry.'

I know this can be done via group policy - the install remotely to all the systems. The problem is, I can't get it to work. I create the policy, point it to the right place, and nothing. Rebooting the systems and logging in just brings up the desktop with no indication that PowerPoint was installed, and there's no sign of it anywhere on the system, which leads me to believe it's not running.

The question I have is why?

The server I'm using has Windows Server 2008 R2, for those who need to know. The MSI for PowerPoint is saved on a network drive that can (should be able to) be accessed by all systems involved. I've set up a GPO called PowerPoint Deployment that's both enforced and enabled on the two OUs below it, and the GPO has Computer Configuration/Policies/Software Settings/Software Installation with the right path to the shared folder.

So, what am I missing? What's the trigger to start the install? HALP.

GMontag
Dec 20, 2011
First things first, run gpresult on a client and see if the client is actually picking up the GPO.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
Are you sure you can install office programs using just the msi?

Edit - to clarify, I don't believe you can do this via GPO software policies, you have to do it via a startup script.

Swink fucked around with this message at 05:30 on Jan 18, 2012

Mecha-Tech
Nov 3, 2008
Will do first thing in the morning.

quackquackquack
Nov 10, 2002
What version of Office?

As mentioned by Swink, for 2007+ I believe the only option is to make an MSP and deploy using a startup script. See: http://technet.microsoft.com/en-us/library/cc179134(office.12).aspx

Mecha-Tech
Nov 3, 2008
It's Office 2010. Okay, awesome. You guys have given me a place to start looking. I'll report back on how/if it worked. Thanks!

ghostinmyshell
Sep 17, 2004



I am very particular about biscuits, I'll have you know.
I need to break out and organize Computers on my Domain in AD. Is it okay if I start branching off within the Computers container, or should I create a new OU? Looking for best practices guidance and naming conventions if anyone has suggestions. You know in case I get killed, my replacement isn't bitching in the "poo poo I hate..." thread.

\/\/\/\/ Thanks. Well that would have been simple to figure out if I tried. Any suggestions for names for a root OU replacement for Computers? I would like to do <root> and then do /servers, /laptops, /desktops, /kiosks.

ghostinmyshell fucked around with this message at 03:33 on Jan 19, 2012

GMontag
Dec 20, 2011

ghostinmyshell posted:

I need to break out and organize Computers on my Domain in AD. Is it okay if I start branching off within the Computers container, or should I create a new OU? Looking for best practices guidance and naming conventions if anyone has suggestions. You know in case I get killed, my replacement isn't bitching in the "poo poo I hate..." thread.

You can't make OUs underneath the built-in containers. So making a new root OU is the only way to go.

quackquackquack
Nov 10, 2002
Remember to change where new computer accounts go when a computer is joined.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

I don't know how big your environment is, but we break things down geographically, and under each geographical OU we have users/groups/computers/servers OUs.

chizad
Jul 9, 2001

'Cus we find ourselves in the same old mess
Singin' drunken lullabies
Yeah, the "proper" OU structure will depend on the size of your environment, overall corporate structure (# of locations/departments/divisions/etc), what you're doing (or would like to be doing) with group policy, plus other factors I'm sure I'm not thinking of at the moment. We're also using a geographical breakdown here with sub OUs for users/computers/etc. (We're a consulting company, so we also have a separate OU for our remote workers.) This allows us to apply GPOs to a specific location's OU to handle folder redirection, mapped drives, printers, etc using local resources. But for a company where everyone is in the same building/campus, OUs based on departments/divisions would probably make more sense.

Hiyoshi
Jun 27, 2003

The jig is up!
I'm doing Windows 7 deployment testing for my lab and I'm having a problem deploying printers to local users. Currently, all of the printers are deployed to "The users that this GPO applies to (per user)" to our XP machines. As expected, the printers are only available to domain accounts that log in to the computers with this setting (and not local accounts). However, for my Windows 7 test machines I want these printers to be available to local accounts such as the local admin. I've deployed the printers to "The computers that this GPO applies to (per machine)" but they only show up on domain accounts and not my local admin account.

Am I misunderstanding something here? I thought that deploying the printers to "The computers that this GPO applies to (per machine)" would make the printer available to all users on any computer the GPO applies to, both local and domain, whereas deploying the printers to "The users that this GPO applies to (per user)" would only make the printer available to domain users on any individual computer and not local users.

Thanks Ants
May 21, 2004

#essereFerrari


This might seem like basic poo poo, but is the printer deployed in the User Configuration part of the GPO, or the Computer Configuration?

Hiyoshi
Jun 27, 2003

The jig is up!

Caged posted:

This might seem like basic poo poo, but is the printer deployed in the User Configuration part of the GPO, or the Computer Configuration?

Computer configuration.

Thanks Ants
May 21, 2004

#essereFerrari


What does the Group Policy Results Wizard spit out? Anything useful?

capitalcomma
Sep 9, 2001

A grim bloody fable, with an unhappy bloody end.

Caged posted:

This might seem like basic poo poo, but is the printer deployed in the User Configuration part of the GPO, or the Computer Configuration?

There are actually printer configuration options in both User and Computer Configuration, and both have their advantages. If you're using a print server and sharing them via SMB, you'll want to connect them in User Config -> Preferences -> Control Panel Settings -> Printers | Add Shared Printer.

Hiyoshi
Jun 27, 2003

The jig is up!

Caged posted:

What does the Group Policy Results Wizard spit out? Anything useful?

Under "Computer Configuration\Policies\Windows Settings\Printer Connections" all the same printers are showing up for both the Local and Domain Administrator accounts on that computer, but they do not show up in Devices and Printers when I log in as the Local Administrator. :confused:

quackquackquack
Nov 10, 2002
Does the local admin have rights to install those printers?

evil_bunnY
Apr 2, 2003

And on, you know, the actual AD printer objects?

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

evil_bunnY posted:

And on, you know, the actual AD printer objects?

This is probably your problem right here. When you're logged into the computer as a local user can you manually add the printer?

Hiyoshi
Jun 27, 2003

The jig is up!

FISHMANPET posted:

This is probably your problem right here. When you're logged into the computer as a local user can you manually add the printer?

Yep, I can manually add it with no problem--local admins have the right to add the printer. Even though the settings in this GPO are all under Computer Configuration and even though it's assigned to a Computer OU, it's acting as if it's being applied under a User's OU.

babies havin rabies
Feb 24, 2006

I'm fairly new to Group Policy administration, aside from the basics like mapping drives and printers. I would like to create a policy with a scope of all Authenticated Users that forces a password protected screen saver and an idle time of at most 900 seconds/15 minutes. The problem is, several users here (myself included) like a much lower idle time (2-5 minutes). I am setting these two options in User Config\Admin Templates\Control Panel\Personalization\. Is there a way to craft a policy that would just put an upper limit on the idle time?

peak debt
Mar 11, 2001
b& :(
Nap Ghost
No, you cannot set such a maximum time, only a fixed time at which the screen will lock. If someone wants to lock their screen faster, they will have to press Windows+L.

babies havin rabies
Feb 24, 2006

Thanks. Would it be possible to create another policy that has the idle time set at 300 seconds, and have it take priority for a small (voluntary) subset of users?

Basically we have users who are extremely cautious about security (and should be) to the point where 15 minutes as a backup for forgetting Win+L is "too long" and users who would otherwise never lock their computers, so we need to enforce at least some kind of idle time.

Edit: Answered my own question, just give the 300 second GPO a higher priority.

babies havin rabies fucked around with this message at 18:23 on Jan 26, 2012

Mierdaan
Sep 14, 2004

Pillbug
Yeah you could create a security group for your "cautious" users, make the GPO only apply to that group and have it take higher priority than your default user screensaver GPO.

Or you guys could just hit Win+L when you get up from your desk.

babies havin rabies
Feb 24, 2006

Mierdaan posted:

Yeah you could create a security group for your "cautious" users, make the GPO only apply to that group and have it take higher priority than your default user screensaver GPO.

Or you guys could just hit Win+L when you get up from your desk.

This worked, thanks.

It must be really nice to have users who are conscious of security :smith:
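
An added example, not part of any post in this thread: a PowerShell check that reads the screen saver values the Personalization policies write for the logged-on user and confirms the 900-second ceiling discussed above is actually in effect. The function name `Test-ScreenLockPolicy` is hypothetical, and the code assumes PowerShell 3.0 or later and the standard policy and preference registry locations.

```powershell
# Added example (not from the thread). The function name is hypothetical;
# 900 seconds is the ceiling discussed in the thread.
function Test-ScreenLockPolicy {
    param([int]$MaxIdleSeconds = 900)

    # Written by the Control Panel\Personalization administrative templates.
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    # Per-user preference; only relevant when the policy value is absent.
    $prefKey   = 'HKCU:\Control Panel\Desktop'

    $names = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut', 'SCRNSAVE.EXE'
    $found = @{}
    foreach ($name in $names) {
        $source = 'Policy'
        $value  = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $value) {
            $source = 'UserPreference'
            $value  = (Get-ItemProperty -Path $prefKey -Name $name -ErrorAction SilentlyContinue).$name
        }
        if ($null -eq $value) { $source = 'NotSet' }
        $found[$name] = [pscustomobject]@{ Value = $value; Source = $source }
    }

    # The registry values are strings, so parse the timeout before comparing.
    $timeout = 0
    $parsed  = [int]::TryParse([string]$found['ScreenSaveTimeOut'].Value, [ref]$timeout)

    [pscustomobject]@{
        User           = "$env:USERDOMAIN\$env:USERNAME"
        TimeoutSeconds = if ($parsed) { $timeout } else { $null }
        TimeoutSource  = $found['ScreenSaveTimeOut'].Source
        # A lower value (for example a 300-second GPO for an opt-in group) still passes.
        WithinLimit    = $parsed -and $timeout -gt 0 -and $timeout -le $MaxIdleSeconds
        Active         = $found['ScreenSaveActive'].Value -eq '1'
        PasswordOnWake = $found['ScreenSaverIsSecure'].Value -eq '1'
        # Without a configured screen saver program the timeout has no effect.
        HasScreenSaver = -not [string]::IsNullOrEmpty([string]$found['SCRNSAVE.EXE'].Value)
        # True only when policy, not a user-editable preference, supplies each lock setting.
        Enforced       = @($names[0..2] | Where-Object { $found[$_].Source -ne 'Policy' }).Count -eq 0
    }
}

Test-ScreenLockPolicy | Format-List
```

Run it in the session of the user being checked, since both keys live under HKCU; a result with `WithinLimit` true but `Enforced` false means the timeout comes from a preference the user can change.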

Mierdaan
Sep 14, 2004

Pillbug

babies havin rabies posted:

It must be really nice to have users who are conscious of security :smith:

Somewhere in SHSC's history there was a guy who posted about his job, where everyone had laptops. If IT walked by your laptop and it was unlocked, they posted a note reminding you to lock it. There was no second note - IT would confiscate your laptop and you'd have to get it back from your manager after explaining why you couldn't follow simple instructions.

evil_bunnY
Apr 2, 2003

Mierdaan posted:

Somewhere in SHSC's history there was a guy who posted about his job, where everyone had laptops. If IT walked by your laptop and it was unlocked, they posted a note reminding you to lock it. There was no second note - IT would confiscate your laptop and you'd have to get it back from your manager after explaining why you couldn't follow simple instructions.

At my previous employer if you left your poo poo unlocked, someone would always email your whole group for coffee and cake at your expense under a bullshit pretense. Without fail.

Hell we would even pull that prank on coworkers at customer premises. No one forgot twice.

capitalcomma
Sep 9, 2001

A grim bloody fable, with an unhappy bloody end.

Mierdaan posted:

Yeah you could create a security group for your "cautious" users, make the GPO only apply to that group and have it take higher priority than your default user screensaver GPO.

Or you guys could just hit Win+L when you get up from your desk.

I just tried applying this logic to removable storage and it didn't seem to apply as expected.

First I set up a universal GPO that blocked all removable storage access (user config -> admin templates -> system -> removable storage access -> "All Removable Storage Classes: Deny all access" : Enabled). Then I set up a GPO in the same OU that just set that same setting to Disabled, and filtered it for some users who would still need access. They were still blocked, even with the second GPO set at higher priority. :( I hate how behavior isn't universal across different policy types.

edit: and yes I checked gpresult, it was displayed exactly as it was supposed to, but was still loving with removable storage access across all storage classes I tested.

capitalcomma fucked around with this message at 01:56 on Jan 28, 2012

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

Sounder posted:

I just tried applying this logic to removable storage and it didn't seem to apply as expected.

First I set up a universal GPO that blocked all removable storage access (user config -> admin templates -> system -> removable storage access -> "All Removable Storage Classes: Deny all access" : Enabled). Then I set up a GPO in the same OU that just set that same setting to Disabled, and filtered it for some users who would still need access. They were still blocked, even with the second GPO set at higher priority. :( I hate how behavior isn't universal across different policy types.

edit: and yes I checked gpresult, it was displayed exactly as it was supposed to, but was still loving with removable storage access across all storage classes I tested.

Your second policy needs to enable it, setting it to default means that it's not set at all, and it just takes the value from above.


capitalcomma
Sep 9, 2001

A grim bloody fable, with an unhappy bloody end.

FISHMANPET posted:

Your second policy needs to enable it, setting it to default means that it's not set at all, and it just takes the value from above.

If you're referring to setting it to "Not Configured", I didn't...
