evil_bunnY
Apr 2, 2003

sanchez posted:

I had a coworker who would put both user and computer settings in the same policy and then link it in two different places.
This is why they make alcohol. And guns.


Mierdaan
Sep 14, 2004

Pillbug

skipdogg posted:

Don't worry about having too many GPOs. Just name them well so they're easy to organize. I'd rather have things separate and NEVER EVER EVER touch DDP. One guy that worked here before me messed up the DDP and managed to lock everyone out of the domain controllers or some poo poo.

Very early in my career, I took a look at what was even set in DDP. Finding nothing important, I unlinked it :downs:

mute
Jul 17, 2004

IT Guy posted:

I could condense the GPOs but I find it more organized to keep certain things separate.

Condensing causes issues when one system needs one thing but not another. I re-did all the policies here and they ballooned from 20 to something close to 180 right now. But now everything is logical and predictable (at least as far as that goes) and I don't have to wonder where something is being set. And I know without having to look it up exactly what's being applied when I use GPRESULT.

And definitely, as others have said, naming is key for your sanity.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

skipdogg posted:

Don't worry about having too many GPOs. Just name them well so they're easy to organize. I'd rather have things separate and NEVER EVER EVER touch DDP. One guy that worked here before me messed up the DDP and managed to lock everyone out of the domain controllers or some poo poo.

Here is a question for the ages: How do you un-gently caress up the default domain policy.

I know it's there...wrongly named and has a billion things it should not have. Sometimes I stare into the abyss of the settings.

Moey
Oct 22, 2010

I LIKE TO MOVE IT

Swink posted:

I asked the same question and was told that there is no real issue with having 100 GPOs. Apart from the issue of managing them all.

I have about 40 for 150 users.

This argument comes up all the time between me and my boss. I split them up and give them descriptive names. He sees that we have like 15 different GPOs and tells me how it will make everyone's logon times take 10000000 years. I explain why it doesn't/won't, he doesn't believe me. I'm pretty sure he is still living in the NT era or something, he always rambles about the "olden days".

Mully Clown
Aug 1, 2004

I handle my piss like the great big frilly girls blouse that I am
I don't think you'll have any issues with 22 GPOs. We're just shy of 800 GPOs here and things keep on trucking along. How many could be deleted is another question.

Syano
Jul 13, 2005
In the early days of Active Directory, Microsoft had a best practice of limiting the number of GPOs if at all possible. The reason being that back in 99/2000/2001 and so on, physical network limitations like WAN bandwidth, CPU speed, RAM and similar could noticeably be affected when a machine had to process through 40 different GPOs on boot up and log in. However, in 2012 all those physical limitations have so far outrun what GPOs need that today it makes the most sense to be extremely granular with your GPOs, even if it means you end up with hundreds of them.

parasyte
Aug 13, 2003

Nobody wants to die except the suicides. They're no fun.

incoherent posted:

Here is a question for the ages: How do you un-gently caress up the default domain policy.

I know it's there...wrongly named and has a billion things it should not have. Sometimes I stare into the abyss of the settings.

Apparently in Server 2003 and newer, there's a command-line utility named DCGPOFix that will recreate either or both of the Default Domain Policy and Default Domain Controllers Policy objects for you.

There's some other utility to do it for Windows 2000 Server but honestly not even God can help you if your newest DCs are running 2000 Server at this point.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

Syano posted:

In the early days of Active Directory, Microsoft had a best practice of limiting the number of GPOs if at all possible. The reason being that back in 99/2000/2001 and so on, physical network limitations like WAN bandwidth, CPU speed, RAM and similar could noticeably be affected when a machine had to process through 40 different GPOs on boot up and log in. However, in 2012 all those physical limitations have so far outrun what GPOs need that today it makes the most sense to be extremely granular with your GPOs, even if it means you end up with hundreds of them.

We're in a rural area where many of our branches are running on 800kbit/60kbit DSL connections, usually out past 5 kilometers from the CO. These branches also do not have AD servers on site... poo poo gets rough.

Syano
Jul 13, 2005
You're probably just going to have to play with it until it works for you then. There never really has been a guideline saying 'x amount of GPOs is too much for y bandwidth' and that's really just due to the insane amount of variables in play.

peak debt
Mar 11, 2001
b& :(
Nap Ghost
Still shouldn't be a problem, each GPO is only a couple KB. You can actually look at them physically by going to \\domain\sysvol\domain.fqdn\policies

GPO traffic will be vastly overshadowed by emails, updates and other stuff.

Honey Im Homme
Sep 3, 2009

Anyone know if using %logonserver% in folder redirection is going to break anything? Think I can clear up a few GPOs across a couple of our sites with this.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Honey Im Homme posted:

Anyone know if using %logonserver% in folder redirection is going to break anything? Think I can clear up a few GPOs across a couple of our sites with this.

I wouldn't do it.

Better question.. why would you redirect folders to a domain controller?

Honey Im Homme
Sep 3, 2009

Multiple sites with DCs on each site, simplifies AD instead of having multiple site-specific policies.

Just redirecting start menus and desktops btw.

Honey Im Homme fucked around with this message at 23:26 on Mar 14, 2012

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

Honey Im Homme posted:

Multiple sites with DCs on each site, simplifies AD instead of having multiple site-specific policies.

Just redirecting start menus and desktops btw.

Don't the sites have file servers?

mute
Jul 17, 2004

Honey Im Homme posted:

Anyone know if using %logonserver% in folder redirection is going to break anything? Think I can clear up a few GPOs across a couple of our sites with this.

I think you can probably do this, with caveats (users must only authenticate to one DC, or you must have DFS sync on all the DCs, which sort of eliminates the gains from multiple sites)

Non-answer: Unless you're hurting for $$$ for a Windows license, I'd at the very least virtualize onto ESXi free and have 1 DC and 1 FS per site.

Separation is good.

Cpt.Wacky
Apr 17, 2005

mute posted:

Condensing causes issues when one system needs one thing but not another. I re-did all the policies here and they ballooned from 20 to something close to 180 right now. But now everything is logical and predictable (at least as far as that goes) and I don't have to wonder where something is being set. And I know without having to look it up exactly what's being applied when I use GPRESULT.

And definitely, as others have said, naming is key for your sanity.

I'm just getting started with group policy. Could you or anyone else go into more detail about naming and organizing the policies? Do you have separate policies for everything like deploying printers, redirecting folders, mapping drives, remote desktop/admin, firewall exceptions, etc?

Syano
Jul 13, 2005

Cpt.Wacky posted:

I'm just getting started with group policy. Could you or anyone else go into more detail about naming and organizing the policies? Do you have separate policies for everything like deploying printers, redirecting folders, mapping drives, remote desktop/admin, firewall exceptions, etc?

I'll tell you what I do and you can see if that helps you any: I make a separate policy for every 'thing' I want to do where each 'thing' may have several actual actions associated with it. For instance, I have a policy called 'billing department folder redirection'. This policy of course has several settings within it that redirect their folders to a fileserver. I try not to get more granular than that because I don't want to have to search through a thousand policies to find what I am looking for. I want to stay that granular though so if I need to disable this policy for troubleshooting or what not I can easily do so without affecting any other settings. Feel free to be as descriptive with your policy names as you can. It can only help.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

Cpt.Wacky posted:

I'm just getting started with group policy. Could you or anyone else go into more detail about naming and organizing the policies? Do you have separate policies for everything like deploying printers, redirecting folders, mapping drives, remote desktop/admin, firewall exceptions, etc?

I typically separate these.

My naming convention right now is:
Policy Name (User/Computer)

This allows the policy to still be listed alphabetically but you still know whether it is per machine or per user (or both).

Don't touch the two default policies (Default Domain(Controller) Policy)

I have a main policy that dumb little poo poo goes into called the "Global Domain Policy" and these are policies that apply to all users and computers. I also have a "Global Domain Preferences" for global user/computer preferences. Everything else I separate. I have separate policies for Firewall, Internet Explorer, Drive Maps, Printer Deployment, WSUS Local, WSUS Remote, WSUS Servers, and one for each piece of software that needs exceptions.

On that last note. gently caress software that only installs in the user profile as a local admin.
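As an added example (not code from this thread or any poster), a PowerShell audit that checks GPO names against the "Policy Name (User/Computer)" convention above and flags a half that holds no settings but is still enabled. It assumes the GroupPolicy RSAT module is installed and the account can read the domain's GPOs.

```powershell
# Added example, not from the thread: audit GPO names against the
# "Policy Name (User/Computer)" convention and report halves that are
# enabled but empty. Requires the GroupPolicy module (RSAT).
Import-Module GroupPolicy

function Get-GpoNamingReport {
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Each half's DSVersion counts edits to that half, so 0 means it was never touched.
        $hasComputer = $gpo.Computer.DSVersion -gt 0
        $hasUser     = $gpo.User.DSVersion -gt 0

        # Pull the "(User)", "(Computer)" or "(User/Computer)" suffix, if any.
        $suffix = $null
        if ($gpo.DisplayName -match '\((User|Computer|User/Computer)\)\s*$') { $suffix = $Matches[1] }

        $expected = if ($hasComputer -and $hasUser) { 'User/Computer' }
                    elseif ($hasComputer)          { 'Computer' }
                    elseif ($hasUser)              { 'User' }
                    else                           { 'Empty' }

        # A half with no settings should be disabled so clients skip it entirely.
        $status         = $gpo.GpoStatus.ToString()
        $userHalfOn     = $status -in 'AllSettingsEnabled', 'ComputerSettingsDisabled'
        $computerHalfOn = $status -in 'AllSettingsEnabled', 'UserSettingsDisabled'
        $unusedHalfOn   = (-not $hasUser -and $userHalfOn) -or (-not $hasComputer -and $computerHalfOn)

        [pscustomobject]@{
            Name            = $gpo.DisplayName
            Suffix          = $suffix
            Expected        = $expected
            NameMatches     = ($suffix -eq $expected)
            Status          = $status
            UnusedHalfOn    = $unusedHalfOn
            IsDefaultPolicy = $gpo.DisplayName -in 'Default Domain Policy', 'Default Domain Controllers Policy'
        }
    }
}

# Report only the GPOs that need attention; the two default policies are left alone.
Get-GpoNamingReport |
    Where-Object { -not $_.IsDefaultPolicy -and (-not $_.NameMatches -or $_.UnusedHalfOn) } |
    Sort-Object Name | Format-Table -AutoSize
```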

evil_bunnY
Apr 2, 2003

Syano posted:

You're probably just going to have to play with it until it works for you then. There never really has been a guideline saying 'x amount of GPOs is too much for y bandwidth' and that's really just due to the insane amount of variables in play.
Also a $200 ProLiant N40L solves your problem.

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
Does anyone have recommendations for how to best do Mapped Drives using only group policy? In the past, we have used logon scripts, and placed a common "net use * /delete" script to delete any mapped drives before mapping other drives. This way, if we changed a map for a user, it would delete the old drive and update the new one.

Is there a way I can do this using only Group Policy on 2008 R2 domains?

Hiyoshi
Jun 27, 2003

The jig is up!

Gyshall posted:

Does anyone have recommendations for how to best do Mapped Drives using only group policy? In the past, we have used logon scripts, and placed a common "net use * /delete" script to delete any mapped drives before mapping other drives. This way, if we changed a map for a user, it would delete the old drive and update the new one.

Is there a way I can do this using only Group Policy on 2008 R2 domains?

You could use the Drive Maps policy under User Configuration\Preferences\Windows Settings.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

Hiyoshi posted:

You could use the Drive Maps policy under User Configuration\Preferences\Windows Settings.

What he ^ said.

Use the "Update" action and it will delete any mapping they already had for that drive letter and update it to the new one.

Edit: You can also use item-level targeting for each mapping if you have any that overlap. For example, each of our branches has an F:\ drive to their local site file server. I only need one GPO with all the drive mappings and just use item level targeting using security groups.

Docjowles
Apr 9, 2009

Is there any way to push a 32-bit ODBC connection to a 64-bit Windows machine through group policy? Or hell, even a login script? When I use group policy to create the connection, this one lovely old 32-bit app we have can't see it at all. I have to launch the 32-bit version of the ODBC editor and create the connection by hand.

Kerpal
Jul 20, 2003

Well that's weird.

peak debt posted:

Still shouldn't be a problem, each GPO is only a couple KB. You can actually look at them physically by going to \\domain\sysvol\domain.fqdn\policies

GPO traffic will be vastly overshadowed by emails, updates and other stuff.

When you say GPO are you referring to each individual folder with the long GUID? I've noticed that since I have administrative templates set up, the folders are actually pretty bloated. The ADM folder alone is 4.5 MB and it definitely adds up with 39 policies. I wonder if it affects policy processing speed at all, but it still seems negligible.

Does anyone know if you can only enable administrative templates in the policies where you need them?

parasyte
Aug 13, 2003

Nobody wants to die except the suicides. They're no fun.

Kerpal posted:

When you say GPO are you referring to each individual folder with the long GUID? I've noticed that since I have administrative templates set up, the folders are actually pretty bloated. The ADM folder alone is 4.5 MB and it definitely adds up with 39 policies. I wonder if it affects policy processing speed at all, but it still seems negligible.

Does anyone know if you can only enable administrative templates in the policies where you need them?

There's a policy apparently in Computer>Administrative Templates>System>Group Policy that is named "Always use local ADM files for Group Policy Object Editor" that will keep affected machines from copying the ADM files into the GPO folder. According to the book I'm reading it does not work on XP, though it is supposed to, so it only functions on Windows Server 2003. Found a blog post on it with a commenter that says the policy may change some things in unusual ways as a result.

Probably the best thing if you're concerned would be to use Vista, 7, or Server 2008 or Server 2008R2 as your GPO editing station and perhaps remove and recreate any already affected GPOs.

Docjowles
Apr 9, 2009

Someone in this thread recommended Moskowitz's book and I can confirm it rules. He devotes a chunk of space to talking about ADM bloat. The TLDR boils down to a couple things...

1) As parasyte said, if you use a Win 7 or Server 2008/R2 box to create and edit GPOs, you will use ADMX files rather than ADM and they are only a couple KB vs multiple megabytes. I'm not sure how to undo the bloat if it's already there... maybe copy the old GPO (using a Win 7 management station), link it everywhere the old one is and then delete the old one?

2) If your vendor (or you if you made them yourself) offers ADMX files, use those instead of the ADM files. It will avoid copying them around all over the place and wasting space.

Disclaimer: I'm just parroting what I read, working through the book right now. But the dude appears to know what he is talking about.

Briantist
Dec 5, 2003

The Professor does not approve of your post.
Lipstick Apathy
I'm having a problem with software installation via GPO that I can't nail down. The software in question is NSClient++ (Nagios monitoring agent for Windows). It already comes as an MSI.

The MSI installs just fine via the GPO. The MSI updates an existing older version of the software just fine via GPO.

The problem occurs when I manually uninstall the software. What I've seen in the past on other software deployments is that in this case, the software will just be reinstalled on the next reboot.

What's happening here is that the reinstall is attempted but quickly fails. There are no error messages in the event log, the application doesn't show up in Programs in control panel, the files and service are not created. For all intents and purposes, the install didn't happen, EXCEPT that it does show up in the MSI cleanup tool. It doesn't show up in there after the manual reinstall was done, only after a reboot when it attempts to reinstall it.

Removing that entry from the tool does NOT allow it to be successfully reinstalled via GPO.

I am at a loss.

Dans Macabre
Apr 24, 2004


Docjowles posted:

Is there any way to push a 32-bit ODBC connection to a 64-bit Windows machine through group policy? Or hell, even a login script? When I use group policy to create the connection, this one lovely old 32-bit app we have can't see it at all. I have to launch the 32-bit version of the ODBC editor and create the connection by hand.

I also need to know this.

Docjowles
Apr 9, 2009

Briantist posted:

I am at a loss.

Try turning on verbose logging for the installer service. Can be done via registry edit or group policy. This has helped me in the past finding problems with Java's abortion of an installer :mad: KB article.

Briantist
Dec 5, 2003

The Professor does not approve of your post.
Lipstick Apathy

Docjowles posted:

Try turning on verbose logging for the installer service. Can be done via registry edit or group policy. This has helped me in the past finding problems with Java's abortion of an installer :mad: KB article.
Actually, I forgot to mention it, but I did this, and no log file was created. I checked the value of the %temp% variable for both my user (it shouldn't be here) and for the system environment variable (C:\Windows\Temp). I even started by clearing those directories so that I could more easily see a new file.

I've done this on two different servers now, and no log was created during the installation via GPO; even starting from scratch where there was no installation and uninstallation (that is, the install via GPO was successful, and still no log).

I also started a command prompt as the computer account using psexec -s cmd and ran the installer with msiexec (this time, specifying logging options via command line). This was successful for some reason. The log was created and showed no problems, the install worked well.

Briantist
Dec 5, 2003

The Professor does not approve of your post.
Lipstick Apathy
Okay I figured out what the problem was with logging. The KB articles say that you can use a value of "*" but it turns out that doesn't work! Setting it to "voicewarmup" does though. This is the result of one of my failed reinstallations:

quote:


=== Verbose logging started: 3/26/2012 15:03:29 Build type: SHIP UNICODE 5.00.7601.00 Calling process: C:\Windows\system32\svchost.exe ===
MSI (c) (28:E4) [15:03:29:453]: User policy value 'DisableRollback' is 0
MSI (c) (28:E4) [15:03:29:453]: Machine policy value 'DisableRollback' is 0
MSI (c) (28:E4) [15:03:29:515]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (c) (28:E4) [15:03:29:531]: Executing op: Header(Signature=1397708873,Version=500,Timestamp=1081574870,LangId=1033,Platform=589824,ScriptType=3,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=0)
MSI (c) (28:E4) [15:03:29:531]: Executing op: ProductInfo(ProductKey={76AAFD9B-9388-45D8-B464-217A69EDE358},ProductName=NSClient++ (x64),PackageName=NSClient++-0.3.9-x64.msi,Language=1033,Version=196617,Assignment=1,ObsoleteArg=0,ProductIcon=nsclient.exe,,PackageCode={0DA4D155-5ACC-4D01-AE99-6380B8F8785C},,,InstanceType=0,LUASetting=0,RemoteURTInstalls=0,ProductDeploymentFlags=3)
MSI (c) (28:E4) [15:03:29:531]: Executing op: DialogInfo(Type=0,Argument=1033)
MSI (c) (28:E4) [15:03:29:531]: Executing op: DialogInfo(Type=1,Argument=NSClient++ (x64))
MSI (c) (28:E4) [15:03:29:531]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])
MSI (c) (28:E4) [15:03:29:531]: Executing op: ActionStart(Name=CreateShortcuts,Description=Creating shortcuts,Template=Shortcut: [1])
MSI (c) (28:E4) [15:03:29:562]: Executing op: IconCreate(Icon=nsclient.exe,Data=BinaryData)
MSI (c) (28:E4) [15:03:29:640]: Executing op: IconCreate(Icon=nstray.exe,Data=BinaryData)
MSI (c) (28:E4) [15:03:29:640]: Executing op: IconCreate(Icon=doc.ico,Data=BinaryData)
MSI (c) (28:E4) [15:03:29:640]: Executing op: ActionStart(Name=PublishFeatures,Description=Publishing Product Features,Template=Feature: [1])
MSI (c) (28:E4) [15:03:29:640]: Executing op: FeaturePublish(Feature=Documentation,Parent=ProductFeature,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: FeaturePublish(Feature=Plugins,Parent=ProductFeature,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: FeaturePublish(Feature=ServiceRegistration,Parent=ProductFeature,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: FeaturePublish(Feature=MainProgram,Parent=ProductFeature,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: FeaturePublish(Feature=ProductFeature,,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: FeaturePublish(Feature=FireWallException,Parent=ProductFeature,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: FeaturePublish(Feature=CheckPlugins,Parent=Plugins,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: FeaturePublish(Feature=NRPEPlugins,Parent=Plugins,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: FeaturePublish(Feature=NSCPlugins,Parent=Plugins,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: FeaturePublish(Feature=NSCAPlugin,Parent=Plugins,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: FeaturePublish(Feature=SampleScripts,Parent=Plugins,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: ActionStart(Name=PublishProduct,Description=Publishing product information,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: CleanupConfigData()
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\B9DFAA6788398D544B4612A796DE3E85\Patches 3: 2
MSI (c) (28:E4) [15:03:29:687]: Executing op: ProductPublish(PackageKey={0DA4D155-5ACC-4D01-AE99-6380B8F8785C})
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Executing op: UpgradeCodePublish(UpgradeCode={0B36E3B7-0042-452D-B376-57E0C07ADDAA})
MSI (c) (28:E4) [15:03:29:703]: Executing op: SourceListPublish(,,,,NumberOfDisks=1)
MSI (c) (28:E4) [15:03:29:703]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85\SourceList 3: 2
MSI (c) (28:E4) [15:03:29:703]: Executing op: ProductPublishClient(,,)
MSI (c) (28:E4) [15:03:29:703]: Executing op: End(Checksum=0,ProgressTotalHDWord=0,ProgressTotalLDWord=0)
MSI (c) (28:E4) [15:03:29:812]: Note: 1: 2318 2:
MSI (c) (28:E4) [15:03:29:812]: DoAdvertiseScript is returning: 0
=== Verbose logging stopped: 3/26/2012 15:03:29 ===
Unfortunately I don't really understand what's going on here. Any help is appreciated.
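An added example (not from Briantist or anyone else in the thread): it writes the Windows Installer logging policy value using the "voicewarmup" string that worked above, then summarises the newest MSI log from the SYSTEM account's temp folder. The log folder, the line patterns and the meaning of the (c)/(s) prefixes are assumptions drawn from the excerpt above and from the Installer's documented log format.

```powershell
# Added example, not from the thread: enable verbose Installer logging via the
# policy key and pull the outcome lines out of the newest MSI*.log.
$InstallerPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'

function Enable-MsiVerboseLogging {
    # Same registry value the "Windows Installer > Logging" GPO setting writes.
    if (-not (Test-Path $InstallerPolicyKey)) { New-Item -Path $InstallerPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $InstallerPolicyKey -Name Logging -Value 'voicewarmup' -Type String
    (Get-ItemProperty -Path $InstallerPolicyKey -Name Logging).Logging
}

function Get-MsiLogSummary {
    # GPO software installs run as SYSTEM, whose %temp% is C:\Windows\Temp (per the post above).
    param([string]$LogDir = "$env:windir\Temp")

    $log = Get-ChildItem -Path $LogDir -Filter 'MSI*.log' -ErrorAction SilentlyContinue |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $log) { return $null }
    $lines = Get-Content -Path $log.FullName

    $product     = $lines | Select-String -Pattern 'ProductName=([^,]+)' | Select-Object -First 1
    $productName = if ($product) { $product.Matches[0].Groups[1].Value } else { $null }

    [pscustomobject]@{
        Log          = $log.FullName
        Product      = $productName
        # "MSI (c)" lines come from the calling process, "MSI (s)" from the Installer
        # service, which is where the install execute sequence actually runs.
        ClientLines  = ($lines | Select-String -Pattern '^MSI \(c\)').Count
        ServiceLines = ($lines | Select-String -Pattern '^MSI \(s\)').Count
        # "Note: 1: 1402" = could not open a registry key; usually benign on a first install.
        MissingKeyNotes = ($lines | Select-String -Pattern 'Note: 1: 1402').Count
        # Lines that carry the outcome: engine return codes and failed actions (Return value 3).
        Outcomes = @($lines |
                     Select-String -Pattern 'is returning: \d+|Return value 3|MainEngineThread is returning' |
                     ForEach-Object { $_.Line.Trim() })
    }
}

Enable-MsiVerboseLogging
Get-MsiLogSummary | Format-List
```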

Wicaeed
Feb 8, 2005
Does anyone have tips on creating a WMI query for a GPO that I want deployed on only physical machines?

For some reason Google isn't helping much right now.

I know you can get the machine manufacturer with a WMI query such as
code:
select * from Win32_ComputerSystem 
but I can't quite figure out how to EXCLUDE results with a WMI query, it's easier to include a result...

coffee edit:

Had my morning coffee and figured it out :)

Proper syntax to filter is
code:
select * from Win32_ComputerSystem WHERE Not Model LIKE "VMware Virtual Platform"

Wicaeed fucked around with this message at 14:39 on Mar 30, 2012
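An added example (not Wicaeed's code) that runs a WMI filter's WQL query locally before it is attached to a GPO, so you can see whether the machine you are on would be in scope. The Hyper-V and VirtualBox model strings in the broader variant are assumptions added here, not from the thread.

```powershell
# Added example, not from the thread: evaluate a WMI filter query on this
# machine the way the Group Policy client would, and report the verdict.
function Test-WmiFilter {
    param([Parameter(Mandatory)][string]$Query)
    # A WMI filter lets the GPO apply only when the query returns at least one instance.
    $rows = @(Get-CimInstance -Query $Query -ErrorAction Stop)
    [pscustomobject]@{
        Model   = (Get-CimInstance -ClassName Win32_ComputerSystem).Model
        Applies = ($rows.Count -gt 0)
        Query   = $Query
    }
}

# The filter from the post above: physical machines only, by excluding the VMware model string.
$PhysicalOnly = 'select * from Win32_ComputerSystem WHERE Not Model LIKE "VMware Virtual Platform"'
Test-WmiFilter -Query $PhysicalOnly

# Broader variant (assumption): the Hyper-V "Virtual Machine" and VirtualBox model strings
# are not from the thread; confirm them on your own guests before relying on this filter.
$PhysicalOnlyBroad = 'select * from Win32_ComputerSystem WHERE Not Model LIKE "VMware Virtual Platform" AND Not Model LIKE "Virtual Machine" AND Not Model LIKE "VirtualBox"'
Test-WmiFilter -Query $PhysicalOnlyBroad
```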

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
So what the gently caress? Does Mac OS X 10.6 not support NTLMv2?

Anyone have problems with SMB shares with Windows Server 2008 R2 file server? My Mac OS X 10.6 machines can't authenticate.

madsushi
Apr 19, 2009

Baller.
#essereFerrari

IT Guy posted:

So what the gently caress? Does Mac OS X 10.6 not support NTLMv2?

Anyone have problems with SMB shares with Windows Server 2008 R2 file server? My Mac OS X 10.6 machines can't authenticate.

Correct, no SMB2 support in 10.6. Should still work though, falling back to SMB, just like Windows XP would. Is the time on your Mac and the time on the 2008r2 server 5 minutes apart or more?

Docjowles
Apr 9, 2009

Edit: I think I misinterpreted what the author was saying. He randomly has a big warning about Roaming Profile caching in the middle of the Folder Redirection chapter. I figured it applied to both but it seems he really did only mean Roaming Profiles.

I need some protips on Folder Redirection. I had it working, but reading through my new group policy book, the author states that as a best practice the share hosting the redirected folders should have caching disabled. I had it enabled, so I went ahead and flipped it off.

All hell immediately broke loose with laptop users. Couldn't access their documents, IE bookmarks went missing, they'd even get permission errors browsing to the share (wut). Unless they were in the office on a wired connection when their PC booted, their profile was just basically empty.

Spending quality time on Google, I get a shitload of conflicting info on this. Some pages say caching must be disabled because Folder Redirection has its own internal cache and they stomp on each other. Other pages say it can and should be left on. Based on my experience, it sure seems to be necessary unless you live in a wonderful world where you only have desktop users who never leave the office. I had caching on for a few months, then turned it off, maybe that hosed things up and it would have been fine if I had it off from day 1?

So, which is it?

Docjowles fucked around with this message at 00:00 on Apr 3, 2012

Cpt.Wacky
Apr 17, 2005
My memory could be hazy since it's been a few weeks since I looked at it, but I think with Windows 7 clients you want it on, and older clients you want it off.

parasyte
Aug 13, 2003

Nobody wants to die except the suicides. They're no fun.

Docjowles posted:

Edit: I think I misinterpreted what the author was saying. He randomly has a big warning about Roaming Profile caching in the middle of the Folder Redirection chapter. I figured it applied to both but it seems he really did only mean Roaming Profiles.

This is basically it. Roaming profile shares should not (in the RFC meaning, I think) have offline caching enabled and must not have auto-caching enabled as there can be times when the caching will interfere with the roaming profiles synchronization. If you don't have users who will pin files manually it's probably not a big deal but it is safer to have the roaming profile share never allow offline caching.

Redirected folders on the other hand must allow caching as the OS will automatically cache all redirected folders.

EoRaptor
Sep 13, 2003

by Fluffdaddy

IT Guy posted:

So what the gently caress? Does Mac OS X 10.6 not support NTLMv2?

Anyone have problems with SMB shares with Windows Server 2008 R2 file server? My Mac OS X 10.6 machines can't authenticate.

By default, 2008 R2 disables NTLMv1 authentication, and will only talk to NTLMv2 or better clients. You can change this at the group policy or local security policy level, and reboot for the change to take effect.

There is also a registry setting for it, but other policy changes could overwrite that, so GPO is better in this case.

There are also third party tools for OSX that add support for SMB2 (DAVE, I think)


IT Guy
Jan 12, 2010

You people drink like you don't want to live!

EoRaptor posted:

By default, 2008 R2 disables NTLMv1 authentication, and will only talk to NTLMv2 or better clients. You can change this at the group policy or local security policy level, and reboot for the change to take effect.

There is also a registry setting for it, but other policy changes could overwrite that, so GPO is better in this case.

There are also third party tools for OSX that add support for SMB2 (DAVE, I think)

I changed the NTLM authentication down to LM + NTLM with NTLMv2 if negotiated. I guess I'll find out tomorrow if the Macs can connect.

Edit: I assume Lion will use NTLMv2, right? I don't plan on keeping my NTLM authentication so low for a long time.

IT Guy fucked around with this message at 04:18 on Apr 3, 2012
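An added example (not from EoRaptor or IT Guy) that reads the registry value behind the "Network security: LAN Manager authentication level" policy, so you can confirm where a change like the one above landed and notice when a server has been left at a lowered level. The level names follow the policy's drop-down; the default of 3 when the value is absent is an assumption for Server 2008 R2 and Windows 7.

```powershell
# Added example, not from the thread: report the effective LAN Manager
# authentication level and what it means for LM / NTLMv1 exposure.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # An absent value means the OS default applies; 3 is assumed here for 2008 R2 / Windows 7.
    $prop  = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    $level = if ($prop) { [int]$prop.LmCompatibilityLevel } else { 3 }

    [pscustomobject]@{
        Level           = $level
        Explicit        = [bool]$prop
        Name            = $LmLevelNames[$level]
        # Below 3 this host still sends LM or NTLMv1 responses when it acts as the client.
        SendsLegacyAuth = $level -lt 3
        # As a server it only starts refusing inbound LM at 4 and NTLMv1 at 5.
        RefusesLm       = $level -ge 4
        RefusesNtlmv1   = $level -ge 5
    }
}

Get-LmCompatibilityLevel
```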
