Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

skipdogg posted:

Just wrote my first custom ADM template and feeling pretty loving awesome about it. <3 Group Policy.


I see an option in the User\Preferences\Control Panel Settings\Printers when you set up a shared printer you can set it as the default.

Not sure if that will work for you or not.

I see that too but I have no idea how that works in conjunction with 2008 R2's print services.


Swink
Apr 18, 2006
Left Side <--- Many Whelps
Default printer is one of the things that turned out easier to just write a script for. It's more flexible especially if your print situation is as bizarre as mine.

Mierdaan
Sep 14, 2004

Pillbug
This isn't a group policy question, but all the AD nerds hang out in here. Why can't I add users/groups from a trusted forest to a universal security group in my domain?



But when I go to add objects to a universal security group, I don't see the trusted forest at all; just my own:


DNS is set up with conditional forwarders and is working fine - I can verify the trusts and they check out just fine.

InfiniteDonkey
Jul 27, 2007

I think I need a hug.
I was part of a 4 domain (three 2003 AD's and one 2008 AD) merge a couple of years back. The 2008 AD was going to be where everything was going to be migrated, so we set up new file servers, exchange, MOC, etc, in it. The funny thing was, that we could only add the users from the trusted domains into domain local groups, universal groups didn't even see the other domains.

InfiniteDonkey fucked around with this message at 20:32 on Jun 6, 2012

Mierdaan
Sep 14, 2004

Pillbug

InfiniteDonkey posted:

I was part of a 4 domain (three 2003 AD's and one 2008 AD) merge a couple of years back. The 2008 AD was going to be where everything was going to be migrated, so we set up new file servers, exchange, MOC, etc, in it. The funny thing was, that we could only add the users from the trusted domains into domain local groups, universal groups didn't even see the other domains.

Huh. That's exactly the case for me as well. What the hell is going on with that?

InfiniteDonkey
Jul 27, 2007

I think I need a hug.

Mierdaan posted:

Huh. That's exactly the case for me as well. What the hell is going on with that?

I never figured out what the cause was. We started running down the 2003 domains slowly and everything worked, so I didn't ever bother to find out.

Nebulis01
Dec 30, 2003
Technical Support Ninny

Mierdaan posted:

This isn't a group policy question, but all the AD nerds hang out in here. Why can't I add users/groups from a trusted forest to a universal security group in my domain?

http://technet.microsoft.com/en-us/library/cc755692%28v=ws.10%29.aspx
http://networkadminkb.com/KB/a106/universal-group-limitations.aspx

If I'm remembering and reading correctly, this is by design.

Frozen Peach
Aug 25, 2004

garbage man from a garbage can
Is there a way to set a shutdown rule in Active Directory? I would love to be able to set a rule that automatically shuts computers down at a certain time, so that I could then also enforce a virus scan to run at a universal time on every computer in the office.

Ideally it should start a shutdown, but give an option for the user to cancel it if they choose to (on the off chance they're currently using the computer at the time).

Digital_Jesus
Feb 10, 2011

Frozen-Solid posted:

Is there a way to set a shutdown rule in Active Directory? I would love to be able to set a rule that automatically shuts computers down at a certain time, so that I could then also enforce a virus scan to run at a universal time on every computer in the office.

Ideally it should start a shutdown, but give an option for the user to cancel it if they choose to (on the off chance they're currently using the computer at the time).

Despite everyone and their grandmother telling Microshit to add a central-management option for issuing domain-wide automated reboot/shutdowns, you still have to make a stupid login script.

Frozen Peach
Aug 25, 2004

garbage man from a garbage can

Digital_Jesus posted:

Despite everyone and their grandmother telling Microshit to add a central-management option for issuing domain-wide automated reboot/shutdowns, you still have to make a stupid login script.

What about having group policy add a scheduled task? Is that a reliable enough method?

Digital_Jesus
Feb 10, 2011

Frozen-Solid posted:

What about having group policy add a scheduled task? Is that a reliable enough method?

Yeah you can do that too.

Frozen Peach
Aug 25, 2004

garbage man from a garbage can

Digital_Jesus posted:

Yeah you can do that too.

Quick and dirty shutdown app it is!

Digital_Jesus
Feb 10, 2011

Except when they hit cancel it auto-powers off without properly closing windows, causing them to lose their files.

Nobody is allowed to get around the system. Shut down means shut down. Plebs.

Docjowles
Apr 9, 2009

"Hey what's this BOFH.EXE that keeps popping up in task manager?"

Thanks Ants
May 21, 2004

#essereFerrari


cozpop.exe on startup

Wicaeed
Feb 8, 2005
I keep running into an error in my Group Policy management snapin with Policies that have registry items configured. When I go to view details I get the following error:



I've actually created a similar GPO for a separate site, and the domain controller at Site A can't read the registry setting enclosed in the GPO of Site B, and vice versa.

Being an AD/GPO noob, I've checked the error logging on both DC's and run dcdiag, but that's as far as my skills take me.

Where else could I look to see what might be causing this?

Further frustrating is when I try to run a 'gpresult /R' as my domain admin account I get an Access Denied error :what:

Wicaeed fucked around with this message at 21:24 on Jun 27, 2012

InfiniteDonkey
Jul 27, 2007

I think I need a hug.
It looks like your GPO is messed up in sysvol. Check the folder that matches the GPO's GUID in sysvol. Looks like the XML file is missing or there's something else wrong with it.

Earlier this year I had most of our trusted site settings messed up when a junior tech support guy inserted a URL wrong into the trusted sites list. It also caused a somewhat similar error. Luckily the fix was easy (http:\/ -> http://).

Wicaeed
Feb 8, 2005
Hmm it looks like the folder itself isn't even being created in the Sysvol folder, even after I forced replication manually.

incoherent
Apr 24, 2004

Are your sysvols being replicated via FRS or DFSR?

Also question time: what is the difference between workstation and computer certificates when setting up a AD CS?

e: saw the pictures "policy definitions retrieved from the local machine" get on DFSR migration asap, unless there is something horrible preventing you.

InfiniteDonkey
Jul 27, 2007

I think I need a hug.
Can the old-fashioned way of storing group policies co-exist with a central store?

Thanks Ants
May 21, 2004

#essereFerrari


Is it possible to redirect a folder in AppData\Local to a network location?

Before anyone tears my head off, we run Google Apps and some users aren't quite comfortable using their browser for email and calendar, so they use Google Apps Sync. Now for some reason the program provides no options when setting itself up, it takes your email address and password and goes off and makes an Outlook profile. The three/four things that it relies on are:
  • Outlook profile being created in the registry - roams with the user, this is good
  • Outlook profile files etc being created in AppData\Roaming\Microsoft\Outlook - again, a good thing to do
  • Google Apps data file (.PST) being created in AppData\Local\Google\Google Apps Sync - a good thing, it's just a cache
  • Google Apps database file in the same folder - doesn't roam, none of the settings move across

The way I see it, I can solve this a couple of ways. Either I copy the contents of AppData\Local\Google\Google Apps Sync to a file share on log off, and copy it back on log on (:barf:), or I somehow redirect the folder to a network location, and get Group Policy to tell the OS to always make it available offline.

I have a crazy idea to push a symbolic link via GP, should I be shot for attempting this?

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
I would tell them that the browser is the only supported solution, everything else is at their own risk (that's what we do here with Google Apps) but obviously your mileage may vary with that.

Thanks Ants
May 21, 2004

#essereFerrari


I'd love to, and I think eventually we will get to that point, but I'm under pressure to try and make something work for the guys clinging on to Outlook.

However, buried in Google's support site is this:

http://support.google.com/a/bin/answer.py?hl=en&answer=1041455&topic=22447&ctx=topic posted:

Set the paths to PSTs and log files by modifying a registry key

By modifying the following registry key with the following String Values, you can specify the locations of local PST files and log files. The new locations apply only to PSTs associated with profiles created after you modify this registry key, and to log files created after you modify this registry key.

On each computer where Google Apps Sync is installed, modify HKEY_CURRENT_USER\Software\Google\Google Apps Sync by adding the following String Values:

  • PstFolder
    • String Value name: PstFolder
    • String Value data: The path to the PST file on the local computer: for example, C:\Program Files\Google\Google Apps Sync\PST.

  • LogFolder
    • String Value name: LogFolder
    • String Value data: The path to the log files on the local computer: for example, C:\Program Files\Google\Google Apps Sync\Logs.

So I'm going to try that with some Offline Folders and see if it blows up in my face.

Hiyoshi
Jun 27, 2003

The jig is up!

Caged posted:

Is it possible to redirect a folder in AppData\Local to a network location?

Before anyone tears my head off, we run Google Apps and some users aren't quite comfortable using their browser for email and calendar, so they use Google Apps Sync. Now for some reason the program provides no options when setting itself up, it takes your email address and password and goes off and makes an Outlook profile. The three/four things that it relies on are:
  • Outlook profile being created in the registry - roams with the user, this is good
  • Outlook profile files etc being created in AppData\Roaming\Microsoft\Outlook - again, a good thing to do
  • Google Apps data file (.PST) being created in AppData\Local\Google\Google Apps Sync - a good thing, it's just a cache
  • Google Apps database file in the same folder - doesn't roam, none of the settings move across

The way I see it, I can solve this a couple of ways. Either I copy the contents of AppData\Local\Google\Google Apps Sync to a file share on log off, and copy it back on log on (:barf:), or I somehow redirect the folder to a network location, and get Group Policy to tell the OS to always make it available offline.

I have a crazy idea to push a symbolic link via GP, should I be shot for attempting this?

It's not going to be possible without a script. You've probably already seen this, but you can only redirect certain folders within the Users folder.

The symbolic link route is tempting, but since you're going to have to do an initial copy of the folder to your file server before you make the symbolic link anyway, you may as well just write the log on/log off script.

Edit: ^^^ Nice. Let us know how that goes.

Thanks Ants
May 21, 2004

#essereFerrari


I've just been testing it out (briefly), and first impressions are good. I didn't bother changing the log folder directory since I don't care about those, and it's probably more useful if the logs stay with the machine that generated them. It's survived a log on, set up, log off, remove the profile from the machine, log back in again.

The Google Apps Sync setup thing barfed at a UNC path and failed to make the profile, so I ended up deploying a drive mapping GPP as well. I will probably hide this once I'm happy that this solution works so people don't have something to screw around with.

Performance is hard to judge since I'm doing this over a slow link to an RDP session in the office, but it seems as quick as it was. Obviously I'm now essentially running a PST file from a network, hopefully having it available offline will minimise the risk of it going horribly wrong. Also there's no possibility of being logged in on two machines with Outlook running on both, but that's a downside that I think everyone can deal with.

I think I'll write this up into a little article at some point once I've tested it with some more users, hopefully it will help other people in the same position.

Also: gently caress you Google for not making ADMX templates for Sync.

Thanks Ants fucked around with this message at 01:43 on Aug 9, 2012

MJP
Jun 17, 2007

Are you looking at me Senpai?

Grimey Drawer
So this may be more of a general Active Directory question but it could be GPO related as well. Figured I'd start here.

I've got a custom AD taskpad that displays the Find, Open, and Properties tasks for a single OU and all sub-OUs within. The objective is to give the Help Desk the option to add and remove people from security and distribution groups.

Is there a GPO to remove all options other than Properties when right-clicking a group or OU? The taskpad would be deployed locally to help desk users' desktops and optimally we'd just like to remove any and all other options other than Properties.

incoherent
Apr 24, 2004

http://www.petri.co.il/create_taskpads_for_ad_operations.htm

This appears to give you every step you need to focus down the AD taskpad to just "properties". It will hide the OU from their view and only let them click on a user.

Delegating rights rather than hiding features is going to be your best bet in the long run. They'll get an access denied when trying the other tasks outside of the delegated "manage groups" rights.

incoherent fucked around with this message at 09:33 on Aug 30, 2012

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Is there a way to limit what flash drives get mounted so that only "approved" drives can be used? And is there a way to do it with Local Policy, because some of the machines might not be on the network.

devmd01
Mar 7, 2006

Elektronik
Supersonik

FISHMANPET posted:

Is there a way to limit what flash drives get mounted so that only "approved" drives can be used? And is there a way to do it with Local Policy, because some of the machines might not be on the network.

What antivirus suite do you use? There might be something in there. Hell, even Endpoint Protection has something like that, as lovely as it is.

Mierdaan
Sep 14, 2004

Pillbug
Before I dig into it, is anyone else having problems with group policy preference drive mappings in Windows 8 RTM?

edit: oh hey I guess not.

Mierdaan fucked around with this message at 17:44 on Aug 30, 2012

Docjowles
Apr 9, 2009

FISHMANPET posted:

Is there a way to limit what flash drives get mounted so that only "approved" drives can be used? And is there a way to do it with Local Policy, because some of the machines might not be on the network.

Take a look at this

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
It's probably a fool's errand, because these are Win 95/98/2k machines that don't have network connections and therefore don't have up to date AV, so some bozo researcher plugs in a virus laden flash drive and infects the instrument computer.

gently caress this place.

Nintendo Kid
Aug 4, 2011

by Smythe

FISHMANPET posted:

It's probably a fool's errand, because these are Win 95/98/2k machines that don't have network connections and therefore don't have up to date AV, so some bozo researcher plugs in a virus laden flash drive and infects the instrument computer.

gently caress this place.

FYI almost all current viruses and malware on the net completely fail to run on 95 and 98. They're usually built for NT 5 kernel or later operating systems and they can't do anything on a Win9x system other than cause the OS to tell you you tried to run an invalid application.

And correspondingly, the ones that can still infect Win9x systems usually don't manage to do anything on an NT kernel OS, especially Vista and later.

Your Windows 2000 machines, however, those are likely vulnerable to most stuff that's currently on the web. Guard those, but don't be too worried about the 9x machines.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
Ever wanted an online resource where you could search policies by name, see their description and the registry key it changes?


Now there is one! http://gps.cloudapp.net

Edit: This poo poo has been around since 2010 and I had no idea. What the gently caress.

Trinitrotoluene
Dec 25, 2004

I'm about to set up a number of remote desktop servers shortly and plan to lock them all down using GPO. Does anyone have any resources for "recommended" policies for such a situation? I assume MS do but I can't find it and I want to lock these down tighter than *insert pun here*

gooby pls
May 18, 2012



Have a bit of a head scratcher. Windows 7 Pro SP1, VDI environment. Mapping drives, printers, etc. via GPP. Drives and Printers appear to map properly but the event log is throwing up an event id 1112 for the drive map policy (..."changes must be processed before the system startup or user logon")

The detailed error description is "the group policy framework should call the extension in the synchronous foreground policy refresh."

RSOP shows the drive map policy as "pending."

All the drives have mapped. They're primarily departmental shares that mapped based on item level targeting by security group. KB2561285 is installed on the master image.

Wait for network is also enabled in the default vdi policy.

Anything I should be looking at?

alanthecat
Dec 19, 2005

I just got event collecting/forwarded events working (mostly). I also, today, deployed some software. The forwarded events log is full of events like:

The Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon.

Is there anything I can do to stop these from appearing? I'm worried about filtering them out or I'll miss warnings that aren't related to logged in users.
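A defender-side way to triage these 1112 warnings without filtering the event ID out wholesale, as an added example rather than anything posted in the thread. It assumes PowerShell 3 or later, that the collector writes to the ForwardedEvents log, and that the provider name is Microsoft-Windows-GroupPolicy; the regex is built from the message text quoted above.

```powershell
# Added example (not from the thread): separate the expected 1112 warnings
# (Software Installation CSE after a deployment) from the ones you still want
# to see (drive maps, folder redirection, ...). Assumptions: PowerShell 3+,
# events collected into the ForwardedEvents log.
param(
    [string]$LogName = 'ForwardedEvents',
    [int]$Hours = 24,
    # CSEs whose 1112 warnings are expected right now and can be summarised.
    [string[]]$ExpectedExtensions = @('Software Installation')
)

$since = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = $LogName
    ProviderName = 'Microsoft-Windows-GroupPolicy'
    Id           = 1112
    StartTime    = $since
} -ErrorAction SilentlyContinue

# Pull the CSE name out of the message text quoted in the thread:
# "The Group Policy Client Side Extension <name> was unable to apply ..."
$pattern = 'Client Side Extension (?<cse>.+?) was unable to apply'

$triage = foreach ($e in $events) {
    $cse = if ($e.Message -match $pattern) { $Matches['cse'] } else { '(unknown)' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Computer  = $e.MachineName
        Extension = $cse
        Expected  = $ExpectedExtensions -contains $cse
    }
}

# Expected CSEs: one count per computer, so you still see the deployment
# is pending a reboot/logon without drowning in identical lines.
$triage | Where-Object Expected | Group-Object Computer, Extension |
    Select-Object @{n = 'Computer';  e = { $_.Group[0].Computer }},
                  @{n = 'Extension'; e = { $_.Group[0].Extension }},
                  Count |
    Format-Table -AutoSize

# Anything else in full: these are the warnings you would lose if 1112 were
# simply suppressed on the collector.
$triage | Where-Object { -not $_.Expected } | Sort-Object Time |
    Format-Table Time, Computer, Extension -AutoSize
```

Once the rollout has finished, drop 'Software Installation' from $ExpectedExtensions so a lingering 1112 from that CSE shows up again in the second list.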

incoherent
Apr 24, 2004


gooby pls posted:

Have a bit of a head scratcher. Windows 7 Pro SP1, VDI environment. Mapping drives, printers, etc. via GPP. Drives and Printers appear to map properly but the event log is throwing up an event id 1112 for the drive map policy (..."changes must be processed before the system startup or user logon")

The detailed error description is "the group policy framework should call the extension in the synchronous foreground policy refresh."

RSOP shows the drive map policy as "pending."

All the drives have mapped. They're primarily departmental shares that mapped based on item level targeting by security group. KB2561285 is installed on the master image.

Wait for network is also enabled in the default vdi policy.

Anything I should be looking at?

This means Fast Logon is being applied via a GPO. It's to help speed up XP machines logging into the network, but depending on your network you may not need it for Win7.

http://technet.microsoft.com/en-us/library/jj573586.aspx

gpupdate /sync will force an update on reboot.

Trinitrotoluene posted:

I'm about to set up a number of remote desktop servers shortly and plan to lock them all down using GPO. Does anyone have any resources for "recommended" policies for such a situation? I assume MS do but I can't find it and I want to lock these down tighter than *insert pun here*

Microsoft security compliance manager will spit out GPOs for you to deploy.

http://technet.microsoft.com/en-us/library/cc677002.aspx

They're the evolved Starter GPOs that you see when you create a new GPO in GPMC.

incoherent fucked around with this message at 06:23 on Sep 14, 2012

sanchez
Feb 26, 2003

incoherent posted:



Microsoft security compliance manager will spit out GPOs for you to deploy.

http://technet.microsoft.com/en-us/library/cc677002.aspx

They're the evolved Starter GPOs that you see when you create a new GPO in GPMC.

Wow, did not know this existed.


Sickening
Jul 16, 2007

Black summer was the best summer.
I figured I would run something by you guys. I love the thought of group policy restricting groups that are in the built-in administrators group. Saying that, we do have the need for users to be local admins on specific machines.

So in other words, I need a solution that meets the following.

1. Restricts the administrators group to pre-determined groups on each workstation.
2. Allows an exception for specified users to specified machines, while still being centrally managed.
3. A user who has an exception can only have admin access to the machine they have the exception for.


Anything I have thought of so far turns into a complicated mess. Am I missing something simple?
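One way to meet all three requirements with a script run on each workstation (startup script or GPP scheduled task), as an added example that is not from the thread: a central allow-list carries the baseline groups plus per-machine exceptions, and the script reconciles the local Administrators group against exactly that set. The file path, the CSV layout and the CORP\ names are constructed for the example; the Get-/Add-/Remove-LocalGroupMember cmdlets assume Windows 10 / Server 2016 or later.

```powershell
# Added example (not from the thread): enforce local Administrators membership
# from a central allow-list. Assumes the Microsoft.PowerShell.LocalAccounts
# cmdlets (Windows 10 / Server 2016+). Run with -WhatIf first to see changes.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical central file; the CSV content below is constructed.
    [string]$PolicyPath = '\\fileserver\gpscripts\localadmins.csv',
    [string]$ComputerName = $env:COMPUTERNAME
)

# CSV columns: Scope ('*' = every workstation, else one computer name) and
# Member ('DOMAIN\name'). Constructed sample content:
#   Scope,Member
#   *,CORP\Domain Admins
#   *,CORP\Workstation Admins
#   WS-LAB-07,CORP\jsmith
#   WS-CAD-02,CORP\kjones
$policy = Import-Csv -Path $PolicyPath

# Desired set: baseline entries plus exceptions scoped to this machine only,
# so CORP\jsmith's exception on WS-LAB-07 grants nothing on any other host.
$desired = @($policy |
    Where-Object { $_.Scope -eq '*' -or $_.Scope -eq $ComputerName } |
    ForEach-Object { $_.Member.Trim() })

# Always keep the built-in local Administrator (RID 500) so the script cannot
# lock you out; resolve its current name rather than assuming "Administrator".
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$desired += "$ComputerName\$($builtin.Name)"

$current = @(Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name })

# Compare-Object is case-insensitive by default, which suits account names.
$diff = Compare-Object -ReferenceObject $desired -DifferenceObject $current

foreach ($d in $diff) {
    switch ($d.SideIndicator) {
        '=>' {  # present locally but not in policy: remove it
            if ($PSCmdlet.ShouldProcess($d.InputObject, 'Remove from Administrators')) {
                Remove-LocalGroupMember -Group 'Administrators' -Member $d.InputObject
            }
        }
        '<=' {  # in policy but missing locally: add it
            if ($PSCmdlet.ShouldProcess($d.InputObject, 'Add to Administrators')) {
                Add-LocalGroupMember -Group 'Administrators' -Member $d.InputObject
            }
        }
    }
}
```

Get-LocalGroupMember fails for the whole group when it contains an orphaned SID from a deleted account, so clear those by hand before the first enforced run; the allow-list file itself needs an ACL that only the admins who manage exceptions can write.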
