|
I can't find an anti-virus thread anywhere so I guess this is as good a place as any to ask: What are you guys using for AV? The place I'm at now has been using Kaspersky for forever, but after three years of dealing with its bullshit I'm finally in a position to evaluate alternatives. I know SCCM/Forefront is pretty popular, but I think it's overkill for our small company in terms of complexity and cost.
|
#
?
Jan 14, 2014 16:47
|
|
|
|
| # ? Apr 25, 2024 19:03 |
|
|
Karthe posted:I can't find an anti-virus thread anywhere so I guess this is as good a place as any to ask: What are you guys using for AV? The place I'm at now has been using Kaspersky for forever, but after three years of dealing with its bullshit I'm finally in a position to evaluate alternatives. I know SCCM/Forefront is pretty popular, but I think it's overkill for our small company in terms of complexity and cost. I've used ESET's NOD32 at a number of companies and really like it quite a bit. Another admin friend of mind recommended Vipre by Threat Track Security (http://www.threattracksecurity.com/) and we're giving it a shot for a year, it replaced Kaspersky for us and we've been very happy so far. They also include 3rd party patch management (Java, iTunes, Firefox, Flash, etc) in their business premium license.
|
|
#
?
Jan 14, 2014 16:55
|
|
|
Karthe posted:I can't find an anti-virus thread anywhere so I guess this is as good a place as any to ask: What are you guys using for AV? The place I'm at now has been using Kaspersky for forever, but after three years of dealing with its bullshit I'm finally in a position to evaluate alternatives. I know SCCM/Forefront is pretty popular, but I think it's overkill for our small company in terms of complexity and cost. We use ESET and I couldn't be happier with it. You get some false positives on obfuscated javascript every once in a while but its been rock solid for me.
|
|
#
?
Jan 14, 2014 16:59
|
|
|
Karthe posted:I can't find an anti-virus thread anywhere so I guess this is as good a place as any to ask: What are you guys using for AV? The place I'm at now has been using Kaspersky for forever, but after three years of dealing with its bullshit I'm finally in a position to evaluate alternatives. I know SCCM/Forefront is pretty popular, but I think it's overkill for our small company in terms of complexity and cost. Sophos is another 'big enterprise' AV recommendation. I like it quite a bit, but it's definitely targeted at larger enterprises. NOD32 seems to be the SMB AV of choice these days.
|
|
#
?
Jan 14, 2014 17:23
|
|
|
FISHMANPET posted:I'm not sure why you would want the computer to get a MINIT when you could let it have its actual name. I often don't know the final name for a computer until after the build process is done (a preliminary build order will come in before hiring is completed). We also don't tend to recycle computer names all that often so I usually just delete it from AD and create it all from scratch.
|
|
#
?
Jan 14, 2014 21:30
|
|
|
We have Sophos spam and web appliances and apparently AV is free with it now. We found that out after spending all the hours implementing Forefront.
|
|
#
?
Jan 14, 2014 21:34
|
|
|
The SCCM server I am working with doesn't have PS 3.0 installed (and unfortunately doing anything about that isn't an option), but I have other machines available that do. Is there any way for me to use add-cmdevicecollectiondirectmembershiprule to add devices to a collection? I am thinking that invoke-command on the server might do the trick, but I haven't found any documentation on that and would be interested to know if that could cause any problems before messing around.
|
|
#
?
Jan 14, 2014 21:39
|
|
|
Number19 posted:3. This is also something I've wanted to get working. I'm tired of going around and chasing down computers for people who are on vacation to turn them in and let updates install. I just ended up deploying a WOL script that activated the option today. I tested and it works in sleep mode, I actually haven't it with the computer in shutdown mode(I think that is based on a bios setting though? iAMT?) FISHMANPET posted:I'm not sure why you would want the computer to get a MINIT when you could let it have its actual name. Our naming convention is first letter first name + last name (I know not the best.) So yeah.. most likely when I'm re-imaging it will be renamed, and as I mentioned if it takes on the old name, and the computer is in a mandatory deployment, it will just reinstall all the stuff again once the computer is imaged. I know you could have that popup for OSDcomputername at re-build but I wanted to keep that at zero touch but perhaps that's my only option. I'd prefer to change the name post-image as I need to login to the machine anyways to create the new profile for the user. edit: Also did not know about offline update service. *Should probably read the SCCM 2012 release notes at one point. lol internet. fucked around with this message at 03:48 on Jan 15, 2014 |
|
#
?
Jan 15, 2014 01:37
|
|
|
AreWeDrunkYet posted:The SCCM server I am working with doesn't have PS 3.0 installed (and unfortunately doing anything about that isn't an option), but I have other machines available that do. Is there any way for me to use add-cmdevicecollectiondirectmembershiprule to add devices to a collection? I am thinking that invoke-command on the server might do the trick, but I haven't found any documentation on that and would be interested to know if that could cause any problems before messing around. Install the console on a workstation that has PS 3.0 or above. There's a command you run to load the SCCM cmdlets (which I can post in the morning when I get to work) and then you just run it from your workstation.
|
|
#
?
Jan 15, 2014 08:30
|
|
|
Any IIS pros in this thread? For proof of concept I am attempting to build an IIS/NLB cluster with shared configuration enabled. The catch is that I'm attempting this on server core. Big deal, just use the remote IIS admin tools and set up shared config that way right? No, apparently you need to be on the box locally in order to generate the encryption key (configEncKey.key). The workaround for this is to use redirection.config as shown below.code:
|
|
#
?
Jan 15, 2014 16:59
|
|
|
Oops, posted this in the general Windows thread before I saw this one... taking a shot here as well. Trying to sort out an issue with junctions and SMBv2. This is with Server 2008 and Windows 7 as well as Mac 10.9. We have shared folders with junction folders inside of them. When users on Windows 7 go into these junction folders, and then click "back," they end up having the junction folders disappear. Upon further investigation, they are going hidden. You can view them if you enable hidden folders and turn off hide protected files. On a Mac, the junction folders show up but appear to be completely empty. I found this KB article which is the same problem, but the "fix" is changing a registry key on the clients. This is not feasible and also of course doesn't work for the Macs. We found that disabling SMBv2 on the server keeps this from happening, but causes other issues. Anybody run across this before and know what to do?
|
|
#
?
Jan 15, 2014 17:28
|
|
|
Here's my script:code:
|
|
#
?
Jan 15, 2014 17:39
|
|
|
Goons who have experience with SAP Business Objects- Is there a way to create a dashboard almost identical to the "Document List" link in InfoView? I tried using the navigation list and the viewer, but it seems to only let me add specific reports to the navigation list, whereas I'd like to add the folders with the reports and have it display like your average Windows navigation pane. Basically, I'm trying to create a dashboard for my users that is nearly identical to what you'd see if you clicked "Document List" in InfoView, except I want it branded and only want it to contain specific folders. Does that make sense? Any ideas? This is the best place I could think of to ask this. If I should post somewhere else please let me know.
|
|
#
?
Jan 16, 2014 23:18
|
|
|
Can someone explain KMS licensing to me please? I was under the impression that you setup a KMS server on your network and then through DNS your client machines (Windows 8.1 in our case) would activate through this server. We have a KMS key for Windows 8.1 but whenever I Google "how to setup a KMS server", all I get is how to configure a KMS host (client?). How does this work? edit: or is it when they say KMS host, is the KMS host the server? kiwid fucked around with this message at 17:00 on Jan 21, 2014 |
|
#
?
Jan 21, 2014 16:57
|
|
|
KMS host/KMS server, same thing. Whatever hosts the KMS service. It's pretty straightforward to be honest. This has everything you need. http://technet.microsoft.com/en-us/library/ff793419.aspx
|
|
#
?
Jan 21, 2014 17:05
|
|
|
skipdogg posted:KMS host/KMS server, same thing. Whatever hosts the KMS service. It's pretty straightforward to be honest. So I can't use a Windows 8.1 Pro KMS key on a Windows 2008 R2 server (the server I want to be the host). Still don't quite understand. Where am I supposed to use this Windows 8.1 KMS key?
|
|
#
?
Jan 21, 2014 17:18
|
|
|
http://technet.microsoft.com/en-us/library/ff793434.aspx read padiwan
|
|
#
?
Jan 21, 2014 17:20
|
|
|
kiwid posted:So I can't use a Windows 8.1 Pro KMS key on a Windows 2008 R2 server (the server I want to be the host). Still don't quite understand. Where am I supposed to use this Windows 8.1 KMS key? You need to install a hot fix to have Windows 8 or 8.1 auth to a 2008R2 server http://support.microsoft.com/kb/2885698
|
|
#
?
Jan 21, 2014 17:25
|
|
|
skipdogg posted:You need to install a hot fix to have Windows 8 or 8.1 auth to a 2008R2 server Ah, perfect, thank you.
|
|
#
?
Jan 21, 2014 17:28
|
|
|
poo poo pissing me off. We have a new customer. New enough that we do not have our own administrative logins on their systems. We are told "that's ok, just use the customer login." The first ticket we get? "Please reset password for customer login, as it is not working." Talking to the sales team just got a response of "Good luck, and keep us advised of your progress. We need to show this customer a can do attitude!" fake edit: Not pissing me off: My manager just read the sales team the riot act regarding the poor onboarding of this customer.
|
|
#
?
Jan 21, 2014 17:38
|
|
|
skipdogg posted:You need to install a hot fix to have Windows 8 or 8.1 auth to a 2008R2 server And now I get this exact issue: http://support.microsoft.com/kb/2752119/en-us loving bullshit. So it looks like I need to setup a Windows 8 KMS host or something. edit: so just to make sure I'm reading this correctly, I can buy a Server 2012 KMS key and activate it on a 2008 R2 machine, correct? I don't really want to setup a Windows 8 box to be the kms host. kiwid fucked around with this message at 17:56 on Jan 21, 2014 |
|
#
?
Jan 21, 2014 17:48
|
|
|
I was going to post this in the Exchange thread, but I think the problem isn't with Exchange. I have an Exchange 2010 server (on VMware ESX 5.0 U1) that when users access email using RPC over HTTP, it occasionally throws a cert error for a cert issued to the root of the domain. The SSL cert for Exchange is issued to smtp.domain.com while the problem cert is for domain.com. When I look in EMC at the certs, there's no trace of this certificate. I assume this is the result of a improper decommissioning and clean up of several old domain controllers, one that was a CA, I believe. http://technet.microsoft.com/en-us/library/cc771494.aspx ^Looking through ADSS in Public Key Services I see traces of what I think is old poo poo, but I'm not sure how to determine if what's in there is of any importance or if it can be safely deleted.
|
|
#
?
Jan 21, 2014 18:17
|
|
|
goobernoodles posted:I was going to post this in the Exchange thread, but I think the problem isn't with Exchange. I have an Exchange 2010 server (on VMware ESX 5.0 U1) that when users access email using RPC over HTTP, it occasionally throws a cert error for a cert issued to the root of the domain. The SSL cert for Exchange is issued to smtp.domain.com while the problem cert is for domain.com. Although maybe I'm missing the problem completely - does the SSL cert for smtp.domain.com show domain.com's bad cert as its root CA?
|
|
#
?
Jan 21, 2014 20:33
|
|
|
wyoak posted:It's probably easier if your Exchange certs are signed by an external trusted vendor (Verisign and others like them), since you'll run into issues with ActiveSync/OWA/Outook Anywhere on non-domain machines (if you allow those sorts of things) if you don't. Also, that certificate is expired so even if you get it into the trusted roots on everyone's machine it'll still throw errors. The cert is through Digicert and all of the "SSL Certificate Check" tools show everything as good. It's good until late 2015.
|
|
#
?
Jan 21, 2014 20:55
|
|
|
If you go to certification path tab on smtp.domain.com's cert it'll show you, but if it's a Digicert certificate with those dates it's probably fine (the root CA will be one of Digicert's servers). So now you have to figure out where people are getting this invalid cert from...in IIS on the CAS server, the correct cert is being used on the site, correct? Maybe you've got something weird like two IIS sites, one of which is using the bad cert? Does the error pop up immediately when they open Outlook, or maybe when they try to search the address book or book a meeting or something? Do you have any load balancing or SSL offloading in front of the CAS?
|
|
#
?
Jan 21, 2014 21:03
|
|
|
No load balancing. We do have a Barracuda ~virtual~ spam filter, but I implemented that in the past few months and we had the issue before then. In fact, we've had cert errors since my predecessor was here, which makes me think it's related to something that was supposed to be decommissioned. Granted, our Exchange 2003 server was a virtualized box of dog poo poo. Here are the certs and IIS; no weird secondary site or anything.  
goobernoodles fucked around with this message at 23:28 on Jan 21, 2014 |
|
#
?
Jan 21, 2014 23:24
|
|
|
What's your OWA url (is it something other than smtp.domain.com, and getting redirected somehow)? If you run Get-ClientAccessServer, Get-OABVirtualDirectory, and Get-WebServicesVirtualDirectory powershell commands, make sure the URL's (Autodiscover and internal/external) are all pointed at your CAS with the FQDN. Maybe check if some of the IIS virtual directories are set to accept or require client certificates (on the SSL settings for each directory), unless you're actually using client certificate authentication.
|
|
#
?
Jan 21, 2014 23:55
|
|
|
Could an HTTP redirect to webmail.domain.com for OWA cause the problem? The URL should be https://smtp.domain.com/owa
|
|
#
?
Jan 22, 2014 00:25
|
|
|
It could, if whatever is doing the redirecting has the old certificate on it....
|
|
#
?
Jan 22, 2014 00:31
|
|
|
wyoak posted:It could, if whatever is doing the redirecting has the old certificate on it.... I disabled the setting - I'll check to see if it has any effect. goobernoodles fucked around with this message at 01:17 on Jan 22, 2014 |
|
#
?
Jan 22, 2014 01:15
|
|
|
SCCM 2012 question. When creating an application and setting up file detection. Does anyone else have an issue with SCCM not detecting system variables? ie. %PROGRAMFILES(x86)% ? I setup a detection for Adobe Acrobat for instance Folder - %PROGRAMFILES(X86)%\Adobe\Acrobat 10 File - Acrobat.exe but it still fails? The example is not the exact path, but pretty sure I got it 100% correct.
|
|
#
?
Jan 22, 2014 02:29
|
|
|
lol internet. posted:SCCM 2012 question. Try using just %ProgramFiles% and checking the box below it for 'This file or folder is associated with a 32-bit application on 64-bit systems'. That makes it choose the proper variable automatically depending on the system that the detection is running on.
|
|
#
?
Jan 22, 2014 02:57
|
|
|
Calodram posted:Try using just %ProgramFiles% and checking the box below it for 'This file or folder is associated with a 32-bit application on 64-bit systems'. That makes it choose the proper variable automatically depending on the system that the detection is running on. I guess that makes sense, but the wizard\console was the one that automatically made it %programfiles(x86)%. I did actually test it with checking that off. I setup SCCM with ALL packages, now stuck converting them to Applications and testing again and re-testing OSD. When I started at my current place, I asked one of my old coworkers what's the difference between Applications and Packages as I only had sccm 2007 experience, he basically told me use packages because Applications took .msi only.  Then I only found out last week you could use .exe and now I want to setup the app catalog for deployments. kiwid posted:And now I get this exact issue: http://support.microsoft.com/kb/2752119/en-us No you don't buy KMS keys. What you do buy though is 5 keys through a vendor, and then you'll get registered with microsoft VLC (if you havent already) When you login to VLSC, goto windows 8, you'll see KMS keys (probably 5) and MAK keys (Prob 50+). Here's how you setup KMS - You install that hotfix or whatever which allows your 2008 box to host KMS keys (They actually have this for Office as well if you want to activate office against a KMS server) - You install your KMS server key (this is off the VLSC website) Look at the readme\install guide where you got the hotfix as it will tell you how to install the KMS key - You should already have a ton of windows 8 boxes in your environment that have MAK (from VLSC, activates against the internet) or OEM product keys (poo poo that came with the manufacturer license) - You need to convert these OEM\MAK keys to KMS client keys (download VAMP 2.0 or 3.0, I've only used 2.0 as you can install it as a mmc snap in 3.0 is a dedicated solution which runs SQL express and stores your information) Ok now that your KMS key is installed and your box is a "KMS Server.." not really..still one more thing to do I am not sure with windows 8 but windows 7 had this limitation\rule before it became a fully fledge kms server. You will need to look this up for win8 but for windows 7, basically you needed to convert 25 windows 7 boxes from MAK\OEM keys to KMS client keys within 30 days? Then everything will be fine and dandy. For Server 2008, you needed 5 machines converted to KMS client keys, then your KMS server will accept 2008 activations. KMS server = computers in your domain activate against that server, not microsofts internet activation server. When you format and install windows, you don't enter in a key, the OS knows to check the local network for a KMS server. The computer would check-in every 20 days or some crap, to tell the KMS server, HEY IM alive so count me as a active license, computers that don't check in past that day, KMS server assumes the computer is formatted\dead\stolen and it drops the license count. So for notebooks, in generally you want to either continue using the OEM or MAK keys because sometimes those can be off the network past 20 days, if they are their computers will say they are not licensed, enter in a license key. ** the 20 day threshhold I made up, i can't recall exactly, but it's roughly 20 days for windows 7. I think you can probably change this. ** 25 computers was a requirement for a KMS server to fully accept windows 7 activations. I am not sure what this is with Windows 8, but it's probably the same. Research that first ** I've only used VAMP 2.0 (volume activation management tool) this allows you to connect to the machiens in your network to convert them from MAK\OEM to KMS Client keys. It is also client side, the data stays with the machine it's installed on. 3.0 is server side and stores the data on whichever server you installed it on.) ** So now budgeting month for next year is coming up. Your boss says, hey neckbeard, we only paid for 20 win8 licenses, can you tell me how much win8 machines are actually setup? You use VAMP to scan the network and check, or there's a command you can enter in command prompt on the KMS host and it tells you how much computers are active\activated. So if it spits out you have 40 active licenses, you tell your boss budget to at least buy 20 extra licenses for windows8 next year. ** You might as well make the KMS server host office\windows7 KMS activations if you have those in your environment as well. And as a couple people already mentioned, it's actually pretty straightforward, and doesn't require much setting up or maintenance afterwards. Just throw up a test VM, and mess around. Download VAMP 2.0 and learn how to convert keys on a machine with the snap in. (it's easy, add computer, right click update with credentials, right click install KMS key, right click activate) lol internet. fucked around with this message at 04:29 on Jan 22, 2014 |
|
#
?
Jan 22, 2014 03:58
|
|
|
lol internet. posted:SCCM 2012 question. Go on a test rig and install the app package, which should report failed but have it on. Then fire up the console and manually navigate to the file for your detection rule. It will auto-fill the environment variable that matches anyway. I always fill in detection rules on test rigs so problems like your's don't happen. For Acrobat 10 Pro, I used Adobe's costumization tool to build a custom installer, which happens to have an MSI. The detection rule is to check for the install status of the MSI GUID. You'll probably want that tool because it can inject the serial and suppress nags for EULA, updates, registration, etc.
|
|
#
?
Jan 22, 2014 15:23
|
|
|
double post
|
|
#
?
Jan 22, 2014 15:24
|
|
|
lol internet. posted:I setup SCCM with ALL packages, now stuck converting them to Applications and testing again and re-testing OSD. Make sure you're on SCCM 2012 R2 for that. SCCM SP1 (earlier than CU2) has issues with Applications in an OSD Task Sequence. Getting it setup to update the client prior to installing applications is a giant pain and can be avoided by using R2. Also, Applications frigging rock for software deployment.
|
|
#
?
Jan 22, 2014 18:34
|
|
|
Zaepho posted:Also, Applications frigging rock for software deployment. This cannot be said enough. They rock for hotfix deployment too once you figure out how to detect them. The big pro to Applications is that they do installation checks before running so you can deploy them to devices that already have them installed and (so long as your checks work right) it will just install on the computers that are missing the Application. I just converted one of the client hotfixes to an application and it works perfectly. Also being able to specify requirements allows you to easily include x86 and x64 installs in the that Application and reduce your deployment count. Or if you really want to get creative, you can use those requirements to do fun things like deploy all the different OS-dependent versions of something like video drivers in one Application and have the requirements filter out all the wrong ones and just install the correct one. It's very powerful and I'm so glad I've managed to wrap my head around it. Edit: RE: hotfixes. I don't get why they don't let SCCM deploy updates in the Hotfix category that are imported from the WSUS catalogue. It seems like a silly limitation.
|
|
#
?
Jan 22, 2014 21:14
|
|
|
Any of you large enterprise guys, how do you handle AD Delegation? We have an absurd (50+)number of people in domain admins and one of my main goals this year is to get that number down to around 5 or so. I've grabbed a couple of large docs from Microsoft on AD Delegation and Security and a found a couple of blog posts to start, but really this seems like a how do you eat an elephant thing.
|
|
#
?
Jan 23, 2014 18:47
|
|
|
skipdogg posted:Any of you large enterprise guys, how do you handle AD Delegation? We have an absurd (50+)number of people in domain admins and one of my main goals this year is to get that number down to around 5 or so. I've grabbed a couple of large docs from Microsoft on AD Delegation and Security and a found a couple of blog posts to start, but really this seems like a how do you eat an elephant thing. If you have money to waste, I'd suggest quest active roles. It sounds like you're at a pretty big organization. It's hard to stay consistent as one admin will do something different from the next and also would be a bit harder to track down if someone does something they shouldn't or doesn't admit to a mistake they might of made.
|
|
#
?
Jan 24, 2014 01:41
|
|
|
|
| # ? Apr 25, 2024 19:03 |
|
|
I've just gotten Quest Active Admin up and going. Haven't started looking at the permissions templates but the auditing loving rules.
|
|
#
?
Jan 24, 2014 02:02
|
|