  • Locked thread
alanthecat
Dec 19, 2005

Orcs and Ostriches posted:

While we're on printer deployment, we currently deploy printers through group policy preferences. However, most of our computers are shared (student) machines, so have dozens, if not more, profiles. Works fine, except during initial log in when the system downloads and installs the printer drivers. This is done over a moderately slow WAN link, plus the computers themselves are pieces of poo poo.

Since each student gets the same shared printers, we thought that the very first install should get the drivers stored and installed somewhere. It takes 5 minutes sometimes, but whatever, it's the initial install. But instead, what we see is every single person downloads and installs the drivers during logon, for the same identical printer each time, meaning logon times suck poo poo. During subsequent logons, it's a very brief process.

Anyone know how to deal with this?

You could set up shared printers on the server and deploy them to the computers but with the security settings as 'deny' to all the students. This should install the printers w/ drivers as the computer boots (I'm assuming) but then once a student logs in they'll be hidden. Then if your GPP printers are pointed directly to the printer or are pointed to a different shared printer (which could just be pointed to the same eventual printer) then they should work normally.

HalloKitty
Sep 30, 2005

Adjust the bass and let the Alpine blast

hihifellow posted:

Failure code says it's a login failure, sounds like the scheduled task is trying to use an account that either doesn't exist or doesn't have the password to. Did you just leave it blank or are you trying to use a domain account?

Since your clients are Windows 7, you can use a Win7 scheduled task and set the account to the NT AUTHORITY\system account and it'll be able to do everything it needs to.

I did set it as NT AUTHORITY\System, after searching yielded it was potentially a login issue.

Oh well, I'll keep having a look at it.

Clanpot Shake
Aug 10, 2006
shake shake!

Is there a general infrastructure thread? I looked through SH/SC and Cobol and didn't see one but I might have missed it. I've got some questions about an infrastructure automation framework called Chef and the company that makes it only has an IRC channel to ask questions in. I figured you sys admin types might know if such a thread existed.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
The Linux questions thread is probably the best place to ask Chef questions, assuming you're managing Linux machines with Chef.

Clanpot Shake
Aug 10, 2006
shake shake!

FISHMANPET posted:

The Linux questions thread is probably the best place to ask Chef questions, assuming you're managing Linux machines with Chef.

I'm not, but for my specific question it shouldn't make too much of a difference. Do they talk about Chef there?

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Chef is commonly used to manage Linux machines and some people there use it. What are you managing if not Linux machines? I'd imagine if it's windows, something from the System Center suite would suit your needs better.

Docjowles
Apr 9, 2009

There was briefly a thread for config management/automation but it died off and got archived :( That stuff is like 90% of my day job so I'm always happy to talk about it, unfortunately I have no Chef experience. Just Puppet and now SaltStack.

Clanpot Shake
Aug 10, 2006
shake shake!

My company decided on Chef. We're currently a Windows shop, but we're migrating to Linux to save money. The initial go of using Chef will be 5-600 servers running Windows Server 2008. I've been getting us up to speed for the past few months and my question is fairly specific, but I'll give the Linux thread a go. Thanks.

Mindisgone
May 18, 2011

Yeah, well you know...
That's just like, your opinion man.
Quick question for the Goon GPO masters. Is it best practice to have one GPO with all settings necessary to the group of PCs to which it is being applied, or should each and every GPO setting have its own GPO? Maybe a combination of the 2?

Orcs and Ostriches
Aug 26, 2010


The Great Twist
I use a combination. There are settings that 90+% of everyone uses, so they share a couple of large, generic GPOs. For other more specific needs, I break them into smaller policies.

As an example, a typical student will have the All Students policy, which covers things like removing access to the control panel, local drives, the command prompt, etc.
Students at a specific school have their school-related policies in a large GPO, to deal with folder and home dir redirection, printer mapping, etc. This policy is shared with administrators, teachers and other staff at the school as well.

I have a couple smaller things, like a software restriction policy, and access to changing keyboard locale settings. Both of these have their own policy, and they are applied as need be.

Thanks Ants
May 21, 2004

#essereFerrari


I tend to have each GPO achieving a 'thing' - so if I want to set the power policy on my desktops then all the various settings are one GPO. This makes it easy to toggle on and off since you aren't going to change anything else when you do that, and it's a lot easier than having to remember that 5 GPOs together achieve one objective.

evil_bunnY
Apr 2, 2003

You build GPO's with groups of settings that belong together, for whatever reason.

Caged posted:

I tend to have each GPO achieving a 'thing' - so if I want to set the power policy on my desktops then all the various settings are one GPO. This makes it easy to toggle on and off since you aren't going to change anything else when you do that, and it's a lot easier than having to remember that 5 GPOs together achieve one objective.

The problem with this approach is that you end up with literally hundreds of GPO's, and processing will take forever.

americanzero4128
Jul 20, 2009
Grimey Drawer
I might have one GPO that applies to Domain Workstations, which is your basic stuff that is applied to all workstations. Inside that, I'll have another policy that applies settings to Programmer Workstations because I only need those applied to that specific OU. The majority of my stuff is in larger GPOs. However, if I'm testing a new change (test environment, hah, what's that, live on the edge do it live) I will create a new GPO for that change, test it in my Sandbox OU which is a few test workstations, and if that works, then I link that GPO to what it needs to go to. If it's only temporary - for example, disabling Flash inside IE like we have right now, I'll keep that as a separate GPO so I can unlink it when I don't need it any longer. If it's permanent, then I'll edit whatever top level GPO it needs to go in and add it there.

So to answer your question, a bit of both.

madsushi
Apr 19, 2009

Baller.
#essereFerrari
Managing GPO sprawl is definitely a balancing act.

You want some atomicity, so that you can disable/enable GPOs on a granular basis. This is useful for testing, implementing new GPOs, and getting fine-grained control.

You also want some batching, so that you're not taking forever to process your GPOs and not having to manage hundreds of objects.

What I've seen work well is a large GPO that contains proven/tested settings that are unlikely to change. So you roll up most of your GPOs into one big GPO. Then just use smaller GPOs for stuff you're touching all the time, new GPOs (which might get rolled into the big GPO later), etc.

evil_bunnY
Apr 2, 2003

Lord save you if you test in production for complex changes, but the way to test is to copy whatever you have and make changes. When you want to implement, link the copy. Boom.

Mindisgone
May 18, 2011

Yeah, well you know...
That's just like, your opinion man.
Excellent insight everyone, thank you. My firm is not segregated into departments for IT purposes. In a way this makes sense for us because someone in, let's say, the tax department at some point will be doing audit work and vice versa. We are not large enough for the employees to completely specialize, so everyone wears all hats and needs access to all software. My main concern was dumping every setting I need into the default domain policy GPO being applied to all of the workstations in the firm and having it take forever to process. Although from what I am hearing it actually takes longer to process if they are sprawled out into multiple GPO's, so there you have it, my question is answered.

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from
If GPO processing time worries you, the event log will time GPO processing in milliseconds by subsection: preference application, drive mapping, etc. From there you can turn on auditing per section by policy and see what exactly takes how much time. Was very useful in determining why logins were taking almost 4 to 5 minutes for some users after a DC was retired (a Linux Samba server was looking at the retired DC for LDAP and hadn't been switched to a new DC).

Serfer
Mar 10, 2003

The piss tape is real



americanzero4128 posted:

If it's only temporary - for example, disabling Flash inside IE like we have right now, I'll keep that as a separate GPO so I can unlink it when I don't need it any longer.

Which method did you go for on this? Block the add-on via CLSID or a software restriction?

Armourking
Dec 16, 2004

Step off!
Step off!


I'm a big fan of Advanced Group Policy Management (AGPM) for being able to roll back / track changes. It's quite neat

evil_bunnY
Apr 2, 2003

hihifellow posted:

If GPO processing time worries you, the event log will time GPO processing in milliseconds by subsection

I really should have put that in the original post, thanks.

Docjowles
Apr 9, 2009

Is GPO processing time a serious thing? Just curious since I've never worked anywhere large enough to potentially need hundreds or thousands of GPO's. But I do remember the books I was studying saying "yes in theory more GPO's will slow things down. In practice you'd need to have like 5000 of them for it to matter since each one only takes a couple ms usually." Wondering if anyone's seen total GPO count actually impact perf in the real world.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy

Docjowles posted:

Is GPO processing time a serious thing? Just curious since I've never worked anywhere large enough to potentially need hundreds or thousands of GPO's. But I do remember the books I was studying saying "yes in theory more GPO's will slow things down. In practice you'd need to have like 5000 of them for it to matter since each one only takes a couple ms usually." Wondering if anyone's seen total GPO count actually impact perf in the real world.

I don't think it slows anything on my network, and I have a GPO with like 100+ hashes stored in it for a software whitelist.

Wizard of the Deep
Sep 25, 2005

Another productive workday

Docjowles posted:

Is GPO processing time a serious thing? Just curious since I've never worked anywhere large enough to potentially need hundreds or thousands of GPO's. But I do remember the books I was studying saying "yes in theory more GPO's will slow things down. In practice you'd need to have like 5000 of them for it to matter since each one only takes a couple ms usually." Wondering if anyone's seen total GPO count actually impact perf in the real world.

GPO processing time can be an issue, but it's more a factor of item-level targeting and WMI filters. There was a blog post a year or so ago, and I think I linked it earlier in this thread. For simple GPOs, yea, I can't imagine a couple dozen would be a huge issue.

Organization-wise, I just group like settings. Network drives everyone gets are one GPO, drives based on groups/location are another. Printers are one GPO by office location. We have a relatively-sane OU AD structure, and GPOs are linked to the highest-level OU.

evil_bunnY
Apr 2, 2003

From what I remember what really kills GPO processing is group-based and WMI filtering. And I've always encountered the weird loving random setting here and there when diagnosing slow startup.

americanzero4128
Jul 20, 2009
Grimey Drawer

Serfer posted:

Which method did you go for on this? Block the add-on via CLSID or a software restriction?

I'll double check tomorrow when I'm back at work since I was off today, but I am pretty sure I blocked the add-on by CLSSID. I can post the steps I took to do this tomorrow as well.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy
Oh yeah, I finally started introducing some Win 7 32-bit workstations to our environment. Unfortunately all our servers are 2003 and I noticed that our GPO bookmarks and homepage in the Internet Explorer Maintenance section don't get added to Win 7. I worked around it by making a script that copies all the bookmark files into %USERPROFILE%\Favorites, but what should I do about setting the homepage? Don't say Group Policy Preferences, I don't have any 2008+ servers and I'm so not in the mood for running it from a workstation.

Also, half my scripted printers magically mapped correctly on the Win7 machine (using apparently the XP 32-bit drivers), and half didn't. I examined it and, sometimes with two printers of the same model and driver, only one would map and the other would give error x0000007e with no additional information in the Event Log. Any ideas?

thebigcow
Jan 3, 2001

Bully!
You can use the Internet Explorer Administration Toolkit to configure whatever version of IE is on those machines, but it's meant to be a one-time shot rather than an ongoing management tool.

Inspector_666
Oct 7, 2003

benny with the good hair

thebigcow posted:

You can use the Internet Explorer Administration Toolkit to configure whatever version of IE is on those machines, but it's meant to be a one-time shot rather than an ongoing management tool.

We tried to use that to manage content whitelists for people at my old job and yeah, using it to try and deploy ongoing changes to IE is not worth it.

americanzero4128
Jul 20, 2009
Grimey Drawer

americanzero4128 posted:

I'll double check tomorrow when I'm back at work since I was off today, but I am pretty sure I blocked the add-on by CLSSID. I can post the steps I took to do this tomorrow as well.

Yeah, I did block it by CLSID. This TechNet post is what I did to disable it.

http://social.technet.microsoft.com/wiki/contents/articles/11406.how-to-disable-internet-explorer-ie-add-ons-through-group-policy.aspx

I did this through Computer Configuration, and not User Configuration, but it shouldn't make a difference.

Space Duck
Oct 15, 2003
This might not be the right thread for this question, but the Windows admins I'm working with seem convinced that we're running into a GPO issue with permissions, so I'll roll with it.

My workplace is unifying host and service monitoring, and has settled on Zenoss since it works quite well with the bulk of our infrastructure, which is RHEL and ESX VMs.

Anyway, Zenoss attempts to get performance metrics and system info over a combination of WinRM and WinRS. After getting the Kerberos authentication set up against our AD domain, we're not able to get full device monitoring unless the Windows admin gives full administrative access to the username that's been set up for monitoring systems. That doesn't sound quite right to me, but I'm not a Windows server admin. The idea of needing full admin rights to run SELECT * from Win32_Service seems weird.

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from
WinRM doesn't allow access unless the account is a member of the target computer's administrator group. WinRS is an extension of WinRM, so you can't do one without the other.

Spudalicious
Dec 24, 2003

I <3 Alton Brown.
This isn't a group policy question, but it's a domain question so I guess it can go here, if it belongs elsewhere please let me know -

So we have a 2008 domain that's hosting exchange, a fileserver, and a few other servers. It is primarily email as of right now, but we're looking to start joining up our myriad environment to the domain to provide centralized services. Right now our domain is a domainname.local, which is no good. I've never really tried changing a domain name from .local to our actual .edu domain name and I was hoping someone had done a name switch like that and could offer some advice. What are the gotchas that we should look out for? Will our exchange environment be affected?

I'm primarily worried because of a note on this site: http://social.technet.microsoft.com/wiki/contents/articles/1347.renaming-a-windows-server-2008-active-directory-domain-dsforum2wiki.aspx

"The domain rename operation is not supported in Microsoft Exchange Server 2007 or Exchange Server 2010. DNS domain rename is supported in Exchange Server 2003. However, renaming of the NetBIOS domain name is not supported in any version of Exchange Server. Other non-Microsoft applications might also not support domain rename."

I'm curious if not supported means it will still kinda work, or if we need to do a shitload of work to recreate the exchange environment.

Thanks!

alanthecat
Dec 19, 2005

People (in this and the Enterprise thread) say don't use the same AD domain name as your real one, but I've never understood why. I use company.tld and the only change I've had to make is a DNS entry for www so the website can be accessed internally. Admittedly, the networks I've run have been nice and straightforward. I've done two successful domain renames too. Read the docs, reboot everything twice was the gist.

Thanks Ants
May 21, 2004

#essereFerrari


alanthecat posted:

People (in this and the Enterprise thread) say don't use the same AD domain name as your real one, but I've never understood why. I use company.tld and the only change I've had to make is a DNS entry for www so the website can be accessed internally.

It's because you have to do that for every service - mail.domain.com, sip.domain.com, etc. It's a lot easier to have your AD domain use ad.domain.com and not have to worry about adding DNS records in multiple places.

Yaos
Feb 22, 2003

She is a cat of significant gravy.
I've got a question about mapping drives with group policy. A few people have had trouble with long logon times. On the one I looked at it took 98 seconds to map their drives (I think it was only 3 or 4 drives), I've not looked at any others (since nobody ever tells us when it happens) but I would not be surprised if that was the case. Sometimes the logon time is normal. At this particular site the DC is also the file server since it's a small site. We are not using DFS shares to map the drives, just regular shared drives pointing to the local server name. What should we look into to figure out why this is happening?

Yaos fucked around with this message at 04:02 on Jun 5, 2014
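hihifellow's tip a few posts up (the event log times each Group Policy subsection in milliseconds) is the first thing to look at for the 98-second drive mapping Yaos describes. The script below is an added example, written for this thread and not taken from any poster or product; it reads the local Group Policy operational log and ranks client-side extensions by processing time. It assumes the log name 'Microsoft-Windows-GroupPolicy/Operational', event ID 5016 for a completed extension pass whose message reads "Completed <name> Extension Processing in <N> milliseconds", 7016 for the same pass ending in an error, and 8001 for the total user logon processing time in seconds; confirm those IDs in Event Viewer on your own build before relying on them.

```powershell
# Added example, not from the thread. Summarises per-extension Group Policy
# processing time on the local machine from the GroupPolicy operational log.
# Assumed (verify in Event Viewer): the log name, the 5016/7016 message format,
# and event 8001 carrying the total user logon processing time.

$log = 'Microsoft-Windows-GroupPolicy/Operational'

# Per-extension completion events (7016 is the variant that ended in an error).
$cseEvents = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5016, 7016 } `
                          -MaxEvents 2000 -ErrorAction Stop

$timings = foreach ($e in $cseEvents) {
    # Parse the message text instead of Properties[], whose layout varies by build.
    if ($e.Message -match 'Completed (?<cse>.+?) Extension Processing in (?<ms>\d+) milliseconds') {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            ActivityId = $e.ActivityId      # one id per processing pass (boot, logon, refresh)
            Extension  = $Matches['cse']
            Ms         = [int]$Matches['ms']
            Failed     = ($e.Id -eq 7016)
        }
    }
}

# Slowest extensions first. A slow "Group Policy Drive Maps" line here points at
# the drive-mapping preference items themselves rather than at GPO count.
$timings |
    Group-Object -Property Extension |
    ForEach-Object {
        $ms = $_.Group | Measure-Object -Property Ms -Maximum -Average
        [pscustomobject]@{
            Extension = $_.Name
            Runs      = $_.Count
            MaxMs     = $ms.Maximum
            AvgMs     = [math]::Round($ms.Average)
            Failures  = @($_.Group | Where-Object { $_.Failed }).Count
        }
    } |
    Sort-Object -Property MaxMs -Descending |
    Format-Table -AutoSize

# Whole-logon totals, to see whether the slow extension accounts for the delay.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8001 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'in (?<sec>\d+) seconds') {
            [pscustomobject]@{ Time = $_.TimeCreated; LogonProcessingSeconds = [int]$Matches['sec'] }
        }
    } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the affected workstation right after a slow logon. The operational log only exists on Vista/2008 and later clients, so it will not help on the XP machines mentioned earlier in the thread; on those, gpsvc debug logging is the fallback.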

Armourking
Dec 16, 2004

Step off!
Step off!


Spudalicious posted:

This isn't a group policy question, but it's a domain question so I guess it can go here, if it belongs elsewhere please let me know -

So we have a 2008 domain that's hosting exchange, a fileserver, and a few other servers. It is primarily email as of right now, but we're looking to start joining up our myriad environment to the domain to provide centralized services. Right now our domain is a domainname.local, which is no good. I've never really tried changing a domain name from .local to our actual .edu domain name and I was hoping someone had done a name switch like that and could offer some advice. What are the gotchas that we should look out for? Will our exchange environment be affected?

I'm primarily worried because of a note on this site: http://social.technet.microsoft.com/wiki/contents/articles/1347.renaming-a-windows-server-2008-active-directory-domain-dsforum2wiki.aspx

"The domain rename operation is not supported in Microsoft Exchange Server 2007 or Exchange Server 2010. DNS domain rename is supported in Exchange Server 2003. However, renaming of the NetBIOS domain name is not supported in any version of Exchange Server. Other non-Microsoft applications might also not support domain rename."

I'm curious if not supported means it will still kinda work, or if we need to do a shitload of work to recreate the exchange environment.

Thanks!

I don't know how things have improved over the last four years, but a domain change is a nightmare box filled with snakes. If you're small, it's 100% easier to stand up a new domain fresh.

evil_bunnY
Apr 2, 2003

Spudalicious posted:

So we have a 2008 domain that's hosting exchange, a fileserver, and a few other servers. It is primarily email as of right now, but we're looking to start joining up our myriad environment to the domain to provide centralized services. Right now our domain is a domainname.local, which is no good. I've never really tried changing a domain name from .local to our actual .edu domain name and I was hoping someone had done a name switch like that and could offer some advice.

Name it to a subdomain of your edu (like shitstinks.whatevs.edu) and start from scratch.

Judge Schnoopy
Nov 2, 2005

dont even TRY it, pal
How does GPO process and/or logic?

I need to apply a printer to all but two users. I can't take the two users out of the group they're in and I don't want a new group for everybody but them. I'm using item level targeting, but I don't trust GPO to process logic as I would expect it to.

If I do: create printer if not user A AND if not user B
Do I get: p = ~A ^ ~B,
Or is it: p = ~(A ^ B)

If GPO groups both "not" cases together, the second result, I'll get the printer every time unless I change the logic to "OR".

Or is there a better way to do this that I'm just missing altogether?
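Before trusting the targeting editor with either reading, it is worth tabulating both with the question's own symbols. The script below is an added example (mine, not from the thread or from Microsoft): it evaluates p for every A/B combination under each reading, and adds a small function that mimics a list of "is not user X" items joined with AND so the outcome can be checked for named users. The user names alice, bob and carol are made up.

```powershell
# Added example, not from the thread: evaluates the two readings of
# "create printer if NOT user A AND NOT user B" before relying on item-level
# targeting. The sample user names are constructed.

function Get-TargetingTruthTable {
    # Enumerate every combination of "current user is A" / "current user is B".
    foreach ($isA in $false, $true) {
        foreach ($isB in $false, $true) {
            [pscustomobject]@{
                IsUserA        = $isA
                IsUserB        = $isB
                'p = ~A ^ ~B'  = (-not $isA) -and (-not $isB)   # NOT A AND NOT B, item by item
                'p = ~(A ^ B)' = -not ($isA -and $isB)          # one NOT wrapped around (A AND B)
                'p = ~(A v B)' = -not ($isA -or $isB)           # De Morgan: same column as ~A ^ ~B
            }
        }
    }
}

function Test-PrinterTarget {
    # Mirrors a targeting item list: each entry is an "is not <user>" item,
    # and the items are joined with AND, as in the first reading above.
    param(
        [Parameter(Mandatory)] [string]$UserName,
        [Parameter(Mandatory)] [string[]]$ExcludedUsers
    )
    foreach ($excluded in $ExcludedUsers) {
        # The AND chain fails as soon as one excluded user matches.
        if ($UserName -ieq $excluded) { return $false }
    }
    return $true
}

Get-TargetingTruthTable | Format-Table -AutoSize

# Constructed sample: alice and bob are the two users who must not get the printer.
foreach ($u in 'alice', 'bob', 'carol') {
    '{0,-6} gets printer: {1}' -f $u, (Test-PrinterTarget -UserName $u -ExcludedUsers 'alice', 'bob')
}
```

The table makes the difference between the two readings visible in the rows where exactly one of A or B is true, which are the only rows that matter for the two excluded users.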

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Just add a Deny permission under Security filtering for the GPO. Either make another group for these two users or just explicitly give them each a deny permission.

Wizard of the Deep
Sep 25, 2005

Another productive workday

Judge Schnoopy posted:

How does GPO process and/or logic?

I need to apply a printer to all but two users. I can't take the two users out of the group they're in and I don't want a new group for everybody but them. I'm using item level targeting, but I don't trust GPO to process logic as I would expect it to.

If I do: create printer if not user A AND if not user B
Do I get: p = ~A ^ ~B,
Or is it: p = ~(A ^ B)

If GPO groups both "not" cases together, the second result, I'll get the printer every time unless I change the logic to "OR".

Or is there a better way to do this that I'm just missing altogether?

You need an OR there. Using AND, it will check to see if the user is both User A and User B, which I can't imagine ever actually happening. GPOs will process each exception individually.

Honestly, I'd just set up a separate group called "Finance Printer Distro" or whatever, and just put the people that need it in there. That way, if three months down the line, someone else needs to be able to print there, you just add them to the existing group, and they wouldn't get any extra permissions to, say, sensitive file shares. You won't see any serious slowdowns (under normal conditions) for adding another group or two, or building out separate GPOs.
