CLAM DOWN
Feb 13, 2007




nescience posted:

doh.

What would be the server equivalent edition to Win7? 2008 R2?

Windows 7 and 2008 R2 have the same kernel version (6.7.7601).


FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
XP = 2003
Vista = 2008
7 = 2008 R2
8 = 2012
8.1 = 2012 R2

some kinda jackal
Feb 25, 2003

 
 

Thalagyrt posted:

Why not spin up a few VMs and play around with it in a lab environment to get a feel for it? AD CS isn't really that scary. There are definitely some best practices for doing it securely, though. It's recommended that your production root CA be offline and only be used to sign intermediate CAs, which you run online and then use to sign end user certificates.

Yeah, this is what I'll end up doing in the long run, I've just got a hundred other things on my plate... I figured I could knock this out with a trusted cert from a known CA :)
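An added example, not from either poster, for checking the tiering Thalagyrt describes on certificates you already have: it walks a certificate's chain and flags any leaf that was signed directly by a self-signed root (single-tier PKI) rather than by an online issuing CA under an offline root. It assumes the certificates sit in the local machine's personal store; the function name and the store path in the usage line are mine.

```powershell
# Added example (not from the thread): report how many CA tiers sit above a
# certificate, so a leaf issued straight from a root CA stands out.
function Get-CaTiering {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Chain building only; revocation checking is left off so this also works
    # in a lab with no CRL distribution point reachable.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($Certificate)

    # ChainElements runs from the leaf (index 0) up to the trust anchor.
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $tiers = $elements.Count - 1          # CA certificates above the leaf

    New-Object PSObject -Property @{
        Subject      = $Certificate.Subject
        CaTiers      = $tiers
        IssuedByRoot = ($tiers -eq 1)     # leaf signed directly by the self-signed root
        Chain        = (($elements | ForEach-Object { $_.Subject }) -join ' <- ')
        Status       = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# Usage: every certificate in the local machine's personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Get-CaTiering -Certificate $_ } |
    Format-Table Subject, CaTiers, IssuedByRoot, Status -AutoSize
```

`IssuedByRoot` true on a certificate issued by your own AD CS means the root is signing end-entity certificates itself, which is the thing the offline-root design avoids; a two-tier setup shows `CaTiers` of 2.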

Demie
Apr 2, 2004

Dr. Video Games 0089 posted:

My office is trying to implement a new server. They contacted a local IT company and they provided us a quote for buying hardware, software, and installation. The boss isn't too technology focused and I'm only a little better at it than he is.

It's worth it if they're really accountable for their work, or if it's a consultant that you know is good. If not, scrap it. There's dozens of ways you could gently caress up an enterprise windows install, and I've worked with enough newbie consultants to know. The software stuff is what's really important.

If it was me, I'd just hire a known good consultant to set up your OS / AD and buy whatever they tell you to buy.

Spazz
Nov 17, 2005

Here's a really weird situation, and I'll do my best to convey it via text. SP2010, unknown functional level -- I'll have that soon.

User logs in to their PC using their normal domain account 'jdoe'. User opens up IE and goes to sharepoint site. In this site, they have site collection admin privileges.

User chooses to 'Sign in as a different user' and logs in as 'jtest', which is a read-only account. In the top-right corner it correctly shows this account, however, any actions they perform are at the permission level of the 'jdoe' account. So they can delete, add, edit all documents.

If they log off the PC and log in as 'jtest', then go to the SP site as 'jtest', they have the correct read-only permissions level. If they log in as 'jdoe' while 'jtest' is logged in on the PC, they stay at the read-only permission level.


Any ideas? Their IT guy said it might be because they sync AD with SP since they intend on using the site with things other than our product.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

IE passes login rights through to sharepoint. I bet if he tried that with firefox it would just work.

Spazz
Nov 17, 2005

GreenNight posted:

IE passes login rights through to sharepoint. I bet if he tried that with firefox it would just work.

That's what I was thinking as well, unfortunately FF/Chrome is not an option. Neither of them play very nicely with Sharepoint and our application that's built on it. I'm just trying to see what we can change to remove this behavior.

vanity slug
Jul 20, 2010

What kind of authentication are you using? NTLM or Kerberos?

Spazz
Nov 17, 2005

Jeoh posted:

What kind of authentication are you using? NTLM or Kerberos?

Fairly certain it's NTLM. VPN requests were given a strong "No," so I'll have to wait until Monday to confirm.
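An added example, not from any poster here, that answers Jeoh's question from the server's own Security log instead of guessing: it reads logon event 4624 on the SharePoint web front end and groups the network logons by authentication package and account, so you can see whether 'jtest' ever reached the server with NTLM or Kerberos, or whether IE only ever presented 'jdoe'. The function name, the server name and the account filter in the usage line are placeholders.

```powershell
# Added example (not from the thread): summarise Kerberos vs NTLM from
# Security event 4624 on a server.
function Get-LogonPackageSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 2000,
        [string]$UserFilter = '*'          # e.g. 'jtest' to follow one account
    )
    $events = Get-WinEvent -ComputerName $ComputerName `
                           -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                           -MaxEvents $MaxEvents -ErrorAction Stop

    $logons = foreach ($e in $events) {
        # The named fields live in the event's XML payload, not the message text.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            User        = $data['TargetUserName']
            LogonType   = $data['LogonType']                 # 3 = network, what IIS sees from a browser
            Package     = $data['AuthenticationPackageName'] # 'Kerberos' or 'NTLM' ('Negotiate' for some local logons)
            Workstation = $data['WorkstationName']
        }
    }

    $logons |
        Where-Object { $_.LogonType -eq '3' -and $_.User -like $UserFilter } |
        Group-Object Package, User |
        Select-Object Count, Name |
        Sort-Object Count -Descending
}

# Usage: which package did the 'j*' accounts use against this front end?
Get-LogonPackageSummary -ComputerName 'SP-WFE01' -UserFilter 'j*' | Format-Table -AutoSize
```

Reading the Security log remotely needs the Event Log Readers right on the target; running it locally on the front end avoids that. If the only rows for 'jtest' are from the PC where 'jtest' was logged on interactively, the browser never sent the second account's credentials at all, which is the symptom described above.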

some kinda jackal
Feb 25, 2003

 
 
Let's talk about DFS for high-availability of a network share.

Just how chatty is Windows in a DFS environment? I'd like to tune for a sub-30 second failover. I gather that means that machines will be querying for namespace referrals every 30 seconds.

My target site would be, let's say 30 desktops, 7 DFS shared folders in total. Network is gigabit and generally not terribly congested at the moment. Is there any way to estimate the additional network traffic that I'll throw on the lan before I start cranking the cache duration down to 30 seconds?

I guess theoretically I could just do it and see, but I typically dislike that approach :(

Macintyre
May 6, 2006
Slow Rider
We are finally getting rid of our old Microsoft TMG2010 server in my office. However one thing that it did do was decently monitor what Active Directory user accounts were going to which websites, taking metrics on web traffic, etc.

Anyone have a recommended solution for a replacement of those features?

-Must show web history based on AD accounts
-Must give basic website traffic info, which sites are being hit, how much % of time, etc.

Silly Newbie
Jul 25, 2007
How do I?
We ran into a weird one last week that we're still fighting with.
Server 2012 Hyper-V box. Has a single guest, a server 2008 VM that was created from a physical install via disk2vhd. Everything works great except the networking.
Host can get out to the internet, talks to everything just fine.
Guest can be connected to, but cannot talk out. It has proper network info, can ping other internal devices and the gateway with no problem, but can't get out. DNS (internal DNS server) resolves fine as well. It just never gets past the gateway.
It's on a virtual switch configured as external along with the host, has the correct virtualized drivers to share the host nic, etc.
Anyone ever seen anything like this?

CLAM DOWN
Feb 13, 2007




Martytoof posted:

Let's talk about DFS for high-availability of a network share.

Just how chatty is Windows in a DFS environment? I'd like to tune for a sub-30 second failover. I gather that means that machines will be querying for namespace referrals every 30 seconds.

My target site would be, let's say 30 desktops, 7 DFS shared folders in total. Network is gigabit and generally not terribly congested at the moment. Is there any way to estimate the additional network traffic that I'll throw on the lan before I start cranking the cache duration down to 30 seconds?

I guess theoretically I could just do it and see, but I typically dislike that approach :(

Trying to understand what part of DFS you're looking at network traffic for, the namespace queries alone or DFSR? DFSR is pretty efficient and replicates changed blocks, and you can set schedules and throttles on each replication group. Namespace queries are all done via the nearest domain controller using AD site cost, there's a whole referral ordering system in the namespace too.

I'm the DFS/file server admin here so I'm definitely interested in helping you and taking a look at this!

Zaepho
Oct 31, 2013

Silly Newbie posted:

We ran into a weird one last week that we're still fighting with.
Server 2012 Hyper-V box. Has a single guest, a server 2008 VM that was created from a physical install via disk2vhd. Everything works great except the networking.
Host can get out to the internet, talks to everything just fine.
Guest can be connected to, but cannot talk out. It has proper network info, can ping other internal devices and the gateway with no problem, but can't get out. DNS (internal DNS server) resolves fine as well. It just never gets past the gateway.
It's on a virtual switch configured as external along with the host, has the correct virtualized drivers to share the host nic, etc.
Anyone ever seen anything like this?

This is an incredibly bad one, but is the Subnet mask set correctly? It really seems like you're getting traffic out (and I would guess even out beyond your local subnet) but not receiving it back when you go outside your local subnet.

Check your overall IP settings on the box just to make sure it all lines up properly. You can also look at the Routing Table (route print) to see if everything looks good there.

Silly Newbie
Jul 25, 2007
How do I?

Zaepho posted:

This is an incredibly bad one, but is the Subnet mask set correctly? It really seems like you're getting traffic out (and I would guess even out beyond your local subnet) but not receiving it back when you go outside your local subnet.

Check your overall IP settings on the box just to make sure it all lines up properly. You can also look at the Routing Table (route print) to see if everything looks good there.

The subnet mask is correct. We did previously have an issue with multiple static routes showing up, so we blew out the route to the gateway and recreated it. It shows fine now, but still will not ping out or tracert to, for example, 8.8.8.8. This site runs a Cisco ASA, and I can see the traffic move through the gateway, but nothing ever comes back.
We also have another site connected to this one via an ipsec vpn tunnel. Thin clients and computers at that site can RDP into this server and pass traffic to/from it with no problem at all over the tunnel.
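An added example, not from either poster, that bundles the checks Zaepho suggested (mask, gateway, routing table, reachability) into one script the guest can run; it uses WMI only so it works on the Server 2008 guest as well as newer releases. The external address is the one from Silly Newbie's post; the function name is mine.

```powershell
# Added example (not from the thread): guest-side egress sanity check.
function Test-GuestEgress {
    param([string]$ExternalHost = '8.8.8.8')

    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }

    # 1. Address / mask / gateway consistency: the gateway has to fall inside
    #    the adapter's own subnet, otherwise the mask or the gateway is wrong.
    $addrReport = foreach ($n in $nics) {
        for ($i = 0; $i -lt @($n.IPAddress).Count; $i++) {
            if ($n.IPAddress[$i] -notmatch '^\d+\.\d+\.\d+\.\d+$') { continue }   # IPv4 only
            $ip   = [IPAddress]$n.IPAddress[$i]
            $mask = [IPAddress]$n.IPSubnet[$i]
            foreach ($gw in @($n.DefaultIPGateway)) {
                if (-not $gw) { continue }
                $g = [IPAddress]$gw
                New-Object PSObject -Property @{
                    Adapter      = $n.Description
                    IP           = $ip.IPAddressToString
                    Mask         = $mask.IPAddressToString
                    Gateway      = $g.IPAddressToString
                    GatewayOnNet = (($ip.Address -band $mask.Address) -eq ($g.Address -band $mask.Address))
                }
            }
        }
    }
    $addrReport | Format-Table Adapter, IP, Mask, Gateway, GatewayOnNet -AutoSize | Out-Host

    # 2. Routing table: more than one 0.0.0.0 route is the "multiple static
    #    routes" condition; the lowest metric wins, which may not be the one you expect.
    $defaults = @(Get-WmiObject Win32_IP4RouteTable | Where-Object { $_.Destination -eq '0.0.0.0' })
    Write-Host ("Default routes found: {0}" -f $defaults.Count)
    $defaults | Format-Table Destination, Mask, NextHop, Metric1, InterfaceIndex -AutoSize | Out-Host

    # 3. Reachability: gateway answers but nothing beyond it does points at
    #    the gateway/firewall (NAT or ACL for this host) rather than the guest.
    foreach ($gw in ($addrReport | Select-Object -ExpandProperty Gateway -Unique)) {
        Write-Host ("Gateway {0} reachable: {1}" -f $gw, (Test-Connection -ComputerName $gw -Count 2 -Quiet))
    }
    Write-Host ("{0} reachable: {1}" -f $ExternalHost, (Test-Connection -ComputerName $ExternalHost -Count 2 -Quiet))
}

Test-GuestEgress
```

If section 1 and 2 come back clean and section 3 still shows the gateway answering while 8.8.8.8 does not, the guest is doing its part; the next thing to compare on the ASA is whether this VM's address (new after the disk2vhd move, if the MAC or IP changed) is covered by the same NAT and access rules as the old physical box.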

some kinda jackal
Feb 25, 2003

 
 

CLAM DOWN posted:

Trying to understand what part of DFS you're looking at network traffic for, the namespace queries alone or DFSR? DFSR is pretty efficient and replicates changed blocks, and you can set schedules and throttles on each replication group. Namespace queries are all done via the nearest domain controller using AD site cost, there's a whole referral ordering system in the namespace too.

I'm the DFS/file server admin here so I'm definitely interested in helping you and taking a look at this!

I think it's the namespace queries. Basically in my lab tests I was successfully able to bring up two file servers, create a \\mydomain.blah\shares\testshare, edit testfile.txt in that folder, bring the active DFS server down, then edit and save testfile.txt after it fails over to the second. My problem is that this failover took a good minute or so. I'd love to tune this down to sub-minute recovery, and everything I hear is that this will basically increase the namespace requests going out to the network from clients. I don't really know if it's significant or not for the number of clients I'm working with :)

CLAM DOWN
Feb 13, 2007




Martytoof posted:

I think it's the namespace queries. Basically in my lab tests I was successfully able to bring up two file servers, create a \\mydomain.blah\shares\testshare, edit testfile.txt in that folder, bring the active DFS server down, then edit and save testfile.txt after it fails over to the second. My problem is that this failover took a good minute or so. I'd love to tune this down to sub-minute recovery, and everything I hear is that this will basically increase the namespace requests going out to the network from clients. I don't really know if it's significant or not for the number of clients I'm working with :)

It will, but you want to make sure you have the namespace set to "Optimize for scalability" which means it will always poll the nearest DC rather than the PDC. I'm guessing you may have it set to "Optimize for consistency" which is the default. Once it's set to poll the nearest DC I don't think that should be a problem, having increased traffic, assuming you have a domain controller in each site. I haven't tried before what you're trying to do though, getting that interval down super low, I think I have it set to 5 minutes right now.
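An added example, not from either poster, showing the settings discussed in this exchange through the DFSN module (DFS Management tools on Server 2012 / Windows 8): read the root's mode and referral lifetimes, switch the root to scalability mode with a short TTL, and get an upper-bound estimate of the referral traffic for Martytoof's 30 clients and 7 folders. The namespace path is modelled on the lab path above; the function names and the 30-second TTL are mine.

```powershell
# Added example (not from the thread): DFS namespace referral settings.
Import-Module DFSN

$Namespace = '\\mydomain.blah\shares'    # modelled on the lab path in the post

function Show-NamespaceReferralSettings {
    param([string]$Path)
    # Flags lists the enabled root options (root scalability, site costing,
    # access-based enumeration, ...). Root referral TTL defaults to 300 s.
    Get-DfsnRoot -Path $Path | Select-Object Path, State, Flags, TimeToLiveSec
    # Each folder carries its own referral cache lifetime (default 1800 s).
    Get-DfsnFolder -Path "$Path\*" | Select-Object Path, State, TimeToLiveSec
}

function Set-FastFailoverReferrals {
    param([string]$Path, [int]$TtlSec = 30)
    # Root: "Optimize for scalability" (poll the nearest DC, not the PDC
    # emulator), site costing so clients prefer in-site targets, short TTL.
    Set-DfsnRoot -Path $Path -EnableRootScalability $true -EnableSiteCosting $true -TimeToLiveSec $TtlSec
    # Folders: same TTL, and fail back to the preferred target once it returns.
    Get-DfsnFolder -Path "$Path\*" | ForEach-Object {
        Set-DfsnFolder -Path $_.Path -TimeToLiveSec $TtlSec -EnableTargetFailback $true
    }
}

function Get-ReferralLoadEstimate {
    param([int]$Clients, [int]$Folders, [int]$TtlSec)
    # Upper bound: a client asks again only when its cached referral has
    # expired AND it touches the path again, so real traffic is lower.
    $perClientPerSec = ($Folders + 1) / $TtlSec        # folder referrals + the root referral
    New-Object PSObject -Property @{
        Clients             = $Clients
        ReferralsPerSecMax  = [math]::Round($Clients * $perClientPerSec, 2)
        ReferralsPerHourMax = [math]::Round($Clients * $perClientPerSec * 3600)
    }
}

Show-NamespaceReferralSettings -Path $Namespace
Get-ReferralLoadEstimate -Clients 30 -Folders 7 -TtlSec 30     # the numbers from the question
# Set-FastFailoverReferrals -Path $Namespace -TtlSec 30        # uncomment to apply
```

With those numbers the worst case is 8 referral requests per second across the site, each a small DC round trip, so the DC in each site matters more than the gigabit LAN. On a client, `dfsutil /pktinfo` shows the cached referrals and their remaining TTL, and `dfsutil /pktflush` clears them, which is the quickest way to watch the failover time change as you lower the TTL.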

BaseballPCHiker
Jan 16, 2006

So does anyone have much experience with WQL queries for SCCM? Trying to build device collections based on AD OU's. Here is my query:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemOUName = "XXX.LOCAL/XXX/ACCOUNTING/ACCOUNTING COMPUTERS"

Which kind of works. There are 18 computers in that AD group and this query gets 14 of them.

Zaepho
Oct 31, 2013

BaseballPCHiker posted:

So does anyone have much experience with WQL queries for SCCM? Trying to build device collections based on AD OU's. Here is my query:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemOUName = "XXX.LOCAL/XXX/ACCOUNTING/ACCOUNTING COMPUTERS"

Which kind of works. There are 18 computers in that AD group and this query gets 14 of them.

Check the other machines and see what they have for OU in resource explorer. It's possible they're missing or inaccurate.

Also check your limiting collection to verify you're not inadvertently limiting them out of the possible devices for the collection.
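An added example, not from either poster, that does the "check the other machines" step in one go: it runs the same WQL against the site server's SMS provider and compares the result with what AD says is in that OU, so the four missing computers fall out as a list to look up in Resource Explorer (and against the limiting collection). The site server, site code and OU distinguished name are placeholders in the shape of BaseballPCHiker's query; the function name is mine.

```powershell
# Added example (not from the thread): AD OU vs. SMS_R_System OU query.
Import-Module ActiveDirectory

$SiteServer = 'sccm01.xxx.local'                                  # placeholder
$SiteCode   = 'XXX'                                               # placeholder
$OuPath     = 'XXX.LOCAL/XXX/ACCOUNTING/ACCOUNTING COMPUTERS'     # canonical form ConfigMgr stores
$OuDn       = 'OU=Accounting Computers,OU=Accounting,OU=XXX,DC=XXX,DC=LOCAL'   # same OU, LDAP form

function Compare-OuToSccm {
    param([string]$SiteServer, [string]$SiteCode, [string]$OuPath, [string]$OuDn)

    # What ConfigMgr thinks is in the OU: same WQL as the collection rule.
    # SystemOUName is an array of every OU on the computer's path, so '='
    # against an OU also matches computers in its child OUs.
    $wql = "select Name, SystemOUName, Client from SMS_R_System where SystemOUName = '$OuPath'"
    $inSccm = Get-WmiObject -ComputerName $SiteServer -Namespace "root\SMS\site_$SiteCode" -Query $wql |
              Select-Object -ExpandProperty Name

    # What AD says is in the OU; Subtree mirrors the child-OU behaviour above.
    $inAd = Get-ADComputer -SearchBase $OuDn -SearchScope Subtree -Filter * |
            Select-Object -ExpandProperty Name

    # '<=' rows are in AD but not returned by the query: check their OU in
    # Resource Explorer (stale discovery data) and the limiting collection.
    Compare-Object -ReferenceObject @($inAd) -DifferenceObject @($inSccm) | ForEach-Object {
        New-Object PSObject -Property @{
            Computer = $_.InputObject
            Where    = $(if ($_.SideIndicator -eq '<=') { 'AD only (missing from SCCM query)' } else { 'SCCM only' })
        }
    }
}

Compare-OuToSccm -SiteServer $SiteServer -SiteCode $SiteCode -OuPath $OuPath -OuDn $OuDn |
    Format-Table Computer, Where -AutoSize
```

A computer that shows up as "AD only" but has the right OU in Resource Explorer is being excluded by the limiting collection, which is what turned out to be the case here; one with no or an old `SystemOUName` is waiting on AD System Discovery to run again.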

BaseballPCHiker
Jan 16, 2006

Zaepho posted:

Check the other machines and see what they have for OU in resource explorer. It's possible they're missing or inaccurate.

Also check your limiting collection to verify you're not inadvertently limiting them out of the possible devices for the collection.

It was indeed the limiting collection. Thanks for the tip. Reminds me that I still have a ton of work to do in cleaning out our AD site. Unfortunately legal wants me to put in a ticket for each individual system that I need to remove from AD. Ugh, lots of work ahead for me.

Moey
Oct 22, 2010

I LIKE TO MOVE IT

BaseballPCHiker posted:

Unfortunately legal wants me to put in a ticket for each individual system that I need to remove from AD. Ugh, lots of work ahead for me.

Dear lord, I cleaned up over 2000 old computer accounts here not too long ago. Good thing I didn't have to check with anyone.

Zaepho
Oct 31, 2013

BaseballPCHiker posted:

It was indeed the limiting collection. Thanks for the tip. Reminds me that I still have a ton of work to do in cleaning out our AD site. Unfortunately legal wants me to put in a ticket for each individual system that I need to remove from AD. Ugh, lots of work ahead for me.

Work with them to develop an operational process whereby a system does it automatically.

Typically in enterprise environments I see something along the lines of if a computer does not login or change its password in 60-90 days, it is disabled and moved to a DisabledComputers OU. 30-90 days later it is then removed from active directory.

If you could convince them to turn this into a standard policy you would have carte blanche to enforce it daily via automation without Change Control, or individual approvals or anything crazy like that.
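An added example, not from any poster here, of the two-stage process Zaepho describes (and the list BaseballPCHiker is already generating), written so it can run on a schedule once it is policy: stage one disables computers inactive for 90 days, stamps them and parks them in a DisabledComputers OU; stage two deletes anything that has sat there for another 60 days. The OU names, thresholds and function name are placeholders; it supports -WhatIf so the first runs can be shown to the people who have to approve it.

```powershell
# Added example (not from the thread): stale computer account lifecycle.
Import-Module ActiveDirectory

function Invoke-StaleComputerLifecycle {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SearchBase     = 'OU=Workstations,DC=corp,DC=example',        # placeholder
        [string]$DisabledOu     = 'OU=DisabledComputers,DC=corp,DC=example',   # placeholder
        [int]$DisableAfterDays  = 90,
        [int]$DeleteAfterDays   = 60
    )
    $stamp = 'Disabled by lifecycle script on '

    # Stage 1: no logon (lastLogonTimestamp) or password change for N days ->
    # disable, stamp the description with the date, move to the parking OU.
    $inactive = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($DisableAfterDays)) `
                                 -ComputersOnly -SearchBase $SearchBase |
                Where-Object { $_.Enabled }
    foreach ($c in $inactive) {
        if ($PSCmdlet.ShouldProcess($c.Name, "disable and move to $DisabledOu")) {
            Disable-ADAccount -Identity $c.DistinguishedName
            Set-ADComputer -Identity $c.DistinguishedName -Description ($stamp + (Get-Date -Format 'yyyy-MM-dd'))
            Move-ADObject -Identity $c.DistinguishedName -TargetPath $DisabledOu
        }
    }

    # Stage 2: parked for another M days -> delete. Only objects carrying our
    # stamp are touched, so anything disabled by hand for other reasons is left alone.
    $cutoff = (Get-Date).AddDays(-$DeleteAfterDays)
    Get-ADComputer -SearchBase $DisabledOu -Filter { Enabled -eq $false } -Properties Description |
        Where-Object { $_.Description -like "$stamp*" } |
        ForEach-Object {
            $parkedOn = [datetime]::ParseExact($_.Description.Substring($stamp.Length), 'yyyy-MM-dd', $null)
            if ($parkedOn -lt $cutoff -and $PSCmdlet.ShouldProcess($_.Name, 'delete from AD')) {
                # -Recursive also removes child objects (e.g. BitLocker recovery
                # information) that would otherwise block the delete.
                Remove-ADObject -Identity $_.DistinguishedName -Recursive -Confirm:$false
            }
        }
}

# Dry run first; drop -WhatIf once the process is approved.
Invoke-StaleComputerLifecycle -WhatIf
```

`Search-ADAccount -AccountInactive` relies on the lastLogonTimestamp attribute, which only exists at Windows Server 2003 domain functional level or higher, which is why this is not an option on a Windows 2000 level domain. The description stamp is the audit trail: anyone opening the object later can see when and why it was disabled, and the two dates give the auditors the retention window the regulatory frameworks ask about.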

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

We are not allowed to ever delete a user account from AD. Yes, it sucks.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

skipdogg posted:

We are not allowed to ever delete a user account from AD. Yes, it sucks.

What the gently caress? Do you have an OU titled "old employees" with thousands of user accounts?

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

GreenNight posted:

What the gently caress? Do you have an OU titled "old employees" with thousands of user accounts?

Pretty much, each geographic OU has an OU with disabled accounts in it.

code:
(Get-ADUser -f {enabled -eq $false}).count

12364

(Get-ADUser -f {enabled -eq $true}).count

3823

The reasoning I've heard is our Oracle employee info system cannot have a duplicate username or employee ID in it, so we just keep all AD user accounts ever created forever and ever and ever.

BaseballPCHiker
Jan 16, 2006

Zaepho posted:

Work with them to develop an operational process whereby a system does it automatically.

Typically in enterprise environments I see something along the lines of if a computer does not login or change its password in 60-90 days, it is disabled and moved to a DisabledComputers OU. 30-90 days later it is then removed from active directory.

If you could convince them to turn this into a standard policy you would have carte blanche to enforce it daily via automation without Change Control, or individual approvals or anything crazy like that.

Yeah I've got a powershell script that will give me a list of all computers that haven't logged onto the network in the last 60 days. Which I then gave to them, they still seem super paranoid about me making any changes. I'll try to talk them into letting me at least disable all of them and move them into a separate OU.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

AD Info is a pretty good free tool too. Gives a ton of reports, GUI based which can be exported.

Zaepho
Oct 31, 2013

BaseballPCHiker posted:

Yeah I've got a powershell script that will give me a list of all computers that haven't logged onto the network in the last 60 days. Which I then gave to them, they still seem super paranoid about me making any changes. I'll try to talk them into letting me at least disable all of them and move them into a separate OU.

Try to make them understand that Active accounts that are unused are a risk from a security and audit perspective. The audit/regulatory perspective is usually the best route to go.

I think most of the regulatory frameworks have some controls around proper onboarding and offboarding of both user and computer accounts.

Super Slash
Feb 20, 2006

You rang ?
Fantastic, this talk about Airwatch and MaaS360 is just what I'm looking for; though between them which is the most absolute simplest to remotely attach new phones to? Because the company I work for already has ALL of its phones in the wild (95% iPhones, the only control I have is setting up iCloud and Location services with setting the device name on new phones we get in), and the chances of me getting them back in house is almost nil.

MaaS360 looked neat in the sense that you can E-mail out a form for enrolling the phone, but I pretty much need something that a 5 year old could understand and not get scared of or gently caress up.

Additionally the MD wants some functionality to track/record phone calls from the devices. NSA eat your heart out, but are there actually apps or services which can easily pull this off?

Thanks Ants
May 21, 2004

#essereFerrari


MaaS360 can email out a URL that just straight up enrols the device if you want (the end user will still have to accept the enrolment). I think it can do it via SMS message as well if email isn't set up on the things.

I'd assume pretty much every other MDM can do the same. They are all identical in terms of features to a point because they all rely on the API hooks in the underlying OS. Some MDM systems will advertise extra features, which come from the installation of an agent app, but there is no real way to ensure that app is installed, other than by threatening to remote wipe the device unless the app is installed.

It's a growing market though, so expect iOS in particular to keep adding new features that actually make it manageable in each release.

Moey
Oct 22, 2010

I LIKE TO MOVE IT

BaseballPCHiker posted:

Yeah I've got a powershell script that will give me a list of all computers that haven't logged onto the network in the last 60 days. Which I then gave to them, they still seem super paranoid about me making any changes. I'll try to talk them into letting me at least disable all of them and move them into a separate OU.

When I started here I couldn't even do that, Windows 2000 functional level...

I ended up using something called "ADTidy" (pretty much just a GUI for powershell scripts) to search for old rear end computer accounts, then disable/move them in bulk.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

GPO question here. I'm creating a GPO to push out an ODBC connection. The ODBC connection is auto put in ODBC x64 and not x32. How do I specify that I want it in both? I don't see any setting for x32 ODBC in Group Policy.

Moey
Oct 22, 2010

I LIKE TO MOVE IT

GreenNight posted:

GPO question here. I'm creating a GPO to push out an ODBC connection. The ODBC connection is auto put in ODBC x64 and not x32. How do I specify that I want it in both? I don't see any setting for x32 ODBC in Group Policy.

Never had to do this before, but it looks like it is just a registry push.

http://www.explodingbraincells.com/2012/04/16/32-bit-odbc-system-dsn-on-64-bit-windows-using-group-policy-client-preferences/
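An added example, not from either poster or the linked article, showing what the registry push has to reproduce: the same system DSN created in both the 64-bit and the 32-bit (WOW64) ODBC views, then the two registry paths read back so the Group Policy Preferences Registry items can be pointed at the right keys. It uses the Add-OdbcDsn/Get-OdbcDsn cmdlets (Windows 8 / Server 2012 or later); the DSN name, driver, server and database are placeholders.

```powershell
# Added example (not from the thread): one system DSN in both ODBC views.
$DsnName = 'AppDb'                                                          # placeholder
$Props   = @('Server=sql01.corp.example', 'Database=App', 'Trusted_Connection=Yes')   # placeholders

foreach ($platform in '64-bit', '32-bit') {
    $exists = Get-OdbcDsn -Name $DsnName -DsnType System -Platform $platform -ErrorAction SilentlyContinue
    if (-not $exists) {
        Add-OdbcDsn -Name $DsnName -DriverName 'SQL Server' -DsnType System `
                    -Platform $platform -SetPropertyValue $Props
    }
}

# Where each copy lives. A GPP Registry item for the 32-bit DSN targets the
# Wow6432Node path; everything under it is otherwise identical.
$hives = @{
    '64-bit' = 'HKLM:\SOFTWARE\ODBC\ODBC.INI'
    '32-bit' = 'HKLM:\SOFTWARE\Wow6432Node\ODBC\ODBC.INI'
}
foreach ($h in $hives.GetEnumerator()) {
    Write-Host ("{0}: {1}\{2}" -f $h.Key, $h.Value, $DsnName)
    # The DSN's own key: Driver path plus the Server/Database/... properties.
    Get-ItemProperty -Path (Join-Path $h.Value $DsnName) |
        Format-List Driver, Server, Database, Trusted_Connection | Out-Host
    # The registration value that makes the DSN appear in the ODBC administrator;
    # a registry push that forgets this one writes a DSN nothing can see.
    Get-ItemProperty -Path (Join-Path $h.Value 'ODBC Data Sources') -Name $DsnName |
        Select-Object -ExpandProperty $DsnName
}
```

So a GPO that only writes `HKLM\SOFTWARE\ODBC\ODBC.INI` gives you the 64-bit DSN Group Policy's ODBC item creates; for 32-bit applications the same values (the DSN key and the `ODBC Data Sources` entry) have to be pushed under `HKLM\SOFTWARE\Wow6432Node\ODBC\ODBC.INI` as well.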

CLAM DOWN
Feb 13, 2007




What is the MS best practice for share permissions on file servers? Domain Users (or similar) with read/write or full control, then restrict with NTFS permissions? I can't find it written anywhere or any kind of technet reference.

Moey
Oct 22, 2010

I LIKE TO MOVE IT

CLAM DOWN posted:

What is the MS best practice for share permissions on file servers? Domain Users (or similar) with read/write or full control, then restrict with NTFS permissions? I can't find it written anywhere or any kind of technet reference.

I have always done read/write for everyone, then lock it down with NTFS permissions by security groups.

CLAM DOWN
Feb 13, 2007




Moey posted:

I have always done read/write for everyone, then lock it down with NTFS permissions by security groups.

I want to avoid "Everyone" because well that's a generally bad idea security-wise, so I was just gonna use Domain Users or even Authenticated Users for read/write. I was just hoping to find an official or semi-official reference for this so my manager can see written proof and approve it for me to implement :(

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
Everyone on Shares isn't a problem. Lock your poo poo down with NTFS permissions within that share and you'll be fine. Doubly so with Access Based Enumeration.

orange sky
May 7, 2007

So, I'm switching people over from Office 2003 to 2013 (365) through SCCM and there's a problem with the file association, prompting users for choosing which program to use when they open an Office file. This happened in my test workstation, and I'm wondering if there's some script I can deploy that changes the file associations to a set executable, or which registry I should be looking at. My Google-Fu seems to be failing me since every registry change / command I've seen in Google ended up not working. Thanks a lot in advance.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
I haven't mucked around with Office Installers in a while, but is there an option in there to set the new Office as the default for opening files?

setup.exe /admin is your friend. You are installing using a custom .msp file, right? Right?


Riso
Oct 11, 2008

by merry exmarx

Gyshall posted:

Everyone on Shares isn't a problem. Lock your poo poo down with NTFS permissions within that share and you'll be fine. Doubly so with Access Based Enumeration.

I use Authenticated Users on the shares so people have to have a valid domain account and then apply the permissions on NTFS directly.
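An added example, not from any poster in this exchange, of the pattern the replies converge on: the share permission wide but restricted to Authenticated Users (so a valid domain logon is required before NTFS is even consulted), NTFS doing the real restriction by security group, and access-based enumeration turned on. It uses the SmbShare module (Server 2012); the path, share name and group names are placeholders.

```powershell
# Added example (not from the thread): share layer + NTFS layer + ABE.
Import-Module SmbShare

$Path      = 'D:\Shares\Finance'        # placeholder
$ShareName = 'Finance'                  # placeholder
$Groups    = @{ 'CORP\Finance-RW' = 'Modify'; 'CORP\Finance-RO' = 'ReadAndExecute' }   # placeholders

if (-not (Test-Path $Path)) { New-Item -Path $Path -ItemType Directory | Out-Null }

# Share layer: Change for Authenticated Users rather than Everyone, so Guest
# and other non-domain principals never get past the share. Full Control on
# the share is only needed for whoever must edit NTFS ACLs over SMB.
New-SmbShare -Name $ShareName -Path $Path `
    -ChangeAccess 'NT AUTHORITY\Authenticated Users' `
    -FullAccess 'BUILTIN\Administrators' `
    -FolderEnumerationMode AccessBased | Out-Null     # ABE: users only see folders they can open

# NTFS layer: stop inheriting from the parent, then grant by security group only.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)           # protect ACL, discard inherited ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$rules   = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $inherit, $prop, 'Allow')
    New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',    'FullControl', $inherit, $prop, 'Allow')
)
foreach ($g in $Groups.GetEnumerator()) {
    $rules += New-Object System.Security.AccessControl.FileSystemAccessRule($g.Key, $g.Value, $inherit, $prop, 'Allow')
}
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $Path -AclObject $acl

# Verify both layers: effective access is the more restrictive of the two.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl -Path $Path).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Because effective access is the intersection of share and NTFS rights, the share permission only needs to be broad enough for the most privileged NTFS group; Authenticated Users with Change covers Modify below it, and anything a group is not granted on NTFS it still cannot do through the share.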
