skipdogg
Nov 29, 2004
Resident SRT-4 Expert

I'm a terrible person and like share level permissions...I find them easier to manage. You can do it either way, but the generally more accepted 'better practice' is to do 'Full Control' on the Share permission and lock things down with NTFS permissions.


Moey
Oct 22, 2010

I LIKE TO MOVE IT

Riso posted:

I use Authenticated Users on the shares so people have to have a valid domain account and then apply the permissions on NTFS directly.

I guess it doesn't matter either way, just make sure your NTFS permissions are set up properly. It sure pisses me off when people apply actual permissions in both places.

Edit: Yes skipdogg, you are a terrible person. :)

BaseballPCHiker
Jan 16, 2006

orange sky posted:

So, I'm switching people over from Office 2003 to 2013 (365) through SCCM and there's a problem with the file association, prompting users for choosing which program to use when they open an Office file. This happened in my test workstation, and I'm wondering if there's some script I can deploy that changes the file associations to a set executable, or which registry I should be looking at. My Google-Fu seems to be failing me since every registry change / command I've seen in Google ended up not working. Thanks a lot in advance.

Try building a new msi on a computer that had 2003 installed that you then upgraded to 2013 and set the correct defaults to. Whichever program you use to build the msi should capture the registry changes and apply them on install the next time you use it.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

skipdogg posted:

You can do it either way, but the generally more accepted 'better practice' is to do 'Full Control' on the Share permission and lock things down with NTFS permissions.

Not only is this the "better practice", Microsoft conditions admins in their documentation. They phrase it as "IT professionals hate this, and despite designing the software that should do this task far more elegantly, we're telling you you should set it to everyone and configure the NTFS permissions."

Zaepho
Oct 31, 2013

BaseballPCHiker posted:

Try building a new msi on a computer that had 2003 installed that you then upgraded to 2013 and set the correct defaults to. Whichever program you use to build the msi should capture the registry changes and apply them on install the next time you use it.

For Office I would very strongly recommend to handle all of this in your transform. This is the supported method for handling all of this and can do pretty much anything you need it to. I've been burnt by capturing changes in the past (as in complete work stoppage for all users at a bank until a fix could be deployed). Don't be that guy!

Sacred Cow
Aug 13, 2007
I'm not sure if this is the right thread but we just deployed Lync through O365 and everything is going great as long as you are not an Android user. It looks like only our users with Android devices are having issues connecting through the app. Win8 and iOS phones are just fine. The only thing we can find is issues with autodiscover but can't figure out why it's Android only.

Has anyone else had this issue?

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
https://testconnectivity.microsoft.com/

Test your lync configurations here.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.


Yeah so apparently if you choose User ODBC it fills in both x32 and x64 whereas if you do System it only does x64. User works just fine.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

BaseballPCHiker posted:

Try building a new msi on a computer that had 2003 installed that you then upgraded to 2013 and set the correct defaults to. Whichever program you use to build the msi should capture the registry changes and apply them on install the next time you use it.

Holy moly don't capture Office into an MSI, especially not when deploying with SCCM. Run setup.exe with the /admin flag to generate a transform.

BaseballPCHiker
Jan 16, 2006

FISHMANPET posted:

Holy moly don't capture Office into an MSI, especially not when deploying with SCCM. Run setup.exe with the /admin flag to generate a transform.

I'm new at administering SCCM so I'm interested to know why you wouldn't want to do that? I haven't yet with Office but can't you just make a program in SCCM and enter in your account license and use msiexec to run the installer?

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Capturing an install into an MSI (as opposed to using an included MSI installer) is waaaaay at the bottom of the list of ways you want to use to install software, well after "find a different vendor." Apparently when using GPO to deploy software, it had to be an MSI (I don't know, I've never used GPO) but SCCM doesn't have that requirement. Capturing an MSI has all sorts of problems because you don't know if what you're capturing is just what you installed, or other system changes as well.

Using built in tools to manage an install is a much better idea. For example, if you want to change a setting in your installer. Making a transform for the Office installer means you just have to run setup.exe /admin again and change your transform. Capturing the MSI requires reinstalling the software and recapturing.

Lights
Dec 9, 2007

Lights, the Peacock King, First of His Name.

So I have a sort of frustrating issue that I've been unable to research a solution to, and am hoping someone might have some ideas.

One of my client sites is a k-12 school, and they're very serious about having their internet access be "safe". So they're using a default search engine called "Kidrex", which is a rebranded custom Google Search site. This gives them everything they want.

However, the problem is that the kids can still go to Google directly, and even with SafeSearch turned on, both Google Images and the auto-complete will give them what the school considers to be "inappropriate" results. If we block Google, then Kidrex stops working as it relies on Google for its search results. My thought was to simply block Google Images and then disable the autocomplete function, but for the life of me I cannot find a way to actually disable the feature. Google Instant can be blocked, but there doesn't seem to be a way to stop the autocomplete.

My boss has reached a point of wanting to outright abandon Google for their site and look into a move to Bing. Is there another alternative?

Lights fucked around with this message at 16:46 on Jul 24, 2014

dox
Mar 4, 2006

Kaninrail posted:

So I have a sort of frustrating issue that I've been unable to research a solution to, and am hoping someone might have some ideas.

One of my client sites is a k-12 school, and they're very serious about having their internet access be "safe". So they're using a default search engine called "Kidrex", which is a rebranded custom Google Search site. This gives them everything they want.

However, the problem is that the kids can still go to Google directly, and even with SafeSearch turned on, both Google Images and the auto-complete will give them what the school considers to be "inappropriate" results. If we block Google, then Kidrex stops working as it relies on Google for its search results. My thought was to simply block Google Images and then disable the autocomplete function, but for the life of me I cannot find a way to actually disable the feature. Google Instant can be blocked, but there doesn't seem to be a way to stop the autocomplete.

My boss has reached a point of wanting to outright abandon Google for their site and look into a move to Bing. Is there another alternative?

I've seen this before. Instead of coming up with a respectable solution, the school decided to create their own cert for Google and all hell broke loose.

I would recommend taking a look at OpenDNS.

BaseballPCHiker
Jan 16, 2006

FISHMANPET posted:

Capturing an install into an MSI (as opposed to using an included MSI installer) is waaaaay at the bottom of the list of ways you want to use to install software, well after "find a different vendor." Apparently when using GPO to deploy software, it had to be an MSI (I don't know, I've never used GPO) but SCCM doesn't have that requirement. Capturing an MSI has all sorts of problems because you don't know if what you're capturing is just what you installed, or other system changes as well.

Using built in tools to manage an install is a much better idea. For example, if you want to change a setting in your installer. Making a transform for the Office installer means you just have to run setup.exe /admin again and change your transform. Capturing the MSI requires reinstalling the software and recapturing.

Good to know. I've been using included MSI installers whenever possible because it's just one less step for me. Is it appropriate then to build your own MSI for something like a simple program that then needs a custom batch file ran after the install or should you create a package that runs one program then in advanced properties click to run another program first and just have it deploy itself piece by piece?

This whole system has been new to me and I'm trying to learn on the fly as part of a whole department overhaul. Been trying to educate myself through the latest CBT Nuggets series on the 70-243 exam and SCCM 2012 SP1 Mastering the Fundamentals book. Any other good training recommendations?

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
This has been making the rounds, for those of you maintaining 2003+2012 R2...

http://blogs.technet.com/b/askds/ar...ontrollers.aspx

Sacred Cow
Aug 13, 2007

BaseballPCHiker posted:

Good to know. I've been using included MSI installers whenever possible because it's just one less step for me. Is it appropriate then to build your own MSI for something like a simple program that then needs a custom batch file ran after the install or should you create a package that runs one program then in advanced properties click to run another program first and just have it deploy itself piece by piece?

This whole system has been new to me and I'm trying to learn on the fly as part of a whole department overhaul. Been trying to educate myself through the latest CBT Nuggets series on the 70-243 exam and SCCM 2012 SP1 Mastering the Fundamentals book. Any other good training recommendations?

I learned with CBT and a lot of test packages sent to a test laptop. If something isn't working, learn which logs you need to check and where to find them (server or client?). Speaking of logs, use the SCCM log parser (CmRcViewer) whenever possible. It makes it much easier to spot the errors than slogging through a text doc.

For deploying Office, do a setup.exe /admin then save the MSP file in the "updates" folder of the source. When you create the package, use the following for the Command Line
code:
setup.exe /adminfile .\updates\AutoInstall.msp
You can call the MSP whatever you want, I used "AutoInstall". When you create the MSP there are 2 settings that will save you a headache later. Under Modify Setup properties, add Name - "AUTO_ACTIVATE" Value - 1 which will automatically activate the license without prompting the user. Under Modify user settings, go to Microsoft Office 2013 > Privacy > Trust Center and set "Disable Opt-in Wizard on first run" and that will keep Office from bugging them about setting up automatic updates on first run.

When it comes to creating a deployment, I like to do separate packages and then have dependencies. It makes it easier to troubleshoot where in the chain of events something goes wrong if it doesn't work. Just my opinion though.

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.

Kaninrail posted:

My boss has reached a point of wanting to outright abandon Google for their site and look into a move to Bing. Is there another alternative?

What gateway firewall are they using? Most modern UTM firewalls can do some sort of "Safe Search enforcement" or something along those lines to satisfy that.

PUBLIC TOILET
Jun 13, 2009

Sacred Cow posted:

I learned with CBT and a lot of test packages sent to a test laptop. If something isn't working, learn which logs you need to check and where to find them (server or client?). Speaking of logs, use the SCCM log parser (CmRcViewer) whenever possible. It makes it much easier to spot the errors than slogging through a text doc.

For deploying Office, do a setup.exe /admin then save the MSP file in the "updates" folder of the source. When you create the package, use the following for the Command Line
code:
setup.exe /adminfile .\updates\AutoInstall.msp
You can call the MSP whatever you want, I used "AutoInstall". When you create the MSP there are 2 settings that will save you a headache later. Under Modify Setup properties, add Name - "AUTO_ACTIVATE" Value - 1 which will automatically activate the license without prompting the user. Under Modify user settings, go to Microsoft Office 2013 > Privacy > Trust Center and set "Disable Opt-in Wizard on first run" and that will keep Office from bugging them about setting up automatic updates on first run.

When it comes to creating a deployment, I like to do separate packages and then have dependencies. It makes it easier to troubleshoot where in the chain of events something goes wrong if it doesn't work. Just my opinion though.

Yeah you almost always should use setup.exe /admin when customizing Office installs for deployment. That will launch OCT and you can customize any settings you want end-users to have when their systems receive Office. Save as an MSP file, save to the Updates folder of the extracted Office installation. I personally don't use the /adminfile command to call the custom MSP file and I don't modify the setup.xml file. The install looks at the Updates folder, sees the service pack files and the msp file and just automatically applies all of it during the install. I had problems when trying to manually specify MSP files using /adminfile to call either a local location or a network share. Created a little more work when building and customizing but it works.

Always try to use included MSI installers because they have the functionality you need already built-in. Use /? on the MSI file to see what commands are available (which are universal for the most part) or if it already has an MST (transform file) then that's a good starting point. Some self-extracting EXE files that use InstallShield can also be customized (if an MSI is unavailable.) Try setup.exe /? or setup.exe /R to run a recorded install which will generate a custom ISS file. A lot of programs will also have their own customization utilities as well like Adobe applications. Adobe has an application that can build customized MSI/MST files for Reader, Flash, etc. Microsoft has a utility called Orca which can handle MSI/MST files.

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from

incoherent posted:

This has been making the rounds, for those of you maintaining 2003+2012 R2...

http://blogs.technet.com/b/askds/ar...ontrollers.aspx

We got hit with this, fun thing is even when all your 2003 DCs are gone the DCs themselves can still hose their keys when resetting their passwords. Been a few months since I disabled computer account password resets on the DCs...

goobernoodles
May 28, 2011

Wayne Leonard Kirby.

Orioles Magician.
Can anyone recommend software for finding/cleaning up duplicate files on a file server (Server 2003)?

thebigcow
Jan 3, 2001

Bully!
Roughly how lovely is Server 2008? I never hear anything about it.

CLAM DOWN
Feb 13, 2007




thebigcow posted:

Roughly how lovely is Server 2008? I never hear anything about it.

It's the Vista server OS. Use R2.

Zaepho
Oct 31, 2013

CLAM DOWN posted:

It's the Vista server OS. Use R2.

Definitely use R2. Why not 2012 R2 though?

lol internet.
Sep 4, 2007
the internet makes you stupid
Enabled some power settings through Computer Configuration > Preferences > Control Panel Settings > Power Options > Power Plan > Properties and now it seems to have removed the option to hibernate on Windows 7 machines. Any ideas?

Edit: Nevermind, apparently it's the hybrid sleep option.

lol internet. fucked around with this message at 15:53 on Jul 25, 2014

orange sky
May 7, 2007

Crossposting from another thread, does anyone have any idea what I can do? I've designed good flows but they don't work because the KSC sucks :(

quote:

So, I've been trying to uninstall McAfee and deploy Kaspersky through SCCM and Kaspersky Security Center and I'm running into a wall here. Too many restarts needed, even if I had wake on lan it'd be really hard to do it. KSC, now that's something I hate right there. gently caress, what a headache. Filters don't work on machines and it starts a task and just hangs there all day and I have no idea what the hell is really going on - I just wish it'd go well

Also, I can't just insert a shutdown in my batch file after uninstalling McAfee, because if someone comes in in the morning and downloads the machine policy, then starts to work, bam machine off.

Zaepho
Oct 31, 2013

orange sky posted:

Crossposting from another thread, does anyone have any idea what I can do? I've designed good flows but they don't work because the KSC sucks :(

What are you replacing it with? Most of the current Enterprise AV Suites will detect and remove the other suites. System Center Endpoint Protection for example does this, although my Google-fu is failing me this morning when trying to find the list of supported 3rd party AV suites it can remove.

orange sky
May 7, 2007

Zaepho posted:

What are you replacing it with? Most of the current Enterprise AV Suites will detect and remove the other suites. System Center Endpoint Protection for example does this, although my Google-fu is failing me this morning when trying to find the list of supported 3rd party AV suites it can remove.

Uninstalling McAfee with KSC doesn't work, leaves a lot of stuff from McAfee behind. So that was out of the question.

I'm uninstalling with SCCM, restarting afterwards.

Then, I'm deploying kaspersky agent and endpoint client with KSC.

Then when that's all done and ok I put the clients on the 2nd group, for database updates and a virus scan.

But guess what, I can't know for sure that McAfee really is deleted, restarts sometimes don't work, Kaspersky sometimes doesn't start up after installing (creating a situation where the subsequent restarts don't work), Kaspersky locks up because of.. who knows?.... drat.

orange sky fucked around with this message at 17:57 on Jul 26, 2014

Zaepho
Oct 31, 2013

orange sky posted:

I'm uninstalling with SCCM, restarting afterwards.

Are you trying to use an app/package to do the uninstall/cleanup/install? Have you considered using a Task Sequence? It should be able to survive the multiple reboots that you were referring to before.

kiwid
Sep 30, 2013

What is the preferred way to setup a file server, do you guys share out the root folder and control all sub folders via NTFS permissions or do you share out each folder as a separate share?

For example:

pre:
Data
--> Accounting
--> Brokerage
--> Executive
--> Human Resources
--> IT
--> Operations
--> President
--> Production
--> Public
--> Shipping
10 shares, one for each sub folder or 1 share for data and control access via NTFS perms?

kiwid fucked around with this message at 01:54 on Jul 28, 2014

CLAM DOWN
Feb 13, 2007




kiwid posted:

What is the preferred way to setup a file server, do you guys share out the root folder and control all sub folders via NTFS permissions or do you share out each folder as a separate share?

For example:

pre:
Data
--> Accounting
--> Brokerage
--> Executive
--> Human Resources
--> IT
--> Operations
--> President
--> Production
--> Public
--> Shipping
10 shares for each sub folder or 1 share for data and control access via NTFS perms?

Using your case, I share out all subfolders so I'd have 10 shares there. Quotas set on each share root as well.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

10 different shares in that case, and then say if under Human Resources you needed a 'Payroll' folder, you can secure that with NTFS from other HR folks. That's a scenario we have. We have a HR share that like a dozen folks have access to, and then payroll only 3 folks can get to that data.

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from
We have users who "float" between departments or need access to more than one so we share out the root as a DFS share then use ABE and NTFS to control which subfolders the users see and have access to.

vanity slug
Jul 20, 2010

hihifellow posted:

We have users who "float" between departments or need access to more than one so we share out the root as a DFS share then use ABE and NTFS to control which subfolders the users see and have access to.

That's pretty much what we do, too.
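
The single-root-share layout discussed in the posts above (Full Control on the share, NTFS permissions and ABE doing the restricting, a Payroll subfolder locked down further), as an added PowerShell example that is not part of any poster's message. It assumes Server 2012 or later with the SmbShare module and an elevated session; D:\Data, the share name "Data" and the CONTOSO\FS-* groups are hypothetical.

```powershell
# Added example. Hypothetical names: D:\Data, share "Data", CONTOSO\FS-* groups.
$root        = 'D:\Data'
$domain      = 'CONTOSO'
$departments = 'Accounting', 'Human Resources', 'IT'   # subset of the folders in the post

$admins = 'BUILTIN\Administrators:(OI)(CI)F'
$system = 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

New-Item -ItemType Directory -Path $root -Force | Out-Null

# 1. Share level: Full Control for Authenticated Users only, so a valid account
#    is required but every real restriction lives in NTFS. AccessBased turns on
#    ABE, which hides folders the caller cannot open.
New-SmbShare -Name 'Data' -Path $root `
    -FullAccess 'NT AUTHORITY\Authenticated Users' `
    -FolderEnumerationMode AccessBased

# 2. Root folder NTFS: drop inherited ACEs, then let users list and traverse
#    the root itself (no OI/CI flags, so nothing flows down to children).
icacls $root /inheritance:r /grant $admins $system 'NT AUTHORITY\Authenticated Users:(RX)'

# 3. Department folders: inheritance off, one Modify group per folder.
foreach ($dept in $departments) {
    $path  = Join-Path $root $dept
    $group = "$domain\FS-$($dept -replace ' ', '')-RW"
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    icacls $path /inheritance:r /grant $admins $system "${group}:(OI)(CI)M"
}

# 4. Payroll under Human Resources: inheritance off again so the wider HR
#    group gets nothing here, only the smaller payroll group.
$payroll = Join-Path $root 'Human Resources\Payroll'
New-Item -ItemType Directory -Path $payroll -Force | Out-Null
icacls $payroll /inheritance:r /grant $admins $system "${domain}\FS-Payroll-RW:(OI)(CI)M"

# 5. Audit: list share-level entries that are a Deny or anything less than
#    Full Control. Each hit is a share where permissions are being applied
#    in both places, and effective access is the more restrictive of the two.
Get-SmbShare -Special $false |
    Get-SmbShareAccess |
    Where-Object { $_.AccessControlType -eq 'Deny' -or $_.AccessRight -ne 'Full' } |
    Select-Object Name, AccountName, AccessControlType, AccessRight
```

Step 5 is read-only and can be run on its own against an existing file server before changing anything.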

Cpt.Wacky
Apr 17, 2005
I work in a healthcare environment and I foresee getting more and more requests to send confidential info by email. It appears that Outlook supports using certificates to encrypt emails. It seems like I'll have to purchase certs so that recipients don't get annoying pop-ups, and the recipients will also need their own certs. We're likely going to be corresponding with numerous other organizations so exchanging our own CA certs won't work.

The alternative I'm trying to avoid is one of those lovely web portals where you don't encrypt the email but instead send an email saying there's a new message and a link to login to the portal.

Is this the best course to take? Any pitfalls to watch out for? Any good certificate vendors that make buying and managing lots of individual certs easier?

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

Cpt.Wacky posted:

The alternative I'm trying to avoid is one of those lovely web portals where you don't encrypt the email but instead send an email saying there's a new message and a link to login to the portal.

This is what all the medical record companies do. (AIG only method of digital document delivery) you're going to have to get everyone in the room and train, there is no easy out from this.

Yaos
Feb 22, 2003

She is a cat of significant gravy.
I have a question about adding a server to a domain. We have a file server with a few people using local accounts on the server, if I add the server to the domain will they still be able to access their files over the network using their local accounts? I'm pretty sure they can but I just want to make sure before I destroy myself. Thanks!

CLAM DOWN
Feb 13, 2007




Yaos posted:

I have a question about adding a server to a domain. We have a file server with a few people using local accounts on the server, if I add the server to the domain will they still be able to access their files over the network using their local accounts? I'm pretty sure they can but I just want to make sure before I destroy myself. Thanks!

Probably think about migrating them to AD accounts or groups, but yeah local accounts will still work just fine on a domain.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
I think the only potential gotcha would be if previously auth attempts were made with the assumption that local was the default domain to logon to, and depending on things they could try and auth as DOMAIN\User instead of LOCAL\User, but if you're explicitly being LOCAL\User you should be fine.

Yaos
Feb 22, 2003

She is a cat of significant gravy.
Thanks for the answers. They are only local users because they were already local users, they'll be on AD soon enough. They'll probably be the first on the domain so I can get rid of these local accounts. Gotta get everything set up though.

Edit: All this worry for nothing. Nobody is actually using the server yet. :)
Edit 2: Spoke too soon, 26 connections. :)

Yaos fucked around with this message at 21:21 on Jul 28, 2014


Cpt.Wacky
Apr 17, 2005

incoherent posted:

This is what all the medical record companies do. (AIG only method of digital document delivery) you're going to have to get everyone in the room and train, there is no easy out from this.

Is there an industry name for this type of product? Are there any that don't suck?
