Jeoh posted:
> What are the requirements? Just Server 2012 + Win 8 Enterprise right?

You can pretty much only get it with an Enterprise Agreement / Software Assurance... I think the cheapest you can pull that off is something like ~$100/year per PC. But that gives you Windows 7/8/10 Enterprise and then you can use DirectAccess / AppLocker / Windows To Go.

# May 1, 2015 00:44
I have a permissions issue that I can't figure out, and what's ticking me off is that I'm missing something glaringly obvious but I can't see what it is.

I have deployed a brand new Windows image to a server after sysprepping the gold image, telling it to preserve credentials. I have created a new user that is in the Administrators group on the local server. When I am logged on at the console and try to create a new file under c:\inetpub\[WebRootFolder] by right-click > New, the only option (instead of a list of the new file types to create, including New Text File) is New Folder with the little security shield next to it:

If I right-click on my desktop, the full list of file types appears. Creating a new file on my desktop and copying it to the web root, I get the following security popup:

If I click Continue, the file copies just fine. Similarly, I cannot save a Notepad file into that location unless I've used "Run As Administrator" for Notepad.

Clearly this is a permissions issue, but I can't figure out how to remove this block, as this is a development server and I do a ton of dev work straight on the console. I've tried moving the UAC slider down to Never Notify and have verified that my logon is a local logon with local admin rights. This server is not a member of a domain.

Agrikk fucked around with this message at 01:10 on May 1, 2015

# May 1, 2015 00:54
Take a look at your NTFS ACL, paste it here if you'd like, your Administrators group probably has limited permissions similar to System32.

# May 1, 2015 01:12
At a remote office I'm going to be migrating DHCP duties from the current DHCP server, our router, to the Win2k8 R2 server that is located in the same office. I've put together a checklist of things to do to make the change, but I'm wondering if I should delete all the DNS records for clients in this subnet just before I switch on the new DHCP service. Currently DNS records at this location are kinda... screwy (duplicates, and it looks like there may be AD replication issues, but that's a whole other problem), and I'd like the machines to pull fresh addresses from the new server and then update DNS with the new address. The subnet isn't changing, it's staying 192.168.30.x/24. It's only about 35 workstations at this location, so we're not talking a large number of addresses. Am I overthinking this, and is this step completely unnecessary?

# May 1, 2015 01:37
CLAM DOWN posted:
> I am (I'm running tcpview, procmon, etc, as well), and that was my assumption at first too. But WebDAV isn't installed on the server, and the feature/component isn't on this workstation either. I tried fooling around with the network provider order too, no effect.

Weird, I'd be half tempted to check out what it's actually requesting with tcpdump or Wireshark.

# May 1, 2015 01:41
I have a valid license to upgrade a machine from Win 8.1 to Win 8.1 Pro. The upgrade process keeps failing with a non-specific error ("Something went wrong"). So far I have tried:

- Completely updating the machine
- sfc /scannow
- Disabling Nalpeiron Licensing Service
- Clean boot
- Refreshing the computer
- Doing a clean reinstall
- Calling Microsoft support (complete dead end)

Am I missing anything? I can't think of what else to try.

# May 1, 2015 01:46
theperminator posted:
> Weird, I'd be half tempted to check out what it's actually requesting with tcpdump or wireshark.

It's not actually requesting anything. There are 3 TCP SYNs over about 15-20 seconds, it times out with no ACK because the destination doesn't permit port 80 inbound, and then it starts the SMB authentication over 445. It's the weirdest goddamn thing I have seen in a long time.

# May 1, 2015 02:05
Thread might like this..

So I'm the Active Directory Lead for a major airline. They use RSA for remote access and they're stuck on 7.1 coz they're stupid and gently caress, please, don't make me explain. So 7.1 isn't supported for Server 2012, only 2008 R2. So I look at their release doco for 7.1 and they say 'only a domain controller running 2008 R2 in 2003 Active Directory Emulation mode'. What? Go and poke the Solution Architects and ask what the gently caress is this, I've never heard of it. They all shrug and say they haven't either.

So I email back RSA saying there is no such thing as 2003 Emulation mode and do you mean the functional level of the forest? Tech support jockey gets a bit pissy and says but I refer you to page blah of our lovely document, it says it in there. I say I don't care what you've written in your document, you're making the poo poo up. I need to be sure you mean functional level of the forest because huge corporate production network, airline, you get the idea?

He comes back later and says yes, their documentation is 'worded poorly' and they meant functional level. This is RSA, as in the loving huge vendor of cryptographic solutions. This is the release documentation for their flagship product, the thing that generates the key tokens and you give to all your users.

IT. We make it up as we go along.

# May 1, 2015 03:18
parasyte posted:
> Enterprise is volume-licensing only, but isn't quite how it used to be. Enterprise used to only be available with software assurance, but last year it was changed to be a separate license. Which is pretty great for people who don't update since it's less expensive to get those Enterprise features, but it's more expensive initially to get any of the Software Assurance features since Pro-only SA was discontinued.

That's still $100/year per machine just to let it have Enterprise on it though? Were I to go that route the Microsoft licensing portion of the IT budget would be about half of what I budget for repairs and replacement in any year. The total number I'd be looking at is a drop in the bucket of the overall budget but I'd much rather throw that money at upgrading some lovely piece of our network infrastructure somewhere instead.

In conclusion goddamnit Microsoft just let me use DirectAccess without a subscription

# May 1, 2015 03:29
Tony Montana posted:
> He comes back later and says yes, their documentation is 'worded poorly' and they meant functional level. This is RSA, as in the loving huge vendor of cryptographic solutions. This is the release documentation for their flagship product, the thing that generates the key tokens and you give to all your users.

Because the IT security industry is nothing more than racketeering at times. Symantec managed PKI is impressively dumb, watch as I take 2 minutes to export the non-exportable private keys so the infosec guys at this 60,000 employee company can login remotely using a Linux.

# May 1, 2015 03:42
CLAM DOWN posted:
> Take a look at your NTFS ACL, paste it here if you'd like, your Administrators group probably has limited permissions similar to System32.

That was it. When I added the user explicitly to the folder, it worked fine. What I don't understand is that this user account is added to the computername\Administrators group and this group has full control to the folder. Any idea how that could happen?

# May 1, 2015 04:50
Mr. Clark2 posted:
> At a remote office I'm going to be migrating DHCP duties from the current DHCP server, our router, to the win2k8 r2 server that is located in the same office. I've put together a checklist of things to do to make the change but I'm wondering if I should delete all the DNS records for clients in this subnet just before I switch on the new DHCP service. Currently DNS records at this location are kinda...screwy (duplicates, and it looks like there may be AD replication issues, but thats a whole other problem), and I'd like the machines to pull fresh addresses from the new server and then update DNS with the new address. The subnet isn't changing, it's staying 192.168.30.x/24. It's only about 35 workstations at this location so we're not talking a large number of addresses. Am I overthinking this and is this step completely unnecessary?

Turn on DNS scavenging and secure dynamic DNS updates, that should fix your "screwy" DNS records. You don't have to delete the DNS records when you switch to the new DHCP server, everything will self resolve eventually once you have DNS scavenging and secure dynamic DNS updates turned on.

# May 1, 2015 04:59
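The two settings devmd01 recommends, as an added example that is not from the thread: it uses dnscmd because that tool exists on the Windows Server 2008 R2 box in the question as well as on 2012+. The zone name, server address and interval values are assumptions for the illustration.

```powershell
# Added example, not code from the thread. Enables secure-only dynamic updates
# plus aging/scavenging for one zone, then shows how to verify the result.
$Zone      = 'corp.example'    # assumed zone name
$DnsServer = '192.168.30.10'   # assumed DNS/DHCP server in the 192.168.30.0/24 office
$NoRefresh = 168               # hours: no-refresh interval (7 days)
$Refresh   = 168               # hours: refresh interval (7 days)
$Scavenge  = 168               # hours: how often the server runs a scavenging pass

# 1. Secure dynamic updates only (AllowUpdate 2). Clients must authenticate to
#    write a record, and the record is owned by the account that created it, so
#    one workstation can no longer overwrite another's name with its own address.
dnscmd $DnsServer /Config $Zone /AllowUpdate 2

# 2. Per-zone aging. Only dynamically registered records carry a timestamp and
#    can be scavenged; records created by hand (static) are never removed.
#    A record becomes eligible for deletion once NoRefresh + Refresh hours have
#    passed since its timestamp without the client refreshing it.
dnscmd $DnsServer /Config $Zone /Aging 1
dnscmd $DnsServer /Config $Zone /NoRefreshInterval $NoRefresh
dnscmd $DnsServer /Config $Zone /RefreshInterval $Refresh

# 3. Turn on the scavenging pass itself, server-wide, and restrict scavenging of
#    this zone to this one server so that only one DC/DNS server does deletions
#    (the deletions then replicate through AD to the rest).
dnscmd $DnsServer /Config /ScavengingInterval $Scavenge
dnscmd $DnsServer /ZoneResetScavengeServers $Zone $DnsServer

# Verify: the zone properties should now show Aging = 1 and AllowUpdate = 2.
dnscmd $DnsServer /ZoneInfo $Zone

# Check the workstation subnet. Records printed with an [Aging:...] tag are
# timestamped and will age out; A records without the tag are static and will
# stay behind, so any leftover duplicates in that list need manual cleanup.
(dnscmd $DnsServer /EnumRecords $Zone @ /Type A) -match '192\.168\.30\.'
```

Keep the DHCP lease duration shorter than NoRefresh + Refresh so that live clients re-register before their records age out; stale entries will only disappear after that window plus one scavenging interval, so "eventually" here is typically two to three weeks with the values above.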
devmd01 posted:
> Turn on DNS scavenging and secure dynamic DNS updates, that should fix your "screwy" DNS records. You don't have to delete the DNS records when you switch to the new dhcp server, everything will self resolve eventually once you have DNS scavenging and secure dynamic DNS updates turned on.

Muchas gracias senor!

# May 1, 2015 21:19
Sheep posted:
> Out of curiosity, any other manufacturers have similarly easy to configure site to site VPN setups?

Dragging this one back from the past, but I've been out of the country for a week. Sophos have RED boxes, which are a plug-and-play remote office VPN solution; it looks like SonicWall are moving in that direction with their TZ series coming with GMS and tying back to an NSA appliance at a central location as well. Expect everything to do it soon, basically.

# May 3, 2015 16:10
DirectAccess is so good

# May 4, 2015 09:17
If anyone is interested, SCCM 2016 Technical Preview is available for download here! Hopefully I'll have some free time this week to stand up a VM and try it out.

# May 4, 2015 20:34
Hasn't that been available for a while now? It looks like either January or October. Man, MS makes this stuff so hard to figure out.

# May 4, 2015 20:51
This one was just announced from Ignite this morning. I figured if people like Johan Arwidmark are making a big deal out of it, it must be new. http://blogs.technet.com/b/server-c...brid-cloud.aspx

Looks like it's a new revision of the technical preview. It adds things like DSC, native SSH and a bunch of monitoring.

Edit - SCCM 2012 and 2012 R2 Service Pack next week: http://blogs.technet.com/b/configmg...on-manager.aspx

Sacred Cow fucked around with this message at 21:26 on May 4, 2015

# May 4, 2015 21:07
Sacred Cow posted:
> Edit - SCCM 2012 and 2012 R2 Service Pack next week

Yay, I'm so happy I can do Windows 10 in SCCM 2012 R2.

# May 4, 2015 22:04
Nano Server is really exciting. About time, too.

# May 4, 2015 22:26
m.hache posted:
> Look into the GPO itself. For each folder being redirected open up the properties and look for the following:

Ok so yes, it is a LOT of content. In testing it does the whole thing during "applying folder redir policy", so users can't do anything until it's done syncing. Yuck.

Here's what I think I'll do: move the folder redirect shares somewhere else but keep the GPO pointing to the original place. That way they will have "blank" folders. Then remove the GPO. Then tell them "all your stuff is in your U: drive" :-/

# May 5, 2015 00:44
Jeoh posted:
> Nano Server is really exciting. About time, too.

Could someone explain what's so cool about Nano Server?

# May 5, 2015 01:39
One of the interesting things is being able to give your developers a true "private cloud" experience on prem. Their apps get staged and deployed using DSC, developers monitor via Visual Studio, and you significantly close the footprint on a Windows instance. You begin to turn Windows from a pet-centric platform to a cattle-centric one. Plus, RIP WoW64 finally.

# May 5, 2015 05:12
NevergirlsOFFICIAL posted:
> ok so yes. it is a LOT of content. In testing it does the whole thing during "applying folder redir policy" so users can't do anything until it's done syncing. Yuck.

Honestly, I would just cut them over in small groups at a time. It may suck that they have to wait 10 minutes to log in, but that's just once. If your end game was to get them onto the local systems, just rip off the proverbial band-aid. Send out emails to the select groups warning them of the slow logins a few days prior and you should be fine.

Alternatively, if you don't mind keeping them as roaming profiles, use robocopy to move them. You can maintain permissions that way, so you just need to redirect the GPO to the new drive.

# May 5, 2015 15:21
So this is pretty great. It lacks the audit trail of a 3rd party appliance/service but I'm leveraging it to finally get us away from using the same local admin password on all of our servers.

# May 5, 2015 17:13
We use TPAM from Dell/Quest so this new tool is redundant for us, but it's really good that MS is releasing it!

# May 5, 2015 17:16
hihifellow posted:
> So this is pretty great. It lacks the audit trail of a 3rd party appliance/service but I'm leveraging it to finally get us away from using the same local admin password on all of our servers.

That looks great. I'm going to push this out to our clients too as it's a goddamn nightmare hodgepodge of local admin passwords on our clients. Time to test!

# May 5, 2015 17:28
hihifellow posted:
> So this is pretty great. It lacks the audit trail of a 3rd party appliance/service but I'm leveraging it to finally get us away from using the same local admin password on all of our servers.

That..... that is insanely cool. Not a week ago, we had an entire department freaking out because their new IT manager started randomizing local admin passwords on systems (and writing them down, of course). This department had everything cryptowalled last year and has a long history of terrible practices, mind you. This may prove useful for those bitching about inconvenience.

# May 6, 2015 04:25
Roargasm posted:
> More of a server 2012 thing but try the following commands in Powershell to make sure everything is enabled:

This worked immediately, no reboot even! Thank you very much.

Demie posted:
> If you want to RDP into a Win8/2012+ puter from your Win7 desktop, you have to go into the win8 VM's firewall settings and disable security on remote desktop protocol rules. That's the only way I have found to make it work.

This makes perfect sense. I remember all the times I've seen "cannot verify the identity of the remote computer" before. I guess they've tightened things up a bit.

# May 6, 2015 13:15
Agrikk posted:
> That was it. When I added the user explicitly to the folder, it worked fine.

It's a UAC thing: local console sessions running under credentials that are in the local Administrators group are actually running as standard user accounts. When you try to access something, and the only way you'll be granted access is because you belong to the local Administrators group, then the calling application (Windows Explorer) needs to be elevated.

Notepad works when you Run as Administrator because it's elevated. But you can't elevate all of Windows Explorer; all those UAC prompts you get are only for the underlying call -- i.e. to enumerate a folder or modify a file. If a particular call isn't UAC-aware then it's going to have its access denied. So that's why if you add your user account directly you won't get cockblocked by UAC.

It's a pain so I usually work around it by remotely accessing the machine's ADMIN$ share, which works in my environment because we don't have Remote UAC enabled.

# May 6, 2015 17:01
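A way to see Shuntly's explanation on the box itself, as an added example that is not from the thread: run it once in a normal console window and once in an elevated one. The folder path is an assumption; the probe file name is constructed for the test.

```powershell
# Added example, not code from the thread. Shows the filtered (non-elevated)
# token that UAC gives a member of Administrators, and what the folder ACL
# grants, to explain why Explorer/Notepad are refused until elevated.
param([string]$Path = 'C:\inetpub\wwwroot')   # assumed web root

$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

# IsInRole() looks at the token this process actually holds. In a non-elevated
# session the Administrators membership is marked "used for deny only", so this
# returns False even though the account is in the group.
$elevated = $principal.IsInRole($adminRole)

# whoami shows each group's attributes in the token. Match on the well-known
# SID S-1-5-32-544 rather than the localized name BUILTIN\Administrators.
$adminsEntry = whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.SID -eq 'S-1-5-32-544' }

"User:                    $($id.Name)"
"Process elevated:        $elevated"
"Administrators in token: $($adminsEntry.Attributes)"

# Explicit ACEs on the folder that grant write-type access. If the only ACE the
# user reaches is the BUILTIN\Administrators one, a non-elevated process cannot
# use it, which is the symptom in the thread; an ACE naming the user directly
# works regardless of elevation, which is the workaround Agrikk applied.
"`nACEs on $Path granting write access:"
(Get-Acl -Path $Path).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.FileSystemRights -match 'Modify|FullControl|Write' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# Effective test: try to create and remove a throwaway file with this token.
$probe = Join-Path $Path ('uac-probe-{0}.txt' -f [guid]::NewGuid())   # constructed name
try {
    [IO.File]::WriteAllText($probe, 'probe')
    Remove-Item -LiteralPath $probe
    "Write test: succeeded with the current token."
} catch {
    # Expected in a non-elevated console when the user is only covered by the
    # Administrators ACE: UnauthorizedAccessException from the underlying call.
    "Write test: denied ($($_.Exception.GetBaseException().GetType().Name))."
}
```

Granting the user an explicit ACE, as the thread did, trades the UAC safety net for convenience on that one folder; on a dev box that is a defensible choice, on a production web root it is not.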
https://technet.microsoft.com/library/security/ms15-may

Ugh, what a month.

# May 12, 2015 18:29
Does anyone know of a good checklist to go through when replacing a 2003 DC with a new one running 2012 R2? I've read over http://blogs.technet.com/b/canitpro...erver-2012.aspx but this feels like way too little.

# May 13, 2015 01:42
I did that exact upgrade a year ago and honestly there's not much more to it than that link. We were running constant domain controller health checks throughout the whole process (dcdiag on 2012 R2 is pretty extensive, and repadmin /showrepl still works) and verifying service records were correct in DNS, but beyond that there really wasn't anything else.

# May 13, 2015 03:06
Methanar posted:
> Does anyone know of a good checklist to go through when replacing a DC from 2003 to with a new one with 2012 R2.

Anyone know of a good checklist for 2008 R2 to 2012 R2? I imagine it's even more straightforward, but it'd be nice to have steps laid out.

# May 13, 2015 04:41
CLAM DOWN posted:
> https://technet.microsoft.com/library/security/ms15-may ugh what a month

Look on the bright side, pretty much every single update this month is a critical security update, so it's not like you have to spend any time investigating before approving them for installation.

# May 14, 2015 02:39
Shuntly posted:
> It's a UAC thing: local console sessions running under credentials that are in the local Administrators group are actually running as standard user accounts. When you try to access something, and the only way you'll be granted access is because you belong to the local Administrators group, then the calling application (Windows Explorer) needs to be elevated.

Huh. Well, whaddaya know about that? This was really interesting. Thanks for the explanation.

# May 14, 2015 03:03
Ok Win Enterprise thread, evaluate and discuss.

https://support.microsoft.com/en-us/kb/3062591
https://technet.microsoft.com/en-us/library/security/3062591.aspx

Being at the leading edge is fun, when it's not breaking poo poo either now or in the future. It's gone from schema update from some random on a forum (lol no we're not doing that) to being now an official MS thing. I'm thinking of reasons to shoot my Desktop Manager down but maybe he's really onto something this time.

# May 15, 2015 01:48
It's on my to-do list on the back burner; one of the domains I manage only has 100-ish machines, what could go wrong?

# May 15, 2015 02:36
Tony Montana posted:
> Ok Win Enterprise thread, evaluate and discuss.

I posted it halfway up this page and it's not a bad idea, especially if you have nothing managing local admin passwords except a spreadsheet you hope people keep updated (or worse, the same password for everything (like us)).

As far as impact, it's pretty drat minor. I mean if your AD is held together with rope and ritual sacrifices, yeah, it might break something, but if you're in that situation you've got more important things to worry about.

# May 15, 2015 03:12
hihifellow posted:
> your AD is held together with rope and ritual sacrifices

A Challenger Appears! (for new thread title)

# May 15, 2015 03:46