|
This is what I did...and yet it still haunts me. Maybe I have no choice but to get support involved.
|
# ? Jul 28, 2018 18:06 |
|
|
snackcakes posted:This is what I did...and yet it still haunts me. Maybe I have no choice but to get support involved. Do yourself the favor: the second you put in a ticket via the web and get called, tell them you want INTUNE support and to transfer. Or if you're an enterprise customer, don't waste time and just select the Intune group and wait.
|
# ? Jul 28, 2018 19:40 |
|
In a Windows domain, is it necessary to configure the 'Configure Windows NTP Client' GPO for time syncing? Or will domain-joined devices automatically seek out the DC with the PDC role for time?
|
# ? Jul 30, 2018 16:00 |
|
Spring Heeled Jack posted:In a Windows domain, is it necessary to configure the 'Configure Windows NTP Client' GPO for time syncing? Or will domain-joined devices automatically seek out the DC with the PDC role for time? Devices will automatically sync with the DC hierarchy (i.e. a DC in their AD site). By default, the DCs all sync back to the Infrastructure Master (I think), which should be configured to sync externally.
|
# ? Jul 30, 2018 16:13 |
|
Spring Heeled Jack posted:In a Windows domain, is it necessary to configure the 'Configure Windows NTP Client' GPO for time syncing? Or will domain-joined devices automatically seek out the DC with the PDC role for time? I recommend utilizing the GPO for the PDC to sync externally; don't just configure it on the machine itself. That's my opinion anyway. To answer your question though, all domain machines (except the PDC itself) will sync back to the PDC. By default the PDC will sync to the CMOS clock or (if the PDC is a Hyper-V VM) if you have Integration Services running it will sync to the host's CMOS (I think, or just the host itself; I forget how Integration Services works because we shut it off).
|
# ? Jul 30, 2018 16:19 |
|
Cool, thanks guys, that is what I suspected but wanted to be sure. We're using some DR software and we have the NTP server for domain devices hardcoded via GPO. I aim to remove that and set the external NTP servers for the active PDC via GPO and WMI filtering.
|
# ? Jul 30, 2018 16:41 |
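The approach the last few posts converge on (domain members follow the DC hierarchy, only the PDC emulator points at external NTP, and the GPO that does so is WMI-filtered to whichever DC holds the role) is easy to get subtly wrong and hard to see from one machine. The script below is an added example, not code from the thread: it audits every DC's time source and prints the WMI filter and w32tm settings that the "external NTP" GPO should carry. It assumes the RSAT ActiveDirectory module is installed, that the account running it can query w32tm remotely on the DCs (RPC allowed through the firewall), and that the external peers are the public pool (swap in your own). The host names and peers are placeholders.

```powershell
# Added example (not from the thread): audit the Windows Time hierarchy in a domain
# and show the GPO pieces that make the PDC emulator sync externally.
# Assumes: RSAT ActiveDirectory module, remote w32tm queries permitted on the DCs.
Import-Module ActiveDirectory

function Get-W32tmSource {
    param([Parameter(Mandatory)][string]$ComputerName)
    # w32tm prints the current time source on a single line, e.g. "dc01.corp.example"
    # or "Local CMOS Clock"; capture stderr too so an RPC failure is visible.
    (w32tm /query /source /computer:$ComputerName 2>&1 | Out-String).Trim()
}

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

"PDC emulator is currently: $pdc"
foreach ($dc in $dcs) {
    $src  = Get-W32tmSource -ComputerName $dc
    $role = if ($dc -ieq $pdc) { 'PDC' } else { 'DC ' }
    $warn = ''
    # The PDC should report an external NTP server. "Local CMOS Clock",
    # "Free-running System Clock" or the Hyper-V "VM IC Time Synchronization Provider"
    # on the PDC means nobody pointed it externally, which is the default the thread warns about.
    if ($dc -ieq $pdc -and $src -match 'CMOS|Free-running|VM IC') {
        $warn = '   <-- PDC emulator is NOT syncing to an external source'
    }
    # Every other DC should list another DC (domain hierarchy), not an external peer.
    if ($dc -ine $pdc -and $src -notmatch ($domain.DNSRoot -replace '\.', '\.')) {
        $warn = '   <-- non-PDC DC not following the domain hierarchy'
    }
    '{0} {1,-35} source: {2}{3}' -f $role, $dc, $src, $warn
}

# WMI filter to attach to the external-NTP GPO so it follows the role if it is
# ever transferred or seized. DomainRole 5 = "primary domain controller" (PDC emulator).
$pdcWmiFilter = 'SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 5'
"WMI filter for the PDC GPO: $pdcWmiFilter"
# Sanity-check the filter from the machine you are on (expect a row only on the PDC):
Get-CimInstance -Query $pdcWmiFilter | Select-Object Name, DomainRole

# What that GPO ("Configure Windows NTP Client") should set, expressed as the equivalent
# w32tm command if you need to test by hand on the PDC before policy lands.
# 0x8 = client mode; /reliable:yes advertises the PDC as a reliable time source to the hierarchy.
# The GPO will overwrite these values on the next refresh, which is the point of using the GPO.
$peers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8'   # placeholder peers
"Manual equivalent on the PDC:`n  w32tm /config /manualpeerlist:`"$peers`" /syncfromflags:manual /reliable:yes /update`n  w32tm /resync"
```

Run it again after moving the PDC emulator role: the first line should show the new holder, the WMI filter should now match on that DC, and the old holder should fall back to a DC source after the next policy refresh.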
|
JackDRipper posted:Do yourself the favor, the second you put in a ticket via the web and get called, tell them you want INTUNE support and to transfer . Or if your enterprise customer don't waste time and just select the intune group and wait. The Intune team hasn't been all that helpful. Apparently since I joined the computer to Azure AD with my admin account that doesn't have an Intune license it's just going to apply Hello to the computers anyway. For that matter, they tell me that I have to talk to another team to get Hello disabled for these computers because the damage is done. So far, really loving Azure AD
|
# ? Jul 30, 2018 22:58 |
|
The best way to avoid what you've done is to set up Azure AD so that people can't do an Azure AD Join unless they are in a group that also has an EM+S / Intune (there's no point having Intune without Azure AD Premium really, which costs more than EM+S so just buy that) license. It's MDM first and foremost - it's not a service where you can exert heavy-touch admin control over a locked-down workstation like you can with AD+GPO. I think you're probably approaching this with the wrong idea of what Intune is and it's going to frustrate you each time you find out that your preconceptions aren't accurate.
|
# ? Jul 30, 2018 23:03 |
|
Thanks Ants posted:The best way to avoid what you've done is to set up Azure AD so that people can't do an Azure AD Join unless they are in a group that also has an EM+S / Intune license. Thanks, I honestly have no idea what Intune is. All I wanted was for users to log into Windows with their Office 365 credentials. I had no idea I would be greeted at every workstation with the requirement of entering a PIN. I'll keep that in mind for the future though. For now I'm just going to have to hit local group policy on each machine since that seems to be the fix.
|
# ? Jul 30, 2018 23:17 |
|
Testing out using Intune to manage some iOS devices, after our deployment of Android devices went...not so well. Have a wifi-only iPad enrolled in Intune. It's in a group, it's checking in, it's getting policies applied; so far so good. Decided that I'd test out lost mode to see how it works. Initiate lost mode on the iPad using the Intune dashboard, get a message saying that it's "pending". About 5 minutes go by and the iPad goes into lost mode, Intune dash still shows "pending", hmmm. Since I'm testing stuff out and seeing what breaks, a few minutes later I restart the iPad, just for shits and giggles. Bad move. The iPad has restarted but now it won't connect to wifi. Since it won't connect to wifi, it can't report back to Intune that the initiate lost mode command completed, so Intune still shows "pending". Since it's pending, I can't disable lost mode. Had not yet signed into iCloud on it, so can't disable it that way. Tried plugging it into a Mac with Configurator 2 installed, it doesn't even show up. Oh well, guess she's ded, learn from my mistakes people.
|
# ? Jul 31, 2018 23:42 |
|
That sounds like an entire load of fail and I'm sorry, my dude. For company-owned devices I wouldn't mess with anything less than authorized Apple reseller -> Apple DEP -> your MDM. Was it a company-bought iPad? Try Apple's new Business Manager portal https://business.apple.com/ to add your own devices post-purchase. Then sync your MDM with Apple DEP and activate that way, on a fresh out-of-the-box experience.
|
# ? Aug 1, 2018 00:55 |
|
incoherent posted:That sounds like an entire load of fail and I'm sorry, my dude. For company-owned devices I wouldn't mess with anything less than authorized Apple reseller -> Apple DEP -> your MDM. Was it a company-bought iPad? Try Apple's new Business Manager portal https://business.apple.com/ to add your own devices post-purchase. Thanks, I'll be working on getting DEP integrated with Intune tomorrow. I was able to get the iPad into DFU mode and restore it, so it's good to go again and lesson learned for the future.
|
# ? Aug 1, 2018 01:04 |
|
Are there any recommended steps to take to re-use a computer object in AD? We're looking at a software migration that's already complex; however, most of the changes required on our DB can be mitigated if we re-use the outgoing computer's AD computer name & IP address. If I, say, build up my new system on a brand new hostname & IP, update it, etc., and then at migration time power down the old computer and take the new computer & rename the system & reboot, will that do everything I need automatically to take over the existing computer account object in AD?
|
# ? Aug 8, 2018 00:29 |
|
I would rename the old system, shut it down, then rename the new one. If you just shut down the old system, you will have trust relationship issues if it is ever turned back on.
|
# ? Aug 8, 2018 00:44 |
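The order the reply above gives (rename the old box while it is still online, shut it down, then rename the new one into the freed name) matters because a rename done while the machine is online updates the AD object, its SPNs and its DNS record, whereas a simply powered-off machine keeps its name and machine-account password and will fail its secure channel if it ever boots again. The following is an added example, not from the thread, of that sequence in PowerShell plus the checks to run afterwards; it assumes both machines are domain-joined, reachable over WinRM/RPC, and that the caller is a domain admin. The host names, interface alias and IP details are placeholders.

```powershell
# Added example (not from the thread): hand an existing AD computer name and IP
# from an outgoing server to a freshly built replacement, in the order that keeps
# the directory consistent. Placeholders: adjust names, interface alias, IP, prefix, gateway.
$KeepName   = 'ORION01'        # the name (and AD object) you want to carry over
$NewBuild   = 'ORION01-NEW'    # temporary name of the replacement server
$RetiredAs  = 'ORION01-OLD'    # what the outgoing server becomes
$Ip         = '10.20.30.40'    # the address associated with $KeepName
$Prefix     = 24
$Gateway    = '10.20.30.1'
$Nic        = 'Ethernet'
$Cred       = Get-Credential -Message 'Domain admin used for the renames'

# 1. Rename the OUTGOING server while it is online. Because it is still on the domain,
#    the AD object, SPNs and dynamic DNS record all move to the new name.
Rename-Computer -ComputerName $KeepName -NewName $RetiredAs -DomainCredential $Cred -Force -Restart

# 2. Wait for it to come back under the retired name, confirm AD agrees, then power it off.
do { Start-Sleep -Seconds 15 } until (Test-Connection -ComputerName $RetiredAs -Count 1 -Quiet)
Get-ADComputer -Identity $RetiredAs | Select-Object Name, DNSHostName
Stop-Computer -ComputerName $RetiredAs -Credential $Cred -Force

# 3. Move the IP first (before the rename) so that when the new server re-registers
#    DNS under $KeepName it registers the address other systems already expect.
Invoke-Command -ComputerName $NewBuild -Credential $Cred -ScriptBlock {
    param($Nic, $Ip, $Prefix, $Gateway)
    Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4 | Remove-NetIPAddress -Confirm:$false
    Remove-NetRoute -InterfaceAlias $Nic -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
    New-NetIPAddress -InterfaceAlias $Nic -IPAddress $Ip -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
} -ArgumentList $Nic, $Ip, $Prefix, $Gateway

# 4. Now the name is free: rename the replacement into it. The domain join follows the
#    rename and the machine account password is set for the (re-created) object.
Rename-Computer -ComputerName $NewBuild -NewName $KeepName -DomainCredential $Cred -Force -Restart

# 5. After the reboot: verify the secure channel, SPNs and DNS all say the same thing.
do { Start-Sleep -Seconds 15 } until (Test-Connection -ComputerName $KeepName -Count 1 -Quiet)
Invoke-Command -ComputerName $KeepName -Credential $Cred -ScriptBlock {
    Test-ComputerSecureChannel -Verbose      # $true means the trust with the domain is healthy
    ipconfig /registerdns | Out-Null          # force the A/PTR records under the kept name
}
Get-ADComputer -Identity $KeepName -Properties ServicePrincipalName |
    Select-Object -ExpandProperty ServicePrincipalName
Resolve-DnsName -Name $KeepName -Type A | Select-Object Name, IPAddress

# If the OLD box is ever powered back on under its retired name it is still a valid
# domain member. If someone skipped step 1 and it boots with the original name, its
# secure channel is broken; the fix on that box (not on the new one) is:
#   Reset-ComputerMachinePassword -Server <a DC> -Credential $Cred
# or simply unjoin it to a workgroup and leave it off the domain.
```

The step-3 ordering is the piece most people get backwards: if the replacement registers DNS under the kept name while it still has the build-time IP, anything that caches the record (the SNMP pollers and network devices mentioned above included) will point at the wrong address until the TTL expires.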
|
How do you even scale an app that is looking at HOSTNAME+IP as its security mechanism?
|
# ? Aug 8, 2018 01:57 |
|
incoherent posted:How do you even scale an app that is looking at HOSTNAME+IP as its security mechanism?
|
# ? Aug 8, 2018 02:10 |
|
incoherent posted:How do you even scale an app that is looking at HOSTNAME+IP as its security mechanism? Not a security measure per se, just easier to upgrade & not have to worry about having to update the IP on other associated systems, network devices, etc (SNMP Polls, etc). The crApp is Solarwinds Orion btw.
|
# ? Aug 8, 2018 05:41 |
|
Wicaeed posted:Not a security measure per se, just easier to upgrade & not have to worry about having to update the IP on other associated systems, network devices, etc (SNMP Polls, etc). I've done this with a Solarwinds server before. It works fine.
|
# ? Aug 8, 2018 12:38 |
|
I'm sure I already know the answer to this but I'll ask anyway: Is there any easier way to migrate users/computers from one AD domain to another than using ADMT? I mean, a way that doesn't involve me throwing thousands of $$$ at consultants.
|
# ? Aug 8, 2018 17:31 |
|
Mr. Clark2 posted:I'm sure I already know the answer to this but I'll ask anyway: Is there any easier way to migrate users/computers from one AD domain to another than using ADMT? I mean, a way that doesn't involve me throwing thousands of $$$ at consultants. I've only used the profile migration tool, but this is an option: https://www.forensit.com/domain-migration.html How many users/computers are you looking at migrating? ADMT works OK, has a few gotchas. I'm fortunate that we pay for the Quest migration tool, which is really nice, but not cheap.
|
# ? Aug 8, 2018 17:45 |
|
skipdogg posted:I've only used the profile migration tool, but this is an option About 70 users/computers so not a large amount. Management here is very averse to spending money so unfortunately Quest tools are a non-starter. ADMT it is!
|
# ? Aug 8, 2018 18:22 |
|
skipdogg posted:I've only used the profile migration tool, but this is an option I've used the Forensit domain migration tool on more than one occasion. The licensed version can be automated, and it is very straightforward to use. I've never had a problem.
|
# ? Aug 8, 2018 18:27 |
|
Mr. Clark2 posted:About 70 users/computers so not a large amount. Management here is very averse to spending money so unfortunately Quest tools are a non-starter. ADMT it is! I wouldn't bother with ADMT for 70 machines. Check out the ForensIT tool. It's not expensive. 70 licenses is less than 200 dollars. You're going to spend way more than 200 dollars of your time dealing with ADMT, especially if you've never used it before.
|
# ? Aug 8, 2018 18:40 |
|
skipdogg posted:I wouldn't bother with ADMT for 70 machines. Check out the ForensIT tool. It's not expensive. 70 licenses is less than 200 dollars. You're going to spend way more than 200 dollars of your time dealing with ADMT, especially if you've never used it before. While this makes perfect sense to both you and me, it won't make sense to the higher-ups around here. They somehow think that labor is free. I forgot to mention that the source domain is SBS2008, so I'm expecting this to be a total shitshow.
|
# ? Aug 8, 2018 18:48 |
|
Mr. Clark2 posted:While this makes perfect sense to both you and me, it won't make sense to the higher-ups around here. They somehow think that labor is free. I forgot to mention that the source domain is SBS2008, so I'm expecting this to be a total shitshow. "We already pay your salary, so you doing it is essentially free labor." [Edit: Not trying to be snarky, but just as a general FYI there is a small business thread for those of us stuck in that hell-world. https://forums.somethingawful.com/showthread.php?threadid=3723832 ]
|
# ? Aug 8, 2018 21:46 |
|
I posted this in the small shop thread as well, but thought I might get more bites here: I'm struggling with a WDS/MDT deploy setup. I have everything configured; captures work great, domain join parameters with custom computer names, custom driver sets based on model, etc. But. Now that I have the domain join set up properly, the deployment fails. The image is installed, and the computer reboots from Litetouch to Windows. Windows has disabled the local admin account, which means the install script doesn't continue unless I boot into safe mode, enable local admin, reboot, and then manually continue it. I read that this could be a GPO issue, so I created a new OU for the domain join script, disabled GP inheritance, made sure the admin user is enabled via GP, etc. Same thing. I just rejoined my image PC to AD, moved it to the blocked-inheritance OU, updated group policy, unjoined AD, and kicked off another capture. I'll test another deploy when it's done. Any suggestions???
|
# ? Aug 10, 2018 15:17 |
|
Where is the default admin account getting disabled? That's not default behavior, so it's something in your implementation. If it's in the task sequence that step needs to be moved to the end. If it's a gpo, it's possible the gpo is getting applied and then removed. In which case you would need a separate gpo for your deployment ou to re-enable the account. You may need an extra gpupdate in there to get it to apply before you restart.
|
# ? Aug 10, 2018 16:28 |
|
The Fool posted:Where is the default admin account getting disabled? I think it's happening during the os install step. Image computer has the account enabled, autologin turned on. I deploy, pxe boot into Litetouch. Select the deployment, and after it finishes pushing the image, admin is disabled. I do have the domain join stuff in customsettings, so I think it does some sort of domain join during that phase? But the OU it's going into has explicit "enable admin" and "disable ctrl-alt-del to login" policies set. I may try switching back to work group and domain join manually to see if that's where the issue is.
|
# ? Aug 10, 2018 16:52 |
|
Gerdalti posted:I think it's happening during the os install step. Are you doing something weird with unattended.xml? Also, you can insert a suspend task in your deployment so that you can check settings and log files before the deployment finishes. https://blogs.technet.microsoft.com/mniehaus/2009/06/26/mdt-2010-new-feature-3-suspend-and-resume-a-lite-touch-task-sequence/
|
# ? Aug 10, 2018 17:22 |
|
The Fool posted:Are you doing something weird with unattended.xml? I haven't actually messed with unattended.xml at all, it's just doing its own default stuff. Though I'm really starting to suspect something in my "Rules" is throwing it off. Edit: I just poked around in unattended.xml, all looks fine there. "net user administrator /active:yes" etc. The suspend task looks helpful, but this is all happening between the Install and Postinstall steps, and it only works in the State Restore sequence. code:
Gerdalti fucked around with this message at 19:10 on Aug 10, 2018 |
# ? Aug 10, 2018 17:45 |
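The replies above narrow the question to "who disabled the built-in Administrator, and when": a task sequence step, a GPO that applied during the deployment, or the unattend settings. Windows Setup itself disables the built-in Administrator once OOBE completes unless the unattend re-enables it, so the thing to establish on the stuck machine is which of those three is winning. The script below is an added example, not from the thread, to run from an elevated prompt on the deployed box (in safe mode, as the poster did, or as a "Run Command Line" step). It assumes the default MDT log location during deployment and that the account has not been renamed in a way that breaks the SID lookup; the paths are the MDT defaults rather than anything taken from the poster's configuration.

```powershell
# Added example (not from the thread): triage "built-in Administrator is disabled after
# the Litetouch reboot" on the deployed machine itself. Run elevated.
# Assumes MDT default log path C:\MININT\SMSOSD\OSDLOGS while a deployment is in progress.

# 1. Find the real built-in admin by RID 500 (works even if it was renamed) and report state.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
"Built-in admin account '{0}': Enabled={1}, LastLogon={2}" -f $builtin.Name, $builtin.Enabled, $builtin.LastLogon

# 2. Effective local security policy. 'EnableAdminAccount = 0' under [System Access] means
#    a security template or the GPO setting "Accounts: Administrator account status = Disabled"
#    is being applied; that setting is re-applied on every policy refresh, so enabling the
#    account by hand will not stick until the policy is fixed.
$cfg = Join-Path $env:TEMP 'secpol-export.cfg'
secedit /export /cfg $cfg | Out-Null
Select-String -Path $cfg -Pattern '^EnableAdminAccount' | ForEach-Object { "Local security policy: " + $_.Line }

# 3. Which GPOs actually applied to the computer? Anything from outside the staging OU
#    means "block inheritance" is not covering it (Enforced GPOs still come through).
"Applied computer GPOs:"
gpresult /r /scope computer 2>&1 |
    Select-String -Pattern 'Applied Group Policy Objects' -Context 0,12 |
    ForEach-Object { $_.Line; $_.Context.PostContext }

# 4. Was the machine already domain-joined when the account was disabled? The domain join
#    happening in the Install phase is what pulls domain policy in before State Restore.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"PartOfDomain={0} Domain={1}" -f $cs.PartOfDomain, $cs.Domain

# 5. MDT's own record of the run: any step that touched the account, and the last errors.
$logs = 'C:\MININT\SMSOSD\OSDLOGS'
if (Test-Path $logs) {
    Get-ChildItem -Path $logs -Filter '*.log' |
        Select-String -Pattern 'administrator', 'net user', 'error' -SimpleMatch |
        Select-Object -Last 30 Filename, LineNumber, Line
} else {
    "No in-progress MDT logs at $logs (after a completed deployment they move to C:\Windows\Temp\DeploymentLogs)"
}

# 6. Unblock this deployment in place, then let the task sequence carry on.
#    If step 2 showed EnableAdminAccount = 0, this is temporary until the GPO is corrected.
Enable-LocalUser -Name $builtin.Name
gpupdate /force /target:computer | Out-Null
```

If step 2 prints `EnableAdminAccount = 0` and step 3 lists a GPO from above the staging OU, the fix is the one suggested earlier in the thread: a GPO linked to the deployment OU that sets the account status to Enabled, with an extra `gpupdate` before the reboot. If step 2 prints `1` and the account is still disabled, the culprit is in the task sequence or unattend rather than policy.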
|
Windows doesn't like passwords that are five asterisks in a row. Please select another password and try again. ____________________ Please remember to mark my replies as answers if they help. Tom MSCE 1,627 Points
|
# ? Aug 10, 2018 19:52 |
|
Potato Salad posted:Windows doesn't like passwords that are five asterisks in a row. Please select another password and try again. For a second I thought I was reading a serious reply, that's how conditioned I am by technet.
|
# ? Aug 10, 2018 21:22 |
|
Potato Salad posted:Windows doesn't like passwords that are five asterisks in a row. Please select another password and try again. Is there a unicode character that looks like asterisk? The password doesn't have to actually be 5 asterisks, but it at least needs to look like it to my boss.
|
# ? Aug 11, 2018 02:30 |
|
Has anybody got phone sign-in working with Azure AD? I've got the Authenticator app installed, I have the icon next to my account, but the thing just acts like normal 2FA and sends me a push notification.
|
# ? Aug 13, 2018 21:27 |
|
I don't know if this is the right place, but I work at a small charity which has recently moved all our stuff to SharePoint. It works well and there aren't any problems. However, it does mean that we're now running a small server in a room solely for our landline phones; I think the software is some form of Asterisk. We would like to reclaim that room as we don't have much space, but we still need to be able to use our phones. Can anyone point me in the right direction of being able to start researching running this stuff in the cloud, or let me know if that's even possible?
|
# ? Aug 13, 2018 21:30 |
|
Sri.Theo posted:I don't know if this is the right place, but I work at a small charity which has recently moved all our stuff to SharePoint. It works well and there aren't any problems. Your ISP probably has some kind of service where they do all of that for you. Unless you're in a country that has Calling Plans: https://docs.microsoft.com/en-us/skypeforbusiness/what-are-calling-plans-in-office-365/what-are-calling-plans-in-office-365 I think you can make that work without a PBX, but voice is not my expertise. In any case your ISP should be the best place to ask that; you usually just pay them per DDN. Now, a question. Do you guys know if there's any registry entry on devices with an SCCM agent that tells us the last successful connection to the SCCM server and the last successful hardware inventory cycle?
|
# ? Aug 14, 2018 09:30 |
|
Thanks for that; turns out BT does have something, just got to work out the cost of that, which is charged monthly, versus our server, which is actually working fine...
|
# ? Aug 14, 2018 16:02 |
|
Thanks Ants posted:Has anybody got phone sign-in working with Azure AD? I've got the Authenticator app installed, I have the icon next to my account, but the thing just acts like normal 2FA and sends me a push notification. Do you still have to type your password? The push notification/biometric auth should replace that.
|
# ? Aug 14, 2018 17:18 |
|
Yeah it should, but it doesn't. Had confirmation back from the Azure AD team that the feature hasn't been released yet, they were just a bit quick off the mark with their documentation.
|
# ? Aug 14, 2018 17:46 |
|
|
incoherent posted:How do you even scale an app that is looking at HOSTNAME+IP as its security mechanism? You could probably get clever with a load balancer in front of it. FT on a VM if you don't need to scale beyond single VM/FT limits any time soon.
|
# ? Aug 14, 2018 18:06 |