That sounds scary.
# ? Oct 1, 2018 17:58
> GreenNight posted: That sounds scary.

Yeah. GPOs should be created as one-off configurations for collections of computers. I can't imagine a scenario that would require the creation of a bunch of identical policies.

> Gerdalti posted: Domain1 is on prem sync to O365

Set Domain2 as the primary proxyAddress in AD and let it sync up. Their UPN will still be Domain1, but they will receive e-mails to both of their addresses, and replies/new e-mails will be from the primary address. If you change the smtp addresses of the shared mailboxes you can leave them online for the users to copy at will.

The Fool fucked around with this message at 18:06 on Oct 1, 2018

# ? Oct 1, 2018 18:02
And in the event you have a bunch of domains and need to apply similar policies across them, just create GPOs on one domain and export them.
# ? Oct 1, 2018 18:05
Yeah, you can do it. I have to bulk edit a bunch of GPOs several times a year. Even managed to automate the check in/out/deploy process when using AGPM. A couple of things to look out for: you'll need to track down the registry values for the settings you want (download the Excel sheet), and then there is the difference in the cmdlets between GP Preferences and regular GP (Set-GPRegistryValue and Set-GPPrefRegistryValue). You can copy, edit, link, modify permissions, etc. Should be able to do whatever you want: https://docs.microsoft.com/en-us/powershell/module/grouppolicy/?view=win10-ps

edit: Test creating them in your test environment first, or at least don't link them to an OU until you verify they're correct.

# ? Oct 1, 2018 18:10
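The bulk-edit workflow skipdogg describes, as an added example (not skipdogg's own script): back up each matching GPO, push one registry-backed policy value with Set-GPRegistryValue, and read it back to confirm. It assumes the GroupPolicy RSAT module and edit rights on the targets; the name pattern and backup path are placeholders, and the setting used is the well-known AlwaysInstallElevated hardening value.

```powershell
# Added example: bulk-apply one registry-backed policy setting to every GPO
# whose name matches a pattern, taking a backup first and verifying afterwards.
Import-Module GroupPolicy

$NamePattern = '^WKS-.*-Workstation-Security$'   # placeholder: which GPOs to touch
$BackupPath  = 'C:\GPO-Backups\{0:yyyyMMdd-HHmm}' -f (Get-Date)   # placeholder
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

# The registry-backed policy setting (this is the "download the Excel sheet" step).
# "Always install with elevated privileges" must be OFF for Windows Installer.
$Setting = @{
    Key       = 'HKLM\Software\Policies\Microsoft\Windows\Installer'
    ValueName = 'AlwaysInstallElevated'
    Type      = 'DWord'
    Value     = 0
}

$targets = Get-GPO -All | Where-Object { $_.DisplayName -match $NamePattern }
Write-Host "Matched $($targets.Count) GPO(s) for pattern $NamePattern"

foreach ($gpo in $targets) {
    # 1. Back up before changing anything (AGPM shops: check out instead).
    Backup-GPO -Guid $gpo.Id -Path $BackupPath | Out-Null

    # 2. Apply the policy value. For a Group Policy Preference item you would
    #    call Set-GPPrefRegistryValue instead; it is a different cmdlet with
    #    different semantics (Context, Action), which is the trap skipdogg mentions.
    Set-GPRegistryValue -Guid $gpo.Id @Setting | Out-Null

    # 3. Read the value back and fail loudly if it did not land.
    $check = Get-GPRegistryValue -Guid $gpo.Id -Key $Setting.Key -ValueName $Setting.ValueName
    if ($check.Value -ne $Setting.Value) {
        Write-Warning "$($gpo.DisplayName): value not applied as expected"
    } else {
        Write-Host "$($gpo.DisplayName): OK"
    }
}
```

Run it against a test domain first and keep the GPOs unlinked until the verification pass is clean, as the post advises.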
> skipdogg posted: Yeah, you can do it. I have to bulk edit a bunch of GPO's several times a year. Even managed to automate the check in/out/deploy process when using AGPM.

What is the issue that you are solving by bulk editing GPOs on a seasonal basis? Why didn't you do something like move the workstations/users to different OUs depending on the season?

# ? Oct 1, 2018 18:15
> The Fool posted: What is the issue that you are solving by bulk editing GPO's on a seasonal basis?

It's not a seasonal change, just a few times a year a new setting or something gets requested, and the way we have things structured it involves editing several dozen similar, but different, GPOs that affect workstations. I've got about 60 global sites each with their own OU structure and set(s) of workstation GPOs. Yes, I know this isn't ideal. I inherited the current AD structure when I came on board my current org via acquisition. We're changing our AD structure and streamlining GPOs (only have about 400 right now) Q1 next year, but for now it is what it is and I've got to work with what I've got. It's taken drat near 2 years to get the restructure approved. Not trying to sound defensive or anything, but poo poo here moves slow and I have 4 other departments (silos) I have to deal with every time I make any sort of AD structure change.

# ? Oct 1, 2018 18:47
> Potato Salad posted: Who is giving out socks? I need to go hit up some sock vendors!

Hopefully you found the sweet Code42 socks they were giving out. I don't know about the rest of you, but my key takeaways were that tons of major changes are 1-4 clicks away and to "just upgrade 20% of your clients which don't have known incompatibilities and then let your users test LOB apps in production." Has anyone played around with Autopilot yet?

# ? Oct 1, 2018 18:53
> The Fool posted: Set Domain2 as the primary proxyAddress in AD and let it sync up.

I think for my own sanity that's what I'm going to have to do. I was thinking I could use "Search-Mailbox" in PowerShell to do the copy of data automatically, but it's going to take ages for some of these. Now to script up the rest.

# ? Oct 1, 2018 19:00
Just keep in mind, when I said "for the users to copy at will" I meant that they won't do that and those shared mailboxes will stay online for all eternity.
# ? Oct 1, 2018 19:15
> anthonypants posted: Client certificates can also be used for authenticating to things that are not AD DS servers, such as wireless access points or websites or VPN endpoints.

Yeah, our use case for machine-based certificates is wifi and 802.1X wired authentication. We have customers where multiple agencies share the same wired switches and get diverted to different VLANs depending on which machine certificate is presented. The idea we had was no certificate means you had enough outside access to enroll a device in AzureAD/Intune, with a machine certificate coming down to point it in the right direction after that. That requires a machine certificate though. You can actually still do wifi with a user certificate (when you can deploy through Intune using a connector), but it means you can only log in with cached credentials as you lose the connection when you log out.

# ? Oct 1, 2018 22:32
https://techcommunity.microsoft.com...ing/ba-p/264460
# ? Oct 3, 2018 14:54
It doesn't have the ability to use scripts in requirements? Seems like that severely limits use cases.
# ? Oct 3, 2018 17:45
You can kick a script off as part of the install routine: https://www.petervanderwoude.nl/post/deploy-customized-win32-apps-via-microsoft-intune/

# ? Oct 3, 2018 19:22
But won't it still require full download of content? So I want to patch existing installs of an app in my environment. If I'm understanding correctly, I have my patch file, I have my custom script that says run the patch if I detect an existing install. Every single machine then has to download all content just to determine that they probably don't need to install. In SCCM terms they made something closer to packages than app models. In good news the Intune powershell modules are awesome.
# ? Oct 3, 2018 21:21
Looks like the detection rules might allow you to evaluate whether something is installed before patching; it's early days for the product. I'm just glad I can deploy stuff without having to shove a zip file into Azure storage and use PowerShell to download it, unzip to a temp location, kick the installer off and then clean up again.

# ? Oct 3, 2018 21:25
So I updated our image to 1809 but I can't for the life of me figure out how to remove Game Bar and Your Phone from the Start menu. I tried powershell removal, but there is nothing for the game bar there and removing the your phone app doesn't actually remove it from the Start menu. Anyone figure this out?
# ? Oct 4, 2018 13:11
Piloting LAPS to the IT department computers before applying it to the entire company. I am also piloting with a few workstations a GPO that wipes out the local admin group every refresh, then re-adds local admin, domain admins, and an LA_%Computername% AD group. To get local admin to a workstation, you’ll eventually have to get that access through an AD security group. I’m also going to tie this in with servicenow orchestration so when a computer inventory record is assigned to a user, it kicks off a process that automatically adds the user to the LA_ group for that computer.
# ? Oct 4, 2018 21:53
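The per-computer LA_ group scheme devmd01 describes, as an added example (not devmd01's tooling): create a missing LA_<computer> group for every workstation, flag groups whose computer no longer exists, and report who currently holds local admin through them. It assumes the ActiveDirectory RSAT module; the OU paths and prefix are placeholders for the poster's own layout.

```powershell
# Added example: maintain one LA_<computer> security group per workstation
# and audit the result, so local admin is only ever granted via AD group membership.
Import-Module ActiveDirectory

$WorkstationOU = 'OU=Workstations,DC=corp,DC=example'     # placeholder
$GroupOU       = 'OU=LocalAdminGroups,DC=corp,DC=example'  # placeholder
$Prefix        = 'LA_'

$computers = Get-ADComputer -SearchBase $WorkstationOU -Filter * | Select-Object -ExpandProperty Name
$groups    = Get-ADGroup -SearchBase $GroupOU -Filter "Name -like '$Prefix*'" -Properties Description

# 1. Create a group for any workstation that does not have one yet. The GPO that
#    rebuilds the local Administrators group each refresh references this name.
foreach ($name in $computers) {
    $groupName = "$Prefix$name"
    if (-not ($groups | Where-Object Name -eq $groupName)) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
            -Path $GroupOU -Description "Local Administrators on $name (managed by inventory workflow)"
        Write-Host "Created $groupName"
    }
}

# 2. Flag groups whose computer object is gone. They grant nothing today, but an
#    orphaned group is where stale admin access hides until the hostname is reused.
foreach ($g in $groups) {
    $computerName = $g.Name.Substring($Prefix.Length)
    if ($computers -notcontains $computerName) {
        Write-Warning "Orphaned group $($g.Name): no computer '$computerName' under $WorkstationOU"
    }
}

# 3. Audit: who holds local admin anywhere via these groups, most-privileged first.
$groups | ForEach-Object {
    $members = Get-ADGroupMember -Identity $_ -Recursive | Select-Object -ExpandProperty SamAccountName
    [pscustomobject]@{
        Group       = $_.Name
        MemberCount = @($members).Count
        Members     = (@($members) -join ', ')
    }
} | Where-Object MemberCount -gt 0 | Sort-Object MemberCount -Descending | Format-Table -AutoSize
```

Pairing the audit output with the ServiceNow assignment the post mentions lets you spot a group whose members no longer match the inventory record.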
> GreenNight posted: So I updated our image to 1809 but I can't for the life of me figure out how to remove Game Bar and Your Phone from the Start menu. I tried powershell removal, but there is nothing for the game bar there and removing the your phone app doesn't actually remove it from the Start menu. Anyone figure this out?

I'm assuming these will be Enterprise-only features again.

# ? Oct 5, 2018 10:24
> GreenNight posted: So I updated our image to 1809 but I can't for the life of me figure out how to remove Game Bar and Your Phone from the Start menu. I tried powershell removal, but there is nothing for the game bar there and removing the your phone app doesn't actually remove it from the Start menu. Anyone figure this out?

Can't you use the Import-StartLayout command to set the default start menu for a computer?

> devmd01 posted: Piloting LAPS to the IT department computers before applying it to the entire company.

So you're planning to create an AD group for every computer account in the company? This seems like one of these cases where you should probably take a step back and reevaluate if what you're doing really makes sense.

# ? Oct 5, 2018 15:56
It’s a hell of a lot better than putting Domain Users in local admins like we do now! Yeah.
# ? Oct 5, 2018 16:11
Have you looked at Just Enough Admin? It's a powershell tool from MS that sets up specific principals with greater-than-user, less-than-admin perms that can meet the needs of many "Hey I need admin pls" cases. Then again, devs that need admin....need admin. Usually, though, an .\Administrator password cycler is the right way to go as you can conditionally MFA and audit each and every release of credentials.
# ? Oct 5, 2018 16:11
> peak debt posted: Can't you use the Import-Startlayout command to set the default start menu for a computer?

I'm not talking about the tiles. The start menu itself. We use a custom xml file for the tiles.

# ? Oct 5, 2018 17:04
Eh, is Server 2019 in the VLSC site? If so, what did they name it?

# ? Oct 6, 2018 08:14
So I've never successfully set up RADIUS authentication from scratch for wireless clients, but in the near future I'm going to need to make it work for something like 25-30 WAPs (Ruckus) which use their cloud-based controller for management. I have two (and a half) questions:

1. Does anyone know of a good guide for setting up the Windows side for authentication?
2. How do I tell the server that the WAPs are cool? Previously I've done this by putting the IP address of a WAP in the server. With this cloud console you can't tell a WAP what to use as an IP, so if I want to set it statically I'd have to create like 25-30 DHCP reservations. Is there an easier/better way?

# ? Oct 6, 2018 13:15
Specify the management VLAN you want the WAPs to use and then whitelist this subnet on your RADIUS server.

# ? Oct 6, 2018 13:42
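The subnet whitelist Thanks Ants suggests, as an added example (not Thanks Ants' configuration): on a Windows NPS server, register the WAP management subnet as one RADIUS client with a generated shared secret, and warn if that subnet is not private address space. It assumes the NPS role is installed locally; the client name and subnet are placeholders.

```powershell
# Added example: one NPS RADIUS client entry covering the whole WAP management VLAN,
# so every access point that lands in that subnet is trusted without per-IP entries.
Import-Module NPS

$ClientName = 'Ruckus-WAP-Mgmt'   # placeholder
$Subnet     = '10.20.30.0/24'     # placeholder: the management VLAN handed to the WAPs

function Test-Rfc1918 {
    # True when the network part of a CIDR string falls in 10/8, 172.16/12 or 192.168/16.
    param([Parameter(Mandatory)][string]$Cidr)
    $ip = [System.Net.IPAddress]::Parse($Cidr.Split('/')[0]).GetAddressBytes()
    ($ip[0] -eq 10) -or
    ($ip[0] -eq 172 -and $ip[1] -ge 16 -and $ip[1] -le 31) -or
    ($ip[0] -eq 192 -and $ip[1] -eq 168)
}

function New-SharedSecret {
    # 64-character alphabet so byte % 64 introduces no modulo bias; CSPRNG-backed.
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

if (-not (Test-Rfc1918 $Subnet)) {
    Write-Warning "$Subnet is not RFC 1918 space; a WAP management VLAN normally should be"
}

$secret = New-SharedSecret
# NPS accepts an address range here, so one client entry covers every WAP in the VLAN.
New-NpsRadiusClient -Name $ClientName -Address $Subnet -SharedSecret $secret | Out-Null

# Show the secret once so it can be pasted into the Ruckus cloud console; NPS keeps
# its own copy and Get-NpsRadiusClient does not return it afterwards.
Write-Host "Shared secret for $ClientName (enter it in the WAP controller now): $secret"
Get-NpsRadiusClient -Name $ClientName
```

The same shared secret is shared by every WAP in the range, so rotate it by re-running the script and updating the controller in the same change window.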
> Thanks Ants posted: Specify the management VLAN you want the WAPs to use and then whitelist this subnet on your RADIUS server

This answer is so simple that I never would have thought of it. I'll give the WAPs their own management VLAN. Thanks Thanks Ants!

# ? Oct 7, 2018 14:58
Possibly even look at RFC 1918 for management networks.
# ? Oct 7, 2018 15:04
Couple of questions:

1) School I work at has a lot of iPads and we're potentially moving to Intune for Education. Everything is done except the WiFi profile. The WiFi uses RADIUS, but I can't seem to see anywhere to enter static credentials on the portal. I've read some docs about SCEP and other certs, but that sounds massively engineered. Before you ask whether I can just set up a separate WPA2 network because the login is static: the school filtering system uses RADIUS to authenticate and thus manage access.

2) A client has a mailbox mailbox@domain.com and alias@domain.com. They want these separated so they just set alias@domain.com on their phone. These are Office 365 accounts. My current thought is to make mailbox@domain.com a shared mailbox, and alias@domain.com their primary mailbox? Is that the right way to go about this?

# ? Oct 12, 2018 15:42
> Fruit Smoothies posted: Couple of questions

If you are using static credentials, and not a certificate or user-based credentials, then why use RADIUS at all? Just have a WPA2 key that is static on all of the iPads. If you want to use RADIUS and have static credentials programmed on all of the devices, you are using RADIUS wrong IMHO.

EDIT: Someone pointed out to me that you might not have a choice to use RADIUS. From what I remember, you can accomplish setting this key with Intune.

Beefstorm fucked around with this message at 21:05 on Oct 12, 2018

# ? Oct 12, 2018 20:40
> Beefstorm posted: If you are using static credentials, and not a certificate, or user based credentials, then why use RADIUS at all? Just have a WPA2 key that is static on all of the iPads.

The RADIUS does use AD user-based credentials, because the majority of non-iPad devices using the WiFi will authenticate with their AD credentials. The iPads are for very young kids who just need filtered internet. We don't need to confuse them with shared iPads. We just want a way of setting the relevant AD username/password in Intune so they don't have to worry about it. Apple Server's Profile Manager allows for this very scenario.

# ? Oct 12, 2018 21:34
> Fruit Smoothies posted: The RADIUS does use AD user based credentials, because the majority of non-ipad devices using the WiFi will authenticate with their AD credentials. The iPads are for very young kids who just need filtered internet. We don't need to confuse them with shared ipads. We just want a way of setting the relevant AD username / password in Intune so they don't have to worry about it. Apple Server's Profile manager allows for this very scenario.

Ah. Then what you want is a Device Enrollment Manager. This should get you started: https://docs.microsoft.com/en-us/intune/device-enrollment-manager-enroll

EDIT: Hmmmm. Maybe this isn't the solution you want.

> Microsoft posted: (iOS only) If you use DEM to enroll iOS devices, you can't use the Apple Configurator, Apple Device Enrollment Program (DEP), or Apple School Manager (ASM) to enroll devices. This means that you can't put the device in supervised mode and thus won't have access to some configuration options.

That seems like a really important component to the whole thing...

Beefstorm fucked around with this message at 22:55 on Oct 12, 2018

# ? Oct 12, 2018 22:53
> Beefstorm posted: Ah. Then what you want is a Device Enrollment Manager.

Yeah, that sounds a bit crazy. Any ideas on using certificates? I've never set up RADIUS to be handled in that way, rather than AD credentials. It seems like Intune supports it in some way....

# ? Oct 15, 2018 15:52
"Windows Server Standard" in VLSC is the semi-annual channel, correct? So it goes from Server 2016 to 2019 to 2022 via Windows Update? Anyone using it in production? I am thinking of using it for my Hyper-V hosts.

# ? Oct 20, 2018 10:15
That's the Long-Term Servicing Channel. SAC is the one that updates twice a year, you need Software Assurance for, and only offers the Server Core install. We've been gradually rolling out 2016 LTSC this year and haven't had any significant issues.
# ? Oct 21, 2018 15:17
Sorry, I'm a bit confused. "Windows Server Standard" IS SAC, no? And with SAC you upgrade automatically from 2016 to 2019 via updates. Windows Server 2016 would be LTSC. Has anyone had experience with SAC in production?

# ? Oct 22, 2018 18:16
This Microsoft blog article explains it pretty well: https://blogs.technet.microsoft.com/kammertime/2018/07/13/servicing-channels-explained/ Windows Server SAC is basically for containers where you can redeploy containerized apps quickly, instead of using in place upgrades. It also only comes in Server Core and Nano (if that's still alive). It's not a good Hyper-V host and MS says you shouldn't do it.
# ? Oct 22, 2018 19:09
Hi, my firm bought Microsoft 365 to cover all user desktops/laptops. Does anyone have experience with the Windows part? We have SCCM and AD up and running on our site and my Win server team is heavily biased toward having all the core services on site rather than on Azure. Is there any way to just get a KMS key out of this package, or do I have to migrate my GPOs to Azure/Intune and relocate all my clients to Azure AD?

# ? Nov 1, 2018 08:51
Azure AD isn't Active Directory. At all. You need to watch a lot of videos on AD, ADFS, and AAD.
# ? Nov 1, 2018 14:59
With respect to kms, what are you wanting to accomplish?
# ? Nov 1, 2018 15:01
> Potato Salad posted: With respect to kms, what are you wanting to accomplish?

All of our machines are either on Win 7 Pro or Win 10 Pro. My higher-ups made the call that Microsoft 365 would be cheaper than Office 2016 with SA and Win 10 Ent upgrade with SA. Sadly I have no loving idea how to get keys to install the OS without resorting to enrolling the newly formatted PC into Azure AD and having it fetch the key from the Azure AD DNS volume licensing (meaning it won't get our local AD GPO settings).

# ? Nov 1, 2018 16:53