Mierdaan
Sep 14, 2004



Pillbug

BangersInMyKnickers posted:

I was more asking to make sure you didn't have some old NT4 controllers sitting around or something weird like that. Kerberos is what you should be authenticating with in a domain unless you are going by the IP instead of hostname, the other machine isn't on the domain, or your ports aren't open right. Then it will default down to NTLM or LM. Any of those apply to you?

Nope


peak debt
Mar 10, 2001
b& :(

Nap Ghost

BangersInMyKnickers posted:

It looks like the name key is what we want to go by. So lets make a WQL statement.
code:
select * from Win32_Product where Name != "Symantec Antivirus"
That will pull down the Win32_Product class (table) and so long as none of the records match the name Symantec Antivirus, the WMI filter will evaluate as true and Nod32 will be installed. If it evaluates as false because the product is still there, the policy doesn't get applied and nothing is installed. To test your queries, you can use the CIM Studio tool that is installed or just make a test policy, attach the WMI filter to it, and then run group policy modeling against accounts that you should know the result of and see if everything works there.

Actually this isn't how it works. Whether there is any product named Symantec Antivirus installed or not, that query will always return the products that aren't named like that. The only situation where that query would return false is if there isn't any software other than Symantec Antivirus installed.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



RonaldMcDonald posted:

Actually this isn't how it works. Whether there is any product named Symantec Antivirus installed or not, that query will always return the products that aren't named like that. The only situation where that query would return false is if there isn't any software other than Symantec Antivirus installed.

Yep, you're right. I was working off some old notes and that was one of my failed attempts while I was starting out. I ended up deleting the filter I made a while ago and I can't remember exactly how I did it any more. There is a limitation between WQL and WMI filtering: because WMI filtering will only execute on a true statement and WQL will only return False if it didn't find something and you can't invert that behavior, you are kinda screwed if you are trying to return "True" for not finding something on a WQL statement. I believe what I ended up doing was making one policy that had a WMI filter to check for 'select * from Win32_Product where Name = "Symantec Antivirus"' and then execute an attached batch script to remove SAV, and then a separate install policy for Nod32 that ran off a batch script to check for the Symantec service and install Nod if it wasn't detected. Once all the Symantec clients were removed I ended up deleting those old policies and just making a normal deployment one for Nod.
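Added example (not from any post in the thread): a test script that evaluates candidate WQL queries the way the Group Policy engine evaluates a WMI filter, which is the point of the exchange above. A filter is TRUE when the query returns at least one instance and FALSE when it returns none; there is no NOT EXISTS, so "Name != x" is true on every machine that has anything else installed. It checks the Symantec service rather than Win32_Product, as the later batch-script approach did, because enumerating Win32_Product makes Windows Installer run a consistency check (and possible repair) of every installed package, which is slow and noisy on a domain controller's policy evaluation. It also tries the "XP 32-bit only" filter that comes up later in the thread: XP x64 reports version 5.2 (the Server 2003 kernel), so version 5.1 plus ProductType 1 (workstation) matches only 32-bit XP. The service name is a placeholder; read the real one with sc query on a box that still has the client. wmic is the built-in WMI command line on XP SP2+/2003/Vista.

```batch
@echo off
setlocal
rem Added example, not from the thread. Evaluates a WQL filter the way the
rem Group Policy engine does: TRUE when the query returns one or more
rem instances, FALSE when it returns none. Run it on a test workstation.

rem Placeholder service name (assumption); substitute the AV client's real one.
set "SVC=Symantec AntiVirus"

echo.
echo Filter A - true only when the service exists. Good for an uninstall policy.
call :EvalFilter Win32_Service "Name='%SVC%'"

echo.
echo Filter B - true on every machine that has ANY other service, so it can
echo never mean "Symantec is not installed".
call :EvalFilter Win32_Service "Name!='%SVC%'"

echo.
echo Filter C - 32-bit XP only. XP x64 is version 5.2, so 5.1.2600 plus
echo ProductType 1 (workstation, not server or DC) is what you want. A
echo production filter would normally write this as Version LIKE "5.1%%".
call :EvalFilter Win32_OperatingSystem "Version='5.1.2600' AND ProductType=1"
goto :EOF

:EvalFilter  <class> <where-clause>
set "CLASS=%~1"
set "WHERE=%~2"
rem "/value" prints a "Name=..." line per matching instance and nothing on
rem stdout when there is no match, so "find" sets ERRORLEVEL 1 for an empty
rem result, which is exactly the FALSE case of the WMI filter.
wmic path %CLASS% where "%WHERE%" get Name /value 2>nul | find "Name=" >nul
if errorlevel 1 (
    echo   SELECT * FROM %CLASS% WHERE %WHERE%   =^>  FALSE, policy NOT applied
) else (
    echo   SELECT * FROM %CLASS% WHERE %WHERE%   =^>  TRUE, policy applied
)
goto :EOF
```

Run it once on a machine that still has the old client and once on a clean one: Filter A flips between the two, Filter B stays TRUE on both, which is the behaviour the posts above describe and the reason the "not installed" test ended up in a startup script, where negation is available.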

NotYella
Nov 27, 2002
drunk jackass

With the vista gpmc, I can push any key I want to an OU affected by that policy, for instance having everyone's workstation automagically populate HKCU/Software/Microsoft/blablah/somekey with the value I need it to have? If so, that's pretty much awesome.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



NotYella posted:

With the vista gpmc, I can push any key I want to an OU affected by that policy, for instance having everyone's workstation automagically populate HKCU/Software/Microsoft/blablah/somekey with the value I need it to have? If so, that's pretty much awesome.

Yep, you can configure it to add a new key, update an existing key, or delete a key from a nice little GUI in either the HKCU or HKLM hives. Shortcuts, individual files or folders, the contents of .ini files, and a few other things can all be manipulated in this manner as well.

Model Camper
Feb 12, 2008

Just 'cause you got a rocking horse don't mean you can rock.

Bangers,

So I set up a Vista SP1 machine with RSAT to play around with the sweet new Vista Group Policy options, but when I run it on my current domain all the options look exactly the same as they do on my other machines. Reading the OP again, am I correct in assuming that this:

BangersInMyKnickers posted:

You also want to make sure that the optional Windows Update Group Policy Client Side Extensions is installed across the entire domain for these new features to be usable on older system, but more on that later when I get to patch management.

means that the new extensions won't show up until the update is installed on the Server 2003 machines that currently govern my network? I just want to confirm before I go ahead and reboot our primary domain controller.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



•Testing and Troubleshooting policy: Quite a few things can go wrong when policy is applying. Here are a few of the most common issues I have seen.

Having your antivirus client correctly configured is a key component of group policy working correctly. If clients are attempting to pull policy off the sysvol share, this will trigger scan events by a real-time scanning engine which can cause file locks that result in policy not being applied correctly. This issue will be intermittent and very hard to diagnose as it will appear from the client end that the connection is timing out and dropping. This guide is a fairly good guide for setting up the common exclusions to Microsoft servers and services. Keep in mind that anything running a database is going to need some manner of exclusion or you may encounter problems.

The eventlog (eventvwr.msc) is your go-to place to see if policy is applying correctly, with policy results being reported in the Application log. If you are pushing out application packages, one of the errors you may encounter will look like this:

quote:

Failed to apply changes to software installation settings. Software installation policy application has been delayed until the next logon because an administrator has enabled logon optimization for group policy. The error was : The group policy framework should call the extension in the synchronous foreground policy refresh.
which will usually be sandwiched between a few other warnings complaining about the package installation. As the error says, this is a result of logon optimizations being enabled. Group policy has two refresh modes: synchronous and asynchronous. Policy is processed at startup/shutdown or logon/logoff depending on if you are working with a machine or user policy. Once those are up and running, user and machine policy are automatically updated at a regular interval (I believe the default is 5 minutes and that value is configurable, though the specific value isn't really important to this discussion). With XP Pro and Vista (workstation OS's), policy is processed asynchronously in the background which means that a machine or user can log on before new policy is applied, resulting in the previously mentioned error. Server OS's (and 2000 Pro) will process group policy synchronously at logon and logoff events which results in longer wait times, but none of the previously mentioned errors. If you need to manually refresh group policy on a system or user account, use the tool gpupdate.exe and be sure to check the switches, though the most common ones are /force and /sync.

If you are not seeing policy being applied, attempt to manually update policy with gpupdate.exe. If there is an error at this point, there may be something wrong with the sysvol DFS share your domain controllers run. Make sure you can manually navigate to it via \\[domain fqdn]\sysvol. Also check to make sure you are pointed at your internal DNS servers and not somewhere else, as not being able to resolve the name of your packages share will shoot you down quickly. Beyond those things to check, you will most likely need to do some googling with error codes.

If policy says it is applying correctly but you do not see this reflected in the eventlog or on the actual settings, then odds are the machine or user is not falling within the scope of the policy. The first thing is to check your Active Directory structure and verify that the user or machine object falls at or below the level where the link is placed and that there aren't Inheritance Blocks causing the problem. Keep in mind that machine policy will only apply to machine objects and likewise with user policy and objects. Because of this I keep all of my user and machine policy settings in discrete GPOs to avoid confusion on their scope. The exception to this may be your default domain policy as this is a good place to configure settings to which all objects within the domain should adhere to. If a quick spotcheck doesn't reveal anything out of the ordinary, your best bet is to use group policy modeling and results. Modeling is mostly used to figure out what policies are filtering down to a specific OU but won't tell you much about a specific machine. Results gives you a much more granular look at one specific machine, including which WMI filters evaluated as true or false and what security group apply so you can get a better idea of what is causing the policy to fall out of scope.

When it comes to actual software deployment testing, VMware Server or ESXi are great free tools that you can use to easily load up a single machine with a bunch of OS installs and test their installation as well as rolling back to an established snapshot. I have had a few packages (Acrobat Reader 8, Java 6u1) whose uninstallers break, and catching and testing that in this environment is critical to a smooth rollout without a bunch of things breaking and people screaming down your neck. For a general hint, a large number of uninstaller errors can be circumvented by deleting the associated package key from HKCR\Installer\Products.
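Added triage script (not part of the post above): it automates the "policy says it applied but nothing changed" checks the post walks through. It refreshes policy, captures the verbose RSoP report for both the computer and user scope, and then lists every GPO that fell out of scope together with the reason gpresult gives (Denied (Security), Denied (WMI Filter), Not Applied (Empty), and so on), which is the same Filtering: line quoted further down the thread. It relies only on the gpresult switches available on XP/2003/Vista. Run it as the affected user on the affected machine; the report path is an assumption, change it as you like.

```batch
@echo off
setlocal enabledelayedexpansion
rem Added triage script, not from the thread. Collects the RSoP data the
rem troubleshooting post says to look at and prints the filtered-out GPOs.
rem Report location is an assumption.
set "OUT=%TEMP%\gpo-triage-%COMPUTERNAME%.txt"

> "%OUT%" echo === gpupdate /force at %DATE% %TIME% ===
rem /force re-applies every setting even when the GPO version is unchanged.
rem Do not add /sync in a script: it schedules a synchronous foreground
rem refresh and asks to log off or reboot, which is fine interactively only.
gpupdate /force >> "%OUT%" 2>&1

for %%S in (computer user) do (
    >> "%OUT%" echo.
    >> "%OUT%" echo === gpresult /scope %%S /v ===
    gpresult /scope %%S /v >> "%OUT%" 2>&1
)

echo GPOs that were filtered out, with the reason gpresult gives:
rem In the verbose report each filtered GPO is printed as its name on one
rem line followed by "Filtering:  <reason>" on the next, so keep the previous
rem line and print both whenever the current one is a Filtering line.
rem "tokens=*" strips the indentation; delayed expansion keeps parentheses in
rem reasons such as "Denied (Security)" from breaking the block.
set "PREV="
for /f "usebackq tokens=*" %%L in ("%OUT%") do (
    set "LINE=%%L"
    if not "!LINE:Filtering:=!"=="!LINE!" echo   !PREV!  --  !LINE!
    set "PREV=!LINE!"
)
echo.
echo Nothing listed above means scope is fine: the user/computer is under the
echo link, no inheritance block, security and WMI filters pass. Look in the
echo Application log for the CSE error next. Full report: %OUT%
```

"Not Applied (Empty)" is worth reading literally: it means the GPO had no settings in that scope at the time the client read it, so a user-side policy linked fine but evaluated against the computer scope (or read from a DC that has not replicated the change yet) shows up exactly like that until the next refresh picks up the real version.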

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



Model Camper posted:

Bangers,

So I set up a Vista SP1 machine with RSAT to play around with the sweet new Vista Group Policy options, but when I run it on my current domain all the options look exactly the same as they do on my other machines. Reading the OP again, am I correct in assuming that this:


means that the new extensions won't show up until the update is installed on the Server 2003 machines that currently govern my network? I just want to confirm before I go ahead and reboot our primary domain controller.

Are you editing local group policy or are you in the actual "Group Policy Management" applet? gpedit.msc will look exactly the same as before, but if you run the group policy management app from Administrative Tools (or add the snap-in to an mmc console) you should see the new policy options by default. The ability to build policy using the new options is there by default with RSAT; the restriction is that for a machine to interpret the new options you need to have that update installed. Group policy is basically a set of configuration files hosted on the network share your domain controllers run, and machines and users by default look there for policy as domain members. You should not need to modify your domain controllers or reboot them to host a policy object created with the new features RSAT provides.

Mierdaan
Sep 14, 2004



Pillbug

Are the CSEs included in XP SP3 and/or Vista SP1? Do I need to worry about pushing those out separately?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



Mierdaan posted:

Are the CSEs included in XP SP3 and/or Vista SP1? Do I need to worry about pushing those out separately?

They are optional updates and not bundled with SP3 or SP1, but with Vista it was flagged as an Important update instead of Optional so most systems should have it already (not sure about 2008 but I assume it would be classified as Important there as well). Look for KB943729 in XP, XP-64, Server 2003, and Server 2003-64 flavors depending on what you are running.

Mierdaan
Sep 14, 2004



Pillbug

Got it, thanks. It actually doesn't show as being compatible with XP SP3 in WSUS, so I'm glad I hadn't pushed that out to clients yet...

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



Mierdaan posted:

Got it, thanks. It actually doesn't show as being compatible with XP SP3 in WSUS, so I'm glad I hadn't pushed that out to clients yet...

Yeah, I forgot to mention this but there is a flaw in the detection logic where XP SP3 thinks that this specific KB doesn't apply even though it does. Apparently the WSUS team has acknowledged the issue and is testing compatibility of the update on SP3 or some nonsense and expects a fix "soon". I haven't pushed out SP3 yet either because I expected some kind of screwball issue like this, though I didn't exactly expect group policy to get dicked up. Hopefully it will be sorted at or before the October security patches.

Sock on a Fish
Jul 17, 2004

What if that thing I said?

BangersInMyKnickers posted:

Yeah, I forgot to mention this but there is a flaw in the detection logic where XP SP3 thinks that this specific KB doesn't apply even though it does. Apparently the WSUS team has acknowledged the issue and is testing compatibility of the update on SP3 or some nonsense and expects a fix "soon". I haven't pushed out SP3 yet either because I expected some kind of screwball issue like this, though I didn't exactly expect group policy to get dicked up. Hopefully it will be sorted at or before the October security patches.

This is some goddamned bullshit right here. I just bought a Vista license for the sole purpose of testing group policy for my handful of Vista clients and using the new GPMC to push new group policy objects out to everyone.

edit: Just discovered that I can install the update manually without any problems. How can I turn this into an MSI to push to all of my clients with a GPO?

Sock on a Fish fucked around with this message at Sep 17, 2008 around 17:50

Sock on a Fish
Jul 17, 2004

What if that thing I said?

So, what did you guys do before the new Vista group policy extensions that would allow a user without a connection to the domain controller to have a drive map at login that he could then reconnect once he established a VPN connection to the office?

I'm thinking I should just tell WSH to map the drive persistently, but I'm worried that I'm going to regret that later on if I need to change drive mappings.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



Sock on a Fish posted:

This is some goddamned bullshit right here. I just bought a Vista license for the sole purpose of testing group policy for my handful of Vista clients and using the new GPMC to push new group policy objects out to everyone.

edit: Just discovered that I can install the update manually without any problems. How can I turn this into an MSI to push to all of my clients with a GPO?

Take the downloadable exe and decompress it with the /x:[somepath] switch. Then take the contents of the update subdirectory and save it someplace on the network. Then you are going to need a machine startup script GPO that looks something like this:

code:
reg query hklm\Software\Microsoft\Windows\CurrentVersion\Uninstall\KB943729
if NOT ERRORLEVEL = 0 then "\\server\share\whatever\update.exe /quiet /norestart"
exit /b
And you will also want to make a WMI filter for this policy so it only applies to machines running XP 32-bit.

As for the VPN issue, correct me if I am wrong but so long as you create the VPN connection in Windows and mark it as available to all users you can use the "Connect with dial-up networking" option at logon to connect the machine to the VPN before logon processes and then you won't have the problem with not seeing the domain controller.

BangersInMyKnickers fucked around with this message at Sep 17, 2008 around 20:52

Dessert Rose
May 17, 2004

awoken in control of a lucid deep dream...


Just checking in to say that this thread is awesome. You're awesome.

GPOs are one of the major reasons why Active Directory is really good in enterprise scenarios. Being able to just set a policy that affects a specific class of computer or user and have it just HAPPEN is an administration dream.

Sock on a Fish
Jul 17, 2004

What if that thing I said?

BangersInMyKnickers posted:

Take the downloadable exe and decompress it with the /x:[somepath] switch. Then take the contents of the update subdirectory and save it someplace on the network. Then you are going to need a machine startup script GPO that looks something like this:

code:
reg query hklm\Software\Microsoft\Windows\CurrentVersion\Uninstall\KB943729
if NOT ERRORLEVEL = 0 then "\\server\share\whatever\update.exe /quiet /norestart"
exit /b
And you will also want to make a WMI filter for this policy so it only applies to machines running XP 32-bit.

As for the VPN issue, correct me if I am wrong but so long as you create the VPN connection in Windows and mark it as available to all users you can use the "Connect with dial-up networking" option at logon to connect the machine to the VPN before logon processes and then you won't have the problem with not seeing the domain controller.

Sweet, I never thought of that. Thanks!

Sock on a Fish
Jul 17, 2004

What if that thing I said?

Sock on a Fish posted:

Sweet, I never thought of that. Thanks!

I just realized that I can't make it work. The reg query outputs an error that it can't find the key, but then the conditional doesn't do anything after checking for NOT ERRORLEVEL = 0.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



Sock on a Fish posted:

I just realized that I can't make it work. The reg query outputs an error that it can't find the key, but then the conditional doesn't do anything after checking for NOT ERRORLEVEL = 0.

Sorry, I was just mashing out half-assed script without really testing it. Lets go this way:

code:
rem reg query sets ERRORLEVEL 0 when the key exists and 1 when it doesn't.
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\KB943729" >nul 2>&1

rem ERRORLEVEL below 1 means the key is there, so the update is already installed.
if NOT ERRORLEVEL 1 GOTO ABORT

rem Not installed: run the extracted update silently (switches go outside the quotes).
"\\server\share\whatever\update.exe" /quiet /norestart

:ABORT
exit /b
That should do it.

Sock on a Fish
Jul 17, 2004

What if that thing I said?

Thanks for the help. I learned a shortcut to avoid needing to check the ERRORLEVEL variable. Just put a double pipe after the reg query -- if the query fails, everything after the double pipe gets executed.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



Sock on a Fish posted:

Thanks for the help. I learned a shortcut to avoid needing to check the ERRORLEVEL variable. Just put a double pipe after the reg query -- if the query fails, everything after the double pipe gets executed.

Very cool, I didn't know you could use || and && in that manner. Thanks for the tip, that will simplify my scripts a lot.

Jailbrekr
Apr 8, 2002
A TOWN LEVELED BY AN EXPLOSION? DOZENS LIKELY KILLED? OH GOD LET ME SEE THAT SWEET VIDEO OH MY GOD I'M CUMMING


BangersInMyKnickers posted:

You don't need Vista clients to use the new group policy features, only a Vista machine to build the actual policies. So long as the group policy extension update is installed on the XP or Server 2003 system they will apply there just fine, which is why I was trying to shift focus away from using VBScript and batch scripting.

That right there just eliminated around 40-50% of the crap I had to script using vbscript at my former employer. I'm still a script monkey at heart but god drat this tutorial is awesome. It almost makes me want to go back to being a Windows sysadmin (I'm a unix sysadmin now). Well, almost...

I'm not sure if this was covered yet (I'm still reading and digesting), but you might want to mention how GPOs are deployed over slow connections and how to diddle the rules surrounding what gets deployed when.

ogreboy
Apr 1, 2003


I'm in a school environment that has a relatively simple 2 domain structure:

Teacher Server (domain-1):
Teacher GPO
Office admin GPO
Tech admin GPO

Student server (domain-2):
Jr Sr Student GPO
Elementary GPO
Tech admin GPO

The OUs pretty much match up exactly with that.

This thread has opened my eyes beyond just scripting commands into login batch files... but people seem to have TONS AND TONS more GPOs going on. Am I missing something? Do you apply multiple GPOs to an OU just to keep types of settings clean and separate?

I would love to read descriptions and see pictures of really complex OU/Group Policy configurations.. I have not seen many AD configurations beyond the ones at my current job.

ogreboy fucked around with this message at Sep 18, 2008 around 04:35

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



ogreboy posted:

This thread has opened my eyes beyond just scripting commands into login batch files... but people seem to have TONS AND TONS more GPOs going on. Am I missing something? Do you apply multiple GPOs to an OU just to keep types of settings clean and separate?

Yes, it typically boils down to multiple policies to a single OU so you can keep them segregated. It is a lot easier to make a change or revert on a whole policy that does a limited scope of things (like pre-configures IE and WMP to skip the EULA and enforce some default settings) if things go screwy, so you don't need to go digging for individual settings in another policy to revert things, just disable the link. You also hit situations where different departments or user groups request divergent settings, and having multiple smaller policies makes it much easier to give people the settings they want while not pissing off everyone else. In my environment we have different departmental OUs for things as divergent as engineers, waste management, telecommunications, and a power plant. Because their functions are all so different, a lot of forethought needs to be put in to your Active Directory structure if you want something that is easily manageable and scales well.

In your environment, I question the logic of running separate domains within a single building (assuming that is your situation). It will double the number of domain controllers you need, and nothing would stop you from segregating teacher and student user objects through an OU structure like you already use but in a single domain. Typically you want to set up different domains for geographically separate locations. Two within the same building would be more hassle than benefit that I can see.

Sock on a Fish
Jul 17, 2004

What if that thing I said?

Any tips on using the new GPE to mount a drive with different credentials than the logged in user? I've put in both the username and password for the share in my GPO, but when I login the drive is mapped, I double click it, and I get prompted for a password for the username that I had put in the GPO. I've quadruple checked that the credentials have been correctly entered.

Also, does Vista need an update to use the new GPEs? My Vista test client shows that my new drive mapping policy is being applied, but drives don't actually map.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



Sock on a Fish posted:

Also, does Vista need an update to use the new GPEs? My Vista test client shows that my new drive mapping policy is being applied, but drives don't actually map.

There is a KB943729 for Vista as well which should be installing by default, but verify just in case. You also want SP1, so do that if you haven't for some reason. From what I am reading, a few of the newer policies won't apply correctly until your schema is updated to Server 2008 (this can be done on Server 2003 DCs) and configuring a drive mapping to log in with alternative credentials may be one of those situations.

Sock on a Fish
Jul 17, 2004

What if that thing I said?

BangersInMyKnickers posted:

There is a KB943729 for Vista as well which should be installing by default, but verify just in case. You also want SP1, so do that if you haven't for some reason. From what I am reading, a few of the newer policies won't apply correctly until your schema is updated to Server 2008 (this can be done on Server 2003 DCs) and configuring a drive mapping to log in with alternative credentials may be one of those situations.

Oh well, I was planning on extending the schema to support MCX anyway. This should be fun.

It looks like the registry in Vista doesn't store the Uninstall information for updates in the same location, and Google is no help in revealing the real location. Can you tell me where Vista stores that info?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



Sock on a Fish posted:

Oh well, I was planning on extending the schema to support MCX anyway. This should be fun.

It looks like the registry in Vista doesn't store the Uninstall information for updates in the same location, and Google is no help in revealing the real location. Can you tell me where Vista stores that info?

That one has been a mystery to me. The registry only contains garbage randomly named keys that reference the garbage randomly named patch installers in c:\windows\installer now and how it keeps track of that stuff is no longer in the registry. There is a command line tool you can use that will dump out the name of all the installed KBs on the system and you can pipe that in to a find for the GPE KB number, but I can't remember what the command is offhand. You may also be able to fish for it with a WMI query.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



Alright, figured it out. Run this query
code:
systeminfo |find "943729"
which will let you know if the GPE are installed.
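Added example (not the thread's own script): a complete machine startup script for deploying KB943729 that folds together the two detection methods the thread arrived at, the Uninstall registry key on XP/2003 and the systeminfo | find check for Vista, where the update is not registered under that key. Either check succeeding skips the install; otherwise the extracted update is run silently and the result is logged per machine. It uses the && / || shortcut mentioned above instead of ERRORLEVEL tests. Assumptions, change to suit: the contents of the update subdirectory from KB943729.exe /x: are staged at the %SRC% path, and %LOG% points at a share where Domain Computers can write. Scope the policy to XP 32-bit with a WMI filter as the earlier post says; the Vista check only matters if you link it more widely.

```batch
@echo off
setlocal
rem Added example, not from the thread. Machine startup script that installs
rem the Group Policy Preferences client-side extensions (KB943729) only where
rem they are missing. Paths below are assumptions.
set "KB=943729"
set "SRC=\\server\share\gpp-cse\update\update.exe"
set "LOG=\\server\share\gpp-cse\logs\%COMPUTERNAME%.log"

rem 1. Already installed? XP/2003 register the KB under Uninstall; Vista does
rem    not, but lists it in systeminfo. Either hit is enough to stop here.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB%KB%" >nul 2>&1 && goto :present
systeminfo 2>nul | find "%KB%" >nul && goto :present

rem 2. Not found: make sure the share is reachable, then install silently.
if not exist "%SRC%" (
    >> "%LOG%" echo %DATE% %TIME% ERROR source not reachable: %SRC%
    exit /b 1
)
"%SRC%" /quiet /norestart
set "RC=%ERRORLEVEL%"

rem 3. 0 is success; 3010 is the Windows "success, reboot required" code,
rem    which is expected with /norestart and is not a failure.
if "%RC%"=="0" goto :installed
if "%RC%"=="3010" goto :installed
>> "%LOG%" echo %DATE% %TIME% ERROR installer returned %RC%
exit /b %RC%

:installed
>> "%LOG%" echo %DATE% %TIME% INSTALLED KB%KB% rc=%RC%
exit /b 0

:present
>> "%LOG%" echo %DATE% %TIME% OK KB%KB% already present
exit /b 0
```

Two practical notes: systeminfo takes several seconds because it walks WMI, so the cheap reg query goes first and systeminfo only runs when that misses; and a startup script runs as SYSTEM, so both the source share and the log share have to grant the computer accounts (not the users) read and write respectively, or the "source not reachable" branch is what you will see in the log.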

Sock on a Fish
Jul 17, 2004

What if that thing I said?

This thread just keeps on delivering. Thanks!

UserNotFound
May 7, 2006
???

Would you care to explain some of the intricacies as to why some policies will not apply on a first, or even second 'gpupdate /force'? Specifically, I've been going around to our users to remove the last of them on roaming profiles, and adding them to an OU that has the RedirectFolders policy on it. Every machine and every user is in the security group for the policy, but some machines require magical amounts of gpupdates/time passing for the redirect to take effect. I understand applying multiple policies could take multiple restarts, but this one is baffling me.

Specifically some times I'll see "RedirectFolders Filtering: Not Applied (Empty)" on the gpresult under user settings...until some time later when it works.

___

Just out of curiosity, do we have a number of people using SCCM'07 that might warrant a similarly awesome thread? I'm not finding a lot of reliable sources of help for some things outside of our current testing group.


VVV I didn't see anything on the first two I encountered that did this, and consequently ignored it the next 5-6 times (out of 35 or so machines). I just told them to shut down every night, and by the end of the week, the server showed their redirected folders had been created, and assumed that if I went to the machine, the policy would have been applied fine by that point.

UserNotFound fucked around with this message at Sep 18, 2008 around 21:19

swalk
Nov 20, 2004
bucka blaow

Always check the Event Log on the computers that aren't applying the GPO. If gpresult says it's applying but it doesn't, odds are there will be an error in the event log.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



UserNotFound posted:

Would you care to explain some of the intricacies as to why some policies will not apply on a first, or even second 'gpupdate /force'? Specifically, I've been going around to our users to remove the last of them on roaming profiles, and adding them to an OU that has the RedirectFolders policy on it. Every machine and every user is in the security group for the policy, but some machines require magical amounts of gpupdates/time passing for the redirect to take effect. I understand applying multiple policies could take multiple restarts, but this one is baffling me.

Specifically some times I'll see "RedirectFolders Filtering: Not Applied (Empty)" on the gpresult under user settings...until some time later when it works.

___

Just out of curiosity, do we have a number of people using SCCM'07 that might warrant a similarly awesome thread? I'm not finding a lot of reliable sources of help for some things outside of our current testing group.


VVV I didn't see anything on the first two I encountered that did this, and consequently ignored it the next 5-6 times (out of 35 or so machines). I just told them to shut down every night, and by the end of the week, the server showed their redirected folders had been created, and assumed that if I went to the machine, the policy would have been applied fine by that point.

With XP/Vista, policies will apply asynchronously by default to improve logon times. If your domain controllers are running slow (not setting up the AV scanner exclusions for the DFS share caused a problem similar to the one you are describing for us) it may skip policy and try to pull it down again once you are logged in. Try using gpupdate /sync to force it to do a synchronous policy refresh that it can't opt out of during the logon process.

Fourteen
Aug 15, 2002

No, no, no you imbecile! That's not talc, that's paprika!

GP is some incredibly powerful stuff when you really get into it. People can rip on MS for a lot (and deservedly so), but GP deserves their utmost praise. You guys should check out the Jeremy Moskowitz books if you want to read more (Amazon search - the 2 new 2008 books are 1 and 2 on this page). Moskowitz really knows his stuff. If I could get my company to pay for it, I'd attend one of his workshops.

Sock on a Fish
Jul 17, 2004

What if that thing I said?

You know what doesn't deserve praise? VBScript. It always makes me feel like an idiot.

I'm trying to get the output of systeminfo | find command that the OP posted, and it just won't work. I've tried all of these variations to capture this text into a variable called Result:
code:
Result = oShell.Exec(command)
Result = oShell.Exec(command).StdOut
Result = oShell.Exec(command).StdOut.ReadAll
Google can't help when I feed it the query "vbscript get output shell exec". Why the gently caress can't Python be a native component of Windows!??!

ogreboy
Apr 1, 2003


BangersInMyKnickers posted:

In your environment, I question the logic of running separate domains within a single building (assuming that is your situation). It will double the number of domain controllers you need and nothing would stop you from segregating teacher and student user objects through an OU structure like you already use but in a single domain. Typically you want to set up different domains for geographically separate locations. Two within the same building would be more hassle within benefit that I can see.

I would agree and this would have made my life a lot easier, especially when we migrated to Server 2008.

Unfortunately, while I am the school admin, my hands are tied due to REALLY FRUSTRATING, STUBBORN AND ESPECIALLY ARROGANT higher IT powers especially in regard to AD design and configuration. Anyways, that's an e/n rant.

UserNotFound
May 7, 2006
???

BangersInMyKnickers posted:

With XP/Vista, policies will apply asynchronously by default to improve logon times. If your domain controllers are running slow (not setting up the AV scanner exclusions for the DFS share caused a problem similar to the one you are describing for us) it may skip policy and try to pull it down again once you are logged in. Try using gpupdate /sync to force it to do a synchronous policy refresh that it can't opt out of during the logon process.

Interesting, I always just did /force, thinking...well...if I force it, it'll have to work!

Are you saying the workstations were scanning a mapped DFS share, slowing down the network link? That's just silly :P

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



UserNotFound posted:

Are you saying the workstations were scanning a mapped DFS share, slowing down the network link? That's just silly :P

I am saying that workstations trying to access the DFS share will cause the antivirus client on the domain controllers to flip the gently caress out as it tries to scan the files being read as well as trying to scan the DFS database as it is read and modified which can lead to file locking conflicts and gently caress up your group policy.

Mierdaan
Sep 14, 2004



Pillbug

If a service is set to disabled on a client, will adding it under Computer Configuration->Preferences->Control Panel Settings->Services, set to

Action=Start Service
Startup Type=Automatic

do what I think it'll do? It hasn't yet and I don't know if I'm impatient or doing something wrong.

edit: yes it does, if I actually have 943729 installed instead of just thinking that I do.

Mierdaan fucked around with this message at Sep 19, 2008 around 16:45


Sock on a Fish
Jul 17, 2004

What if that thing I said?

What should I do if my predecessor checked off the 'Grant user exclusive rights to My Documents' on a Folder Redirection policy and I now want to give all domain admins full permissions on those folders but I can't even read the permissions?
