  • Locked thread
Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

alanthecat posted:

I haven't used it yet, but there's a workaround involving a shortcut to a scheduled task that might help you out there. I might be using it myself this week.

Woah. Thanks for this. I have one really goddamn annoying program in our LA office which relates to agents and actors that has the worst loving setup. Every time it loads it downloads GZIPPED updates for the program pushed from the "developers" and they refuse to fix their app so it doesn't trip UAC/need admin privileges. I've asked them time and time again for a MSI based install/update system and their eyes just gloss over and they go "What's MSI". Obviously the windows program isn't a priority for them.

Those machines run slow as poo poo because I have ESET set to scan loving everything except network drives.

thebigcow
Jan 3, 2001

Bully!
Why is MSI seemingly so uncommon? I've asked before and never gotten a response.

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from
You can also follow these instructions, just replace the UPS worldship .exe with whatever needs to run as admin.

Now a program that requires domain admin, THAT I refuse to believe is possible without willfully using AD functions that require it.

Wizard of the Deep
Sep 25, 2005

Another productive workday

thebigcow posted:

Why is MSI seemingly so uncommon? I've asked before and never gotten a response.

For the same reason so many apps require local administrator: That's how it's always been done.

It's certainly getting better on both fronts, though.

My favorite example was an older program, probably circa 2008. The (.exe) installer would only run under the Administrator account. Not "an account with local admin privileges". Straight Administrator.

Cynic Jester
Apr 11, 2009

Let's put a simile on that face
A dazzling simile
Twinkling like the night sky
Does a Domain controller running Server 2012 need a lot of space? We've got a spare computer with two 160 gig SSDs, but based on what I'm seeing, that might be too little?

Also, can I run an exchange server on the same box or would it be better to separate them?

Cpt.Wacky
Apr 17, 2005

Cynic Jester posted:

Does a Domain controller running Server 2012 need a lot of space? We've got a spare computer with two 160 gig SSDs, but based on what I'm seeing, that might be too little?

Also, can I run an exchange server on the same box or would it be better to separate them?

DCs don't need SSDs. Mine only use about 16 gigs. Exchange should definitely be on its own server. DCs shouldn't really run anything besides AD, DNS and DHCP. Have you looked into virtualization? You'd probably get more answers to this stuff in the Enterprise Megathread too.

pyrofreak421
Nov 25, 2010

LmaoTheKid posted:

You want to know what's a nightmare? Deploying Photoshop Elements via GPO. gently caress this, I'm just going to install it manually.
Which version of elements are you trying to use? If it's a newer version, I believe Adobe has an app to create a specific setup package. Which deploys like a champ. That made my life a lot easier. I'll check what it's called when I get back to work Monday.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

pyrofreak421 posted:

Which version of elements are you trying to use? If it's a newer version, I believe Adobe has an app to create a specific setup package. Which deploys like a champ. That made my life a lot easier. I'll check what it's called when I get back to work Monday.

Please do. We have licenses for 11 and 12.

pyrofreak421
Nov 25, 2010
It looks like the program is called Adobe Application Manager Enterprise Edition. You feed it the installer for whatever adobe app you are working with and it goes out and grabs any updates that are available. After that it creates an installer with decently documented parameters.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

pyrofreak421 posted:

It looks like the program is called Adobe Application Manager Enterprise Edition. You feed it the installer for whatever adobe app you are working with and it goes out and grabs any updates that are available. After that it creates an installer with decently documented parameters.

Thank you very much, I'll play around with this today.

peak debt
Mar 11, 2001
b& :(
Nap Ghost

Yaos posted:

What sucks is doing best practices for everything except you have to do local admin for a lovely program that requires admin to run and requires UAC to be off. So close. :(

If it's an application that installs into c:\program files try what happens when you give a non-admin user write rights on only the directory that application is installed in.

Upgrade to Windows 8 and install StartIsBack. It's all the good features of Windows 8 without the bad ones.
VV

peak debt fucked around with this message at 21:58 on Nov 18, 2013

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib
One thing to keep in mind, you can't manage Server 2012 machines from Windows 7, so if your workstations are 7 it kinda sucks to do anything since you have to RDP to a server as a first step.

EAT THE EGGS RICOLA
May 29, 2008

Why is a substantial amount of stuff in a RSoP showing up in languages other than English? I seem to remember hearing about this happening to someone else and can't remember the cause at all.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
do you have other languages in your central store for GPO? or locally in your local GPOs if you're running the RSoP on your workstation?

capitalcomma
Sep 9, 2001

A grim bloody fable, with an unhappy bloody end.
I've been using Group Policy Preferences to define a few service accounts on some computers, and it's been working very well. But today I receive a warning message from GPM that I haven't seen before:



So am I defining passwords for these accounts insecurely? And if so, what's a better method for defining these accounts?

Wizard of the Deep
Sep 25, 2005

Another productive workday

Sounder posted:

I've been using Group Policy Preferences to define a few service accounts on some computers, and it's been working very well. But today I receive a warning message from GPM that I haven't seen before:



So am I defining passwords for these accounts insecurely? And if so, what's a better method for defining these accounts?

So these are local accounts that are created and defined by GPOs, correct? The only other solution I can see is setting the GPO to not have a password, and configuring the password by hand. Which may or may not be feasible, depending on your environment. Or not deploying these accounts by GPO at all, and instead include them in your base PC image.

In terms of minimizing attack surface, your current situation probably isn't ideal, but I don't know that it's a huge concern, either. If these accounts have local admin access, while (most) domain accounts wouldn't, I can see how things could go wrong if someone (1) realized the account was there, and distributed by GPO, (2) wasn't afraid to break things in the long run to get a short-term gain, and (3) has physical access. If someone has physical access, all bets are pretty much off, especially if they only need access once (to pull data off).

What kind of environment are we talking about here? If you've got 50 people, I wouldn't really worry about it. If you've got 5,000 I maybe would.
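
An added example, not part of any post in this thread: Group Policy Preferences keeps a password set in a preference item as a `cpassword` attribute in the item's XML under SYSVOL, which every authenticated domain user can read. The read-only PowerShell audit below lists which GPOs and items carry one; the default `$PolicyRoot` path and the list of account attribute names are assumptions about a typical domain.

```powershell
# Added example (not from the thread): read-only audit of SYSVOL for Group Policy
# Preferences items that carry a stored password. It reports where they are and
# never decodes them.
[CmdletBinding()]
param(
    # Assumption: the Policies folder of the current user's domain.
    [string]$PolicyRoot = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
)

# Preference files whose items can hold a cpassword attribute.
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
            'DataSources.xml', 'Drives.xml', 'Printers.xml'

# The account name lives in a differently named attribute per preference type.
$accountAttributes = 'userName', 'runAs', 'accountName', 'username'

$findings = Get-ChildItem -Path $PolicyRoot -Recurse -File -Include $gppFiles -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try {
            $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw)
        }
        catch {
            Write-Warning "Skipping unparsable file $($file.FullName): $($_.Exception.Message)"
            return
        }

        # Any element with a non-empty cpassword attribute is a stored password.
        foreach ($node in $xml.SelectNodes('//*[string-length(@cpassword) > 0]')) {
            $account = $accountAttributes |
                ForEach-Object { $node.GetAttribute($_) } |
                Where-Object { $_ } |
                Select-Object -First 1

            [pscustomobject]@{
                # The GPO GUID is the {…} folder name in the file's path.
                GpoId   = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '' }
                File    = $file.Name
                # Item name and last-changed stamp sit on the element that wraps Properties.
                Item    = $node.ParentNode.GetAttribute('name')
                Account = $account
                Changed = $node.ParentNode.GetAttribute('changed')
                Path    = $file.FullName
            }
        }
    }

if ($findings) {
    $findings | Sort-Object GpoId, File | Format-Table GpoId, File, Item, Account, Changed -AutoSize
}
else {
    Write-Output "No stored GPP passwords found under $PolicyRoot"
}
```

Any account the audit lists has had its password readable from SYSVOL, so change that password after removing it from the preference item.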

capitalcomma
Sep 9, 2001

A grim bloody fable, with an unhappy bloody end.

Wizard of the Deep posted:

So these are local accounts that are created and defined by GPOs, correct? The only other solution I can see is setting the GPO to not have a password, and configuring the password by hand. Which may or may not be feasible, depending on your environment. Or not deploying these accounts by GPO at all, and instead include them in your base PC image.

In terms of minimizing attack surface, your current situation probably isn't ideal, but I don't know that it's a huge concern, either. If these accounts have local admin access, while (most) domain accounts wouldn't, I can see how things could go wrong if someone (1) realized the account was there, and distributed by GPO, (2) wasn't afraid to break things in the long run to get a short-term gain, and (3) has physical access. If someone has physical access, all bets are pretty much off, especially if they only need access once (to pull data off).

What kind of environment are we talking about here? If you've got 50 people, I wouldn't really worry about it. If you've got 5,000 I maybe would.

A few hundred users.

I wouldn't mind defining the account in a system image, but my concern is making changes to those accounts later on...This was why GPP was so appealing: A computer gets the accounts and their settings when they're joined to the domain, and by changing the GPO I can make changes to new computers and existing computers easily. If they're in the system image, how do I change settings to the accounts on the dozens of hosts already deployed?

capitalcomma fucked around with this message at 02:36 on Jan 4, 2014

Thanks Ants
May 21, 2004

#essereFerrari


You could apply the GPO and then remove it. The downside to this approach is that you will always miss some machines.

Wizard of the Deep
Sep 25, 2005

Another productive workday
Is there some reason you can't use a domain account? You can define the computers that an account can log into, and automatically make the account a local admin only on certain machines. You could change the password/account at will at that point, too. The domain account could be locked down pretty extensively, too.

The only issue I could see with that is if you need to be able to access these hosts when they're off the network. If that's a concern, maybe a scheduled task will ensure the credentials are cached locally? I'm not sure, I've never tried something like that.

chizad
Jul 9, 2001

'Cus we find ourselves in the same old mess
Singin' drunken lullabies
(Crossposting here and the enterprise Windows thread)

Is there any way to create a GPO for IE compatibility view settings that only applies to a particular IE version (IE11, in this case)? From what I can tell, the Group Policy Preferences settings only let you target IE10 or greater (without making a distinction between IE10 and IE11) and the root\cimv2\Applications\MicrosoftIE WMI namespace was removed after XP. Unless my google-fu is failing me, that means the only way to determine IE version is by grabbing the version number property of iexplore.exe, which seems incredibly hacky. Is there some other option (using MS's native tools) I'm overlooking?

Or alternatively, is it possible to add just a subdomain to the compatibility view list? I really just need to have http://bar.foo.com use compatibility mode, but it only seems to let me add *.foo.com to the whitelist.


For context, I find myself in an annoying position. Because MS didn't bother testing to see if the Business Portal portion of Dynamics SL 2011 works in IE11, I need to push out a GPO to force time.company.com to use compatibility mode. However, that means that www.company.com is also forced to use IE7 compatibility mode, but it doesn't work properly with anything older than IE8.

If I could either have the GPO only apply to IE11, or have it just use compatibility mode for time.company.com, that would solve my problem.

kiwid
Sep 30, 2013

I just got done syspreping and capturing an image. I went to test deploy (with a copyprofile answer file) and everything seems to copy except for the taskbar pinned items. Is there a way to easily fix this? Our users are too retarded to pin their own taskbar icons.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
You need to use a script. I put mine in the startup folder. It removes all the default icons, then adds what I want. (Office etc). Then deletes itself.


Here's mine:

code:
Option Explicit

Const CSIDL_COMMON_PROGRAMS = &H17
Const CSIDL_PROGRAMS = &H2
Const CSIDL_STARTMENU = &HB

Dim objShell, objFSO
Dim objCurrentUserStartFolder
Dim strCurrentUserStartFolderPath
Dim objAllUsersProgramsFolder
Dim strAllUsersProgramsPath
Dim objFolder
Dim objFolderItem
Dim colVerbs
Dim objVerb

Set objShell = CreateObject("Shell.Application")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objCurrentUserStartFolder = objShell.NameSpace (CSIDL_STARTMENU)
strCurrentUserStartFolderPath = objCurrentUserStartFolder.Self.Path
Set objAllUsersProgramsFolder = objShell.NameSpace(CSIDL_COMMON_PROGRAMS)
strAllUsersProgramsPath = objAllUsersProgramsFolder.Self.Path

' - Remove pinned items -

'PowerShell
If objFSO.FileExists(strCurrentUserStartFolderPath & "\Programs\Accessories\Windows PowerShell\Windows Powershell.lnk") Then
    Set objFolder = objShell.Namespace(strCurrentUserStartFolderPath & "\Programs\Accessories\Windows Powershell\")
    Set objFolderItem = objFolder.ParseName("Windows Powershell.lnk")
    Set colVerbs = objFolderItem.Verbs
    For Each objVerb in colVerbs
        If Replace(objVerb.name, "&", "") = "Unpin from Taskbar" Then objVerb.DoIt
    Next
End If

'Internet Explorer
If objFSO.FileExists(strCurrentUserStartFolderPath & "\Programs\Internet Explorer.lnk") Then
    Set objFolder = objShell.Namespace(strCurrentUserStartFolderPath & "\Programs")
    Set objFolderItem = objFolder.ParseName("Internet Explorer.lnk")
    Set colVerbs = objFolderItem.Verbs
    For Each objVerb in colVerbs
        If Replace(objVerb.name, "&", "") = "Unpin from Taskbar" Then objVerb.DoIt
    Next
End If

'Windows Explorer
If objFSO.FileExists(strCurrentUserStartFolderPath & "\Programs\Accessories\Windows Explorer.lnk") Then
    Set objFolder = objShell.Namespace(strCurrentUserStartFolderPath & "\Programs\Accessories")
    Set objFolderItem = objFolder.ParseName("Windows Explorer.lnk")
    Set colVerbs = objFolderItem.Verbs
    For Each objVerb in colVerbs
        If Replace(objVerb.name, "&", "") = "Unpin from Taskbar" Then objVerb.DoIt
    Next
End If

'Windows Media Player
If objFSO.FileExists(strAllUsersProgramsPath & "\Windows Media Player.lnk") Then
    Set objFolder = objShell.Namespace(strAllUsersProgramsPath)
    Set objFolderItem = objFolder.ParseName("Windows Media Player.lnk")
    Set colVerbs = objFolderItem.Verbs
    For Each objVerb in colVerbs
        If Replace(objVerb.name, "&", "") = "Unpin from Taskbar" Then objVerb.DoIt
    Next
End If

' - Pin to Taskbar -

'Microsoft Outlook 2010
If objFSO.FileExists(strAllUsersProgramsPath & "\Microsoft Office\Microsoft Outlook 2010.lnk") Then
	Set objFolder = objShell.Namespace(strAllUsersProgramsPath & "\Microsoft Office")
	Set objFolderItem = objFolder.ParseName("Microsoft Outlook 2010.lnk")
	Set colVerbs = objFolderItem.Verbs
	For Each objVerb in colVerbs
		If Replace(objVerb.name, "&", "") = "Pin to Taskbar" Then objVerb.DoIt
	Next
End If

'Internet Explorer
If objFSO.FileExists(strCurrentUserStartFolderPath & "\Programs\Internet Explorer.lnk") Then
    Set objFolder = objShell.Namespace(strCurrentUserStartFolderPath & "\Programs")
    Set objFolderItem = objFolder.ParseName("Internet Explorer.lnk")
    Set colVerbs = objFolderItem.Verbs
    For Each objVerb in colVerbs
        If Replace(objVerb.name, "&", "") = "Pin to Taskbar" Then objVerb.DoIt
    Next
End If

'Windows Explorer(My computer link)
If objFSO.FileExists(strAllUsersProgramsPath & "\Accessories\My Computer.lnk") Then
	Set objFolder = objShell.Namespace(strAllUsersProgramsPath & "\Accessories")
	Set objFolderItem = objFolder.ParseName("My Computer.lnk")
	Set colVerbs = objFolderItem.Verbs
	For Each objVerb in colVerbs
		If Replace(objVerb.name, "&", "") = "Pin to Taskbar" Then objVerb.DoIt
	Next
End If


'Microsoft Word 2010
If objFSO.FileExists(strAllUsersProgramsPath & "\Microsoft Office\Microsoft Word 2010.lnk") Then
	Set objFolder = objShell.Namespace(strAllUsersProgramsPath & "\Microsoft Office")
	Set objFolderItem = objFolder.ParseName("Microsoft Word 2010.lnk")
	Set colVerbs = objFolderItem.Verbs
	For Each objVerb in colVerbs
		If Replace(objVerb.name, "&", "") = "Pin to Taskbar" Then objVerb.DoIt
	Next
End If



'Delete the script
DeleteSelf

Sub DeleteSelf()
        Dim objFSO
        'Create a File System Object
        Set objFSO = CreateObject("Scripting.FileSystemObject")
        'Delete the currently executing script
        objFSO.DeleteFile WScript.ScriptFullName
        Set objFSO = Nothing
End Sub

Edit - and I found the blog I lifted it off - http://blogs.technet.com/b/deploymentguys/archive/2009/04/08/pin-items-to-the-start-menu-or-windows-7-taskbar-via-script.aspx

There's plenty more examples if you google "taskbar pin script" or similar.

Swink fucked around with this message at 02:20 on Jan 28, 2014

kiwid
Sep 30, 2013

Swink posted:

You need to use a script. I put mine in the startup folder. It removes all the default icons, then adds what I want. (Office etc). Then deletes itself.


Do you deploy this via GPO and then just set the flag to apply once and don't reapply?

edit: ahh gently caress it, what a mess. I'll just create documentation.

kiwid fucked around with this message at 15:40 on Jan 28, 2014

stevewm
May 10, 2005
I cannot seem to find a solid answer on this. Can Server 2012 or 2012 R2 be a DC on a 2003 functional level domain?

Current setup consists of 7 domain controllers also running DNS/DHCP/DFS (one at each remote branch). 6 of those are still running Windows 2003 R2, with one running Windows 2008 (non-R2).

We are adding an additional branch, and I was going to go with 2012 R2 for that location's local DC/file server. But if 2012 can't be a DC on a 2003 domain, I'll have to stick with 2008 R2. Replacing the 2003/2008 machines is not going to happen for at least another year...

KS
Jun 10, 2003
Outrageous Lumpwad
Yes, both 2012 and 2012 R2 can be DCs on a 2003 native forest/domain.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

No problems there. Windows 2000 is a no go, and the functional level needs to be 2003

http://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_FunctionalLevels

Start planning that upgrade before 2003 goes end of support.

stevewm
May 10, 2005
Thank you!

I must suck at the Googles... That page from MS never appeared during my search. Instead all I got was a bunch of forum postings of people asking the same question and getting conflicting answers.

Swink
Apr 18, 2006
Left Side <--- Many Whelps

kiwid posted:

Do you deploy this via GPO and then just set the flag to apply once and don't reapply?

edit: ahh gently caress it, what a mess. I'll just create documentation.

It's in our windows image at C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pin.vbs

It gets copied to each new user profile that is created on a machine.

Dr. Arbitrary
Mar 15, 2006

Bleak Gremlin
What's the best way to install printers in an enterprise environment?

I had been setting users up individually, mapping their printers when they're logged on. This is a lot of work, but it's how we do things.

Today I found the local policy editor and figured out how to deploy a printer.
It works sorta Ok on windows 7. I'm having to do a gpupdate before it works. XP doesn't seem to work right but whatever, 67 days left.

This is a pain though because I have to add computers one at a time as snap ins to my console.

How do the pros do this, or at the very least, is there a more sophisticated way to do this stuff?

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Group Policy Preferences can deploy printers. We have AD groups that people are members of generally based on where they sit, so I limit the printing group policies by groups (Finance group gets Finance printers, etc etc). The only time I have to think about it is when we add a new printer or a new business unit.

kiwid
Sep 30, 2013

If you deploy the printer right from the printer management console in RSAT, it'll even create the GPO for you IIRC. I mean, you'll still have to create the empty GPO and scope it to certain users but the printer management console will set up the settings. If you have Windows Vista machines still, I think you need to look into using the pushprinterconnections.exe (just Google it).

If I remember I can upload a screen shot of our printer GPOs tomorrow.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

FISHMANPET posted:

Group Policy Preferences can deploy printers. We have AD groups that people are members of generally based on where they sit, so I limit the printing group policies by groups (Finance group gets Finance printers, etc etc). The only time I have to think about it is when we add a new printer or a new business unit.

This is pretty much the best way. Map out your OUs in line with the organisation layout, shell GPO, right click the printer in the print management (remember to install x86 and x64 printers!) and deploy with group policy. It's a fairly basic interface, but it works.

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from
I've heard using the print management MMC to deploy printers by GPO doesn't work all that well. We're still at the 2003 functional level so I haven't tried it, at least.

The way we do it is a GPO on a computer OU that matches the group of computers that need to be able to print to that printer, set on a user preference shared mapping by \\print-server\printer, then enable loopback processing (merge). For Vista/7/8, Computer Configuration\Administrative Templates\Printers\Point and Print Restrictions needs to be set to disabled in order for the printer to map without nagging the user for admin rights. I made a starter GPO that has loopback processing enabled and point and print restrictions disabled so I don't have to remember to set these for any new printer mapping. Works for XP and above.

DagPenge
Jun 4, 2011

Looks like our civilians are fine, thank god for the capitalist spirit!
I've tried using the print management MMC to deploy printers in both 2008r2 and 2012r2 and never gotten it to work, so I would like to know how to do it.

However using GPO user preferences and shared printers work perfectly, just remember to install x86 and 64bit drivers. Printspooler crashes on 32bit if it only has a 64bit driver. As hihifellow says remember to disable point and print restrictions in computer policy, it exists in the user policy part as well, but newer OS ignore it by design.

If using the GPO user preferences to share printers, the easiest way to troubleshoot is to go to the computer where it fails, go to \\PRINTSERVER and double click the printer. That way you get a real error message instead of the crap it writes in Event Viewer.

DagPenge fucked around with this message at 11:31 on Jan 31, 2014

HalloKitty
Sep 30, 2005

Adjust the bass and let the Alpine blast
Anyone got a clue why creating a scheduled task doesn't seem to work?

DCs - 2008 R2 and 2012.. client.. Windows 7.

I create a scheduled task applied to the computer, but it doesn't get created.
GPresult gives me:

Result: Failure (Error Code: 0x8007052e)

This is just great. Anyone had to create a scheduled task before, distributed by GPO?

HalloKitty fucked around with this message at 12:01 on Jan 31, 2014

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from
Failure code says it's a login failure, sounds like the scheduled task is trying to use an account that either doesn't exist or doesn't have the password to. Did you just leave it blank or are you trying to use a domain account?

Since your clients are Windows 7, you can use a Win7 scheduled task and set the account to the NT AUTHORITY\system account and it'll be able to do everything it needs to.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

Dr. Arbitrary posted:

What's the best way to install printers in an enterprise environment?

I had been setting users up individually, mapping their printers when they're logged on. This is a lot of work, but it's how we do things.

Today I found the local policy editor and figured out how to deploy a printer.
It works sorta Ok on windows 7. I'm having to do a gpupdate before it works. XP doesn't seem to work right but whatever, 67 days left.

This is a pain though because I have to add computers one at a time as snap ins to my console.

How do the pros do this, or at the very least, is there a more sophisticated way to do this stuff?

Here's how you get XP working with deployed printers:

http://community.spiceworks.com/topic/164327-deploying-printers-with-gpo-not-working-for-xp?page=1#entry-990737

Orcs and Ostriches
Aug 26, 2010


The Great Twist
While we're on printer deployment, we currently deploy printers through group policy preferences. However, most of our computers are shared (student) machines, so have dozens, if not more, profiles. Works fine, except during initial log in when the system downloads and installs the printer drivers. This is done over a moderately slow WAN link, plus the computers themselves are pieces of poo poo.

Since each student gets the same shared printers, we thought that the very first install should get the drivers stored and installed somewhere. It takes 5 minutes sometimes, but whatever, it's the initial install. But instead, what we see is every single person downloads and installs the drivers during logon, for the same identical printer each time, meaning logon times suck poo poo. During subsequent logons, it's a very brief process.

Anyone know how to deal with this?

peak debt
Mar 11, 2001
b& :(
Nap Ghost

Orcs and Ostriches posted:

Anyone know how to deal with this?

You can add drivers to your windows image with DISM, or with DPINST. The first can even run on an offline WIM if you're using SCCM.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

DagPenge posted:

I've tried using the print management MMC to deploy printers in both 2008r2 and 2012r2 and never gotten it to work, so I would like to know how to do it.

However using GPO user preferences and shared printers work perfectly, just remember to install x86 and 64bit drivers. Printspooler crashes on 32bit if it only has a 64bit driver. As hihifellow says remember to disable point and print restrictions in computer policy, it exists in the user policy part as well, but newer OS ignore it by design.

If using the GPO user preferences to share printers, the easiest way to troubleshoot is to go to the computer where it fails, go to \\PRINTSERVER and double click the printer. That way you get a real error message instead of the crap it writes in Event Viewer.

Remember to click the add button. The print management uses GPP to deploy anyway, so you're basically doing an extra step crafting the GPO and editing it.
