Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us $3,400 per month for bandwidth bills alone, and since we don't believe in shoving popup ads to our registered users, we try to make the money back through forum registrations.
«31 »
  • Locked thread
univbee
Jun 3, 2004



poo poo, Camwood took down the link to the AppEditor download, and I can't find it anywhere else. Does anyone have another working link, or know of a similar tool to get the job done? I've got a pretty enormous undertaking (doing some massive update deployments to about 20 companies with random assortments of Windows/Office/etc versions) and every tool I can get to ease things helps.

Adbot
ADBOT LOVES YOU

Erwin
Feb 17, 2006



Is there a way to create or change the password for a local account on a machine through GP? The other day one of our desktop's clock was off enough to prevent logging in under a domain account and nobody knew the local administrator password (machine was set up before I got here). I'd like to standardize the local administrator account on all of my machines.

Richard Noggin
Jun 6, 2005
Redneck By Default


Erwin posted:

Is there a way to create or change the password for a local account on a machine through GP? The other day one of our desktop's clock was off enough to prevent logging in under a domain account and nobody knew the local administrator password (machine was set up before I got here). I'd like to standardize the local administrator account on all of my machines.

Any reason you couldn't just have a logon script that does 'net user administrator password'?

Phuzion
Jun 30, 2006

LAN Parties 4 Lyfe!

Richard Noggin posted:

Any reason you couldn't just have a logon script that does 'net user administrator password'?

It's insecure as hell.

Open Run

\\domaincontroller\sysvol\Domain\SCRIPTSDIR

Open the login script.

Hey, there's the local admin account password in plaintext.

It totally defeats the purpose of a password.

The way I would suggest standardizing the local administrator account password would be to use psexec and use a batch file that does the same thing.

psexec @complist.txt -u domainadmin -p password net user administrator password

That should run 'net user administrator password' over every computer listed in complist.txt in the current working directory.

Wicaeed
Feb 8, 2005


Are there any guidelines on creating GPO's from scratch that recommend best policy for security? I'm looking at setting up a domain w/GPO's for around 30-40 users and would like to know how complex the most simple deployment would be for such a scenario.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert


Wicaeed posted:

Are there any guidelines on creating GPO's from scratch that recommend best policy for security? I'm looking at setting up a domain w/GPO's for around 30-40 users and would like to know how complex the most simple deployment would be for such a scenario.

Depends on what you want the GPO's to do. I like keeping things seperate, so I can easily back out of one specific GPO if I have to. Also don't be afraid to name them well. I name all mine GPO_<LOCATION>_FUNCTION

edit: Just realised you might be looking for recommendations to increase security on workstations via GPO. Grab the list and figure out what you want to do. You can also use the security templates from MS, but usually those are overkill.

skipdogg fucked around with this message at Oct 15, 2009 around 22:55

Richard Noggin
Jun 6, 2005
Redneck By Default


Phuzion posted:

It's insecure as hell.

Open Run

\\domaincontroller\sysvol\Domain\SCRIPTSDIR

Open the login script.

Hey, there's the local admin account password in plaintext.

It totally defeats the purpose of a password.

The way I would suggest standardizing the local administrator account password would be to use psexec and use a batch file that does the same thing.

psexec @complist.txt -u domainadmin -p password net user administrator password

That should run 'net user administrator password' over every computer listed in complist.txt in the current working directory.

Considering the local admin password can be changed with a boot disk...but yeah, psexec is a better idea.

Jreedy88
Jun 26, 2005
thirty4

Not a Domain Admin. Just wanted to say that the OP was the best OP I've seen in all my time here on SA.

Sharrow
Aug 20, 2007

So... mediocre.

Erwin posted:

Is there a way to create or change the password for a local account on a machine through GP?

Pretty sure GPP CSE covers this, under something like Computer/Preferences/Control Panel/Local Users & Groups.

Edit: Screenshot in the first post says that's exactly where it is.

bomb
Nov 3, 2005



Jreedy88 posted:

Not a Domain Admin. Just wanted to say that the OP was the best OP I've seen in all my time here on SA.

Hopping on this too, should be really helpful in the future. Thanks OP!

univbee
Jun 3, 2004



I am very, very close to getting Software Deployment working correctly, but I've hit a snag I can't find a solution for.

I made a test policy to test software deployment to an intentionally outdated virtual machine, running Windows XP with Service Pack 2. The server in question is Windows Server 2003, and it was already set up for Active Directory and Group Policy Management. The test policy is meant to push out Adobe Reader 9.1 (yes, I know .2 is out, this is just a test) to the specific machine, I've used the Adobe Deployment Wizard and gotten an MSI going in a global shared folder, and everything seems to be set up correctly. However, when booting the VM, the message "Installing Adobe Reader 9.1" only shows up for about a second and then disappears, bringing me straight to the login screen, no Adobe Reader installed. If there was a log somewhere I could access it would help. I also tried it with an MSI for VIPRE Enterprise with our domain's AV policy, but that also only showed up for a split second, so I suspect it's something not configured correctly.

VV Nope, I've linked it to its absolute network path and confirmed that it works as intended from the target machine when done manually. BTW, thanks a ton for the AppDeploy link you sent me earlier.

Looking in Event Viewer confirms it couldn't access the share for some reason, I'll play around with permissions and security settings.

EDIT: GOT IT! I had to give share permissions for the folder to the MACHINE, as it stood all the permissions were to user groups.

Thank you all, I am now ready to royally unfuck a lot of computers.

univbee fucked around with this message at Oct 30, 2009 around 18:14

EoRaptor
Sep 13, 2003




My first guesses are that you have a reference to mapped drive (X:) in the group policy, instead of a UNC path. The second is that the event viewer really should have something in it in reference to the policy actions.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



univbee posted:

poo poo, Camwood took down the link to the AppEditor download, and I can't find it anywhere else. Does anyone have another working link, or know of a similar tool to get the job done? I've got a pretty enormous undertaking (doing some massive update deployments to about 20 companies with random assortments of Windows/Office/etc versions) and every tool I can get to ease things helps.

AppDeploy's InstEdit! http://www.instedit.com/ basically replaces the AppEditor functionality 1 for 1.

Richard Noggin
Jun 6, 2005
Redneck By Default


And you thought this thread had died!

Does anyone know if it's possible to use the Drive Mappings portion of GP in Server 2008 to map a drive to a WebDAV location (specifically, a Sharepoint library)? The client is XP SP3. I've tried entering the URL, but the clients don't seem to pick it up. Standard drive mappings work fine in the GPO, and I can manually map the drive using 'net use z: http://sharepoint/library'.

Well, apparently the third time's the charm. It's working fine.

Richard Noggin fucked around with this message at Jan 21, 2010 around 21:41

The Diddler
Jun 22, 2006



Bumpin this awesome thread with a problem I've been working on off and on for a few months: how do you schedule a nightly reboot?

My network: ~250 workstations, running XP, Vista or Windows 7. We have disabled administrative shares. My users are mostly local admins, but I'm in the process of converting them to local power users. Our domain controller is Server 2003, but I'm doing the GPO stuff from a Windows 7 machine.

I've tried to use PSShutdown, but power users cannot run it. I also tried to schedule it using the at command, but that schedules the job to run as system, which also does not work for power users. I looked into using a combination of 'runas' and 'sched', but it looks to me like the runas requires the password as text. I don't really want to do that, because our default local admin account has the same name and password as our main domain admin account.

Also, is there a list of the GP options that have with Windows 7? I have one for Windows XP/2003, but haven't been able to find a new one.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



Bob Cthulhu posted:

Bumpin this awesome thread with a problem I've been working on off and on for a few months: how do you schedule a nightly reboot?

My network: ~250 workstations, running XP, Vista or Windows 7. We have disabled administrative shares. My users are mostly local admins, but I'm in the process of converting them to local power users. Our domain controller is Server 2003, but I'm doing the GPO stuff from a Windows 7 machine.

I've tried to use PSShutdown, but power users cannot run it. I also tried to schedule it using the at command, but that schedules the job to run as system, which also does not work for power users. I looked into using a combination of 'runas' and 'sched', but it looks to me like the runas requires the password as text. I don't really want to do that, because our default local admin account has the same name and password as our main domain admin account.

Also, is there a list of the GP options that have with Windows 7? I have one for Windows XP/2003, but haven't been able to find a new one.

I'm not sure about the latter thing, but a scheduled task through policy should take care of it:



Leave the runas stuff blank and it will default the job to system credentials which is fine. Then just schedule it to run a 'shutdown -r -t 60 -c "Whatever"' at your desired time.

jmu
Feb 12, 2004

weoo.org

So the new way of deploying printers using Group Policy preferences is pretty neato. I tried setting it up for a client and one issue I ran into is that after deploying the policy my test system tried to install several printers but failed because I had the wrong drivers setup on the server. So I corrected the drivers and rebooted my test system several times, ran GPUpdate etc etc but it doesn't seem like its trying to run the policy again. I guess I could just delete and recreate the policy but it seems sort of weird (I'm looking at the eventlog on the test system and it doesn't seem like its trying to process that policy at all).

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



jmu posted:

So the new way of deploying printers using Group Policy preferences is pretty neato. I tried setting it up for a client and one issue I ran into is that after deploying the policy my test system tried to install several printers but failed because I had the wrong drivers setup on the server. So I corrected the drivers and rebooted my test system several times, ran GPUpdate etc etc but it doesn't seem like its trying to run the policy again. I guess I could just delete and recreate the policy but it seems sort of weird (I'm looking at the eventlog on the test system and it doesn't seem like its trying to process that policy at all).

Try GPUpdate /force if you haven't already. If they are user-assigned printers, those go in during logon so do that as well.

The Diddler
Jun 22, 2006



I got the reboot to work, thanks! Follow up question: is there any way to make this effect laptops that aren't on the network when the reboot is scheduled to run? It didn't appear that it would work, but I only messed with that for a few minutes.

Also, after you deploy Adobe products thru Group Policy, how do you find out about updates? I see some of them on the SANS RSS, but those seem to be the more critical fixes.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



Bob Cthulhu posted:

I got the reboot to work, thanks! Follow up question: is there any way to make this effect laptops that aren't on the network when the reboot is scheduled to run? It didn't appear that it would work, but I only messed with that for a few minutes.

Also, after you deploy Adobe products thru Group Policy, how do you find out about updates? I see some of them on the SANS RSS, but those seem to be the more critical fixes.

Once policy applies a scheduled task, they stay there until a policy refresh completes that removes them. So even if your laptops are only occasionally communicating with the domain, they'll still have the scheduled task sitting there ready to go.

As for adobe, I do the exact same thing with the SANS ISC feed and just re-deploy when an update comes out. It sucks, but Shavlik is a worse in my opinion and I don't want to get back in to that. Mostly I am banking on Microsoft pulling their head out of their rear end and opening up their automatic update framework to support 3rd party vendors in the next few years so this gets simplified. If you want to minimize the risk from Adobe products, check out my other thread on DEP. That shoots down most of those exploits easily.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

BangersInMyKnickers posted:

The Forced attribute will not override the Block Inheritance attribute of an OU or Domain.

So, I've been studying for my MCSE and I admittedly do not have much experience with GPOs.

One of the books I'm reading, it explained that a GPO with the Enforced attribute will apply down through the OU even if the OU explicitly has the Block Inheritance attribute.

The book is: 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

I'm confused, which is correct?

Also, on an unrelated note. We may be rolling out Windows 7 machines shortly but we still have an Active Directory 2003 Domain. Is there features that come with Server 2008 that will allow more control over Windows 7? Is Windows 7 able to be controlled with a 2003 Domain?

SaintofKillers
Jul 22, 2003
The most merciful thing in the world . . . is the inability of the human mind to correlate all its contents. - H.P. Lovecraft

Yes, that should be the case. In the Microsoft exams you always answer it the Microsoft way. Doesn't matter what your experience is. If it says it Enforced overrides Block Inheritance than it does.

Windows 7 works fine in a 2003 domain. Client Side extension can be setup in a 2003 domain to add most of the new group policy support as stated in this thread I believe.

The Diddler
Jun 22, 2006



IT Guy posted:

Also, on an unrelated note. We may be rolling out Windows 7 machines shortly but we still have an Active Directory 2003 Domain. Is there features that come with Server 2008 that will allow more control over Windows 7? Is Windows 7 able to be controlled with a 2003 Domain?

It works pretty well. I administer our 2003 domain from a Windows 7 machine.

I have a couple of questions, though. Someone in my company recently got busted playing minesweeper. Because of that, all games now need to be removed, and implementation has fallen on me. Is there any easier way to do this than by blocking access to the executables, and then creating hash rules for each game? I would think that this would be easier to do these days, but it doesn't look like it. And if I have to block executables, where can I find a list of the executable names for Vista and Windows 7? The XP names are all over the internet, but none of the other ones are.

I seem to remember someone mentioning a free VM solution with free guest OS's that work really good for testing group policies. I can't remember what thread this was in, though, and I didn't save the information. Does anyone know what I'm talking about?

The Diddler
Jun 22, 2006



Bob Cthulhu posted:

I have a couple of questions, though. Someone in my company recently got busted playing minesweeper. Because of that, all games now need to be removed, and implementation has fallen on me. Is there any easier way to do this than by blocking access to the executables, and then creating hash rules for each game? I would think that this would be easier to do these days, but it doesn't look like it. And if I have to block executables, where can I find a list of the executable names for Vista and Windows 7? The XP names are all over the internet, but none of the other ones are.

I figured it out: collect the games from each version of Windows and make a hash rule. I guess I was over-thinking it.

Gozinbulx
Feb 19, 2004


I just need to throw this out there since its a networking question:

At the network I manage, I put a computer on the domain which we use. As in, instead of having that XP screen where you click a series of pcitures representing a fixed set of users, it converted into a login prompt for a login and password.

all good.


for whatever reason (kinda stupid) I wanted to switch it back. in retrospect I think i should have just gone to my computer/properties/change ID or whatever it is and just deleted the domain name. instead i switch it to WORKGROUP and put it in some improvised name and when asked for a login, put it one from the network and for some reason it worked.

now im stuck with a login prompt that isnt for the domain and I dont seem to have any of the logins for it. everyone i tried failed, as if i were trying to login to a workgroup that has no members.

how in gods name can i get it back to something i can get into.

Erwin
Feb 17, 2006



Gozinbulx posted:

I just need to throw this out there since its a networking question:

At the network I manage, I put a computer on the domain which we use. As in, instead of having that XP screen where you click a series of pcitures representing a fixed set of users, it converted into a login prompt for a login and password.

all good.


for whatever reason (kinda stupid) I wanted to switch it back. in retrospect I think i should have just gone to my computer/properties/change ID or whatever it is and just deleted the domain name. instead i switch it to WORKGROUP and put it in some improvised name and when asked for a login, put it one from the network and for some reason it worked.

now im stuck with a login prompt that isnt for the domain and I dont seem to have any of the logins for it. everyone i tried failed, as if i were trying to login to a workgroup that has no members.

how in gods name can i get it back to something i can get into.

I don't quite understand what you're saying. Can't you just change the third field (log on to:) to the local computer and log in as a local account?

Also, this has nothing to do with this thread.

Ray_
Sep 15, 2005

It was like the Colosseum in Rome and we were the Christians." - Bobby Dodd, on playing at LSU's Tiger Stadium


Gozinbulx posted:

I just need to throw this out there since its a networking question:

At the network I manage, I put a computer on the domain which we use. As in, instead of having that XP screen where you click a series of pcitures representing a fixed set of users, it converted into a login prompt for a login and password.

all good.


for whatever reason (kinda stupid) I wanted to switch it back. in retrospect I think i should have just gone to my computer/properties/change ID or whatever it is and just deleted the domain name. instead i switch it to WORKGROUP and put it in some improvised name and when asked for a login, put it one from the network and for some reason it worked.

now im stuck with a login prompt that isnt for the domain and I dont seem to have any of the logins for it. everyone i tried failed, as if i were trying to login to a workgroup that has no members.

how in gods name can i get it back to something i can get into.

There are linux boot cds that will let change the password for local accounts.

This has nothing to do with group policy.

da sponge
May 24, 2004

..and you've eaten your pen. simply stunning.

Does AD in 2008 apply security filtering to GPOs differently than in 2003?

Example - create a new GPO in a computer OU. Under security filtering, remove authenticated users, replace with a security group of computers (including multiple computers in that OU).

In 2003, the members of the security group had that policy applied (I'm pretty sure). Policy modeling says the policy should be applied, but gpresult shows that the policy is denied on security filtering. Only after I manually delegate read permission to authenticated users does the policy apply. This doesn't make sense to me - the group the policy applies to is automatically delegated read permission when I add them to security filtering/apply the policy to it. Why does it need authenticated users delegated read permission for the group member when that member already has read & apply perms?

Dan Landry
Oct 30, 2003
Stone Dead Forever

da sponge posted:

This doesn't make sense to me - the group the policy applies to is automatically delegated read permission when I add them to security filtering/apply the policy to it. Why does it need authenticated users delegated read permission for the group member when that member already has read & apply perms?

Could it be a token issue? Maybe the machines need a reboot to pick up their new group memberships.

da sponge
May 24, 2004

..and you've eaten your pen. simply stunning.

Dan Landry posted:

Could it be a token issue? Maybe the machines need a reboot to pick up their new group memberships.

Nope, multiple reboots & gpupdate /force.

The Diddler
Jun 22, 2006



Regarding screensavers: I have a policy set to force the logon screensaver. Company policy requires the screensaver to be set and the the workstation to lock when the screensaver kicks in. People would turn them off, and the workstation would never lock. It's been 6 months, and people are still whining about not have kitties or whatever for their screensaver.

Is there any way to 'disallow' a screensaver? Specifically, I don't want them to be able to choose (None). I don't care what they have, as long as they have something.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



Bob Cthulhu posted:

Regarding screensavers: I have a policy set to force the logon screensaver. Company policy requires the screensaver to be set and the the workstation to lock when the screensaver kicks in. People would turn them off, and the workstation would never lock. It's been 6 months, and people are still whining about not have kitties or whatever for their screensaver.

Is there any way to 'disallow' a screensaver? Specifically, I don't want them to be able to choose (None). I don't care what they have, as long as they have something.

I have a feeling you're just going to need to pick one as a corporate standard and stick with it. Beyond that, there is a business case that screen savers leave displays on and waste power (and are pointless, we really don't have burn in issues anymore). You're better off setting the screen saver to the black one or something generic, enforcing a password lock for security if the screen saver comes up, and then setting the user's power settings for displays to correspond with the screen saver so the whole thing turns off and saves electricity.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

Bob Cthulhu posted:

Regarding screensavers: I have a policy set to force the logon screensaver. Company policy requires the screensaver to be set and the the workstation to lock when the screensaver kicks in. People would turn them off, and the workstation would never lock. It's been 6 months, and people are still whining about not have kitties or whatever for their screensaver.

Is there any way to 'disallow' a screensaver? Specifically, I don't want them to be able to choose (None). I don't care what they have, as long as they have something.

I'm in the same boat as you. If my user base can't have their ugly baby pics cycled through the screensaver then they freak the gently caress out. We are very lenient on policies around here.

The Diddler
Jun 22, 2006



BangersInMyKnickers posted:

I have a feeling you're just going to need to pick one as a corporate standard and stick with it.

That's what I thought. I have no problem with that, because if you're sitting there working, how does your screensaver even turn on? Also, screensaver names and filenames changed with Win 7. Sometimes I wonder if the people who develop Windows have ever actually used Windows.

macado
Jun 3, 2003

How to keep an idiot busy, Click here.

So I just moved to a new IT department within my existing company where I work and I am unable to remotely manage any computers using Computer Management nor can I access any of the hidden administration shares. I also tried by IP address rather than NetBIOS name. I'm thinking it's a group policy or a setting I am missing. As of now the group policies are pretty basic but Client Side Extensions was installed via our WSUS and I am going to eventually start customizing them a bit more.

I enabled the Remote Administation Group Policy because it was previously not configured. These are the settings I used:

Computer Configuration/Administative Templates/Network/Network Connections/Windows Firewall/Domain Profile
Windows Firewall: Allow remote administation exception: Enabled
Allow unsolicited incoming messages from: 100.12.204.0/24,100.12.206.0/24,100.12.55.0/24
My PCs are spread throughout about 3 subnets which I enabled by entering "100.12.204.0/24,100.64.206.0/24,100.12.55.0/24" (Note: These aren't my real subnets..)

Checked on PCs
-Windows firewall is enabled however it not set to Block File and Print Sharing. (Does this explicitly need to be enabled in a GPO for remote administration to work??)
-Remote Registery Service is enabled
-Computer Browser Service is disabled (Does this need to be enabled?)
-I am in the Administrator group on all computers
-I can ping computers and remote desktop into them fine.
-Forced group policy by doing gpupdate /force numerous times.




Any ideas?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



Here's what's in my firewall policy:

%windir%\PCHealth\HelpCtr\Binaries\Helpctr.exe:[your subnets]:Enabled:Remote Assistance
%windir%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:[your subnets]:Enabled:Offer Remote Assistance
%systemroot%\system32\sessmgr.exe:[your subnet]:Enabled Remote Assistance

Those get remote assistance working if you care (we let users connect to each other for that if they want).

Windows Firewall: Allow inbound file and printer sharing exception: Enabled, your management subnet

Allow ICMP exceptions: Enabled so you can ping

Allow inbound Remote Desktop exceptions: Enabled, whatever subnet works for you

Inbound port exceptions:

135:TCP:[management subnet]:Enabled:DCOM Does a lot of the RPC stuff work windows and you'll need it open if the Remote Management policy isn't working right.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

I seem to have a situation here.

We have several branches on slow connections. I'm trying to update our OfficeScan client with is 100MB. Therefore I want to copy it to each branches server where every computer has a mapped drive to with a specific drive letter.

For example.

Branch: 1
Server: serv1
Mapped Drive: M:\ (which is \\serv1\Folder)

Branch: 2
Server: serv2
Mapped Drive: M:\ (which is \\serv2\folder)

Can I create a single GPO that looks at the M:\ Drive for the file? When I goto set it up, it wants me to choose the file which I'm scared that the second branch will download and install from branch 1's server.

mute
Jul 17, 2004



IT Guy posted:

Can I create a single GPO that looks at the M:\ Drive for the file? When I goto set it up, it wants me to choose the file which I'm scared that the second branch will download and install from branch 1's server.

I remember dealing with something similar to this--I'm sure there is a better way, but I worked around it and cheated by calling a .bat file that points to the mapped drive/executable due to lack of time to get it solved. I don't know if that would work for your specific situation, though.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



I'm not really sure how to address your particular issue, but long-term shouldn't you be using DFS to get content locally mirrored to all the branches more efficiently?

Adbot
ADBOT LOVES YOU

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

BangersInMyKnickers posted:

I'm not really sure how to address your particular issue, but long-term shouldn't you be using DFS to get content locally mirrored to all the branches more efficiently?

Our site servers are Windows XP boxes

  • Locked thread
«31 »