  • Locked thread
emtoor
Feb 11, 2010

BangersInMyKnickers posted:

Assigning it under the user section publishes the program to their Add/Remove programs list where they can then install it manually (assuming they have admin rights). I don't know of a way to make it happen automatically through that. Some packages are made by monkey idiots and don't detect the OS language correctly, so you might want to hit the check box to tell the policy to ignore the language settings. Also, some don't like being executed by the system account. Not much to do about that one except scream and/or cry.

You could always write a logon/startup script really quickly that will do a registry check for the product and then run the installer if it isn't present.

Ahh drat. Well I guess I'll give my scripting skills a run for their money >< thanks man

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

emtoor posted:

Ahh drat. Well I guess I'll give my scripting skills a run for their money >< thanks man

I usually just do something like this:

code:
reg query "HKLM\Software\Classes\Installer\Products\[your package]" && goto end
msiexec /i "package" /qb! /norestart
:end
exit /b 0
and you're good.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

We have a bunch of admins in a Windows 2003 environment, a bunch of DC's at different sites.

Is there a way to see who the last person was that changed a group policy (or hell, moved a computer around to a different OU), and when they did it?

Also, is there some sort of CVS-like versioning system where we could roll back to what the group policy for the New York office was like 2 days ago?

Syano
Jul 13, 2005

Bob Morales posted:

We have a bunch of admins in a Windows 2003 environment, a bunch of DC's at different sites.

Is there a way to see who the last person was that changed a group policy (or hell, moved a computer around to a different OU), and when they did it?

Also, is there some sort of CVS-like versioning system where we could roll back to what the group policy for the New York office was like 2 days ago?

Audit directory service access

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Bob Morales posted:

Also, is there some sort of CVS-like versioning system where we could roll back to what the group policy for the New York office was like 2 days ago?

There is PowerShell integration that allows you to save a domain's policy to a dump file that you can include in the backup set, so you could pull that off tape and import it to revert changes.
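
One way to get dated snapshots and a rollback like the one asked about, as an added example that is not part of the original post. It assumes the GroupPolicy PowerShell module (RSAT on Windows 7 / Server 2008 R2 or later); the backup folder and the GPO name `New York Office` are placeholders.

```powershell
# Added example: dated GPO snapshots plus a rollback helper.
# Assumptions: GroupPolicy module is installed; $BackupRoot and the GPO name
# used at the bottom are placeholders, not values from the thread.
Import-Module GroupPolicy

$BackupRoot = 'D:\GPOBackups'   # placeholder: a folder that is in the backup set

function New-GpoSnapshot {
    # Back up every GPO in the domain into a folder named after today's date.
    param([string]$Root = $BackupRoot)

    $dir = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd')
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Backup-GPO -All -Path $dir -Comment "Snapshot $(Get-Date -Format s)" | Out-Null

    # The XML report is plain text, so two days can be compared with any diff tool.
    Get-GPOReport -All -ReportType Xml -Path (Join-Path $dir 'AllGPOs.xml')
    return $dir
}

function Restore-GpoFromSnapshot {
    # Roll one GPO back to the copy taken on a given day.
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][datetime]$Day,
        [string]$Root = $BackupRoot
    )

    $dir = Join-Path $Root $Day.ToString('yyyy-MM-dd')
    if (-not (Test-Path $dir)) {
        throw "No snapshot folder for $($Day.ToString('yyyy-MM-dd'))"
    }
    # Restores the most recent backup of that GPO found in $dir; asks first.
    Restore-GPO -Name $Name -Path $dir -Confirm
}

New-GpoSnapshot
# Restore-GpoFromSnapshot -Name 'New York Office' -Day (Get-Date).AddDays(-2)
```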

sanchez
Feb 26, 2003

Bob Morales posted:

We have a bunch of admins in a Windows 2003 environment, a bunch of DC's at different sites.

Is there a way to see who the last person was that changed a group policy (or hell, moved a computer around to a different OU), and when they did it?

Also, is there some sort of CVS-like versioning system where we could roll back to what the group policy for the New York office was like 2 days ago?

It sounds like you need to lock things down and delegate control more? Make it so admins at office X can only move computers and adjust policy for their own OU's.

Mully Clown
Aug 1, 2004

I handle my piss like the great big frilly girls blouse that I am
Or there is ActiveRoles if you want to take it to the next level. I don't have any permissions within Active Directory.

http://www.quest.com/activeroles-server/

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Mully Clown posted:

Or there is ActiveRoles if you want to take it to the next level. I don't have any permissions within Active Directory.

http://www.quest.com/activeroles-server/

You need to enable Advanced Features under the View menu. Or just use the Delegate Control wizard which will do most of the work for you.

Tsaven Nava
Dec 31, 2008

by elpintogrande
I'm in a crappy situation where I've got to try and convince the current network admin, who is a sperging "Install linux problem solved" old lady, that we should actually move to using Active Directory and Group Policy on our network of ~60 users. What's the best one-paragraph explanation of why we should take everyone off the various workgroups and put them into a domain and start using Active Directory to manage them?

(I TOTALLY want to do this and feel the network is an epic disaster, but I'm also not as experienced as I'd like to be with AD, see my "Baby's first server migration" thread for more details on what I'm dealing with)

Quebec Bagnet
Apr 28, 2009

mess with the honk
you get the bonk
Lipstick Apathy

Tsaven Nava posted:

I'm in a crappy situation where I've got to try and convince the current network admin, who is a sperging "Install linux problem solved" old lady, that we should actually move to using Active Directory and Group Policy on our network of ~60 users. What's the best one-paragraph explanation of why we should take everyone off the various workgroups and put them into a domain and start using Active Directory to manage them?

(I TOTALLY want to do this and feel the network is an epic disaster, but I'm also not as experienced as I'd like to be with AD, see my "Baby's first server migration" thread for more details on what I'm dealing with)

Do users do dumb things with company computers? If so, would you like to stop them from doing dumb things with company computers? Thanks to the magic of group policy you can centrally administer that.

Ray_
Sep 15, 2005

"It was like the Colosseum in Rome and we were the Christians." - Bobby Dodd, on playing at LSU's Tiger Stadium
Since this seems to be the Windows Admin/GPO thread, guess I'll post my question here.

I've got a majority XP environment, but have added a few Win7 machines lately - mostly because those machines have SSDs and I wanted the TRIM support. Anyway, I've been using a simple batch file for years and it works just fine on XP but the 7 machines lose all drives pretty regularly. It's set to run as a logon script inside a GPO. Here's the script:

code:
net use * /delete /y

net use i: \\servername\sharename
net use k: \\servername\sharename
net use n: \\servername\sharename
net use p: \\servername\sharename
I've searched around and apparently in 7, login batch files run with downgraded permissions. I couldn't find a good workaround online, though. Just a bunch of people with the same issue.

Anyone run into this? Have a good workaround? I don't have 7 or 2k8 on an admin machine to use the new drive mapping GPO, is that my only option?

sanchez
Feb 26, 2003
Install the admin tools on one of those random 7 machines, use that to create the GPO? They're much nicer than login scripts, may as well give it to your XP people too. (install client side extensions first)

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

sanchez posted:

Install the admin tools on one of those random 7 machines, use that to create the GPO? They're much nicer than login scripts, may as well give it to your XP people too. (install client side extensions first)

Yeah, you don't actually need a 2008 server to implement them; there's a patch for XP and it's built into 7 and that's all you need.

Ray_
Sep 15, 2005

"It was like the Colosseum in Rome and we were the Christians." - Bobby Dodd, on playing at LSU's Tiger Stadium

sanchez posted:

Install the admin tools on one of those random 7 machines, use that to create the GPO? They're much nicer than login scripts, may as well give it to your XP people too. (install client side extensions first)

I thought of that, problem is they're all for higher ups or power users so if there's any issues with a GPO it might be tough to get in front of the 7 box due to traveling, etc.

I'll probably end up rolling a 2k8 server on our ESX box for testing out stuff like Lync that requires it, just wondering if anyone had an alternate workaround.

FISHMANPET posted:

Yeah, you don't actually need a 2008 server to implement them; there's a patch for XP and it's built into 7 and that's all you need.

I know that, but thanks :)

peak debt
Mar 11, 2001
b& :(
Nap Ghost
You can always implement that with GPPs and use a WMI filter to only target the Windows 7 systems for now

Select * from Win32_OperatingSystem where Version = "6.1.7600"

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

peak debt posted:

You can always implement that with GPPs and use a WMI filter to only target the Windows 7 systems for now

Select * from Win32_OperatingSystem where Version = "6.1.7600"

That will also include 2k8R2, so fyi on that.
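
A way to preview a WMI filter on a machine before attaching it to a GPO, added here as an example and not part of the original posts. The `ProductType` clause and the `LIKE "6.1%"` match are this example's own additions, for keeping 2008 R2 out and for not depending on one exact build; it assumes Windows PowerShell, where `Get-WmiObject` is available.

```powershell
# Added example: evaluate candidate GPO WMI filters against a machine.
# A GPO WMI filter passes when its query returns at least one object.
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller,
# 3 = member server. Version is a string, so it is quoted in WQL.
$candidates = @(
    @{ Name  = 'Exact version (from the thread)'
       Query = 'SELECT * FROM Win32_OperatingSystem WHERE Version = "6.1.7600"' },
    @{ Name  = 'Any 6.1 build, workstations only'
       Query = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"' }
)

function Test-WmiFilter {
    # Returns $true when the query matches on the target, $false otherwise.
    param(
        [string]$Query,
        [string]$ComputerName = '.'
    )
    try {
        $hits = @(Get-WmiObject -Namespace 'root\CIMv2' -Query $Query `
                    -ComputerName $ComputerName -ErrorAction Stop)
        return ($hits.Count -gt 0)
    } catch {
        # A malformed query is reported instead of being treated as a match.
        Write-Warning "Query rejected: $($_.Exception.Message)"
        return $false
    }
}

# Show what the machine actually reports, then how each filter evaluates.
$os = Get-WmiObject -Class Win32_OperatingSystem
'{0}  Version={1}  ProductType={2}' -f $os.Caption, $os.Version, $os.ProductType

foreach ($c in $candidates) {
    '{0,-36} -> {1}' -f $c.Name, (Test-WmiFilter -Query $c.Query)
}
```

Run it on one Windows 7 workstation and one 2008 R2 server: the first filter evaluates the same on both when their builds match, while the second is true only on the workstation.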

ryo
Jan 15, 2003
I have a registry key I'd like to deploy to all Windows 7 machines in a 2003 domain. Is it possible to use group policy with a WMI filter to do this?

Would I have to make a script to apply the registry key (already made a .reg file) and put that in the startup script setting in a GPO?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

ryo posted:

I have a registry key I'd like to deploy to all Windows 7 machines in a 2003 domain. Is it possible to use group policy with a WMI filter to do this?

Would I have to make a script to apply the registry key (already made a .reg file) and put that in the startup script setting in a GPO?

If you're making the policy on a Windows 7/Vista machine, you can do it directly.



Then pair that with the WMI filter select * from Win32_OperatingSystem where BuildNumber > 6100 or whatever the hell it is.

ryo
Jan 15, 2003
I tried this (without the WMI filter, just applied it to an OU that had one computer in it)
But it didn't work, I did a gpresult /Z and it said that the policy was being applied but looking in regedit it hadn't been.
Before doing all this, I had created the key and deleted it in the registry of the client machine. Should that make a difference?

Also, our 2003 domain controller AFAIK doesn't have the client side extensions installed.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

ryo posted:

I tried this (without the WMI filter, just applied it to an OU that had one computer in it)
But it didn't work, I did a gpresult /Z and it said that the policy was being applied but looking in regedit it hadn't been.
Before doing all this, I had created the key and deleted it in the registry of the client machine. Should that make a difference?

Also, our 2003 domain controller AFAIK doesn't have the client side extensions installed.

I think the CSE need to be installed on the DC before these things will apply. If you're using WSUS it is really something that all workstations and servers should have.

Naramyth
Jan 22, 2009

Australia cares about cunts. Including this one.
oh god software deployment i dont know how i got here i am not very good with computers :ohdear:

I followed along with your Java deployment and was able to roll out Java 1.6.0_21 with a transform to a couple XP machines, but it will not go to a windows 7 box. I keep getting error 1612* in the event viewer on the machines that this tries to go to. However, I am able to run the installer from the Win 7 machines when logged in. I have both Domain Computers, Authenticated Users, and SYSTEM with full control on the file shares in question, the folders are not marked read only, and the policy is applying to Domain Computers and the OU has the drat computers in it.

I read somewhere that the file server OS would matter if it wasn't 2008r2, but it is.

What am I missing?

*The installation source for this product is not available

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Some packages are compiled wrong and don't work properly installing under the SYSTEM account. If that's the case, you might be screwed. I'm a little behind on my Java updates and haven't done u21 yet, so I haven't hit this. I'll play around with it tomorrow and see what I can come up with.

Naramyth
Jan 22, 2009

Australia cares about cunts. Including this one.

BangersInMyKnickers posted:

Some packages are compiled wrong and don't work properly installing under the SYSTEM account. If that's the case, you might be screwed. I'm a little behind on my Java updates and haven't done u21 yet, so I haven't hit this. I'll play around with it tomorrow and see what I can come up with.

I don't think it is a Java being retarded thing. I added Firefox, Flash, and Flash plugin to my GPO this morning and they all rolled out to an XP machine no problem, but they all failed with the 1612 error to my Windows 7 box. :saddowns:

e: wtf is with adobe reader? Are the folks who package that so self important that they want money to "redistribute" their free software via GPO? They are not the only game in town! Flash didn't have that problem. :argh:

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

Naramyth posted:

I don't think it is a Java being retarded thing. I added Firefox, Flash, and Flash plugin to my GPO this morning and they all rolled out to an XP machine no problem, but they all failed with the 1612 error to my Windows 7 box. :saddowns:

e: wtf is with adobe reader? Are the folks who package that so self important that they want money to "redistribute" their free software via GPO? They are not the only game in town! Flash didn't have that problem. :argh:

The license is free, you just have to apply to get it.

As for Java and Win 7, are you installing on 32 bit or 64 bit? I had to do some fuckery with the registry to get it to install because the 32 bit path was hard coded into the 32 bit installer and it died miserably running as SYSTEM on a 64 bit machine.

Naramyth
Jan 22, 2009

Australia cares about cunts. Including this one.

FISHMANPET posted:

The license is free, you just have to apply to get it.

As for Java and Win 7, are you installing on 32 bit or 64 bit? I had to do some fuckery with the registry to get it to install because the 32 bit path was hard coded into the 32 bit installer and it died miserably running as SYSTEM on a 64 bit machine.

Oh. :downs:

My windows 7 copies are 32 bit. :(

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Double posting time.

I'm trying to setup printers so that anybody that logs into the machine gets that machine's printers. I'm a GPO newbie so I know it's not working, but I have no idea how to see why.

I've created the GPO, and the scope is my test machine. The GPO is linked to the OU my machine is in. I've added the printer under user configuration > preferences > control panel settings > printers as a shared printer, and it doesn't work. Some things I see on the internet say I should use Item level targeting and target the GPO to an OU, but isn't that already done by linking the GPO to the OU?

quackquackquack
Nov 10, 2002
You set the printers up in the User Configuration, so they will apply to Users in that OU.

If you want them to apply to Computers in that OU, configure them in the Computer Configuration section, or configure them in the User Configuration section and turn on loopback processing.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

Noel posted:

You set the printers up in the User Configuration, so they will apply to Users in that OU.

If you want them to apply to Computers in that OU, configure them in the Computer Configuration section, or configure them in the User Configuration section and turn on loopback processing.

I had to configure them in the User section because you can't configure shared printers in computer. I managed to find out that I also needed to enable loopback.

So when I run gpresult, the policy is being applied under computer settings, but denied under user settings, which I guess makes sense, since the scope is only to my test machine.

But how can I tell what's actually happening?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Ok, I got the JRE rollout to work. Here is what I did.

First the MST. This is what mine looks like:



Those are the only modifications I made.

Once you are in your GPO and applying the MSI, make sure you do an Advanced deployment. One thing I noticed was that it was reporting that the package is language neutral. I've had problems with this in the past where if English isn't specified on the package, the user-mode install will work fine because it pulls that data out of the user's shell session but a system install fails. To correct this, go to the Deployment tab and Advanced. Hit the check box to "Ignore language when deploying this package". I would recommend always doing this anyway, since you know what software you're pushing out and you probably aren't dealing with a multi-lingual deployment.

After that was done, everything went as I expected for rolling it out.

Naramyth
Jan 22, 2009

Australia cares about cunts. Including this one.

BangersInMyKnickers posted:

:science:

Cool. I did get it working on XP, but Java (and Flash, Adobe Reader, and Firefox) won't roll out to my Windows 7 boxes. :(

I have a feeling it has something to do with the way SYSTEM is working on Windows 7. Did you have to do any UAC finagling to get things to deploy to Windows 7?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

The system account has total access to the computer, UAC isn't a factor. If you need to do debugging, make a command line tool that will run the install silently 'msiexec /i \\server\share\package /qn /norestart /le %temp%\install_error.log' and set that to a scheduled task to run with system credentials, then manually start it. If it doesn't work (and it probably won't) you should be able to look at the install_error.log file it generates in c:\windows\temp to get a good idea of exactly what is going on.

quackquackquack
Nov 10, 2002

BangersInMyKnickers posted:

The system account has total access to the computer, UAC isn't a factor. If you need to do debugging, make a command line tool that will run the install silently 'msiexec /i \\server\share\package /qn /norestart /le %temp%\install_error.log' and set that to a scheduled task to run with system credentials, then manually start it. If it doesn't work (and it probably won't) you should be able to look at the install_error.log file it generates in c:\windows\temp to get a good idea of exactly what is going on.

I prefer to use psexec instead of a scheduled task for this.

psexec.exe -s -i cmd.exe

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Noel posted:

I prefer to use psexec instead of a scheduled task for this.

psexec.exe -s -i cmd.exe

I thought Vista/Win7 blocked interactive system sessions?

quackquackquack
Nov 10, 2002
You can't use the old AT trick, but psexec works. I've tested it on Vista and 2008.

Naramyth
Jan 22, 2009

Australia cares about cunts. Including this one.

BangersInMyKnickers posted:

The system account has total access to the computer, UAC isn't a factor. If you need to do debugging, make a command line tool that will run the install silently 'msiexec /i \\server\share\package /qn /norestart /le %temp%\install_error.log' and set that to a scheduled task to run with system credentials, then manually start it. If it doesn't work (and it probably won't) you should be able to look at the install_error.log file it generates in c:\windows\temp to get a good idea of exactly what is going on.

:worship:

I feel just dense as gently caress right now. I downloaded psexec and did the following on my Windows 7 VM logged in as the OU admin.

1. Ran cmd as admin
1a) cd c:\pstools
2. 'psexec.exe -s -i cmd.exe'
2a) Which opened a new cmd box
3. In that new box: 'msiexec /i \\fileserver\myOU\shared\apps\java\jre1.6.0_21.msi /qn /norestart /le %temp%\install_error.log'

That created a log file, but it didn't have anything in it. If I remove the logging options I get an error window that says "The installation package could not be opened. Verify the package exists and that you can access it..."

So System can't see that share? I gave it full loving control! :argh:

:ninja:e: I tried the 'msiexec /i blah blah' from a non psexec prompt and it did install.

quackquackquack
Nov 10, 2002
Does the SYSTEM account have access to that share? I also seem to recall not being able to use UNCs like that from a command prompt (but I could be remembering wrong). I often make a batch file with the msiexec.exe command and run that.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Did you make sure that the Domain Computers group has read access to BOTH the share itself and the underlying NTFS directory structure?

JBark
Jun 27, 2000
Good passwords are a good idea.

Ray_ posted:

I've searched around and apparently in 7, login batch files run with downgraded permissions. I couldn't find a good workaround online, though. Just a bunch of people with the same issue.

Anyone run into this? Have a good workaround? I don't have 7 or 2k8 on an admin machine to use the new drive mapping GPO, is that my only option?

My company spent years fighting the Vista/7 UAC/login script/network drive problems, but I found a very simple fix for it when I finally got a chance to look at it:

http://technet.microsoft.com/en-us/library/ee844140%28WS.10%29.aspx

Create a new DWORD and set it to 1 - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections

That's it, all your login scripts will work just like they did with XP. Basically, the problem is caused by having Local Administrator rights with UAC enabled. The login script runs under the limited token for domain\username, but your session is running under the full token for domain\username. Windows treats these two as separate "accounts", so you don't see any drives/printers mapped through a login script. The fix allows these two accounts to share network connections.

Works like a drat charm, and should frankly be the default as far as I'm concerned. I created a basic adm file that had set this reg key, and created a GPO that applied it to all domain PCs.

peak debt
Mar 11, 2001
b& :(
Nap Ghost
SYSTEM is actually the same account as the computer. So if you run a program under SYSTEM on a PC called NYC-SRV1, the NYC-SRV1 account in AD needs to have access rights to all resources it needs. For the case of remote software installations like SCCM and stuff you typically assign the read right to "Domain Computers".
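
A check for the 1612 failure discussed in the posts above, added as an example and not taken from the thread. Run it from a SYSTEM prompt (for instance the `psexec.exe -s -i cmd.exe` session mentioned earlier) to see which identity is in use, whether that identity can open the MSI over the network, and what msiexec returns; the UNC path is a placeholder.

```powershell
# Added example: test an install source the way a GPO software install sees it.
# Placeholder path: replace with the real package on the file share.
param([string]$Package = '\\server\share\package.msi')

function Test-SourceReadable {
    # Try to open the file for reading and classify the failure, if any.
    param([string]$Path)
    try {
        $fs = [IO.File]::OpenRead($Path)
        $fs.Close()
        return 'OK'
    } catch {
        # .NET exceptions arrive wrapped; look at the underlying one.
        $e = $_.Exception.GetBaseException()
        if ($e -is [UnauthorizedAccessException]) {
            return 'ACCESS DENIED: check share AND NTFS permissions for the computer account'
        }
        if ($e -is [IO.FileNotFoundException] -or $e -is [IO.DirectoryNotFoundException]) {
            return 'NOT FOUND: path is wrong or the share is not visible to this account'
        }
        return "FAILED: $($e.GetType().Name): $($e.Message)"
    }
}

# Under SYSTEM, network access is made as the machine account (COMPUTERNAME$).
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
"Running as      : $me"
"Network identity: $env:USERDOMAIN\$env:COMPUTERNAME`$ (when running as SYSTEM)"

$result = Test-SourceReadable -Path $Package
"Source check    : $result"

if ($result -eq 'OK') {
    # /l*v writes a verbose log; under SYSTEM, %TEMP% is normally C:\Windows\Temp.
    $log  = Join-Path $env:TEMP 'install_verbose.log'
    $args = "/i `"$Package`" /qn /norestart /l*v `"$log`""
    $p = Start-Process -FilePath msiexec.exe -ArgumentList $args -Wait -PassThru
    "msiexec exit    : $($p.ExitCode)  (log: $log)"
    if ($p.ExitCode -eq 1612) {
        'Exit 1612: the installation source for this product is not available'
    }
} else {
    'Skipping msiexec: fix access to the source first.'
}
```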

Naramyth
Jan 22, 2009

Australia cares about cunts. Including this one.

BangersInMyKnickers posted:

Did you make sure that the Domain Computers group has read access to BOTH the share itself and the underlying NTFS directory structure?

I have access to the NTFS permissions but not the share permissions. I emailed the powers that be to see if I can get access to try it out. :hurr:

Thank you Bangers, you are awesome.
