|
Zedlic posted: I'm using WEP-PSK right now but I could switch to WPA if necessary. I actually tried setting up a GPO for only the laptops telling them to connect to the AP using WPA-PSK but it didn't give me the option of specifying the key itself. Maybe I'm missing something.

I've never had to do it personally, but if you look under Computer Config, Windows Settings, Security Settings, Wireless Network (IEEE 802.11) Policies you should see what you need:

Then you need to jump through a few hoops with importing a certificate on the clients (which you can also do through policy) which will supply the access key. Or maybe this is a situation where you should be using straight WPA2 and using LDAP for authentication, maybe with the computer system account credentials. Again, this isn't something I have had to do personally.

BangersInMyKnickers fucked around with this message at 17:21 on Mar 3, 2009 |
# ? Mar 3, 2009 17:17 |
|
|
BangersInMyKnickers posted: I've never had to do it personally, but if you look under Computer Config, Windows Settings, Security Settings, Wireless Network (IEEE 802.11) Policies you should see what you need:

I took the easy way out by plugging "net use x: //server/share" into a login script for all users. Apparently that's executed a bit later than drive map GPO's, so it worked.
|
# ? Mar 4, 2009 11:45 |
|
I only have XP clients on a 2003 domain so don't know if this is different in 2008 with Vista/7 clients. Whenever I have a wireless laptop acting funny with login scripts or Group Policy the thing that normally fixes it is this: http://support.microsoft.com/kb/840669/en-us

quote: Creating a Group Policy network start timeout policy
|
# ? Mar 26, 2009 19:37 |
|
ozmunkeh posted: GpNetworkStartTimeoutPolicyValue

Hmm, interesting timing. I was just coming in here to post a question about GPO-created drive preferences. I just switched our users over to having them created this way instead of via the old logon script method, and we're having sporadic complaints of "I logged in but I have no drives mapped" from end users. A logoff/logon, or a reboot tends to fix it, so I know it's no problem with the GPO itself, and no events are logged in the client's event log to indicate why the drive mappings aren't created... they just silently fail for reasons I don't understand. These aren't wireless clients, they're hardwired and don't really have any problems contacting either of our two DCs, so I'm a bit unsure about what to check as I'm not a Group Policy wizard.

Any thoughts? Is the KB ozmunkeh linked a good option to start with?
|
# ? Apr 1, 2009 21:00 |
|
I'm writing a script that captures environment information (e.g. Windows Update history, video adapter information, the like) using WMI over the network. I can't figure out how to get resolution and bit-depth information from dual-headed video cards - I can only get the resolution, etc. from the first monitor, not its sibling. I've tried Win32_DesktopMonitor, CIM_VideoController, etc... pretty much a lot of bullshit.

I'm inclined to think it cannot be done - I tried having Process Monitor open and changing the resolution of a monitor and apparently within that timeframe Windows accessed the registry 50,000 times, and the information is stored in incredibly retarded ways (current control set doesn't tell me what loving monitor goes with what resolution or what video card), and the only reliable way I've found even of counting how many monitors are attached is querying Win32_PNPDevice for everything that starts with display, but I can't figure out how to associate resolution settings with PnP device id.

I would appreciate being able to find this information out using some dos command but since this script will be used remotely and I can't install new software on the machines I'm pretty much limited to WMI, even though it seems inadequate for this particular task.
|
# ? Apr 1, 2009 22:11 |
|
I know you can query the data from HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Control\Video\{BLAHRGH some stupid SID BLARGH}\0000 and 0001, but the trick will be querying for the active display adapter SID and resolving that. Not exactly sure about a direct WMI call that will give you the info.
|
# ? Apr 1, 2009 22:18 |
|
BangersInMyKnickers posted: Ideally you would want to make a WMI filter that only applies if it does not see the Symantec Antivirus program installed on a system. Unfortunately at this point we hit a limitation with WMI filters that makes life difficult: WMI filters cannot be used to detect the absence of something and return a true value so the filter falls within scope. For this kind of thing you will need to revert to a batch script that runs a reg query that looks for the indicator key and then catch the error level and execute the rest of the batch file from there, either by doing file manipulation, registry merges, or msiexec commands. Hopefully in a future iteration of group policy you can customize a WMI filter to fall within scope on your choice of a true or false return instead of just true, but at this point the flexibility isn't there.

Why I needed a negative result:

We have typically been using Office 2003 Basic edition on our computers. This is Outlook, Word, and Excel. More people need to view PowerPoint presentations than need to create them, so I had the (free) PowerPoint Viewer 2007 being pushed out to everyone. I also had the Office 2007 Compatibility Pack being pushed out to everyone, which allows them to view Office 2007 files in Office 2003.

We don't do upgrades here all at one time. What happens is that basically someone's needs change and their existing old machine can't do what they need to do effectively anymore, so our upgrades are piecemeal. As I get new machines, I get Office 2007 for them. On a recent one I noticed that Windows Update had service packs for the compatibility pack and the viewer (which were both installed despite Office 2007 Standard, which includes PowerPoint, being installed). Now I wouldn't have cared since it didn't negatively affect things, even though it was redundant, but for some reason the service packs wouldn't install, and so it was always prompting for updates.

I wanted a way to have group policy NOT install these components if they weren't necessary. The compatibility pack shouldn't be installed if Office 2007 is installed (in my case, this means if Word 2007 and Excel 2007 are installed) and the PowerPoint viewer shouldn't be installed if PowerPoint 2007 is installed (but it should be installed if Office 2007 Basic was installed, or any other non-PowerPoint 2007 parts of Office).

The solution:

I created a policy called NegativeValues. This policy will assign values on the machine that I can then check for in WMI filters for installing software. I'm not using a separate policy for each value because I am not using a WMI filter on the policy itself, I'm using item-level filtering within the policy. Originally I was setting registry values, but then I found out that querying the registry through WMI is a pain in the rear end, so now I'm setting environment variables instead.

Computer Configuration -> Preferences -> Windows Settings -> Environment

These are easily queryable from WMI and don't take forever to process. I use the Replace action so that if the result of the item level targeting changes, the variable will be deleted (in theory; I have not tested this). I have it creating environment variables named NegativeValues_whatever but the name doesn't matter since you need to specify it in your WMI filter. You might want to make it something you and your other admins will recognize if you happen to be looking in the environment variables on any given system. The value doesn't matter because you're only really going to be checking for its existence. I just used 1.

On the common tab, you'll see a check box for item level targeting. Check that, click the targeting button, and then new item. Your choices here are a lot better than you can do with WMI alone, in my opinion, especially since you can use [multiple] WMI queries here if you want. In addition, you can negate any of these by changing it to IS NOT in the item options.

For my purposes, I did come up with a WMI query that could tell if an individual Office component was installed, but it took about 10 minutes to run with the CPU maxed on a newer dual core machine (only uses one core though), so it really wasn't viable. I found it a lot easier to just check for the existence (actually the lack of, using IS NOT) of the registry keys (HKLM\Software\Microsoft\Office\12\[Word|Excel|Powerpoint]) and it runs really fast.

Then I created a WMI filter, like Powerpoint2007Missing which consists of the following query: code:
|
# ? Jun 1, 2009 21:16 |
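An added example, not part of the thread (the post's own query did not survive on this page): a local PowerShell check that runs the kind of Win32_Environment query a WMI filter would use for the NegativeValues marker and compares the result with the registry condition from the item-level targeting. The function name and the variable name `NegativeValues_Powerpoint2007Missing` are assumptions; the registry path is the one given in the post and may need adjusting to the key actually present on a given Office build.

```powershell
# Added example, not from the thread. Test-NegativeValueMarker and the default
# variable name are assumed; the registry path is the one quoted in the post.
function Test-NegativeValueMarker {
    param(
        [string]$VariableName = 'NegativeValues_Powerpoint2007Missing',
        [string]$RegistryKey  = 'HKLM:\Software\Microsoft\Office\12\Powerpoint'
    )

    # The name is spliced into WQL below, so refuse anything that could
    # break out of the quoted string.
    if ($VariableName -notmatch '^[A-Za-z0-9_]+$') {
        throw "Unexpected characters in variable name: $VariableName"
    }

    # The query a WMI filter (namespace root\CIMv2) would run. A filter
    # evaluates to true when the query returns at least one instance.
    $wql = "SELECT Name, UserName, SystemVariable, VariableValue " +
           "FROM Win32_Environment WHERE Name = '$VariableName'"
    $instances  = @(Get-CimInstance -Namespace 'root/cimv2' -Query $wql)
    $filterTrue = $instances.Count -gt 0

    # The item-level targeting condition from the post: registry key IS NOT present.
    $keyPresent = Test-Path -LiteralPath $RegistryKey

    # The marker should exist exactly when the key is absent.
    $consistent = ($filterTrue -eq (-not $keyPresent))
    if (-not $consistent) {
        Write-Warning ("Marker and registry disagree: either the preference item " +
            "has not applied yet or a stale marker was left behind.")
    }

    [pscustomobject]@{
        Query           = $wql
        MarkerOwners    = ($instances | ForEach-Object { $_.UserName }) -join ', '
        WmiFilterResult = $filterTrue
        KeyPresent      = $keyPresent
        Consistent      = $consistent
    }
}

Test-NegativeValueMarker | Format-List
```

Running it before and after installing or removing the Office component shows whether the Replace action really deletes the marker, which the post says was not tested.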
|
Is anyone having a problem with drive maps in Vista? I have a few Vista machines here where the drive mapping policy is not working. It works on all of the XP machines, it works on some of the Vista machines, but not others. It works on my machine, but I don't think it's a problem of access rights because when I log on to one of the affected machines with my credentials, it still doesn't work. The odd thing is, I've looked through the event log and I can't find any errors. I've run the results and I see no problems; as far as I can tell the policy is definitely being applied, but I have no errors at all. I'm stumped.
|
# ? Jun 8, 2009 19:15 |
|
Are you using the new Vista/Server2008 Group Policy Preference Objects, or old-school logon scripts? If the former, and the Vista computers have UAC turned on, you'll need to follow this KB to make it work.
|
# ? Jun 10, 2009 16:49 |
|
Mierdaan posted:Are you using the new Vista/Server2008 Group Policy Preference Objects, or old-school logon scripts? If the former, and the Vista computers have UAC turned on, you'll need to follow this KB to make it work.
|
# ? Jun 10, 2009 19:39 |
|
Same behavior for all users? Does local admin vs not make any difference?
|
# ? Jun 10, 2009 20:17 |
|
Mierdaan posted: Same behavior for all users? Does local admin vs not make any difference?

Here's some new info: the other machine I thought was affected is a laptop, and I just realized he wasn't on a wire. When I had him reboot connected via wire it worked fine. So I think at the moment I'm down to this one machine. It's brand new (refurbed, but a new installation). I even took it off the domain and put it back on. I've tried gpupdate, both /force and /sync (over and over).
|
# ? Jun 10, 2009 21:26 |
|
Are you using 802.1x authentication on the wireless network? My google-fu is failing me right now but I seem to remember that the delay involved there can cause GP processing to fail over a wireless connection.
|
# ? Jun 10, 2009 21:37 |
|
The laptop turned out not to be affected. The one that is is a desktop and is wired only; sorry for the confusion.
|
# ? Jun 15, 2009 17:46 |
|
I'm trying to use the new RSAT Group Policy options on my domain and I noticed that those updates have been pushed out to some machines but not others. (All of our clients are Win XP, but I'm running the RSAT tools on a Vista machine.) I checked our WSUS server because I could've sworn that I had set the Client Side Extensions update to install on all our client machines. Unfortunately, a large number of machines are reporting the update as Not Applicable. Is there any way to override that NA setting in WSUS to ensure that KB943729 is installed on all machines?
|
# ? Jun 17, 2009 21:00 |
|
Model Camper posted: I'm trying to use the new RSAT Group Policy options on my domain and I noticed that those updates have been pushed out to some machines but not others. (All of our clients are Win XP, but I'm running the RSAT tools on a Vista machine.) I checked our WSUS server because I could've sworn that I had set the Client Side Extensions update to install on all our client machines.

There was some goofiness with SP3 and WSUS, where installing SP3 before the CSE's caused WSUS to think the update was no longer applicable. The MS WSUS team said that issue was resolved months ago through once the CSE's were verified to be fully SP3 compatible. Revision 1.03 of KB943729 was released on 11/25/09, do you have this version of the KB?
|
# ? Jun 17, 2009 21:13 |
|
BangersInMyKnickers posted: There was some goofiness with SP3 and WSUS, where installing SP3 before the CSE's caused WSUS to think the update was no longer applicable. The MS WSUS team said that issue was resolved months ago through once the CSE's were verified to be fully SP3 compatible. Revision 1.03 of KB943729 was released on 11/25/09, do you have this version of the KB?

KB943729 shows up twice in my WSUS list with one saying it has expired, but I'm not seeing revision 103 (only revisions 100 and 101). This server synchronizes every evening... any reason why it wouldn't pick up 103?
|
# ? Jun 17, 2009 21:50 |
|
Model Camper posted: KB943729 shows up twice in my WSUS list with one saying it has expired, but I'm not seeing revision 103 (only revisions 100 and 101). This server synchronizes every evening... any reason why it wouldn't pick up 103?

Which version of WSUS are you using? Is your upstream set to Microsoft or another WSUS server that might not be providing the update? I'm not too up on the inner-workings of WSUS, so if it is acting up I may not have anything more constructive for you than saying to dump the datastore and database and rebuild.
|
# ? Jun 17, 2009 22:04 |
|
BangersInMyKnickers posted: Which version of WSUS are you using? Is your upstream set to Microsoft or another WSUS server that might not be providing the update? I'm not too up on the inner-workings of WSUS, so if it is acting up I may not have anything more constructive for you than saying to dump the datastore and database and rebuild.

Currently running 3.0.6000.374, which as far as I can tell is just WSUS 3 without SP1. I'll update the SP and see if that makes any difference. It's the only update server we're running so the upstream is pointed at MS.
|
# ? Jun 17, 2009 22:14 |
|
Quite possibly a stupid question, but can anyone think of a way to use GPs to make Outlook 2003 only pick up emails from Exchange during a designated time period? I've had a rummage round the editor and can't see anything that looks like I could set up a scheduled task in it....
|
# ? Jun 18, 2009 01:35 |
|
Morlock posted:Quite possibly a stupid question, but can anyone think of a way to use GPs to make Outlook 2003 only pick up emails from Exchange during a designated time period? I've had a rummage round the editor and can't see anything that looks like I could set up a scheduled task in it....
|
# ? Jun 18, 2009 05:07 |
|
Misogynist posted:Exchange over MAPI is a push protocol. What are you hoping to accomplish?
|
# ? Jun 18, 2009 12:17 |
|
Morlock posted: Boss is pissed that managers on remote sites (connected over VPN) may be reading email when he wants them to be out on site working, so he wants it set up that they can't send or receive except at specified times. I think this is something that's best solved by actually, y'know, talking to them, but he disagrees and he's the boss. Since I already have them all in a "site managers" group with its own policy I was wondering if I could do it through that, since all I can seem to do in Exchange is set login hours rather than "login but no email" hours.

That's pretty dumb but hey, so is my idea. Set up a scheduled task to run ADModify to add a Deny Full Mailbox Access ACE to Mailbox Rights, then remove it in another task. You might actually have to do it with a similar hack in the end.
|
# ? Jun 18, 2009 14:41 |
|
Lacc posted: That's pretty dumb but hey, so is my idea.

(And yeah, he's going to give up the idea in a week tops, bet you. Sucks to be me, but he's got to see it not working to be convinced it won't.)
|
# ? Jun 18, 2009 15:25 |
|
Morlock posted: I might at that. I was just thinking about a script in scheduled tasks on the local PCs to block incoming connections to Outlook in the Windows Firewall, so I suspect our minds work similarly....

Outlook clients initiate the connection and the XP firewall won't do outbound filtering for you. You can mangle it together with an IPSec rule to prevent outbound traffic on the MAPI port and then toggle that (had to do something similar to block IRC traffic outbound from a terminal server), but I wouldn't recommend it.
|
# ? Jun 18, 2009 15:35 |
|
Would setting the logon hours for this guy's AD user account and then configuring the machine to strictly enforce them get the job done?
|
# ? Jun 18, 2009 15:36 |
|
BangersInMyKnickers posted:Would setting the logon hours for this guy's AD user account and then configuring the machine to strictly enforce them get the job done?
|
# ? Jun 18, 2009 15:50 |
|
BangersInMyKnickers posted: Outlook clients initiate the connection and the XP firewall won't do outbound filtering for you. You can mangle it together with an IPSec rule to prevent outbound traffic on the MAPI port and then toggle that (had to do something similar to block IRC traffic outbound from a terminal server), but I wouldn't recommend it.

I can see that going so, so horribly wrong though.
|
# ? Jun 18, 2009 15:52 |
|
Morlock posted: Hmmm - I can do timed rules on the Sonicwall that handles the VPN. Maybe a timed LAN-to-LAN block on the MAPI port?

That seems like the simplest way to do it that you have some hope of managing down the road. If you were working with Vista you could have some more options when it comes to blocking inbound/outbound connections for just Outlook in the firewall, but I understand if you haven't upgraded yet.
|
# ? Jun 18, 2009 16:07 |
|
BangersInMyKnickers posted: That seems like the simplest way to do it that you have some hope of managing down the road. If you were working with Vista you could have some more options when it comes to blocking inbound/outbound connections for just Outlook in the firewall, but I understand if you haven't upgraded yet.

Incidentally recent experimentation is showing that Outlook (2007 at least) doesn't pick up from Exchange automatically when blocked in the local Windows Firewall, though it does when you hit Send/Receive. I wonder if I could rely on user laziness in this matter?
|
# ? Jun 18, 2009 16:27 |
|
Morlock posted: Incidentally recent experimentation is showing that Outlook (2007 at least) doesn't pick up from Exchange automatically when blocked in the local Windows Firewall, though it does when you hit Send/Receive. I wonder if I could rely on user laziness in this matter?

If a user isn't getting mail, odds are the first thing they will do is mash send/receive. I think you are better off blocking the port so it throws a CANNOT CONNECT error.
|
# ? Jun 18, 2009 16:31 |
|
BangersInMyKnickers posted:If a user isn't getting mail, odds are the first thing they will do is mash send/receive. I think you are better off blocking the port so it throws a CANNOT CONNECT error.
|
# ? Jun 18, 2009 16:36 |
|
I'm sick of dealing with WebEx for remote support when most of our clients have their own Windows 2003 or 2008 domain controllers and we can create a group policy object to help us utilize the Remote Assistance feature that's built into Windows. So I'm currently trying to test this out.

In doing so, I've discovered that our internal network is apparently all kinds of hosed up. DFS hadn't been replicating for a while because somebody decided to put several 900 MB zip files in the share, and now it looks like sysvol is also having problems.

Here's the layout:
dc01 and as01 are domain controllers in the main office
in01 is a domain controller in the remote office (where I am)

I created the policy on dc01, specifically for a PC here that I'm testing with. When I reboot or do a gpupdate /force on the PC, I get an error in event log saying it can't find the path for the GPO. I check, sure enough, it's not there. I check \\domain\sysvol\domain.local\policies from dc01, the GUID is present. So my policies aren't replicating, swell.

I do some more digging, find that in01 is complaining that it's having problems replicating from as01. I verify the fqdn resolves, double-check that frs is running, that looks fine. From some searching I found the command ntfrsutl version as01.domain.local and that returns results (although apparently the major and minor version numbers are both 0 for NtFrsApi and NtFrs, which seems weird).

So at this point I'm a little stumped. I know that as01 has been through some hell recently, having been upgraded to 2003 SP2 then downgraded again to SP1 because SP2 broke some important software, so that may be contributing a little bit to the problem. Or maybe it's something completely different. Anyway, I really don't know what to check next. I just want to prove that this GPO works so that we can start rolling it out to other servers and I can stop using WebEx.

It'd probably be faster and easier to build a VM test network for this poo poo, but hey, troubleshooting NtFrs errors is good for me, right?
|
# ? Jun 19, 2009 14:31 |
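An added example, not part of the thread: a PowerShell comparison of the Policies folder on each domain controller's own SYSVOL share, which makes the symptom in the post above (a GPO GUID present on dc01 but missing where the client looks) visible per DC. The host names and `domain.local` are the ones used in the post; the function name `Compare-SysvolPolicies` is an assumption.

```powershell
# Added example, not from the thread. Compare-SysvolPolicies is an assumed name;
# dc01/as01/in01 and domain.local are the names used in the post.
function Compare-SysvolPolicies {
    param(
        [string[]]$DomainControllers = @('dc01', 'as01', 'in01'),
        [string]$DomainDnsName = 'domain.local'
    )

    $reachable = New-Object 'System.Collections.Generic.List[string]'
    $rows = foreach ($dc in $DomainControllers) {
        # Address each DC directly; \\domain\sysvol lets DFS pick a DC for you,
        # which hides exactly the difference being looked for.
        $root = "\\$dc\SYSVOL\$DomainDnsName\Policies"
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "$dc : cannot read $root"
            continue
        }
        $reachable.Add($dc)

        Get-ChildItem -LiteralPath $root -Directory |
            Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
            ForEach-Object {
                # GPT.INI carries the file-side version number of the GPO.
                $version = -1   # -1 = GPT.INI missing or unreadable
                $ini = Join-Path $_.FullName 'GPT.INI'
                if (Test-Path -LiteralPath $ini) {
                    $hit = Select-String -LiteralPath $ini -Pattern '^\s*Version\s*=\s*(\d+)' |
                        Select-Object -First 1
                    if ($hit) { $version = [long]$hit.Matches[0].Groups[1].Value }
                }
                [pscustomobject]@{ DC = $dc; Gpo = $_.Name.ToUpper(); Version = $version }
            }
    }
    if (-not $rows) { return }

    # Report only GPOs that are absent on a reachable DC or differ in version.
    foreach ($g in ($rows | Group-Object -Property Gpo)) {
        $present  = @($g.Group | ForEach-Object { $_.DC })
        $missing  = @($reachable | Where-Object { $present -notcontains $_ })
        $versions = @($g.Group | ForEach-Object { $_.Version } | Sort-Object -Unique)
        if ($missing.Count -gt 0 -or $versions.Count -gt 1) {
            [pscustomobject]@{
                Gpo       = $g.Name
                MissingOn = $missing -join ', '
                Versions  = ($g.Group | ForEach-Object { '{0}={1}' -f $_.DC, $_.Version }) -join ', '
            }
        }
    }
}

Compare-SysvolPolicies | Format-Table -AutoSize
```

An empty result means every readable DC holds the same set of policy folders at the same GPT.INI version; a row with `MissingOn` filled in points at the replica that FRS has not reached.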
|
What's with all the double negatives in group policy settings? It always makes me pause and think "is this going to do what I think or exactly the opposite"

"Change to false to disallow the allowing of disallowing not allowing the user to run task"
|
# ? Jun 19, 2009 15:33 |
|
talk show ghost posted: What's with all the double negatives in group policy settings? It always makes me pause and think "is this going to do what I think or exactly the opposite"

It seems to mostly happen with settings that are disabled in the OS by default, but it still sucks and I wish Microsoft would clean up their templates.

BRC, you may want to bounce that FRS issue off Cidrick. I'm not too up on the diagnostic tools for troubleshooting replication issues but I think he is fairly experienced with it.
|
# ? Jun 19, 2009 15:41 |
|
talk show ghost posted:What's with all the double negatives in group policy settings? It always makes me pause and think "is this going to do what I think or exactly the opposite"
|
# ? Jun 19, 2009 15:45 |
|
Any idea if the servers would implode if I just, say, manually copied the policy folder I'm wanting to test with to the server that isn't getting it via replication?
|
# ? Jun 19, 2009 18:09 |
|
Does anyone here know if you can install RSAT on Windows7 RC? I have been trying to do this, and have even downloaded the RSAT tool for Windows 7 from Microsoft's website:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d#filelist

All that this does, is give me an error stating: "This update is not applicable to your computer"

Any help with this would be greatly appreciated!
|
# ? Aug 14, 2009 18:40 |
|
pyrotherm posted: Does anyone here know if you can install RSAT on Windows7 RC?

quote: Remote Server Administration Tools for Windows 7 can be installed on computers that are running the Enterprise, Professional, or Ultimate editions of Windows 7.
|
# ? Aug 14, 2009 21:38 |
|
|
Any clue why I can't RDP into a Server 2008 terminal services server with NLA flipped on using an account from a trusted domain? Flipping off NLA or connecting using an account from the TS server's native domain with NLA enabled works fine. I get a "The Local Security Authority cannot be contacted" error in the first situation. My google-fu is failing me here.
|
# ? Sep 1, 2009 20:29 |