NihilismNow
Aug 31, 2003

Erwin posted:

When I worked at a public school district, I became good at getting software to work without admin rights. The first thing to do is update the user to Windows 7 if you can. If not:

Fire up process explorer, then fire up the software and see where it writes (or let it update and see where that writes). Then give the user write access to those locations. If the location is a horrible place like c:\windows and the software creates a file when it runs and deletes it when it exits, a good trick is to run the software, set the file as read-only so the software can't delete it, then exit.

Application compatibility toolkit is great at analysing and remediating these issues. Specifically the standard user analyzer.

http://www.microsoft.com/downloads/details.aspx?familyid=24da89e9-b581-47b0-b45e-492dd6da2971&displaylang=en


ytisomauq
Dec 15, 2000

FISHMANPET posted:

I did some more thinking and digging, and found the GPO stuff in 2008 that does drive mappings. The way this domain was doing it before was by running login scripts that would 'net use' the drive in question.

Now to update all our clients to SP3 so I can use this :rolleye:

It's worth it. I used a script to manage mapped drives based on group membership and it was a lot of code. Now in GPO, you can item-level target based on a whole slew of things, it's quite nice. And you don't need to know how to read VBS to understand or make changes.

The changes added in 2008 are really amazing.

The Diddler
Jun 22, 2006


ytisomauq posted:

It's worth it. I used a script to manage mapped drives based on group membership and it was a lot of code. Now in GPO, you can item-level target based on a whole slew of things, it's quite nice. And you don't need to know how to read VBS to understand or make changes.

The changes added in 2008 are really amazing.

Can you get the drive mappings to work without a 2008 DC? I admin my GPO's from a Win7 box, but it's a 2003 domain with XP, Vista, and Win7 clients. It'd be pretty cool to set up drive mappings and not have to worry about scripts and stuff.

quackquackquack
Nov 10, 2002
The clients need the GPP CSEs (can be installed through WSUS), and you need one computer running 7/2008 to configure them, but you do not need 2008 DCs.

Ceros_X
Aug 6, 2006

U.S. Marine
Hey, a Group Policy thread! I figured I would share what happened at work (DoD) today. I'm in the office working right along when we get an e-mail from the head of C-4 (base tech) telling us not to restart our computers. Apparently, NMCI, our outsourced tech support, decided to push a policy across the network to blacklist yet more applications. Except, they accidentally blacklisted all of the applications. So anyone who happened to have given this policy a chance to be applied could no longer run any programs.

I'm sure somewhere, someone got poo poo canned. After about an hour it was fixed with a restart.

Serfer
Mar 10, 2003

The piss tape is real



Ok, I have a question that should hopefully be simple. We're finally moving off of Novell based servers and going to Windows based ones. With the group policy deployment, I don't think there's an easy way to do drive mappings the way we used to...

We used to have the drives get mapped based on what location you were physically in, and also what groups you were in. Without creating a couple dozen group policy objects, I don't think there's a good way to do this, correct?

I mean, not without using a KiXtart script or something like that.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Serfer posted:

Ok, I have a question that should hopefully be simple. We're finally moving off of Novell based servers and going to Windows based ones. With the group policy deployment, I don't think there's an easy way to do drive mappings the way we used to...

We used to have the drives get mapped based on what location you were physically in, and also what groups you were in. Without creating a couple dozen group policy objects, I don't think there's a good way to do this, correct?

I mean, not without using a KiXtart script or something like that.

You can link specific GPOs to AD sites instead of OUs. I've never really gone down that route, but it may do what you want.

sanchez
Feb 26, 2003

BangersInMyKnickers posted:

You can link specific GPOs to AD sites instead of OUs. I've never really gone down that route, but it may do what you want.

I have used that feature once, to prank a coworker. Nobody ever checks the Sites tree, or uses RSOP...

Seems like it'd be useful for printer deployment though.

subl1me
Feb 2, 2008

I'm having a huge problem with something so simple and it's doing my head in.

I've got 5 different organisational units I want to apply 2 different policies to that both involve screensaver locking after x minutes (5 and 60 respectively).

I haven't touched the default domain policy and created 2 new policies with each of the different screensaver/lock settings and then linked them to the OU's I want to apply them to. But it doesn't appear to be working at all. It doesn't apply the screensaver or lock after the specified time in any of the groups.

This is on SBS 2008 with Windows XP Pro sp3 clients.

Quick addition: If I place either of the newly created policies at the root it applies to everyone fine without any problems.

Not sure where I'm going wrong here, is there something fundamental I'm missing?

sanchez
Feb 26, 2003

subl1me posted:

I'm having a huge problem with something so simple and it's doing my head in.

I've got 5 different organisational units I want to apply 2 different policies to that both involve screensaver locking after x minutes (5 and 60 respectively).

I haven't touched the default domain policy and created 2 new policies with each of the different screensaver/lock settings and then linked them to the OU's I want to apply them to. But it doesn't appear to be working at all. It doesn't apply the screensaver or lock after the specified time in any of the groups.

This is on SBS 2008 with Windows XP Pro sp3 clients.

Quick addition: If I place either of the newly created policies at the root it applies to everyone fine without any problems.

Not sure where I'm going wrong here, is there something fundamental I'm missing?

You are definitely applying user policies to users and computer policies to computers?

subl1me
Feb 2, 2008

Yup, I'm only applying these to users.

So for example the two policies I've created are under: user configuration - admin templates: policy definitions - control panel - display

And the security filtering is against Authenticated Users.

Then the templates are applied to the OU's where I've split the users up into.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Use the results modeling tool to see if the policy will actually apply to a user in that OU and if not it should give you an idea why it is falling out of scope. Or the GPRESULT tool can be useful to see if said users are getting the policy but it is corrupt or being ignored for some reason.

rscott
Dec 10, 2009

IT Guy posted:

This is my co-worker, a sysadmin who think he knows a lot about computers. I spend most of my day fixing poo poo he breaks. He was hired because he knew the right people, not because he actually is capable of doing his job.

He has Windows 7, UAC turned off of course. Aero disabled, taskbar back to classic and start menu as classic as he can get it.

He wonders why he is the only one whose computer locks up solid on a daily basis.

I don't get this, the new start menu is loving awesome and is pretty much the best feature of windows 7 besides the ability to move program groups around on the taskbar. I'll admit I have UAC turned down pretty low because I hate when it dims my desktop and steals focus for poo poo.

subl1me
Feb 2, 2008

BangersInMyKnickers posted:

Use the results modeling tool to see if the policy will actually apply to a user in that OU and if not it should give you an idea why it is falling out of scope. Or the GPRESULT tool can be useful to see if said users are getting the policy but it is corrupt or being ignored for some reason.

Thanks guys, I'll take a look and see if something's up this way.

Rooster Brooster
Mar 30, 2001

Maybe it doesn't really matter anymore.

subl1me posted:

Thanks guys, I'll take a look and see if something's up this way.

One thing that has made me want to whack my dick in a drawer was finding out that the computers have a loopback policy applied, overwriting any user policy I was trying to send. Something to check.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
Is there any downside to having heaps and heaps of policies?

In our current environment a lot of settings are all thrown in together and it's sometimes hard to track down which policy has a particular setting.
In our new environment I want to separate out a bunch of settings into their own policy, for ease of administration.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Swink posted:

Is there any downside to having heaps and heaps of policies?

In our current environment a lot of settings are all thrown in together and it's sometimes hard to track down which policy has a particular setting.
In our new environment I want to separate out a bunch of settings into their own policy, for ease of administration.

Not really, as long as you name them properly so you can keep track of them it doesn't matter. I actually prefer to keep policies separate. Don't need to get crazy with separating everything, but keep things manageable, so when troubleshooting it's easier.

sanchez
Feb 26, 2003

Swink posted:

Is there any downside to having heaps and heaps of policies?

In our current environment a lot of settings are all thrown in together and it's sometimes hard to track down which policy has a particular setting.
In our new environment I want to separate out a bunch of settings into their own policy, for ease of administration.

I get wtf looks for this sort of thing sometimes, like skipdogg says, especially with software deployment, it's nice to separate them out. The generic workstation policy has a bunch of stuff in it though, no reason to split that up. (Restricted = group based, everything else is scoped to authenticated users)


BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

I really really wish the management console had some way to create a folder structure for the policies container. Once you get up to the 50 range it can become a pain in the butt even with a solid naming scheme.

Mully Clown
Aug 1, 2004

I handle my piss like the great big frilly girls blouse that I am

BangersInMyKnickers posted:

I really really wish the management console had some way to create a folder structure for the policies container. Once you get up to the 50 range it can become a pain in the butt even with a solid naming scheme.

I've never used it but Advanced Group Policy Management which is part of MDOP could be worth a look. You could at least Search and Filter then.

saminnes
Dec 28, 2008
Hi everyone, I'm working on a multiple site environment and trying to troubleshoot group policy. I've noticed something that seems random.

When running a GPRESULT on a workstation the "Group Policy was applied from:" seems to pick a domain controller at random, I can't find out how this selection is made, can anyone help?

sanchez
Feb 26, 2003

saminnes posted:

Hi everyone, I'm working on a multiple site environment and trying to troubleshoot group policy. I've noticed something that seems random.

When running a GPRESULT on a workstation the "Group Policy was applied from:" seems to pick a domain controller at random, I can't find out how this selection is made, can anyone help?

Are your DC's assigned to specific sites/subnets? It should always use one in the same site.

saminnes
Dec 28, 2008
Thanks for getting back to me, strangely it is picking DC's from other subnets and sites even though there is a perfectly functional one in their own site/subnet. I thought this might possibly be a DNS round robin problem.

Syano
Jul 13, 2005
Make sure active directory sites and services has the appropriate subnet objects in place and that they are assigned correctly to their corresponding sites.

devmd01
Mar 7, 2006

Elektronik
Supersonik

sanchez posted:

I get wtf looks for this sort of thing sometimes, like skipdogg says, especially with software deployment, it's nice to separate them out. The generic workstation policy has a bunch of stuff in it though, no reason to split that up. (Restricted = group based, everything else is scoped to authenticated users)



Any suggestions/tips/pitfalls I should know about for deploying Adobe Reader / Flash / Java via GPOs off of DFS? I'm initiating a project to make exactly this happen and while the Adobe documentation is very thorough, it never hurts to hear from someone who has done it.

This will be my first application deployment via GPO, with our environment it's just not feasible to get 100% distribution of application updates utilizing Altiris.

I just looked up Sun's documentation on Java distribution via GPOs and had to laugh - Adobe's is step by step with plenty of screenshots and detail, Java's is "here's how to get the file, you should know how to do this once you have it."

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Flash is dead simple. Google "download flash MSI" and it is the first link to their super-secret MSI installer page (they want you to do the application to apply for a license to internally re-distribute their products). For Java, download the full offline exe install and start to run it, when the first window comes up open up your %temp% directory and find the newest stuff written there and it should be your msi package. You can build a transform off the Properties table to try and disable stuff like the auto-updater agent and the JRE speedload service, but good loving luck because it's never honored those for me in the past. As for Adobe Reader, just make sure that people don't try to manually update after policy installs it or you're going to be seeing some goofy-rear end registry error and may have to do some manual cleanup in HKCR\Installer\Products.

ozmunkeh
Feb 28, 2008

hey guys what is happening in this thread

devmd01 posted:

I just looked up Sun's documentation on Java distribution via GPOs and had to laugh - Adobe's is step by step with plenty of screenshots and detail, Java's is "here's how to get the file, you should know how to do this once you have it."

Well, there's not much to Java install.

There's probably a better way (isn't there always) but this is the way I do it:
1. download latest installer and fire it up
2. get the CAB and MSI from the "jre1.x.0_xx" folder in %APPDATA%\Sun\Java\ and put them somewhere with appropriate permissions like \\fileserver\deploypath\java\<version>
3. create a MST with Orca and modify the property section to remove all the autoupdate bullshit
4. add to software installation GPO

Flash gets installed with a startup script and Reader needs all that customization wizard crap because it's a giant stinking piece of poo poo.

edit: like a red-headed stepchild

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Does Orca have much additional functionality over InstEd? The first time I tried to use Orca, it seemed way over-powered and complicated for the kind of transform building I was doing. But maybe I'm missing out on something.

devmd01
Mar 7, 2006

Elektronik
Supersonik
Thanks, and thanks. Good to know I'm on the right path so far. I'm familiar with the retarded "redistribution license" and the Adobe customization wizard, so this shouldn't be too hard to accomplish.

Now I just need to productize my customer-centric methods and rightshore my permissions when I touch base with the server team for access to make it pop.

ozmunkeh
Feb 28, 2008

hey guys what is happening in this thread

BangersInMyKnickers posted:

Does Orca have much additional functionality over InstEd? The first time I tried to use Orca, it seemed way over-powered and complicated for the kind of transform building I was doing. But maybe I'm missing out on something.

Orca was the first thing I came across when I needed to make transforms so it's either that or Camwood's Appeditor. They're both on the context menu so it's really a crapshoot which one gets used at any given moment. I've just downloaded InstEd and will take a look at that also, thanks.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

ozmunkeh posted:

Orca was the first thing I came across when I needed to make transforms so it's either that or Camwood's Appeditor. They're both on the context menu so it's really a crapshoot which one gets used at any given moment. I've just downloaded InstEd and will take a look at that also, thanks.

InstEd is the successor to AppEditor since they stopped development for it. I think it is just bugfixes at this point.

devmd01 posted:

Thanks, and thanks. Good to know I'm on the right path so far. I'm familiar with the retarded "redistribution license" and the Adobe customization wizard, so this shouldn't be too hard to accomplish.

Now I just need to productize my customer-centric methods and rightshore my permissions when I touch base with the server team for access to make it pop.

I recommend A Gun.

devmd01
Mar 7, 2006

Elektronik
Supersonik

BangersInMyKnickers posted:

I recommend A Gun.

Way ahead of you. It's really loving annoying being "desktop administrator" and not having permissions to edit/create GPOs. I have to send off a ticket for that kind of stuff on a regular basis, despite me being on the same team as the two guys who have full ad access besides our boss.

sanchez
Feb 26, 2003

devmd01 posted:

Any suggestions/tips/pitfalls I should know about for deploying Adobe Reader / Flash / Java via GPOs off of DFS? I'm initiating a project to make exactly this happen and while the Adobe documentation is very thorough, it never hurts to hear from someone who has done it.


You will notice flash is unlinked at the moment, it seemed to stall while installing on pc's that already had flash. I didn't have time to mess with it further, it might be fine now. Just test everything first.

Adobe is fine with the customization tool, although you need to add the updates to your install point in a specific, not exactly sequential order (9.0->9.1.0->9.1.2->9.2->9.3). If you install for example, 9.1.3, it all breaks. For Java we use the MSI per Bangers with another script that runs separately to disable the auto update.

sanchez fucked around with this message at 21:46 on Aug 6, 2010

Serfer
Mar 10, 2003

The piss tape is real



I've been trying to set up a group policy to do drive maps (we're migrating from Novell to Windows, finally), but it seems like it's failing.

I get this error on the server:
The client-side extension caught the unhandled exception '0xC0000005' inside: 'threadEntry : client main' See trace file for more details.

And there doesn't seem to be a trace file on either the server or the client, and the drives don't map. Client is Win7, server is 2003.

I've fallen back to login scripts for now, but group policy should be working for this... Any ideas?

devmd01
Mar 7, 2006

Elektronik
Supersonik
Finally got access to create/modify group policy and apply them to a testing OU. As dumb as it sounds, this just made my day - no more loving around sending off tickets to other people for something I can do myself in 5 minutes.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Is there a group policy that defines what log on domain is selected by default?

It's normally not a problem, but after I install a machine with SCCM, it defaults to local machine and hides the drop down box, and I'm afraid my users will get confused. We've already got a policy that blanks out the username, so I know you can do something to the box.

devmd01
Mar 7, 2006

Elektronik
Supersonik
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName
and
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultDomainName

http://www.msfn.org/board/topic/79275-set-default-log-on-to-domain-through-gpo/

devmd01
Mar 7, 2006

Elektronik
Supersonik
One more n00b question regarding distribution points for GPO software installation.

How do I assign share security so the computers can access it during startup? We already have a DFS share set up across our 150+ locations to the local server, and I have full access to said share to add the applications to it as the install point. We currently have two main security groups assigned, "Sharename_RO" and "Sharename_FA." What/how do I add computer accounts to it in order to make it accessible?

The GPOs I set up today in our testing container are applied to the PC, and it flashes by "installing managed software adobe flash" or whatever for a minute, then goes to the login screen. Event viewer message is that the installation source is unavailable.

Ideally we would only add specific OUs themselves and not any users except for a systemwide special purpose one that this dfs share was originally created for. If that's not how it works, please enlighten me. :)

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

You should have a default Domain Computers security group that all computer objects are a member of. Just like users, computers have their own access rights and objects, they are just hidden by default in most views (trailing dollar sign). Give the distribution share read access to that group and you should be all set for anything firing off with system credentials on your domain. You might want to create a dedicated DFS mount point for just this.
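Added example, not part of any post in this thread: a PowerShell check of the NTFS ACL on a software installation source, confirming that computer accounts can read it and flagging principals outside the expected admin set that could modify packages the machines install with system credentials. The function name, the `*\Domain Admins` pattern and the UNC path in the usage comment are assumptions; `Sharename_RO` and `Sharename_FA` are the group names quoted in devmd01's post.

```powershell
# Added example (not from the thread). Audits the NTFS ACL on a GPO software
# installation source. Share-level and DFS permissions are NOT read here and
# must also allow the computer account.
function Test-DeployShareAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Principals through which computer accounts get read access. Group
        # nesting is not resolved, so list the group that appears on the ACL
        # (the thread puts Domain Computers inside 'Sharename_RO').
        [string[]]$ComputerReaders = @(
            '*\Domain Computers', '*\Sharename_RO',
            'NT AUTHORITY\Authenticated Users', 'Everyone'
        ),
        # Principals allowed to change packages (assumed set; adjust).
        [string[]]$ExpectedWriters = @(
            'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
            'CREATOR OWNER', '*\Domain Admins', '*\Sharename_FA'
        )
    )

    $rights    = [System.Security.AccessControl.FileSystemRights]
    $readMask  = [int]$rights::ReadAndExecute
    # Any of these bits lets a principal replace or re-permission a package.
    $writeMask = [int]($rights::Write -bor $rights::Delete -bor
                       $rights::DeleteSubdirectoriesAndFiles -bor
                       $rights::ChangePermissions -bor $rights::TakeOwnership)
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Inherit-only entries do not apply to the folder itself, so skip them.
    $aces = (Get-Acl -Path $Path).Access |
        Where-Object { ([int]$_.PropagationFlags -band $inheritOnly) -eq 0 }

    $canRead = $false
    $denied  = $false
    $writers = @()
    foreach ($ace in $aces) {
        $id   = $ace.IdentityReference.Value
        $mask = [int]$ace.FileSystemRights
        $isReader = $false
        foreach ($p in $ComputerReaders) { if ($id -like $p) { $isReader = $true } }

        if ($ace.AccessControlType -eq 'Deny') {
            # A Deny on any read bit for a reader principal overrides Allow.
            if ($isReader -and ($mask -band $readMask) -ne 0) { $denied = $true }
            continue
        }
        if ($isReader -and ($mask -band $readMask) -eq $readMask) { $canRead = $true }

        if (($mask -band $writeMask) -ne 0) {
            $expected = $false
            foreach ($p in $ExpectedWriters) { if ($id -like $p) { $expected = $true } }
            if (-not $expected) { $writers += $id }
        }
    }

    New-Object PSObject -Property @{
        Path              = $Path
        ComputersCanRead  = ($canRead -and -not $denied)
        UnexpectedWriters = @($writers | Select-Object -Unique)
    }
}

# Usage with a placeholder path:
# Test-DeployShareAcl -Path '\\fileserver\deploypath'
```

A result with `ComputersCanRead` true while clients still report the installation source as unavailable points at the share-level or DFS target permissions rather than NTFS.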


devmd01
Mar 7, 2006

Elektronik
Supersonik
I figured it out about 10 minutes before you posted, but thanks!

I wanted a separate DFS mount point, but they'd have to go touch 100+ servers to do it.

Edit: Okay so now I'm confused. Maybe I need to wait a while for dfs replication to do its magic, but I've worked my way back through the permissions on the share, Domain Computers are in the read only Security Group that has read/list folder contents/execute permissions, my test vm computer is getting the correct policies, but it still can't access the install share.

edit2: pointed the policy for update installation to a share I created on a server I control, and it runs through fine, so clearly there's still an issue with permissions somewhere in the DFS share. Time to go back to the windows admin guys!

devmd01 fucked around with this message at 19:19 on Aug 12, 2010
