IT Guy
Jan 12, 2010

You people drink like you don't want to live!

BangersInMyKnickers posted:

The Forced attribute will not override the Block Inheritance attribute of an OU or Domain.

So, I've been studying for my MCSE and I admittedly do not have much experience with GPOs.

One of the books I'm reading explained that a GPO with the Enforced attribute will apply down through the OU even if the OU explicitly has the Block Inheritance attribute.

The book is: 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

I'm confused, which is correct?

Also, on an unrelated note: we may be rolling out Windows 7 machines shortly, but we still have an Active Directory 2003 domain. Are there features that come with Server 2008 that will allow more control over Windows 7? Can Windows 7 be controlled with a 2003 domain?


IT Guy

Bob Cthulhu posted:

Regarding screensavers: I have a policy set to force the logon screensaver. Company policy requires the screensaver to be set and the workstation to lock when the screensaver kicks in. People would turn them off, and the workstation would never lock. It's been 6 months, and people are still whining about not having kitties or whatever for their screensaver.

Is there any way to 'disallow' a screensaver? Specifically, I don't want them to be able to choose (None). I don't care what they have, as long as they have something.

I'm in the same boat as you. If my user base can't have their ugly baby pics cycled through the screensaver then they freak the gently caress out. We are very lenient on policies around here.

IT Guy

I seem to have a situation here.

We have several branches on slow connections. I'm trying to update our OfficeScan client, which is 100MB. Therefore I want to copy it to each branch's server, which every computer has mapped to a specific drive letter.

For example:

Branch: 1
Server: serv1
Mapped Drive: M:\ (which is \\serv1\Folder)

Branch: 2
Server: serv2
Mapped Drive: M:\ (which is \\serv2\folder)

Can I create a single GPO that looks at the M:\ drive for the file? When I go to set it up, it wants me to choose the file, and I'm scared that the second branch will download and install from branch 1's server.

IT Guy

BangersInMyKnickers posted:

I'm not really sure how to address your particular issue, but long-term shouldn't you be using DFS to get content locally mirrored to all the branches more efficiently?

Our site servers are Windows XP boxes :ssh:

IT Guy

Ridge posted:

So you don't have servers at the branch locations?

Anyway, to try to answer without questioning why you're hosting files off a Windows XP computer, I would look to your AD structure. For customers with multiple sites, my company sets up AD one of two ways:


Want to hear something even better?

A few of the branches have over 10 people trying to connect to the XP server boxes and one has over 25 people. loving retarded, I know.

Edit: Also, to add to ^^^ that. I dream every day that if only we had a multi-domain forest with cached global catalogs at each branch, maybe the users would stop calling me every day complaining about boot times and slow performance.

Our Domain structure looks like this and I hate it, but it's been like this since before I started:

-domain.com :wtf:
--Computers
---Site1
----Sales
----Management
----Other Departments
---Site2
----Sales
----Management
----Other Departments
---Site3
----Sales
----Management
----Other Departments
--Users
---Site1
----Sales
----Management
----Other Departments
---Site2
----Sales
----Management
----Other Departments
---Site3
----Sales
----Management
----Other Departments
--Groups
--Global
--Distribution

The first directory structure you listed is exactly how I would propose a change if I knew they would accept a change.

Also, I was trying to avoid making multiple policies in hopes I could make one that just linked to a mapped drive and the computers would look at their respective mapped drives and be linked to their own servers' XP boxes.

IT Guy fucked around with this message at 19:03 on Apr 18, 2010

IT Guy

I'm just popping in to see what the general consensus is on the Windows 7 Aero theme. Do you guys disable it through GPOs and send that bitch back to the classic theme or do you let the user have the Aero theme and the new task bar?

I'm currently modifying GPOs and a good part of me wants to let the user have the Windows 7 Aero theme because it is just that much better but then I think about how god loving awful my users are at computers and that maybe I should just give them something they are used to.

What do you all think or do currently?

IT Guy

Erwin posted:

And the same local admin users who fancy themselves knowledgeable about computers - you know the ones that, upon sitting down at a new computer, immediately change the Windows 7 start menu to classic, the theme to classic, turn off indexing, and every other useful feature invented since windows 3.1 - will immediately turn off UAC because they find it intrusive.

This is my co-worker, a sysadmin who thinks he knows a lot about computers. I spend most of my day fixing poo poo he breaks. He was hired because he knew the right people, not because he is actually capable of doing his job.

He has Windows 7, UAC turned off, of course. Aero disabled, taskbar back to classic and start menu as classic as he can get it.

He wonders why he is the only one whose computer locks up solid on a daily basis.

IT Guy

God drat Adobe Reader.

So, I'm in the middle of a complete GPO restructure, starting from complete scratch. One thing I can't find is to allow users to delete shortcuts that are in the All Users Desktop profile. As of right now it prompts for credentials for an admin.

I haven't got the GPO set up to install Adobe Reader yet so that is still a manual job. When I go to install it, it prompts for credentials as it should, then when done, it leaves a shortcut on the desktop that users cannot delete without further credentials. The shortcut is in the All Users profile under Desktop.

It has to be something simple that I am missing.

IT Guy

Ideally I would want to let users have permission to delete icons/shortcuts that aren't in their own desktop folder in case down the road other programs happen to do this without opening any security holes or disabling UAC.

Basically, as it stands now, our GPOs cause more problems than they fix. I'm trying to fix this so that they reduce administration like they are meant to do.

IT Guy

gently caress, another issue. We have some software that updates daily for a user and doesn't work unless the user is a local admin. Trying to cut this poo poo out because users are downloading spyware/malware. What is my best way to get the software working without a local admin?

IT Guy

Erwin posted:

Does it update daily itself, or do you push out a new version with GP?

When I worked at a public school district, I became good at getting software to work without admin rights. The first thing to do is update the user to Windows 7 if you can. If not:

Fire up process explorer, then fire up the software and see where it writes (or let it update and see where that writes). Then give the user write access to those locations. If the location is a horrible place like c:\windows and the software creates a file when it runs and deletes it when it exits, a good trick is to run the software, set the file as read-only so the software can't delete it, then exit.

It updates itself when you open the program, likely it is updating a database file inside its install directory. Never really got into it yet but I'll try that process explorer trick.

IT Guy

Here's another one:

I've rearranged our AD design structure to look like this:

domain.local
-Corporate Structure
--Central Office
---Computers
---Groups
----Security
----Distribution
---No GPO
---Resources
---Servers
---Users
--Branch
---Computers
---Groups
----Security
----Distribution
---No GPO
---Resources
---Users
--Global
---Groups
----Security
----Distribution
---Users

I've made a "Global Corporate Policy" GPO that contains pretty much all the defaults that we want set for all our users and their specific workstations.

I've now come across some computers that we are going to be setting up for public use at some of our branch locations that will have a general user and the computer needs to be locked down hard so no damage can be done to the network.

Should I be creating a new sub-OU in each computer folder for each branch/location labeled "Locked Down" or something similar and then block inheritance of our Global Corporate Policy? Or should I be using security filtering for the GPO to target these machines?

If the method is security filtering, I have a question regarding that.

Let's say I create a security group for these locked down computers and put these computers into that group. If I create a GPO with both computer and user variables, will the user part of the GPO be applied to my general user if it is only the computers in the security group?

The default filtering is Authenticated Users. Who is actually in this group? Is it both Domain Users and Domain Computers? Just wondering how the Authenticated Users group actually works. (I have not Googled this as I should have, yet.)

IT Guy

I've decided to use UAC to control what a user can and cannot do on their machine. It works great as they can't touch anything on the computer that isn't per-user.

However, I've noticed I can still open regedit on Windows XP. I can't change anything in HKLM, which is fine, but the user can still edit HKCU. Basically my question is: is this a problem? Can they do any damage in HKCU?

Second question, can you change the default home page for IE but still allow a user to change it? I hate having MSN as the default home page for a new user profile but any setting I've found in the GPOs seems to force the homepage and not allow it to be changed.

IT Guy

BangersInMyKnickers posted:

:words:

Awesome, thanks.

IT Guy

We have some complicated GIS software on a few machines. It needs to run updates which prompts UAC. Is there a way to white-list this without prompting the user for elevation of an admin?

IT Guy

quackquackquack posted:

In cases like that, I would usually disable the updates and then push them some central way.

Otherwise, you need to figure out exactly what this updater program is doing, and give it appropriate permissions so that it does not need to prompt to elevate. For example, an updater might be trying to change a registry key in HKLM. You could try giving the user running the update permissions to write to that part of the registry.

You'll likely end up using procmon if you take the second approach.

That's what I figured. It looks like I'll have to do it that way because disabling the updates doesn't seem to be an option. Pushing them through GPOs might be too involved for this software.

IT Guy

Is there a way to dynamically map a drive for each branch?

For example, I want one GPO to map each branch's file server to the drive letter F.
Instead of creating multiple GPOs for each branch, can you create one GPO to map each shared folder resource depending on which branch they're at?

Another example:
I have 14 branches. Each branch has a file server. Each branch is mapped to their respective file server with drive letter F. Can I dynamically map this for each branch with one GPO or am I stuck making 14 GPOs?

IT Guy

Docjowles posted:

That seems like a case where you'd actually want to resort to a login script. Put in a conditional based on the PC's IP address or however you distinguish between branches. Screw managing 14 GPOs.

Yeah, I guess I'll end up doing this. I'm not making 14 GPOs to map a drive.

IT Guy

sanchez posted:

You could do one GPO with 14 F drive entries using item level targeting if you wanted, you can target by IP range, security group or whatever.

Perfect! I've never hosed around with the item level targeting before but this looks like it will work and I can just filter it by security group.

Thanks!

IT Guy

Does anyone know of some good auditing software to audit permission changes on the file server, changes to active directory and changes to group policy objects?

IT Guy

Awesome, I'll check those out, Varonis looks pretty good. Has anyone used Netwrix before? Netwrix is what my boss has her eye on.

Unrelated, I'm having a heck of a time with something that this thread could probably help me with. I'm attempting to clean up the GPOs to get rid of local admins altogether, which means that I need to white-list some directories and registry keys for older apps because I don't want them writing to the VirtualStore.

Anyway, one of the apps uses an ODBC connection. If the user is a local admin when the ODBC connection is set up, the program can see it even when the user isn't a local admin. However, if the ODBC connection is set up while the user is not a local admin, the app can't see it.

When the user isn't a local admin, the ODBC connection is being written to the registry under [HKEY_USERS\(SID)\Software\ODBC]. When the user is a local admin, I can't see it being written to the registry at all. I've done a full-blown search for it and can't find any ODBC connections, yet they are somewhere because the app sees them. Does anyone know where these are being written so I can create the ODBC connection through GPOs?

Edit: Nevermind, I was using User DSN instead of System DSN.

IT Guy fucked around with this message at 18:10 on Feb 22, 2012
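
An added example (not from the thread) that makes the User DSN vs System DSN difference behind the edit visible: it lists DSNs from both registry scopes. The paths are the standard ODBC registry locations; nothing site-specific is assumed.

```powershell
# Added example, not from the thread. A User DSN lives under HKCU\Software\ODBC\ODBC.INI
# (which is what the post saw as HKEY_USERS\<SID>\Software\ODBC); a System DSN lives under
# HKLM\SOFTWARE\ODBC\ODBC.INI and is visible to every account on the machine, which is why
# a DSN created while running as admin "worked" and one created as a normal user did not.
function Get-OdbcDsnInventory {
    $roots = @(
        @{ Scope = 'User';              Path = 'HKCU:\Software\ODBC\ODBC.INI' }
        @{ Scope = 'System';            Path = 'HKLM:\SOFTWARE\ODBC\ODBC.INI' }
        @{ Scope = 'System (32-bit)';   Path = 'HKLM:\SOFTWARE\WOW6432Node\ODBC\ODBC.INI' }
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root.Path)) { continue }
        # The "ODBC Data Sources" subkey maps DSN name -> driver name; every other subkey is one DSN.
        $index = Get-ItemProperty -Path (Join-Path $root.Path 'ODBC Data Sources') -ErrorAction SilentlyContinue
        Get-ChildItem -Path $root.Path |
            Where-Object { $_.PSChildName -ne 'ODBC Data Sources' } |
            ForEach-Object {
                $props = Get-ItemProperty -Path $_.PSPath
                [pscustomobject]@{
                    Scope    = $root.Scope
                    Name     = $_.PSChildName
                    Driver   = if ($index) { $index.($_.PSChildName) } else { $null }
                    Server   = $props.Server       # present for SQL Server style drivers
                    Database = $props.Database
                    Key      = $_.Name
                }
            }
    }
}

Get-OdbcDsnInventory | Format-Table -AutoSize
```

On Windows 8 / Server 2012 and later, Get-OdbcDsn -DsnType System returns the same System DSNs. To deploy one through Group Policy, a Computer Configuration > Preferences > Windows Settings > Registry item targeting the HKLM path above makes the DSN visible to every user of the machine.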

IT Guy

I hosed something up.

I overwrote the permissions on our users' home directories thinking I could use ADmodify to relink the users to their respective homes.

So I reset the security on the \\fileserver\homes$ share to Domain Admins - Full Control and didn't add anyone else into the ACL. I used ADmodify to relink the user profiles to their shares using \\fileserver\homes$\%'sAMAccountName'% which works except it didn't add the user to the file permissions like it does if you do it individually through ADUC.

So, my question is, how do I bulk fix this?

edit: this isn't really GPO discussion but I figured it was close enough for the thread.

edit 2: I fixed it doing the following:
1. Un-shared the old share and renamed the folder.
2. Re-created the root homes share which is an empty directory.
3. Used ADModify again to relink
4. This caused all of the users' folders to be recreated with the user having full control.
5. Copied all of the users' folders and merged them into the new share.

It appears it was due to the folders already being there so ADModify didn't add the security. Whew, that scared me a little.

IT Guy fucked around with this message at 00:11 on Feb 27, 2012
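
An alternative bulk fix, added here and not what the poster did: grant each user Full Control on the folder named after their sAMAccountName under the homes share, in place, without recreating the share. It assumes the \\fileserver\homes$ layout from the post; CORP is a placeholder for the NetBIOS domain name.

```powershell
# Added example, not from the thread. For each folder under the homes share, add an
# inheritable Full Control ACE for the domain user whose sAMAccountName matches the folder
# name (the same convention the ADModify path template in the post relies on).
function Repair-HomeFolderAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $HomesRoot,   # e.g. \\fileserver\homes$
        [Parameter(Mandatory)] [string] $Domain       # NetBIOS domain name (placeholder: CORP)
    )
    $rights    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    foreach ($dir in Get-ChildItem -Path $HomesRoot -Directory) {
        $account = "$Domain\$($dir.Name)"
        # Resolve to a SID first: folders left behind by deleted or misspelled accounts are skipped,
        # never handed to some other principal.
        try {
            $sid = ([System.Security.Principal.NTAccount]$account).Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            Write-Warning "Skipping $($dir.FullName): $account does not resolve"
            continue
        }

        $acl = Get-Acl -Path $dir.FullName
        $already = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $account -and
            $_.FileSystemRights -eq $rights -and
            $_.AccessControlType -eq $allow
        }
        if ($already) { continue }   # idempotent: re-running does not stack duplicate ACEs

        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $rights, $inherit, $propagate, $allow)
        $acl.AddAccessRule($rule)
        if ($PSCmdlet.ShouldProcess($dir.FullName, "Grant FullControl to $account")) {
            Set-Acl -Path $dir.FullName -AclObject $acl
        }
    }
}

# Preview with -WhatIf first, then run without it.
Repair-HomeFolderAcl -HomesRoot '\\fileserver\homes$' -Domain 'CORP' -WhatIf
```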

IT Guy

How many GPOs is typically too many?

We currently have 22 GPOs but they don't always apply to everyone. I use security filtering and WMI filters where necessary to reduce the scope, in addition to disabling user or computer settings on certain GPOs. I'm assuming here that if the GPO is not scoped for the user/computer then it doesn't use network traffic, correct?

I could condense the GPOs but I find it more organized to keep certain things separate. For example, for our software security exception policy, I make a new policy for each software but I could be doing this all in one policy. Another example, I don't touch the Default Domain Policy at all. I deploy a "Global Domain Policy" that applies to all users and overrides certain things like the password policy and sets policies that aren't set in the default. However, I could always merge them both into one but I find it better organized when separate. I just would rather have a default policy I can go back on if I decide to completely change over the GPO policy one day.

IT Guy

Syano posted:

In the early days of Active Directory Microsoft had a best practice of limiting the number of GPOs if at all possible. The reason being that back in 99/2000/2001 and so on, physical network limitations like WAN bandwidth, CPU speed, RAM and similar could noticeably be affected when a machine had to process through 40 different GPOs on boot up and log in. However, in 2012 all those physical limitations have so far outrun what GPOs need that today it really makes the most sense to be extremely granular with your GPOs, even if it means you end up with hundreds of them.

We're in a rural area where many of our branches are running on 800kbit/60kbit DSL connections, usually out past 5 kilometers from the CO. These branches also do not have AD servers on site... poo poo gets rough.

IT Guy

Honey Im Homme posted:

Multiple sites with DCs on each site simplifies AD instead of having multiple site-specific policies.

Just redirecting start menus and desktops btw.

Don't the sites have file servers?

IT Guy

Cpt.Wacky posted:

I'm just getting started with group policy. Could you or anyone else go into more detail about naming and organizing the policies? Do you have separate policies for everything like deploying printers, redirecting folders, mapping drives, remote desktop/admin, firewall exceptions, etc?

I typically separate these.

My naming convention right now is:
Policy Name (User/Computer)

This allows the policy to still be listed alphabetically but you still know whether it is per machine or per user (or both).

Don't touch the two default policies (Default Domain(Controller) Policy)

I have a main policy that dumb little poo poo goes into called the "Global Domain Policy" and these are policies that apply to all users and computers. I also have a "Global Domain Preferences" for global user/computer preferences. Everything else I separate. I have separate policies for Firewall, Internet Explorer, Drive Maps, Printer Deployment, WSUS Local, WSUS Remote, WSUS Servers, and one for each piece of software that needs exceptions.

On that last note. gently caress software that only installs in the user profile as a local admin.

IT Guy

Hiyoshi posted:

You could use the Drive Maps policy under User Configuration\Preferences\Windows Settings.

What he ^ said.

Use the "Update" action and it will delete any mapping they already had for that drive letter and update it to the new one.

Edit: You can also use item-level targeting for each mapping if you have any that overlap. For example, each of our branches has an F:\ drive to their local site file server. I only need one GPO with all the drive mappings and just use item level targeting using security groups.

IT Guy

So what the gently caress? Does Mac OS X 10.6 not support NTLMv2?

Anyone have problems with SMB shares with Windows Server 2008 R2 file server? My Mac OS X 10.6 machines can't authenticate.

IT Guy

EoRaptor posted:

By default, 2008 R2 disables NTLMv1 authentication, and will only talk to NTLMv2 or better clients. You can change this at the group policy or local security policy level, and reboot for the change to take effect.

There is also a registry setting for it, but other policy changes could overwrite that, so GPO is better in this case.

There are also third party tools for OSX that add support for SMB2 (DAVE, I think)

I changed the NTLM authentication down to LM + NTLM with NTLMv2 if negotiated. I guess I'll find out tomorrow if the Macs can connect.

Edit: I assume Lion will use NTLMv2, right? I don't plan on keeping my NTLM authentication so low for a long time.

IT Guy fucked around with this message at 04:18 on Apr 3, 2012

IT Guy

madsushi posted:

Correct, no SMB2 support in 10.6. Should still work though, falling back to SMB, just like Windows XP would. Is the time on your Mac and the time on the 2008r2 server 5 minutes apart or more?

Nope, times were in sync.

madsushi posted:

There are also third party tools for OSX that add support for SMB2 (DAVE, I think)

So, I changed a total of 3 GPO settings both on the Domain controller and the file server.

I changed:
Microsoft network server: Digitally sign communications (always) Disabled
Microsoft network server: Digitally sign communications (if client agrees) Enabled
Network security: LAN Manager authentication level: LM & NTLM; use NTLMv2 session if negotiated

Still, my Mac OS X clients could not mount SMB (authentication error). They could however, mount NFS. This wasn't acceptable in our environment though. I even tried setting up a FreeBSD VM and it couldn't mount either.

I ended up giving DAVE a try like you said and loving magically it works. We're just going to change our GPOs back to normal and purchase licenses for Dave for our Mac OS X 10.6 users.

Thanks for the help.
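
An added check (not from the thread) for when the GPOs are changed back: it reads the registry values that back the three policies listed above and reports whether the server is on the stricter settings again. Registry paths and option names are the standard ones for these policies; nothing site-specific is assumed.

```powershell
# Added example, not from the thread. Reports the effective LAN Manager authentication level
# and server-side SMB signing settings on this machine, so the temporary relaxation made for
# the Mac OS X 10.6 clients can be verified as reverted.
function Get-SmbAuthPosture {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # Option text of "Network security: LAN Manager authentication level", indexed by value.
    # The post moved to level 1; 3 is the Vista/2008+ default; only 5 refuses LM and NTLM from clients.
    $lmNames = @(
        'Send LM & NTLM responses',
        'Send LM & NTLM - use NTLMv2 session security if negotiated',
        'Send NTLM response only',
        'Send NTLMv2 response only',
        'Send NTLMv2 response only. Refuse LM',
        'Send NTLMv2 response only. Refuse LM & NTLM'
    )
    $lm = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $lm) { $lm = 3 }   # value absent: the OS default (3 on Vista/2008 and later) applies
    $lm = [int]$lm

    # Backing values of the two "Microsoft network server: Digitally sign communications" policies.
    $req = (Get-ItemProperty -Path $srv -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
    $ena = (Get-ItemProperty -Path $srv -Name EnableSecuritySignature  -ErrorAction SilentlyContinue).EnableSecuritySignature

    $strict = ($lm -ge 3) -and ($req -eq 1)
    [pscustomobject]@{
        Computer                = $env:COMPUTERNAME
        LmCompatibilityLevel    = $lm
        LmMeaning               = $lmNames[$lm]
        SendsLmOrNtlm           = ($lm -le 2)     # true while the workaround from the post is in place
        RefusesLmAndNtlmClients = ($lm -eq 5)
        ServerSigningRequired   = ($req -eq 1)    # "(always)" Enabled
        ServerSigningIfAgreed   = ($ena -eq 1)    # "(if client agrees)" Enabled
        Verdict                 = if ($strict) { 'NTLMv2 with signing required' } else { 'Relaxed: review before the Mac exception is forgotten' }
    }
}

Get-SmbAuthPosture
```

Run it on both the domain controller and the file server, since the post changed the settings in both places.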

IT Guy

Caged posted:

I'm having some WMI filter issues, trying to have a policy that applies only to servers using the following:

code:
select * from Win32_OperatingSystem where ProductType="2" or ProductType="3"
When I model this in the Group Policy Modeling wizard, I'm getting Windows 7 desktops evaluating as true. Am I jumping the gun at assuming this isn't working and it just doesn't get reflected in the simulation, or am I doing something wrong?

Obviously the easiest way is to just look on the client and see what's getting applied, but I don't have access to one right now.

It looks correct to me. I would test it out on a client. I use the exact same WMI filter and it doesn't affect any of our client Windows OSes, including Windows 7.

Also, it probably isn't the cause but you should be typing it in proper format (uppercase clauses):

code:
SELECT * FROM Win32_OperatingSystem WHERE ProductType = "2" OR ProductType = "3"

IT Guy fucked around with this message at 03:02 on Apr 13, 2012
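
An added example (not from the thread) of the "test it on a client" step: it evaluates the WQL filter locally the way the Group Policy client does (the filter applies when the query returns at least one instance) and shows the ProductType value behind the result. It uses Get-CimInstance, so PowerShell 3.0 or later; on PowerShell 2.0 substitute Get-WmiObject.

```powershell
# Added example, not from the thread. Win32_OperatingSystem.ProductType is 1 on a workstation,
# 2 on a domain controller and 3 on a non-DC server, so the filter from the post should
# evaluate to "applies" on servers and "does not apply" on Windows 7 clients.
function Test-GpoWmiFilter {
    param(
        [string] $Query     = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "2" OR ProductType = "3"',
        [string] $Namespace = 'root\cimv2'   # default namespace of a GPO WMI filter
    )
    # A WMI filter passes when its query returns one or more instances.
    $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $typeNames = @{ 1 = 'Workstation'; 2 = 'Domain Controller'; 3 = 'Server' }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Caption         = $os.Caption
        ProductType     = $os.ProductType
        ProductTypeName = $typeNames[[int]$os.ProductType]   # ProductType is uint32; key lookup needs int
        FilterApplies   = ($hits.Count -gt 0)
        Query           = $Query
    }
}

Test-GpoWmiFilter | Format-List
```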

IT Guy

So, my help desk is just so loving retarded and I can't do anything about it.

She keeps changing C:\ permissions when a program won't work properly instead of escalating the issue to me so I can assess and modify GPOs if necessary. For example, she just added full access for "Authenticated Users" on the C:\ root and then she went into program files, took off inheritance and added the username with full access. No matter how much I openly mock and ridicule her for being a dumb oval office, she still does what she wants.

I need a GPO that basically resets the default security descriptors on the C:\ drive and any other folders she may have unlinked inheritance on. Is there a good way to do this?

Edit: She's doing this on individual workstations by the way, not servers (thank gently caress).

IT Guy fucked around with this message at 16:38 on Apr 16, 2012

IT Guy

Docjowles posted:

And IIRC, policies under Security Settings reapply themselves periodically so when she inevitably tries to go behind your back her bullshit will get overwritten the next day.

That's what I was hoping for.

Thank you.
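
An added audit script (not from the thread) that reports, on a workstation, the two kinds of damage described in the question above: write-class entries for broad principals on the root of the system drive, and Program Files folders whose inheritance has been turned off. It is read-only and complements the Security Settings > File System policy that periodically reapplies the baseline; it makes no site-specific assumptions.

```powershell
# Added example, not from the thread. Returns one finding per suspicious ACL; an empty
# result means no drift relative to these two checks.
function Get-SystemDriveAclDrift {
    param(
        [string]   $SystemDrive = $env:SystemDrive,
        [string[]] $ProgramDirs = @(@($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ })
    )
    $broad = @('NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Users')
    # The stock Windows 7 root ACL already gives Authenticated Users an inherit-only Modify entry
    # and a this-folder-only "create folders / append data" entry, so only entries that apply to
    # the root itself and carry rights beyond AppendData are flagged.
    $writeBits   = [System.Security.AccessControl.FileSystemRights]'WriteData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $findings = @()

    # 1. Root of the system drive (e.g. the "Authenticated Users: Full control" ACE from the post).
    foreach ($ace in (Get-Acl -Path "$SystemDrive\").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        if ([int]($ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ([int]($ace.FileSystemRights -band $writeBits) -eq 0) { continue }
        $findings += [pscustomobject]@{
            Path   = "$SystemDrive\"
            Issue  = 'BroadWriteAceOnRoot'
            Detail = "$($ace.IdentityReference): $($ace.FileSystemRights)"
        }
    }

    # 2. Program Files trees: top-level folders that no longer inherit from the parent.
    #    Some installers do this legitimately, so treat these as leads to review, not verdicts.
    foreach ($pf in $ProgramDirs) {
        foreach ($dir in (Get-ChildItem -Path $pf -Directory -ErrorAction SilentlyContinue)) {
            $acl = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl -or -not $acl.AreAccessRulesProtected) { continue }
            $explicit = $acl.Access | Where-Object { -not $_.IsInherited } |
                ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
            $findings += [pscustomobject]@{
                Path   = $dir.FullName
                Issue  = 'InheritanceDisabled'
                Detail = ($explicit -join '; ')
            }
        }
    }
    $findings
}

Get-SystemDriveAclDrift | Format-Table -AutoSize -Wrap
```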

IT Guy

Couldn't you just use GPOs to make a shortcut here:

C:\Users\%username%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

IT Guy

Maybe I'm just not seeing it but is there a way to create a local user/local admin through GPOs?

I want to roll out a GPO that enables the (disabled-by-default) local admin account on Windows 7 machines, makes sure it exists on Windows XP machines, and lets me change the password for the local admin account.

IT Guy

Wicaeed posted:

:catstare:

How stupid can some people be...

When my boss hired her, she didn't even know how to change NTFS security. But since she was so dumb my boss sent her to a week-long course called "Windows 7 boot camp" and when she came back she picked up all kinds of bad habits from the course. Another thing she likes to do is restart as many services as she can in "services.msc". Like, she'll start from the top and just restart all the services going down. I don't understand it.

I don't blame the course though, I'm sure the course didn't tell her to do this but rather showed her where to find these types of things in Windows 7.

IT Guy

Wicaeed posted:

What...no....how is she still employed?


A combination of my boss not giving a poo poo and her having connections to get the job.

But back on topic. I think I resolved my original question about the local admin, I was looking at Windows Settings when it appears to be in the Preferences.

IT Guy

I have a GPO that installs Google Chrome Frame on all client machines. I also have a GPO that prevents users from enabling or disabling addons.

My problem is that sometimes Google Chrome Frame isn't enabled and I need to take the machine out of the GPO, gpupdate, enable the addon, then put them back in the gpo and gpupdate again.

Is there a way to force enable this specific addon through GPO?

IT Guy

frogbert posted:

Perhaps this is what you're looking for:

Workstation Settings> Administrative Templates> Windows Components> Internet Explorer> Security Features> Add-ons> "Deny all add-ons unless specifically allowed in the Add-on list"

I've never tested this setting myself though.

I saw that, I just didn't really understand how to use the addon list. But I'll look further into it, thanks.


IT Guy

Wooo! One small step for IT, one giant step for everyone's sanity!

Today, my boss gave me the "ok" to disable Outlook stationery and themes via GPO.

gently caress all my users, thank gently caress.
