Briantist
Dec 5, 2003

The Professor does not approve of your post.
Lipstick Apathy

Sock on a Fish posted:

So, I'm going to be deploying a domain controller at that remote office soon. Are there any drawbacks to just letting it operate as a domain controller for our current domain, or should it get its own domain in the forest?
I went through this back in May and I didn't set up a different domain. My situation might be different because we use SBS, and I probably couldn't create a new domain if I wanted to but this other office is a state away and only has 6 employees. I set up the domain controller over there and set up an IPSec VPN tunnel between the two sites.

Then I went into Active Directory Sites and Services to define a new site and made sure to set it up so that it knows that other domain controller is at the other site. This helps it conserve some bandwidth, so it's not treating it like it's on a LAN.

This is also about the time I started using DFS with replication which really helped, since there's now no direct opening of files across the VPN (automatically accesses the local copy and replicates later).

So yeah, after this experience, for us, I don't think I would create another domain even if that office was bigger.

Briantist
Dec 5, 2003

I'm so glad this thread hasn't died.

I would like to get some discussion going on the special configuration needs for mobile/laptop users. Right now, I'm struggling with how to manage some of these systems. We've got techs who might never come into the office for a month or more, because they go directly to jobs from home, and go right back home afterward.

Since they aren't connected to the domain for long stretches of time they don't get group policy changes, software updates, etc. I am working on a way for them to get virus updates with NOD32 without them having to connect to the VPN, but it isn't fleshed out yet (I know you can have NOD32 mobile users update directly from the internet, but I'm trying to avoid that just to avoid embedding our credentials on portable computers).

I'd love to hear how some other administrators handle issues unique to mobile users.

Briantist
Dec 5, 2003

BangersInMyKnickers posted:

Ideally you would want to make a WMI filter that only applies if it does not see the Symantec Antivirus program installed on a system. Unfortunately at this point we hit a limitation with WMI filters that makes life difficult: WMI filters cannot be used to detect the absence of something and return a true value so the filter falls within scope. For this kind of thing you will need to revert to a batch script that runs a reg query that looks for the indicator key and then catch the error level and execute the rest of the batch file from there, either by doing file manipulation, registry merges, or msiexec commands. Hopefully in a future iteration of group policy you can customize a WMI filter to fall within scope on your choice of a true or false return instead of just true, but at this point the flexibility isn't there.
Here's how I got around this just recently.

Why I needed a negative result:

We have typically been using Office 2003 Basic edition on our computers. This is Outlook, Word, and Excel. More people need to view Powerpoint presentations than need to create them, so I had the (free) PowerPoint Viewer 2007 being pushed out to everyone. I also had the Office 2007 Compatibility Pack being pushed out to everyone, which allows them to view Office 2007 files in Office 2003.

We don't do upgrades here all at one time. What happens is that basically someone's needs change and their existing old machine can't do what they need to do effectively anymore, so our upgrades are piecemeal. As I get new machines, I get Office 2007 for them. On a recent one I noticed that Windows update had service packs for the compatibility pack and the viewer (which were both installed despite Office 2007 Standard, which includes Powerpoint, being installed). Now I wouldn't have cared since it didn't negatively affect things, even though it was redundant, but for some reason the service packs wouldn't install, and so it was always prompting for updates.

I wanted a way to have group policy NOT install these components if they weren't necessary. The compatibility pack shouldn't be installed if Office 2007 is installed (in my case, this means if Word 2007 and Excel 2007 are installed) and the Powerpoint viewer shouldn't be installed if Powerpoint 2007 is installed (but it should be installed if Office 2007 Basic was installed, or any other non-Powerpoint 2007 parts of office).

The solution:

I created a policy called NegativeValues. This policy will assign values on the machine that I can then check for in WMI filters for installing software. I'm not using a separate policy for each value because I am not using a WMI filter on the policy itself, I'm using item-level filtering within the policy.

Originally I was setting registry values, but then I found out that querying the registry through WMI is a pain in the rear end, so now I'm setting environment variables instead.

Computer Configuration -> Preferences -> Windows Settings -> Environment

These are easily queryable from WMI and don't take forever to process. I use the Replace action so that if the result of the item level targeting changes, the variable will be deleted (in theory; I have not tested this). I have it creating environment variables named NegativeValues_whatever but the name doesn't matter since you need to specify it in your WMI filter. You might want to make it something you and your other admins will recognize if you happen to be looking in the environment variables on any given system. The value doesn't matter because you're only really going to be checking for its existence. I just used 1.

On the common tab, you'll see a check box for item level targeting. Check that, click the targeting button, and then new item. Your choices here are a lot better than you can do with WMI alone, in my opinion, especially since you can use [multiple] WMI queries here if you want. In addition, you can negate any of these by changing it to IS NOT in the item options.

For my purposes, I did come up with a WMI query that could tell if an individual office component was installed, but it took about 10 minutes to run with the CPU maxed on a newer dual core machine (only uses one core though), so it really wasn't viable. I found it a lot easier to just check for the existence (actually the lack of, using IS NOT) of the registry keys (HKLM\Software\Microsoft\Office\12\[Word|Excel|Powerpoint]) and it runs really fast.

Then I created a WMI filter, like Powerpoint2007Missing which consists of the following query:
code:
SELECT * FROM Win32_Environment WHERE Name = 'NegativeValues_Powerpoint2007'
and I apply that to the policy that installs Powerpoint Viewer 2007.
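
Added example, not part of the original post: a read-only PowerShell check that compares the registry condition used for item-level targeting with what the WMI filter query actually returns on a machine. The function name `Test-NegativeMarker` is hypothetical, and the `NegativeValues_Word2007` and `NegativeValues_Excel2007` names are assumed by analogy with the `NegativeValues_Powerpoint2007` name in the post.

```powershell
# Added example: consistency check for the "negative value" marker variables.
# Nothing is written; the registry and WMI are only read.
function Test-NegativeMarker {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Word', 'Excel', 'Powerpoint')]
        [string]$Component
    )

    # Registry key from the post; its absence is the item-level targeting condition.
    $keyPath    = "HKLM:\Software\Microsoft\Office\12\$Component"
    # Marker name: Powerpoint form is from the post, the others are assumed.
    $markerName = "NegativeValues_${Component}2007"

    $componentMissing = -not (Test-Path -LiteralPath $keyPath)

    # Same WQL text as the WMI filter in the post.
    $wql  = "SELECT * FROM Win32_Environment WHERE Name = '$markerName'"
    $rows = @(Get-CimInstance -Query $wql -ErrorAction Stop)

    # The filter query does not test SystemVariable, so a per-user variable
    # with the same name satisfies it as well. Report both kinds separately.
    $machineRows = @($rows | Where-Object { $_.SystemVariable })
    $userRows    = @($rows | Where-Object { -not $_.SystemVariable })

    [pscustomobject]@{
        Component        = $Component
        ComponentMissing = $componentMissing
        MachineMarker    = $machineRows.Count -gt 0
        UserMarkers      = @($userRows | ForEach-Object { $_.UserName })
        FilterWouldMatch = $rows.Count -gt 0
        # Expected state: machine marker exists exactly when the key is absent.
        Consistent       = ($componentMissing -eq ($machineRows.Count -gt 0))
    }
}

'Word', 'Excel', 'Powerpoint' |
    ForEach-Object { Test-NegativeMarker -Component $_ } |
    Format-Table -AutoSize
```

A row with `Consistent` false after a policy refresh points at a stale marker, which is the case the post says was not tested. A non-empty `UserMarkers` means the filter is matching on a variable that the preference item did not create.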

Briantist
Dec 5, 2003

Is anyone having a problem with drive maps in Vista? I have a few Vista machines here where the drive mapping policy is not working. It works on all of the XP machines, it works on some of the Vista machines, but not others. It works on my machine, but I don't think it's a problem of access rights because when I log on to one of the affected machines with my credentials, it still doesn't work.

The odd thing is, I've looked through the event log and I can't find any errors. I've run the results and I see no problems; as far as I can tell the policy is definitely being applied, but I have no errors at all. I'm stumped.

Briantist
Dec 5, 2003

Mierdaan posted:

Are you using the new Vista/Server2008 Group Policy Preference Objects, or old-school logon scripts? If the former, and the Vista computers have UAC turned on, you'll need to follow this KB to make it work.
I am using the preference object, UAC is on, and I've tried that solution. On my machine, UAC is turned on, but the registry entry doesn't exist and the policy works fine. On the other machines, UAC is turned on, and I tried to add that registry entry and it made no difference; still doesn't work.

Briantist
Dec 5, 2003

Mierdaan posted:

Same behavior for all users? Does local admin vs not make any difference?
My user is a domain admin (domain admins by default are in local admins) and it seems not to make any difference. I haven't tried logging on a normal domain user to my workstation, but my user logging in to an affected one doesn't make any difference. I found out my printer preferences stopped working altogether, and I had them in the same policy as the drive settings so I separated them out but it too made no difference.

Here's some new info: the other machine I thought was affected is a laptop, and I just realized he wasn't on a wire. When I had him reboot connected via wire it worked fine.

So I think at the moment I'm down to this one machine. It's brand new (refurbed, but a new installation). I even took it off the domain and put it back on. I've tried gpupdate, both /force and /sync (over and over).

Briantist
Dec 5, 2003

The laptop turned out not to be affected. The one that is is a desktop and is wired only; sorry for the confusion.

Briantist
Dec 5, 2003

pyrotherm posted:

Does anyone here know if you can install RSAT on Windows7 RC?

I have been trying to do this, and have even downloaded the RSAT tool for Windows 7 from Microsoft's website:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d#filelist

All that this does, is give me an error stating: "This update is not applicable to your computer"

Any help with this would be greatly appreciated!

quote:

Remote Server Administration Tools for Windows 7 can be installed on computers that are running the Enterprise, Professional, or Ultimate editions of Windows 7.
I haven't used Win 7 RC yet so I don't know what it entails, but if it doesn't report as one of the above versions that's probably the reason.

Briantist
Dec 5, 2003

IT Guy posted:

gently caress, another issue. We have some software that updates daily for a user and doesn't work unless the user is a local admin. Trying to cut this poo poo out because users are downloading spyware/malware. What is my best way to get the software working without a local admin?
I haven't used this a lot yet, but it has been working well so far:

http://www.scriptlogic.com/products/privilegeauthority/

I don't like things like this, but I needed it for our shipping department. I just gave her a new machine with Windows 7, and installed the latest UPS software, and the drat thing wants to update every other day (not really an exaggeration), which needed admin privileges. I used this so that only the updater application will run with the admin privileges and it has worked great since.

Right now it's based on path or file name, which is obviously subject to abuse if the application is in a location that is writable by the user, but they're looking into a hash option.

The only other thing I don't like about this is that it somehow uses group policy, but it applies its own settings to a GPO which are not viewable in Group Policy Management, they are only viewable in their own application. It's a bit weird.
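
Added example, not part of the original post and not the vendor's tooling: a read-only PowerShell audit for the path-rule concern above. It lists non-administrative principals that can write to, delete or re-permission an executable or its folder, and prints the SHA-256 that a hash-based rule would pin. The function name `Test-ElevationTarget`, the trusted-principal list and the `notepad.exe` stand-in path are assumptions.

```powershell
# Added example: audit a file that a path-based elevation rule trusts.
function Test-ElevationTarget {
    param([Parameter(Mandatory)][string]$ExePath)

    # Assumed set of principals that are allowed to modify the target.
    $trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
               'NT SERVICE\TrustedInstaller'

    # Rights that allow replacing, removing or re-permissioning the target.
    # On a folder, WriteData/AppendData mean "create file/subfolder".
    $writeMask = [int][System.Security.AccessControl.FileSystemRights](
        'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
        'ChangePermissions, TakeOwnership')
    $genericMask = 0x50000000   # GENERIC_WRITE | GENERIC_ALL in raw ACEs
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $file = Get-Item -LiteralPath $ExePath -ErrorAction Stop

    # Check the file itself and the folder that contains it.
    $findings = foreach ($target in $file.FullName, $file.DirectoryName) {
        foreach ($ace in (Get-Acl -LiteralPath $target).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs do not apply to the object being examined.
            if ($ace.PropagationFlags -band $inheritOnly) { continue }
            if ($trusted -contains $ace.IdentityReference.Value) { continue }

            $rights = [int]$ace.FileSystemRights
            if (($rights -band $writeMask) -or ($rights -band $genericMask)) {
                [pscustomobject]@{
                    Path     = $target
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }

    [pscustomobject]@{
        ExePath      = $file.FullName
        Sha256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        WritableBy   = @($findings)
        UserWritable = @($findings).Count -gt 0
    }
}

# Stand-in target for the demonstration; substitute the updater's real path.
$result = Test-ElevationTarget -ExePath "$env:SystemRoot\System32\notepad.exe"
$result | Format-List ExePath, Sha256, UserWritable
$result.WritableBy | Format-Table -AutoSize
```

The check is deliberately conservative: any non-trusted principal with a modifying right on the file or its folder is reported, and parent folders further up the tree are not examined.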

Briantist
Dec 5, 2003

Authenticated Users is basically any user at all. The difference between Authenticated Users and Everyone is that Everyone includes stuff like the "null user" that can be used to query things across the network. There is probably a little more to it, so yes you should google it, but I think it's basically a slightly more secure "Everyone."

Briantist
Dec 5, 2003

I'm having a problem with software installation via GPO that I can't nail down. The software in question is NSClient++ (Nagios monitoring agent for Windows). It already comes as an MSI.

The MSI installs just fine via the GPO. The MSI updates an existing older version of the software just fine via GPO.

The problem occurs when I manually uninstall the software. What I've seen in the past on other software deployments is that in this case, the software will just be reinstalled on the next reboot.

What's happening here is that the reinstall is attempted but quickly fails. There are no error messages in the event log, the application doesn't show up in Programs in control panel, the files and service are not created. For all intents and purposes, the install didn't happen, EXCEPT that it does show up in the MSI cleanup tool. It doesn't show up in there after the manual reinstall was done, only after a reboot when it attempts to reinstall it.

Removing that entry from the tool does NOT allow it to be successfully reinstalled via GPO.

I am at a loss.

Briantist
Dec 5, 2003

Docjowles posted:

Try turning on verbose logging for the installer service. Can be done via registry edit or group policy. This has helped me in the past finding problems with Java's abortion of an installer :mad: KB article.
Actually, I forgot to mention it, but I did this, and no log file was created. I checked the value of the %temp% variable for both my user (it shouldn't be here) and for the system environment variable (C:\Windows\Temp). I even started by clearing those directories so that I could more easily see a new file.

I've done this on two different servers now, and no log was created during the installation via GPO; even starting from scratch where there was no installation and uninstallation (that is, the install via GPO was successful, and still no log).

I also started a command prompt as the computer account using psexec -s cmd and ran the installer with msiexec (this time, specifying logging options via command line). This was successful for some reason. The log was created and showed no problems, the install worked well.

Briantist
Dec 5, 2003

Okay I figured out what the problem was with logging. The KB articles say that you can use a value of "*" but it turns out that doesn't work! Setting it to "voicewarmup" does though. This is the result of one of my failed reinstallations:

quote:


=== Verbose logging started: 3/26/2012 15:03:29 Build type: SHIP UNICODE 5.00.7601.00 Calling process: C:\Windows\system32\svchost.exe ===
MSI (c) (28:E4) [15:03:29:453]: User policy value 'DisableRollback' is 0
MSI (c) (28:E4) [15:03:29:453]: Machine policy value 'DisableRollback' is 0
MSI (c) (28:E4) [15:03:29:515]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (c) (28:E4) [15:03:29:531]: Executing op: Header(Signature=1397708873,Version=500,Timestamp=1081574870,LangId=1033,Platform=589824,ScriptType=3,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=0)
MSI (c) (28:E4) [15:03:29:531]: Executing op: ProductInfo(ProductKey={76AAFD9B-9388-45D8-B464-217A69EDE358},ProductName=NSClient++ (x64),PackageName=NSClient++-0.3.9-x64.msi,Language=1033,Version=196617,Assignment=1,ObsoleteArg=0,ProductIcon=nsclient.exe,,PackageCode={0DA4D155-5ACC-4D01-AE99-6380B8F8785C},,,InstanceType=0,LUASetting=0,RemoteURTInstalls=0,ProductDeploymentFlags=3)
MSI (c) (28:E4) [15:03:29:531]: Executing op: DialogInfo(Type=0,Argument=1033)
MSI (c) (28:E4) [15:03:29:531]: Executing op: DialogInfo(Type=1,Argument=NSClient++ (x64))
MSI (c) (28:E4) [15:03:29:531]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])
MSI (c) (28:E4) [15:03:29:531]: Executing op: ActionStart(Name=CreateShortcuts,Description=Creating shortcuts,Template=Shortcut: [1])
MSI (c) (28:E4) [15:03:29:562]: Executing op: IconCreate(Icon=nsclient.exe,Data=BinaryData)
MSI (c) (28:E4) [15:03:29:640]: Executing op: IconCreate(Icon=nstray.exe,Data=BinaryData)
MSI (c) (28:E4) [15:03:29:640]: Executing op: IconCreate(Icon=doc.ico,Data=BinaryData)
MSI (c) (28:E4) [15:03:29:640]: Executing op: ActionStart(Name=PublishFeatures,Description=Publishing Product Features,Template=Feature: [1])
MSI (c) (28:E4) [15:03:29:640]: Executing op: FeaturePublish(Feature=Documentation,Parent=ProductFeature,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: FeaturePublish(Feature=Plugins,Parent=ProductFeature,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: FeaturePublish(Feature=ServiceRegistration,Parent=ProductFeature,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: FeaturePublish(Feature=MainProgram,Parent=ProductFeature,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: FeaturePublish(Feature=ProductFeature,,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: FeaturePublish(Feature=FireWallException,Parent=ProductFeature,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: FeaturePublish(Feature=CheckPlugins,Parent=Plugins,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: FeaturePublish(Feature=NRPEPlugins,Parent=Plugins,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: FeaturePublish(Feature=NSCPlugins,Parent=Plugins,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: FeaturePublish(Feature=NSCAPlugin,Parent=Plugins,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: FeaturePublish(Feature=SampleScripts,Parent=Plugins,Absent=0,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: ActionStart(Name=PublishProduct,Description=Publishing product information,)
MSI (c) (28:E4) [15:03:29:671]: Executing op: CleanupConfigData()
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\B9DFAA6788398D544B4612A796DE3E85\Patches 3: 2
MSI (c) (28:E4) [15:03:29:687]: Executing op: ProductPublish(PackageKey={0DA4D155-5ACC-4D01-AE99-6380B8F8785C})
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85 3: 2
MSI (c) (28:E4) [15:03:29:687]: Executing op: UpgradeCodePublish(UpgradeCode={0B36E3B7-0042-452D-B376-57E0C07ADDAA})
MSI (c) (28:E4) [15:03:29:703]: Executing op: SourceListPublish(,,,,NumberOfDisks=1)
MSI (c) (28:E4) [15:03:29:703]: Note: 1: 1402 2: UNKNOWN\Installer\Products\B9DFAA6788398D544B4612A796DE3E85\SourceList 3: 2
MSI (c) (28:E4) [15:03:29:703]: Executing op: ProductPublishClient(,,)
MSI (c) (28:E4) [15:03:29:703]: Executing op: End(Checksum=0,ProgressTotalHDWord=0,ProgressTotalLDWord=0)
MSI (c) (28:E4) [15:03:29:812]: Note: 1: 2318 2:
MSI (c) (28:E4) [15:03:29:812]: DoAdvertiseScript is returning: 0
=== Verbose logging stopped: 3/26/2012 15:03:29 ===
Unfortunately I don't really understand what's going on here. Any help is appreciated.
