I saw this thread title and assumed some lame thread asking how to do something rudimentary with GPOs. Imagine my surprise when I saw the wall of awesome text Bangers knocked out. Voted 5, bookmarked.
# Sep 12, 2008 16:16
|
|
# Apr 25, 2024 00:30
|
> BangersInMyKnickers posted: Java stuff

Will this work fine for a client that already has non-package-deployed Java installed?

# Sep 12, 2008 17:36
|
> BangersInMyKnickers posted: I just have an extreme hatred for lanmanager and lm hashes because of their terrible design and never want them on a system.

Glad it's a lazy Friday; I just set our LAN Manager authentication to "Send NTLMv2 response only. Refuse LM & NTLM" and broke a bunch of poo poo. Glad nobody was really around to care... Any clue why this would've caused multiple users to get locked out, all of whom are running at least XP Pro SP2?

# Sep 12, 2008 21:30
|
> BangersInMyKnickers posted: Where was authentication failing to? We have a NetApp filer and access to that became problematic with only NTLMv2 until we applied a firmware update. Network appliances would be the most likely source of trouble, or some clients applied the policy at different times and stopped talking to each other properly. A safer method of switching would be to increment to "Send NTLMv2 response only, refuse LM" and then bump it up to "Send NTLMv2 response only, refuse LM and NTLM" a few days later. If you have something that still wants to authenticate with LM, well... ouch. Also check your domain and forest functional levels for the hell of it.

I didn't get time to look closely before backing the change out, but my inclination is that it was Outlook trying to auth via NTLM to Exchange 2007. Though, while our Domain functional level is definitely at 2003, apparently Forest is at 2000 (we have no other domains, nor non-2003 DCs). I didn't even know that until just now; would that be forcing something to use a lower level of NTLM authentication than v2?

# Sep 12, 2008 21:39
|
> BangersInMyKnickers posted: I was more asking to make sure you didn't have some old NT4 controllers sitting around or something weird like that. Kerberos is what you should be authenticating with in a domain unless you are going by the IP instead of hostname, the other machine isn't on the domain, or your ports aren't open right. Then it will default down to NTLM or LM. Any of those apply to you?

Nope

# Sep 12, 2008 22:29
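The staged rollout Bangers describes (go to "refuse LM" first, then "refuse LM & NTLM" a few days later) only works if you know who is still sending LM or NTLMv1 before you refuse it. The following PowerShell is an added example, not code from anyone in this thread: it flattens Security event 4624 records (whose `AuthenticationPackageName` / `LmPackageName` fields say whether a logon used Kerberos, NTLM V1, NTLM V2 or LM), lists the logons that a given LmCompatibilityLevel would refuse, and steps the level up one notch at a time while legacy logons are still seen. The sample records are constructed stand-ins for `Get-WinEvent` output so the script runs offline; the registry path is the real `Lsa\LmCompatibilityLevel` value behind the "LAN Manager authentication level" policy.

```powershell
# Added example (not from the thread): audit LM/NTLMv1 logons before raising
# LmCompatibilityLevel, and advance the level one step at a time.

# Policy display names for HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Reads the explicit value on the local machine; $null means the value is absent
    # and the OS default applies (it differs between XP/2003 and Vista/2008 and later).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $v = (Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $v) { $null } else { [int]$v }
}

function ConvertFrom-LogonEvent {
    # Flattens the EventData of a Security 4624 record (from Get-WinEvent) into a simple object.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            User        = $data['TargetUserName']
            Workstation = $data['WorkstationName']
            IpAddress   = $data['IpAddress']
            AuthPackage = $data['AuthenticationPackageName']   # 'Kerberos' or 'NTLM'
            LmPackage   = $data['LmPackageName']               # 'LM', 'NTLM V1' or 'NTLM V2' for NTLM logons
        }
    }
}

function Get-LegacyNtlmLogons {
    # Returns the logons that a given level would refuse: LM at level 4, LM and NTLMv1 at level 5.
    param([Parameter(Mandatory)] [object[]] $Logons, [int] $TargetLevel = 5)
    $refused = switch ($TargetLevel) {
        { $_ -ge 5 } { 'LM', 'NTLM V1' }
        4            { 'LM' }
        default      { @() }
    }
    $Logons | Where-Object { $_.AuthPackage -eq 'NTLM' -and $refused -contains $_.LmPackage }
}

function Get-NextLmCompatibilityLevel {
    # Staged rollout: move up exactly one level, never past the target, and stay put
    # while the next level would still refuse logons that are actually being seen.
    param([int] $Current, [int] $Target = 5, [object[]] $Logons = @())
    if ($Current -ge $Target) { return $Current }
    $next = $Current + 1
    if (@(Get-LegacyNtlmLogons -Logons $Logons -TargetLevel $next).Count -gt 0) { return $Current }
    $next
}

# Constructed sample records in the shape ConvertFrom-LogonEvent produces. On a real DC:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | ConvertFrom-LogonEvent
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date; User = 'alice'; Workstation = 'WS01';  IpAddress = '10.0.0.11'; AuthPackage = 'NTLM';     LmPackage = 'NTLM V2' }
    [pscustomobject]@{ TimeCreated = Get-Date; User = 'bob';   Workstation = 'FILER'; IpAddress = '10.0.0.50'; AuthPackage = 'NTLM';     LmPackage = 'NTLM V1' }
    [pscustomobject]@{ TimeCreated = Get-Date; User = 'carol'; Workstation = 'WS02';  IpAddress = '10.0.0.12'; AuthPackage = 'Kerberos'; LmPackage = '-' }
)

$current = 3
"Current level $current : $($LmLevelNames[$current])"
"Logons that level 5 would refuse:"
Get-LegacyNtlmLogons -Logons $sample -TargetLevel 5 | Format-Table User, Workstation, IpAddress, LmPackage

# First step is safe (level 4 only refuses LM, and nobody in the sample sends LM) -> 4
$step1 = Get-NextLmCompatibilityLevel -Current $current -Target 5 -Logons $sample
"Step 1: $step1 ($($LmLevelNames[$step1]))"
# Second step is held back by bob's NTLMv1 logon from FILER -> stays at 4 until that is fixed
$step2 = Get-NextLmCompatibilityLevel -Current $step1 -Target 5 -Logons $sample
"Step 2: $step2 ($($LmLevelNames[$step2]))"
```

The point of feeding the next level, not the final target, into `Get-LegacyNtlmLogons` is that the two steps fail on different populations: level 4 only breaks true LM clients, while level 5 also breaks everything negotiating NTLMv1, which in the sample is the NetApp-style appliance that the thread warns about. Run the audit for a few days on the DCs before each step, since a box that only authenticates once a week will not show up in an afternoon's worth of 4624 events.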
|
Are the CSEs included in XP SP3 and/or Vista SP1? Do I need to worry about pushing those out separately?
|
# Sep 17, 2008 15:23
|
Got it, thanks. It actually doesn't show as being compatible with XP SP3 in WSUS, so I'm glad I hadn't pushed that out to clients yet...
|
# Sep 17, 2008 17:01
|
If a service is set to disabled on a client, will adding it under Computer Configuration -> Preferences -> Control Panel Settings -> Services, set to Action=Start Service, Startup Type=Automatic, do what I think it'll do? It hasn't yet and I don't know if I'm impatient or doing something wrong.

edit: yes it does, if I actually have 943729 installed instead of just thinking that I do.

Mierdaan fucked around with this message at 17:45 on Sep 19, 2008

# Sep 19, 2008 17:11
|
> BangersInMyKnickers posted: You're not doing something weird like having workstations on a wireless network so there is no established network connection until a user logs in, are you? That could cause the symptoms you are describing where the machine receives the policy but the next time it reboots and the machine policy executes there is no established network connection at that point.

Isn't this what having the computer authenticate with machine credentials when there's no user logged on is supposed to get around?

# Sep 26, 2008 21:55
|
> BangersInMyKnickers posted: Yes, but I have seen shops that don't do this and people log in to local accounts or with cached credentials so they don't realize there is something wrong.

Ahh. Click the checkbox, people!

# Sep 26, 2008 22:02
|
> ozmunkeh posted: GpNetworkStartTimeoutPolicyValue

Hmm, interesting timing. I was just coming in here to post a question about GPO-created drive preferences. I just switched our users over to having them created this way instead of via the old logon script method, and we're having sporadic complaints of "I logged in but I have no drives mapped" from end users. A logoff/logon or a reboot tends to fix it, so I know it's no problem with the GPO itself, and no events are logged in the client's event log to indicate why the drive mappings aren't created... they just silently fail for reasons I don't understand. These aren't wireless clients; they're hardwired and don't really have any problems contacting either of our two DCs, so I'm a bit unsure about what to check as I'm not a Group Policy wizard. Any thoughts? Is the KB ozmunkeh linked a good option to start with?

# Apr 1, 2009 21:00
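"No events are logged" is usually a matter of looking in the wrong log: the Application log says nothing about a preference item that fails, but the Microsoft-Windows-GroupPolicy/Operational log records each client-side extension (CSE) run, and event 7016 there is a CSE that finished with an error. The PowerShell below is an added example, not code from the thread or from Microsoft: it reads and sets the `GpNetworkStartTimeoutPolicyValue` DWORD that ozmunkeh's quote refers to (assumed, as in the KB, to live under the Winlogon key and to be a wait in seconds), and pulls 7016 events for the Group Policy Drive Maps CSE. The constructed sample events let it run offline; on an affected client, call `Get-DriveMapCseErrors` with no arguments to read the live log.

```powershell
# Added example (not from the thread): check the machine-policy network wait and
# surface Group Policy Drive Maps CSE failures from the Group Policy operational log.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$GpOpLog     = 'Microsoft-Windows-GroupPolicy/Operational'

function Get-GpNetworkStartTimeout {
    # Returns the configured wait in seconds, or $null when the value is absent and the
    # OS default applies.
    (Get-ItemProperty -Path $WinlogonKey -Name GpNetworkStartTimeoutPolicyValue `
        -ErrorAction SilentlyContinue).GpNetworkStartTimeoutPolicyValue
}

function Set-GpNetworkStartTimeout {
    # Makes the machine wait up to $Seconds for the network before processing policy at boot.
    # Requires an elevated shell; the range cap is the example's own sanity limit.
    param([Parameter(Mandatory)] [ValidateRange(1, 600)] [int] $Seconds)
    New-ItemProperty -Path $WinlogonKey -Name GpNetworkStartTimeoutPolicyValue `
        -PropertyType DWord -Value $Seconds -Force | Out-Null
}

function Get-DriveMapCseErrors {
    # Event 7016 = a CSE completed with an error. Filters to the Drive Maps extension by the
    # extension name that appears in the event message, so no EventData field names are needed.
    param(
        [object[]] $Events = (Get-WinEvent -FilterHashtable @{ LogName = $GpOpLog; Id = 7016 } `
                                -ErrorAction SilentlyContinue)
    )
    $Events |
        Where-Object { $_.Id -eq 7016 -and $_.Message -match 'Drive Maps' } |
        Select-Object TimeCreated, Id, Message
}

# Constructed sample records standing in for Get-WinEvent output (offline run).
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date '2009-04-01 08:02:11'; Id = 5016
                       Message = 'Completed Group Policy Registry Extension Processing in 120 milliseconds.' }
    [pscustomobject]@{ TimeCreated = Get-Date '2009-04-01 08:02:14'; Id = 7016
                       Message = 'Completed Group Policy Drive Maps Extension Processing in 31250 milliseconds.' }
    [pscustomobject]@{ TimeCreated = Get-Date '2009-04-01 08:02:15'; Id = 5016
                       Message = 'Completed Group Policy Drive Maps Extension Processing in 40 milliseconds.' }
)

"Configured GpNetworkStartTimeoutPolicyValue: $(Get-GpNetworkStartTimeout)"
"Drive Maps CSE failures in the sample:"
Get-DriveMapCseErrors -Events $sample | Format-Table TimeCreated, Id, Message -AutoSize
# Only the 7016 record is returned; the successful 5016 runs are dropped.
```

Correlate the 7016 timestamps with the logon times from the complaints: a failure that shows up a few seconds after boot on a wired client with a long elapsed time points at the network wait rather than at the preference item itself, which is the case the timeout value is meant for.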
|
Are you using the new Vista/Server2008 Group Policy Preference Objects, or old-school logon scripts? If the former, and the Vista computers have UAC turned on, you'll need to follow this KB to make it work.
|
# Jun 10, 2009 16:49
|
Same behavior for all users? Does local admin vs not make any difference?
|
# Jun 10, 2009 20:17
|
Are you using 802.1x authentication on the wireless network? My google-fu is failing me right now but I seem to remember that the delay involved there can cause GP processing to fail over a wireless connection.
|
# Jun 10, 2009 21:37
|
Any clue why I can't RDP into a Server 2008 terminal services server with NLA flipped on using an account from a trusted domain? Flipping off NLA or connecting using an account from the TS server's native domain with NLA enabled works fine. I get a "The Local Security Authority cannot be contacted" error in the first situation. My google-fu is failing me here.
|
# Sep 1, 2009 20:29
|
> sanchez posted: I've still never really seen a convincing argument for not doing this. It's probably not the best idea, but things seem to work fine with the internal and internet domains of an org matching.

It's not anything you should lose too much sleep over, no. However, if you're in a position to make that decision early on, do you

a) make the choice with potential problems later on
b) make the choice with no potential problems later on

There's just no good reason to NOT use .local or whatever. That's really the argument.

# May 10, 2010 15:56
|
> da sponge posted: It's annoying with DirectAccess and the NRPT (name resolution policy table). You need entries for each entity with your FQDN that has to be accessible to DA clients on public IPs.

*15 minutes of TechNet reading later*

Oh, yeah, I could see that being a problem.

# May 11, 2010 16:03
|
> SmellsOfFriendship posted: The resultant set of policy tool is really useful though.

I kinda hate RSOP since it uses the old layout for Group Policy options; am I missing some easy way to get GP options displayed in the same way that GPMC displays them?

# May 10, 2011 13:43
|
> Honey Im Homme posted: The problem is if I run this script as a GPO login script the printers don't get mapped and every login provides the popup with "Debug, client name: %CLIENTNAME%". Does anyone have any ideas how I can get around this, or an alternative method of mapping printers like this?

It sounds like when this is run via a GPO it's not converting the %CLIENTNAME% environment variable into a real value? See this article on pulling the local machine name with WMI.

# Oct 19, 2011 22:42
|
Can't you set an initial homepage with a preference item for your given version of IE?
|
# Nov 1, 2011 15:06
|
Yeah you could create a security group for your "cautious" users, make the GPO only apply to that group and have it take higher priority than your default user screensaver GPO. Or you guys could just hit Win+L when you get up from your desk.
|
# Jan 26, 2012 18:21
|
> babies havin rabies posted: It must be really nice to have users who are conscious of security

Somewhere in SHSC's history there was a guy who posted about his job, where everyone had laptops. If IT walked by your laptop and it was unlocked, they posted a note reminding you to lock it. There was no second note; IT would confiscate your laptop and you'd have to get it back from your manager after explaining why you couldn't follow simple instructions.

# Jan 26, 2012 19:07
|
> skipdogg posted: Don't worry about having too many GPOs. Just name them well so they're easy to organize. I'd rather have things separate and NEVER EVER EVER touch DDP. One guy that worked here before me messed up the DDP and managed to lock everyone out of the domain controllers or some poo poo.

Very early in my career, I took a look at what was even set in DDP. Finding nothing important, I unlinked it.

# Mar 14, 2012 01:11
|
This isn't a group policy question, but all the AD nerds hang out in here. Why can't I add users/groups from a trusted forest to a universal security group in my domain? When I go to add objects to a universal security group, I don't see the trusted forest at all, just my own. DNS is set up with conditional forwarders and is working fine; I can verify the trusts and they check out just fine.

# Jun 6, 2012 20:03
|
> InfiniteDonkey posted: I was part of a 4 domain (three 2003 ADs and one 2008 AD) merge a couple of years back. The 2008 AD was going to be where everything was going to be migrated, so we set up new file servers, Exchange, MOC, etc., in it. The funny thing was that we could only add the users from the trusted domains into domain local groups; universal groups didn't even see the other domains.

Huh. That's exactly the case for me as well. What the hell is going on with that?

# Jun 6, 2012 20:44
|
|
Before I dig into it, is anyone else having problems with group policy preference drive mappings in Windows 8 RTM?

edit: oh hey I guess not.

Mierdaan fucked around with this message at 17:44 on Aug 30, 2012

# Aug 30, 2012 17:41