Mierdaan
Sep 14, 2004

Pillbug
I saw this thread title and assumed some lame thread asking how to do something rudimentary with GPOs. Imagine my surprise when I saw the wall of awesome text Bangers knocked out. Voted 5, bookmarked.


Mierdaan
Sep 14, 2004

Pillbug

BangersInMyKnickers posted:

Java stuff

Will this work fine for a client that already has non-package-deployed java installed?

Mierdaan
Sep 14, 2004

Pillbug

BangersInMyKnickers posted:

I just have an extreme hatred for lanmanager and lm hashes because of their terrible design and never want them on a system.

Glad it's a lazy Friday; I just set our LAN Manager authentication to "Send NTLMv2 response only. Refuse LM & NTLM" and broke a bunch of poo poo :D Glad nobody was really around to care... Any clue why this would've caused multiple users to get locked out, all of whom are running at least XP Pro SP2?

Mierdaan
Sep 14, 2004

Pillbug

BangersInMyKnickers posted:

Where was authentication failing to? We have a NetApp filer and access to that became problematic with only NTLMv2 until we applied a firmware update. Network appliances would be the most likely source of trouble, or some clients applied the policy at different times and stopped talking to each other properly. A safer method of switching would be to increment to "Send NTLMv2 response only, refuse LM" and then bump it up to "Send NTLMv2 response only, refuse LM and NTLM" a few days later. If you have something that still wants to authenticate with LM, well... ouch. Also check your domain and forest functional levels for the hell of it.

Test this stuff on individual systems first for the love of god.

I didn't get time to look closely before backing the change out, but my inclination is that it was Outlook trying to auth via NTLM to Exchange 2007.

Though, while our domain functional level is definitely at 2003, apparently the forest is at 2000 (we have no other domains, nor any non-2003 DCs). I didn't even know that until just now; would that be forcing something to use a lower level of NTLM authentication than v2?

Mierdaan
Sep 14, 2004

Pillbug

BangersInMyKnickers posted:

I was more asking to make sure you didn't have some old NT4 controllers sitting around or something weird like that. Kerberos is what you should be authenticating with in a domain unless you are going by the IP instead of hostname, the other machine isn't on the domain, or your ports aren't open right. Then it will default down to NTLM or LM. Any of those apply to you?

Nope :(
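
An added check, not something either poster put in the thread: before moving the "LAN Manager authentication level" setting to refuse LM/NTLM, read the successful network logons off a DC's Security log and see which packages are actually in use. The LmCompatibilityLevel registry value and the 4624 event fields are real; the 7-day window and the filter to logon type 3 are my choices for the example.

```powershell
# Added example (not from the thread): inventory LM / NTLMv1 / NTLMv2 / Kerberos use
# before raising LmCompatibilityLevel. Run elevated on a domain controller.

$levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

# Current setting on this box (absent = OS default for that Windows version).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
if ($null -ne $lsa.LmCompatibilityLevel) {
    "LmCompatibilityLevel on {0}: {1} ({2})" -f $env:COMPUTERNAME, $lsa.LmCompatibilityLevel, $levels[[int]$lsa.LmCompatibilityLevel]
} else {
    "LmCompatibilityLevel on {0}: not set (OS default)" -f $env:COMPUTERNAME
}

# Successful logons (4624) from the last 7 days. AuthenticationPackageName is
# "Kerberos" or "NTLM"; LmPackageName is "LM", "NTLM V1", "NTLM V2" or "-" for Kerberos.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction Stop

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # Only network logons (type 3): that is where filers, printers and old clients fall back to LM/NTLM.
    if ($d['LogonType'] -ne '3') { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Workstation = $d['WorkstationName']
        SourceIp    = $d['IpAddress']
        Package     = $d['AuthenticationPackageName']
        LmPackage   = $d['LmPackageName']
    }
}

# Overall mix: anything arriving as LM or NTLM V1 breaks the moment you go to level 5.
$rows | Group-Object Package, LmPackage | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# The offenders by source host, so you can fix or firmware-update them (NetApp, anyone?) first.
$rows | Where-Object { $_.LmPackage -eq 'LM' -or $_.LmPackage -eq 'NTLM V1' } |
    Group-Object Workstation, SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it on every DC (each one only logs the authentications it handled), fix whatever shows up as LM or NTLM V1, step the policy to level 4, re-run a few days later, then go to 5.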

Mierdaan
Sep 14, 2004

Pillbug
Are the CSEs included in XP SP3 and/or Vista SP1? Do I need to worry about pushing those out separately?

Mierdaan
Sep 14, 2004

Pillbug
Got it, thanks. It actually doesn't show as being compatible with XP SP3 in WSUS, so I'm glad I hadn't pushed that out to clients yet...

Mierdaan
Sep 14, 2004

Pillbug
If a service is set to disabled on a client, will adding it under Computer Configuration->Preferences->Control Panel Settings->Services, set to

Action=Start Service
Startup Type=Automatic

do what I think it'll do? It hasn't yet and I don't know if I'm impatient or doing something wrong.

edit: yes it does, if I actually have 943729 installed instead of just thinking that I do.

Mierdaan fucked around with this message at 17:45 on Sep 19, 2008
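
An added example, not from the thread: the quick way to confirm the Group Policy Preference client-side extensions are actually registered on a client before blaming the GPO. Without them the preference items still arrive in the policy but nothing on the client applies them, which is the "Start Service / Automatic did nothing" symptom above. The GPExtensions registry path and gpprefcl.dll are real; the target service name is an assumption.

```powershell
# Added example (not from the thread): verify the Group Policy Preference CSEs exist on
# this client and see what the Services preference item did. Run in an elevated shell.

$gpExt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

# Every registered CSE is a GUID subkey; the default value is its display name.
$cses = Get-ChildItem -Path $gpExt | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        Guid        = $_.PSChildName
        DisplayName = $p.'(default)'
        Dll         = $p.DllName
    }
}

# All of the preference CSEs (Drive Maps, Services, Registry, ...) live in gpprefcl.dll.
$prefCses = $cses | Where-Object { $_.Dll -like '*gpprefcl.dll' }

if (-not $prefCses) {
    Write-Warning 'No Group Policy Preference CSEs registered here. On XP/2003/Vista install KB943729; Server 2008 and Windows 7+ ship with them.'
} else {
    "Preference CSEs registered: {0}" -f @($prefCses).Count
    $prefCses | Sort-Object DisplayName | Format-Table DisplayName, Guid -AutoSize
}

$svcCse = $prefCses | Where-Object { $_.DisplayName -eq 'Group Policy Services' }
if (-not $svcCse) { Write-Warning 'Services preference CSE missing: Services items will never be applied.' }

# What the Services item should have produced. Service name is an assumption for the example.
$serviceName = 'Spooler'
Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'" |
    Select-Object Name, State, StartMode | Format-Table -AutoSize

# A preference item that failed to apply logs warning 4098 in the Application log,
# with the CSE display name as the event source.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Group Policy Services'; Id = 4098 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap
```

If the CSE list is empty, `gpresult /r /scope:computer` will still happily show the GPO as applied, because the policy was downloaded; it just had nothing on the client to act on it.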

Mierdaan
Sep 14, 2004

Pillbug

BangersInMyKnickers posted:

You're not doing something weird like having workstations on a wireless network so there is no established network connection until a user logs in, are you? That could cause the symptoms you are describing where the machine receives the policy but the next time it reboots and the machine policy executes there is no established network connection at that point.

Isn't this what having the computer authenticate with machine credentials when there's no user logged on is supposed to get around?

Mierdaan
Sep 14, 2004

Pillbug

BangersInMyKnickers posted:

Yes, but I have seen shops that don't do this and people log in to local accounts or with cached credentials so they don't realize there is something wrong.

Ahh. Click the checkbox, people! :argh:

Mierdaan
Sep 14, 2004

Pillbug

ozmunkeh posted:

GpNetworkStartTimeoutPolicyValue

Hmm, interesting timing. I was just coming in here to post a question about GPO-created drive preferences. I just switched our users over to having them created this way instead of via the old logon script method, and we're having sporadic complaints of "I logged in but I have no drives mapped" from end users.

A logoff/logon, or a reboot tends to fix it, so I know it's no problem with the GPO itself, and no events are logged in the client's event log to indicate why the drive mappings aren't created... they just silently fail for reasons I don't understand. These aren't wireless clients, they're hardwired and don't really have any problems contacting either of our two DCs, so I'm a bit unsure about what to check as I'm not a Group Policy wizard.

Any thoughts? Is the KB ozmunkeh linked a good option to start with?
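
An added example, not part of the original post, for the "drives missing on first logon, fine after a second one" symptom described above. It reads the two Winlogon settings involved (the GpNetworkStartTimeoutPolicyValue ozmunkeh pointed at, and the "Always wait for the network at computer startup and logon" policy), then pulls what the Drive Maps CSE itself logged. Registry locations and event sources are real; the 60-second timeout value is only an illustration.

```powershell
# Added example (not from the thread): triage silently failing Drive Maps preference items.
# Run elevated on an affected client.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policyWl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

# 1. Is user policy processed synchronously (wait for the network) or with fast logon optimisation?
$sync = (Get-ItemProperty -Path $policyWl -ErrorAction SilentlyContinue).SyncForegroundPolicy
# 2. How long does Group Policy wait for the network stack before processing without it?
$timeout = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).GpNetworkStartTimeoutPolicyValue

"SyncForegroundPolicy             : {0}" -f $(if ($null -eq $sync) { 'not set (fast logon optimisation on)' } else { $sync })
"GpNetworkStartTimeoutPolicyValue : {0}" -f $(if ($null -eq $timeout) { 'not set (default)' } else { "$timeout s" })

# 3. What did the Drive Maps CSE say? Failed items are 4098 warnings in the Application
#    log with the CSE display name as source...
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Group Policy Drive Maps' } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# ...and the Group Policy operational log records each CSE run with the 4xxx/5xxx/6xxx/7xxx
#    scheme (start / success / warning / error), so 6016 and 7016 are the interesting ones.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 6016, 7016 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Drive Maps*' } |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# Remediation (off by default here): give the network time to come up before policy runs.
# Both settings are better delivered by GPO to the affected OU; this is the local equivalent.
$apply = $false
if ($apply) {
    New-ItemProperty -Path $winlogon -Name GpNetworkStartTimeoutPolicyValue -PropertyType DWord -Value 60 -Force | Out-Null
    if (-not (Test-Path $policyWl)) { New-Item -Path $policyWl -Force | Out-Null }
    New-ItemProperty -Path $policyWl -Name SyncForegroundPolicy -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host 'Reboot to test.'
}
```

If the operational log shows the Drive Maps extension finishing before event 5308/5326-style network discovery completes, the timeout is your problem; if 4098 warnings name a specific share, it is the item itself.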

Mierdaan
Sep 14, 2004

Pillbug
Are you using the new Vista/Server2008 Group Policy Preference Objects, or old-school logon scripts? If the former, and the Vista computers have UAC turned on, you'll need to follow this KB to make it work.

Mierdaan
Sep 14, 2004

Pillbug
Same behavior for all users? Does local admin vs not make any difference?

Mierdaan
Sep 14, 2004

Pillbug
Are you using 802.1x authentication on the wireless network? My google-fu is failing me right now but I seem to remember that the delay involved there can cause GP processing to fail over a wireless connection.

Mierdaan
Sep 14, 2004

Pillbug
Any clue why I can't RDP into a Server 2008 terminal services server with NLA flipped on using an account from a trusted domain? Flipping off NLA or connecting using an account from the TS server's native domain with NLA enabled works fine. I get a "The Local Security Authority cannot be contacted" error in the first situation. My google-fu is failing me here.

Mierdaan
Sep 14, 2004

Pillbug

sanchez posted:

I've still never really seen a convincing argument for not doing this. It's probably not the best idea, but things seem to work fine with the internal and internet domains of an org matching.

It's not anything you should lose too much sleep over, no. However, if you're in a position to make that decision early-on, do you

a) make the choice with potential problems later on
b) make the choice with no potential problems later on

There's just no good reason to NOT use .local or whatever. That's really the argument.

Mierdaan
Sep 14, 2004

Pillbug

da sponge posted:

It's annoying with Direct Access and the NRPT (name resolution policy table). You need entries for each entity with your FQDN that has to be accessible to DA clients on public IPs.

*15 minutes of technet reading later*

Oh, yeah, I could see that being a problem.

Mierdaan
Sep 14, 2004

Pillbug

SmellsOfFriendship posted:

The resultant set of policy tool is really useful though.

I kinda hate RSOP since it uses the old layout for Group Policy options; am I missing some easy way to get GP options displayed in the same way that GPMC displays them?

Mierdaan
Sep 14, 2004

Pillbug

Honey Im Homme posted:

The problem is if I run this script as a GPO login script the printers don't get mapped and every login provides the popup with "Debug, client name: %CLIENTNAME%". Does anyone have any ideas how I can get around this, or an alternative method of mapping printers like this?

It sounds like when this is run via a GPO it's not converting the %CLIENTNAME% environment variable into a real value? See this article on pulling the local machine name with WMI.
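
An added example, not the script from the quoted post: a logon script that does not trust %CLIENTNAME% alone (it may still be unexpanded when a GPO logon script runs, hence the literal "%CLIENTNAME%" in the popup) and falls back to the local machine name via WMI, then maps printers by a naming convention. The site-prefix table and printer share names are made up for the example.

```powershell
# Added example (not from the thread): map printers per client site in a GPO logon script.

function Get-ClientName {
    # 1. Terminal Services / RDP session: CLIENTNAME is set per session. Treat an
    #    empty value or an unexpanded "%CLIENTNAME%" as "not available yet".
    if ($env:CLIENTNAME -and $env:CLIENTNAME -ne '%CLIENTNAME%') { return $env:CLIENTNAME }
    # 2. Console logon or variable not populated: the local machine is the client.
    return (Get-WmiObject -Class Win32_ComputerSystem).Name
}

# Assumed convention: the first three characters of the client name are the site code.
$sitePrinters = @{
    'NYC' = @('\\print01\NYC-Floor2-MFP', '\\print01\NYC-Floor2-Color')
    'LON' = @('\\print02\LON-Main')
}

$client = Get-ClientName
$site   = $client.Substring(0, [Math]::Min(3, $client.Length)).ToUpper()

if (-not $sitePrinters.ContainsKey($site)) {
    Write-Warning "No printer mapping for client '$client' (site '$site'); nothing mapped."
    return
}

$net = New-Object -ComObject WScript.Network
foreach ($share in $sitePrinters[$site]) {
    try {
        $net.AddWindowsPrinterConnection($share)
    } catch {
        Write-Warning "Could not map $share : $_"
    }
}
# First printer in the site's list is the default.
$net.SetDefaultPrinter($sitePrinters[$site][0])
```

Logging $client to a file during testing makes it obvious whether the env var or the WMI fallback fired on a given logon.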

Mierdaan
Sep 14, 2004

Pillbug
Can't you set an initial homepage with a preference item for your given version of IE?

Mierdaan
Sep 14, 2004

Pillbug
Yeah you could create a security group for your "cautious" users, make the GPO only apply to that group and have it take higher priority than your default user screensaver GPO.

Or you guys could just hit Win+L when you get up from your desk.
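
An added example, not from the thread, of the group-filtered screensaver GPO described above, done with the GroupPolicy and ActiveDirectory RSAT modules. GPO, group and OU names are assumptions; the registry-backed policy values under Control Panel\Desktop are the real ones the screensaver policies write.

```powershell
# Added example (not from the thread): a "cautious users" screensaver GPO that applies only
# to one security group and outranks the default user screensaver GPO at the same OU.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName   = 'USR-ScreenSaver-Cautious'              # assumed
$groupName = 'GPO-ScreenSaver-Cautious-Apply'         # assumed
$targetOu  = 'OU=Users,DC=corp,DC=example'            # assumed; where the default GPO is linked

if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $targetOu | Out-Null
}

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# User-side policy values: screensaver on, password protected, 5-minute timeout.
$desk = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $gpoName -Key $desk -ValueName 'ScreenSaveActive'    -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $desk -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $desk -ValueName 'ScreenSaveTimeOut'   -Type String -Value '300' | Out-Null

# Security filtering: only the group gets Apply. Authenticated Users is dropped to Read only,
# not removed: after MS16-072 the computer account has to be able to read user GPOs.
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Link at the same OU with link order 1: lowest order is processed last and wins,
# so this GPO's timeout overrides the default screensaver GPO for group members.
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -Order 1 | Out-Null

Get-GPInheritance -Target $targetOu | Select-Object -ExpandProperty GpoLinks | Format-Table Order, DisplayName, Enabled
```

Check the result with `gpresult /h` as a group member and as a non-member; only the former should show USR-ScreenSaver-Cautious as the winning GPO for those three values.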

Mierdaan
Sep 14, 2004

Pillbug

babies havin rabies posted:

It must be really nice to have users who are conscious of security :smith:

Somewhere in SHSC's history there was a guy who posted about his job, where everyone had laptops. If IT walked by your laptop and it was unlocked, they posted a note reminding you to lock it. There was no second note - IT would confiscate your laptop and you'd have to get it back from your manager after explaining why you couldn't follow simple instructions.

Mierdaan
Sep 14, 2004

Pillbug

skipdogg posted:

Don't worry about having too many GPOs. Just name them well so they're easy to organize. I'd rather have things separate and NEVER EVER EVER touch DDP. One guy that worked here before me messed up the DDP and managed to lock everyone out of the domain controllers or some poo poo.

Very early in my career, I took a look at what was even set in DDP. Finding nothing important, I unlinked it :downs:

Mierdaan
Sep 14, 2004

Pillbug
This isn't a group policy question, but all the AD nerds hang out in here. Why can't I add users/groups from a trusted forest to a universal security group in my domain?
But when I go to add objects to a universal security group, I don't see the trusted forest at all; just my own:
DNS is set up with conditional forwarders and is working fine - I can verify the trusts and they check out just fine.

Mierdaan
Sep 14, 2004

Pillbug

InfiniteDonkey posted:

I was part of a 4 domain (three 2003 ADs and one 2008 AD) merge a couple of years back. The 2008 AD was going to be where everything was going to be migrated, so we set up new file servers, exchange, MOC, etc, in it. The funny thing was, that we could only add the users from the trusted domains into domain local groups, universal groups didn't even see the other domains.

Huh. That's exactly the case for me as well. What the hell is going on with that?
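
An added note and example, not from either poster. What both of them hit is by design: a universal group can only contain principals from its own forest, while a domain local group can also contain accounts and groups from a trusted domain in another forest (AD stores those as foreignSecurityPrincipal objects under CN=ForeignSecurityPrincipals). That is why the object picker offers the trusted forest for a domain local group and not for a universal one. The script below checks the scope rule before trying the add, and adds a cross-forest member by SID. Group, user and DC names are assumptions; the ActiveDirectory module cmdlets are real.

```powershell
# Added example (not from the thread): check group scope vs. member location before
# Add-ADGroupMember, and add a cross-forest account the way AD actually accepts it.
Import-Module ActiveDirectory

function Test-GroupCanHoldMember {
    param(
        [Parameter(Mandatory)][string]$GroupName,        # e.g. 'FS-Finance-RW' (assumed)
        [Parameter(Mandatory)][string]$MemberDnsDomain   # DNS name of the domain the member lives in
    )
    $group = Get-ADGroup -Identity $GroupName

    # DNS name of the group's own domain, derived from the DC= components of its DN.
    $groupDomain = (($group.DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=') -join '.'
    $sameDomain  = $groupDomain -eq $MemberDnsDomain
    $sameForest  = (Get-ADForest).Domains -contains $MemberDnsDomain

    switch ($group.GroupScope) {
        'DomainLocal' { return $true }        # own forest or any trusted forest (as a foreign security principal)
        'Universal'   { return $sameForest }  # any domain in the same forest, nothing outside it
        'Global'      { return $sameDomain }  # own domain only
    }
}

# Worked case from the thread: a user in a trusted forest, a universal group here.
$memberDomain = 'partner.example'            # assumed trusted forest
$universal    = 'FS-Finance-RW-Universal'    # assumed
$domainLocal  = 'FS-Finance-RW-DL'           # assumed

"Universal group can hold {0} member: {1}"    -f $memberDomain, (Test-GroupCanHoldMember $universal   $memberDomain)
"Domain local group can hold {0} member: {1}" -f $memberDomain, (Test-GroupCanHoldMember $domainLocal $memberDomain)

# Cross-forest add: resolve the account against a DC in the trusted forest and add by SID.
# Passing the foreign ADUser object directly often fails; the <SID=...> form is what LDAP accepts.
if (Test-GroupCanHoldMember $domainLocal $memberDomain) {
    $foreign = Get-ADUser -Identity 'jdoe' -Server 'dc01.partner.example'   # assumed user / DC
    Set-ADGroup -Identity $domainLocal -Add @{ member = "<SID=$($foreign.SID.Value)>" }

    # AD creates (or reuses) the foreignSecurityPrincipal object for that SID.
    Get-ADObject -LDAPFilter "(&(objectClass=foreignSecurityPrincipal)(objectSid=$($foreign.SID.Value)))" -Properties memberOf |
        Select-Object Name, memberOf
}
```

The usual pattern that falls out of this is AGDLP across forests: global groups in the trusted forest, nested into domain local groups in the resource forest, with permissions on the domain local groups.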


Mierdaan
Sep 14, 2004

Pillbug
Before I dig into it, is anyone else having problems with group policy preference drive mappings in Windows8 RTM?

edit: oh hey I guess not.

Mierdaan fucked around with this message at 17:44 on Aug 30, 2012
