Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Can anyone point me to a primer on Group Policy/Preferences (is there even a difference?). I figured it's about time I learn dat shizz....
*edit* Online, print, don't care about the format.

Mr. Clark2 fucked around with this message at 17:10 on Aug 13, 2013


Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Just wanted to say thanks to whoever recommended PDQ for remote software installs. I've been testing it all day and it's working like a charm. Now I just need to convince my boss to drop $225 on it.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

What are you all using for remote user assistance/screen viewing type duties? I seem to remember MS small business server having something built in (though it's been a while since I've used it and could be misremembering), but can't seem to find anything equivalent in server 2008 or AD. I know that remote desktop is available, but I often have the need to view the user's screen at the same time as them, while they're logged in. We've been muddling along with join.me, but walking people through that, as easy as it is, has become tiresome.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

EAT THE EGGS RICOLA posted:

In the same domain? msra /offerra will give you Windows Remote Assistance.

Thanks for this info, I knew it existed but couldn't think of the name. Set up a GPO to enable it, works like a charm :D

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Orcs and Ostriches posted:

Another question. Is Nagios still the go-to monitoring solution? That'll probably be my next project, so I'm wondering where else (if anywhere) I should look?

I'm using Opsview (a Nagios fork), I found it much easier to set up and configure but YMMV.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

You might want to set up wireshark on the different servers and sniff some traffic to see if you can notice a difference.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

I reset password, do my thing, then call and leave them a voicemail asking them to call me to get their new, temporary password, then walk them through changing it to one of their choosing.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Docjowles posted:

When I did user facing IT I never wanted to know their password. In reality 99% of the time it's not actually a big deal but I just didn't want the liability of being able to say I knew the pw for the head of HR or whatever. Since without fail it was the name of their grand kid or their college team's mascot or something with the number 1 after it. Doesn't take a rocket scientist to know what they will change it to when you leave.

Edit: to actually answer the question I always reset their password and then set it to force them to pick a new one on next login when I was done. I guess that wouldn't always work if your users are using their AD login primarily for something other than normal desktop use but thankfully I didn't have to deal with that.

At least once a month I'll have a user try to tell me their password followed by some variation of "It's the same one I use for everything!". Luckily for them, I'm a professional and an honest man.
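The reset-then-force-change routine from the posts above, as an added example (not from any poster in this thread): the helpdesk sets a random temporary value, flags the account so that value expires at first logon, and hands it over once by phone. The function names and the account name `jdoe` are constructed for illustration.

```powershell
# Added example. Function names and the account 'jdoe' are constructed placeholders.
Import-Module ActiveDirectory

function New-TemporaryPassword {
    param([int] $Length = 16)

    # Look-alike characters (0/O, 1/l/I) are left out because the value is read over the phone.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789'
    $limit    = 256 - (256 % $alphabet.Length)   # bytes at or above this are rejected to avoid modulo bias
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer   = New-Object byte[] 1

    try {
        do {
            $sb = New-Object System.Text.StringBuilder
            while ($sb.Length -lt $Length) {
                $rng.GetBytes($buffer)
                if ($buffer[0] -lt $limit) {
                    [void] $sb.Append($alphabet[$buffer[0] % $alphabet.Length])
                }
            }
            $candidate = $sb.ToString()
            # The default AD complexity policy requires three character classes; retry until all are present.
        } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and $candidate -match '\d')
    }
    finally {
        $rng.Dispose()
    }
    $candidate
}

function Reset-PasswordWithForcedChange {
    param([Parameter(Mandatory)] [string] $Identity)

    $plain  = New-TemporaryPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $secure -ErrorAction Stop

    # Expire the temporary value at first use, so the helpdesk never knows the password
    # the user ends up with. This call fails for accounts flagged PasswordNeverExpires,
    # and it does not help accounts that never do an interactive logon.
    Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true -ErrorAction Stop

    $plain   # emitted once for the phone hand-off; do not log or e-mail it
}

# Usage (constructed account name):
# $temp = Reset-PasswordWithForcedChange -Identity 'jdoe'
```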

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Riso posted:

There's barely a reason to not outsource email until you have at least 100 people.

We have approximately 300 users and still outsource email. gently caress Exchange right in its rear end.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

What are y'all using for MDM? We're currently planning a deployment of approximately 100 ipads for students and need software to remotely manage them. We'd like it to be as close to 0 touch as possible. I know about the big ones like Mobile Iron and Maas360 but I'm interested in hearing about how these things actually work in a production environment and people's experience with them.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

I'm looking for something completely cloud-based, I don't feel like managing more hardware and software than I already have to. Checking out Airwatch now, it's looking the best so far.
Since I have essentially 0 experience with this, I have one quick question...can I lock down a device to the point where the user will be unable to delete an app? These are going to be deployed to teenage students, and I can guarantee that the first thing they're going to try and do is to delete poo poo just to mess around. These will all be company owned devices so I'm not worried about hurting their feelings or messing with their personal apps.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

We really just need the ability to:

Add/remove apps remotely
Disable camera, imessage, email and other apps
Restrict ability to install apps
Remote wipe
Prevent user from changing settings
Restrict the device to only join specific wifi networks
Ability to physically locate the device on a map
Some reporting would be nice

Geofencing would be nice but isn't a necessity
Don't really need all the content management/protection stuff that the more business oriented solutions seem to offer, we really just need to keep them from screwing them up, and easy, remote fixing when they eventually do screw them up. I'm pretty much the entire IT dept. so managing these things from my desk without having to touch them is paramount.

Also, is there some equivalent to WDS and an 'image' like on the PC side? Like when one of these kids screws up the ipad, I can just revert it to a known, clean image. Preferably remotely.
Sorry if these are dumb questions but I don't have any experience with ios devices in the enterprise, only for personal usage.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

In one of our buildings we have roughly 20-25 laptop users. When these machines are here and plugged into the network via an ethernet cable, the wireless adapter and the wired interface both pull an IP address via DHCP (currently handled by some lovely Adtran box, it was like that when I got here, working on fixing that in the near-future). Is there some way of stopping the wireless interface from requesting/getting an IP address when the cable is plugged in? Short of asking these users to switch the wifi interface off when they're here, that's not really an option.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

MrMoo posted:

That is how it should work, what is the problem you are trying to actually solve?

The wifi interface taking up an IP address when it doesn't need to. When I ping the machines, I get replies from the IP assigned to the ethernet interface, the users are able to work, so there is no real problem per se, but...maybe I'm just sperging over it unnecessarily.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Thanks Ants posted:

It shouldn't be an issue. Just set your DHCP lease time on your wireless network to a non-crazy duration.

Is it actually causing any problems?

Nope, no problems. Like I said, it's probably just me sperging over nothing. I was just hoping that there was something I could do quickly via GPO or similar. I've found a script that will do this, but since it's not causing any problems, I'm just going to leave well enough alone and double check the lease time on the wifi.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

On a windows 2k8R2 server with no TPM is there a way to use Bitlocker to encrypt the drive that does NOT require user intervention when the server reboots? If not Bitlocker, something else? The server has a few shares on it, so any encryption would have to be done so that it doesn't impact users.
I ask because this server is in a location about an hour away so having someone sit there and enter a password/hardware key isn't really feasible and a couple weeks ago someone drove their car through the front of the building, so obviously it's not the most physically secure location.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

I'm working on setting up software restriction policies in my domain at work. I followed that NSA .pdf file and I've got the GPO set up as a user policy, and I'm whitelisting. I've got the GPO applied to a set of test users and for the most part things are working correctly, with one very large problem...Internet Explorer launches, stays on screen for about 3-5 seconds and then closes. The weird part is that nothing is getting written to the event log when this happens, either under Application or the IE section. When I try to launch any other .exe from a denied location, I see the appropriate event get written to event viewer, so I know that much is working.
My current theory is that iexplore.exe is trying to spawn some process from a denied location, but I haven't had a chance to test that yet (weekend work is for suckas). I've whitelisted iexplore.exe but still no dice.
Any other ideas? This is on Win7 Pro, users are all non-admin accounts.

Mr. Clark2 fucked around with this message at 17:58 on Feb 7, 2015

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Thanks, I'll have a look at those things on monday. One other thing I noticed when looking at the shortcut that launches IE... it has "Start in" set to %homedrive%%homepath% whereas shortcuts that work all have start in set to their own directory in ProgramFiles. %HomeDrive% is a network share where the user has r/w access. These are all x86 machines so far, we only have a couple on x64, I'll have to add one of those to my test group.

*Update*
Well, this is getting weirder. Tested the GPO with a completely different user today and found that when it's applied on her workstation, IE does the same open, then quit thing. Walked her over to another computer (in the same OU), she logs in...and IE launches. Ran the GP results wizard and see that the same GPOs are being applied and the machines are members of the same groups. I'm stumped at this point :psyduck:

Mr. Clark2 fucked around with this message at 22:07 on Feb 9, 2015

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Anybody had experience with rolling out the new Skype for Business ™ yet? My boss has a huge hard on for this software and has tasked me with rolling out to about 150 workstations and laptops.
We're using PDQ deploy to do remote installs so normally this isn't a problem but I can't even find a proper installer. I can find Lync installers all day long but the only Skype for Business installers I can find are trial versions that will apparently expire on May 1st. And to make it even better, the one I found isn't even a .msi file but an .exe.
I've got about 150 endpoints that this needs to go on in a couple different offices so walking around with an installer on a USB drive ain't gonna cut it.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

At a remote office I'm going to be migrating DHCP duties from the current DHCP server, our router, to the win2k8 r2 server that is located in the same office. I've put together a checklist of things to do to make the change but I'm wondering if I should delete all the DNS records for clients in this subnet just before I switch on the new DHCP service. Currently DNS records at this location are kinda...screwy (duplicates, and it looks like there may be AD replication issues, but that's a whole other problem), and I'd like the machines to pull fresh addresses from the new server and then update DNS with the new address. The subnet isn't changing, it's staying 192.168.30.x/24. It's only about 35 workstations at this location so we're not talking a large number of addresses. Am I overthinking this and is this step completely unnecessary?

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

devmd01 posted:

Turn on DNS scavenging and secure dynamic DNS updates, that should fix your "screwy" DNS records. You don't have to delete the DNS records when you switch to the new dhcp server, everything will self resolve eventually once you have DNS scavenging and secure dynamic DNS updates turned on.

Muchas gracias senor!

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Zero VGS posted:

loving finally, as of today Microsoft actually figured out how to let Skype for Business users add Skype-name-only Skype contacts (as in early skype accounts created with no Microsoft account).

Now I can use it as a direct GoToMeeting replacement. All I need is a standalone installation file, anyone know where to find one?

The closest I can find is this: http://www.skype.com/en/business/downloading/

No, that's not "Skype for Business", it's "Skype, for your Business". Suck my dick Microsoft!

Let me know if you find one. A few weeks ago I spent pretty much an entire day looking for a standalone installer with no luck. Ended up installing Lync, and after a poo poo-ton of Office 2013 updates it just kinda 'turns into' Skype for Business.
MS deciding to deploy a business app in this manner is pretty boneheaded but what do I know.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Zero VGS posted:

Nope, there's a tab to download Skype for Business in the OWA portal, but when you click it the fine print says "lol just install Office 365 it'll be in there!"


Found it, Microsoft support ticket worked for once:

code:
From the verbatim, the issue you're experiencing is: Need standalone MSI or installer for Skype for Business.
 
We currently do not have a .MSI file for mass deployment of skype for business but you can extract the .MSP file after following the below information.
 
You can download the May 2015 SfB update from here and extract this file using the following command after navigating to the location where the file is downloaded on Command prompt:
 
mso2013-kb3039700-fullfile-x64-glb.exe /extract:c:\SfBmsp
 
This will provide you the .msp file which can be deployed through group policy.
 
If this doesn’t work for you can we would need to get in touch with the office subscription team as they would be able to help you with the mass deployment of skype for business alone for all your users.
They will help you deploy the skype for business client as a click to run software which would be in a package but centrally located in your organization.
The following articles would help you understand the same.

Tried this but when I try to deploy the extracted file, I get an "Application to be patched is not installed". This is both on a machine with Lync 2013 and without.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

GreenNight posted:

3rd party Windows apps. Java, Flash, etc. Someone on IRC mentioned Ninite Pro which looks pretty good.

We're using PDQ Deploy, works pretty well in our environment (about 200 workstations), not sure how well it would scale to large environments. That and removing flash/java from machines that don't absolutely require it ;)

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

More GPO chat:
I'm testing a GPP that installs printers based on security group membership using item level targeting. I've got it set up as a computer side preference, and in my testing so far it's working...with one small issue: the printers get installed properly but a standard user account is unable to delete the printers, you get an "access denied" message when trying. If the same user adds the same printer manually, they can delete it afterwards, so the behavior only applies to the printers that are pushed out via group policy.
Any ideas why this is happening?

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Dr. Arbitrary posted:

Weird Group Policy issue.

I've got a GPO with some inbound port exceptions for the firewall.

When I view the GPO report, it shows a bunch of them, but when I go into the editor, some are missing.

How do I even begin to troubleshoot this?

I'm thinking Powershell, but Get-GPO -guid xxxx-xxxx.... Doesn't give me much.

Anything showing up in event viewer? (windows logs--Application)

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Until recently I created my reference image on a physical machine and had no problems deploying this image to workstations using MDT. I have recently switched to using a VM to create the reference image using a copy of win 7 pro downloaded from Microsoft's VLSC. I can create and capture the image without issue but I'm running up against a problem with licensing.
We purchase each workstation with an OEM license for windows 7 pro. I image the machines with the same edition of windows as what we purchase with the machine, but the newly created reference image will not activate. When I try to activate it, I get a DNS error saying that it can't find the server. Running slmgr /ato generates the same error.
So it looks like the new reference image is not pulling the OEM key from the BIOS, and is instead trying to activate using an internal KMS, which we do not currently have.
Older reference images that I've created from a physical machine do not have this problem, they deploy and activate with no fuss.
Is there some way to get the new reference image to use the OEM key from the BIOS to activate? Hopefully this is all kosher as googling for answers gives me conflicting information.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

skipdogg posted:

If you're using Volume License media, you should be using a Volume License Key to activate windows. If you're not providing the key as part of your imaging process, the Windows client is looking for a KMS server and not finding it as you've noticed.

I don't know about getting Windows to read the OEM key from the bios, but that's technically a violation of the license agreement. Use the VLK you should have.

I'll have to double check when I'm back at work tomorrow, but I think the keys that we were provided are MAK and not VLK. Not sure of the distinction, this licensing seems needlessly complex and confusing. I reimage machines pretty frequently and burning a MAK every time I do so (then having to call and obtain more keys) seems like it would be quite limiting.
The MS document available here: https://www.microsoft.com/en-us/licensing/learn-more/brief-reimaging-rights.aspx seems to suggest that what I'm doing is allowed.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Noticed something odd the other day. When I create users using ADUC and fill in the "Home Folder" field with \\server\\share\username, as soon as I click the apply button, the corresponding directory is automatically created at \\server\share\username. If I use powershell to create users using New-ADUser -HomeDirectory (I can never remember, are these parameters or properties?), the path gets set correctly, but no folder gets created. I also tried using Set-ADUser -HomeDirectory, and again, the path gets set on the object, but no folder is created? I've confirmed that the user context the script ran in had permissions to create the folder so it's not a permissions issue. Is this by design, or is there something screwy in my environment that I need to fix?
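The difference described in the post above, as an added example (not from any poster in this thread): `New-ADUser` and `Set-ADUser` only write the home directory attribute on the object, so a script has to create the folder and its ACL itself. The function name, share root, drive letter and account name are constructed placeholders, and granting Modify rather than Full Control is a choice made here.

```powershell
# Added example. \\server\share, H: and 'jdoe' are constructed placeholders.
Import-Module ActiveDirectory

function New-UserHomeFolder {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $ShareRoot,      # e.g. \\server\share
        [string] $DriveLetter = 'H:'
    )

    # Resolve the account first so the ACL is written against its SID, not a typed name.
    $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
    $path = Join-Path -Path $ShareRoot -ChildPath $user.SamAccountName

    # Create the folder only if it is missing; an existing folder is left in place.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path -ErrorAction Stop | Out-Null
    }

    # Add one explicit rule for this user, inherited by files and subfolders.
    # Whatever the folder inherits from the share root is left untouched.
    $acl  = Get-Acl -LiteralPath $path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $user.SID,
        'Modify',
        'ContainerInherit,ObjectInherit',
        'None',
        'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl -ErrorAction Stop

    # Only now point the AD object at the folder, so the attribute never
    # references a path that does not exist.
    Set-ADUser -Identity $user -HomeDirectory $path -HomeDrive $DriveLetter -ErrorAction Stop

    # Return what was done so the caller can review or log it.
    [pscustomobject]@{
        User          = $user.SamAccountName
        HomeDirectory = $path
        HomeDrive     = $DriveLetter
    }
}

# Usage (constructed values):
# New-UserHomeFolder -SamAccountName 'jdoe' -ShareRoot '\\server\share'
```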

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Received an agency-wide email earlier informing everyone that a coworker from another department passed away last night after a long bout with some terminal disease. My first thought, "Hmmm, guess I can disable his AD account now" :dukedog:

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

We currently have 4 remote locations that we're trying to 'bring into the fold' as it were. The locations all have 1-2 PCs each and standard residential cable internet access. We would like to be able to: setup a VPN, deploy a single VOIP phone at each location, manage the network, provide some protection (IDS/IPS, content filtering) and have some monitoring and reporting capabilities. To this end, we're looking at Meraki gear. It looks like we would need a Z1 at each of the remote sites, and then something like an MX64 back at our main location.
Anyone here have any experience with this setup and Meraki gear in general? I know that they pretty much turn to bricks if you don't keep them licensed, but it's not really my money and they look like they'll do everything we're looking for.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Moey posted:

This.

We have about 10 smaller remote sites connected via Meraki VPN. It is boring how simple it is. We also are running Meraki APs and access layer switches everywhere else. Feel free to let me know if you have any questions Mr Clark.

Do you know if the Z1 will do site to site VPN to non-Meraki gear? We currently have a Watchguard at our corporate HQ and I'm thinking of rolling out the Z1 to our small branch offices. I know that the MX stuff will do it, and I'm just wondering if I'm going to have to get one of those at HQ just to handle the VPNs or if the Watchguard will be able to link up with them. Thanks.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

A question for anyone successfully using MDT to perform an upgrade from Windows 7 pro to Windows 10 pro: Where did you get the Win10 media to import into MDT? I've used the official MS media creation tool to download .iso files, but they don't import into MDT. I found different .iso files on some MS 'techbench', those will import into MDT but then my task sequence fails with various vague error messages that I have so far been unable to solve.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Redownloaded and imported the x64 image and surprisingly, it worked this time...at least in my test VM :iiam:
Redownloading the x86 iso now, got my fingers crossed.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Swink posted:

The media creation tool won't give you the correct media. You need the VL media as it contains the required WIM files.

Evaluation version will probably work?

The version I got from MS tech bench seems to work but now I'm running into what looks to be driver problems. For those of you doing this, did you make a new deployment share just for Win10? I stuck my Win10 images/drivers/task sequences on the same deployment share as all my Win7 crap but I fear that may be causing me problems. All instructions that I'm finding online are starting clean in a lab environment, I'm not finding much about running it in production.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Wrath of the Bitch King posted:

I advise following this model, if you can:

http://deploymentresearch.com/Research/Post/325/MDT-2013-Lite-Touch-Driver-Management

Generally you want your selection profiles to only pertain to drivers of a particular operating system from within the Task Sequence context. PnP is great, but it isn't infallible; I'm a big fan of "Option 3" from the link above.

Thanks, that got me sorted. I've gone ahead and ordered his "Deployment Fundamentals Volume 6".

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

How are you guys handling start menu layout in Win10 Pro?
I don't know who at MS thought it was a good idea to include a bunch of bullshit 'apps' (xbox, minecraft, twitter) in the default menu and then not give you a way of managing it via GPO. I know that there is a GPO to define a start menu layout, but that has its own drawbacks...you have to set it up on a reference machine, need a separate file for x86 and x64, users can't add items, etc.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

GreenNight posted:

I powershell them out in my capture image.

Any scripts you'd care to share? Right now I'm doing in-place upgrades so I wish I had some way of doing it programmatically, but when I start doing clean installs some scripts would be helpful.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

BaseballPCHiker posted:

There are also a ton of Windows 10 specific GPOs that you can use to lock down the store, using metro apps, location services, etc.

Yeah, I saw those while poking around yesterday but most of them are actually for Win10 Enterprise/Education editions only...even though there's no mention of that in the description of the GPO :\


Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

orange sky posted:

Oh god this thread is triggering me I've been fighting with the Win10 apps in the Enterprise edition this is the dumbest loving thing who puts xbox apps in an enterprise software? Holy poo poo.

I uninstalled them in the reference machine, I'm using copyprofile with my unattend and the loving thing STILL INSTALLS everything when I create a new profile. I think it silently connects to Windows Update and downloads the stuff or something. We even tried the remove-appxprovisionedpackage thing but when we create a new profile there it is.

Who thought this was a good idea and made it so hard to get through? gently caress you buddy.

Glad to see it's not just me :D

*update*
Banged out a quick ps script to remove all the included apps and ran it as admin, success!
Reboot, log in as a standard user...they're all back. gently caress me :\

Mr. Clark2 fucked around with this message at 23:21 on Jul 1, 2016
