Apologies if there's a better thread for this; it's in an enterprise context but not quite enterprise-scale itself. I'm in the running for a position that manages a computer lab of some 150–200 computers in a university setting. I had assumed it would be more or less a matter of keeping things running smoothly and making incremental improvements within a framework decided higher up the IT food chain. Turns out that's not the case at all. This division basically has its own IT department independent of the organization's actual IT department, which has basically left them to roll their own everything. What's more, the person I'd be replacing, who had been there for years and years, doesn't seem to have known what he was doing—and wasn't interested in learning. The most glaring evidence of that, to me, is the fact that imaging is done one-by-one with flash drives.

So, a massive overhaul is needed. I've been led to believe I'll have significant latitude to make changes, but my experience with setting up something like this from the ground up is, uh, thin. I've definitely got some studying to do, but I'd like to start getting a sense of what constitutes best practices in this sort of environment rather than blindly muddling through.

I don't have a complete picture of the place's assets and needs yet, but the gist is that the lab is currently sort of a hodgepodge of iMacs and Dell all-in-ones of various vintages, most of them older than any reasonable replacement cycle would involve. Many of the iMacs are currently dual-booting Windows, with Windows making up the vast majority of their use. The student body is only a few thousand, and I think they use Active Directory to authenticate users. I'm not sure what sort of server resources are available to this department. Sorting out deployment and administration seems like it should be my first order of business (after getting a better picture of what the hell's going on over there).

What tools should I be looking at for this sort of use case?

# ¿ Jun 28, 2018 20:21

# ¿ Apr 24, 2024 07:11

Internet Explorer posted:
> That all sounds fairly normal for a university. There's usually 100 different departments all doing their own "IT." The people who work for them (generally, don't murder me university folks) are comfortable in their ways and don't try to push the envelope, oftentimes because of the bureaucracy involved.

My current job is at a different university, so I can definitely attest to people being comfortable and set in their ways—frankly, I myself spent too long content with my current position. The extent to which IT functions are fragmented among different entities at the other place did come as a shock, though. Where I am now, there are a few servers managed by random professors, and we're not all the way there yet on centralizing hardware and software purchasing, but most technology-related issues do involve a single university-wide IT department. The place I'm waiting to hear from actually does have a relatively big IT department that ostensibly plays that sort of role, but in practice it seems to have a rather narrower focus, leaving a bunch of other departments to fend for themselves.

I'm big on documentation, so whatever I do will be meticulously recorded, but it's an open question how much I can get coworkers to play ball. As things stand now, they don't seem to have any kind of ticketing system, knowledge base, version control, etc. I'd like to see all of that implemented, but I won't be in a position to make that call for anyone but myself and maybe a subordinate or two, so it'll be a lot of leading by example. Thankfully, the new place does have Deep Freeze, which I have experience with, so that's one piece already in place.

How about SCCM? It offers integration with several of the tools discussed so far, so is there any downside to having it in the mix? I get the impression that it's a step up in complexity, but I need more than just an imaging solution anyway. It sounds like it's arguably overkill for the number of devices I'd be managing, but I'm eager to learn, and I'd like to have scalability in mind from the outset. I don't want to keep that job 'til I die, and I don't want that job to stay what it has been, either.

# ¿ Jun 28, 2018 22:41

Thanks Ants posted:
> Does Windows have a documented printer discovery method like macOS does? For example, if someone connects a Mac to our Wi-Fi network then I am advertising the printers into that VLAN by using the various mDNS helper services that access points, switches, firewalls etc. have baked into them now.

I can't say for sure, but if it's possible it's probably a bit of a pain, because PaperCut (which is dope, by the way) relies on discovery apps for Windows and Android, but macOS and iOS clients just see the printers with AirPrint. Presumably they'd avoid the hassle of developing those apps if they could.

Toast Museum fucked around with this message at 13:15 on Dec 5, 2018

# ¿ Dec 5, 2018 13:13

Thanks Ants posted:
> I'd be fine with PaperCut if this were a BYOD thing, but it's for guest users who might not be able to install an app. I'm really only focused on Windows as Macs are covered with AirPrint. Currently we are resorting to the print-by-email feature for guest printing but it's poo poo and the experience is massively different between each vendor.

Do you mean email-to-print built into your printers? If so, at the risk of sounding like a PaperCut shill, it does also feature email- and web-based printing, so users would have a consistent experience regardless of which device they printed to. It also supports Google Cloud Print, but I've found that to be a hassle on the client side. As a caveat, we didn't have much of a use case for those features, so I only tried them a couple times before pushing our users to the app. They seemed fine, but I'm not in a position to totally vouch for them.

# ¿ Dec 5, 2018 16:35

I'd like to do a dumb thing as correctly as possible. I manage the computers for one business unit in a moderately large organization. My unit's devices aren't part of the organization's Active Directory infrastructure, and joining it is untenable for dumb political reasons. I have no access to the organization's networking infrastructure beyond maybe getting a static IP assigned to a device. Given these constraints, is it possible for me to create a new AD forest for my unit? My main goal is to join the devices I manage to a domain so I can push computer policies to them. I don't need any kind of interaction between this new forest and the organization's extant forest. DNS seems like the sticking point. I don't have any control over the organization's DNS servers, and I don't want to gently caress with DNS for anyone outside my unit. My unit does have its own DNS subdomain, for what that's worth. What are my options here?

# ¿ Dec 14, 2018 20:32

skipdogg posted:
> So these machines are all just workgroup machines, no domain at all? That's an odd scenario.

Maneki Neko posted:
> Sounds like a terrible university setup or something to me.

YUP

For a variety of goofy historical reasons, the IT unit that's supposed to manage the enterprise only manages about 40% of its devices, and there are at least five other IT departments supporting individual business units. Since nobody trusts the enterprise IT unit, I'm under orders to keep them from being able to manage my unit's machines. On top of that, the guy I'm replacing was some special kind of fuckup who managed to make it to retirement without learning a goddamn thing about how to do his job, so everything to do with management is ad-hoc as hell. Thank you both for the software recommendations, and everyone else for the AD setup suggestions. I'll have to mull it over this weekend.

# ¿ Dec 15, 2018 01:34

BangersInMyKnickers posted:
> lol the central IT people are going to have your head one day

If this place made more sense, totally. As it is, they know that everyone is doing their own thing, and they don't seem to be making any effort to change that. I hate this square peg/round hole poo poo, and if it were up to me, I'd have gotten on board with their AD/Jamf situation on my first day. I got overruled, so I'm just trying to keep the wheels on the bus until something better comes along.

Edit:

FISHMANPET posted:
> University IT is a wild beast.

I don't, but I bet it's exactly the same shitshow as wherever you have in mind.

Toast Museum fucked around with this message at 19:57 on Dec 17, 2018

# ¿ Dec 17, 2018 19:54

AlternateAccount posted:
> Uhhh... wtf does AD put into attributes that have never been set? And why can't I just assign one $null?

Get-ADUser returns an ADUser object. The Properties parameter doesn't select the properties you specify; it just adds them to the object the command returns, so your second line is really asking whether the user object exists. It does, so you're getting $False. What you want is

`(Get-ADUser TESTUSER -Properties EmployeeNumber).EmployeeNumber -eq $Null`

or

`(Get-ADUser TESTUSER -Properties EmployeeNumber | Select-Object -ExpandProperty EmployeeNumber) -eq $Null`

Toast Museum fucked around with this message at 06:10 on Apr 26, 2019

# ¿ Apr 26, 2019 06:05

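An added example, not from the thread, that puts the wrong and right comparisons side by side and wraps the check in a helper that also copes with multi-valued attributes (which come back as an empty collection rather than $null). It assumes the ActiveDirectory module is available; TESTUSER is a placeholder account name.

```powershell
# Added example (not from the thread): why comparing the whole ADUser object to $null is
# wrong, and a helper that asks "is this attribute unset?" for both single- and
# multi-valued attributes. Assumes the ActiveDirectory module; TESTUSER is a placeholder.
Import-Module ActiveDirectory

function Test-ADAttributeUnset {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$Attribute
    )
    # -Properties adds the attribute to the returned ADUser; it does not narrow the
    # result to that attribute, so the object itself is never $null here.
    $user  = Get-ADUser -Identity $Identity -Properties $Attribute
    $value = $user.$Attribute

    # Unset single-valued attributes (e.g. employeeNumber) come back as $null.
    # Unset multi-valued attributes (e.g. otherTelephone) come back as an empty
    # collection, and "$value -eq $null" with a collection on the left FILTERS the
    # collection instead of comparing it, so the count has to be checked separately.
    # Keeping $null on the left of -eq avoids that trap.
    if ($null -eq $value) { return $true }
    if ($value -is [System.Collections.ICollection]) { return $value.Count -eq 0 }
    return $false
}

# The comparison from the question versus the corrected one:
$user = Get-ADUser TESTUSER -Properties EmployeeNumber
$user -eq $null                 # always False: the ADUser object exists
$null -eq $user.EmployeeNumber  # True when employeeNumber was never set

Test-ADAttributeUnset -Identity TESTUSER -Attribute EmployeeNumber
Test-ADAttributeUnset -Identity TESTUSER -Attribute otherTelephone   # multi-valued case

# To unset an attribute, clear it rather than assigning $null to it:
Set-ADUser -Identity TESTUSER -Clear employeeNumber
```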
Thanks Ants posted:
> Strongly recommend you get linked up with https://www.eduroam.org/about/institutions/. Faculty and students can then go to any participating school/college/university globally and will connect to the same Wi-Fi network with the same credentials that they use at the school that employs them / they attend.

I'll second that. My institution got on board a couple years ago, and it's quite handy.

# ¿ May 16, 2019 20:24

I've got an MDT issue I haven't been able to pin down yet. After the last reboot before the task sequence ends (literally all that's left is to display the summary and officially finish the sequence), the task sequence doesn't resume. All prior steps in the sequence appear to have been applied correctly. If I restart the computer myself at that point, the task sequence picks up where it left off and finishes. Anyone seen this behavior before?

# ¿ Sep 12, 2019 19:37

The Fool posted:
> Was there a password change or domain join? Any other changes to the account that MDT is using to deploy?

It logs in and sits at the desktop. There's no password change and no domain ().

# ¿ Sep 12, 2019 20:14

Toast Museum posted:
> I've got an MDT issue I haven't been able to pin down yet. After the last reboot before the task sequence ends (literally all that's left is to display the summary and officially finish the sequence), the task sequence doesn't resume. All prior steps in the sequence appear to have been applied correctly. If I restart the computer myself at that point, the task sequence picks up where it left off and finishes. Anyone seen this behavior before?

The Fool posted:
> Was there a password change or domain join? Any other changes to the account that MDT is using to deploy?

Toast Museum posted:
> It logs in and sits at the desktop. There's no password change and no domain ().

Some additional detail: a shortcut to LiteTouch.wsf is placed in the startup folder, but for some reason, on this one reboot, it doesn't run*. If I click the shortcut, the script runs, and the task sequence completes. If I restart the computer, the script runs, and the task sequence completes. So far, I can't figure out why the script doesn't run on startup for this single reboot. I tried adding Windows Defender exclusions for the shortcut in Startup, for c:\MININT, and for wscript.exe, but no dice. These computers aren't domain-joined, but looking at local group policy, there don't appear to be any relevant local policies configured. I haven't yet found anything in the event logs indicating that the script or executable were blocked.

* I guess it's also possible that it's running and doing nothing at that point, but I don't have any indication of that.

# ¿ Sep 13, 2019 18:08

The Fool posted:
> You have a pause in your task sequence somewhere. That is causing the shortcut to be created. The act of rebooting or running the shortcut resumes the task sequence.

Isn't that shortcut the mechanism by which the task sequence resumes after any planned reboot? I'm talking about a shortcut in Startup, not the "Resume Task Sequence" shortcut that gets put on the desktop if you have a pause step in the sequence.

In any case, the culprit appears to have been another item I was placing in the startup folder, a script which checked certain Explorer preferences and then restarted Explorer if any changes were made. Since it didn't restart Explorer on subsequent reboots, the task sequence was able to continue after that one reboot. That also explains why nothing about this was showing up in the MDT logs.

# ¿ Sep 16, 2019 18:05

More MDT issues: My deployment share includes drivers for a few recent models of iMac. To deploy to those machines, WinPE needs to include a storage driver for the SSD. The trouble is that when WinPE does include that driver, the Gen 1 Hyper-V VM I've been testing with tries to use it and bluescreens immediately. I tried including the driver Hyper-V normally uses in the WinPE image, but it didn't seem to make a difference. Anyone seen something like this? Is there a way to force WinPE to use certain drivers on a given machine, or am I stuck with using a separate WinPE image for VMs?

# ¿ Sep 24, 2019 14:51

The Fool posted:
> The answer is yes, you can filter drivers by almost any criteria you can think of, it just takes a bit to set up.

Thanks. To be clear, the question isn't about how to limit which drivers get included in the WinPE image. I've got a separate folder for WinPE drivers, organized by make and model. I've only included drivers identified as necessary for WinPE by the manufacturers in those folders, and the selection profile pointing to those folders is set to inject only network and storage drivers into WinPE. The trouble I'm having is that if I include the storage drivers, WinPE bluescreens on my test VM. If I exclude them, I can deploy to the VM just fine, but then I can't deploy to Macs (different bluescreen from WinPE). A Dell laptop I'm also testing with works just fine either way.

# ¿ Sep 24, 2019 15:35

The Fool posted:
> If it's bluescreening during the PE stage and not after imaging/first restarts, you could try using a real computer or virtualbox instead of Hyper-V for your testing. Or you may just need to maintain two different PE images.

Yeah, it's bluescreening immediately upon trying to boot to WinPE (System thread exception not handled, AppleSSD.sys; no specific stop code given). On the bright side, injecting drivers is the only significant customization I'm doing to WinPE, so the driverless image should work fine for Hyper-V as long as I don't have to edit bootstrap.ini or something.

# ¿ Sep 24, 2019 20:06

nielsm posted:
> We're deploying a new application replacing an old, and the design for the new application really wants several hundred AD groups to control access. The old application had no AD integration and used internal user management. Each user may need to be member of between 3 and 20 of these new groups. Am I right in thinking this is a potential problem due to how the user's Kerberos ticket will grow?

Isn't this the sort of thing AD LDS is for?

# ¿ Nov 22, 2019 15:49

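As an added illustration that is not part of the thread, here is the back-of-envelope Kerberos token-size estimate from Microsoft's documented formula (KB 327825), applied to the "3 to 20 of several hundred groups" scenario in the quoted question. The group counts below are constructed; Get-ADPrincipalGroupMembership is used only for the direct-membership tally and is an assumption about the environment, not something the post describes.

```powershell
# Added example (not from the thread): estimate how a user's Kerberos access token grows
# with group count, using the formula from Microsoft KB 327825:
#   TokenSize = 1200 + 40d + 8s
#   d = domain local groups + universal groups outside the account domain + SID history entries
#   s = global groups + universal groups inside the account domain
# and compare it with MaxTokenSize (12000 bytes by default before Windows 8 / Server 2012,
# 48000 bytes since). All group counts used below are constructed, not measured.

function Get-EstimatedTokenSize {
    param(
        [int]$DomainLocalOrExternal = 0,  # "d" in the formula
        [int]$GlobalOrInDomain = 0,       # "s" in the formula
        [int]$SidHistory = 0              # each entry costs the same as a "d" group
    )
    return 1200 + 40 * ($DomainLocalOrExternal + $SidHistory) + 8 * $GlobalOrInDomain
}

function Test-TokenFits {
    param([Parameter(Mandatory)][int]$EstimatedBytes, [int]$MaxTokenSize = 48000)
    return $EstimatedBytes -le $MaxTokenSize
}

function Get-DirectMembershipEstimate {
    # Tallies a real user's DIRECT memberships by scope (needs the ActiveDirectory module).
    # Nested groups also land in the token, so treat this as a floor, not a ceiling.
    # Universal groups are counted as "d", the conservative (larger) choice.
    param([Parameter(Mandatory)][string]$Identity)
    $groups = @(Get-ADPrincipalGroupMembership -Identity $Identity)
    $d = @($groups | Where-Object { $_.GroupScope -ne 'Global' }).Count
    $s = @($groups | Where-Object { $_.GroupScope -eq 'Global' }).Count
    [pscustomobject]@{
        Identity       = $Identity
        DirectGroups   = $groups.Count
        EstimatedBytes = Get-EstimatedTokenSize -DomainLocalOrExternal $d -GlobalOrInDomain $s
    }
}

# The scenario in the question: 20 of the new app groups (worst case, all domain local)
# on top of 50 pre-existing global groups.
$typical = Get-EstimatedTokenSize -DomainLocalOrExternal 20 -GlobalOrInDomain 50   # 2400
Test-TokenFits -EstimatedBytes $typical                                            # True

# A user mistakenly added to all 500 of the new groups instead of 3-20 of them:
# over the old 12000-byte default, still under the current 48000-byte default.
$bulk = Get-EstimatedTokenSize -DomainLocalOrExternal 500 -GlobalOrInDomain 50     # 21600
Test-TokenFits -EstimatedBytes $bulk -MaxTokenSize 12000                           # False
Test-TokenFits -EstimatedBytes $bulk                                               # True
```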
nielsm posted:
> I don't know, is it? As far as I understand, since an LDS instance is not part of an AD forest, there can't be any trust relationships, and group memberships couldn't really be verified by the LDS server.

I haven't actually used AD LDS, so it's entirely possible that I'm just confused about what it's for and what it can do. If I understand correctly, it allows app-specific modifications to the AD schema and AD objects without altering AD DS itself. Will anything besides this one app care about these new groups? If not, it sounds like you'd be able to populate the AD LDS instance from AD DS, create app-specific groups and assign memberships within AD LDS, and have the app query that instance rather than AD DS.

# ¿ Nov 23, 2019 05:21

While we're on the subject of video conferencing apps, I've got a weird Webex issue. A few times a day, the Windows client will launch itself for no apparent reason. I'm not seeing anything in the event logs, nor does there appear to be a scheduled task launching it. Anyone else run into this?

# ¿ Mar 28, 2020 00:47

GreenNight posted:
> I haven't heard of that and we've just deployed it to 300 users. Maybe re-install?

I'm not opposed to reinstalling if I stay stumped, but I'm hoping I can figure out what the gently caress first. I mean, the app isn't running when this happens, so something is starting it.

# ¿ Mar 28, 2020 00:54

When it comes to Office add-ins, am I missing something, or are the main options 1) centralized deployment or 2) give everyone access to the add-in store? (Add-ins can be added to a SharePoint app catalog, but Office for Mac can't access it, so that's a non-starter.) Is there really no way to make a curated portion of the add-in store/AppSource available to users?

# ¿ Aug 5, 2020 16:26

Huh, I'll be damned.

Windows 10 Volume Licensing Guide posted:
> Qualifying Operating Systems

Edit: interestingly, macOS is a qualifying operating system, so it's kosher to install Enterprise on a Mac without buying it a Pro license first.

# ¿ Aug 28, 2020 19:58

I've got a couple questions about Centralized Deployment for Office add-ins that seem pretty basic, but I don't have admin rights to go check for myself:

# ¿ Nov 13, 2020 20:18

Is it possible to add a Microsoft 365 account to a local group via unattend file?

Edit: that probably could've been clearer. I mean an Azure AD user in an enterprise setting.

Toast Museum fucked around with this message at 18:59 on Nov 3, 2021

# ¿ Nov 3, 2021 18:55

Sorry, I'm running on a couple hours of sleep. Basically, I'm trying to find a way to compensate for deficiencies in an MECM task sequence that I'm not in a position to change. By the end of the task sequence, the target computer has been reformatted and mostly configured, but it's not domain-joined, and the only available accounts are the built-in Administrator account and an unused local standard account. Since the "add a work or school user" option appears to be unavailable from these accounts, I'm supposed to manually run sysprep to trigger the OOBE. During the OOBE, I sign in with Azure AD credentials, from which I can add other users as needed. I'm not interested in going through the OOBE manually every time, so I've made an unattend file. The only part of the OOBE that I haven't been able to automate away yet is that initial Azure AD sign-in.

# ¿ Nov 3, 2021 22:14

Internet Explorer posted:
> Just to make sure I understand what you're asking, Azure AD Hybrid Join, or normal Azure AD Join? Azure AD user, or hybrid user that is also in AD?

Hybrid Identity* for users, non-hybrid Azure AD Join for the computers in question.

*In case that term is narrower than I realize, what I mean is that users are synced between on-prem AD and Azure AD via Azure AD Connect.

# ¿ Nov 4, 2021 00:33

Internet Explorer posted:
> Yeah, sorry, I couldn't remember the term for that. So I am pretty sure you can do what you're asking. I assume you don't need these laptops on the domain, so legacy AD just kind of exists for backend infrastructure and you're not using Kerberos auth for anything? I'm having a hard time wrapping my head around your use case, but yes, you should be able to do it. This article mentions Azure AD users specifically.

incoherent posted:
> all your users should be sync'd between your prem AD and Azure AD. You might be thinking about white-glove (now called pre-provisioning) autopilot.

Yeah, the use-case seems weird because the situation is kinda dumb.

# ¿ Nov 4, 2021 14:03

Thanks Ants posted:
> It worked fine in our limited testing, but we took one look at how it was licensed and just dismissed it outright.

Yeah, Universal Print sounded neat to me until I got to the pay-per-job part.

In other news, I just learned about this fun example of two-digit years causing problems in a way I hadn't considered.

Exchange Server posted:
> Log Name: Application

# ¿ Jan 4, 2022 14:52

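An added illustration, not from the post, of the two-digit-year failure mode referred to above: a version number built as yyMMddHHmm fits a signed 32-bit integer through 2021 but not from 1 January 2022 onward, which is the pattern behind the Exchange Server malware-scanning engine's signature-version failure at the start of 2022. The function names are this example's own, and the headroom calculation generalizes the single 2022 case to any start year.

```powershell
# Added example (not from the post): a date-stamped version number with a two-digit year.
# Stamp layout: yyMMddHHmm. Through 2021 the largest stamp is 2112312359, which fits an
# Int32 (max 2147483647). Every 2022 stamp is 22xxxxxxxx, and even 2200000000 does not.

function New-DateVersionStamp {
    # Build the stamp as a 64-bit integer so constructing it can never overflow.
    param([Parameter(Mandatory)][datetime]$Date)
    return [long]$Date.ToString('yyMMddHHmm')
}

function Test-FitsInt32 {
    # The range check the consuming code should have done before storing the stamp in an Int32.
    param([Parameter(Mandatory)][long]$Value)
    return ($Value -ge [int32]::MinValue) -and ($Value -le [int32]::MaxValue)
}

function Get-Int32Headroom {
    # Number of calendar years, starting from $Date's year, whose year-end stamp still fits.
    # Terminates because every century contains a "22" year that fails the check.
    param([Parameter(Mandatory)][datetime]$Date)
    $year = $Date.Year
    while (Test-FitsInt32 -Value (New-DateVersionStamp -Date ([datetime]::new($year, 12, 31, 23, 59, 0)))) {
        $year++
    }
    return $year - $Date.Year
}

$lastOf2021  = New-DateVersionStamp -Date ([datetime]'2021-12-31T23:59:00')   # 2112312359
$firstOf2022 = New-DateVersionStamp -Date ([datetime]'2022-01-01T00:01:00')   # 2201010001
Test-FitsInt32 -Value $lastOf2021                  # True
Test-FitsInt32 -Value $firstOf2022                 # False
Get-Int32Headroom -Date ([datetime]'2018-06-28')   # 4: 2018 through 2021 fit, 2022 does not

# What an unchecked cast does with the 2022 stamp: PowerShell throws rather than
# silently wrapping, which is the safer of the two outcomes.
try   { [int32]$firstOf2022 }
catch { "Cast failed: $($_.Exception.Message)" }
```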
Rocko Bonaparte posted:
> Generally, I want to be able to use a graphical Linux desktop without a lot of latency but I can't blow up my issued laptop with it. Doing remote sessions has just enough trouble that it's not worth it. So I wanted to try a VM. I would do a lot of I/O so I don't want to use VirtualBox.

Depending on the exact experience you're looking for, maybe GUI apps via WSL2 can get the job done?

# ¿ Jan 5, 2022 23:51

Personally, I'd want to keep poking at that issue with the intermittent network share connection until I was certain there's no way to fix it. It definitely sounds like it would be the most straightforward solution, if it can be made to work.

# ¿ Feb 17, 2022 07:15

WattsvilleBlues posted:
> And so I shall! Bear with me to explain some context first.

The nesting in that JSON seems weird to me, but I haven't really messed with SharePoint lists, so maybe that's normal. After some quick poking around, it looks like the text and background colors are specified using predefined classes (e.g. sp-css-color-GoldFont and sp-css-backgroundColor-BgGold). The easiest solution would be to swap in other predefined classes corresponding to colors you like better. This page claims to be a complete list of the predefined classes, with examples of each.

# ¿ Mar 6, 2022 01:49

nielsm posted:
> Not entirely sure where to ask this, but:

What sort of changes are you trying to make? I don't typically have to run PowerShell elevated to deal with AD, but I'm mostly doing lookups or simple modifications like enabling/disabling accounts or resetting passwords, so maybe I'm just not using the bits that require elevation.

# ¿ Apr 28, 2022 20:00

Are any of the security settings user-configurable? If not, is it possible to just hide the app from them altogether?

# ¿ Jun 16, 2022 23:11