|
nexxai posted:I have a question about best practice when it comes to deploying upgraded applications through Group Policy. Generally if you are going from version to version of the same software and the MSI package knows how to handle upgrading old version, you don't need to mark the new version of the software as an upgrade of the old. Just remove the old package from the GPO and choose "Allow installs to remain" or whatever the dialog is, then apply the new package to the GPO. The installer will take care of purging the old version and you'll be all set. The upgrade functionality is useful when you are replacing a software package from one company with a completely different one and the installer package is not aware of the other product. Example of this was converting my domain from Adobe Reader to Foxit. Adobe was currently in place, and if I also applied Foxit it would install right along side and fight for who was the default PDF handler. So I set Foxit to be an upgrade of the Adobe package and on the next reboot, Adobe Reader was uninstalled and Foxit went on. At that point, the Adobe package is depreciated and only sticks around for as long as you have a chance of systems coming online with that GPO install that needs to get stripped off. If your images are all updated to remove the old product, you can completely remove it from your GPO at that time.
|
#
?
Jul 2, 2010 16:36
|
|
|
|
| # ? Jun 10, 2024 21:02 |
|
|
BangersInMyKnickers posted:Yeah, being able to control that slider is one that that drives me insane. It doesn't appear in the registry because I've watched the UserAccountControlSetting.exe as I change the setting and I don't see any noticeable registry or config file writes. My solution so far has been to manually set it to full prompt mode and remove the UAC control panel applet through policy, but that is more of a hack than I prefer. I can't even figure out where that setting is defined in the Technet documentation. gently caress you, Microsoft. http://technet.microsoft.com/en-us/library/ee679793%28WS.10%29.aspx Isn't that Slider <-> GP settings table just what you're looking for? I guess you can just leave everything except one setting to its default to move the slider up. v  v
|
|
#
?
Jul 2, 2010 16:53
|
|
|
Lacc posted:http://technet.microsoft.com/en-us/library/ee679793%28WS.10%29.aspx Ha, I just assumed that that the policy extensions would have pushed those down to my Vista workstation. Time to upgrade 
|
|
#
?
Jul 2, 2010 16:56
|
|
|
Lacc posted:http://technet.microsoft.com/en-us/library/ee679793%28WS.10%29.aspx This is perfect.
|
|
#
?
Jul 2, 2010 17:31
|
|
|
BangersInMyKnickers posted:Generally if you are going from version to version of the same software and the MSI package knows how to handle upgrading old version, you don't need to mark the new version of the software as an upgrade of the old. Just remove the old package from the GPO and choose "Allow installs to remain" or whatever the dialog is, then apply the new package to the GPO. The installer will take care of purging the old version and you'll be all set. The upgrade functionality is useful when you are replacing a software package from one company with a completely different one and the installer package is not aware of the other product. Example of this was converting my domain from Adobe Reader to Foxit. Adobe was currently in place, and if I also applied Foxit it would install right along side and fight for who was the default PDF handler. So I set Foxit to be an upgrade of the Adobe package and on the next reboot, Adobe Reader was uninstalled and Foxit went on. At that point, the Adobe package is depreciated and only sticks around for as long as you have a chance of systems coming online with that GPO install that needs to get stripped off. If your images are all updated to remove the old product, you can completely remove it from your GPO at that time. Secondary question: can you see any reason why leaving the old ones there would cause problems? I only ask because I do it that way right now, and since it seems to work, I'd rather not fix something that ain't broken. But if it could somehow cause future problems that I just can't contemplate right now, I'll remove the older ones.
|
|
#
?
Jul 2, 2010 17:40
|
|
|
nexxai posted:Perfect. So long as the install package source is still there, it shouldn't be a problem. I did like that for a long time with Java until they started making the packages so they would do in-place upgrades.
|
|
#
?
Jul 2, 2010 17:47
|
|
|
Ok, I remembered what pissed me off really badly the first time I tried to enforce UAC on workstations: If a user has local admin rights they can override it through the control panel applet. The slider (or checkbox in Vista) isn't greyed out like in every other thing group policy controls. The policy refresh will reset it, but when I submitted a ticket to Microsoft about it, their response was "If they have local admin rights they can do whatever they want on the system anyway so gently caress off" which is a complete bullshit answer because it is inconsistent with how they do policy for everything else, and leaves the easy as poo poo gui tool enabled instead of making them do it through regedit to try to circumvent the policy.
|
|
#
?
Jul 2, 2010 17:52
|
|
|
BangersInMyKnickers posted:Ok, I remembered what pissed me off really badly the first time I tried to enforce UAC on workstations: If a user has local admin rights they can override it through the control panel applet. The slider (or checkbox in Vista) isn't greyed out like in every other thing group policy controls. The policy refresh will reset it, but when I submitted a ticket to Microsoft about it, their response was "If they have local admin rights they can do whatever they want on the system anyway so gently caress off" which is a complete bullshit answer because it is inconsistent with how they do policy for everything else, and leaves the easy as poo poo gui tool enabled instead of making them do it through regedit to try to circumvent the policy. And the same local admin users who fancy themselves knowledgeable about computers - you know the ones that, upon sitting down at a new computer, immediately change the Windows 7 start menu to classic, the theme to classic, turn off indexing, and every other useful feature invented since windows 3.1 - will immediately turn off UAC because they find it intrusive. I had a software vendor's tech install software on one of our 2008 R2 servers one time through a webex session. First thing he did was turn off UAC as I watched. When I told him not to do that, he said that their software ends up prompting a lot. Well who's fault is that?
|
|
#
?
Jul 2, 2010 18:25
|
|
|
Erwin posted:And the same local admin users who fancy themselves knowledgeable about computers - you know the ones that, upon sitting down at a new computer, immediately change the Windows 7 start menu to classic, the theme to classic, turn off indexing, and every other useful feature invented since windows 3.1 - will immediately turn off UAC because they find it intrusive. This is my co-worker, a sysadmin who think he knows a lot about computers. I spend most of my day fixing poo poo he breaks. He was hired because he knew the right people, not because he actually is capable of doing his job. He has Windows 7, UAC turned off of course. Aero disabled, taskbar back to classic and start menu as classic as he can get it. He wonders why he is the only one whose computer locks up solid on a daily basis.
|
|
#
?
Jul 2, 2010 18:41
|
|
|
God drat Adobe Reader. So, I'm in the middle of a complete GPO restructure, starting from complete scratch. One thing I can't find is to allow users to delete shortcuts that are in the All Users Desktop profile. As of right now it prompts for credentials for an admin. I haven't got the GPO setup to install Adobe Reader yet so that is still a manual job. When I goto install it, it prompts for credentials as it should, then when done, it leaves a shortcut on the desktop that users can not delete without further credentials. The shortcut is in the All User profile under Desktop. It has to be something simple that I am missing.
|
|
#
?
Jul 5, 2010 14:35
|
|
|
I'm guessing you just want to get rid of it instead of letting your users delete it if they want. User Configuration > Preferences > Windows Settings > Shortcuts Action: Delete Name: Adobe Reader 9 Location: All Users Desktop
|
|
#
?
Jul 5, 2010 15:21
|
|
|
Ideally I would want to let users have permission to delete icons/shortcuts that aren't in their own desktop folder in case down the road other programs happen to do this without opening any security holes or disabling UAC. Basically as it stands now, our GPOs cause more problems then they fix. I'm trying to fix this so that they reduce administration like they are meant to do.
|
|
#
?
Jul 5, 2010 16:26
|
|
|
gently caress, another issue. We have some software that updates daily for a user and doesn't work unless the user is a local admin. Trying to cut this poo poo out because users are downloading spyware/malware. What is my best way to get the software working without a local admin?
|
|
#
?
Jul 6, 2010 15:51
|
|
|
IT Guy posted:gently caress, another issue. We have some software that updates daily for a user and doesn't work unless the user is a local admin. Trying to cut this poo poo out because users are downloading spyware/malware. What is my best way to get the software working without a local admin? Does it update daily itself, or you push out a new version with GP? When I worked at a public school district, I became good at getting software to work without admin rights. The first thing to do is update the user to Windows 7 if you can. If not: Fire up process explorer, then fire up the software and see where it writes (or let it update and see where that writes). Then give the user write access to those locations. If the location is a horrible place like c:\windows and the software creates a file when it runs and deletes it when it exits, a good trick is to run the software, set the file as read-only so the software can't delete it, then exit.
|
|
#
?
Jul 6, 2010 15:57
|
|
|
Erwin posted:Does it update daily itself, or you push out a new version with GP? It updates itself when you open the program, likely it is updating a database file inside its install directory. Never really got into it yet but I'll try that process explorer trick.
|
|
#
?
Jul 6, 2010 16:00
|
|
|
Lacc posted:I'm guessing you just want to get rid of it instead of letting your users delete it if they want. No, this will run with the user's credentials and they do not have the ability to modify that directory. You need to do it as a computer assigned policy so it will run with system credentials. Or use subinacl to modify the permissions on the public desktop folder so users have delete rights to it.
|
|
#
?
Jul 6, 2010 16:06
|
|
|
BangersInMyKnickers posted:No, this will run with the user's credentials and they do not have the ability to modify that directory. You need to do it as a computer assigned policy so it will run with system credentials. subinacl is so loving useful it baffles me that it isn't included in all server installs by default
|
|
#
?
Jul 6, 2010 16:10
|
|
|
BangersInMyKnickers posted:No, this will run with the user's credentials and they do not have the ability to modify that directory. You need to do it as a computer assigned policy so it will run with system credentials. derp. After all this time working with group policies I still manage to mix User and Computer configurations somehow.
|
|
#
?
Jul 6, 2010 16:15
|
|
|
IT Guy posted:gently caress, another issue. We have some software that updates daily for a user and doesn't work unless the user is a local admin. Trying to cut this poo poo out because users are downloading spyware/malware. What is my best way to get the software working without a local admin? http://www.scriptlogic.com/products/privilegeauthority/ I don't like things like this, but I needed it for our shipping department. I just gave her a new machine with Windows 7, and installed the latest UPS software, and the drat thing wants to update every other day (not really an exaggeration), which needed admin privileges. I used this so that only the updater application will run with the admin privileges and it has worked great since. Right now it's based on path or file name, which is obviously subject to abuse if the application in a location that is writable by the user, but they're looking into a hash option. The only other thing I don't like about this is that is somehow uses group policy, but it applies its own settings to a GPO which are not viewable in Group Policy Management, they are only viewable in their own application. It's a bit weird.
|
|
#
?
Jul 7, 2010 18:58
|
|
|
Briantist posted:I haven't used this a lot yet, but it has been working well so far: I've been able to do something similar with the runas /savecred /user:administrator command. Basically you throw that in to a script that invokes the program you want to elevate, run it for the first time and it will prompt for credentials. After the the first run, the credentials as saved for the user's profile that ran the program so long as the password to your local admin account hasn't changed, then you just need to type it back in. It's a dirty hack, but it works if you have a program that won't work after easing up registry/file permissions.
|
|
#
?
Jul 7, 2010 19:08
|
|
|
Here's another one: I've rearranged our AD design structure to look like this: domain.local -Corporate Structure --Central Office ---Computers ---Groups ----Security ----Distribution ---No GPO ---Resources ---Servers ---Users --Branch ---Computers ---Groups ----Security ----Distribution ---No GPO ---Resources ---Users --Global ---Groups ----Security ----Distribution ---Users I've made a "Global Corporate Policy" GPO that contains pretty much all the defaults that we want set for all our users and their specific workstations. I've now come across some computers that we are going to be setting up for public use at some of our branch locations that will have a general user and the computer needs to be locked down hard so no damage can be done to the network. Should I be creating a new sub-OU in each computer folder for each branch/location labeled "Locked Down" or something similar and then block inheritance to our Global Corporate Policy. Or, should I be using security filtering for the GPO to target these machines? If the method is security filtering, I have a question regarding that. Let's say I create a security group for these locked down computers and put these computers into that group. If I create a GPO with both computer and user variables, will the user part of the GPO be applied to my general user if it is only the computers in the security group? The default filtering is Authenticated Users. Who is actually in this group, is it both Domain Users and Domain Computers? Just wondering how the authenticated users group actually works. (I have not Googled this as I should have, yet).
|
|
#
?
Jul 8, 2010 16:01
|
|
|
Authenticated Users is basically any user at all. The difference between Authenticated Users and Everyone is that Everyone includes stuff like the "null user" that can be used to query things across the network. There is probably a little more to it, so yes you should google it, but I think it's basically a slightly more secure "Everyone."
|
|
#
?
Jul 8, 2010 19:58
|
|
|
Do you need the public computers to be on your domain? We have a few machines like this, we just have them as stand alone machines running MS Steadystate.
|
|
#
?
Jul 9, 2010 18:09
|
|
|
I know people have mentioned editing the Remote Assistance files to enable auto-accept, but does anyone know of a way to get the same functionality for a Vista/7 client?
|
|
#
?
Jul 14, 2010 11:39
|
|
|
aophof46 posted:Do you need the public computers to be on your domain? We have a few machines like this, we just have them as stand alone machines running MS Steadystate. I think SteadyState no longer works with 7. It was temporarily available using Guest Mode in one of the betas, but then removed for the RTM. http://social.answers.microsoft.com/Forums/en-US/w7security/thread/1652ef33-6173-4c08-b677-d90bc0123d5f
|
|
#
?
Jul 14, 2010 17:24
|
|
|
IT Guy posted:Here's another one: User settings apply to user objects computer settings apply to computer objects. google gpo loopback processing if you want to define both.
|
|
#
?
Jul 14, 2010 17:31
|
|
|
IT Guy posted:Here's another one: I would just make a Kiosks/Locked down OU either in each site OU or just a general one a level above it. Blocking inheritance is sorta a last-ditch thing and in general I would avoid doing it. Instead, use the application order of policies and remember that the last one applied will take priority, so assuming you have global policy defined in the OU above it, any settings you define in a GPO that are contradictory to that an apply directly to your kiosks/lockdown OU will take priority and be applied. E: You could probably throw both the computer objects and the kiosk user account in that same OU, but honestly I would consider just a local account if this is going to be something that just surfs the web. Then you won't even have to worry about having access to domain resources. BangersInMyKnickers fucked around with this message at 22:50 on Jul 14, 2010 |
|
#
?
Jul 14, 2010 22:47
|
|
|
ytisomauq posted:I think SteadyState no longer works with 7. It was temporarily available using Guest Mode in one of the betas, but then removed for the RTM. This is correct, but the the steadystate download supplies a policy template that you can import that will give you 90% of the functionality.
|
|
#
?
Jul 14, 2010 22:48
|
|
|
I've been successfully using group policy to deploy software but have been messing around with my test PC so much that it seems it isn't getting the software installed any more. Is there a way to force group policy to redeploy the applications?
|
|
#
?
Jul 16, 2010 12:06
|
|
|
Caged posted:I've been successfully using group policy to deploy software but have been messing around with my test PC so much that it seems it isn't getting the software installed any more. Is there a way to force group policy to redeploy the applications? Try gpupdate /sync, and as always look for hints in the event log if something is screwing up.
|
|
#
?
Jul 16, 2010 14:56
|
|
|
I'm getting "Group Policy dependency (Network Location Awareness) did not start. As a result, network related features of Group Policy such as bandwidth estimation and response to network changes will not work." which I guess then sets off the domino effect of nothing else working properly. The system is running inside VMware and I've tried NAT and bridged networking with no real change. Anyone had issues with this before? The host system is on a gigabit LAN and no network intensive processes are running.
|
|
#
?
Jul 16, 2010 16:54
|
|
|
Caged posted:I'm getting "Group Policy dependency (Network Location Awareness) did not start. As a result, network related features of Group Policy such as bandwidth estimation and response to network changes will not work." which I guess then sets off the domino effect of nothing else working properly. You made sure that the stated service is set to automatically start under services.msc, right?
|
|
#
?
Jul 20, 2010 02:02
|
|
|
Yeah it's set to run automatically and is always showing as started when I get to services.msc I'll keep prodding the network settings.
|
|
#
?
Jul 20, 2010 11:24
|
|
|
At work we've got a logon script (.vbs) which is showing it's age (created in ~2002 and the creators are long gone). It's linked to each individual user and is in desperate need of having the crud removed and reimplemented using GPP. My main problem is around mapped drives, UAC and administrators. We're a dev shop so there's no way I can strip off admin permissions in a hurry. The current logon script only maps drives to the standard user token and brief testing with GPP shows me that this is still the case. The first thing I've found on the topic is this unsupported work around from Microsoft. A while later I have also come across this which (despite my experiences) states that GPP will map drives up correctly. Up until now we've had few users on Vista/7 and I've just left them up to their own devices in regards to getting drives to map properly to the admin token. The smarter of the staff have sussed out the creation of a scheduled task to run at logon using highest priveliges and map the drives up using a bat file. How do you handle the requirements to map drives to the standard and the admin token? Perhaps my experiences with GPP are different to what others receive.
|
|
#
?
Jul 20, 2010 13:11
|
|
|
^ When I was looking at that issue, I came across a blogger who suggested that the login script creates a scheduled task to run immediately after creation that maps the drive as the current user level. I cant seem to find the blog that I read that from. Dont know if it's suitable in your situation. We are going with the EnabledLinkedConnections method. Question: The startup script description say that all scripts will run before the login screen is presented to the user. Is this the case at all? It is definitely not the case in my org. Swink fucked around with this message at 13:55 on Jul 20, 2010 |
|
#
?
Jul 20, 2010 13:46
|
|
|
Any thoughts on mapping shared drives and printers at login via GPO vs doing it through a login script? We took over a domain where they do it all through GPO, which occasionally results in drives not being mapped (and the old guys never thought to show the users how to manually map a share, so they kept rebooting until it showed up  ). In a domain we built ourselves, it's all done through a login script, and that seems to be pretty reliable. Any thoughts?Also useful for comparison, is that our existing domain has one shared drive that a few people map, whereas the new domain has about 10 shares, and everybody maps one or more of them (based on security group).
|
|
#
?
Jul 20, 2010 14:18
|
|
|
Is there anything in the client event logs on the machines that are failing to map via GPO? It seems to be the way of the future, so I've started to use it where possible, never had a problem as long as the CSE update is installed.
|
|
#
?
Jul 20, 2010 17:59
|
|
|
This probably came up before, but what monkeying around do I need to do to get printer drivers to install without an elevation prompting in Win7? I set the user print policy to trust our print server as a driver source and not give elevation prompts, and it works right for Vista clients, but Win7 doesn't like it. What a stupid pain in the rear end.
|
|
#
?
Jul 22, 2010 19:45
|
|
|
BangersInMyKnickers posted:This probably came up before, but what monkeying around do I need to do to get printer drivers to install without an elevation prompting in Win7? I set the user print policy to trust our print server as a driver source and not give elevation prompts, and it works right for Vista clients, but Win7 doesn't like it. What a stupid pain in the rear end. In order to get this to work, I had to disable the "Point and Print" restrictions on both the User and Workstation level, then use Group Policy Preferences (user context) to connect to the shared printers. Also, make sure that the "Run in logged-on user's security context (user policy option)" option is enabled on each printer definition. Without if configured like this, connecting to printers would stall in the background...and I'm pretty sure it was something UAC-related. It was a total pain in the rear end and required a lot of trial and error to get this working.
|
|
#
?
Jul 22, 2010 22:13
|
|
|
|
| # ? Jun 10, 2024 21:02 |
|
|
sanchez posted:Is there anything in the client event logs on the machines that are failing to map via GPO? It seems to be the way of the future, so I've started to use it where possible, never had a problem as long as the CSE update is installed. I did some more thinking and digging, and found the GPO stuff in 2008 that does drive mappings. The way this domain was doing it before was by running login scripts that would 'net use' the drive in question. Now to update all our clients to SP3 so I can use this 
|
|
#
?
Jul 23, 2010 21:50
|
|