|
permanoob posted:I was pushing out some proxy settings to a small test group here at work and things just aren't working out so I wanted to turn them off. I went in and turned off all the proxy settings last night and figured I'd let it go overnight and come back in to a proxy-less test group this morning. Hmm nope. They policy puts the setting in place.. it doesn't remove the setting when you remove the policy. Something like a proxy setting is really just editing a registry key on the local machine. When you remove it, it doesn't force that setting anymore...but it also doesn't know what the setting was before and can't reverse it.
|
# ? May 10, 2011 19:24 |
|
|
# ? Jun 10, 2024 21:41 |
|
FISHMANPET posted:Hahaha, that assumes that anybody in IT has any access to the webapps everybody uses. Only way to test is to let it out into the wild, and wait for the silence, because nobody bugs us unless their computer is on fire or something. As a result of that little debacle I now have to put together a comprehensive testing plan/dependencies matrix for changes/updates to any desktop application. As in, "if I update Flash Player it will affect internal site x, y, external site a, b, so I need to get the teams responsible for those sites to test update compatibility." Realistically though, it's probably been long overdue for an enterprise our size with continuous massive expansion plans.
|
# ? May 10, 2011 19:38 |
|
devmd01 posted:Test the poo poo out of 10.x before deploying it, the new way it handles pdf opening fucks up royally if you have IE lockdown settings enabled such as "do not save encrypted pages to disk." Yeah, I was playing around with that setting for a while but then I found out it breaks PDFs embedded on encrypted payroll/banking websites and turned it off. Oh well.
|
# ? May 10, 2011 19:47 |
|
skipdogg posted:They policy puts the setting in place.. it doesn't remove the setting when you remove the policy. I didn't remove the policy. I changed it to have no proxy settings and left it in place in hopes it would remove the settings with the next policy update.
|
# ? May 10, 2011 20:17 |
|
Help! My Group Policy has worked fine for years doing My Documents folder redirection. Redirects local files to \\fileserver.blah.local\USERS\%USERNAME% Now, however, since Wednesday is has started appending \My Documents onto the end of the path, creating this folder in people's profiles on the server where it can and then sending their My Documents link on their local machines to this new, usually empty, folder. I have no idea why, nothing has changed, and other than the \My Documents bit it's exactly the same as the servers on my other sites that're working fine, but I can find no way to manually change the path, it adds the \Username\My Documents bit to it automatically.
|
# ? Jun 10, 2011 09:47 |
|
Cthulhuite posted:Help! Is it set to "Redirect to the following location" or "Create a folder for each user under the root path"?
|
# ? Jun 13, 2011 13:34 |
|
BangersInMyKnickers posted:Is it set to "Redirect to the following location" or "Create a folder for each user under the root path"? I played around with it and managed to get it fixed. It was set to the latter which appends the \My Docs bit. If I set it to "following location", put in the one I wanted with the %USERNAME% part at the end, it automatically switched it to the other and then kept the path I put in. If that makes sense.
|
# ? Jun 13, 2011 16:59 |
|
I'm installing a program that reads config settings from HKCU\Software\bla\bla\Login I didn't find out a failsafe way to add registry settings to Current User when using SCCM to push out the package, so I figured I'd just make a Group Policy to add that registry setting to users with the package. The setting is pretty simple code:
The login script seems to stop and they get an empty command prompt window just sitting there. How on earth can this policy cause this?
|
# ? Jun 22, 2011 12:39 |
|
Got a question about GPP drive mapping. How do clients (specifically XP) react/behave if the same share/drive letter combo is mapped multiple times via different GPOs? I've got a user that occasionally (once every few months) loses access to one of her mapped drives; it still shows up in explorer, but when you browse to it no files/folders are displayed. If you disconnect the drive and then remap it everything goes back to normal, but eventually the problem comes back. I'm wondering if having the multiple drive maps being applied is part of the problem or if it's something else. Both preferences are using the Create action (rather than Update or Replace) and are doing inclusive drive mapping.
|
# ? Jun 23, 2011 19:04 |
|
I'm having an issue with a profile that I have for what amounts to a public kiosk type user. Currently I am using a mandatory profile on a windows 2008 domain, everything has been working fine, but I needed to apply a few new GPO's that are not working with the mandatory profile. The reason why I have stuck with mandatory profiles is to ensure that nothing is left behind when the next user logs on. Is there a better way to do this in 2008?
|
# ? Jun 24, 2011 21:08 |
|
chizad posted:Got a question about GPP drive mapping. How do clients (specifically XP) react/behave if the same share/drive letter combo is mapped multiple times via different GPOs? That sounds like more of an offline files issue. If offline files is enabled, next time that happens try forcing a sync and see if the files show up again.
|
# ? Jun 27, 2011 12:24 |
|
For those of you in environments where it should not be run (in my case, lab computers using an autolog account), how are you blocking things like DropBox? Group Policy Software Restriction? Firewall? I would rather the installer not run, instead of the program not running. And I have no problem with people going to the DropBox site. Users just forget to unlink their account when they get up and leave the computer. Software Restriction for everything in %APPDATA%\DropBox\* was one idea, but was similar to the firewall option (can't block ports) in that they can install it to a different directory, or I have to keep the file hash up to date. Can I just ban any exe from running in %APPDATA%? Is there a reason I would want anything to run from %APPDATA%?
|
# ? Jun 27, 2011 16:34 |
|
quackquackquack posted:For those of you in environments where it should not be run (in my case, lab computers using an autolog account), how are you blocking things like DropBox? Group Policy Software Restriction? Firewall? We rolled out (are still rolling out, rather) full whitelisting via AV product (Sophos), so nothing runs anymore (in theory) unless it's preapproved. Before that, I'd set SRP to only allow execution from Program Files/Windows, disallowed running any executables/links from user folders.
|
# ? Jun 28, 2011 05:14 |
|
I need a way to prevent users from changing file permissions and ownership. It seems like I should be able to do this through GPO>computer config> Windows settings > Security Settings > File System. Then add the files, in this case its the users personal storage and then assign permissions. However, the user that the network drive belongs has not been effected by these changes. The changes were applied to Creator Owner
|
# ? Jun 28, 2011 15:54 |
|
quackquackquack posted:For those of you in environments where it should not be run (in my case, lab computers using an autolog account), how are you blocking things like DropBox? Group Policy Software Restriction? Firewall? We use Deep Freeze for our public machines.
|
# ? Jun 28, 2011 16:01 |
|
mute posted:We rolled out (are still rolling out, rather) full whitelisting via AV product (Sophos), so nothing runs anymore (in theory) unless it's preapproved. Windows Vista and higher can use a executable hashes to whitelist, not just names or directories.
|
# ? Jun 28, 2011 16:39 |
|
I used DeepFreeze in the past, and I was not a fan, even after it was up and running decently. I would assume a new version of an exe would have a new executable hash?
|
# ? Jun 28, 2011 16:52 |
|
I've only had a brief play with applocker but I believe you can block by name, hash, publisher and other goodies. Can adjust on a per user basis as well. It would be well worth looking at.
|
# ? Jun 29, 2011 08:07 |
|
Drumstick posted:I need a way to prevent users from changing file permissions and ownership. It seems like I should be able to do this through GPO>computer config> Windows settings > Security Settings > File System. Then add the files, in this case its the users personal storage and then assign permissions. However, the user that the network drive belongs has not been effected by these changes. The changes were applied to Creator Owner User Configuration -> Admin Templates -> Windows Components -> Windows Explorer -> Remove Security tab.
|
# ? Jun 29, 2011 09:11 |
|
Thanks! that was exactly what I was looking for
|
# ? Jun 29, 2011 18:39 |
|
What is the order of precedence for GPO operations? Say we have a domain-wide setting that causes issues with certain websites, and I need to remove that setting for just the users of those webapps. I'd obviously use gpo filtering to get the right people, but if I set a "do not use" for the setting in a user gpo, will that override the "use" setting in the domain computer gpo?
|
# ? Jul 5, 2011 12:48 |
|
If it's deeper in your tree, yes.
|
# ? Jul 5, 2011 12:55 |
|
devmd01 posted:What is the order of precedence for GPO operations? If it's user vs computer, check the specific wording of the GPO. Some of them specify.
|
# ? Jul 5, 2011 13:10 |
|
Is there a way to disable wifi while the wired connection is active without having to use any vendor specific software like Lenovo's access connections?
|
# ? Jul 12, 2011 16:35 |
|
I can't think of a good way to do it without additional software. What exactly are you trying to achieve here? Someone might be able to think of a different way to approach it.
|
# ? Jul 12, 2011 17:02 |
|
We're getting ready to roll out wifi in all our offices. We want to be able to automatically disable the wifi when the machine is docked or plugged into the LAN so it's not pulling two DHCP leases and we always know which connection it's using and all that.
|
# ? Jul 12, 2011 18:04 |
|
My best suggestion would be to have wifi allocate from a different IP block (it should probably by vlanned off from the rest of the network anyway) and set up the adapter priority so the wired connection takes priority. I believe that should happen automatically anyway because Windows gives priority to the connection with the higher link speed.
|
# ? Jul 12, 2011 18:37 |
|
Maybe it's been posted here before, but any advice on a base set of policies for my quickly impending Win 7 rollout? I've setup a policy to set Win 7 Aero as the default theme for a newly created profile (otherwise nobody will ever be using it). I also enabled rdesktop and poked a hole in the firewall it, and disabled the ability for users to shutdown or put their computers to sleep. I'm going to look into disabling the some of the "Solve PC issues" popup about setting up a backup. I also probably need to do something about setting the wired network as a Work/Domain network (or does being on a domain take care of that?) Are there any other policies I should use to keep the computer from nagging users about things that are my problem?
|
# ? Jul 25, 2011 04:34 |
|
chizad posted:Is there a way to disable wifi while the wired connection is active without having to use any vendor specific software like Lenovo's access connections? My Win7 Dell laptop does it by default. I think that's a Windows 7 feature and not part of the Dell toolset, since I only have the drivers installed. My boss swears up and down that the wifi is still enabled, but an ipconfig shows no address on the wireless.
|
# ? Jul 25, 2011 05:22 |
|
FISHMANPET posted:Maybe it's been posted here before, but any advice on a base set of policies for my quickly impending Win 7 rollout? Off the top of my head, the most important thing you should manage is Windows Update. Even if you don't run a WSUS server you can control how much UI the updater shows and when it runs.
|
# ? Jul 25, 2011 06:58 |
|
FISHMANPET posted:Maybe it's been posted here before, but any advice on a base set of policies for my quickly impending Win 7 rollout? I haven't done my Win 7 rollout yet, but on XP I disable showing the last user name that logged in so that users learn their user names. I also disable the desktop clean-up wizard. How about forcing a password-protected screen saver after X minutes?
|
# ? Jul 25, 2011 16:51 |
|
Cpt.Wacky posted:I haven't done my Win 7 rollout yet, but on XP I disable showing the last user name that logged in so that users learn their user names. I wish I did that. Don't be me. Make them type their user IDs.
|
# ? Jul 25, 2011 20:35 |
|
BangersInMyKnickers posted:My best suggestion would be to have wifi allocate from a different IP block (it should probably by vlanned off from the rest of the network anyway) and set up the adapter priority so the wired connection takes priority. I believe that should happen automatically anyway because Windows gives priority to the connection with the higher link speed. Also lol if you're not setting your WLAN in some kind of jail.
|
# ? Jul 25, 2011 20:46 |
|
Cpt.Wacky posted:I haven't done my Win 7 rollout yet, but on XP I disable showing the last user name that logged in so that users learn their user names. I also disable the desktop clean-up wizard. How about forcing a password-protected screen saver after X minutes? Can anyone help me out with this setting? I want our screens to lock after 30 mins, but nothing I set seems to work.
|
# ? Jul 26, 2011 02:55 |
|
Swink posted:Can anyone help me out with this setting? I want our screens to lock after 30 mins, but nothing I set seems to work. On XP or 7? For XP we have: User -> Policies -> Admin Temp -> Control Panel -> Personalization: - Enable screen saver (Enabled) - Password protect the screen saver (Enabled) - Screen saver timeout (Enabled, number of seconds…) Haven't tested it on 7 yet, but it should work there as well.
|
# ? Jul 26, 2011 03:33 |
|
Not sure if this is the correct thread for this. In AD I need to know the names under account options for passwords for the following: User must change password at next logon User cannot change password Password never expires I need to set these through a csv but I cannot seem to find the name for those fields.
|
# ? Jul 26, 2011 15:38 |
|
The default AD management tools don't give you a great way to query those account flags. PowerShell is probably the easier method to do what you are describing (I think, I'm a little confused on exactly what you are asking for). Anyway, the get-QADUser and set-QADUser commands will let you manipulate user objects like that. This might give you something to work with. http://powershell.com/cs/forums/p/2419/3270.aspx
|
# ? Jul 26, 2011 16:26 |
|
BangersInMyKnickers posted:The default AD management tools don't give you a great way to query those account flags. PowerShell is probably the easier method to do what you are describing (I think, I'm a little confused on exactly what you are asking for). Whoops, sorry, I really was not clear at all. I will be getting a csv within the next week for all the new students for this school year. The old admin used to set those fields in the csv when we added those users from what I can tell. Unfortunately I have no documentation, and he was fired so I cannot ask him. From what I can tell, he used ADManager from ManageEngine to import a csv of the student data that was given to us from our student registration databases. I just need to make sure that User Must change password is unchecked, and user cannot change password and password never expires is checked and it looks as if he set those through there. I could be wrong, this is new territory for me.
|
# ? Jul 26, 2011 16:35 |
|
Drumstick posted:Whoops, sorry, I really was not clear at all. I will be getting a csv within the next week for all the new students for this school year. The old admin used to set those fields in the csv when we added those users from what I can tell. Unfortunately I have no documentation, and he was fired so I cannot ask him. At least some of what you're after is in userAccountControl - when I was playing around with it a while ago (pretty much doing the exact opposite of what you're after) there was very little information on what the values did, so I figured it out by twiddling the settings and seeing what effect that had.
|
# ? Jul 27, 2011 06:56 |
|
|
# ? Jun 10, 2024 21:41 |
|
thebmw posted:
Turns out this was the one I was missing. (works in 7, btw). Thanks
|
# ? Jul 27, 2011 13:01 |