What the gently caress Microsoft, no way to enable "File and Print Sharing" through GPO. Not sure that would ever be needed. Oh wait, because I want the admin shares! Does anybody know of a way to do this? I've found this a few places but I'm not sure it does what I want it to, and it seems a little suspect.
|
# ? Jun 10, 2024 15:55 |
|
Swink posted:
> Turns out this was the one I was missing. (works in 7, btw). Thanks

This is the same thing we have company wide (except for 7 mins, not 30). Works like a charm.
|
FISHMANPET posted:
> What the gently caress Microsoft, no way to enable "File and Print Sharing" through GPO. Not sure that would ever be needed. Oh wait, because I want the admin shares!

This hosed me for a while too.

Computer > Policies > Admin Templates > Windows Firewall > Domain Profile

All of what you need should be in here.
|
Forgive me if this has already been covered, but is there any easy way to log incoming RDP connections in a Server 2008 environment?
|
Swink posted:
> This hosed me for a while too.

Yeah, the administrative shares are always present. The firewall will be the normal thing to stop you, so get that set up (if you're doing it on Vista/7, set firewall through Computer\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security). It is a whole lot more powerful and flexible than the XP firewall was to configure. Also bear in mind that if you don't have a password set for the admin account, remote access to the admin shares is disabled.

mono posted:
> Forgive me if this has already been covered, but is there any easy way to log incoming RDP connections in a Server 2008 environment?
|
Is it possible to manage the system PATH variable of machines using a policy?
|
chemosh6969 posted:
> Is it possible to manage the system PATH variable of machines using a policy?

With any PATH issue, be wary of append vs replace
|
Actually you can do it directly with the GPO extensions under Computer, Preferences, Windows Settings, Environment...
|
I am helping set up some computers for a small tennis club that in my opinion has a network that is far too complex. I'm sure I'm missing some very simple step here and I was wondering if I could get some help. I'm not experienced with AD stuff at all, so this has been more of a learning experience than I expected.

Server 2k3
c:\users

Each user has their own subdirectory called *username* in this folder. In theory this is supposed to be a folder only the user and administrators can access. Right now if you browse the network neighborhood, you can see everyone else's files. Additionally the login script that is in place puts the new Windows 7 machines in the users\ root directory instead of their own username subfolder.

As it is configured right now each user in their profile has their home directory defined as \\server\users\username

In addition the login.bat file has a line that is:

net use h: \home

(or something very close to that)

I really have been googling around for an answer to this issue, but I think I'm just not either looking in the right places or something. Thanks
|
n8r posted:
> I am helping set up some computers for a small tennis club that in my opinion has a network that is far too complex. I'm sure I'm missing some very simple step here and I was wondering if I could get some help. I'm not experienced with AD stuff at all, so this has been more of a learning experience than I expected.

http://support.microsoft.com/kb/274443 will get you on the right track for security. You'd have to post the login script so we can see what's going on for the Win 7 issue.
|
n8r posted:
> I am helping set up some computers for a small tennis club that in my opinion has a network that is far too complex. I'm sure I'm missing some very simple step here and I was wondering if I could get some help. I'm not experienced with AD stuff at all, so this has been more of a learning experience than I expected.

Is C:\users the profile path or the home directory path? You should really be setting the home directory in the Profile tab in the User object in AD, instead of in a login script, that way it will be cohesive per user.
|
Under the profile tab the home directory is h: is \\server\users\*username*\

The login script also contains this entry:

net use h: \home

Is that redundant?
|
n8r posted:
> Under the profile tab the home directory is h: is \\server\users\*username*\

Firstly, it should be %USERNAME%, not *username*. Secondly, they probably set the H:\ drive to map to \home in a half-assed way of giving them access to each other's files. Unless you want this to happen, I'd remove it. I'm guessing whoever set this up originally isn't an IT person, but some kind of finance guy or CPA?
|
This was all set up by a fairly expensive local networking company, but because they're expensive nobody wants to call them out. I do all the computer stuff for my company, but we're very small and we don't even use AD/Domains/Etc.

The way they have the home drive mapped is via login script:

net use h: \home

Each user has their home directory defined as H: \\server\users\usernamehere
|
So we have a recently set up RDS farm. In conjunction with this, we've set up desktop and folder redirection. We're running into a problem on the RDS sessions where users lose permissions to their personal folder when trying to access said folder in an "Open File" dialogue. Example:

quote:
> User is in an RDS session, in their Gmail account making an email and they want to attach a spreadsheet. They click "Attach a File" and it pops open the "Open" window. The default view is opening to a seemingly random nested folder on the server's App Data folder. Normally, where you'd have the option to click on Desktop on the left, it's not there.
|
So I have run into a situation similar to what Morganus_Starr mentioned a few pages ago. We are migrating users from local XP to a 2008 RDS farm. People access a lot of different websites with varying levels of security and what have you. The easy way to fix this is to tell them to add it to trusted sites. This works just about 100% of the time. The problem is we would have to do this for each user. The easy answer here is the GPO for internet security zones. The problem with that is it locks out usage of adding more trusted sites. Not a big deal except that we have several people who need access to sites that just they use and are pretty proficient at adding them without asking us. I dug into this a little while ago and found that the recommended solution was a vb script that adds the site via registry. I put the script together and it appeared to work perfectly. It added the sites into the list with no issues...or so I thought. It seems it will only run for admins but fails to throw any sort of error or log an event for the failure to function for any other user. So now I'm open to ideas if anyone has them.
|
What registry location is it doing the writing to? There are two locations you can set up trusted sites through, HKLM and HKCU. The latter is what you want and will work with a restricted account. The former needs admin rights and sounds like your situation.
|
I'll check this and verify but I'm almost positive it's on HKCU
|
The one thing I can think of is that if you already have a GPO defining trusted websites users could be having problems getting write access to that key because of the overwrite nature of how that stuff gets applied (but admin rights could override that). Anyway, post the script and I'll poke at it or see if I can think up an alternative.
|
Does anyone know of an IM client that supports multiple protocols, something like pidgin, but can be locked down and controlled via group policy? And so help me god if anyone says Lync I might murder you.
|
BangersInMyKnickers posted:
> The one thing I can think of is that if you already have a GPO defining trusted websites users could be having problems getting write access to that key because of the overwrite nature of how that stuff gets applied (but admin rights could override that). Anyway, post the script and I'll poke at it or see if I can think up an alternative.

Here's the short version of the script, most of it is just copy paste repeat:

quote:
> On Error Resume Next

I tried removing the "On error resume next" for the troubleshoot but it still gives me nothing.
|
couldcareless posted:
> Here's the short version of the script, most of it is just copy paste repeat:

I would redo the whole lot using group policy preferences and see how you get on. There's some policies linked at the root of our domain doing a similar thing and they seem to work.
|
Mully Clown posted:
> I would redo the whole lot using group policy preferences and see how you get on. There's some policies linked at the root of our domain doing a similar thing and they seem to work.

Yeah, I agree with this. A good first step to test would be to log in with one of these restricted user accounts and try to manually create registry keys and values in that location and see if it works. If that goes fine, go ahead with just using the policy preferences. They're very nice for this kind of thing without having to step into the ugly world of VB script.
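
The manual test suggested in the post above, scripted so that a failed write is reported instead of being swallowed the way `On Error Resume Next` swallows it. This is an added example, not code from the thread; `intranet.example.com` is a constructed placeholder, and the registry paths are the standard Internet Explorer ZoneMap locations.

```powershell
# Added example: run as the restricted (non-admin) user inside the RDS session.
# 'intranet.example.com' is a constructed placeholder, not a site from the thread.
$ErrorActionPreference = 'Stop'   # surface failures instead of hiding them

$settings = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policies = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Test-ZonePolicyOverride {
    # A trusted-sites GPO writes under the Policies branch. When it exists, the
    # GPO-managed list is in force and users cannot add their own sites.
    New-Object PSObject -Property @{
        MachinePolicyZoneMap = Test-Path "HKLM:\$policies\ZoneMap"
        UserPolicyZoneMap    = Test-Path "HKCU:\$policies\ZoneMap"
        # Security_HKLM_only = 1 means zone settings are read from HKLM only
        HklmOnly = (Get-ItemProperty "HKLM:\$policies" -Name Security_HKLM_only `
                        -ErrorAction SilentlyContinue).Security_HKLM_only -eq 1
    }
}

function Add-TrustedSite {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [string]$Scheme = 'https'
    )
    # Per-user location: writable by a standard user, no admin rights needed
    $key = "HKCU:\$settings\ZoneMap\Domains\$Domain"
    try {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # DWORD 2 = Trusted Sites zone
        New-ItemProperty -Path $key -Name $Scheme -Value 2 `
            -PropertyType DWord -Force | Out-Null
        # Read the value back so a silent no-op cannot pass as success
        $readBack = (Get-ItemProperty -Path $key -Name $Scheme).$Scheme
        return "OK: $Domain ($Scheme) zone=$readBack written as ${env:USERNAME}"
    } catch {
        return "FAILED for ${env:USERNAME}: $($_.Exception.Message)"
    }
}

Test-ZonePolicyOverride | Format-List
Add-TrustedSite -Domain 'intranet.example.com'
```

If either policy flag comes back True, the write may succeed without the site ever showing up in the Trusted Sites zone, which matches the GPO overwrite behaviour raised earlier in the thread.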
|
I'll give it a shot. Thanks for the advice.
|
I'm trying to use the group policy software installation to install Crystal Reports Runtimes for Visual Studio 2010 throughout our company. We've tested single installs to certain computers just by logging in as an admin user and running the MSI without problems, so now we want to deploy to everyone. I had no problems setting up the policy and on the next reboot the software starts installing (which takes 5-10 minutes). Eventually the user can login and... there's no CR2010 Runtime. Computer reboots again and it starts installing again only to come up with nothing.

I checked the event log and sure enough there's a bunch of errors. Tracing them back I get an error for not being able to edit the registry entry for HKLM\Software\BusinessObjects\CrystalReportsSomethingSomething\Whatever

We do have group policies to lock down the registry, but my understanding was that any installs done via the policy should be done as the computer's system account... which shouldn't be locked down. The Software Installer policy is set up for the computers, and not the users. I'm not sure what to do to force it to run with admin rights. Google only seems to result in a bunch of other users bitching about Crystal Reports being poo poo... which they are, but that doesn't help me. Any tips?
|
Is there a way to prevent a user from deleting users in AD? One of the techs deleted a user today, but he does still need the ability to remove computers.
|
Frozen-Solid posted:
> I'm trying to use the group policy software installation to install Crystal Reports Runtimes for Visual Studio 2010 throughout our company. We've tested single installs to certain computers just by logging in as an admin user and running the MSI without problems, so now we want to deploy to everyone. I had no problems setting up the policy and on the next reboot the software starts installing (which takes 5-10 minutes). Eventually the user can login and... there's no CR2010 Runtime. Computer reboots again and it starts installing again only to come up with nothing.

Some installation packages are just poorly written and don't work right when run either under a system context or when run silently. I've run into both, and the only solution I've ever found is to either repackage the installer in some other wrapper or script it up with a user context.

Drumstick posted:
> Is there a way to prevent a user from deleting users in AD? One of the techs deleted a user today, but he does still need the ability to remove computers.

Remove those techs from domain admins and set up a security group specifically for them and use the Delegate Rights wizard to assign them just the granular permissions they need.
|
BangersInMyKnickers posted:
> Some installation packages are just poorly written and don't work right when run either under a system context or when run silently. I've run into both, and the only solution I've ever found is to either repackage the installer in some other wrapper or script it up with a user context.

I'm guessing there's also no magic way to do either of those.

Sounds like this might be a job for the intern. Crystal Reports is such a mess I don't really trust repackaging the installer and messing something up, and adding it to the login script has its own issues as well. Bleh.
|
Here's the test I usually do:

First, just attempt to run the installation silently from an elevated user context to see if that works. msiexec /i whatever.msi /qn and see if it works. If it doesn't, then your software probably doesn't like silent installs. The one workaround I managed with similar crappy software was to tie the install to a system startup script in policy that ran msiexec /qb! which shows the process bar but no cancel option. It liked that enough to work.

Then to test with a system account, use psexec /s to get a command prompt with system credentials to test the installer. The log options will probably be important to use here, start with /le

I've had good luck with using this to capture changes from installers and re-packing them in a MSI that isn't poo poo http://www.appdeploy.com/tools/repackager/
|
evil_bunnY posted:
> With any PATH issue, be wary of append vs replace

I'm pretty sure that's what's going on here. I was checking the PATH of a machine I had looked at the week before, which was fine, and now it doesn't even have the variable. On other machines with PATH, they are getting two locations appended over and over.
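
One way to avoid the repeated-append symptom described above is to make the PATH edit idempotent and to refuse to write when the existing value is missing. This is an added example, not code from the thread; `C:\Tools\bin` is a constructed placeholder and the script assumes it runs elevated.

```powershell
# Added example: idempotent edit of the machine PATH (run elevated).
# 'C:\Tools\bin' is a constructed placeholder directory.
$EnvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

function Merge-PathEntries {
    param([string]$Current, [string[]]$Add)
    $seen = @{}   # PowerShell hashtable keys compare case-insensitively
    $out  = @()
    foreach ($entry in (@($Current -split ';') + $Add)) {
        $trimmed = "$entry".Trim()
        if (-not $trimmed) { continue }              # drop empty segments (';;')
        $norm = $trimmed.TrimEnd('\')                # 'C:\X\' and 'C:\X' are one entry
        if ($seen.ContainsKey($norm)) { continue }   # drop repeats, keep first position
        $seen[$norm] = $true
        $out += $trimmed
    }
    return ($out -join ';')
}

function Add-MachinePathEntry {
    param([Parameter(Mandatory = $true)][string[]]$Directory)
    $key = Get-Item -Path $EnvKey
    # Read the raw REG_EXPAND_SZ text so %SystemRoot% style entries are not
    # flattened into literal paths when the value is written back.
    $current = $key.GetValue('Path', '', 'DoNotExpandEnvironmentNames')
    if (-not $current) {
        # A missing PATH is the "replace" failure mode: stop instead of
        # writing a value that contains only the new directories.
        throw 'Machine PATH is empty or missing; refusing to overwrite it.'
    }
    $merged = Merge-PathEntries -Current $current -Add $Directory
    if ($merged -ceq $current) { return 'unchanged' }
    Set-ItemProperty -Path $EnvKey -Name Path -Value $merged -Type ExpandString
    return 'updated'
}

# Constructed sample showing the dedupe on a PATH that was appended to twice
Merge-PathEntries -Current '%SystemRoot%\system32;C:\Tools\bin;C:\Tools\bin\' `
                  -Add 'C:\Tools\bin'
# Apply to the machine (elevated):
# Add-MachinePathEntry -Directory 'C:\Tools\bin'
```

Running this from a startup script on every boot leaves PATH untouched once the entry is present; processes that are already running do not see a change until they are restarted.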
|
Just came in here to say thanks for the help. I set the preferences like you suggested and it works like a charm. I have another one for you. I'm trying to make .TIFFs open with Windows Photo Viewer (our servers aren't setting it to default for some reason, I'm suspecting it's due to our old fax system that used to be on it and has since been removed). This should be pretty simple in preferences and in fact I see where it can be done. The issue I have, though, is Windows Photo Viewer doesn't have an .exe to point to in order to set the "Open With". Any ideas aside from installing some other form of TIFF viewer on the servers?
|
couldcareless posted:
> Just came in here to say thanks for the help. I set the preferences like you suggested and it works like a charm.

Start > Run > regsvr32 shimgvw.dll
|
Try pointing at this: rundll32.exe C:\WINDOWS\System32\shimgvw.dll,ImageView_Fullscreen %1
|
Login script help request.

I am finishing up some stuff for my lab before the fall semester starts and I am trying to use a login script that points to a different script on a share that I will modify when I want to deploy software. The thing with my lab is that it is currently using Deep Freeze and cannot be in an Active Directory environment (until I have funds for a DC).

Here is what I have so far:

net use \\shared\storage\scripts /user:ad.campusdomain.blah\someuser password
pushd \\shared\storage\scripts
deepfreeze.bat

deepfreeze.bat is currently:

REM Silently uninstall the MSI product with this product code, no reboot
MsiExec.exe /norestart /qn /x {AC76BA86-7AD7-1033-7B44-AA1000000001}
REM Silent SumatraPDF install from the share
\\shared\storage\SumatraPDF\sumatrapdf1.7.exe /s /register /opt
REM Pass a non-zero exit code back to the caller
IF %ERRORLEVEL% NEQ 0 exit /b %ERRORLEVEL%

This works correctly from an elevated cmd prompt and using an elevated psexec -s but will not work when it is tied to a startup script (using local policy computer\policy\windows\startup scripts)

What am I doing wrong?
|
Make sure that the domain computers security group has access to the share and the NTFS permissions so it can open your script. That is typically the most common mistake because the computer objects aren't a part of the domain users security group.
|
BangersInMyKnickers posted:
> Make sure that the domain computers security group has access to the share and the NTFS permissions so it can open your script. That is typically the most common mistake because the computer objects aren't a part of the domain users security group.

Do I need to have Domain Computers have permission all the way up the share? (example: \\shared\storage\scripts do the permissions need to be added at \\shared or just at \\shared\storage\scripts?) And would that apply to non domain computers? The computers connecting to that share are just in a workgroup.

Finally why doesn't not having Domain Computers have permission to that share not break GPO software installs?
|
If you're in a workgroup situation and you are allowing read access to Everyone, then it should work as well (but you can't do username/pass authentication). I was assuming a full AD environment. You don't need read permissions all the way up the folder structure, just in the target folder you'll be opening the script from and on the network share itself.

Use psexec /s cmd to launch command line sessions with the system account and then do a dir to the target script with the UNC name to make sure the system account can access it.
|
BangersInMyKnickers posted:
> If you're in a workgroup situation and you are allowing read access to Everyone, then it should work as well (but you can't do username/pass authentication). I was assuming a full AD environment. You don't need read permissions all the way up the folder structure, just in the target folder you'll be opening the script from and on the network share itself.

I tried the DIR thing with a psexec /s cmd and I would get "login failure" with the everyone group having read/execute access. But from the same command prompt I would run the startup script and it would work without issue. This is probably an issue with the shared campus network storage not liking workgroup computers accessing it.
|
If you're pretty sure the script is executing, the next step you should take is to add >> c:\debug.txt to each line of your script to see if you can generate some error codes to tell you what is going on when it is executing.
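
The checks discussed in the last few posts (who the script runs as, whether that context can read the UNC path, and what the installer returned) collected into one startup-script wrapper. This is an added example, not code from the thread, written in PowerShell rather than the batch file posted above; `package.msi` and the log file names are constructed placeholders.

```powershell
# Added example: startup-script wrapper that records what its context can see.
# The share path is the one quoted in the thread; package.msi and the log
# locations are constructed placeholders.
$Log    = 'C:\debug.txt'
$Share  = '\\shared\storage\scripts'
$Msi    = Join-Path $Share 'package.msi'
$MsiLog = 'C:\package-install.log'

function Write-Log([string]$Message) {
    # Append, so runs from successive boots can be compared
    Add-Content -Path $Log -Value ('{0:u} {1}' -f (Get-Date), $Message)
}

function Invoke-LoggedInstall {
    # Startup scripts run as the machine's SYSTEM account, not as a user.
    $who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    Write-Log "running as $who"

    try {
        # Same check as 'dir \\server\share' from a psexec /s prompt
        $null = Get-ChildItem -Path $Share -ErrorAction Stop
        Write-Log "share readable: $Share"
    } catch {
        Write-Log "share NOT readable: $($_.Exception.Message)"
        return 5   # arbitrary non-zero code chosen for this example
    }

    # /L*v writes a verbose MSI log, which shows the failing action when the
    # installer misbehaves under the system context or in silent mode.
    $msiArgs = "/i `"$Msi`" /qn /norestart /L*v `"$MsiLog`""
    $proc = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    Write-Log ("msiexec exit code {0} (0 = success, 3010 = reboot required, " +
               "1603 = fatal error)" -f $proc.ExitCode)
    return $proc.ExitCode
}

exit (Invoke-LoggedInstall)
```

To reproduce the startup-script context interactively, launch the script from a `psexec /s` prompt as suggested earlier in the thread and compare the two `C:\debug.txt` entries.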
|
Power Plans are pissing me off... I defined a custom power plan via GPP, and set it as active, and that works just fine. I don't want users to change the active plan, which is fine, because everywhere on the internet says standard users can't change power plans. But my test standard user can change the power plan... So I use an admin template to set the custom power plan as the default via the GUID of the power plan. Which worked fine on one machine, but once I got around to my second machine, the power plan had a different GUID on that machine, so the admin template didn't work. How am I supposed to do this?