|
madsushi posted:Correct, no SMB2 support in 10.6. Should still work though, falling back to SMB, just like Windows XP would. Is the time on your Mac and the time on the 2008r2 server 5 minutes apart or more?

Nope, times were in sync.

madsushi posted:There are also third party tools for OSX that add support for SMB2 (DAVE, I think)

So, I changed a total of 3 GPO settings both on the Domain controller and the file server. I changed:

Microsoft network server: Digitally sign communications (always) Disabled
Microsoft network server: Digitally sign communications (if client agrees) Enabled
Network security: LAN Manager authentication level: LM & NTLM; use NTLMv2 session if negotiated

Still, my Mac OS X clients could not mount SMB (authentication error). They could, however, mount NFS. This wasn't acceptable in our environment though. I even tried setting up a FreeBSD VM and it couldn't mount either. I ended up giving DAVE a try like you said and loving magically it works. We're just going to change our GPOs back to normal and purchase licenses for Dave for our Mac OS X 10.6 users. Thanks for the help.
|
# ? Apr 3, 2012 15:09 |
|
Group Policy Management Improvements in Windows Server "8" Beta

Remote policy refresh!
|
# ? Apr 10, 2012 03:10 |
|
Swink posted:Group Policy Management Improvements in Windows Server "8" Beta

Awesome.
|
# ? Apr 10, 2012 03:29 |
|
Swink posted:Group Policy Management Improvements in Windows Server "8" Beta

Best news of the day! I've already got a batch script set up to do this using PsTools but having this integrated into the Group Policy console will be great.
|
# ? Apr 10, 2012 06:33 |
|
Swink posted:Remote policy refresh!
|
# ? Apr 10, 2012 10:35 |
|
Ran across this the other day and thought others could benefit from it (it's from the horse's mouth.) It's also from 2007 though, so who knows.
|
# ? Apr 11, 2012 22:00 |
|
I'm having some WMI filter issues, trying to have a policy that applies only to servers using the following:code:
Obviously the easiest way is to just look on the client and see what's getting applied, but I don't have access to one right now.
|
# ? Apr 13, 2012 00:08 |
|
Caged posted:I'm having some WMI filter issues, trying to have a policy that applies only to servers using the following:

It looks correct to me. I would test it out on a client. I use the exact same WMI filter and it doesn't affect any of our client Windows OSes, including Windows 7. Also, it probably isn't the cause but you should be typing it in proper format (uppercase clauses): code:
IT Guy fucked around with this message at 03:02 on Apr 13, 2012 |
# ? Apr 13, 2012 02:59 |
|
So, my help desk is just so loving retarded and I can't do anything about it. She keeps changing C:\ permissions when a program won't work properly instead of escalating the issue to me so I can assess and modify GPOs if necessary. For example, she just added full access for "Authenticated Users" on the C:\ root and then she went into program files, took off inheritance and added the username with full access. No matter how much I openly mock and ridicule her for being a dumb oval office, she still does what she wants. I need a GPO that basically resets the default security descriptors on the C:\ drive and any other folders she may have unlinked inheritance on. Is there a good way to do this? Edit: She's doing this on individual workstations by the way, not servers (thank gently caress). IT Guy fucked around with this message at 16:38 on Apr 16, 2012 |
# ? Apr 16, 2012 16:34 |
|
Take a look under Computer Configuration > Windows Settings > Security Settings > File System. You should be able to define whatever permissions you want. And IIRC, policies under Security Settings reapply themselves periodically so when she inevitably tries to go behind your back her bullshit will get overwritten the next day.
|
# ? Apr 16, 2012 17:20 |
|
Docjowles posted:And IIRC, policies under Security Settings reapply themselves periodically so when she inevitably tries to go behind your back her bullshit will get overwritten the next day.

That's what I was hoping for. Thank you.
|
# ? Apr 16, 2012 17:21 |
|
Caged posted:Obviously the easiest way is to just look on the client and see what's getting applied, but I don't have access to one right now.

Then psexec into a client and do a "wmic os get producttype". Or run a remote rsop.msc
|
# ? Apr 25, 2012 10:57 |
|
Anyone know if it's possible to pin things to the Windows 7 taskbar using GPO's? I can't seem to find the setting and after a little googling I think it's not possible.
|
# ? Apr 25, 2012 22:39 |
|
It's not easy but possible http://blogs.technet.com/b/deploymentguys/archive/2009/04/08/pin-items-to-the-start-menu-or-windows-7-taskbar-via-script.aspx

No, doesn't work VV

peak debt fucked around with this message at 23:12 on Apr 25, 2012 |
# ? Apr 25, 2012 22:48 |
|
Couldn't you just use GPOs to make a shortcut here: C:\Users\%username%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
|
# ? Apr 25, 2012 22:51 |
|
Noghri_ViR posted:Anyone know if it's possible to pin things to the Windows 7 taskbar using GPO's? I can't seem to find the setting and after a little googling I think it's not possible.

I like the script from The IT Bros as it's easier to use: http://theitbros.com/copy-taskbar-icons-windows-7-sysprep. They use it for MDT but I see no reason you couldn't add a modified version of this script to a startup script GPO.
|
# ? Apr 26, 2012 01:59 |
|
Hiyoshi posted:I like the script from The IT Bros as it's easier to use: http://theitbros.com/copy-taskbar-icons-windows-7-sysprep. They use it for MDT but I see no reason you couldn't add a modified version of this script to a startup script GPO.

This is the one that I use too.
|
# ? Apr 26, 2012 17:52 |
|
I'm having a hard time giving an AD group rights to run as a service with group policy without breaking other things.

We have a group, DOMAIN\robots, in which there are accounts for services and other automation tasks. When you set a service to run as a domain account it gives that user rights to run as a service on that machine, until GP refreshes and it needs to start the service again. So, I enabled Computer -> Windows Settings -> Security Settings -> Local Policies/User Rights Management -> log on as a service and added the DOMAIN\robots group. I also did the same for Log on as a batch job, Back up files and directories, and Restore files and directories (for various backup services/scripts).

Now, apparently when you enable these settings, it disables what would be considered default. In other words, it removes these rights for [builtin]\administrators. So I added [builtin]\administrators to those settings. But then, I couldn't install Windows updates on the one 2003 R2 server we've got floating around (required for 3rd-party software), but updates worked fine on everything else (2008 R2). So, I added [builtin]\administrators to all the settings as per this KB: http://support.microsoft.com/kb/951244/. That didn't work, so I unlinked the GPO and updates went fine, but services wouldn't start as the domain accounts.

The weird thing is, this all happened in the test environment and none of these changes made it to production. All of the services start fine in the production environment. With this GPO unlinked, test and prod both have the same output from gpresult, but services won't start in the test environment. What else could affect this?
|
# ? Apr 27, 2012 19:28 |
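An added example, not part of the post above or any poster's own script: a pre-flight check that compares a GPO's `[Privilege Rights]` section with a machine's current assignments and lists who would lose each right when the GPO's list replaces the local one. Both INF snippets are constructed sample data; the right names and well-known SIDs are the standard Windows ones.

```python
import configparser

# Constructed sample: [Privilege Rights] as `secedit /export /areas USER_RIGHTS`
# could show it on a member server before the GPO is linked (illustrative lists).
# *S-1-5-80-0 = NT SERVICE\ALL SERVICES, *S-1-5-32-544 = BUILTIN\Administrators,
# *S-1-5-32-551 = BUILTIN\Backup Operators.
LOCAL_EXPORT = r"""
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

# Constructed sample: the GPO's GptTmpl.inf after adding DOMAIN\robots to three
# rights, with Administrators added back to only one of them.
GPO_TEMPLATE = r"""
[Privilege Rights]
SeServiceLogonRight = DOMAIN\robots
SeBatchLogonRight = DOMAIN\robots
SeBackupPrivilege = DOMAIN\robots,*S-1-5-32-544
"""


def privilege_rights(inf_text):
    """Parse the [Privilege Rights] section into {right: set of principals}."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep the case of right names such as SeBackupPrivilege
    parser.read_string(inf_text)
    if not parser.has_section("Privilege Rights"):
        return {}
    return {
        right: {p.strip().upper() for p in value.split(",") if p.strip()}
        for right, value in parser.items("Privilege Rights")
    }


def rights_lost(local, gpo):
    """Principals that hold a right locally but are absent from the GPO's list.

    A right defined in a GPO replaces the local list, so these lose the right at
    the next policy refresh. Rights the GPO leaves undefined are not touched.
    """
    lost = {}
    for right, gpo_members in gpo.items():
        missing = local.get(right, set()) - gpo_members
        if missing:
            lost[right] = sorted(missing)
    return lost


if __name__ == "__main__":
    report = rights_lost(privilege_rights(LOCAL_EXPORT), privilege_rights(GPO_TEMPLATE))
    for right, principals in report.items():
        print(f"{right}: GPO would remove {', '.join(principals)}")
```

Real secedit exports and GptTmpl.inf files are typically UTF-16 encoded, so read them with `encoding="utf-16"` before passing the text to `privilege_rights`.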
|
Maybe I'm just not seeing it but is there a way to create a local user/local admin through GPOs? I want to roll out a GPO that enables the disabled by default local admin account on Windows 7 machines and make sure it exists on Windows XP machines and be able to change the password for the local admin account.
|
# ? May 2, 2012 13:29 |
|
IT Guy posted:So, my help desk is just so loving retarded and I can't do anything about it. How stupid can some people be...
|
# ? May 2, 2012 14:05 |
|
Wicaeed posted:
When my boss hired her, she didn't even know how to change NTFS security. But since she was so dumb my boss sent her to a week long course called "Windows 7 boot camp" and when she came back she picked up all kinds of bad habits from the course. Another thing she likes to do is restart as many services she can in "services.msc". Like, she'll start from the top and just restart all the services going down. I don't understand it. I don't blame the course though, I'm sure the course didn't tell her to do this but rather showed her where to find these types of things in Windows 7.
|
# ? May 2, 2012 14:18 |
|
IT Guy posted:When my boss hired her, she didn't even know how to change NTFS security. But since she was so dumb my boss sent her to a week long course called "Windows 7 boot camp" and when she came back she picked up all kinds of bad habits from the course. Another thing she likes to do is restart as many services she can in "services.msc". Like, she'll start from the top and just restart all the services going down. I don't understand it.

What...no....how is she still employed?

On a separate topic, how can you set the SNMP trap destination/string in Windows Group Policy? There is a registry string I have set to automatically add to Windows Server that configures this, but currently it only sets itself on 2008 R2 servers and not 2003.
|
# ? May 2, 2012 14:25 |
|
Wicaeed posted:What...no....how is she still employed?

A combination of my boss doesn't give a poo poo and having connections to get the job.

But back on topic. I think I resolved my original question about the local admin, I was looking at Windows Settings when it appears to be in the Preferences.
|
# ? May 2, 2012 14:30 |
|
IT Guy posted:Maybe I'm just not seeing it but is there a way to create a local user/local admin through GPOs?

GPP can do that for you.
|
# ? May 2, 2012 14:38 |
|
Wicaeed posted:What...no....how is she still employed?

Do your older servers have the Group Policy Preferences Client Side Extensions installed? That's a prereq for anything under the Preferences tree to apply to a machine.
|
# ? May 2, 2012 16:16 |
|
I've trawled through this thread (should probably just buy plat to get search back) and not found much - I seem to remember someone here did a pretty definitive guide on how to do Roaming Profiles properly (with folder redirection). I have a 2008 R2 server and Windows 7 clients, what do I need to do to get this working properly? Is there a current 'best practices' way of handling this?
|
# ? May 12, 2012 20:07 |
|
http://www.grouppolicy.biz/2010/08/best-practice-roaming-profiles-and-folder-redirection-a-k-a-user-virtualization/ This is pretty solid info. I personally don't do folder redirection anymore but that's mostly due to my particular environment
|
# ? May 13, 2012 03:48 |
|
Caged posted:I've trawled through this thread (should probably just buy plat to get search back) and not found much - I seem to remember someone here did a pretty definitive guide on how to do Roaming Profiles properly (with folder redirection). I have a 2008 R2 server and Windows 7 clients, what do I need to do to get this working properly? Is there a current 'best practices' way of handling this?

BangersInMyKnickers (the OP of this thread) made a thread titled "How to Make you're Roaming Profiles Not Suck." I used it to set up redirected profiles at work, the thread has fallen into archives, and it alone is tempting me to buy plat. Though if anybody with plat has archives access and would like to repost the OP in this thread that would be awesome. I have the link at work, so if nobody finds it by then I can post it on Monday.
|
# ? May 13, 2012 07:58 |
|
Bingo, that's the thread I'm after. I'll wait for you to dig the link out, it might be time to upgrade my account.
|
# ? May 13, 2012 17:46 |
|
Here's that OP, all credit to Bangers.

quote:I mentioned roaming profiles in some other thread, and a bunch of people's heads started spinning around and spraying vomit in revulsion. And some of that is rightly earned; their out of the box configuration can be absolutely lovely. But with the right combination of offline files, folder redirection, and group policy it can be the ideal blend of portability, speed, and centralized backup locations.
|
# ? May 13, 2012 18:16 |
|
I've got that all set up, but once a user's profile is redirected, the first login on a machine takes a long time. I'm not talking about the first time the roaming profile gets copied into the redirected location, but I think it's caching the profile locally before it presents the desktop. I want it to show the desktop immediately, and then cache the files in the background. Unless it's doing that and the first logon to a machine is slow for another reason.
|
# ? May 13, 2012 21:31 |
|
Excellent stuff, I'm working my way down that guide (the post by BangersInMyKnickers and the one on GroupPolicy.biz, which I found before asking so it's nice to know I was looking in the right place anyway) and things are going well so far.

Couple of questions though, when it's mentioned that Downloads or Saved Games aren't redirected, does that mean you leave them as part of the roaming profile, or that you redirect them to C:\Users\whatever so they stay local to the machine? Surely leaving Downloads as part of the roaming profile takes us back to the bad old days of massive profiles, or have I missed something?

Also (and a really loving minor point), I'm getting Windows themes settings move with the user successfully, but not the login picture thing. Is there an elegant way to move this around as well or should I just enforce a corporate image and tell everyone to suck it up? Anything but a flower would be nice.

Thanks Ants fucked around with this message at 03:31 on May 14, 2012 |
# ? May 14, 2012 03:24 |
|
Caged posted:Couple of questions though, when it's mentioned that Downloads or Saved Games aren't redirected, does that mean you leave them as part of the roaming profile, or that you redirect them to C:\Users\whatever so they stay local to the machine? Surely leaving Downloads as part of the roaming profile takes us back to the bad old days of massive profiles, or have I missed something?

You choose what folders get directed. I redirect everything but Saved Games and App Data, which stays in the roaming profile (not that anything in a corporate offer uses Saved Games). I don't want to redirect App Data because I don't think anything good would happen if multiple things try to modify app data. I'd imagine if you didn't have roaming profiles but did redirected profiles, the registry hive and whatever you don't redirect would stay on the local machine, but at that point just set up a roaming profile for the rest because there's no reason not to, and it makes your users' lives easier.
|
# ? May 14, 2012 03:43 |
|
Anecdotally, I've had bad experiences redirecting AppData. We have some apps that read/write frequently to very large files stored in AppData\Roaming (don't ask me man, I didn't code it) and performance TANKED when I tried to redirect it; one operation went from seconds to 5 minutes. Maybe it was just that one lovely app, or I did it wrong, but if you decide to do AppData definitely roll it to a small test group first. It seems like it can go wrong in more ways than the relatively straightforward My Documents etc.
|
# ? May 14, 2012 04:01 |
|
FISHMANPET posted:You choose what folders get directed. I redirect everything but Saved Games and App Data, which stays in the roaming profile (not that anything in a corporate offer uses Saved Games).

Thanks for the heads up re: AppData though, think I'll leave that in the profile for now.

Edit: Just re-read and saw the bit about "exclude from roaming profile". Now it all makes sense. That'll teach me to try and figure this out at 4am.

Thanks Ants fucked around with this message at 04:21 on May 14, 2012 |
# ? May 14, 2012 04:13 |
|
I wouldn't redirect the desktop either. I had some major issues with Java based programs and redirecting the desktop. The bug has existed since 2002 and no one's bothered to fix it http://bugs.sun.com/view_bug.do?bug_id=4787931 I've found most people don't store much on there, so performance gains from redirecting the desktop were minimal.
|
# ? May 14, 2012 04:31 |
|
quote:Now go to User Configuration\Policies\Network\Offline Files and configure things as you see fit. No. Turning on encryption for offline-files means dealing with certificates. I didn't know this and had two domains configured with encryption and suddenly people couldn't access their files because something or other had expired. Not encrypting offline files fixed it and I never looked into it again. And redirecting AppData sucks.
|
# ? May 16, 2012 15:11 |
|
Holy hell, there's no way to set a default printer with the 2008 R2 printer GPO deployment thing is there? I guess I'm going to have to script it. Got everything working perfectly, even with the pushprintersettings.exe workaround for XP clients.
|
# ? May 17, 2012 18:10 |
|
I resorted to having the default printer pushed via a Preference, don't really seem to lose out on much doing it this way.
|
# ? May 17, 2012 18:18 |
|
Just wrote my first custom ADM template and feeling pretty loving awesome about it. <3 Group Policy.

LmaoTheKid posted:Holy hell, there's no way to set a default printer with the 2008 R2 printer GPO deployment thing is there? I guess I'm going to have to script it.

I see an option in the User\Preferences\Control Panel Settings\Printers when you set up a shared printer you can set it as the default. Not sure if that will work for you or not.
|
# ? May 17, 2012 19:54 |