|
I guess I'm going to upload the pictures into active directory. Thanks everyone for your input and advice.
|
# ? May 26, 2012 10:37 |
|
|
# ? May 21, 2024 15:12 |
|
At the end of our deployment process (MDT), I want to expire the local Administrator account's password. If you're curious about the reasoning, in MDT the local Administrator account is set to autolog while it runs the Task Sequence (unlike SCCM, which uses the SYSTEM account). This means you have to either specify the Administrator password in the customsettings.ini file, or type it in when running the Task Sequence. I'm trying a simple vbscript, but not having any luck: code:
I'm a real novice when it comes to vbscript, but all the various sites I looked at seemed to agree this was the code to do it. Win7-64.
|
# ? May 29, 2012 14:53 |
|
I'm still kind of unsure about Config Manager 2012 licensing for servers. We have 4 ESX hosts with about 100 server VMs. We need either 50*$1323=$66k Standard Server MLs or 4*$3607=$14k Datacenter Server MLs in order to use SCCM to control windows updates on servers (which is pretty much the only thing we used SCCM2007 for)?
|
# ? May 29, 2012 18:13 |
|
When I give a user individual access to shared folders on a Server 2008 file server, they are immediately granted access. When I give a new group access to the same shared folders, the users' group membership doesn't grant them access unless I reboot the server. What service(s) can I restart to avoid a full reboot?
|
# ? May 29, 2012 19:27 |
|
adocious posted:
When I give a user individual access to shared folders on a Server 2008 file server, they are immediately granted access. When I give a new group access to the same shared folders, the users' group membership doesn't grant them access unless I reboot the server.

Isn't this a windows thing? It happens in 2003 too, but you have the user log off of windows on their workstation and then sign back on, then they have access. Don't reboot the server. It's a "Group membership is applied at logon time" sort of thing. Or maybe I'm crazy.
|
# ? May 29, 2012 19:41 |
|
That's the one. I was looking through a blog, and apparently there is a way to get group membership to update without needing a log-on/log-off, but it was really unpleasant looking.
|
# ? May 30, 2012 09:14 |
|
zapateria posted:
I'm still kind of unsure about Config Manager 2012 licensing for servers.

That sounds about right. Just remember that you can use the entire SC2012 suite for that price.
|
# ? May 30, 2012 11:34 |
|
I'm trying to make sure we're up to date on Microsoft licencing. It appears that for both 2003 and 2003 R2 server, you only required 2003 CALs. Did they change this with 2008 and 2008 R2? Are there only 2008 CALs or are there 2008 and 2008 R2 CALs? If we run 2008 R2 servers and 2003 R2 servers, what CALs do I need (2008 are backwards compatible, right?)?
|
# ? May 30, 2012 16:36 |
|
Our CALs are backwards compatible, and as far as I remember that's universally true, but check with your microsoft rep to be sure.
|
# ? May 30, 2012 16:57 |
|
Yeah, 2008 CALs are backwards compatible. But if you have 5 2003 servers, and 5 2008 servers and 30 workstations you will need 60 total licenses. 30 for the 2003 access, and 30 for 2008.
|
# ? May 30, 2012 19:19 |
|
Spermy Smurf posted:
Yeah, 2008 CALs are backwards compatible.

Holy poo poo, really? Also, are there "2008 R2 CALs"?
|
# ? May 30, 2012 19:30 |
|
Spermy Smurf posted:
Isn't this a windows thing? It happens in 2003 too, but you have the user log off of windows on their workstation and then sign back on, then they have access. Don't reboot the server.

You're not crazy, they have to log off and log back on to access the share.
|
# ? May 30, 2012 23:21 |
|
Serfer posted:
Ok, I've been beating myself up a little, and I'm trying to use SCCM to deploy a large piece of software, but we don't have distribution points in every office (lack of disk space at remote locations is what it boils down to). We do however have software shares in every office that contain some of the software I would like to deploy. It's become painstakingly obvious that I can't tell an SCCM program entry to run something from a UNC or drive letter because the system account can't access the share, and I can't really have it run under the user account due to UAC issues. Is there some trick to being able to run software from a share that I'm missing, or is it basically impossible, and I should break down and setup DP's in every office?

Even for big office deployments I just do it from a centralized site all over the world. Anyways, that was at my last company. If it's UAC causing problems, just create a batch script with the first line that disables uac, second line installs app, third line re-enables UAC.
|
# ? May 31, 2012 04:58 |
|
InfiniteDonkey posted:
Have any of you used the thumbnailPhoto attribute in Active Directory to store user photos?

If you have exchange 2010 SP1, it adds it automatically (after SP1 is installed). I have a free app that puts the pictures in so the pictures appear in Outlook 2010. I'll let you know the name tomorrow, as it's installed on my work PC. It's pretty lightweight and straightforward. I believe the software developers are a microsoft partner or something.

edit: Here is the software: http://www.codetwo.com/freeware/active-directory-photos/

quackquackquack posted:
At the end of our deployment process (MDT), I want to expire the local Administrator account's password.

Try executing a net user command with the expire switch to last year.
http://support.microsoft.com/default.aspx?scid=kb;es-xl;251394&sd=tech

edit: I will not double reply again.

lol internet. fucked around with this message at 18:21 on May 31, 2012
|
# ? May 31, 2012 05:02 |
|
Spermy Smurf posted:
Yeah, 2008 CALs are backwards compatible.

Not quite right. In the example you've outlined you would require 30 Device CALs. If you had less than 30 users you'd of course opt for User CALs instead. The Core and Enterprise CALs are well worth a look at as well.
http://www.microsoft.com/licensing/about-licensing/client-access-license.aspx#tab=1
|
# ? May 31, 2012 10:14 |
|
Serfer posted:
Ok, I've been beating myself up a little, and I'm trying to use SCCM to deploy a large piece of software, but we don't have distribution points in every office (lack of disk space at remote locations is what it boils down to). We do however have software shares in every office that contain some of the software I would like to deploy. It's become painstakingly obvious that I can't tell an SCCM program entry to run something from a UNC or drive letter because the system account can't access the share, and I can't really have it run under the user account due to UAC issues. Is there some trick to being able to run software from a share that I'm missing, or is it basically impossible, and I should break down and setup DP's in every office?

I missed this before. Is there a problem with giving the system account permissions to the share? I don't have SCCM, but I use psexec, and only give our admin group and system accounts access to the software share.
|
# ? May 31, 2012 10:34 |
|
After a lot of Google fu, I've found that you can use server 2008 CALs with server 2008 R2. Just an FYI for anyone following this.
|
# ? May 31, 2012 12:45 |
|
Mully Clown posted:
Not quite right. In the example you've outlined you would require 30 Device CALs. If you had less than 30 users you'd of course opt for User CALs instead.

Yes, you would need 30 device CALs for 2008, and 30 more for 2003 access. Total of 60. You can't use 30 2008 CALs for 2008 and 2003. Once downgrade rights have been applied to those 30 CALs for 2003 server access, you can't un-downgrade them when you feel like accessing 2008 servers. I'm being audited by Microsoft right now, I'm off on 4 Office 2002 Suites. Who knew that everything is downgrade compatible except for Office suites?
|
# ? May 31, 2012 13:23 |
|
Yesterday I deployed some software with SCCM 2012. I used the “Applications” section instead of packages, and deployed a custom built msi file. The software installed fine on the clients and is up and running, but in SCCM it still shows all of the machines in the “In Progress” stage with “No additional information” listed in the asset details on each machine. I’ve run the summarization a few times, rebooted the clients, and used SCCM client center to force software inventories, but it's still just stuck In Progress. Is this just my crappy MSI not reporting that it’s done, or is there something else to it?
|
# ? May 31, 2012 16:41 |
|
jlboan posted:
Yesterday I deployed some software with SCCM 2012. I used the “Applications” section instead of packages, and deployed a custom built msi file. The software installed fine on the clients and is up and running, but in SCCM it still shows all of the machines in the “In Progress” stage with “No additional information” listed in the asset details on each machine. I’ve run the summarization a few times, rebooted the clients, and used SCCM client center to force software inventories, but it's still just stuck In Progress. Is this just my crappy MSI not reporting that it’s done, or is there something else to it?

Try another MSI of a small program to test. (7zip?) Sounds like perhaps the MSI is erroring out and half installing? What are you using as the command? "msiexec.exe /i /qn installer.msi" ? Also, try running the command on a local machine from the command prompt with the /l (log) switch. Have a look at logs after the msi is installed, it should tell you if it completed successfully or not.

I've never used SCCM 2012 but I'd imagine Applications and Packages in general are no different in terms of deployment really. Application is just more specific, whereas packages can have multiple applications. (If you deploy from packages, you'll be asked to select an application)

lol internet. fucked around with this message at 18:22 on May 31, 2012
|
# ? May 31, 2012 18:20 |
|
lol internet. posted:
Try executing a net user command with the expire switch to last year.

Unfortunately, there does not appear to be an option to force a password change on next logon, only to expire the entire account.
|
# ? Jun 1, 2012 14:52 |
|
Is there any reason you can't put a second setup account that has local admin into your image, then delete it or disable it when you're done?

Either that, or maybe you need to enable password expiration for the account?
http://www.sevenforums.com/tutorials/73210-password-expiration-enable-disable.html

Powershell to get the account:
gwmi -class Win32_UserAccount -Filter "Name='Administrator'" | fl Caption, PasswordExpires

http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/a6a40db3-350d-4599-8480-28835714ed34 may also help. It appears PasswordAge (as is PasswordExpired) is a settable property, so you may be able to just set it to some time in the past AND ALSO set password expires to true.

Urit fucked around with this message at 15:59 on Jun 1, 2012
|
# ? Jun 1, 2012 15:50 |
|
It's the way MDT works. It configures autolog with the Administrator account, and uses that account to perform all of the actions.

It looks like you are right. I made a second user and put it in the administrators group, and the script worked against that account. The vbscript also worked on a 2008R2 box, but that was joined to the domain.

The reason I want to do this: some of our computers, once imaged, go to different areas that have their own IT staff, while some are managed by our internal IT staff. We don't want the computers to go out with a standard password that people never end up changing, and everyone ends up knowing. If I can expire the password at the end of the Task Sequence, the first person to turn it on and log in to the Administrator account is forced to change the password. I can think of a few workarounds for this, I'll just have to determine which one makes most sense.
|
# ? Jun 1, 2012 16:01 |
|
You're right about password expiration needing to be enabled on the account before I can expire it. I'll use Powershell and WMI, because they make way more sense to me than vbscript. Thanks
|
# ? Jun 1, 2012 16:28 |
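The two-step approach the posts above arrive at (enable password expiration on the local account, then mark its password as expired), written out as an added example; this is not code posted by anyone in the thread. The `$AccountName` parameter and the use of the ADSI WinNT provider for the second step are this example's choices, and it assumes an elevated session on the newly imaged machine.

```powershell
# Added example: make the first interactive logon to a local account change
# its password. Run elevated as the last step of the deployment.
# $AccountName is this example's parameter; the thread targets 'Administrator'.
param(
    [string]$AccountName = 'Administrator'
)

$ErrorActionPreference = 'Stop'

# Step 1 (WMI): turn password expiration on for the account.
# LocalAccount=True keeps the query off the domain on joined machines.
$filter  = "LocalAccount=True AND Name='$AccountName'"
$account = Get-WmiObject -Class Win32_UserAccount -Filter $filter
if (-not $account) {
    throw "Local account '$AccountName' not found."
}
if (-not $account.PasswordExpires) {
    $account.PasswordExpires = $true
    $null = $account.Put()
}

# Step 2 (ADSI WinNT provider): flag the current password as expired.
# Win32_UserAccount has no property for this, so it goes through ADSI.
$user = [ADSI]"WinNT://$env:COMPUTERNAME/$AccountName,user"
$user.PasswordExpired = 1
$user.SetInfo()

# Step 3: read both settings back so the deployment log shows the result.
$user.RefreshCache()
$check = Get-WmiObject -Class Win32_UserAccount -Filter $filter
New-Object PSObject -Property @{
    Account         = $check.Caption
    PasswordExpires = $check.PasswordExpires
    PasswordExpired = [bool]$user.PasswordExpired.Value
}
```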
|
So this is a thorn in my side and I'm hoping that someone else has run into this problem before and has a good solution for it... My company has a lot of employees in the field who have company laptops and connect via Cisco VPN. Those laptops are joined to the domain. Everything works great most of the time except when these field users need to change their password, either because they forgot it and need it reset, or because it has expired (every quarter). The cached credentials on their system cause problems. As soon as they connect to the VPN, Windows starts using those cached credentials (as far as we can tell, for mapped network drives) and then their account gets locked pretty quickly. In theory if you do it quickly enough you can CAD and Change Password but that doesn't always work. I feel like I'm missing something really stupid and obvious here, but I'm not the only one because the IT director, senior sysadmin, and CTA also can't seem to come up with a solution. The ugly work around is to have them stop in at a branch office and plug in to our network (MPLS cloud), but that's less than ideal. Any ideas?
|
# ? Jun 2, 2012 21:39 |
|
jlboan posted:
Yesterday I deployed some software with SCCM 2012. I used the “Applications” section instead of packages, and deployed a custom built msi file. The software installed fine on the clients and is up and running, but in SCCM it still shows all of the machines in the “In Progress” stage with “No additional information” listed in the asset details on each machine. I’ve run the summarization a few times, rebooted the clients, and used SCCM client center to force software inventories, but it's still just stuck In Progress. Is this just my crappy MSI not reporting that it’s done, or is there something else to it?

Always include logging in your msi command lines, it will save you dozens of hours of heartache. I've never seen stuff get stuck in progress, so I'm inclined to say it's the msi. Also, if I'm not mistaken, forcing a software inventory won't do much, most information is sent during hardware inventory.

Related: The technical documentation for 2012 is available for download. 2000+ pages of light reading. Also breaks down the new log files if you've been trying to find that information.
http://www.microsoft.com/en-us/download/details.aspx?id=29901

Sudden Loud Noise fucked around with this message at 16:15 on Jun 3, 2012
|
# ? Jun 3, 2012 16:02 |
|
Spermy Smurf posted:
Yes, you would need 30 device CALs for 2008, and 30 more for 2003 access. Total of 60. You can't use 30 2008 CALs for 2008 and 2003. Once downgrade rights have been applied to those 30 CALs for 2003 server access, you can't un-downgrade them when you feel like accessing 2008 servers.

There is a reason microsoft offers certification exams in licensing their products. It's loving complicated
|
# ? Jun 4, 2012 08:42 |
|
Powdered Toast Man posted:
So this is a thorn in my side and I'm hoping that someone else has run into this problem before and has a good solution for it...

edit to add: if they just forgot their new one, reset it, then have them login with VPN and then lock/unlock the machine while they're on, that'll also update the cached credentials. It might lock them out if something is persistent enough but it's a quick process and hopefully someone will be on the phone with them to watch their account.

wyoak fucked around with this message at 14:50 on Jun 4, 2012
|
# ? Jun 4, 2012 14:48 |
|
Powdered Toast Man posted:
So this is a thorn in my side and I'm hoping that someone else has run into this problem before and has a good solution for it...

We ran into this quite often with our road warriors. We put in a Juniper SSL VPN appliance and when their password expires I make them login to that. They can change it there to something we don't know, then use the Cisco client to connect, then the machine updates its cached pw in the background. It's not elegant at all, but it is what it is.
|
# ? Jun 4, 2012 17:24 |
|
Anyone using any kind of standalone patch management software? Before I get into it, SCCM is off the table and is not an option. All I need to do is run agentless scans against servers, report on patch status, and then have the ability to schedule and deploy patches as needed. I'm only worried about Windows patches, but 3rd party patches are fine too.

Looking at the following software:
Shavlik/VMWare Protect Essentials
GFI LanGuard
SolarWinds Patch Manager/ Eminentware

I used Shavlik in the past and I know it does what I need it to do, provided VMware hasn't changed the product too much. It's also the most expensive option. I have the money for it, but if GFI or SolarWinds would do the job better for a lower price, I'm good with that as well.
|
# ? Jun 4, 2012 20:41 |
|
If price is that important, then WSUS is free.
|
# ? Jun 4, 2012 21:55 |
|
What's wrong with WSUS? And for that matter if you've got a pile of money why is SCCM off the table? Political reasons?
|
# ? Jun 4, 2012 21:55 |
|
Is there any way to make the VPN connect before/during login? That would fix it right up, I'm sure. We've tried the whole "connect via VPN then quickly change your password" thing and it's unreliable at best. I'm trying to come up with a standardized procedure that works every time.
|
# ? Jun 4, 2012 23:16 |
|
FISHMANPET posted:
What's wrong with WSUS?

Nothing is wrong with WSUS, we have a WSUS infrastructure in place, but it doesn't meet the objectives of the project I'm working on. Price isn't that important, I will gladly pay VMWare their 20 grand, but if I can get similar functionality for a lower price, I obviously would have to consider it. We've always been in a situation where we have plenty of money to throw at a problem, but never enough manpower. Headcount is frozen for the foreseeable future.

SCCM is off the table for a few reasons... mostly manpower related. We're short on manpower right now with other deliverables and getting System Center rolled out properly in the timeframe we have isn't feasible. It's on the roadmap for next year. I need a 1 year solution to make the auditors happy.

So if anyone is familiar with GFI LanGuard or SolarWinds Patch Manager/ Eminentware please share your experience.
|
# ? Jun 4, 2012 23:37 |
|
jesus christ i'm loving done with SMP, gently caress Symantec.. i've taken our upgrade to symantec management platform 7.1 95% of the way, someone take it the remaining 5% please
|
# ? Jun 4, 2012 23:58 |
|
devmd01 posted:
jesus christ i'm loving done with SMP, gently caress Symantec..

In my previous job we had to delay our Windows 7 deployment for months because Symantec literally could not figure out how to make a 64bit msi. They are the worst tech company that I have ever dealt with.
|
# ? Jun 5, 2012 06:29 |
|
Powdered Toast Man posted:
Is there any way to make the VPN connect before/during login? That would fix it right up, I'm sure.

If users can't be bothered to change their passwords ahead of the actual expiration date you might be up a creek - you could look at implementing DirectAccess if you're a Windows 7 shop, but that's a pretty big rollout depending on what you've already got in place.
|
# ? Jun 5, 2012 15:29 |
|
spidoman posted:
Always include logging in your msi command lines, it will save you dozens of hours of heartache. I've never seen stuff get stuck in progress, so I'm inclined to say it's the msi.

Only one Windows Installer instance can run at a time, so if there are any Microsoft Updates or things being pushed out via GPO that are using Windows Installer or MSIs it will cause any other MSI instances to run indefinitely even in /q(n) mode. It's not smart enough to exit and send a return code - it just sits there. If you run it interactively it will give you a dialog box saying another installation is in progress until you click OK. It apparently waits for you to click OK on this dialog even when running non-interactively.

EDIT: I guess this is more of an issue with updates that start installing during another install. We do see 1618 errors when trying to start installing something while another install is running in the background.

Megiddo fucked around with this message at 15:27 on Jun 6, 2012
|
# ? Jun 5, 2012 18:52 |
|
Maybe someone can shed some light on this for me. I've set up a standard image using the WAIK but instead of using WDS to deploy it I just have a flash drive with a batch file which runs diskpart, applies the WIM image (stored right on the Flash drive), etc. That all works fine (we are a relatively small organization). But I'd like to go the next step and automate renaming and joining the domain. Actually I'd really like to go touchless. I want to use the serial number for the computer name.

Right now what I've come up with is:
1. A batch script which calls Powershell to enable running scripts, then calls
2. A Powershell script which renames the computer after getting the serial number from wmi-getobject, sets the HKLM/../RunOnce regkey to run #3, then reboots
3. A Powershell script which joins the domain, then reboots (you can't rename and join the domain without rebooting twice through PS, it seems)

This actually works somehow, except for a couple problems:
1. I still have to open cmd.exe with admin privileges and run my BAT file
2. The second PS script won't actually run with admin privileges even if you're logging in as local admin, so it won't work.
3. Even if I manually run the second PS script with admin privileges, in which case it does what it's supposed to do, I still need to supply domain admin credentials
4. I'd like for the computer description to say the model number (Dell Optiplex 790 or whatever) but have no idea how I could script that.

Am I barking up the wrong tree trying to do it this way (I have some experience with bash and perl, but I'm a PS neophyte and honestly it's pretty different, so I don't know if I'm even using the right tool)? Should I just set up WDS instead? Is there a lot of work involved in setting WDS up?
|
# ? Jun 6, 2012 23:34 |
|
Stop trying to reinvent the wheel. Look at MDT (with or without WDS).
|
# ? Jun 7, 2012 01:27 |