frogbert
Jun 2, 2007

IT Guy posted:

I have a GPO that installs Google Chrome Frame on all client machines. I also have a GPO that prevents users from enabling or disabling addons.

My problem is that sometimes Google Chrome Frame isn't enabled and I need to take the machine out of the GPO, gpupdate, enable the addon, then put them back in the gpo and gpupdate again.

Is there a way to force enable this specific addon through GPO?

Perhaps this is what you're looking for:

Workstation Settings> Administrative Templates> Windows Components> Internet Explorer> Security Features> Add-ons> "Deny all add-ons unless specifically allowed in the Add-on list"

I've never tested this setting myself though

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

frogbert posted:

Perhaps this is what you're looking for:

Workstation Settings> Administrative Templates> Windows Components> Internet Explorer> Security Features> Add-ons> "Deny all add-ons unless specifically allowed in the Add-on list"

I've never tested this setting myself though

I saw that, I just didn't really understand how to use the addon list. But I'll look further into it, thanks.

TannhauserGate
Nov 25, 2007

by garbage day
e: Pulling request because we just pushed for a big team meeting, and I found out the web guy is an enterprise-level web developer. That changes the picture rather drastically.

TannhauserGate fucked around with this message at 17:43 on Nov 13, 2012

Erwin
Feb 17, 2006

TannhauserGate posted:

Outlook/Exchange...volunteer

No don't!

Just use Google Apps for everything. If you're not getting paid, you do not want to manage anything locally, ESPECIALLY Exchange, ESPECIALLY since it sounds like you have no experience with it.

And if you still use Outlook to connect to Google Apps, I will come smack you.

Nitr0
Aug 17, 2005

IT'S FREE REAL ESTATE
Office 365 would work too for such a small department, then they can still use Outlook.

Cpt.Wacky
Apr 17, 2005
Agreed. Dreamhost offers free hosting for non-profits. Get that and use the Google Apps integration with it. If you volunteer to manage Exchange and Outlook for tech illiterates then you will end up drinking yourself to death.

TannhauserGate
Nov 25, 2007

by garbage day
e: Per above.

TannhauserGate fucked around with this message at 17:43 on Nov 13, 2012

Sulla Faex
May 14, 2010

No man ever did me so much good, or enemy so much harm, but I repaid him with ENDLESS SHITPOSTING
A small update to the problem I was discussing last week: We disabled several GPOs at the forest-level that didn't seem to be doing anything (or at least, had redundant settings). The problem has not reoccurred since then as far as we can tell, so it looked to be just a dumb conflict with poorly-structured GPOs. There may have been some XP-era WMI setting that caused the conflict, but since the problem seems to have gone away and the group policy setup is a bit messy anyway, we're not terribly concerned with sanitising the disabled GPOs and bringing them back online -- we haven't lost any functionality by disabling them. Thank you for all of your help, I learned a little bit more about Group Policy through it. I now know enough about it to be able to fill a business card-sized bit of paper, which is an improvement.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
Wooo! One small step for IT, one giant step for everyone's sanity!

Today, my boss gave me the "ok" to disable Outlook stationery and themes via GPO.

gently caress all my users, thank gently caress.

nexxai
Jul 17, 2002

quack quack bjork
Fun Shoe

IT Guy posted:

Wooo! One small step for IT, one giant step for everyone's sanity!

Today, my boss gave me the "ok" to disable Outlook stationery and themes via GPO.

gently caress all my users, thank gently caress.
I suggest you buy your boss a bottle of whiskey over the weekend as a thank you gift.

wolrah
May 8, 2006
what?
I apparently wasn't thinking when I was initially setting up a domain I'm building out for a customer and just realized I may have hosed myself.

I know you're not supposed to do it for a variety of reasons, but habits are hard to break and I set the DNS name to companyname.local rather than something like ad.companyname.com.

I know this messes with mDNS for Bonjour/Zeroconf, but I'm not sure what else, so I have two questions:

1. How bad is this? If it's basically "iTunes sharing won't work right" then I really don't care.

2. How much pain is changing a domain's DNS name? I see it's possible, but if it is important the question would be try to change or tear down/rebuild? All that's currently bound is two 2012 servers, a Win8 laptop, and five XP desktops. Everything else only interacts with the domain loosely for DHCP/DNS for now.

wolrah fucked around with this message at 19:39 on Nov 19, 2012

Docjowles
Apr 9, 2009

It's not best practice but it's not the end of the world. My old company used .local and had no problems.

Everything I've ever read about renaming an AD domain, on the other hand, is that it is literally the worst thing you can do.

Thanks Ants
May 21, 2004

#essereFerrari


If you can kill it now and change it then I would before you get too far down the line

thebigcow
Jan 3, 2001

Bully!
Besides messing up mDNS there is this http://www.networking4all.com/en/ssl+certificates/faq/change+san+issue/

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

IT Guy posted:

Wooo! One small step for IT, one giant step for everyone's sanity!

Today, my boss gave me the "ok" to disable Outlook stationery and themes via GPO.

gently caress all my users, thank gently caress.

Sneak in and remove the high priority exclamation point from Outlook while you're in there. It can't be truly hidden (if the user was so inclined to go into the sender options), but it's a small step in the right direction.

e: do not apply this to management.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
On the subject of Outlook & GPOs, is it possible to disable user access to Out of Office replies? It's against our policy to use them but people do anyway. My boss wants to take away the ability completely.

Nitr0
Aug 17, 2005

IT'S FREE REAL ESTATE

Swink posted:

On the subject of Outlook & GPOs, is it possible to disable user access to Out of Office replies? It's against our policy to use them but people do anyway. My boss wants to take away the ability completely.

What version of exchange?

http://blogs.technet.com/b/exchange/archive/2011/09/08/configure-automatic-replies-for-a-user-in-exchange-2010.aspx

alanthecat
Dec 19, 2005

wolrah posted:

I know you're not supposed to do it for a variety of reasons, but habits are hard to break and I set the DNS name to companyname.local rather than something like ad.companyname.com.

2. How much pain is changing a domain's DNS name? I see it's possible, but if it is important the question would be try to change or tear down/rebuild? All that's currently bound is two 2012 servers, a Win8 laptop, and five XP desktops. Everything else only interacts with the domain loosely for DHCP/DNS for now.

You can rename it easily enough if you've another server. Quite possibly, you can install Server in a VM on another machine, use it for the renaming and then delete it, all before needing to activate Windows. I've renamed twice and both times everything went smoothly.

Also, I never bother with the ad. part. I just use companyname.com and I've never had issues. I've just had to add a www cname in DNS. That said, I don't exactly manage complex environments. It's nice when the login is reallylongusername@companyname.com for both AD and Gmail.

Thanks Ants
May 21, 2004

#essereFerrari


Has anyone had any luck getting RDP 8.0 to work when connecting to Server 2008 R2? I've got a desktop at home on Windows 7 talking to a Windows 8 client over RDP 8.0 successfully, I've been following the guide here:

http://support.microsoft.com/kb/2592687

But I don't have "Enable Remote Desktop Protocol 8.0" as an option in Group Policy Management. Am I missing an ADMX template file or something?

Swink
Apr 18, 2006
Left Side <--- Many Whelps

Caged posted:

Has anyone had any luck getting RDP 8.0 to work when connecting to Server 2008 R2? I've got a desktop at home on Windows 7 talking to a Windows 8 client over RDP 8.0 successfully, I've been following the guide here:

http://support.microsoft.com/kb/2592687

But I don't have "Enable Remote Desktop Protocol 8.0" as an option in Group Policy Management. Am I missing an ADMX template file or something?

Without having read about this at all, those settings may only be exposed when looking at GPMC.msc in Server2012.



Yep 2010. Link posted refers to setting OOF on behalf of users, I want it completely disabled. I want the feature removed. When users try and set an OOF message, I want a big hammer to stretch out and break their fingers.

After a fair bit of Googling, it's starting to look like this isn't possible.

Swink fucked around with this message at 05:57 on Nov 28, 2012

Swink
Apr 18, 2006
Left Side <--- Many Whelps
Double!

Serfer
Mar 10, 2003

The piss tape is real



Caged posted:

Has anyone had any luck getting RDP 8.0 to work when connecting to Server 2008 R2? I've got a desktop at home on Windows 7 talking to a Windows 8 client over RDP 8.0 successfully, I've been following the guide here:

http://support.microsoft.com/kb/2592687

But I don't have "Enable Remote Desktop Protocol 8.0" as an option in Group Policy Management. Am I missing an ADMX template file or something?

Yeah, you have to take the admx file from Windows 7 update, it's something like TerminalServer-WinIP.admx or something, I can't look it up at the moment. If you start local group policy (not domain group policy) you can see it there (assuming you have the windows 7 update installed). Otherwise you'll need to copy the file to your domain template store, if you want to enable it domain wide, you'll have to do that anyway.

somethingwicked
May 5, 2006

Hai!
I haven't found an answer to this from my googling. The latest server version we have deployed is 2008 R2, which is our domain controller. We run a mix of mostly windows 7 with a few XP machines here and there. I'm currently running Windows 8 on my work computer to see how it does in a corporate environment.

Will there be any kind of update for Server 2008 R2 that will add specific GPOs for Windows 8? (i.e. disable the store, etc) or is the only option to upgrade to Server 2012?

Nebulis01
Dec 30, 2003
Technical Support Ninny

somethingwicked posted:

I haven't found an answer to this from my googling. The latest server version we have deployed is 2008 R2, which is our domain controller. We run a mix of mostly windows 7 with a few XP machines here and there. I'm currently running Windows 8 on my work computer to see how it does in a corporate environment.

Will there be any kind of update for Server 2008 R2 that will add specific GPOs for Windows 8? (i.e. disable the store, etc) or is the only option to upgrade to Server 2012?

https://blogs.technet.com/b/craigf/...Redirected=true

You will need to perform the changes in the GPOs from a Windows8/Server2012 machine for some of them to function properly.

Thanks Ants
May 21, 2004

#essereFerrari


Serfer posted:

Yeah, you have to take the admx file from Windows 7 update, it's something like TerminalServer-WinIP.admx or something, I can't look it up at the moment. If you start local group policy (not domain group policy) you can see it there (assuming you have the windows 7 update installed). Otherwise you'll need to copy the file to your domain template store, if you want to enable it domain wide, you'll have to do that anyway.

Got it thanks, dumped them into the central store and enabled it. Going to give the clients time to install the RDP 8.0 updates from WSUS and reboot and see where we're at.

Wish Microsoft mentioned that on the page where they talk about enabling it on Windows 7. It's like they got distracted halfway through.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
I'm trying to set up a software restriction for iTunes. A lot of our computers already have it installed and we're not interested in removing it, we just want to prevent users from using it. So, I can create a software restriction but the options are either path or hash? If I do hash, it only works for that version, there could be many other versions out there. If I do path, it could be installed in other paths?

I've done path for now in addition to stopping a process named "itunes.exe" (which if they're smart they could rename the executable).

Is there any better way to do this?

Nebulis01
Dec 30, 2003
Technical Support Ninny

IT Guy posted:

I'm trying to set up a software restriction for iTunes. A lot of our computers already have it installed and we're not interested in removing it, we just want to prevent users from using it. So, I can create a software restriction but the options are either path or hash? If I do hash, it only works for that version, there could be many other versions out there. If I do path, it could be installed in other paths?

I've done path for now in addition to stopping a process named "itunes.exe" (which if they're smart they could rename the executable).

Is there any better way to do this?

If you're running Windows 7 you could look into AppLocker and do a publisher rule

http://technet.microsoft.com/en-us/library/dd723678%28v=ws.10%29.aspx

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

Nebulis01 posted:

If you're running Windows 7 you could look into AppLocker and do a publisher rule

http://technet.microsoft.com/en-us/library/dd723678%28v=ws.10%29.aspx

Exactly what I wanted. It will still roll out to XP clients if they have the GPO extensions update, right?

Edit: Never mind, it looks like it won't roll out to XP, I'll have to use SRP for that.

IT Guy fucked around with this message at 21:43 on Jan 4, 2013

Thanks Ants
May 21, 2004

#essereFerrari


Don't forget if you use AppLocker to start the related service, I tore my hair out for a while before I found that out.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

Caged posted:

Don't forget if you use AppLocker to start the related service, I tore my hair out for a while before I found that out.

Haha, yeah I saw it on a blog before I even made the GPO. I wouldn't have figured it out otherwise. The GPO is working great for us, lots of angry calls!
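
The AppLocker publisher rule and the service check discussed in the posts above, as an added example that is not part of any post in the thread. The iTunes install path, the working file name and the LDAP path are assumptions or placeholders; the publisher details are read from the installed binary rather than typed in.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on a
# Windows 7 (AppLocker-capable edition) or later machine that has iTunes installed.
Import-Module AppLocker

# Assumption: default 32-bit install path; adjust to where iTunes.exe actually lives.
$exe     = 'C:\Program Files (x86)\iTunes\iTunes.exe'
$xmlPath = Join-Path $env:TEMP 'itunes-applocker.xml'   # hypothetical working file

# 1. Read the signer details from the installed binary and let AppLocker
#    generate a publisher rule from them. Generated rules are Allow rules.
$info = Get-AppLockerFileInformation -Path $exe
if (-not $info.Publisher) {
    throw "$exe is not signed; a publisher rule cannot match it."
}
[xml]$policy = $info | New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml

# 2. Turn it into a Deny rule that covers every version, so updates and older
#    installs are caught (the gap a hash rule leaves) wherever the file is
#    installed or however it is renamed on disk (the gap a path rule leaves).
$exeRules = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$exeRules.SetAttribute('EnforcementMode', 'AuditOnly')   # log only until verified
foreach ($rule in $exeRules.FilePublisherRule) {
    $rule.SetAttribute('Action', 'Deny')
    $rule.SetAttribute('Name', 'Deny iTunes (publisher rule)')
    $range = $rule.Conditions.FilePublisherCondition.BinaryVersionRange
    $range.SetAttribute('LowSection', '*')
    $range.SetAttribute('HighSection', '*')
}
$policy.Save($xmlPath)

# 3. Dry run against the saved policy. iTunes.exe should come back 'Denied'.
#    Other files come back 'DeniedByDefault': once the Exe collection is
#    enforced, anything without an Allow rule is blocked, so the GPO must also
#    carry the default Allow rules (created in the GPO editor) before the
#    enforcement mode is switched from AuditOnly to Enabled.
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $exe, "$env:WINDIR\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Merge into the GPO that targets the Windows 7 clients.
#    Placeholder LDAP path: substitute the GPO's real GUID and domain, then uncomment.
# Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge `
#     -Ldap 'LDAP://CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=com'

# 5. Rules are not evaluated unless the Application Identity service is running.
Get-Service -Name AppIDSvc | Select-Object Name, Status
```

In audit mode, would-be blocks are written to the AppLocker "EXE and DLL" event log as event 8003, which shows who would be affected before enforcement is turned on.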

Wizard of the Deep
Sep 25, 2005

Another productive workday
We’ve got a program that needs to be updated. This program is a document management system, and absolutely critical to the day-to-day functioning of our business. It’s also less than popular with a large swath of my users, because it requires more thought than the seventeen levels of directories we had before. Because it keeps a somewhat large local cache that has to be converted when a new version is released, forcing the update to happen at logon or kicking it off during the day is a no-go. Additionally, over half of my users have a laptop that they take home in the evenings.

The solution I’ve come up with is to distribute a desktop shortcut that requires absolutely zero further interaction from the user, and let them kick it off when it’s convenient for them. I’ll email them to tell them that they need to double-click that strange new icon. The shortcut points at a batch file, which is just the command line to kick off the MSI installer with the appropriate options (which I can’t figure out how to preconfigure with a simpler transform file). The only issue is that the shortcut has to be run as an administrator.

Is there a way to configure a shortcut, placed on the AllUsers Desktop, to run as admin? Because a number of “critical line-of-business” programs were last updated when supporting Windows 98 was still a valid concern, all users have local admin. Failing that, is there a command-line switch that I can feed MSIExec to tell it to install the app as an admin? Right now it will fail because the command line that gets spawned doesn’t have access to update the app for all users.

Ifan
Feb 21, 2006
The Nice Operator from Heaven

Wizard of the Deep posted:

Is there a way to configure a shortcut, placed on the AllUsers Desktop, to run as admin?

You could try preconfiguring a scheduled task, and let the shortcut point to it.
Personally I would use something else to deploy the software, no one is going to run it unless the old version stops working.

gallop w/a boner
Aug 16, 2002

Hell Gem

Wizard of the Deep posted:

We’ve got a program that needs to be updated. This program is a document management system, and absolutely critical to the day-to-day functioning of our business. It’s also less than popular with a large swath of my users, because it requires more thought than the seventeen levels of directories we had before. Because it keeps a somewhat large local cache that has to be converted when a new version is released, forcing the update to happen at logon or kicking it off during the day is a no-go. Additionally, over half of my users have a laptop that they take home in the evenings.

The solution I’ve come up with is to distribute a desktop shortcut that requires absolutely zero further interaction from the user, and let them kick it off when it’s convenient for them. I’ll email them to tell them that they need to double-click that strange new icon. The shortcut points at a batch file, which is just the command line to kick off the MSI installer with the appropriate options (which I can’t figure out how to preconfigure with a simpler transform file). The only issue is that the shortcut has to be run as an administrator.

Is there a way to configure a shortcut, placed on the AllUsers Desktop, to run as admin? Because a number of “critical line-of-business” programs were last updated when supporting Windows 98 was still a valid concern, all users have local admin. Failing that, is there a command-line switch that I can feed MSIExec to tell it to install the app as an admin? Right now it will fail because the command line that gets spawned doesn’t have access to update the app for all users.

We use Appsense Application Manager to give elevated permissions to specific legacy apps. Have a look at
http://www.appsense.com/media/9574177/am_urm_edition_us.pdf

I appreciate that you are not going to want to purchase an expensive solution to crack this fairly simple problem though, so this probably doesn't help you at all.

Wizard of the Deep
Sep 25, 2005

Another productive workday

Ifan posted:

You could try preconfiguring a scheduled task, and let the shortcut point to it.
Personally I would use something else to deploy the software, no one is going to run it unless the old version stops working.

It's a client/server package, so it will stop working when we update the server. My users will run it if they want to be able to do their job.

I guess I need to buckle down and get it deployed via a scheduled task, then. Thanks!

Sickening
Jul 16, 2007

Black summer was the best summer.

Wizard of the Deep posted:

We’ve got a program that needs to be updated. This program is a document management system, and absolutely critical to the day-to-day functioning of our business. It’s also less than popular with a large swath of my users, because it requires more thought than the seventeen levels of directories we had before. Because it keeps a somewhat large local cache that has to be converted when a new version is released, forcing the update to happen at logon or kicking it off during the day is a no-go. Additionally, over half of my users have a laptop that they take home in the evenings.

The solution I’ve come up with is to distribute a desktop shortcut that requires absolutely zero further interaction from the user, and let them kick it off when it’s convenient for them. I’ll email them to tell them that they need to double-click that strange new icon. The shortcut points at a batch file, which is just the command line to kick off the MSI installer with the appropriate options (which I can’t figure out how to preconfigure with a simpler transform file). The only issue is that the shortcut has to be run as an administrator.

Is there a way to configure a shortcut, placed on the AllUsers Desktop, to run as admin? Because a number of “critical line-of-business” programs were last updated when supporting Windows 98 was still a valid concern, all users have local admin. Failing that, is there a command-line switch that I can feed MSIExec to tell it to install the app as an admin? Right now it will fail because the command line that gets spawned doesn’t have access to update the app for all users.

Make a vbscript that functions as "run as" and simply point it at the batch you need to run as admin. Once you have ironed out the vbscript, package it into a .exe with autoit so the credentials you are using in the script don't become easily accessible. http://www.autoitscript.com/site/autoit/downloads/

That should do it, for free. I use this for these exact situations.

Ifan
Feb 21, 2006
The Nice Operator from Heaven

Wizard of the Deep posted:

It's a client/server package, so it will stop working when we update the server. My users will run it if they want to be able to do their job.

I guess I need to buckle down and get it deployed via a scheduled task, then. Thanks!

Yep, the shortcut you point on their desktop just has to trigger the task to start. As long as the task is registered with elevated credentials to run elevated, the user should be able to trigger it.
Just remember to remove it afterwards.

Fun fact:
Stuxnet used scheduled tasks to gain elevated privileges on Windows 7.
A bug allowed users to edit the xml file for the task. Regular users could just enable the elevate flag in the file and the task would run elevated :)

tronester
Aug 12, 2004
People hear what they want to hear.
I have a 2008 terminal server that hosts a crappy application that our workers need to run via remote app.

It works fine, except the session locks after about 30 minutes of inactivity, bringing focus to the locked remote app session, which is quite annoying. I've gone to every user and computer policy setting on the TS and could not find any setting that was set to this time interval.

It's probably something stupid, but does anyone know what I'm missing here?

peak debt
Mar 11, 2001
b& :(
Nap Ghost
Could it be that there is no policy setting for locking the screen and that the 30 minutes are simply the default settings? If you go to Display Properties, can you change the timeout manually?

Ifan
Feb 21, 2006
The Nice Operator from Heaven
Might be a local policy.
Have you tried running a report to see which settings are applied?

Wizard of the Deep
Sep 25, 2005

Another productive workday
There are some settings that are configured on the terminal server itself, too. It can probably be overwritten (down to a per-user basis, if need be) by a GPO, but it'd require some testing.

I haven't touched our terminal server in almost a year, but I can glance tomorrow.
