incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
FYI, I just found out about this (a month old or so), but if you use IE Maintenance, Microsoft removed this from GPME without telling anyone

http://www.grouppolicy.biz/2013/04/missing-internet-explorer-maintenance-option-from-gpmc-with-windows-7-2008-r2/

This only affects machines with IE10 installed, so if you administer from your workstation you'll need to log into your DC to edit the GPOs.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
Is there a way I can update a software deployment policy and not have it re-install the application? I want to change the location of the installer MSI for a certain program.

peak debt
Mar 11, 2001
b& :(
Nap Ghost

Swink posted:

Is there a way I can update a software deployment policy and not have it re-install the application? I want to change the location of the installer MSI for a certain program.

I would think that if you only update the policy, and do not delete it, the uninstall won't happen. Worst case you would have to clear the "uninstall program when policy is removed" checkbox during the edit. But this is a clear case for a test environment.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
Looking at the policies I'm editing, I can't avoid the action of giving a certain group a 'new policy', even though it's functionally the same as a previous one. I'll just have to let the installation run again. It should only reinstall the MSI, which shouldn't cause any issues except for the delay in startup.

Dilbert As FUCK
Sep 8, 2007

by Cowcaster
Pillbug
Anyone know how to show when a GPO was unlinked or un-enforced in Windows Server 2003?

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy

Corvettefisher posted:

Anyone know how to show when a GPO was unlinked or un-enforced in Windows Server 2003?

Here's a technet article: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/9aee58d4-6fce-4e6c-b931-d4bca99fd77c/

You might be out of luck because it seems to need "Directory Service Access" auditing enabled, and it is disabled on the DC by default it seems?
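Added example (the editor's, not code from any post in the thread) that pulls the audit trail the linked article describes. It assumes a Server 2008 or later DC, where the directory-change event is 5136 (on 2003 the equivalent is event 566 under the older "Audit directory service access" setting), and it only shows anything once both prerequisites are in place: the audit subcategory turned on, and a SACL on the OU, domain or site objects that audits Write Property. Both are off by default, as noted above.

```powershell
# Added example (not from the thread): who unlinked, disabled or un-enforced a GPO.
# Links live in the gPLink attribute of the OU/domain/site as
#   [LDAP://cn={GUID},cn=policies,cn=system,DC=...;N]
# where N = 0 normal, 1 link disabled, 2 enforced. Unlinking removes the entry;
# un-enforcing changes N from 2 to 0. "Block inheritance" lives in gPOptions.
# Prerequisites (both off by default), done once on the DC as an admin:
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable
#   plus a SACL (ADUC > Properties > Security > Advanced > Auditing) on the
#   containers: Everyone, Success, Write all properties, this object and descendants.
param(
    [int]$Days = 30,
    [string[]]$Attributes = @('gPLink', 'gPOptions')
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5136                       # "A directory service object was modified"
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue            # no matching events is not an error

foreach ($e in $events) {
    # EventData is a list of <Data Name="...">value</Data>; flatten it to a hashtable
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($Attributes -notcontains $d['AttributeLDAPDisplayName']) { continue }

    # One modification is logged as two events: the old value deleted (%%14675)
    # and the new value added (%%14674). Compare the pair to see what changed.
    $op = switch ($d['OperationType']) {
        '%%14674' { 'Added' }
        '%%14675' { 'Deleted' }
        default   { $d['OperationType'] }
    }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Who       = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        Container = $d['ObjectDN']
        Attribute = $d['AttributeLDAPDisplayName']
        Operation = $op
        Value     = $d['AttributeValue']
    }
}
```

Run it on every DC, not just one: a change is audited only on the DC that wrote it. The Security log on a DC wraps quickly once this subcategory is on, so forward the events to a collector if you want to answer "who unlinked this" more than a few days after the fact.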

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
So I'm trying to put in some per computer trusted sites, but I don't want to lock it down so users can't also add their own trusted sites.

I used this method:
http://nefaria.com/2009/10/adding-trusted-sites-for-ie-via-the-registry/
I also had to use this to allow users to add sites to Trusted Sites on their own:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/cd9e1fc2-e209-49f4-ae4a-78222969c6b2/

But now I can't change the security level for a zone. Well, I can change it, but as soon as I reopen the window it's set back to some default. It's not defaulting to Medium security, it's some custom level. I could find a GPO that would force it to low, but I'd rather make it so users can actually change it. I can't seem to come up with anything to put into Google to change this, so I was hoping somebody here might have some suggestions.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy
I just did all the trusted sites by going:

User Configuration
Administrative Templates
Windows Components
Internet Explorer
Internet Control Panel
Security Page
-> "Site to Zone assignment list"
Enable it then add example.domain.com and set it to Zone 2 for trusted sites

Read the explain tab for the lowdown. But it is much faster and more reliable than all the usual Internet Explorer Maintenance bullshit.
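Added example (the editor's, not Zero VGS's or FISHMANPET's code) covering the registry route FISHMANPET linked: it writes per-machine zone entries under the non-policy ZoneMap key, and then lists what is there alongside anything the "Site to Zone assignment list" policy has written to its own ZoneMapKey, so you can tell which source a given entry comes from. Hosts are placeholders; zone numbers are 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted.

```powershell
# Added example (not from the thread). Per-machine zone assignments via the
# registry. Hosts and zones are placeholders; run elevated.
$ZoneMap   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Add-ZoneSite {
    param(
        [Parameter(Mandatory)][string]$HostName,               # e.g. portal.example.com
        [ValidateSet('http', 'https', '*')][string]$Scheme = 'https',
        [ValidateRange(1, 4)][int]$Zone = 2                    # 2 = Trusted sites
    )
    # IE keys the list by registrable domain, with the rest of the name as a subkey:
    #   portal.example.com -> Domains\example.com\portal, value "https" = 2
    #   example.com        -> Domains\example.com,        value "https" = 2
    $labels = $HostName.Split('.')
    $key = if ($labels.Count -ge 3) {
        Join-Path (Join-Path $ZoneMap ($labels[-2..-1] -join '.')) ($labels[0..($labels.Count - 3)] -join '.')
    } else {
        Join-Path $ZoneMap $HostName
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Prefer https and an exact host: a "*" scheme trusts the name over plain http as well
    New-ItemProperty -Path $key -Name $Scheme -Value $Zone -PropertyType DWord -Force | Out-Null
}

function Get-ZoneSite {
    # Non-policy entries: users can still add their own next to these
    if (Test-Path $ZoneMap) {
        Get-ChildItem -Path $ZoneMap -Recurse | ForEach-Object {
            $parent = Split-Path -Path $_.PSParentPath -Leaf
            $name = if ($parent -eq 'Domains') { $_.PSChildName } else { "$($_.PSChildName).$parent" }
            foreach ($v in $_.GetValueNames()) {
                [pscustomobject]@{ Source = 'ZoneMap'; Site = "${v}://$name"; Zone = $_.GetValue($v) }
            }
        }
    }
    # Entries written by the "Site to Zone assignment list" policy, which also
    # takes the zone lists away from the user in the Internet Options UI
    if (Test-Path $PolicyKey) {
        $k = Get-Item -Path $PolicyKey
        foreach ($v in $k.GetValueNames()) {
            [pscustomobject]@{ Source = 'Policy'; Site = $v; Zone = [int]$k.GetValue($v) }
        }
    }
}

Add-ZoneSite -HostName 'portal.example.com'
Add-ZoneSite -HostName 'intranet.example.com' -Scheme 'http' -Zone 1
Get-ZoneSite | Sort-Object Source, Site | Format-Table -AutoSize
```

Keep entries narrow: an exact host with the https scheme, not a bare domain with "*", since everything in the Trusted zone runs with the relaxed Trusted security level. If Get-ZoneSite shows entries under Source = Policy, the list is GPO-managed and the Sites button will be greyed out no matter what you put in ZoneMap.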

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy
Edit: that awful app sure is something awful!

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Doesn't doing the site to zone assignment prevent users from changing trusted sites themselves? If it does would I be able to use "Security Zones: Do not allow users to change policies" to allow users to add sites?

Thanks Ants
May 21, 2004

#essereFerrari


How do people normally handle laptop users? I've tried the user virtualisation thing (roaming profile, folder redirection, offline cache) and it simply does not work how it should when devices aren't on the network all the time. Network is very basic, shares are set up as per MS documentation on the subject, and it's a support nightmare. The scary message about not being able to find a profile on logon doesn't help fill people with confidence, and then it's easy to fill up the offline cache and make your laptop useless until you can get it back to a network. I've also had it fail to detect that it wasn't connected to the corporate LAN and refuse to pull files out the offline cache before.

I'm tempted to just say gently caress it and put our laptop users back to a non-roaming profile and use CrashPlan Enterprise or something to make sure that we don't lose data if a laptop dies. It's what I've used before and seems to work fine.

Scikar
Nov 20, 2005

5? Seriously?

We use folder redirection and offline files, but not roaming profiles. Finding old XP machines that have an offline cache pointing to a server that was decommissioned 2 years ago is a nightmare (solution: CSCCMD), but we standardised a huge amount of our environment before we started deploying Windows 7 so we very rarely see sync issues any more. Haven't really run into filling up the offline cache, I guess that depends on how much data your average user uses, but we just encourage them to use the VPN whenever they have an internet connection anyway so they're rarely fully offline for very long.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
On this topic, how do you disable Offline Files on a 2008 R2 RDS server?

The 'disable offline files' GPO is only valid for 2003 servers and there doesn't seem to be a replacement.


Edit - we use folder redirection but not roaming profiles.

devmd01
Mar 7, 2006

Elektronik
Supersonik

Caged posted:

How do people normally handle laptop users?

We don't give a gently caress about their data, anything of worth they are working on should be saved to the file servers.

Helpdesk gives a minimal best-effort recovery in the case of OS corruption, but beyond that...

Thanks Ants
May 21, 2004

#essereFerrari


I haven't seen this posted yet, even though it's been out for a while, but this is probably the best guide I've ever seen when it comes to taming the beast that is Google Chrome:

http://www.nsa.gov/ia/_files/app/Deploying_and_Securing_Google_Chrome_in_a_Windows_Enterprise.pdf

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
That's great! Where is the Firefox one?

Thanks Ants
May 21, 2004

#essereFerrari


For anyone using Google Apps with Outlook and using Apps Sync on a domain with Roaming Profiles, I've put some words together about how I handled it:

https://docs.google.com/document/d/14I-f3Ar9_aSku8GEw95UV0Z_txwwJz8WpfKUqoyw0bQ/edit?usp=sharing

The document is public and anyone can comment with a Google account, so if you want to add any revisions then feel free. Share it around, copy it etc.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
I just wanna run this by someone else to see if it makes sense.

I've got a group of computers, some XP, some Windows 7. I have users that need local admin on those computers. I've created them admin accounts separate from their regular user accounts. I don't want them to be able to login to the Windows 7 machines with their admin accounts, just put the username in the UAC box (Win XP I don't have a choice, the admin user will have to login).

So I want to make a GP that will put these user accounts in the allowed logon group, and also in the Administrators group on those machines.

But then I also want a policy that will change the login script to be shutdown -l (or whatever command logs you off) on just the Win 7 machines for just the Admin users. So I'll need a GP applied to the machines with loopback that's only applied to my Admin group, and also has a WMI query to limit it to Win 7 machines, and that will change the logon script.

Does that make sense? Have I missed something?

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from
Just use item level targeting on the allowed logon group to only target WinXP. I haven't touched GP preferences in a while so I don't remember if you have to split the policy into two to keep the admin group modification universal but either way it should work a lot better than a loopback applied logon script

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Currently Administrators is in Allowed login, so I'd have to re-engineer that if I'm understanding you correctly. And if a user's in the Administrators group but not the Allowed Logon group they'll still be able to elevate?

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from
After a bit of poking around, denying local logon prevents using the account to elevate. Looks like the common solution is what you suggested in the first place, run a script that forces the account to log off as soon as it logs on.

You'd think there'd be support for this since Microsoft's best practice is not to log in with an admin account and elevate only when you need to.
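Added example (the editor's, not code from the thread) of the loopback logon script hihifellow and FISHMANPET settle on: it logs the session off as soon as a member of the admin-account group signs in interactively on a Windows 7 client. The group name is a placeholder. The GPO carries it as a user logon script under loopback (merge mode), is security-filtered to that group (keep Read for the computer accounts, or the machines cannot see the GPO at all) and WMI-filtered to Windows 7 with the query in the comment.

```powershell
# Added example (not from the thread): user logon script for the loopback GPO.
# WMI filter on the GPO so only Windows 7 workstations process it:
#   SELECT Version, ProductType FROM Win32_OperatingSystem
#   WHERE Version LIKE "6.1%" AND ProductType = "1"
# The script re-checks both conditions, so a mis-linked GPO does nothing.
$AdminGroup = 'CONTOSO\Workstation-Admins'   # placeholder: group holding the separate admin accounts

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

$os = Get-WmiObject -Class Win32_OperatingSystem
$isWin7Client = ($os.Version -like '6.1*') -and ($os.ProductType -eq 1)   # ProductType 1 = workstation

# IsInRole checks the logon token. UAC's filtered token still lists ordinary
# domain groups, so membership in the admin group is visible at logon; only the
# built-in Administrators group is marked deny-only in that token.
if ($isWin7Client -and $principal.IsInRole($AdminGroup)) {
    # Security event 4624 on the machine already records the logon, and the
    # logoff that follows gets its own event, so no extra logging here.
    # /l logs off the current session; /f does not wait for applications to close.
    & "$env:SystemRoot\System32\shutdown.exe" /l /f
}
```

Treat this as a nudge rather than a control: the script runs inside the user's own session, so the user can kill it, and GPO scripts do not run in safe mode. "Deny log on locally" is the real control, but as noted above it also stops the account from being used in the UAC prompt, which is the whole reason the separate account exists.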

alanthecat
Dec 19, 2005

crap post.

alanthecat fucked around with this message at 23:19 on Aug 7, 2013

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
I'm applying the login script to a set of computers, not the users, so I need to loopback.

alanthecat
Dec 19, 2005

FISHMANPET posted:

I'm applying the login script to a set of computers, not the users, so I need to loopback.

Yeah, I thought a little more. I was imagining the GPO on a user OU, with the WMI for Windows 7 and item targeting on the group. Your way looks to be neater.

Someone says: Computer Configuration / Windows Settings / Security Settings / Local Policy User Rights Assignment to set Deny logon locally for this account. I can't test it, but it's in response to Deny Interactive Logon not suiting.

alanthecat fucked around with this message at 23:25 on Aug 7, 2013

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

My boss has done...something to GP. When I make a new GPO and then edit it from either a Win7 or Server2008 machine, and then navigate to Policies--Administrative Templates I no longer see the categories that I'm used to seeing (Control Panel, Network, Printers, etc.). Instead I see Google, Internet Explorer, RSS Feeds and All settings.
However, If I create a new GPO on our ancient 2003 server, I see all the categories that I'm used to seeing. When I then edit this same policy object on a newer version of Windows, under Admin Templates I see "Classic Administrative Templates (ADM)" which then contains all the categories I'm used to seeing. For obvious reasons I'd like to create GPOs using a more modern version of Windows, any way that I can fix this?

I am not a book
Mar 9, 2013
I'm setting up GPOs for bitlocker and I've run into a problem that's driving me loving crazy:
I want to be able to kick off the bitlocker setup for fixed drives, and lock it down so that no one can make any changes. I also want to force fixed drives to automatically unlock. It seems like I'm able to do one or the other, but not both. Does anyone have any experience with this? Google has been completely unhelpful.
I'm at home now so I don't have access to the setting names in the GPO, so I'll grab that tomorrow, but any help would be hugely appreciated.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

Mr. Clark2 posted:

My boss has done...something to GP. When I make a new GPO and then edit it from either a Win7 or Server2008 machine, and then navigate to Policies--Administrative Templates I no longer see the categories that I'm used to seeing (Control Panel, Network, Printers, etc.). Instead I see Google, Internet Explorer, RSS Feeds and All settings.
However, If I create a new GPO on our ancient 2003 server, I see all the categories that I'm used to seeing. When I then edit this same policy object on a newer version of Windows, under Admin Templates I see "Classic Administrative Templates (ADM)" which then contains all the categories I'm used to seeing. For obvious reasons I'd like to create GPOs using a more modern version of Windows, any way that I can fix this?

Did he create a PolicyDefinitions folder and forget to pull the new ADMX/L files in?

\\YOURDOMAIN.DONTUSELOCALEVER\sysvol\policies\policydefinitions

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

incoherent posted:

Did he create a PolicyDefinitions folder and forget to pull the new ADMX/L files in?

\\YOURDOMAIN.DONTUSELOCALEVER\sysvol\policies\policydefinitions

Yep, you nailed it. Inside the policydefinitions folder I'm only seeing 3 *.admx files. How can I get the rest of the needed ones in there?

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
Drag 'em in from the newest Windows OS on your network (7/8/R2/2012). Here is a helpful KB re: how to import them.

http://support.microsoft.com/kb/929841

e: if you're still using FRS for replication, install them into the PDC, or primary DC so it gets populated out. Look into migrating your sysvols to DFSR.

incoherent fucked around with this message at 01:48 on Sep 19, 2013
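Added example (the editor's, not incoherent's or anyone's code from the thread) of the copy step the KB describes: it builds the central store from the local PolicyDefinitions folder of the newest Windows you have (run it there, logged on as someone who can write to SYSVOL, and against the PDC emulator if you are still on FRS), then checks that every .admx has a matching .adml. Once the store folder exists GPMC uses only what is in it, which is why a store holding three .admx files shows three categories; a template without its language file produces an error instead of a category. Domain name and cultures are taken from the environment and are assumptions.

```powershell
# Added example (not from the thread): populate or refresh the ADMX central store.
# Run on your newest Windows (7/8/2008 R2/2012) with rights to write SYSVOL.
param(
    [string]$Domain     = $env:USERDNSDOMAIN,                # e.g. corp.example.com
    [string]$Source     = "$env:SystemRoot\PolicyDefinitions",
    [string[]]$Cultures = @('en-US')                         # GPMC UI languages you actually use
)

# Once this folder exists, GPMC ignores the local PolicyDefinitions and reads only the store
$Store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
if (-not (Test-Path $Store)) { New-Item -ItemType Directory -Path $Store | Out-Null }

# Copy the templates, then the language folder(s) you need
Copy-Item -Path (Join-Path $Source '*.admx') -Destination $Store -Force
foreach ($c in $Cultures) {
    $dst = Join-Path $Store $c
    if (-not (Test-Path $dst)) { New-Item -ItemType Directory -Path $dst | Out-Null }
    Copy-Item -Path (Join-Path $Source "$c\*.adml") -Destination $dst -Force
}

# Consistency check: each .admx needs a same-named .adml per culture, or GPMC
# reports an error for that template instead of showing its settings
$admx = @(Get-ChildItem -Path $Store -Filter *.admx | ForEach-Object { $_.BaseName })
foreach ($c in $Cultures) {
    $adml = @(Get-ChildItem -Path (Join-Path $Store $c) -Filter *.adml | ForEach-Object { $_.BaseName })
    $missing = $admx | Where-Object { $adml -notcontains $_ }
    if ($missing) { Write-Warning ("No $c .adml for: " + ($missing -join ', ')) }
}
'{0} templates in {1}' -f $admx.Count, $Store
```

Third-party templates (Chrome, Office, the ones from the NSA guide linked earlier) go into the same store, .admx at the top and .adml in the matching language folder; that is where the "Google" category in Mr. Clark2's GPMC came from. Every DC gets the files through SYSVOL replication, so wait for that before testing from another site.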

I am not a book
Mar 9, 2013

I am not a book posted:

I'm setting up GPOs for bitlocker and I've run into a problem that's driving me loving crazy:
I want to be able to kick off the bitlocker setup for fixed drives, and lock it down so that no one can make any changes. I also want to force fixed drives to automatically unlock. It seems like I'm able to do one or the other, but not both. Does anyone have any experience with this? Google has been completely unhelpful.
I'm at home now so I don't have access to the setting names in the GPO, so I'll grab that tomorrow, but any help would be hugely appreciated.

I found the solution, I was trying to force the fixed drive to require a recovery password and disallow a recovery key, apparently the correct configuration is to require a recovery password and allow a recovery key. Thanks MS!

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)
You want to know what's a nightmare? Deploying Photoshop Elements via GPO. gently caress this, I'm just going to install it manually.

Cynic Jester
Apr 11, 2009

Let's put a simile on that face
A dazzling simile
Twinkling like the night sky
So I just got a new job at a brand new call center, and while my title is Senior Manager, besides managing my team I've also had to throw together our VOIP system, set up the network and a bunch of other misc tech related stuff, because hey, you used to do tech support before, right? We had a computer guy for two days, but after he hosed up setting up a network for 40 stations, twice, he was let go. So until I have time to vet a replacement(and pending some draconian recruitment process I'm not touching with a 10' pole), I'm stuck doing everything.

Which is why I'm here. I need to set up a domain controller to keep some control over what the people here do on their computers. We'll be running 40 or so workstations using Windows 7 once we're in full operation. I've messed around with AD and group policies before, but never from the ground up and never from the tech side. The OP says Windows Server 2003, but has that changed? Do I want 2012 instead? Or 2008? I've tried googling, but I keep hitting what looks like marketing drones from MS shelling out the same spiel.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Is this a brand spanking new company, no Active Directory anywhere else? Parent company? Nothing?

Creating a new AD Forest isn't terrible, there are some design decisions you should think about before setting it up though.

I managed IT for a large call center environment for the better part of 5 years. We had an Avaya guy for the phone poo poo, but if it's Windows related, I can definitely help out.

Docjowles
Apr 9, 2009

Check the date on the OP, that's why it mentions Server 2003 ;) If you're buying all new licenses no reason to go with anything but the latest and greatest, 2012 R2.

Docjowles fucked around with this message at 21:27 on Nov 7, 2013

Cynic Jester
Apr 11, 2009

Let's put a simile on that face
A dazzling simile
Twinkling like the night sky

skipdogg posted:

Is this a brand spanking new company, no Active Directory anywhere else? Parent company? Nothing?

Creating a new AD Forest isn't terrible, there are some design decisions you should think about before setting it up though.

I managed IT for a large call center environment for the better part of 5 years. We had an Avaya guy for the phone poo poo, but if it's Windows related, I can definitely help out.

Brand spanking new. We have a parent company, but we won't be sharing any systems with them. The phone system is hosted on a linux server, so it won't be integrated at all beyond the client software we run on the workstations. Normally I wouldn't go into production without having all the infrastructure in place, but there's a bunch of time sensitive stuff breathing down our neck, so we've already gone live.

zzMisc
Jun 26, 2002

LmaoTheKid posted:

You want to know what's a nightmare? Deploying Photoshop Elements via GPO. gently caress this, I'm just going to install it manually.

I haven't tried it with Photoshop Elements, but AppDeploy Repackager may be useful to you. I used it to help set up a .msi for deploying Spark. I've only used it with a premade recipe file, but if you point it to the setup file I believe it should work similar to setting up a ThinApp application if you've used that before.

Yaos
Feb 22, 2003

She is a cat of significant gravy.
Go at least with 2008. I've played around a bit with 2012; it works, I liked it, and it has more features than 2008. Active Directory is pretty easy; it's also pretty easy to set it up wrong and ruin your life. We're actually in the process of moving from eDirectory to Active Directory and it's been pretty smooth.

Yaos fucked around with this message at 21:46 on Nov 7, 2013

sanchez
Feb 26, 2003

Cynic Jester posted:

Brand spanking new. We have a parent company, but we won't be sharing any systems with them. The phone system is hosted on a linux server, so it won't be integrated at all beyond the client software we run on the workstations. Normally I wouldn't go into production without having all the infrastructure in place, but there's a bunch of time sensitive stuff breathing down our neck, so we've already gone live.

You have a golden opportunity to create an AD domain name that actually conforms to best practice, they are unicorns, make the most of it.

sanchez fucked around with this message at 21:49 on Nov 7, 2013

Yaos
Feb 22, 2003

She is a cat of significant gravy.

sanchez posted:

You have a golden opportunity to create an AD domain that actually conforms to best practice, they are unicorns, make the most of it.
What sucks is doing best practices for everything except you have to do local admin for a lovely program that requires admin to run and requires UAC to be off. So close. :(

Funny story, we found a ton of people on a domain we already have set up (most of the organization is on eDirectory, with one small part on AD) with domain admin for no good reason. No wait, I lied, it's because a company somehow managed to make a program that requires domain admin to run it. I have no idea how they managed to screw it up that badly, but they did it.

Yaos fucked around with this message at 21:52 on Nov 7, 2013

alanthecat
Dec 19, 2005

Yaos posted:

What sucks is doing best practices for everything except you have to do local admin for a lovely program that requires admin to run and requires UAC to be off. So close. :(

Funny story, we found a ton of people on a domain we already have setup (most of the organization is on eDirectory, with one small part on AD) with domain admin for no good reason. No wait, I lied, it's because a company somehow managed to make a program that requires domain admin to run it. I have no idea how they managed to screw it up that badly, but they did it.

I haven't used it yet, but there's a workaround involving a shortcut to a scheduled task that might help you out there. I might be using it myself this week.
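Added example (the editor's, not alanthecat's code) of the workaround being described: an administrator registers a task that runs one fixed executable with the highest available token for whichever member of a group is logged on, and the user's shortcut only triggers that task, so the program starts elevated with no UAC prompt and UAC itself stays on. Task name, group and path are placeholders; it uses the Task Scheduler COM interface because Register-ScheduledTask does not exist on Windows 7.

```powershell
# Added example (not from the thread): shortcut -> scheduled task -> elevated app.
# Placeholders: task name, group, executable. Run once as an administrator.
$TaskName = 'Run-LegacyApp'
$ExePath  = 'C:\Program Files\LegacyVendor\legacy.exe'   # must be writable by admins only (see note)
$GroupId  = 'CONTOSO\LegacyApp-Users'                     # who may launch it

$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()
$def = $svc.NewTask(0)
$def.RegistrationInfo.Description = "Launches $ExePath elevated for members of $GroupId"

$action = $def.Actions.Create(0)                 # 0 = TASK_ACTION_EXEC
$action.Path = $ExePath
$action.WorkingDirectory = Split-Path -Path $ExePath -Parent

$def.Principal.GroupId   = $GroupId
$def.Principal.LogonType = 4                     # TASK_LOGON_GROUP: run in the session of the logged-on member
$def.Principal.RunLevel  = 1                     # TASK_RUNLEVEL_HIGHEST: the member's full token, no prompt

$def.Settings.AllowDemandStart           = $true
$def.Settings.DisallowStartIfOnBatteries = $false
$def.Settings.StopIfGoingOnBatteries     = $false
$def.Settings.ExecutionTimeLimit         = 'PT0S'   # do not kill the app after the default 3 days

# 6 = TASK_CREATE_OR_UPDATE; no password, the group logon type uses the interactive token
$svc.GetFolder('\').RegisterTaskDefinition($TaskName, $def, 6, $GroupId, $null, 4) | Out-Null

# The shortcut users get: schtasks /run fires the task and the app opens elevated
$shell = New-Object -ComObject 'WScript.Shell'
$lnk = $shell.CreateShortcut("$env:PUBLIC\Desktop\Legacy App.lnk")
$lnk.TargetPath   = "$env:SystemRoot\System32\schtasks.exe"
$lnk.Arguments    = "/run /tn `"$TaskName`""
$lnk.IconLocation = "$ExePath,0"
$lnk.Save()
```

Be clear about what this is: standing, prompt-free elevation of one executable for everyone in the group. "Highest" means the user's own full token, so it only does anything for users who are local admins anyway, and it is only tolerable if the executable, its folder and the task itself cannot be modified by those users; otherwise you have handed them a one-click path from "no prompt" to "run anything as admin". If a member cannot start the task with schtasks /run, adjust the task's security descriptor through the last (SDDL) parameter of RegisterTaskDefinition rather than loosening anything else.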
