FuriousB
Aug 4, 2003

Orcs and Ostriches posted:

Just gonna throw this out there to see if anyone has seen something similar.

We redirect our users' Documents folder to a network location, \\nas\staff\first.last\Documents. Pretty standard stuff here, and most of the time this works perfectly. However, every now and then batches of users have a problem where they try to open their documents, either through the documents link on the start menu (windows 7) or through the libraries in explorer, and it will take a good 1.5 - 2 minutes before they get any response. They can go to \\nas\staff\first.last\Documents directly and it works instantly.

I haven't seen anything in the event logs that is of any help, so I'm just wondering if this looks familiar to anyone else.

I had a similar problem with browsing to DFS namespace shares. It was caused by having drive indexing turned off on the file server. Turning it back on fixed the issue. I'm not sure if you can index a NAS though.


FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
So here's a thing that's happening and I don't even have the Google Fu to try and search for a solution.

On new accounts, when the "force password change on next logon" box is checked, the user can't login, with the error that there's an incorrect password. Unchecking the box allows the user to login with that password. I have a sneaking suspicion that the users aren't in the Domain Users group but I'm not even sure if that matters.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

Let's say I have Bob in the Accounting OU, and Dave in the Sales OU. I need to map a share to both Bob and Dave, but not anyone else in Sales or Accounting. What's the best way to do that, apply a drive share mapping GPO to both groups and filter out anyone who isn't Bob and Dave?

alanthecat
Dec 19, 2005

The only enterprise thing here is that it's a DFS deployment folder target that has disappeared, strange one:

My Software folder (at d:\pcadmin\software) has disappeared from one of two servers that host the DFS. I can create new folders in d:\pcadmin but when I try to rename them Software, they quickly (not instantly -- a second or two) change back to the old name. If I try to go directly to d:\pcadmin\software I get a typical folder not found message, same if I use command prompt. I don't know why this happened: I work in this place once/week and it happened the day after I was last in, judging from backups. Windows Server Backup (it's 2008r2) also isn't able to restore to the original location.

I can just give it a new name and DFS will hide that but I'd like to know what happened so it doesn't happen again...

Erwin
Feb 17, 2006

Bob Morales posted:

Let's say I have Bob in the Accounting OU, and Dave in the Sales OU. I need to map a share to both Bob and Dave, but not anyone else in Sales or Accounting. What's the best way to do that, apply a drive share mapping GPO to both groups and filter out anyone who isn't Bob and Dave?

Item-level targeting on a security group containing Bob and Dave?

Thanks Ants
May 21, 2004

#essereFerrari


Bob Morales posted:

Let's say I have Bob in the Accounting OU, and Dave in the Sales OU. I need to map a share to both Bob and Dave, but not anyone else in Sales or Accounting. What's the best way to do that, apply a drive share mapping GPO to both groups and filter out anyone who isn't Bob and Dave?

Is this a permissions thing? If users don't have permissions to a drive map target, the mapping won't appear, so you don't have to worry about drive maps appearing for things people don't have access to.

I'd just put it in your users OU and only give the security group that those two users are a part of access to it.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

Caged posted:

Is this a permissions thing? If users don't have permissions to a drive map target, the mapping won't appear, so you don't have to worry about drive maps appearing for things people don't have access to.

I'd just put it in your users OU and only give the security group that those two users are a part of access to it.

Yea, I ended up just adding the users to it, seemed like there might be a better way.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
Could also scope the GPO to only those two users. That would probably be the way I did it.

Thanks Ants
May 21, 2004

#essereFerrari


I hate that there are so many different ways to solve this relatively simple issue. But yeah, security filtering would be a better option since it doesn't involve the filtering being hidden away in a properties tab to reduce head-scratching later.

TWBalls
Apr 16, 2003
My medication never lies
This seems pretty easy, assuming you're not already using this for their personal drive:

Maneki Neko
Oct 27, 2000

So I've been slowly converting my library of random utility scripts over from vbscript to powershell as they need updates, and has anyone else noticed that file system related stuff is a LOT slower in powershell than it was in VBScript using the file system object?

For operations on more complex file/folder structures I'm seeing powershell being 2-3 times slower. :(

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

IT Guy posted:

Could also scope the GPO to only those two users. That would probably be the way I did it.



This is the correct answer. It would be better to create an AD group though so if you need to add a different user, you can just add them to the group instead of editing the GPO.
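The security-filtering approach from the posts above, written out as an added example that is not part of any post in the thread. The GPO name, group name and account names are hypothetical; the cmdlets come from the ActiveDirectory and GroupPolicy RSAT modules.

```powershell
# Added example: scope one drive-mapping GPO to an AD group instead of to
# individual users. All names below are hypothetical placeholders.
Import-Module ActiveDirectory, GroupPolicy

$gpoName   = 'Map Finance Share'      # hypothetical GPO holding the drive mapping
$groupName = 'GPO-Map-FinanceShare'   # hypothetical security group
$members   = 'bob', 'dave'            # hypothetical sAMAccountNames

# 1. Create the group once. Later membership changes never touch the GPO.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}

# 2. Add only the accounts that are not members yet, so a re-run does not fail.
$existing = @(Get-ADGroupMember -Identity $groupName |
              ForEach-Object { $_.SamAccountName })
$toAdd = @($members | Where-Object { $existing -notcontains $_ })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $groupName -Members $toAdd
}

# 3. Security filtering: the group gets Read + Apply on the GPO.
Set-GPPermission -Name $gpoName -TargetName $groupName `
    -TargetType Group -PermissionLevel GpoApply

# 4. Authenticated Users drop from Apply to Read. Keeping Read lets the
#    GPO still be read during processing; removing the entry entirely can
#    stop it from applying at all. -Replace is required to lower a level.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 5. Review the resulting ACL. Only the new group should show GpoApply.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
```

The GPO still has to be linked at a container above both users' OUs; the filtering only narrows who applies it within that link.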

Demie
Apr 2, 2004

Demie posted:

Likewise, I am trying to add local accounts using Microsoft-Windows-Shell-Setup - UserAccounts - LocalAccounts - LocalAccount. It adds the accounts all right, but it doesn't make the profiles, so you get a profile error when you try to log in. Am I supposed to make the profiles separately, or is there a classier way to make local accounts besides unattend.xml? How are other people automating local account creation?

I found the answer to my own question. I was applying an IE10 custom installer made with the IEAK, but I was using the MSI copy instead of the EXE for some reason. The MSI corrupts the default profile, so new users don't get one. I remade the package and tried the copy that has loose files (EXE with INS and other files), works perfectly.

ALSO, When you use this component with an untouched WIM off the DVD, it makes the accounts. But when you use it with a captured image, it doesn't do anything. That being said, the NET USER command works great either way, as do the separate commands which add those users to groups and set their passwords to never expire (forgot them). Thanks to TWBalls for nudging me in that direction.

Demie fucked around with this message at 03:11 on Oct 12, 2013

El_Matarife
Sep 28, 2002
Quick poll: We've been running into issues with Lumension patch deployment, it's rebooting laptops despite the "Don't reboot" options turned on and according to them it's a known bug. Our desktop guy is at his wits' end, and we're all sick of combining Symantec AV, McAfee endpoint crypto, Lumension, etc. We really need a management suite. What's everyone using? I hear raves about Kaseya, SCCM, and KACE. How are Altiris, LanDesk, Zenworks, whatever? We need PCI compliance including good AV and centrally managed endpoint crypto, remote desktop, patch / software deployment, and all the other standard stuff. I doubt I will use it on servers since I already have vCOPS Advanced, but you never know. We're using WSUS for Microsoft updates on servers and laptops currently, if that makes any difference.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

System Center Config Manager 2012 is where it's at if it fits your deployment scenario.

KACE supposedly isn't too bad, it's matured quite a bit since I last looked at it. Some of those other solutions are going to be very expensive though. SCCM isn't terribly expensive, especially if you have an Enterprise Agreement with Microsoft.

This is how we manage about ~3500 computers

SCCM - Inventory and App Deployment
Solar Winds Patch Manager - overlays on top of WSUS, 3rd Party Updates, easy to use, etc
Sophos - Endpoint A/V (has lots of options and they can do endpoint crypto as well)
TeamViewer - Remote Assistance when needed.

You can go 100% SCCM though if you're a big Windows environment and can get the training/knowledge to properly implement everything. SCCM will do A/V, manage endpoint crypto via bitlocker, manage your patching, and do remote assistance. Kaseya (when I last looked at them) is really geared toward the MSP environment and didn't really fit well in managing an enterprise to be honest, and it was expensive.

We barely utilize what SCCM is capable of doing.

I last looked at this stuff about 2 years ago though, so I'm probably way out of date on some of my opinions.

Sacred Cow
Aug 13, 2007
I've been running SCCM at my company on '07 and upgraded to '12 SP1. The great thing about SCCM is that it is a very powerful management tool in a primarily Windows environment but the downside is it takes quite a bit of effort to get it 100% up and running to do the things you want. Once you get it going it makes life much easier from a desktop standpoint. I use it for application deployment, Windows updates, 3rd party updates (with the help of Shavlik SCUPdates), Remote Assistance, Endpoint Protection AV and generating automated report for my boss. I'm currently working on using it for our OS deployment/refresh. Even with all that I'm still not using all of its capabilities but I'm a 1 man Windows team so if I had the time I would.

SCCM doesn't handle encryption but if you're in a largely Windows environment and you have an EA with Microsoft, you can get a license for the Desktop Optimization Package (MDOP) which lets you manage BitLocker through AD. I haven't had a chance to play with it myself though.

Demie
Apr 2, 2004
BitLocker is supported on OSD as long as you have TPM chips in your hardware. I can't remember if you have to integrate MDT first, but it can definitely do it on fresh deployments and probably refreshes too. Not that we've actually used it yet...

Sudden Loud Noise
Feb 18, 2007

Hey everyone, do you like building your fully up to date images with convenient Build and Capture task sequences?!

Well good news! Thanks to MS13-081 that's no longer possible!

http://support.microsoft.com/kb/2894518

That's right, it's impossible to install this update in a task sequence.

Hope you have a way to exclude certain patches from certain machines. We don't!

MyLightyear
Jul 2, 2006
A blindness that touches perfection,
But hurts just like anything else.
Yeah agreed that this is an annoyance. We just excluded it from WSUS then manually patched the WIM files offline with DISM. Not the best solution but it works for us today.

Sudden Loud Noise
Feb 18, 2007

MyLightyear posted:

Yeah agreed that this is an annoyance. We just excluded it from WSUS then manually patched the WIM files offline with DISM. Not the best solution but it works for us today.

That'll probably be our solution. Meanwhile, I realized that until we get our new image out every machine that we try to image with our current image will fail at the patch step.

Alternatively, shouldn't it be possible to boot into WinPE during a task sequence, patch the offending files manually and then restart into windows again?

Yup! Running a dism in WinPE to modify the OS on the C: drive seems to work.

Sudden Loud Noise fucked around with this message at 20:43 on Oct 16, 2013

Sulla Faex
May 14, 2010

No man ever did me so much good, or enemy so much harm, but I repaid him with ENDLESS SHITPOSTING
I have a problem that's making my head hurt. I'm not a Windows admin guy, but I've been told by my boss to uninstall IIS and install Apache on a new development server running Windows Server 2008 R2.

I removed IIS through the server manager > role management screen (component management?). (I apologise if some of the terms are slightly off, I'm currently working in Italy so I also have to struggle through Italian documentation and Italian language installs)

I tried to install Apache and it's throwing an error about not being able to bind to port 80. I check with netstat -ano and the System (PID 4) is listening on that port. I telnet into localhost on port 80 and it says Microsoft-HTTPAPI/2.0 is listening on port 80.

Google suggests that it's "Web Deployment Agent Service" which came bundled with IIS and doesn't get removed when that gets disabled. All results tell me to go to Services and switch it off, but it doesn't exist in services, even after I've looked through for possible Italian-ised versions. I check the service in the command prompt (msdepsvc) and there's no result.

Does anybody know what the hell is happening? I setup Apache for port 8080 for the time being but if this happens again on the production server then I'm screwed.

Edit: Someone cottoned me on to "SQL Server Reporting Services", stopped that and port 80 has opened up again. Whoops.

Sulla Faex fucked around with this message at 16:39 on Oct 16, 2013
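Added example, not part of the post above: netstat attributes port 80 to System (PID 4) because the listener is the kernel-mode HTTP.sys driver, and `netsh http show servicestate` lists the user-mode processes that registered URLs with it. The function name and the sample output are constructed for illustration; the parser matches on line shape rather than labels so it does not depend on the display language, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: map HTTP.sys URL registrations on a port to processes/services.
# Assumed netsh layout: each top-level request-queue record starts at column 0,
# its details are indented, PIDs are digit-only lines, URLs start with HTTP(S)://.
function Get-HttpSysPortOwner {
    param(
        [int]$Port = 80,
        [Parameter(Mandatory = $true)][string[]]$ServiceState
    )
    $records = @()
    $current = $null
    foreach ($line in $ServiceState) {
        if ($line -match '^\S') {
            # Unindented line: a new top-level record begins.
            $current = [pscustomobject]@{ Pids = @(); Urls = @() }
            $records += $current
            continue
        }
        if ($null -eq $current) { continue }
        $text = $line.Trim()
        if ($text -match '^\d+$')         { $current.Pids += [int]$text }
        elseif ($text -match '^HTTPS?://') { $current.Urls += $text }
    }
    foreach ($r in $records) {
        # Host part may be +, *, a name or an address; match on the port only.
        $hits = @($r.Urls | Where-Object { $_ -match "^HTTPS?://[^/]+:$Port/" })
        if ($hits.Count -eq 0) { continue }
        foreach ($id in $r.Pids) {
            $proc = Get-Process -Id $id -ErrorAction SilentlyContinue
            $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $id" `
                        -ErrorAction SilentlyContinue
            [pscustomobject]@{
                ProcessId = $id
                Process   = $proc.ProcessName
                Services  = ($svc | ForEach-Object { $_.Name }) -join ', '
                Urls      = $hits -join ', '
            }
        }
    }
}

# Constructed sample in the shape of `netsh http show servicestate view=requestq`.
$sample = @'
Snapshot of HTTP service state (Request Queue View):
-----------------------------------------------------

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        1836
    URL groups:
    URL group ID: FD00000040000001
        State: Active
        Number of registered URLs: 2
        Registered URLs:
            HTTP://+:80/REPORTSERVER/
            HTTP://+:80/REPORTS/
'@ -split "`r?`n"

# Parse the sample; the PID is made up, so Process and Services come back empty.
Get-HttpSysPortOwner -Port 80 -ServiceState $sample

# On a live server, from an elevated prompt:
# Get-HttpSysPortOwner -Port 80 -ServiceState (netsh http show servicestate view=requestq)
```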

Cpt.Wacky
Apr 17, 2005
I'm having a hell of a time getting windows updates integrated into a Windows 7 WIM for deployment with WDS. I used WSUS Offline to download all the updates for Windows 7 x64 and checked the box to include C++ runtimes and .NET Frameworks. During the setup process it stops to say "Windows could not configure one or more system components. To install Windows, restart the computer and then restart the installation."

Hitting Shift-F10 gets me a command prompt where I can start notepad and open the log files in C:\Windows\Panther. setupact has a lot of errors saying "ERROR - .NET 4.0 is not installed"

I found this page that talks about the problem, but when I search for the "New component" listed in the log (for example Microsoft-Windows-PowerShell-Gac-Installation-8IP) I can't find anything about which update is causing the problem. The specific KB he mentions on that page is an MSU instead of CAB like he shows so I assume MS fixed that one since DISM won't let me remove MSUs from a WIM.

spidoman posted:

Hey everyone, do you like building your fully up to date images with convenient Build and Capture task sequences?!

Well good news! Thanks to MS13-081 that's no longer possible!

http://support.microsoft.com/kb/2894518

That's right, it's impossible to install this update in a task sequence.

Hope you have a way to exclude certain patches from certain machines. We don't!

I'm removing this update in the hopes that it's the problem, but I doubt it. I do love how it takes DISM 20 minutes to unmount and half the time it complains about a failed unmount due to applications still having files open.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)
Oh my god, I was digging through our Group Policy stuff today and our original IT consultants did one monolithic Group policy for domain security. They then limited the scope to Domain Users and didn't add Domain Computers (there was a lot of Computer settings in there).

Fixed that up really quickly.

And finally figured out why Java Updates weren't being disabled (that setting is in a different part of the registry on 32 bit machines).

Good day all around.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

LmaoTheKid posted:

And finally figured out why Java Updates weren't being disabled (that setting is in a different part of the registry on 32 bit machines).

Good day all around.

Share this black magic with me (if it actually works) so I can beat someone over the head with it.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

FISHMANPET posted:

Share this black magic with me (if it actually works) so I can beat someone over the head with it.

http://trekker.net/archives/how-do-i-disable-java-updates-with-group-policy/

There's a link on there for the 32 bit java on a x64 machine. That's what was killing me because all of our clients are 64 bit now but they all run 32 bit java.

I checked my registry after a gpupdate and it changed the flag to a 0 and disabled it.

I almost got drunk for finally figuring that one out.
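Added example, not from the post above or the linked article: a check of the Java Update policy flag in both registry views, since 32-bit Java on 64-bit Windows reads the Wow6432Node copy. The key path `SOFTWARE\JavaSoft\Java Update\Policy` and value `EnableJavaUpdate` are the standard Java Update policy location rather than something quoted in the thread; the function name is hypothetical and PowerShell 3.0 or later is assumed.

```powershell
# Added example: report EnableJavaUpdate from the 64-bit and 32-bit registry
# views explicitly, so the result does not depend on the bitness of the
# PowerShell process that runs the check.
function Get-JavaUpdatePolicy {
    $subKey = 'SOFTWARE\JavaSoft\Java Update\Policy'
    $views = [ordered]@{
        '64-bit view (native Java on x64)' = [Microsoft.Win32.RegistryView]::Registry64
        '32-bit view (Wow6432Node on x64)' = [Microsoft.Win32.RegistryView]::Registry32
    }
    foreach ($name in $views.Keys) {
        $key  = $null
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $views[$name])
        try {
            $key   = $base.OpenSubKey($subKey)      # $null when the key is absent
            $value = if ($key) { $key.GetValue('EnableJavaUpdate') } else { $null }

            $state = if ($null -eq $key) {
                'Policy key absent in this view'
            } elseif ($null -eq $value) {
                'Value not set'
            } elseif ($value -eq 0) {
                'Updates disabled'
            } else {
                'Updates enabled'
            }

            [pscustomobject]@{
                View             = $name
                EnableJavaUpdate = $value
                State            = $state
            }
        } finally {
            if ($key) { $key.Close() }
            $base.Close()
        }
    }
}

# Run after gpupdate to confirm the setting landed in the view the installed JRE reads.
Get-JavaUpdatePolicy | Format-Table -AutoSize
```

On 32-bit Windows both rows report the same key, because a request for the 64-bit view falls back to the only view there is.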

TWBalls
Apr 16, 2003
My medication never lies

LmaoTheKid posted:

http://trekker.net/archives/how-do-i-disable-java-updates-with-group-policy/

There's a link on there for the 32 bit java on a x64 machine. That's what was killing me because all of our clients are 64 bit now but they all run 32 bit java.

I checked my registry after a gpupdate and it changed the flag to a 0 and disabled it.

I almost got drunk for finally figuring that one out.

Thanks. I'd been implementing the registry edits on my images, so a good portion of our systems here already have that disabled. This ought to take care of the rest. As much as I'd like to keep Java up to date ditch Java completely for security sake, unfortunately, we have to have Java 6u21 specifically for a program that we use.

Demie
Apr 2, 2004
for the JRE package installer, I have extracted the MSI and I install it with JAVAUPDATE=0 JU=0 AUTOUPDATECHECK=0

The updates won't disable unless you do ju=0, which takes away the update tab on the control panel. But that's good because users can't even enable updates.

Of course, this would only help you on fresh installs, but it's useful to know.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

What are you all using for remote user assistance/screen viewing type duties? I seem to remember MS small business server having something built in (though it's been awhile since I've used it and could be misremembering), but can't seem to find anything equivalent in server 2008 or AD. I know that remote desktop is available, but I often have the need to view the user's screen at the same time as them, while they're logged in. We've been muddling along with join.me, but walking people through that, as easy as it is, has become tiresome.

EAT THE EGGS RICOLA
May 29, 2008

In the same domain? msra /offerra will give you Windows Remote Assistance.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)
Is there a non poo poo AOL IM client with a MSI installer that I can deploy for a few machines that doesn't poo poo toolbars and bullshit everywhere?

McGlockenshire
Dec 16, 2005

GOLLOCKS!
Well there's Pidgin, but that's not an MSI, and some people consider it rather ugly and irritating to use.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

McGlockenshire posted:

Well there's Pidgin, but that's not an MSI, and some people consider it rather ugly and irritating to use.

I think I might just get them all on Skype. For some stupid reason they use IM as a paging system instead of email and REFUSE to adapt. It's a good thing the boss there is cool and they bring in a lot of money because normally my answer would just be "send an email".

nexxai
Jul 17, 2002

quack quack bjork
Fun Shoe

LmaoTheKid posted:

I think I might just get them all on Skype. For some stupid reason they use IM as a paging system instead of email and REFUSE to adapt. It's a good thing the boss there is cool and they bring in a lot of money because normally my answer would just be "send an email".
If they're so tied to using some sort of IM, why not keep it all in house and set up an OpenFire server and deploy Spark to those who need it? It takes about 20 minutes to set up and go, and then you can be sure that no one outside of your company can snoop on your internal conversations?

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

EAT THE EGGS RICOLA posted:

In the same domain? msra /offerra will give you Windows Remote Assistance.

Yup. We use Remote assistance (advance options for helpdesk) to remote assist users in the domain. Handy, but the app has a tendency to pop under and I have to tell the user to look for the blinking orange icon. We added a Helpdesk security group to a GPO and they're all fasttracked to send a help request.

Docjowles
Apr 9, 2009

nexxai posted:

If they're so tied to using some sort of IM, why not keep it all in house and set up an OpenFire server and deploy Spark to those who need it? It takes about 20 minutes to set up and go, and then you can be sure that no one outside of your company can snoop on your internal conversations?

Yeah seconding this. Last I checked Spark doesn't have an official MSI installer but I was able to roll my own easily enough.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Docjowles posted:

Yeah seconding this. Last I checked Spark doesn't have an official MSI installer but I was able to roll my own easily enough.

3rding. Openfire served us well until we went to Lync.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)
Thanks, I'll check that out.

Demie
Apr 2, 2004

Mr. Clark2 posted:

What are you all using for remote user assistance/screen viewing type duties? I seem to remember MS small business server having something built in (though it's been awhile since I've used it and could be misremembering), but can't seem to find anything equivalent in server 2008 or AD. I know that remote desktop is available, but I often have the need to view the user's screen at the same time as them, while they're logged in. We've been muddling along with join.me, but walking people through that, as easy as it is, has become tiresome.

For 3rd party stuff, dameware works great for this exact thing. We're getting into teamviewer for off-domain nonsense, and it works great too, but it's a pain to deploy it with configurations.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Here is a quick and easy guide to upgrading SCCM 2012 to 2012 R2. I haven't tried it yet though:

http://myitforum.com/myitforumwp/2013/10/18/upgrading-configmgr-2012-to-r2/


Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)
Would I be ok installing Openfire on our backup Domain Controller/catch all machine in our DR site? It's a pretty burly machine with 32 gigs of RAM.

We will be moving offices in feb and I'm trying to not add too many services here in our main office.

Every site has its own AD controller, this one is more of an emergency backup and LDAPS auth point for Mimecast.
