lol internet. posted: Started a new job last week, first thing is to re-implement SCCM 2012.

Just for a little background, I set up my company's SCCM 2007 environment and upgraded us to 2012 about a year ago. I hated 2007 and almost didn't bother with 2012. I can't speak for every change but setting up Automatic Deployment Rules has become much easier to put together. There's still a lot of manual hands-on required for sending out updates but I think that's kind of the point. It gives you control to say who gets what when using Device and User Collections. If you're looking for "set and forget" then I would stick with WSUS but that doesn't mean you shouldn't look at all the other tools SCCM 2012 gives you. If you already have the license and the time to set it up it's really worth a look. Remote administration has more than paid for itself in my environment along with Package/App deployment (we're a small IT team supporting local and overseas locations with no local IT). There's also a lot of great automated reporting tools with pretty manager-pleasing graphs if you have a report-hungry manager.

Dec 9, 2013 20:08

If you ever have to install the operating system of a machine and you're not using SCCM's OSD, you're missing out.

Dec 9, 2013 20:18

When you re-direct My Documents to a network share or whatever, does it become convoluted to actually access the My Documents folder to get the users poo poo out of there so you can put it on the network?

Dec 9, 2013 22:33

You don't need to copy anything manually, you can have the policy copy the current contents onto the network when it's first applied.

Dec 9, 2013 22:35

The first time the computer sees the Redirect Policy, it will copy everything to the redirected folder. And it'll just be a folder you define in the policy. For example, mine goes to \\fileserver\users\%username%\My Documents. You have to define a rule for each folder you're redirecting. I've got everything but AppData and Saved Games redirected, so when I go to \\fileserver\users\%username% I see most of their folders there. The only thing that stays local (or roaming in our case) is AppData, Saved Games, and anything else that gets dumped into the root of the user profile (like a DropBox folder).

Dec 9, 2013 23:12

Quick CAL question. Do I need to buy a server CAL for any accounts that are used for runas services accounts only?

Dec 10, 2013 00:02

ghostinmyshell posted: Quick CAL question. Do I need to buy a server CAL for any accounts that are used for runas services accounts only?

I asked this a while ago, not sure if it was this thread or not. The way it was answered was only "real" accounts need a CAL. A real user. Everything that is used for administration, automation, etc., does not require a CAL.

Dec 10, 2013 00:08

kiwid posted: I asked this a while ago, not sure if it was this thread or not. The way it was answered was only "real" accounts need a CAL. A real user. Everything that is used for administration, automation, etc., does not require a CAL.

I thought this too, but wanted to make sure since we ran the MAPI tool as instructed and it's just pulling real data from AD and people are freaking out. I don't think there's any way to designate it one of those accounts other than the description, which is what I do anyway.

Dec 10, 2013 00:21

Be careful re-directing favorites. IE likes to query the favorites whenever you type in a URL.

Dec 10, 2013 00:24

kiwid posted: I asked this a while ago, not sure if it was this thread or not. The way it was answered was only "real" accounts need a CAL. A real user. Everything that is used for administration, automation, etc., does not require a CAL.

This is true. We ran it by our Microsoft licensing rep when he was in a few weeks ago. He specifically said if we had 10 users but 5000 service accounts, we only need 10 CALs.

Dec 10, 2013 05:40

hihifellow posted: Be careful re-directing favorites. IE likes to query the favorites whenever you type in a URL.

Meh, if the typical user here could even use the URL bar, that might be a problem. As it stands now, most people here just type addresses straight into google (or whatever search site their toolbars are taking over as homepage). Advanced users will type URLs into the search bar. Everyone else will complain their favourite sites aren't desktop shortcuts. Seriously though, that shouldn't cause too much stress on the file server unless it's already overloaded. And for us, at least, the benefits of not storing favourites locally far outweigh any performance hit. Too bad they just don't cache it all after the first query though.

Dec 10, 2013 06:28

I also posted in the PHP thread in COBOL because I'm utterly confused and not sure if it's an Apache, PHP, or GP issue. I need to get the user's domain login info (just username/domain) to get their official username. I know this can be faked but it's all inside a Domain on a private network that should be pretty well locked down so if the clients are happy with that then I'm happy with that. I try to output headers from PHP and it's not showing the login information I'm hoping for. Is this the normal way to get the info? Is it a problem with GP not broadcasting HTTP headers to trusted sites? Has my website not been made trusted yet?

The original post from the PHP thread:

quote: How can I get REMOTE_USER info without requiring the user to log in using mod_auth_sspi? I've been googling like crazy but I'm stuck on a hurdle which is just a basic understanding of how the web server gets the user domain login info automagically, without requiring a manual login. I've found a thousand different solutions that don't really explain it and just assume that you've already got REMOTE_USER somehow.

Sulla Faex fucked around with this message at 16:01 on Dec 10, 2013

Dec 10, 2013 15:58

I need to recreate some functionality for a client that's currently implemented in an old-as-dirt vbscript, specifically creating new computer accounts in a given OU in AD. One of the things they're doing is setting the new account's userAccountControl value to 4096, which I believe flags the account as being a trusted computer within the current domain (ADS_UF_WORKSTATION_TRUST_ACCOUNT). All the details I can find about this is Windows 2000-vintage. Am I correct in thinking that if I use something more modern (New-ADComputer in PS for instance) that this flag gets set automatically? The documentation for that cmdlet refers to a few other flags with similar names (ADS_UF_ACCOUNTDISABLE and ADS_UF_DONT_EXPIRE_PASSWD for instance), but not this one. Is this flag deprecated, or do I need to explicitly set it somehow?

Dec 10, 2013 23:17

You shouldn't need to explicitly set that flag. "This user account control bit indicates that this is a machine account of an ordinary computer or member server in the domain. This flag should never be set for a user account." from here

Dec 10, 2013 23:40

skipdogg posted: You shouldn't need to explicitly set that flag.

Thanks for the confirmation. I just created a test account with the tool I'm using (basically just a wrapper around the .NET api) and looked at the value, and it comes back as 0x1020. The other set bit is for password never expires. I doubt it matters much one way or the other, but that should be easy to change if it does.

Dec 11, 2013 00:06

That's expected with a computer account. A computer account password technically doesn't ever expire (by default) but they usually are changed every X days depending on the settings of the domain.

Dec 11, 2013 00:18

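A userAccountControl value decodes bit by bit, so here is an added PowerShell example (not from the thread or any poster) that names the ADS_UF_* bits set in a value and lists the settings a reviewer would check on computer accounts. Flag values are Microsoft's ADS_USER_FLAG_ENUM; the computer names and values in the sample are constructed.

```powershell
# Added example, not from the thread: decode userAccountControl into its
# ADS_UF_* flag names (values from Microsoft's ADS_USER_FLAG_ENUM) and
# report the settings a reviewer should look at on computer accounts.
$AdsUserFlags = [ordered]@{
    ADS_UF_SCRIPT = 0x1; ADS_UF_ACCOUNTDISABLE = 0x2; ADS_UF_HOMEDIR_REQUIRED = 0x8
    ADS_UF_LOCKOUT = 0x10; ADS_UF_PASSWD_NOTREQD = 0x20; ADS_UF_PASSWD_CANT_CHANGE = 0x40
    ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x80; ADS_UF_TEMP_DUPLICATE_ACCOUNT = 0x100
    ADS_UF_NORMAL_ACCOUNT = 0x200; ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 0x800
    ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000; ADS_UF_SERVER_TRUST_ACCOUNT = 0x2000
    ADS_UF_DONT_EXPIRE_PASSWD = 0x10000; ADS_UF_MNS_LOGON_ACCOUNT = 0x20000
    ADS_UF_SMARTCARD_REQUIRED = 0x40000; ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000
    ADS_UF_NOT_DELEGATED = 0x100000; ADS_UF_USE_DES_KEY_ONLY = 0x200000
    ADS_UF_DONT_REQUIRE_PREAUTH = 0x400000; ADS_UF_PASSWORD_EXPIRED = 0x800000
    ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000
}

function Convert-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # Names of every bit set in $Value, lowest bit first.
    @($AdsUserFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key })
}

function Test-ComputerAccountFlags {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][int]$UserAccountControl)
    $flags = Convert-UserAccountControl -Value $UserAccountControl
    $findings = @()
    # A machine account carries a workstation or server trust bit; anything
    # without one is not a valid computer object.
    if ($flags -notcontains 'ADS_UF_WORKSTATION_TRUST_ACCOUNT' -and
        $flags -notcontains 'ADS_UF_SERVER_TRUST_ACCOUNT') {
        $findings += 'no trust-account bit set'
    }
    # Password-not-required and unconstrained delegation both deserve a second look.
    if ($flags -contains 'ADS_UF_PASSWD_NOTREQD') { $findings += 'PASSWD_NOTREQD set' }
    if ($flags -contains 'ADS_UF_TRUSTED_FOR_DELEGATION') { $findings += 'unconstrained delegation' }
    $summary = if ($findings) { $findings -join '; ' } else { 'none' }
    [pscustomobject]@{
        Name     = $Name
        UAC      = '0x{0:X}' -f $UserAccountControl
        Flags    = $flags -join ', '
        Findings = $summary
    }
}

# Constructed sample records standing in for Get-ADComputer output; against a
# live domain use: Get-ADComputer -Filter * -Properties userAccountControl
$sample = @(
    [pscustomobject]@{ Name = 'PRESTAGED01'; userAccountControl = 0x1020 }  # value from the post
    [pscustomobject]@{ Name = 'WS-0042';     userAccountControl = 0x1000 }
    [pscustomobject]@{ Name = 'DC01';        userAccountControl = 0x82000 } # DCs carry delegation by design
)
$sample |
    ForEach-Object { Test-ComputerAccountFlags -Name $_.Name -UserAccountControl $_.userAccountControl } |
    Format-Table -AutoSize
```

On this table 0x1020 is ADS_UF_WORKSTATION_TRUST_ACCOUNT plus ADS_UF_PASSWD_NOTREQD; ADS_UF_DONT_EXPIRE_PASSWD is the separate 0x10000 bit.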
Has anyone tried doing WDS + MDT with Windows 8.1 yet? Does it work well? If so, any good tutorials/documentation out there? (I've never done this before or used sysprep)

Dec 11, 2013 18:21

kiwid posted: Has anyone tried doing WDS + MDT with Windows 8.1 yet? Does it work well? If so, any good tutorials/documentation out there? (I've never done this before or used sysprep)

Here you go! http://mdtguy.wordpress.com/2013/11/09/deploy-windows-8-1-with-mdt-2013-and-the-adk-8-1/ That link is extremely basic but a quick Google search shows a few people who made in depth deployment guides for Windows 8.1.

Dec 11, 2013 18:27

What's a cheap/free backup option for a physical domain controller/file server? The server is a used PowerEdge 2950 with used HDDs - 2x 500GB for the OS and 2x 1TB for network shares. I don't trust the drives. Both are RAID-1 arrays. I'd like to backup the OS (Server 2012) and data to an external drive or something relatively cheap. RTO is a matter of days. Priority is being able to recover the OS and data. Should I just use Windows Server Backup or is something cheap/free better? I've never really had to set up this stuff before until now.

Dec 11, 2013 22:08

What is the OS? Whoops, 2012, missed that. Is BackupAssist in your price range?

Dec 11, 2013 22:09

We use BackupAssist for 2003 r2 and 2008 r2 servers and it works brilliantly. I've even had to do a server restore once and that actually worked surprisingly well.

Dec 11, 2013 22:26

3rding BackupAssistant... If you backup using the "Imaging Engine" it actually utilizes the Windows Server Backup API to perform the backups. So all the backups are full volume images and shadow copied with multiple dates available to restore (depending on backup destination space). And they are in the same format WSB uses. So you can restore them using the Server backup console, or even the Windows installer disc if you are doing a "bare metal" backup.

Dec 11, 2013 22:42

$250 sounds cheap enough to me. Just need to get a storage target, but one of the investors for this project is an investor in this company: http://www.droboworks.com/Products.asp Anyone have any experience with these things?

Dec 11, 2013 22:54

Drobo are pretty much universally hated I'm pretty sure. Just visit some of the storage threads in SH/SC. I'd go with a QNAP.

edit: GreenNight posted: Here you go!

also thanks

kiwid fucked around with this message at 14:59 on Dec 12, 2013

Dec 11, 2013 22:57

A small business that I help out has a couple of Synology DS1512+ boxes, one as live file storage and the other as a backup target. BackupAssist plays well enough with them for me to be happy.

Dec 11, 2013 23:48

SCCM2012 question here. I got a pretty basic SCCM 2012 (non R2) setup. 1 Server, with all roles. I've worked with SCCM 2007 in the past. I noticed in 2012, any OSD task sequences need to have the option "Copy contents to distribution point" in order to actually work. (When deploying the task sequence, it gives you the option to "Access Content Directly")

1. Does this mean for regular application deployment to existing clients, that doesn't have to be checked off to deploy?

2. I've installed cumulative updates 1, 2 and 3 for SCCM 2012. When pushing out the SCCM client updates, can I just push out CU3? Or do I need to go CU1 > CU2 > CU3

lol internet. fucked around with this message at 04:16 on Dec 12, 2013

Dec 12, 2013 04:05

A follow-up to my question earlier on this page. The decom process they want us to implement is unjoin domain, delete VM, disable computer account and move to a different OU. Since the VM is going to be deleted immediately afterwards, is there any value in explicitly taking it out of the domain first?

Dec 12, 2013 05:36

lol internet. posted: SCCM2012 question here. I got a pretty basic SCCM 2012 (non r2) setup. 1 Server, with all roles.

I can answer #2, you only need to install CU3. It includes all the updates of CU1 and CU2. This is also true of CU for SQL and Exchange.

Dec 12, 2013 05:38

We're probably switching from SCCM to CAE\Radia for client imaging. Anyone have any experience? It seems terrible.

Dec 12, 2013 19:47

Has anyone used SCSM 2012 as a ticketing system in their environment? I ended up with a new IT manager and he wants me to go all in on the System Center 2012 suite since it looks like we're licensed for it. I'm going to try to get SCOM up first but I know he wants me to at least TRY SCSM for ticketing and change management. Any suggestions for guides would be awesome too.

Dec 13, 2013 00:27

I looked at SCSM and was instantly intimidated. I guess it's aimed at shops that are very up on ITIL, have strict SLAs to adhere to, do recharging of resources etc. It integrates with Operations Manager / Orchestrator so you can do stuff like automatically open tickets when services die, close them when they come back up or escalate if the thing's still down after a couple of minutes. The UI looks like a cluttered mess and resembles the bad old days of Remedy etc. But it can capture a huge amount of information. I'm sure it has its uses but it just isn't the lightweight, aesthetically well designed, fast ticketing system that I would want to use.

Dec 13, 2013 01:27

Caged posted: I looked at SCSM and was instantly intimidated. I guess it's aimed at shops that are very up on ITIL, have strict SLAs to adhere to, do recharging of resources etc. It integrates with Operations Manager / Orchestrator so you can do stuff like automatically open tickets when services die, close them when they come back up or escalate if the thing's still down after a couple of minutes.

I think he's most interested in the SCOM/Orchestrator integration which I can understand. Thankfully he gave his blessing to ditch SCSM if it's too cumbersome and just go with something like TrackIT so I'm not too worried if it turns out to be a monster of a project.

Dec 13, 2013 02:30

Alright those in the know, help me deal with some somewhat political bullshit that's going on in my workplace:

Long story short: Our company has been the victim of some rather large security breaches in the near past. This was caused by a myriad of factors, including over-privileged accounts, sloppy firewall rules and no auditing. We have an overzealous IT Manager who somehow got put in charge of everything security related after said breaches. He is under the impression that the best way to deal with security between different data center sites (both Linux and Windows servers running in each, with authentication to AD) is to create a different domain with a different set of credentials for each physical site. Because he can't 100% know that the network is secure between each site, he reasons that this is the only way to prevent users from crossing network boundaries and affecting another data center. Currently we have servers in 4 different data centers, and with his approach he would need to create 7 (!!!!!) different domains for our data centers.

His main (and somewhat valid, I grudgingly admit) point of concern is overly privileged (Domain Admin) accounts accessing servers (domain controllers) in other physical sites, i.e. if a domain admin account becomes compromised, all of your Domain Controllers are compromised across all of your sites. My suggestion to this is to simply control who has access to Domain Administrators (and audit that poo poo regularly), which he does not think is a valid approach. Another suggestion was to create a site-specific domain administrators role, but the same applies to that example as well (the users being assigned that role would probably have that role assigned for all of our sites, negating any effectiveness). He doesn't really seem to understand that the administrative and hardware (best practice says redundant domain controllers for each domain) overhead for this approach is extremely large, almost bordering on unrealistic. And we have a relatively small enterprise network.

How do my fellow Sysadmins approach similar security concerns?

Dec 13, 2013 04:01

Slap your boss? If you're concerned that traffic between sites isn't secure, then secure that. And enforce secure passwords and don't give everybody domain admin.

Dec 13, 2013 04:51

FISHMANPET posted: Slap your boss?

Hahah, it's not really that the sites aren't secure, it's that they want their own employees to be prevented from compromising multiple sites. No. Really. It's been a problem on the mainland in the past. Go on. Just guess where this company is based out of. They pay their employees jack poo poo and then act surprised when they steal from them.

Dec 13, 2013 05:00

Then don't give the employees Domain Admin? Making people domain admins is the lazy way of giving them administrative access, so that might be a good place to start.

Dec 13, 2013 05:02

FISHMANPET posted: Then don't give the employees Domain Admin?

This. Oh my christ, this. When I started at my current company everyone who even looked at something resembling a server had Domain Admin access. Not only that, but someone got the bright idea to change the DA permissions to have the same access as Enterprise AND Schema(!) Admin groups because they didn't feel like adding and removing themselves from those groups as needed. It took me and another new admin months to correct the issue but it was worth the effort. Give a short presentation on how you plan to isolate permissions and how much you'll save on time, money and administrative overhead compared to his idea. You might be able to save yourself from that nightmare scenario if you can give him a quantifiable case. Even if it's the right answer, "You are loving crazy" doesn't work with managers.

Dec 13, 2013 14:49

Even if you can't get him to do that, at least try to convince him to make the domains subdomains of the main org. Seven separate domains sounds like an administrative nightmare on top of the time wasted keeping them straight.

Dec 13, 2013 14:56

Sacred Cow posted: This. Oh my christ, this. When I started at my current company everyone who even looked at something resembling a server had Domain Admin access. Not only that, but someone got the bright idea to change the DA permissions to have the same access as Enterprise AND Schema(!) Admin groups because they didn't feel like adding and removing themselves from those groups as needed. It took me and another new admin months to correct the issue but it was worth the effort.

This is my main project for next year, we currently have something like 60 accounts with full Domain Admin privs, everyone in IT from help desk to me have DA permissions and a couple dozen service accounts and that's getting changed next year. The auditors are tearing us a new one over how many people have the 'keys to the kingdom'. People are going to bitch but I have the all powerful "The auditors said" backing me up. I plan on having less than 5 people with full Domain/Enterprise Admin access across the entire company. Getting the right permissions delegated is going to take forever, but we have to figure it out.

Dec 13, 2013 19:17

Anyone ever been audited before? What's the outcome normally? My company is getting audited. Missing a lot of licenses it looks like.

Dec 18, 2013 02:48