some kinda jackal
Feb 25, 2003

 
 
Thanks guys. I'll give packer a look but I think I'm going to play around with WSIM first. This is me just doing a straight sysprep so it's probably inadequate for my needs anyway.


Simpleboo
Oct 19, 2013

If I create a group policy but do not link it to an OU will it still take effect on the groups, users, and computers included in the security filtering?

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Nope, it has to be applied to the object you want to modify.

Simpleboo
Oct 19, 2013

FISHMANPET posted:

Nope, it has to be applied to the object you want to modify.

Ok I created a test OU and linked the GP to that OU but I am not seeing a change. I am trying to create a public desktop shortcut by using a GP, however no shortcuts are being created.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Simpleboo posted:

Ok I created a test OU and linked the GP to that OU but I am not seeing a change. I am trying to create a public desktop shortcut by using a GP, however no shortcuts are being created.

On your test PC, you can go to a cmd prompt and run gpupdate /force to force the GPO, and if it still doesn't work run gpresult >gp.txt to see if there are errors.

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from

Simpleboo posted:

Ok I created a test OU and linked the GP to that OU but I am not seeing a change. I am trying to create a public desktop shortcut by using a GP, however no shortcuts are being created.

Assuming the shortcut is being applied via a computer preference option, is your test computer in the test OU? Is it a member of any delegated groups in the GPO? (Authenticated Users includes domain PCs) Make sure the location specified in the preference option is "All Users Desktop" and not just "Desktop".

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.

GreenNight posted:

gpresult >gp.txt

Or gpresult -h poopyfarts.htm

Simpleboo
Oct 19, 2013

After a little play I got the shortcut to appear on the test PC and the other PC I was working on, but now I have a question about how GPs work: do GPs linked to a parent OU propagate automatically to child OUs? If not, how would I propagate them?

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from
Propagate automatically unless blocked by a policy inheritance block on the OU, except if the GPO is set to explicit. You can check the inherited GPO tab to see all GPOs affecting an OU, and the order they will apply in.

Gyshall posted:

Or gpresult -h poopyfarts.htm

:eng101: Don't forget to run cmd as admin or you'll only get user policy :eng101:

some kinda jackal
Feb 25, 2003

 
 

Gyshall posted:

Or gpresult -h poopyfarts.htm

or rsop.msc if you want a pretty mmc like I do

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.

Martytoof posted:

or rsop.msc if you want a pretty mmc like I do

typical habs fan

some kinda jackal
Feb 25, 2003

 
 

Gyshall posted:

typical habs fan

:smug:

Sacred Cow
Aug 13, 2007
Has anyone ever used MS App-V with SCCM 12? My company just signed a new EA and we discovered MDOP is included so we want to get the most out of our license.
We're looking to control our limited licensed software like Project, Visio and Adobe Pro by granting and removing access to the virtual app on an as-needed basis. It seems like this is the right tool but looking at the documentation makes it seem like it can be a beast to deploy and manage.

Getting MDOP was timed perfectly too. My boss recently tasked me with encrypting all our laptops with BitLocker and now I have an MBAM license :)

lol internet.
Sep 4, 2007
the internet makes you stupid

Sacred Cow posted:

Has anyone ever used MS App-V with SCCM 12? My company just signed a new EA and we discovered MDOP is included so we want to get the most out of our license.
We're looking to control our limited licensed software like Project, Visio and Adobe Pro by granting and removing access to the virtual app on an as-needed basis. It seems like this is the right tool but looking at the documentation makes it seem like it can be a beast to deploy and manage.

Getting MDOP was timed perfectly too. My boss recently tasked me with encrypting all our laptops with BitLocker and now I have an MBAM license :)

Lucky you, I was stuck using WinMagic SecureDoc with Win7 Professional licenses :(

Zaepho
Oct 31, 2013

Stealthgerbil posted:

Is there any way to give a user the ability to start, stop, and reboot a virtual machine in server 2012 Hyper-V? Also maybe even restore from a set snapshot. I was messing with the authorization manager and figured out how to create a user that can only do those functions but they have access to every virtual machine. I am not sure how to make it apply to only one virtual machine.

AppController is the best way to handle this but it requires System Center Virtual Machine Manager. If you're already using VMM AppController is a simple web portal for "End Users" to do everything you're asking about (not 100% on the restore checkpoint but pretty sure).

If you wanted to REALLY go the long way, Windows Azure Pack would be the recommendation. It gives the "End User" an azure style portal allowing them to do anything you could do in Azure including requesting new VMs, DBs, Websites, etc. It's pretty cool but I don't personally think it's ready for wide spread enterprise use yet for various reasons.

Zaepho
Oct 31, 2013

Sacred Cow posted:

Has anyone ever used MS App-V with SCCM 12? My company just signed a new EA and we discovered MDOP is included so we want to get the most out of our license.
We're looking to control our limited licensed software like Project, Visio and Adobe Pro by granting and removing access to the virtual app on an as-needed basis. It seems like this is the right tool but looking at the documentation makes it seem like it can be a beast to deploy and manage.

Getting MDOP was timed perfectly too. My boss recently tasked me with encrypting all our laptops with BitLocker and now I have an MBAM license :)

We do a fair bit of App-V for customers at work but I'm not on the SCCM side. I can tell you that there is a certain art to sequencing App-V Packages that is different from the black art of packaging. Once you wrap your head around it you can do some pretty cool stuff.

Aside from that with SCCM 2012 you can uninstall software, hence "controlling" access to it. Metering is a really good tool for determining who needs to lose their Adobe Pro install, then it's just a matter of dropping them in the Uninstall collection.

MBAM is the only way to do bitlocker!

Finally, check out UEV (User Experience Virtualization), it's a clever semi-re-invention of roaming profiles and is included in MDOP.

Sulla Faex
May 14, 2010

No man ever did me so much good, or enemy so much harm, but I repaid him with ENDLESS SHITPOSTING
Hi guys, the boss has asked me a question about windows networking and policies and I’m afraid this one is out of my depth. He just wants to know if the solution he has in mind is possible or if it’s the best way to do something.

Essentially there is a base network that contractors/technicians can log onto. Around the country there are other networks of non-PC devices that technicians must be able to access remotely to apply patches etc. For each network of non-PC devices, there is one gateway/maintenance computer (running Windows 7) that has access to these devices. There is already a VPN tunnel that allows technicians to connect from the home network to this gateway machine on the remote network in order to apply these patches (the gateway machine already has access to these non-PC devices). The gateway machine is only used by these technicians so we can do whatever we want with that machine.

What we need to do is set up a system whereby technician access to the remote machines is restricted on the base network. We'd create an application where a technician requests access to a certain gateway machine with certain resources (i.e. access to non-PC devices A and B and C for applying patches), a manager approves or denies that request, and then the technician is automatically given the ability to log into that remote machine using a VPN tunnel, and that machine, upon login, automatically gives him access to those resources.

He was suggesting that all machines be on the same domain, possibly one sub-domain per remote network, with one gateway machine per subdomain which is accessed through a VPN tunnel. And for permissions create policies that can be managed automatically through an application so that users can be granted access to remote desktop into gateway machines on the subdomain, and also for the access to specific non-PC devices through that gateway machine.

As is probably pretty clear, I’m not confident with this stuff. I won’t have to design/build it, he just wants to know if it is possible this way or if it’s the best way to do it. Thanks.

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from
I've seen something similar done using firewalls that had to be logged in to with a telnet session before rules would be applied that would let the user access devices behind the firewall (shop machines running whatever embedded software) but there was no middle man approving connections, just two-factor auth. I think the easiest way you can get this done is a remote user account assigned to each technician that's managed by an enterprise password management system; the technician would have to request approval to retrieve the account's password, which is then changed by the system after a set amount of time. I can't recommend anything since I haven't been in an environment that used one for 6 years now, but anything that touts SOX compliance should work.

Sulla Faex
May 14, 2010

No man ever did me so much good, or enemy so much harm, but I repaid him with ENDLESS SHITPOSTING
I think a password management system would work for managing authority access, but how would you manage distinct roles? I.e. if each target network has different non-PC devices and the technician has to request access to them individually (or as a group or whatever -- he doesn't necessarily get access to every device on the subdomain network), can the domain controller manage that as well?

alanthecat
Dec 19, 2005

Is it not as simple as having the maintenance PCs on the domain and only allowing remote desktop logon to the specified users? Then maybe it's possible to control Windows Firewall per user to block the IPs of the devices that a technician shouldn't be allowed access to. I did a quick search and it wasn't totally clear.

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from

Sulla-Marius 88 posted:

I think a password management system would work for managing authority access, but how would you manage distinct roles? I.e. if each target network has different non-PC devices and the technician has to request access to them individually (or as a group or whatever -- he doesn't necessarily get access to every device on the subdomain network), can the domain controller manage that as well?

On re-reading your first post I realised this is actually very easy; just put the technician accounts in the remote desktop users group on each remote PC then just apply a GPO on the accounts that locks down outgoing ports to only the non-PC devices using the firewall. If you're lucky the devices can have their password managed by the password management system as well, since they're usually platform independent. I don't think you can get more granular without a custom application. You could do it with powershell and a .net frontend if you wanted a GUI, but it sounds like your needs would be met by auditing software on the gateway PCs.

Sulla Faex
May 14, 2010

No man ever did me so much good, or enemy so much harm, but I repaid him with ENDLESS SHITPOSTING
Thanks for the replies. Can these rules be applied directly to users programmatically, on an ad hoc basis? It's been a while since I've had access to AD or anything like that, and I've never done this level of granulation or automation. But would the following be possible in a Windows domain environment like I described above?

Blanket block all non-PC devices on the network for everybody.
For each non-PC device on the network, have a pre-defined exception that will allow access to an (as-of-yet) unspecified account.
A technician requests access to a specific gateway machine and to certain non-PC devices subordinate to that gateway machine (the boss will create this UI etc).
When it's granted, PowerShell identifies the user account in AD and grants it access to the gateway machine.
PowerShell also applies the associated non-PC device exception GPOs to the same account only.

I need to be sure that the above will work at the DC/firewall level, such that access to machines and then to non-PC devices can be handled fluidly on a per-user basis. The UI and all that is secondary, we just need to know if this is how this problem is usually solved or if we're barking up the wrong tree and we need to start looking at managing access through a custom firewall/proxy system.

Sulla Faex fucked around with this message at 10:02 on Apr 28, 2014

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from
You can do all of that except for poking holes in the firewall for certain users. Even when I was working with user-authed proxy firewalls all they did was allow the connecting IP through to whatever they were granted access to beforehand. There may be third party firewalls you can run on the gateway PC that can apply rules to individual users but Windows' firewall can't, but if you go third party you probably lose the ability to adjust the firewall through PS.

Sacred Cow
Aug 13, 2007

Zaepho posted:

We do a fair bit of App-V for customers at work but I'm not on the SCCM side. I can tell you that there is a certain art to sequencing App-V Packages that is different from the black art of packaging. Once you wrap your head around it you can do some pretty cool stuff.

Aside from that with SCCM 2012 you can uninstall software, hence "controlling" access to it. Metering is a really good tool for determining who needs to lose their Adobe Pro install, then it's just a matter of dropping them in the Uninstall collection.

MBAM is the only way to do bitlocker!

Finally, check out UEV (User Experience Virtualization), it's a clever semi-re-invention of roaming profiles and is included in MDOP.

I'll take a look at how to sequence App-V stuff. This is my first time diving into it so I'll have to see how this differs from SCCM app deployments. Thanks for the heads up on UEV. It's on my list of things to test but I'll probably have to wait until things slow down towards the end of the year.

Also, thank loving god for MBAM. My manager's original plan for deploying BitLocker was to send out a package with
code:
manage-bde -on c: -rp
and hope for the best. That doesn't even cover confirming TPM activation on every user's machine. The new reports integrated with SCCM are going to be a huge time saver.

Sulla Faex
May 14, 2010

No man ever did me so much good, or enemy so much harm, but I repaid him with ENDLESS SHITPOSTING

hihifellow posted:

You can do all of that except for poking holes in the firewall for certain users. Even when I was working with user-authed proxy firewalls all they did was allow the connecting IP through to whatever they were granted access to beforehand. There may be third party firewalls you can run on the gateway PC that can apply rules to individual users but Windows' firewall can't, but if you go third party you probably lose the ability to adjust the firewall through PS.

Hm. We're checking to see if the client needs multiple users logged in to the gateway machine at the same time.

Current hope is that either they don't or that they can handle a few VMs on the gateway machine running Win7. That way we'd just set the firewall to block all in/out traffic, and have an admin-controlled task scheduled batch 'service' that regularly checks with the central server for user access and then manages the creation and destruction of ad hoc rules for the IP addresses specified.

If they're happy with that it'd be perfect; keeping it simple means less chances of gently caress ups.
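The reconcile step of the scheduled task described above, as an added example that is not the poster's own code: it pulls an approved-access list (constructed inline here in place of the central server's response; the `TechAccess-` rule-name prefix, the CSV columns and the 10.20.0.x device addresses are all assumed), then adds or deletes Windows Firewall rules on the gateway so the live rule set matches the approved set. It uses `netsh advfirewall`, which exists on Windows 7; the rules apply to the whole machine, so the user name in the rule name is for auditing only and the script assumes one technician on the gateway at a time, as the post says.

```powershell
# Added example: reconcile gateway firewall rules against an approved-access feed.
# Run from a scheduled task as an admin account; technicians must not be able to edit it.
$Prefix = 'TechAccess-'   # assumed prefix; the script only ever touches rules named with it

# Constructed stand-in for the central server's response (user, device IP, expiry)
$Feed = @'
user,deviceip,expires
jsmith,10.20.0.11,2014-04-30T18:00:00
jsmith,10.20.0.12,2014-04-30T18:00:00
adoe,10.20.0.13,2014-04-01T00:00:00
'@ | ConvertFrom-Csv

# Baseline from the post: block everything in and out by default. In practice add
# separate standing rules first for the VPN, domain controllers and management traffic,
# or this line cuts the gateway off from the domain.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound | Out-Null

# Desired set: one outbound allow rule per grant that has not yet expired
$Now = Get-Date
$Desired = @{}
foreach ($row in $Feed) {
    if ([datetime]$row.expires -gt $Now) {
        $Desired["$Prefix$($row.user)-$($row.deviceip)"] = $row.deviceip
    }
}

# Current set: names of rules this script created earlier, parsed from netsh output
$Current = @(netsh advfirewall firewall show rule name=all | ForEach-Object {
    if ($_ -match "^Rule Name:\s+($Prefix\S+)") { $Matches[1] }
})

# Revoke: delete rules whose grant expired or was withdrawn on the server
foreach ($name in $Current) {
    if (-not $Desired.ContainsKey($name)) {
        netsh advfirewall firewall delete rule name="$name" | Out-Null
        Write-Output "Revoked $name"
    }
}

# Grant: add rules for newly approved (user, device) pairs
foreach ($name in $Desired.Keys) {
    if ($Current -notcontains $name) {
        $ip = $Desired[$name]
        netsh advfirewall firewall add rule name="$name" dir=out action=allow remoteip=$ip | Out-Null
        Write-Output "Granted $name -> $ip"
    }
}
```

Because the feed, not the gateway, is the source of truth, a revoked or expired grant disappears on the next run without anyone touching the gateway; log the Granted/Revoked lines centrally so the approvals and the actual rule changes can be compared.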

some kinda jackal
Feb 25, 2003

 
 
Anyone know whether you can lock down dnscmd.exe to just modifying records?

I want to create a logon script that adds or modifies CNAMEs under the subdomain usr.mydomain.local so I can easily find where they are logged in. That is to say, it'll create a CNAME of [username].usr.mydomain.local to the PC's actual hostname for easy kajigging.

Seems like dnscmd.exe will do everything I want, but it looks like it has other options that could gently caress up my DNS server in the wrong hands.

I'm not really sure I'm articulating my question correctly, so hopefully someone knows what the hell I'm blabbing about.

edit: Never mind, it looks like I can lock all that dumb stuff down. Hooray!

some kinda jackal fucked around with this message at 00:24 on Apr 29, 2014

Riso
Oct 11, 2008

by merry exmarx
Why do you want to do this with DNS?
You could just use a script to put that info into their ADS object.

http://deployhappiness.com/find-out-what-computer-a-user-logged-into/

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.

Riso posted:

Why do you want to do this with DNS?

Echoing this. Sounds like a terrible idea.

Either use ADS above or something like Sysinternals psloggedon.exe.

some kinda jackal
Feb 25, 2003

 
 
Not really sure why it's all that awful an idea. Would make it a one-step process to mstsc to a user's machine. Thanks for the advice though, I'll see what I can set up.

Thanks Ants
May 21, 2004

#essereFerrari


I'm struggling to get a straight answer from a ton of Googling, but is it possible to convert distribution groups into security groups in Office 365?

Thanks Ants fucked around with this message at 23:07 on Apr 29, 2014

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

Ran into an interesting setup today. Imagine a bunch of folders on a file share:

Marketing
Accounting
HR
..
..

Instead of users being in an AD group named 'Marketing', and then having permissions assigned to the Marketing folder to the 'Marketing' AD group, there's a 'MarketingShareRead' and 'MarketingShareWrite' group with people in it, and then those groups are given permissions to that folder.

nexxai
Jul 17, 2002

quack quack bjork
Fun Shoe

Bob Morales posted:

Ran into an interesting setup today. Imagine a bunch of folders on a file share:

Marketing
Accounting
HR
..
..

Instead of users being in an AD group named 'Marketing', and then having permissions assigned to the Marketing folder to the 'Marketing' AD group, there's a 'MarketingShareRead' and 'MarketingShareWrite' group with people in it, and then those groups are given permissions to that folder.
If there are large enough groups of people that having separate read and write groups makes sense, this setup is exactly how I'd do it. I may name them slightly differently (e.g. "MarketingRead" / "MarketingWrite") but the idea would be the same.

devmd01
Mar 7, 2006

Elektronik
Supersonik
That's exactly how we do permissions on our file server cluster. Everyone gets H:\ mapped to the dfs namespace root, then from there folder redirections for Marketing, Accounting, etc for their specific shared disks off the SAN. Each folder from there is given Foldername_RO/Foldername_FA groups in AD for assigning permissions. Most of the time the RO group isn't needed so we don't create one unless the request specifies it.

CLAM DOWN
Feb 13, 2007




Bob Morales posted:

Ran into an interesting setup today. Imagine a bunch of folders on a file share:

Marketing
Accounting
HR
..
..

Instead of users being in an AD group named 'Marketing', and then having permissions assigned to the Marketing folder to the 'Marketing' AD group, there's a 'MarketingShareRead' and 'MarketingShareWrite' group with people in it, and then those groups are given permissions to that folder.

Big company with specific permission needs, that's how we do it.

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from
We have corporate wide shared folders that users can request created, and often times they'll request certain people only have read access to it. Definitely not uncommon.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

Bob Morales posted:

Ran into an interesting setup today. Imagine a bunch of folders on a file share:

Marketing
Accounting
HR
..
..

Instead of users being in an AD group named 'Marketing', and then having permissions assigned to the Marketing folder to the 'Marketing' AD group, there's a 'MarketingShareRead' and 'MarketingShareWrite' group with people in it, and then those groups are given permissions to that folder.

As others stated, it's pretty much textbook rights permissions (right out of Microsoft's own documentation). I know it looks goofy, but it helps. Someone set up the shares correctly the first time.

Take pictures. I doubt you'll see this unicorn again.

kiwid
Sep 30, 2013

Bob Morales posted:

Ran into an interesting setup today. Imagine a bunch of folders on a file share:

Marketing
Accounting
HR
..
..

Instead of users being in an AD group named 'Marketing', and then having permissions assigned to the Marketing folder to the 'Marketing' AD group, there's a 'MarketingShareRead' and 'MarketingShareWrite' group with people in it, and then those groups are given permissions to that folder.

We do this but slightly different.

We constantly have people from other departments supporting the main department so we have an example setup like so:

Shares:
Accounting
Marketing
Trading

AD Groups:
Accounting (mail enabled security)
Accounting Support Read (security)
Accounting Support Write (security)
Marketing (mail enabled security)
Marketing Support Read (security)
Marketing Support Write (security)
Trading (mail enabled security)
Trading Support Read (security)
Trading Support Write (security)

If a user's main department is trading but they assist accounting, they get put into the Trading and Accounting Support groups.
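One way to provision a department folder the way this thread describes (a `_RO` and `_FA` group per folder, as in devmd01's naming, with NTFS permissions granted to the groups and never to individual users), as an added example that is not any poster's own script. It assumes the ActiveDirectory RSAT module is installed, and the share root `D:\Shares`, the OU `OU=FileShareGroups,DC=example,DC=local` and the domain name `EXAMPLE` are placeholders to adjust.

```powershell
# Added example: create per-folder RO/FA security groups and grant them the NTFS rights.
Import-Module ActiveDirectory

$ShareRoot = 'D:\Shares'                                  # assumed share root
$GroupOU   = 'OU=FileShareGroups,DC=example,DC=local'     # hypothetical OU for share groups
$Domain    = 'EXAMPLE'                                    # assumed NetBIOS domain name

function New-DepartmentShareAcl {
    param(
        [Parameter(Mandatory)][string]$Name,
        [switch]$WithReadOnly     # thread practice: only create the RO group when asked for
    )
    $Path = Join-Path $ShareRoot $Name
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    # Domain-local security groups hold the rights; users or role groups are nested into them
    $FA = "${Name}_FA"
    New-ADGroup -Name $FA -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU -ErrorAction SilentlyContinue
    if ($WithReadOnly) {
        $RO = "${Name}_RO"
        New-ADGroup -Name $RO -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU -ErrorAction SilentlyContinue
    }
    # Note: if the file server is not a DC, the new groups must have replicated before
    # the ACL below can resolve them; on a fresh group this can take a replication cycle.

    $Acl = Get-Acl $Path
    # Break inheritance so the department folder does not pick up broader rights from the root
    $Acl.SetAccessRuleProtection($true, $false)
    $Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $Prop    = [System.Security.AccessControl.PropagationFlags]::None

    # Admins and SYSTEM keep Full Control. The FA group gets Modify, not Full Control,
    # so members cannot re-ACL the tree and hand out rights outside the group model.
    $Rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',  'FullControl', $Inherit, $Prop, 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $Inherit, $Prop, 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule("$Domain\$FA",           'Modify',      $Inherit, $Prop, 'Allow')
    )
    if ($WithReadOnly) {
        $Rules += New-Object System.Security.AccessControl.FileSystemAccessRule("$Domain\$RO", 'ReadAndExecute', $Inherit, $Prop, 'Allow')
    }
    foreach ($rule in $Rules) { $Acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $Acl
}

# Marketing asked for a read-only audience; Accounting did not, so it gets FA only
New-DepartmentShareAcl -Name 'Marketing' -WithReadOnly
New-DepartmentShareAcl -Name 'Accounting'
```

Share-level permissions are left at the usual Authenticated Users / Change so that the NTFS ACL above is the single place access is decided; auditing group membership then tells you exactly who can read or change each folder.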

Sacred Cow
Aug 13, 2007

incoherent posted:


Take pictures. I doubt you'll see this unicorn again.

My company used to do it this way. I miss it so much :(

Loten
Dec 8, 2005


We have a clustered file server. It has an 8TB disk, which failed yesterday. I brought it back online using Failover Cluster Manager, but now it's saying "Full chkdsk needed on volume *blah*".

Am I right in thinking that
a) this is going to need to be done while the server is offline and
b) it's going to take forever?

If so, is there any way I can calculate how long it will be offline for?


incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
I suspect this data isn't on a SAN and you can't clone the volume to try and scan and/or bring that online while you scan the original volume?

8TB is going to take a loooong time to scan.
