incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
Microsoft updated their Group policies for 8.1/2012 R2 today.

http://www.grouppolicy.biz/2014/07/windows-8-1-update-windows-server-2012-r2-update-administrative-templates-admxadml-pack/

Drop them in your central store on your "pdc" (shouldn't be a problem on modern DCs with DFSR though) and replicate through your org.

Also gives you a chance if you're not in a 8.1 environment to turn off all that bullshit...for future generations.


hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from
Bleh, was hoping for more GPO toys to play with but I've already got 2012 r2 DCs I yanked the adm's from.

Swink posted:

I've got a few DCs in branch offices that I want to replace with RODCs. Is there any issue with demoting them and then re-promoting as RODCs, or is it better practice to introduce an entirely new server?

Shouldn't be an issue to just demote/promote. If you want to do it as cleanly as possible you can wait until the demoted DC is no longer listed as a replication partner and is gone from the service entries in DNS before promoting it back in but I doubt AD is going to throw a fit over a DC suddenly becoming an RODC.

some kinda jackal
Feb 25, 2003

 
 
Back on my topic of NPS and certificates for PEAP -- I generated a CSR, for my NPS server to use when acting as a RADIUS authenticator for my Merakis, to submit to a CA, but the FQDN is dc02.domain.local. I gather that CAs won't be handing out .local SSLs soon so this could be an issue going forward.

I also read that it doesn't really matter what the FQDN is on the cert as far as NPS and PEAP are concerned but somehow I have a hard time believing that because then honestly I could just export the cert from my Exchange server and throw that in place or something. Fishy. I checked the technet requirement for certs to use with PEAP:

http://technet.microsoft.com/en-ca/library/cc731363(v=ws.10).aspx

And I guess technically it doesn't say that the FQDN has to match the servername, but..

Since this is going to involve some BYOD which may not be joined to the domain, I don't want to use an in-house enterprise CA, so I'm opting to go the public CA route.

Any thoughts?

Thalagyrt
Aug 10, 2006

Martytoof posted:

Back on my topic of NPS and certificates for PEAP -- I generated a CSR, for my NPS server to use when acting as a RADIUS authenticator for my Merakis, to submit to a CA, but the FQDN is dc02.domain.local. I gather that CAs won't be handing out .local SSLs soon so this could be an issue going forward.

I also read that it doesn't really matter what the FQDN is on the cert as far as NPS and PEAP are concerned but somehow I have a hard time believing that because then honestly I could just export the cert from my Exchange server and throw that in place or something. Fishy. I checked the technet requirement for certs to use with PEAP:

http://technet.microsoft.com/en-ca/library/cc731363(v=ws.10).aspx

And I guess technically it doesn't say that the FQDN has to match the servername, but..

Since this is going to involve some BYOD which may not be joined to the domain, I don't want to use an in-house enterprise CA, so I'm opting to go the public CA route.

Any thoughts?

I use a certificate from an internal CA for NPS for WPA2 Enterprise wireless clients - never had a problem with a non domain joined machine. Clients just get prompted to accept the certificate the first time they connect and then won't get bothered again. Keep in mind that some wireless cards (I'm looking at you, Centrino!) are going to have trouble connecting to WPA2 Enterprise networks, or at least in my experience they've been problematic, and that's regardless of the certificate.

some kinda jackal
Feb 25, 2003

 
 
Hmm. Interesting. I'm not really all that familiar with certificate services so I'm leery of introducing them to this network, but it's interesting to note that it might be an easy solution.

Thalagyrt
Aug 10, 2006

Why not spin up a few VMs and play around with it in a lab environment to get a feel for it? AD CS isn't really that scary. There are definitely some best practices for doing it securely, though. It's recommended that your production root CA be offline and only be used to sign intermediate CAs, which you run online and then use to sign end user certificates.

Sacred Cow
Aug 13, 2007

Thalagyrt posted:

Why not spin up a few VMs and play around with it in a lab environment to get a feel for it? AD CS isn't really that scary. There are definitely some best practices for doing it securely, though. It's recommended that your production root CA be offline and only be used to sign intermediate CAs, which you run online and then use to sign end user certificates.


I stood up a 2 tier CA for my company a few months ago (offline root, 2 subordinate CAs) and it's not so much hard as it is tedious. I just followed the TechNet labs and documented any changes I needed to make in my lab before deploying. It's really worth looking into for Enterprise WiFi and beyond.

2008R2 lab
2012R2 lab


I guess I'll ask this here while I'm at it. My company wants to run an isolated network with RDS and about 6 thin clients. We're looking at some micro-servers and I'm wondering if an i7 with 16GB of RAM would be enough to run a VMWare box with AD DS, DNS, DHCP and RDS. Users would only be running Office products and maybe Adobe Standard.

edit - Hooray for spare servers!

Sacred Cow fucked around with this message at 17:31 on Jul 9, 2014

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


Setting up a CA is worth it if you have more than a couple of things that use SSL certificates, if only to get rid of the nagging about self signed certs.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

Sacred Cow posted:

I guess I'll ask this here while I'm at it. My company wants to run an isolated network with RDS and about 6 thin clients. We're looking at some micro-servers and I'm wondering if an i7 with 16GB of RAM would be enough to run a VMWare box with AD DS, DNS, DHCP and RDS. Users would only be running Office products and maybe Adobe Standard.

Remember the golden rule about RDS: They're all going to want to watch youtube in HD, simultaneously.

You're going to need a lot more ram (you've just budgeted 2.6GB of ram for each user...and that's not counting core windows server services!) and I would not put this on a consumer grade machine. You're going to have 6 users hammering on this, and you'll need 32 gigs if you want to do this all.

In other words, get a proper server.

Sacred Cow
Aug 13, 2007

incoherent posted:

Remember the golden rule about RDS: They're all going to want to watch youtube in HD, simultaneously.

You're going to need a lot more ram (you've just budgeted 2.6GB of ram for each user...and that's not counting core windows server services!) and I would not put this on a consumer grade machine. You're going to have 6 users hammering on this, and you'll need 32 gigs if you want to do this all.

In other words, get a proper server.

Thankfully this won't be connected to the internet.

I talked with my supervisor and apparently we have a spare 1U HP server available for this project. Just need to scrounge up a little more RAM and I'll be all set. They wanted to spend as little money as possible so I at least got that check box marked.

CLAM DOWN
Feb 13, 2007




This new MS security webcast format on ustream sucks poo poo.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

I need a sanity check here, as I'm having issues finding good information online. This probably should be in the group policy thread, but this thread gets more eyeballs on it.

Long story short, there has been some internal reorganization, and I need to grant 3 non domain admin users the ability to login and manage their local domain controllers. They're the IT/User admins for their business unit, but we're limiting their permissions as much as possible.

There is no way around this, yes I am aware of different ways to deal with this. Personally I would love to spin this BU off to its own subdomain, but that's not happening anytime soon. The Edict is they must be able to logon to the local domain controllers in their local offices both at the console and over RDP. They'll need to patch, troubleshoot and reboot their DC's.

The problem is, I want to limit these users to ONLY be able to logon to those 4 domain controllers in their sites. I have 20 DC's total, and they have no business logging into the other 16, so default groups like Account Operators, Server Operators, etc. are out. Modifying the Default Domain Policy to allow the BU_Admins group I created the logon locally right will also give them unnecessary permissions.

So I'm testing and trying to figure out how to best accomplish my goals. It seems my 'best' course of action is:

1: Create Security group for the 4 DC's they need access to. BU_DomainControllers, add 4 domain controllers to that security group

2: Create new GPO to give the BU_Admins the User Right Assignments to
- Allow Log on Locally
- Allow Log on through remote desktop services
- Shut down the system
- Force shutdown from a remote system

3: Filter above GPO to only the BU_DomainControllers security group

4: Apply new GPO to Domain Controllers OU

The only problem with this, is any changes made to URA's overwrite the previous ones, so I need to make sure the permissions line up with the DDP permissions and anytime the DDP changes I would have to update the new GPO....

I could move their domain controllers to a different OU, but that's not best practices either..

Am I off base here? Better suggestion?
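An added audit script (not from the thread) for checking the result of the GPO approach above: it exports the effective User Rights Assignments from every DC and flags two things, BU_Admins holding a right on a DC outside its four sites (the security filter is not working) and an allowed DC missing one of the four rights (the GPO lost the merge with the DDP's own URAs). It assumes the RSAT ActiveDirectory module and PowerShell remoting to the DCs; "BU_Admins" and the four rights are from the post, the hostnames in $allowedDCs are placeholders.

```powershell
# Added audit script, not from the thread. Assumes RSAT ActiveDirectory module
# and PowerShell remoting to every DC. "BU_Admins" and the four rights are from
# the post; the hostnames in $allowedDCs are placeholders.

# The four User Rights Assignments the BU_Admins GPO grants.
$rights = @(
    'SeInteractiveLogonRight',        # Allow log on locally
    'SeRemoteInteractiveLogonRight',  # Allow log on through Remote Desktop Services
    'SeShutdownPrivilege',            # Shut down the system
    'SeRemoteShutdownPrivilege'       # Force shutdown from a remote system
)

function Get-UserRightsAssignment {
    # Runs on the target DC: export the effective local security policy's
    # [Privilege Rights] section and emit one object per (right, principal).
    param([string[]]$RightNames)

    $inf = Join-Path $env:TEMP ("ura_{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $lines = Get-Content -Path $inf
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }

    foreach ($line in $lines) {
        if ($line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        if ($RightNames -notcontains $right) { continue }

        # Grantees are comma-separated; SIDs carry a leading '*', names do not.
        foreach ($grantee in ($Matches[2] -split ',')) {
            $grantee = $grantee.Trim()
            if (-not $grantee) { continue }
            $name = $grantee
            if ($grantee.StartsWith('*')) {
                try {
                    $sid  = [System.Security.Principal.SecurityIdentifier]$grantee.Substring(1)
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    # Unresolvable SID (deleted account, foreign domain): keep the raw SID.
                }
            }
            [pscustomobject]@{ Right = $right; Principal = $name }
        }
    }
}

Import-Module ActiveDirectory
$allDCs     = (Get-ADDomainController -Filter *).HostName
$allowedDCs = @('bu-dc01.domain.local', 'bu-dc02.domain.local')   # placeholder: the BU's DCs

# Invoke-Command stamps each returned object with PSComputerName.
$assignments = Invoke-Command -ComputerName $allDCs `
    -ScriptBlock ${function:Get-UserRightsAssignment} `
    -ArgumentList (,$rights)

# Finding 1: BU_Admins holds one of the rights on a DC outside its sites,
# so the security filter on the new GPO is not doing its job.
$leaks = $assignments | Where-Object {
    $_.Principal -like '*\BU_Admins' -and $allowedDCs -notcontains $_.PSComputerName
}

# Finding 2: an allowed DC lacks one of the rights, so the new GPO's URA
# settings did not line up with the DDP's (the overwrite problem described above).
$gaps = foreach ($dc in $allowedDCs) {
    foreach ($r in $rights) {
        $has = $assignments | Where-Object {
            $_.PSComputerName -eq $dc -and $_.Right -eq $r -and $_.Principal -like '*\BU_Admins'
        }
        if (-not $has) { [pscustomobject]@{ Computer = $dc; MissingRight = $r } }
    }
}

$leaks | Format-Table PSComputerName, Right, Principal -AutoSize
$gaps  | Format-Table -AutoSize
```

Run it after each DDP change as well, since that is exactly when the merged rights on the four DCs can silently drift.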

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
1. Don't edit the Default Domain Policy. Create a new one.

2. What exactly do they need to do? Could they just install Remote Administrator Tools and manage from their workstations instead? (They should.)

Sounds like a clusterfuck regardless.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Gyshall posted:

1. Don't edit the Default Domain Policy. Create a new one.

2. What exactly do they need to do? Could they just install Remote Administrator Tools and manage from their workstations instead? (They should.)



1: Yeah, the DDP is hosed though from before my time... lots of things manually specified... it's a mess

2: They need to manage their users and computers, modify DNS, manage their DHCP servers (running on the DC's) and be able to logon to the local domain controller. I have the User, DNS, and DHCP permissions all taken care of... I haven't been able to find good information on giving a subset of users access to a subset of domain controllers.. plenty of info out there on how to give a non domain admin group access to all domain controllers...

We (corp IT) have no onsite presence in their locations so the decision was made above my paygrade they need to be able to logon to the DC's in their locations to troubleshoot, patch, reboot, etc. RSAT covers most of it, except the actual logging onto the server.

quote:

Sounds like a clusterfuck regardless.

A bit..... I don't expect this exercise to last through the end of the year before the business unit wants corp IT to take things over again.

lol internet.
Sep 4, 2007
the internet makes you stupid
SCCM 2012 R2 question.

I'm trying to uninstall Lync 2010, and install Lync 2013 Basic (What a lovely version name.)

I basically have 2013 packaged with 2010 as the superseded application.

I'm using msiexec.exe /X PRODUCT_GUID /qb /norestart to uninstall 2010 and created the MSP for Lync 2013 with the SETUP_REBOOT=Never property.

Basically the uninstall\install works fine but it's prompting users to restart still. They basically get a 1 hour countdown, with the option to restart now or hide.

Is there any way to properly test packages for reboot situations outside of SCCM I might not know about? I normally do my testing in a VM with snapshots of the before change.

Every time I make a change and start pushing it to someone, having them prompted to reboot is not ideal. I somewhat have a feeling it has to do with the superseding option as I've worked with Office and the customization wizard, and I've never had an issue with the uninstall.

Also, just to note, the uninstall and 2013 install is done before the prompt, so I don't think it's the uninstall forcing the reboot.

Any ideas would be appreciated, not really new to SCCM or packaging but I find this issue a bit baffling.

Sacred Cow
Aug 13, 2007
I just deployed Lync 2013 to my users from SCCM and during testing I found that the MSP file wasn't actually taking anything I had put into it including the restart suppression switch. I found out you need to download the latest Office Customization Tool to fix the issue.

Here

After I followed the install instructions and recreated the MSP file, everything worked as intended.

lol internet.
Sep 4, 2007
the internet makes you stupid

Sacred Cow posted:

I just deployed Lync 2013 to my users from SCCM and during testing I found that the MSP file wasn't actually taking anything I had put into it including the restart suppression switch. I found out you need to download the latest Office Customization Tool to fix the issue.

Here

After I followed the install instructions and recreated the MSP file, everything worked as intended.
Thanks!

What the heck are the chances of that. I thought I was going crazy today, but as a side note for those SCCM users, is there any way to really test if an app will reboot on a user? I mean.. whenever I test on myself, it's all fine and dandy, but when it goes to a user, it just happens to reboot, then I need to come back and re-test some more. Obviously I should have a "test" group I should push out to first before everyone, but even then, having a machine reboot on a person is a pain in the rear end.

Sacred Cow
Aug 13, 2007

lol internet. posted:

Thanks!

What the heck are the chances of that. I thought I was going crazy today, but as a side note for those SCCM users, is there any way to really test if an app will reboot on a user? I mean.. whenever I test on myself, it's all fine and dandy, but when it goes to a user, it just happens to reboot, then I need to come back and re-test some more. Obviously I should have a "test" group I should push out to first before everyone, but even then, having a machine reboot on a person is a pain in the rear end.

I personally have a laptop with our base image at my desk that I reimage every time I have to test a deployment. My work laptop has had so many installations and reg edits that I know it can't be trusted for deployment tests. I've heard of people using VMs (if you have Windows 8(.1) Pro or better you should already have Hyper-V) but I'm personally not a fan.

peak debt
Mar 11, 2001
b& :(
Nap Ghost

lol internet. posted:

Thanks!

What the heck are the chances of that. I thought I was going crazy today, but as a side note for those SCCM users, is there any way to really test if an app will reboot on a user? I mean.. whenever I test on myself, it's all fine and dandy, but when it goes to a user, it just happens to reboot, then I need to come back and re-test some more. Obviously I should have a "test" group I should push out to first before everyone, but even then, having a machine reboot on a person is a pain in the rear end.

It's completely possible that an installation will want a reboot in some cases but not in others, mostly due to applications being open and locking files. To get a 100% certain answer on whether an installation will _ever_ reboot you'd have to open up the MSI in an MSI editor and check the reboot conditions.
If it doesn't have any, or all of its conditions can be safely taken care of by pskilling certain processes, then you're fine.

Mind that even with an msiexec REBOOT=Suppress the installer will still return a 3010 code to SCCM so SCCM will still believe it'll need a reboot.

But, don't sweat it that much. SCCM will only reboot without user interaction if nobody is logged in. If somebody is, the countdown will go down to 0:00 and be stuck there until somebody confirms the prompt.

lol internet.
Sep 4, 2007
the internet makes you stupid

Sacred Cow posted:

I personally have a laptop with our base image at my desk that I reimage every time I have to test a deployment. My work laptop has had so many installations and reg edits that I know it can't be trusted for deployment tests. I've heard of people using VMs (if you have Windows 8(.1) Pro or better you should already have Hyper-V) but I'm personally not a fan.

Been using Virtualbox since it's free and it has a snapshot\restore feature to do testing, but there was no way to test the msi reboots. Anyways, in regards to the link you posted about the updated office customization tool, is that the correct link? It seems to provide GPO files. Were you referring to this tool: http://www.microsoft.com/en-us/download/details.aspx?id=36778

edit: err wait, do I just drop the "admin" folder into the "%LYNC_INSTALL_SOURCE%\admin" folder?

lol internet. fucked around with this message at 15:16 on Jul 10, 2014

orange sky
May 7, 2007

This was on the Certification thread, I don't know if it's been posted here before, but here's a p. good blog post:

http://blogs.msdn.com/b/mssmallbiz/...-cloud-sql.aspx

However, as mentioned in that thread, the most useful document in there is the complete, 8700 page (!) Technet reference for server 2012/R2 with working links:

http://ligman.me/TMBaEy

HTH!

Sacred Cow
Aug 13, 2007

lol internet. posted:

Been using Virtualbox since it's free and it has a snapshot\restore feature to do testing, but there was no way to test the msi reboots. Anyways, in regards to the link you posted about the updated office customization tool, is that the correct link? It seems to provide GPO files. Were you referring to this tool: http://www.microsoft.com/en-us/download/details.aspx?id=36778

edit: err wait, do I just drop the "admin" folder into the "%LYNC_INSTALL_SOURCE%\admin" folder?

That's exactly why I don't like using VMs for testing deployments. Hardware always gave me different results and ended up biting me in the rear end a few times.

The link I posted earlier has both the ADMX files and the admin tools (OPAX files) updates for Office 2013 as one package. All you need to do is copy the admin folder like you've described and you'll be good to go. It's important to remember that you need to either import or recreate the MSP file.

KS
Jun 10, 2003
Outrageous Lumpwad
Very curious what other companies (the bigger the better) use to keep HR information in AD up to date -- job titles, managers, etc. It's something we struggle with. I know some previous companies I've worked for have had HRIS apps that tie into AD, but there's nothing like that here.

So, how do you process new hires and promotions? Do you just get an email a week later from HR? Do you have an automated system that ties into AD and gives HR the power to create and change this info? I'd love to hear about what a working system looks like.

CLAM DOWN
Feb 13, 2007




KS posted:

Very curious what other companies (the bigger the better) use to keep HR information in AD up to date -- job titles, managers, etc. It's something we struggle with. I know some previous companies I've worked for have had HRIS apps that tie into AD, but there's nothing like that here.

So, how do you process new hires and promotions? Do you just get an email a week later from HR? Do you have an automated system that ties into AD and gives HR the power to create and change this info? I'd love to hear about what a working system looks like.

In-house script/program with an approval method, linked to PS commands which alter AD. Large company (5000+).

vanity slug
Jul 20, 2010

Straight outta SAP for us for promotions, office changes, stuff like that. New hires are still just automated e-mails, but that should be hooked into FIM soon enough.

BaseballPCHiker
Jan 16, 2006

CLAM DOWN posted:

In-house script/program with an approval method, linked to PS commands which alter AD. Large company (5000+).

I'd be interested to see how that is structured if you are allowed to share anything about it. We're starting to get big enough that it's a pain for HR to hand us paper forms for new hires and then have someone enter all that info in manually. I know there are some 3rd party apps out there but I've never heard good things about them and flat out refuse to just give someone in HR full AD access.

CLAM DOWN
Feb 13, 2007




BaseballPCHiker posted:

I'd be interested to see how that is structured if you are allowed to share anything about it. We're starting to get big enough that it's a pain for HR to hand us paper forms for new hires and then have someone enter all that info in manually. I know there are some 3rd party apps out there but I've never heard good things about them and flat out refuse to just give someone in HR full AD access.

I'm really sorry but I can't share anything about it :(

If you're just doing things manually by paper now, I highly recommend looking into Powershell's AD cmdlets; you can even design a basic form with .NET in Powershell to allow you to input this stuff. It could simplify your life a lot.

BaseballPCHiker
Jan 16, 2006

I've worked a little bit with powershell's AD cmdlets to generate some useful reports but don't really have any experience with .net. Any useful links or reading suggestions?

CLAM DOWN
Feb 13, 2007




BaseballPCHiker posted:

I've worked a little bit with powershell's AD cmdlets to generate some useful reports but don't really have any experience with .net. Any useful links or reading suggestions?

I started very basic, with text input boxes to feed my scripts things, starting with learning from links like these:

http://technet.microsoft.com/en-us/library/ff730941.aspx
http://blogs.technet.com/b/stephap/archive/2012/04/23/building-forms-with-powershell-part-1-the-form.aspx

After learning and practicing the basics a ton I now can make pretty complex GUIs in Powershell with .NET Winforms and it's really useful and powerful.

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.

Jeoh posted:

Straight outta SAP for us for promotions, office changes, stuff like that. New hires are still just automated e-mails, but that should be hooked into FIM soon enough.

Can I ask how you guys sync SAP with Active Directory?

vanity slug
Jul 20, 2010

Gyshall posted:

Can I ask how you guys sync SAP with Active Directory?

Arcane loving wizardry, as far as I know. I know we just pull certain data out of SAP into a MSSQL database every night, and we use that as a cache for AD and the other applications. But not sure on the specifics.

KS
Jun 10, 2003
Outrageous Lumpwad
Running SAP always seems to involve arcane wizardry and a small army of expensive consultants.

No commercial off the shelf HRIS software answers so far. Surprising!

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

KS posted:

Very curious what other companies (the bigger the better) use to keep HR information in AD up to date -- job titles, managers, etc. It's something we struggle with. I know some previous companies I've worked for have had HRIS apps that tie into AD, but there's nothing like that here.

So, how do you process new hires and promotions? Do you just get an email a week later from HR? Do you have an automated system that ties into AD and gives HR the power to create and change this info? I'd love to hear about what a working system looks like.

Oracle has an account that updates the Org information in AD, which then gets pushed to the GAL in Exchange. People are super touchy about their titles and org status.

There's basically a process that kicks off around 3AM that gets all the changes from the Oracle system for the night, then updates the appropriate user in AD. It's keyed on the EmployeeID field in AD. No employeeID, no Oracle update. My understanding is it's some kind of script someone wrote years ago... probably VB or batch.

We want to expand this to create some dynamic distribution lists based on certain criteria (Office, Business Unit, Dept), and that is probably going to be a bitch... I'm thinking powershell and a nightly CSV dump from Oracle. I would love to get FIM setup, but I have no time for that this year.

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.

KS posted:

Running SAP always seems to involve arcane wizardry and a small army of expensive consultants.

Glad I'm not the only one who has had this experience.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

It's like that for all the big business applications. When the company I work for was acquired we switched from SAP to Oracle, and the army of contractors didn't go away, just changed names and specialties.

It was a shame too, we just dropped almost 20M on upgrading our SAP environment a few months before we got acquired.

peak debt
Mar 11, 2001
b& :(
Nap Ghost
If the SAP guys can export the data you need to an MSSQL DB you can query that quite easily:
code:
# Integrated Security uses the Kerberos identity of whoever runs the script,
# so no SQL password ends up in the script or in the connection string.
$connection = New-Object System.Data.SqlClient.SqlConnection
$connection.ConnectionString = "server=sql26;Integrated Security=true;Database=STUFF"

$connection.Open()

$command = $connection.CreateCommand()
$command.CommandText = "select foo from bar where name='joe'"
$result = $command.ExecuteReader()

# Load the whole result set into a DataTable; each row becomes an object
# whose properties are the column names.
$table = New-Object "System.Data.DataTable"
$table.Load($result)

$table

$connection.Close()
You can then use that data in Set-ADUser
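An added example, not from the thread, of the nightly sync skipdogg describes above: each HR row is matched to exactly one AD account on employeeID (no employeeID, no update) and only the attributes that actually differ are written with Set-ADUser, in -WhatIf mode by default. It takes rows from a CSV dump here (the sample is constructed) but the DataTable rows from the SQL query above work the same way, since both expose the assumed columns EmployeeID, Title, Department, Office and ManagerEmployeeID as properties.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and an HR export with the columns EmployeeID, Title, Department, Office,
# ManagerEmployeeID (assumed names). Run under a delegated account that has
# write access to just these attributes, not as a domain admin.
Import-Module ActiveDirectory

# Constructed sample of a nightly HR dump; the third row has no EmployeeID.
$sampleCsv = @'
EmployeeID,Title,Department,Office,ManagerEmployeeID
10042,Network Engineer,IT,Austin,10001
10043,Accounts Payable Clerk,Finance,Austin,10007
,Contractor,Facilities,Austin,10007
'@

function Sync-HrRecordToAd {
    param(
        [Parameter(Mandatory)] $Record,   # one CSV row or one DataRow
        [switch] $WhatIf
    )

    # Rule from the thread: no employeeID, no update.
    $id = "$($Record.EmployeeID)".Trim()
    if (-not $id) {
        return [pscustomobject]@{ EmployeeID = ''; Result = 'Skipped: no EmployeeID' }
    }

    # The AD -Filter expands a simple variable itself, so the HR value is never
    # spliced into the filter string by hand.
    $found = @(Get-ADUser -Filter 'EmployeeID -eq $id' -Properties Title, Department, Office, Manager)
    if ($found.Count -ne 1) {
        # Zero matches = not provisioned yet; more than one = dirty data. Both are
        # reported, not guessed at.
        return [pscustomobject]@{ EmployeeID = $id; Result = "Skipped: $($found.Count) AD accounts match" }
    }
    $user = $found[0]

    # Collect only the attributes whose value really changed.
    $changes = @{}
    foreach ($attr in 'Title', 'Department', 'Office') {
        $new = "$($Record.$attr)".Trim()
        if ($new -and $user.$attr -ne $new) { $changes[$attr] = $new }
    }

    # Manager is resolved through the manager's own employeeID, never by name.
    $mgrId = "$($Record.ManagerEmployeeID)".Trim()
    if ($mgrId) {
        $mgr = @(Get-ADUser -Filter 'EmployeeID -eq $mgrId')
        if ($mgr.Count -eq 1 -and $user.Manager -ne $mgr[0].DistinguishedName) {
            $changes['Manager'] = $mgr[0].DistinguishedName
        }
    }

    if ($changes.Count -eq 0) {
        return [pscustomobject]@{ EmployeeID = $id; Result = 'No change' }
    }

    # Splat the hashtable: its keys match Set-ADUser parameter names exactly.
    Set-ADUser -Identity $user @changes -WhatIf:$WhatIf
    return [pscustomobject]@{ EmployeeID = $id; Result = "Updated: $($changes.Keys -join ', ')" }
}

# Dry run first: a bad export should show up in the log, not in the GAL.
$rows = $sampleCsv | ConvertFrom-Csv
$log  = foreach ($r in $rows) { Sync-HrRecordToAd -Record $r -WhatIf }
$log | Format-Table -AutoSize
```

For the SQL path, replace the $rows assignment with the DataTable's .Rows collection; the per-row logic is unchanged.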

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

What are y'all using for MDM? We're currently planning a deployment of approximately 100 ipads for students and need software to remotely manage them. We'd like it to be as close to 0 touch as possible. I know about the big ones like Mobile Iron and Maas360 but I'm interested in hearing about how these things actually work in a production environment and people's experience with them.

AlternateAccount
Apr 25, 2005
FYGM
Tasked with updating phone numbers in AD, since a lot are missing etc. Sure, I can script that out, no problemo.

1> There's no actual list of names and AD accounts. Accounts are firstname.lastname but PLENTY of people's logins don't match whatever is in the HR system that contains the required info to update. Nicknames, etc, and no way to cross reference and check.

2> Apparently a list of users and their desk phone numbers doesn't exist anywhere in the loving company. I feel like if you're big enough to have a PHONE GUY, and we are, that guy probably would want this info.

gently caress's sake.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Feeling your pain.. I'm the main AD guy where I work and I get asked once or twice a month to do bulk updates to folks user accounts or group membership..

Sure, no problem, send me the data..

I get data that takes me 5 or 6 hours to massage into a usable format to run a script that takes 3 minutes.


GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

I was asked to add everyone's pictures to AD so it gets used in Outlook and Lync. They gave me 400+ pictures and each one a huge fuckoff 40 meg tif on a terabyte drive.
