Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.

Potato Salad posted:

Aaaaaaaaaaaaaaaand it's up! The test group of users is already giving positive feedback to the "I don't have to scroll through thirty folders to find my poo poo" feature.

Once you go ABE you don't go back ~

Swink posted:

How can I work ABE into my org when I want to hide folders that are not relevant to the user, but still give them the option to access them if necessary?

Do you have an example of what you need to do? Just set up security groups for read/write access and add users as needed.


BaseballPCHiker
Jan 16, 2006

Anyone have any recommendations on MSI building software? I've been using Orca for a bit but feel like there's got to be some paid software out there that will work better.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
I really liked Advanced Installer when I was using the free tier to build installers for internal use. If you go pro or better you have a lot more features to work with.

http://www.advancedinstaller.com/

Roargasm
Oct 21, 2010

Hate to sound sleazy
But tease me
I don't want it if it's that easy

Swink posted:

How can I work ABE into my org when I want to hide folders that are not relevant to the user, but still give them the option to access them if necessary?

Give them access if they need it? Depending on the stakes you could share a superuser account and audit it :downs:

PUBLIC TOILET
Jun 13, 2009

incoherent posted:

I really liked Advanced Installer when I was using the free tier to build installers for internal use. If you go pro or better you have a lot more features to work with.

http://www.advancedinstaller.com/

Honestly I've just flat out used Orca or this. Never tried Advanced Installer but it looks easier and cheaper than Flexera. Regardless, Orca is free even if it is a bit outdated/granular and it gets the job done when it comes to creating custom transforms.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
I just had to license InstallShield (the equivalent of the enterprise version of Advanced Installer) for my developers and it is needlessly expensive as gently caress. It wasn't my battle to fight, but I know there are better options out there.

Potato Salad
Oct 23, 2014

nobody cares


Swink posted:

How can I work ABE into my org when I want to hide folders that are not relevant to the user, but still give them the option to access them if necessary?

Are you talking about hiding folders from view for security reasons or convenience reasons? As written, this is coming off as a bit of a weird use case for you to mediate as "Access as Necessary" is a situation subjective to the user.

If this is about convenience, the preference has to be available to the user. Favorites in the file explorer, for example, would help Bob in Sales, who has access to forty folders for the purposes of collaboration but uses only three of them 99% of the time.

If this is about security -- like, keeping people from poking around in folders that they technically have access to but don't have any business dicking around in on a day-to-day basis -- the solution is in re-arranging your folder structure and user groups. Example: Sue in Sales, like Bob, only uses ~3 folders day-to-day. Every once in a while, though, someone in accounting fucks up and members of both teams have to do some digging to find out what happened. Sue thus needs to be able to access the Accounting share every once in a while, but you, Swink, are nervous about her spending time there regularly, snooping on the day-to-day business of Accounting. Solution: messier.

When you say "not relevant to the user" is that from a convenience or security / confidence standpoint? What precisely is "necessary?"

vanity slug
Jul 20, 2010

Swink posted:

How can I work ABE into my org when I want to hide folders that are not relevant to the user, but still give them the option to access them if necessary?

If they need access to a folder, you add them to the security group that has access to the folder.

lol internet.
Sep 4, 2007
the internet makes you stupid
Dumb question about WIM files. I noticed there are "images" within them (i.e. 1-1, 2-2). Is this actually referring to a partition table?

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

lol internet. posted:

Dumb question about WIM files. I noticed there are "images" within them (i.e. 1-1, 2-2). Is this actually referring to a partition table?

Yeah, 1-1 is that small 300 meg partition that Windows tends to have and 2-2 is your main C partition.

Dans Macabre
Apr 24, 2004


Is there literally any good reason to have domain profile firewall enforced on Windows desktops?

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Maybe laptops if users go out of the office, but we have the Windows firewall disabled via GPO for everyone internally.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


NevergirlsOFFICIAL posted:

Is there literally any good reason to have domain profile firewall enforced on Windows desktops?

If a virus or intrusion occurred on the domain and there's no domain firewall you're going to get hosed.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
Think of each workstation as a sovereign, hostile nation in your domain. They'll go Gandhi on you at the drop of a hat.

Orcs and Ostriches
Aug 26, 2010


The Great Twist
My predecessors disabled the Windows firewall long ago to get everything working, and I've always been afraid of turning it back on and dealing with the backlash. Though at this point there's far less janky bullshit that we're running; it probably wouldn't go too badly. Maybe I'll do it in the fall when everyone comes back and is pissed off anyways.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

We use Sophos web appliance and it's been working well. It's been a few years since an infection.

TWBalls
Apr 16, 2003
My medication never lies
Back when Conficker and other Worms were going around, we were one of the few hospitals (owned by our parent company, can't say for others) that weren't affected because I insisted on having Windows firewall enabled. I'm not sure why you wouldn't have it enabled. It's an extra layer of protection and it's really easy to allow/disallow something through GPO.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

GreenNight posted:

Maybe laptops if users go out of the office, but we have the Windows firewall disabled via GPO for everyone internally.

This is what we do. I'm sure managing a firewall in/out list is best practices, but it's a pain in the rear end and an administrative burden.

Tab8715 posted:

If a virus or intrusion occurred on the domain and there's no domain firewall you're going to get hosed.

Odds are it's going to be attacking ports you already have to have open for Windows to work on a domain anyway, so I really don't see it as much of a preventative aid to be honest.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


skipdogg posted:

This is what we do. I'm sure managing a firewall in/out list is best practices, but it's a pain in the rear end and an administrative burden.

Odds are it's going to be attacking ports you already have to have open for Windows to work on a domain anyway, so I really don't see it as much of a preventative aid to be honest.

I'm sure it's an enormous administrative burden for small-IT Departments. The security gains aren't significant especially when you already have anti-virus and some kind of Network Security Appliance.

I could understand turning it off but I've been at hundreds of small businesses and it's usually not that hard to figure out what rule you need to modify for whatever application.

theperminator
Sep 16, 2009

by Smythe
Fun Shoe
Network security appliances protect you at the border of your network; AV protects you against known threats.

Someone could have your whole network infected pretty quickly by plugging in a USB device with a payload not currently known by your AV solution.


skipdogg posted:

This is what we do. I'm sure managing a firewall in/out list is best practices, but it's a pain in the rear end and an administrative burden.

Odds are it's going to be attacking ports you already have to have open for Windows to work on a domain anyway, so I really don't see it as much of a preventative aid to be honest.

It's more about competence than best practices. What ports do workstations need to have open inbound to operate on a domain?

Legitimate services can be used to perform denial of service, obtain remote access, etc. without even worrying about malware at all.
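To answer theperminator's question for your own fleet rather than in the abstract, here is an added example (not from any poster in the thread) that lists what the Domain profile currently allows inbound on a workstation, so the rule set can be reviewed before the profile is enforced by GPO. It assumes Windows 8.1 / Server 2012 R2 or later, where the NetSecurity cmdlets exist, and an elevated prompt.

```powershell
# Added example, not from the thread. Requires the NetSecurity module
# (Windows 8.1 / Server 2012 R2 and later); run from an elevated prompt.

# 1. Is each profile on, and what happens to inbound traffic with no matching rule?
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, LogBlocked, LogFileName |
    Format-Table -AutoSize

# 2. Every enabled inbound ALLOW rule that applies to the Domain profile,
#    joined to its port and program filters. Rules whose PolicyStoreSourceType
#    is GroupPolicy were delivered by a GPO; the rest are local to the box.
$inbound = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { "$($_.Profile)" -match 'Domain|Any' }

$report = foreach ($rule in $inbound) {
    $port = $rule | Get-NetFirewallPortFilter
    $app  = $rule | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Rule      = $rule.DisplayName
        Group     = $rule.DisplayGroup
        Protocol  = $port.Protocol
        LocalPort = ($port.LocalPort -join ',')   # e.g. 445, 135, RPC, Any
        Program   = $app.Program                  # a path, or Any
        Source    = $rule.PolicyStoreSourceType
    }
}
$report | Sort-Object Protocol, LocalPort | Format-Table -AutoSize

# 3. Rules that accept any port for any program are the ones a domain
#    workstation rarely needs; review these first.
$report | Where-Object { $_.LocalPort -eq 'Any' -and $_.Program -eq 'Any' }

# 4. Log dropped inbound packets so a pilot OU yields real data on what the
#    profile would have blocked, instead of guessing from helpdesk tickets.
Set-NetFirewallProfile -Profile Domain -LogBlocked True -LogMaxSizeKilobytes 16384
```

Run step 2 on a machine that already has the GPO applied and compare the GroupPolicy-sourced rows with the local ones; the difference is what the GPO would have to carry once local rules are no longer merged.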

devmd01
Mar 7, 2006

Elektronik
Supersonik
I'm working on setting up a group policy to create/enforce a couple of HKLM registry settings, specifically for Lync client-side conversation history settings. I'm pretty drat sure I have it set up correctly in group policy preferences under computer configuration, but it fails to apply in my test OU on Windows 7 and 8.1 machines:

Event Viewer posted:

The description for Event ID 4098 from source Group Policy Registry cannot be found. <blah blah blah>

computer
Lync
Lync 2010/2013 Force Conversation History {E5BAAC82-FD25-421C-B5E1-0D691466C6DF}
0x80070057 The parameter is incorrect.

The handle is invalid

Unfortunately my google-fu has failed me, since this is a fairly generic error. Any ideas? I'd rather not have to resort to a REG IMPORT startup script. The policy is below:




e: god dammit I figured it out right after I hit post, you don't need the hive name in the key path. Hopefully this helps someone else!

devmd01 fucked around with this message at 16:53 on Jan 29, 2015
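A way to catch devmd01's mistake before it reaches a test OU, added here as an example rather than anything from the thread: it reads a GPP Registry.xml from SYSVOL and flags registry items whose key attribute starts with a hive name. The element layout (Registry items with a Properties child carrying hive, key, name, type and value) is the standard GPP registry item format; the sample policy content, key path and GPO path are constructed placeholders, not devmd01's actual policy.

```powershell
# Added example, not the thread's policy. Flags GPP registry items that
# repeat the hive inside the key path, the cause of devmd01's 0x80070057
# "The parameter is incorrect" at client-side extension processing time.
function Find-GppHiveInKeyPath {
    param([Parameter(Mandatory)][string]$Path)   # path to a GPP Registry.xml
    $hives = 'HKEY_LOCAL_MACHINE|HKLM|HKEY_CURRENT_USER|HKCU|HKEY_CLASSES_ROOT|HKEY_USERS|HKEY_CURRENT_CONFIG'
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    foreach ($item in $doc.SelectNodes('//Registry')) {
        $props = $item.SelectSingleNode('Properties')
        $key   = $props.GetAttribute('key')
        if ($key -match "^($hives)\\") {
            [pscustomobject]@{
                Item     = $item.GetAttribute('name')
                Hive     = $props.GetAttribute('hive')
                BadKey   = $key
                # The hive belongs in the hive attribute only; strip it from the key.
                FixedKey = $key -replace "^($hives)\\", ''
            }
        }
    }
}

# Constructed sample (clsid/uid attributes trimmed): one broken item, one correct.
$sampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<RegistrySettings>
  <Registry name="EnableConversationHistory" status="EnableConversationHistory">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Example\Lync"
                name="EnableConversationHistory" type="REG_DWORD" value="00000001"/>
  </Registry>
  <Registry name="DisableHistory" status="DisableHistory">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Policies\Example\Lync"
                name="DisableHistory" type="REG_DWORD" value="00000000"/>
  </Registry>
</RegistrySettings>
'@
$sample = Join-Path $env:TEMP 'Registry.xml'
Set-Content -LiteralPath $sample -Value $sampleXml -Encoding UTF8
Find-GppHiveInKeyPath -Path $sample | Format-List   # reports only the first item

# Against a real GPO (placeholder path):
# Find-GppHiveInKeyPath -Path '\\corp.example\SYSVOL\corp.example\Policies\{GPO-GUID}\Machine\Preferences\Registry\Registry.xml'
```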

Rhymenoserous
May 23, 2008

TWBalls posted:

Back when Conficker and other Worms were going around, we were one of the few hospitals (owned by our parent company, can't say for others) that weren't affected because I insisted on having Windows firewall enabled. I'm not sure why you wouldn't have it enabled. It's an extra layer of protection and it's really easy to allow/disallow something through GPO.

I had to clean conficker off this network once, early in my career here. Not fun. It did act as the catalyst for me being allowed to buy antivirus software though so that was good.

Staying here till 3am manually scrubbing it off every PC and server was not good though. I went the nuke route, three different 3rd party conficker nuking tools run on every PC, then shut the PC down.

I'm only allowed to buy stuff after disaster strikes and I say "Told you so".

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


devmd01 posted:

I'm working on setting up a group policy to create/enforce a couple of HKLM registry settings, specifically for Lync client-side conversation history settings. I'm pretty drat sure I have it set up correctly in group policy preferences under computer configuration, but it fails to apply in my test OU on Windows 7 and 8.1 machines:


Unfortunately my google-fu has failed me, since this is a fairly generic error. Any ideas? I'd rather not have to resort to a REG IMPORT startup script. The policy is below:




e: god dammit I figured it out right after I hit post, you don't need the hive name in the key path. Hopefully this helps someone else!

How did you figure out that's what it was?

devmd01
Mar 7, 2006

Elektronik
Supersonik

Tab8715 posted:

How did you figure out that's what it was?

Honestly I have no idea. :v: Something clicked in my brain that "parameter is incorrect" meant "bad input," whacked the hive off of the key path, refreshed on my test machine, and bingo.

Zaepho
Oct 31, 2013

BaseballPCHiker posted:

Anyone have any recommendations on MSI building software? I've been using Orca for a bit but feel like there's got to be some paid software out there that will work better.

WiX is great since you can check in the MSI build XMLs with the rest of your code. The devs at a software company I worked for absolutely loved it. NAnt would build all the code, run all of the tests, and build the installers and drop them for final testing and acceptance, and bam, out the door they would go. Once it was set up and running it was easy to distribute stuff as well as easy to update installer processes.

http://wixtoolset.org/

Dans Macabre
Apr 24, 2004


Thanks everyone. Like others said I have it disabled because as a small company, small-IT dept it's a pain in the rear end with not a whole lot of value that I can see.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Curious, what wasn't working when you had it enabled?

Dans Macabre
Apr 24, 2004


Tab8715 posted:

Curious, what wasn't working when you had it enabled?

In this case it wasn't affecting anything - I was troubleshooting an Office 365 ProPlus Click-to-Run install and disabling the firewall was one of the troubleshooting steps. Went to disable the firewall to find out the domain profile was enforced by GPO.

It ended up not being related.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


NevergirlsOFFICIAL posted:

In this case it wasn't affecting anything - I was troubleshooting an Office 365 ProPlus Click-to-Run install and disabling the firewall was one of the troubleshooting steps. Went to disable the firewall to find out the domain profile was enforced by GPO.

It ended up not being related.

The gently caress? Was this an official Microsoft step?

Zaepho
Oct 31, 2013

Tab8715 posted:

The gently caress? Was this an official Microsoft step?

As a troubleshooting step this is fine. It tells you IF the firewall is a factor. You can then choose to fix the issue with the firewall since you now know it's a firewall issue. Pretty typical process-of-elimination troubleshooting in my book.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
I phoneposted an extremely vague question about access based enumeration earlier this week, thanks to the people who had a crack anyway and here's my proper attempt:


I have users at two sites that maintain their own shared folders. I want to combine all the folders from both sites into a single DFS share. For convenience for the users, I want to use ABE to hide the folders that don't belong to the local site. Otherwise they'd be scrolling through twice as many folders.

I know ABE can do this, but in certain instances users from one site need to be able to access folders belonging to the other site. Is there a way I can hide them from display, but still allow them to be accessed if required?

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
I still think the answer is no.

ABE means if you have access you can see it, if you don't have access you can't see it. It's pretty binary. You're looking for a scenario where they would have access but it's hidden anyway. How are you envisioning them seeing the folder when they do want access?

It sounds like the best bet would be to have two folders in DFS, and have each site's folders be in their site folder. It doesn't sound like there's a lot of reason to combine everything together into a single namespace.

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from

FISHMANPET posted:

I still think the answer is no.

ABE means if you have access you can see it, if you don't have access you can't see it. It's pretty binary. You're looking for a scenario where they would have access but it's hidden anyway. How are you envisioning them seeing the folder when they do want access?

It sounds like the best bet would be to have two folders in DFS, and have each site's folders be in their site folder. It doesn't sound like there's a lot of reason to combine everything together into a single namespace.

Not quite; you can turn on group defined ABE, which will show/hide folders to certain groups by a defined list, independent of NTFS rights. The option is on the third tab of the DFS folder properties in the DFS console.

Edit: Technet article

hihifellow fucked around with this message at 13:10 on Jan 30, 2015
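The same setting hihifellow points at, done from PowerShell as an added example (not from the thread), so that Swink's two-site layout can be scripted and verified. Namespace, folder and group names are placeholders; it assumes the DFSN module on Server 2012 or later and a domain-based namespace, and that Grant-DfsnAccess sets the folder's explicit view list.

```powershell
# Added example, not from the thread; all names are placeholders.
Import-Module DFSN

$ns = '\\corp.example\Shares'

# Access-based enumeration must be on for the namespace before any
# per-folder visibility list has an effect.
Set-DfsnRoot -Path $ns -EnableAccessBasedEnumeration $true

# Which site group should SEE which folders. This is only the DFS view list:
# NTFS permissions on the folder targets still decide who can OPEN them, so
# a Site B user who types \\corp.example\Shares\SiteA-Finance directly still
# gets in if the NTFS ACL allows it, which is the behaviour Swink asked for.
$visibleTo = @{
    'CORP\SiteA-Users' = @('SiteA-Finance', 'SiteA-Projects')
    'CORP\SiteB-Users' = @('SiteB-Finance', 'SiteB-Projects')
}

foreach ($group in $visibleTo.Keys) {
    foreach ($folder in $visibleTo[$group]) {
        # Puts the group on the folder's explicit view list (the DFS console's
        # "set explicit view permissions"); groups not on the list don't see it.
        Grant-DfsnAccess -Path "$ns\$folder" -AccountName $group | Out-Null
    }
}

# Verify: show who is on each folder's view list now. Anything that is on
# here but should not be can be taken off with Revoke-DfsnAccess.
$visibleTo.Values | ForEach-Object { $_ } | Sort-Object -Unique | ForEach-Object {
    Get-DfsnAccess -Path "$ns\$_"
}
```

Because the view list is independent of NTFS, audit both: a folder hidden from a group in DFS is still reachable by UNC path if the target's ACL grants it, so the NTFS ACL remains the real access control.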

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Trying to do some WMI filtering on GPOs and I've got a question because I keep running into syntax errors doing what I'm trying to do (possibly because you can't do it!)

I've got a few filters set up that look at Win32_OperatingSystem and others that look at Win32_ComputerSystem (specifically using name like "blah"). I'd also like to set up a few filters that look at both computer name AND operating system to apply a GPO. Is there any way to do that, or am I going to have to drill into item-level targeting (please god no)?

CLAM DOWN
Feb 13, 2007




Has anyone experienced problems doing mount -t cifs from a Linux system to a member server on a 2012R2 domain (both DCs and functional level is 2012 R2)? This issue has cropped up for us since upgrading domain controllers last week and I'm not sure what's going on.

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from

MF_James posted:

Trying to do some WMI filtering on GPOs and I've got a question because I keep running into syntax errors doing what I'm trying to do (possibly because you can't do it!)

I've got a few filters set up that look at Win32_OperatingSystem and others that look at Win32_ComputerSystem (specifically using name like "blah"). I'd also like to set up a few filters that look at both computer name AND operating system to apply a GPO. Is there any way to do that, or am I going to have to drill into item-level targeting (please god no)?

WQL can't query more than one class at a time, so no.

Honestly I'd try to avoid WMI filters, querying WMI can greatly increase GPO processing time.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

CLAM DOWN posted:

Has anyone experienced problems doing mount -t cifs from a Linux system to a member server on a 2012R2 domain (both DCs and functional level is 2012 R2)? This issue has cropped up for us since upgrading domain controllers last week and I'm not sure what's going on.

SMB 3.0? You can force it down, I believe, via PowerShell. I'd natively mount NFS where I can though, only because I'm a computer janitor.

CLAM DOWN
Feb 13, 2007




incoherent posted:

SMB 3.0? You can force it down, I believe, via PowerShell. I'd natively mount NFS where I can though, only because I'm a computer janitor.

I'm trying to figure out a way to support this on the Linux side rather than changing the domain. I know a big change in 2012 R2 was eliminating the ability to use SMB 1, and I'm not sure if that's affecting the Linux mount attempts. This worked literally right up until the DC upgrades so something has changed on that site but I'm just not sure. NFS isn't an option for me unfortunately.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
It's not gone, you just have to enable it. For some reason all my installs have it installed by default, but I'm not on a 2012 domain/forest.


incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
Also: Microsoft pushes Windows Server to 2016.

Thank god, I don't think anyone is ready for that fast of an iteration of Windows Server.
