Gyshall posted: Real life applications (seeing environments and how they're set up and not set up well). Labs, trial & error in those labs, books, whitepapers, labs, a few conferences, certifications.

Same. Don't be afraid to ask people who know more than you questions. If you're lucky enough to work with nice Senior Admins/Engineers (or even better, a PFE), pick their brain when they're not busy. Add some MS/TechNet blogs to your feeds if you're specializing in a particular application too.

Apr 1, 2015 19:55

Tab8715 posted: For the experienced Windows Admins, how did you guys learn it all?

Read all my posts in shsc and do the opposite.

Apr 1, 2015 20:01

Tab8715 posted: For the experienced Windows Admins, how did you guys learn it all?

Been doing it 10+ years. You pick things up along the way. I read books, blogs, keep up to date, keep certified, etc., but a lot of it just comes from doing it for so drat long.

edit: for the record, I don't know it all, not even close. No one can know everything. I learn new poo poo all the time.

Apr 1, 2015 20:20

Tab8715 posted: For the experienced Windows Admins, how did you guys learn it all?

Talking like I knew poo poo until someone made me domain admin so I could put up or shut up. MCSA/E classes are pretty good at teaching you Windows adminning too.

Apr 1, 2015 20:58

Coworkers/mentors, labs/practice, on-the-job experience, books, classes, certs. In that order.

Apr 1, 2015 20:59

Gyshall posted: Real life applications (seeing environments and how they're set up and not set up well). Labs, trial & error in those labs, books, whitepapers, labs, a few conferences, certifications.

Don't forget "seeing something interesting and reading about it on the toilet."

Apr 2, 2015 04:11

Tab8715 posted: For the experienced Windows Admins, how did you guys learn it all?

Keep learning, mess with stuff, break stuff and learn to fix it without resorting to slicking the drives or restoring backups. Learn Google-fu. Learn AD and IIS like it's your offspring.

Apr 2, 2015 16:26

So I'm looking for ways to lock down a computer so that nothing can be saved locally. Bosslady wants people to be unable to save anything to a device to reduce our legal risk (healthcare org, so working under HIPAA). Without going third-party software, the most I've found is removing C: from the list of drives and redirecting Documents/Desktop/etc., but there are still some folders that people will have to be able to write to so that Windows and any software they run can function, and I don't know if that would satisfy legal. I've brought up things like Deep Freeze or VDI but got shot down (though VDI with an "in the future it would be nice"), so I'm looking for other options.

Apr 2, 2015 22:21

hihifellow posted: So I'm looking for ways to lock down a computer so that nothing can be saved locally. Bosslady wants people to be unable to save anything to a device to reduce our legal risk (healthcare org, so working under HIPAA). Without going third-party software, the most I've found is removing C: from the list of drives and redirecting Documents/Desktop/etc., but there are still some folders that people will have to be able to write to so that Windows and any software they run can function, and I don't know if that would satisfy legal.

How locked down are you looking for? A while ago my company needed me to put up timesheet-only kiosks and used this to get it done. It's basically a huge document with every GPO you would need to set to get a "Steady State" environment.

edit - spelling from phone posting

Apr 2, 2015 22:31

Sacred Cow posted: How locked down are you looking for? A while ago my company needed me to put up timesheet-only kiosks and used this to get it done. It's basically a huge document with every GPO you would need to set to get a "Steady State" environment.

Basically looking for only being able to print and save data to network drives. I'll start with this though, thanks.

Apr 3, 2015 00:56

hihifellow posted: So I'm looking for ways to lock down a computer so that nothing can be saved locally. Bosslady wants people to be unable to save anything to a device to reduce our legal risk (healthcare org, so working under HIPAA). Without going third-party software, the most I've found is removing C: from the list of drives and redirecting Documents/Desktop/etc., but there are still some folders that people will have to be able to write to so that Windows and any software they run can function, and I don't know if that would satisfy legal.

There's a group policy setting that will lock out one drive from a user writing to it. If they try to save a file, they will see it appear, but if you refresh, it's gone. It never actually gets written. I am using this for public access workstations; My Documents and other folders are redirected.

Apr 3, 2015 15:49

hihifellow posted: Basically looking for only being able to print and save data to network drives. I'll start with this though, thanks.

Yeah, you can do all of that with Group Policy. I'd recommend making an OU and recreating your domain structure (Computers/Users/etc.) in that OU, then blocking inheritance on that OU. Make a couple of test users and place a couple of test VMs within that OU, and then go to town. Once you're done setting up Group Policies, deploy them company-wide. I use this same setup at our healthcare clients - HIPAA HITECH is a bitch but pretty easy to do this way. Also helps a ton with HIPAA if you go strictly thin client, FWIW.

Apr 3, 2015 16:08

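The procedure in the last two posts (an isolated test OU with inheritance blocked, throwaway test users and VMs, and a GPO that takes the local drive out of the user's reach) can be scripted so it is repeatable and reviewable. The block below is an added example written for this page, not code from anyone in the thread. It assumes RSAT with the ActiveDirectory and GroupPolicy modules, a domain admin session on a domain-joined machine, and the hypothetical names LockdownTest, lockdown.test and TESTVM01.

```powershell
# Added example: build a test OU that mirrors production, block inheritance,
# create a test user, and link a GPO that hides and blocks the local C: drive.
# Assumptions (not from the thread): RSAT AD + GroupPolicy modules installed,
# run as a domain admin; OU/user/computer names below are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName
$TestOU   = "OU=LockdownTest,$DomainDN"

# 1. Isolated OU mirroring the production layout. Blocking inheritance means
#    only policies linked at or below this OU apply to objects inside it.
New-ADOrganizationalUnit -Name 'LockdownTest' -Path $DomainDN -ProtectedFromAccidentalDeletion $false
foreach ($child in 'Users', 'Computers') {
    New-ADOrganizationalUnit -Name $child -Path $TestOU -ProtectedFromAccidentalDeletion $false
}
Set-GPInheritance -Target $TestOU -IsBlocked Yes

# 2. Throwaway test user. Prompting keeps the password out of the script.
$pw = Read-Host -AsSecureString -Prompt 'Password for lockdown.test'
New-ADUser -Name 'lockdown.test' -SamAccountName 'lockdown.test' `
    -Path "OU=Users,$TestOU" -AccountPassword $pw -Enabled $true

# 3. Move a test VM's computer object into the OU (TESTVM01 is hypothetical).
Move-ADObject -Identity (Get-ADComputer 'TESTVM01').DistinguishedName `
    -TargetPath "OU=Computers,$TestOU"

# 4. GPO with the two Explorer policies the thread describes:
#      NoViewOnDrive = "Prevent access to drives from My Computer"
#      NoDrives      = "Hide these specified drives in My Computer"
#    Both take a bitmask: A=1, B=2, C=4, D=8 ... so 4 means C: only.
$gpo      = New-GPO -Name 'Workstation - No Local Save'
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $explorer `
    -ValueName 'NoViewOnDrive' -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key $explorer `
    -ValueName 'NoDrives' -Type DWord -Value 4 | Out-Null

# 5. Link only to the test OU; nothing outside it is affected yet.
New-GPLink -Name $gpo.DisplayName -Target $TestOU -LinkEnabled Yes | Out-Null

# 6. Show what is now linked to the test OU before anyone logs on.
Get-GPInheritance -Target $TestOU | Select-Object -ExpandProperty GpoLinks

# On TESTVM01, log on as lockdown.test and confirm with:  gpresult /r /scope:user
```

Two caveats before linking this anywhere near production. First, both Explorer policies restrict the shell and the common Open/Save dialogs only: a user with a command prompt, PowerShell, or an application that writes to a path directly can still write anywhere NTFS permits, so treat them as a usability control and back them with Folder Redirection (configured in GPMC; there is no Set-GPRegistryValue equivalent for it), NTFS ACLs, and/or AppLocker. Second, verify on the test client with gpresult and an actual save attempt, then remove the inheritance block and link the GPO to the real OU rather than moving production objects into the test OU.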
Gyshall posted: Also helps a ton with HIPAA if you go strictly thin client, FWIW.

I am quite literally doing this as I sit here now -- not for HIPAA, but NIST standards. My boss only looked at me funny when he walked by to find me running CrystalDisk and three YouTube videos simultaneously on our demo Wyse client. The VM (vSphere 5.5) performs gorgeously even without graphics acceleration on two virtual cores provided on a 2.4GHz Ivy Bridge host. Color me impressed.

Apr 4, 2015 00:05

Tab8715 posted: For the experienced Windows Admins, how did you guys learn it all?

I don't tout myself as experienced, but TechNet Virtual Labs have been really helpful when we upgraded to Server 2012.

Apr 4, 2015 22:24

Cosmic D posted: I don't tout myself as experienced, but TechNet Virtual Labs have been really helpful when we upgraded to Server 2012.

Holy poo poo. This is cool. For myself, I can set up a Domain Controller (AD/DNS/DHCP), make users, add printers, throw in a few GPOs, but afterwards I'm kind of at a loss. It seems incredibly easy and I could honestly spend a majority of my time getting really ingrained with GPOs, but most of my environments have only been a few dozen users. I've never had anything break either, aside from DNS flaking out, which 99% of the time a restart has fixed.

Apr 4, 2015 22:33

I'm not sure if this is the right place to ask, but is anyone dealing with OS X in an Active Directory environment? All Yosemite. Basically, I'd like an easier way to admin them without having to go to each machine. ADmitMac looks OK but apparently it's not very good? Mainly, I'd love an easy way to run login scripts, mount the home directory, and push printers.

E: this is for ~5 machines, but it may grow eventually.

Apr 7, 2015 17:27

I have no idea of the capabilities, but I hear a lot of mention of Casper. I know it does a lot of package deployment for software management, but maybe it does that other stuff too.

Apr 7, 2015 17:55

FISHMANPET posted: I have no idea of the capabilities, but I hear a lot of mention of Casper. I know it does a lot of package deployment for software management, but maybe it does that other stuff too.

Holy moly, that looks like overkill, but I'll do some digging and see what I can find.

Apr 7, 2015 17:59

LmaoTheKid posted: I'm not sure if this is the right place to ask, but is anyone dealing with OS X in an Active Directory environment?

I actually constantly wonder the same thing. The Macs are such a pain in the rear end to admin, and there are only 6 of them in my 100-computer environment. Looking forward to more responses.

Apr 7, 2015 18:40

Lower their support expectations. If they want to be a special flower, so be it; they're on their own. Support their email, printing, and access to the intranet resources needed for their job function, and that's it. Worked well for when I had to admin 7 Macs out of 4000+ Windows workstations. Then again, I didn't mind so much because all of the Mac users were hot.

Apr 7, 2015 19:38

devmd01 posted: Lower their support expectations. If they want to be a special flower, so be it; they're on their own. Support their email, printing, and access to the intranet resources needed for their job function, and that's it. Worked well for when I had to admin 7 Macs out of 4000+ Windows workstations. Then again, I didn't mind so much because all of the Mac users were hot.

My problem is that at like a dozen of our all-Windows clients it's the owners themselves that have Macs, same owners with tons of Outlook calendars and other poo poo that never meshes right with Mac Outlook.

Apr 7, 2015 19:43

socialsecurity posted: My problem is that at like a dozen of our all-Windows clients it's the owners themselves that have Macs, same owners with tons of Outlook calendars and other poo poo that never meshes right with Mac Outlook.

I have them use Mail.app, which supports ActiveSync, even though it's a little finicky at times. Or I tell them to use OWA and deal with it.

Apr 7, 2015 19:46

I have a few schools that are AD/Mac OS X integrated. We offer two approaches to this depending on the level of integration the client wants:

1) Separate Mac OS X and Windows VLANs/infrastructure - i.e. have the Mac OS X side be the directory "slave", with Open Directory importing information from Active Directory; Mac clients are managed and supported via a centralized Mac OS X server but bound to AD or Open Directory. Almost all users are flagged as mobile accounts within OS X. Gives you "single sign-on" to all things Apple/Active Directory. We recommend this for any org with 20+ Apple and/or 20+ Windows users, and/or if they have mixed (10.6+) OS X clients and/or 2003 servers.

2) AD is the only directory service, forest/domain functional level at 2008 R2+, domain name is not .local (see below), all up-to-date/newer clients and servers. This is pretty much bulletproof for connecting any Mac OS X device, I've found. I still like to have an OS X server around for mass configuration/whatever the hell the group policy analog for OS X is called these days.

Another thing to keep in mind - if your internal domain name ends with .local, you're going to have A Bad Time (TM) getting everything working correctly, since .local is treated as a Bonjour mDNS record.

Apr 7, 2015 19:58

I used to deal with about 50 post-production workstations in higher ed with an AD backend. If you only have 6 machines, I'd probably just use Apple Remote Desktop and bind them to AD for authentication. ARD allows you to do bulk changes and scripts to make your life easier. And now that Mac OS Server is much cheaper, you can do a ton with Profile Manager, which has the added benefit of MDM for iOS devices.

Apr 7, 2015 20:39

Casper is really good, and priced accordingly. For 99% of tasks you just need something that can do basic profile management and a bit of self-serve, so look at deploying Simian onto Google App Engine (or use Munki on your own servers). For the biggest time-saving, look at DeployStudio; it's free and awesome.

Apr 7, 2015 21:20

Has anyone ever configured a single domain between AD, Azure and Office 365?

Apr 9, 2015 01:18

Tab8715 posted: Has anyone ever configured a single domain between AD, Azure and Office 365?

I have; it should be a fairly easy process using the Directory Sync tool. Got any specific questions or problems?

Apr 9, 2015 01:32

Update on the Mac question: it's cheaper to just get a Mac mini and do the server upgrade and use all the nifty stuff it has. A refurb 2014 Mac mini with 8 gigs of RAM should be Just Fine for cached updates and Profile Manager. Thanks everyone!

Apr 9, 2015 02:19

LmaoTheKid posted: Update on the Mac question: it's cheaper to just get a Mac mini and do the server upgrade and use all the nifty stuff it has. A refurb 2014 Mac mini with 8 gigs of RAM should be Just Fine for cached updates and Profile Manager.

Apr 9, 2015 14:48

Tab8715 posted: Has anyone ever configured a single domain between AD, Azure and Office 365?

AADSync is pretty easy to set up if you just want domain sync between AD and Office 365 (like 15 minutes of setup if you read the docs first). If you want SSO, that's a bit more work.

Apr 9, 2015 18:33

socialsecurity posted: My problem is that at like a dozen of our all-Windows clients it's the owners themselves that have Macs, same owners with tons of Outlook calendars and other poo poo that never meshes right with Mac Outlook.

Unless it's changed in recent years, Mac Outlook is the complete loving worst. Like it appears to have been an attempt to actively sabotage Mac users and drive them back to Windows. Using Mail.app or even Thunderbird + Lightning or something will deliver a better experience.

Apr 9, 2015 18:46

Docjowles posted: Unless it's changed in recent years, Mac Outlook is the complete loving worst. Like it appears to have been an attempt to actively sabotage Mac users and drive them back to Windows. Using Mail.app or even Thunderbird + Lightning or something will deliver a better experience.

Entourage is crap, yes, as is most of Mac Office. However, I played with 2016 the other day and so far I'm impressed.

Apr 9, 2015 18:58

Docjowles posted: Unless it's changed in recent years, Mac Outlook is the complete loving worst. Like it appears to have been an attempt to actively sabotage Mac users and drive them back to Windows. Using Mail.app or even Thunderbird + Lightning or something will deliver a better experience.

Mac Outlook 2011 is a pretty okay wrapper onto OWA and isn't terrible for most things. Delegation and alternate mailboxes are problematic. Mac Outlook 2016 is coming along very nicely and is pretty much a genuine MAPI/RPC client for OS X. Still in beta, so I can't say anything about stability, but the feature set looks pretty complete.

Apr 9, 2015 19:06

Mac Outlook 15 is still poo poo. It's a barely-polished version of Outlook 2011 and there is a hell of a lot it doesn't support. I really wish they would stop those loving popups about being redirected to Office 365 every time a delegate is added; I've no idea how it passed testing. OWA works better in a lot of cases.

Apr 9, 2015 19:41

Maneki Neko posted: AADSync is pretty easy to set up if you just want domain sync between AD and Office 365 (like 15 minutes of setup if you read the docs first). If you want SSO, that's a bit more work.

Yea, I set up on-prem AD to Azure AD Premium; it was much easier than I expected it to be, but this is leading me to another question. Is there a way you could completely move AD to Azure AD and use that to auth to O365? I'm a little confused how this would be configured from the top down; you'd have to have some kind of local device. For the on-prem environment I'm not sure if you'd have a RODC-to-Azure AD, ADFS or just a P2P-VPN-to-Azure? Would I need to spin up a separate VM in Azure, connect that to that Azure AD, then have that sync with O365? I'm guessing there's probably multiple ways to configure this...

Apr 10, 2015 03:39

Docjowles posted: Unless it's changed in recent years, Mac Outlook is the complete loving worst.

Correct, 2011 is and always will be garbage, just because it can't use ActiveSync and has to use "Web Services" for a protocol. You may as well use Mail.app. It's aggravating because the patches come through so frequently, yet they don't address any problem that people want fixed. Another good vote here for Outlook 2016; it's a big improvement and I'd be tempted to deploy it in preview if I had control over our O365 services. I should note that I haven't messed with calendars or appointments that much; we have plenty of problems with that on Windows, so that wouldn't even be good info.

Thanks Ants posted: OWA works better in a lot of cases.

Well yeah, I don't expect that to change.

Apr 10, 2015 03:54

Tab8715 posted: Yea, I set up on-prem AD to Azure AD Premium; it was much easier than I expected it to be, but this is leading me to another question.

I'm not getting what you're asking... moving AD to Azure AD? Unless you're federated, O365 is already authenticating to Azure AD. AAD Sync just copies data from on-prem AD to Azure AD. You don't even need on-premise AD for O365; your users would exist only in the Azure AD instance backing your O365 account. Azure AD in its current form cannot replace on-premise AD, if that's what you're getting at.

Apr 10, 2015 04:05

skipdogg posted: I'm not getting what you're asking... moving AD to Azure AD?

I'm trying to test the scenario of eliminating on-premise Active Directory by doing a one-time Azure Active Directory synchronization of the on-prem AD to Azure AD. Once the sync is over, the local AD server would ideally be eliminated. Basically, the scenario I'm trying to accomplish is to push everything to the cloud as much as possible.

Apr 10, 2015 04:26

If you're willing to lose all the on-premise AD stuff, you could do that. You can't use Azure AD in its current form to handle other parts of AD like joining computers to the domain, security groups (to secure on-premise resources), and letting other applications authenticate to it (though with Azure AD Premium, SSO/SAML could be set up pretty easily). I know there are new things like Workplace Join coming, but I'm not sure if their roadmap is to have a replaceable version of on-premise AD that exists in the cloud. I don't think it is, although I can ask. My company has an O365 TAM and I just finished a session with an Azure PFE a couple days ago. We're rolling Azure AD Premium out to our users right now (mainly Azure MFA, with some SAML SSO coming this summer). We just bought the EMS licenses to go with our existing E3 licenses. We pay Microsoft so much money... so so much money.

Apr 10, 2015 04:34

Tab8715 posted: I'm trying to test the scenario of eliminating on-premise Active Directory by doing a one-time Azure Active Directory synchronization of the on-prem AD to Azure AD. Once the sync is over, the local AD server would ideally be eliminated.

Windows 10 will support the ability to authenticate natively against Azure AD instead of an on-prem AD, so you could look at that when it comes out. Things like GPO would be replaced with Intune, etc. Hopefully this is something they talk a bit more about at Ignite, as I could see this making sense for some of our customers, assuming there's some sort of proxy mechanism to translate the 80 hojillion little one-off apps that hook into AD.

Apr 10, 2015 17:24