Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


On another note, where does one start to encounter directory replication latency?


Demie
Apr 2, 2004

Moey posted:

Speaking of patching, is there a good solution that you folks advise for managing patches on remote computers? For in house stuff, WSUS fits my needs, but we have a ton of laptops floating around that do not connect back to our network too often.

We're using SCCM for patching, but laptops are always a challenge. It's hard to decide if you want A) patches applied during maintenance windows, when the laptop is probably turned off and outside the WAN, or B) you just push updates at all times, so 100+ updates try to install while the user is forcing the laptop to power off. There are some advanced configurations to get it past the WAN at least.

Sickening
Jul 16, 2007

Black summer was the best summer.

Tab8715 posted:

On another note, where does one start to encounter directory replication latency?

Just curious, but have you run the Active Directory Replication Status Tool and had everything check out? Might be well beneath your problem, but that would have been the first place I would have started.

Gucci Loafers
May 20, 2006



Sickening posted:

Just curious, but have you run the Active Directory Replication Status Tool and had everything check out? Might be well beneath your problem, but that would have been the first place I would have started.

It's more of a general question: when does a directory become so large that it actually becomes an issue?

Tony Montana
Aug 6, 2005

by FactsAreUseless
I'll write up a decent post, I'm just finishing up here.. it's my last day. So I'm going to nuke my own laptop and disable my accounts on the client's network because I actually don't trust these monkeys to do it.

Your first two questions I can go into a bit of detail on, but the last one is easy and fun.


Tab8715 posted:

It's more of a general question: when does a directory become so large that it actually becomes an issue?

There is a cool page (I think it's cool :)) about AD's scalability limits.

https://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

A lot of this comes down to the RID pool, which is a pile of unique identifiers used when creating objects in the directory. That's a whole post in itself.. but suffice to say there are a couple of billion and there is even more magic MS can pull here if you get stuck. The PFE was explaining how he's received calls about the RID pool running out (there are reasons for this other than creation of objects, such as a restore where you've invalidated a large section of the RID pool but not then done other things you should) and MS can actually unlock a final bit to give you another billion or so RIDs while you frantically plan your migration.

An AD Lead I know works on an account in the Middle East with over 750k user objects. Hundreds of DCs.

Topology in Active Directory is handled automatically by your friend and mine, the KCC. The KCC has a friend called the ISTG (which was a PFE interview question, explain the algorithm that the ISTG uses to select the bridgehead.. I screwed my face up at that one). So the links between AD sites are automatically generated.. but if you're running a directory of hundreds of thousands of users you'll probably have some administrative input to make sure your fastest WAN links are being utilized, etc. But yeah.. assuming you do this and have suitable WAN links between your sites then there is no functional limit. You can read about the Jet database AD is built on and the literal decades of enhancement and tweaking Microsoft have done to their industry leading AAA platform.. it's serious software :)
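A way to see how much of the RID pool the post talks about a domain has actually issued, as an added example (not code from the thread): the RID Manager$ object's rIDAvailablePool attribute packs the pool ceiling and the next RID to hand out into one 64-bit value. It assumes the ActiveDirectory RSAT module and read access to the domain.

```powershell
# Added example, not from the thread: decode rIDAvailablePool on the RID Manager$
# object to report how much of the domain's RID space has been issued.
# Requires the ActiveDirectory module (RSAT) and PowerShell 3.0+ for -shr/-band.
Import-Module ActiveDirectory

function Get-RidPoolStatus {
    param([string]$Server)   # optional: a DC of the domain to query (assumption: default domain if omitted)

    $domain = if ($Server) { Get-ADDomain -Server $Server } else { Get-ADDomain }
    $ridMgrDn = 'CN=RID Manager$,CN=System,' + $domain.DistinguishedName

    # Read the attribute from the RID master itself so the value is authoritative.
    $ridMgr = Get-ADObject -Identity $ridMgrDn -Properties rIDAvailablePool -Server $domain.RIDMaster

    # rIDAvailablePool is a 64-bit integer: the high 32 bits hold the highest RID the
    # domain may ever issue, the low 32 bits hold the next RID that will be allocated.
    # By default the ceiling is 0x3FFFFFFF (1,073,741,823); unlocking the 31st bit
    # raises it to 0x7FFFFFFF. Use a decimal mask: 0xFFFFFFFF would parse as int32 -1.
    [int64]$pool   = $ridMgr.rIDAvailablePool
    [int64]$total  = $pool -shr 32
    [int64]$issued = $pool -band 4294967295

    [pscustomobject]@{
        Domain      = $domain.DNSRoot
        RidMaster   = $domain.RIDMaster
        TotalRids   = $total
        IssuedRids  = $issued
        PercentUsed = [math]::Round(($issued / $total) * 100, 4)
    }
}

Get-RidPoolStatus | Format-List
```

IssuedRids counts RIDs handed out to DCs in blocks, so it climbs in steps of the RID block size rather than one per object; a domain that creates and deletes objects at a high rate (or has had an authoritative restore) is where PercentUsed is worth trending.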

Rhymenoserous
May 23, 2008
The odds of running into a RID pool limit are pretty low though. The only time I've seen it in 15 years was with a webhosting company that was creating/deleting thousands of users a day on its shared Windows solution (single domain).

Waroduce
Aug 5, 2008
So I'm doing a rollout in one of the largest districts in the nation. I'm in their HQ building that's 20-some-odd stories high and houses a few thousand people. The head computer janitor/IT type we've been liaising with doesn't know how to push settings from a server to a client or deploy drivers. He has himself and his techs walk floors and touch everything.

Oh and we wanted to set up share folders and we're asking for paths and he's like oh I just share the whole drive.

God bless

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
In my team meeting today I learned about someone in some department that has a separate OU for each computer, and a separate group policy for each OU.

It's amazing how huge the gulf between "best practices" and "trash garbage solution that somehow works at the end of the day" is.

Xenomorph
Jun 13, 2001
Is there a way to disable the WebDAV cache?

I'm trying to figure out how fast WebDAV uploads/backups could be to one server.
Copying a file to the WebDAV server results in Windows showing 200-500 MB/sec as the file copy dialog finishes nearly instantly.

Meanwhile, the actual file is in the local location of C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV, and is slowly uploading to the server in the background. Monitoring my network connection shows ~10MB/sec traffic, but of course that covers everything my system is doing. I just wanted to benchmark just the WebDAV copy.

dox
Mar 4, 2006
MDT 2013 Update 1 and MDOP 2015 are out.

One of the more interesting bits about MDT is that they moved from ImageX to DISM for the imaging processes... but this also means there's no status percentage on deploying/creating an image. There are some bugs (MDAC support), but it seems pretty good so far.

Maneki Neko
Oct 27, 2000

dox posted:

MDT 2013 Update 1 and MDOP 2015 are out.

One of the more interesting bits about MDT is that they moved from ImageX to DISM for the imaging processes... but this also means there's no status percentage on deploying/creating an image. There are some bugs (MDAC support), but it seems pretty good so far.

OH hay, MBAM is slightly less terrible it looks like from the release notes. :suicide:

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


A new out of band security bulletin has been published: https://technet.microsoft.com/en-us/library/security/ms15-093.aspx

It's an Internet Explorer RCE with active exploits but no public disclosure. Probably want to patch all workstations ASAP.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
Is anyone deploying Win8.1 via MDT and including a recovery partition (required for bitlocker)?
Are you able to let me in on how you're doing it?

Methanar
Sep 26, 2013

by the sex ghost
I just made my first powershell script and I'm very proud of myself. I needed to change all references to \\oldserver\ to \\newserver\ in all files in a directory.

I can just hold onto this script basically forever now and just change the filepath, oldtext, newtext variables whenever I need to.
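The kind of script described above, written here as an added example rather than Methanar's own: it sweeps a folder for files containing \\oldserver\ and rewrites them to \\newserver\, keeping the three variables the post mentions. The folder path and the file extensions are placeholders.

```powershell
# Added example, not the poster's script: replace every \\oldserver\ reference with
# \\newserver\ in text-type files under a folder. Edit the three variables as needed.
$filepath = 'C:\Scripts\Shares'      # folder to sweep (placeholder path)
$oldtext  = '\\oldserver\'
$newtext  = '\\newserver\'
$extensions = '*.txt', '*.bat', '*.cmd', '*.ini', '*.xml', '*.ps1'   # assumed file types

# Escape the search string so the backslashes are not read as regex metacharacters.
# UNC names are case-insensitive, so match that way too.
$pattern = [regex]::Escape($oldtext)

Get-ChildItem -Path $filepath -Recurse -File -Include $extensions | ForEach-Object {
    $content = Get-Content -LiteralPath $_.FullName -Raw
    if ($content -and $content -match $pattern) {
        # Keep a copy of the original beside it before rewriting anything.
        Copy-Item -LiteralPath $_.FullName -Destination ($_.FullName + '.bak')

        $updated = [regex]::Replace($content, $pattern, $newtext, 'IgnoreCase')
        Set-Content -LiteralPath $_.FullName -Value $updated -NoNewline
        Write-Host "Updated $($_.FullName)"
    }
}
```

Set-Content in Windows PowerShell writes ASCII unless told otherwise, so pass -Encoding to match the files if they contain non-ASCII text; -NoNewline needs PowerShell 5.0 or later.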

Rhymenoserous
May 23, 2008

Swink posted:

Is anyone deploying Win8.1 via MDT

Why would anyone want to do such a thing?

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

What's the best way to deal with the copier leases being up and 10 printers between 100 users being changed all in one day?

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Bob Morales posted:

What's the best way to deal with the copier leases being up and 10 printers between 100 users being changed all in one day?

Use the universal print drivers and keep the IP addresses the same is what we did.

Roargasm
Oct 21, 2010

Hate to sound sleazy
But tease me
I don't want it if it's that easy
Windows 10 RSAT dropped today, DHCP is missing

https://www.microsoft.com/en-us/download/details.aspx?id=45520

Walked
Apr 14, 2003

How does everyone handle driver management for boot images in SCCM? We use Dell laptops, and I normally pick up the cab files for the task sequence.

But adding to the boot image, there's always a subset of drivers that fail to inject and I have to peel them out one by one.

I only attempt to inject the network and storage drivers, yet there's always a few in every Dell cab that just doesn't work.

Waroduce
Aug 5, 2008

Bob Morales posted:

What's the best way to deal with the copier leases being up and 10 printers between 100 users being changed all in one day?

Hire me

GreenNight posted:

Use the universal print drivers and keep the IP addresses the same is what we did.

Universal print drivers are almost universally poo poo. They'll function for basic use, printing emails, web pages, docs, but if you're in an environment where you use a lot of specialized finishing then they can be iffy. It's almost always better to install device-specific drivers. Your fleet should be a single manufacturer and at most 2-4 models unless you have industry-specific requirements, i.e. healthcare/law and scanning. It's not hard to deploy specific drivers, lol if you can't push from a server and have to touch user terminals. 10 printers (multifunction or otherwise) isn't poo poo. I have 34 to do tomorrow. I did 20 today. I have a thousand plus scheduled across the next two months.

Absolutely keep the IP addresses the same, grab all that poo poo before the copier company gets there, print out or know any PIN code poo poo you got and export your address books to CSV or have a user write them down. Have the SMTP info ready.

If you wanna post the financials of your deal or cost per click I'll tell you if you're getting hosed.

Ask me about massive mfp deployments.

Or don't because they are gay.

GreenNight
Feb 19, 2006

Waroduce posted:

Hire me


Universal print drivers are almost universally poo poo. They'll function for basic use, printing emails, web pages, docs, but if you're in an environment where you use a lot of specialized finishing then they can be iffy. It's almost always better to install device-specific drivers. Your fleet should be a single manufacturer and at most 2-4 models unless you have industry-specific requirements, i.e. healthcare/law and scanning. It's not hard to deploy specific drivers, lol if you can't push from a server and have to touch user terminals. 10 printers (multifunction or otherwise) isn't poo poo. I have 34 to do tomorrow. I did 20 today. I have a thousand plus scheduled across the next two months.

Absolutely keep the IP addresses the same, grab all that poo poo before the copier company gets there, print out or know any PIN code poo poo you got and export your address books to CSV or have a user write them down. Have the SMTP info ready.

If you wanna post the financials of your deal or cost per click I'll tell you if you're getting hosed.

Ask me about massive mfp deployments.

Or don't because they are gay.

What are you talking about? I used the Toshiba universal drivers and they found each individual copier and had all the specialized settings built in. Same driver across a half models and each one's specific functions, and it all worked perfectly. Didn't have to touch any of the workstations or change anything on the server.

FISHMANPET
Mar 3, 2007

Walked posted:

How does everyone handle driver management for boot images in SCCM? We use Dell laptops, and I normally pick up the cab files for the task sequence.

But adding to the boot image, there's always a subset of drivers that fail to inject and I have to peel them out one by one.

I only attempt to inject the network and storage drivers, yet there's always a few in every Dell cab that just doesn't work.

Generally speaking, I'd grab just the network driver out of the CAB and inject that in the boot image. But for Dell specifically they have WinPE CABS that are just network and storage drivers.

And RE: Universal drivers. When I dealt with printers the old printers were HP and the new ones were Xerox. I wouldn't use the HP Universal driver for the Xeroxes or the Xerox Global driver for the HPs. And actually speaking of the Xerox one specifically, it was worse than model specific drivers for a lot of the (financial) documents some people were printing. We also had a couple of Ricoh copiers and the Ricoh Universal driver was pretty good.

So I don't think you can universally say Universal is good or Universal is bad, it depends on the vendor.

FISHMANPET fucked around with this message at 02:25 on Aug 20, 2015

Walked
Apr 14, 2003

Really? I need to see if I can track down the WinPE Cab then. Thanks!

FISHMANPET
Mar 3, 2007

All your Dell CAB prayers have been answered:
http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065

Swink
Apr 18, 2006

Rhymenoserous posted:

Why would anyone want to do such a thing?

Surface Pro3 rollout of course.

:suicide:

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

Bob Morales posted:

What's the best way to deal with the copier leases being up and 10 printers between 100 users being changed all in one day?

You're not pushing printers via GP/AD?

Bob Morales
Aug 18, 2006


LmaoTheKid posted:

You're not pushing printers via GP/AD?

We are. And we're using the Toshiba Universal driver. Turns out it was a nightmare last time (I wasn't here then) because they changed IP addresses too.

GreenNight
Feb 19, 2006

Bob Morales posted:

We are. And we're using the Toshiba Universal driver. Turns out it was a nightmare last time (I wasn't here then) because they changed IP addresses too.

The only nightmare is if they have scan to email setup, then you need to manually re-populate that in each individual printer.

Bob Morales
Aug 18, 2006


GreenNight posted:

The only nightmare is if they have scan to email setup, then you need to manually re-populate that in each individual printer.

Usually you can just export/import that crap

GreenNight
Feb 19, 2006

Bob Morales posted:

Usually you can just export/import that crap

Depends if it's the same model. We lease them and 4 years later it was new models and the new models wouldn't accept the export of the old ones. PITA.

Walked
Apr 14, 2003

Man; I'm losing my loving mind with trying to get our latest batch of Dell laptops to image properly with SCCM.

Task sequence, boot image, everything works fine. Works on old Dell laptops, works within VMWare. But on the M3800 - it just sits there on "Configuration Manager is looking for policy".

I've tried deploying the task sequence to all systems as a test; I've deployed it to unknown computers, and I've manually added a computer record by MAC to All Systems. Still happens.

Only this model of Dell exhibits the issue. Connected to the same VLAN/network as the DP.


The only thing I have to go on is there is no SMSPXE.log on the site server; so I'm reinstalling WDS on there and installing CU1 to see if I can get at least some more logging information as to what's going on. Sigh.

Mostly ranting, but any ideas are welcome.


edit:
Re-installing WDS + CU1; deleted out task sequence deployments, and all records of problematic computer.
Fired right up and imaging fine.

SCCM is awesome except when it annoys me.

Walked fucked around with this message at 14:47 on Aug 20, 2015

Matt Zerella
Oct 7, 2002


Bob Morales posted:

We are. And we're using the Toshiba Universal driver. Turns out it was a nightmare last time (I wasn't here then) because they changed IP addresses too.

Oh. Maybe that's a Toshiba specific thing? We use Xerox here and all I did was add the new IP port and driver and it just updated for everyone. I don't use the universal driver though.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy
Me again, that rear end in a top hat with no domain controllers.

Does anyone use Onelogin? Apparently it is a service that will let me plug in my Office365 tenant, and it will essentially sync all our O365 logins and put them into a hosted LDAP/RADIUS server. That sounds incredibly helpful because then people could just use their email address / password to log into our VPN, Wi-Fi, and anything else that Azure AD doesn't directly support with SAML/SSO.

johnnyonetime
Apr 2, 2010

Rhymenoserous posted:

Swink posted:
Is anyone deploying Win8.1 via MDT

Why would anyone want to do such a thing?

If imaging Win 8.1 using MDT is wrong I don't wanna be right...



We do zero-touch imaging with MBAM on the devices and it works a treat

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Zero VGS posted:

Me again, that rear end in a top hat with no domain controllers.

Does anyone use Onelogin? Apparently it is a service that will let me plug in my Office365 tenant, and it will essentially sync all our O365 logins and put them into a hosted LDAP/RADIUS server. That sounds incredibly helpful because then people could just use their email address / password to log into our VPN, Wi-Fi, and anything else that Azure AD doesn't directly support with SAML/SSO.

Yup. I use it. It's pretty neat. Anything you want to know?

Zero VGS
Aug 16, 2002

skipdogg posted:

Yup. I use it. It's pretty neat. Anything you want to know?

Sure, uh, does it have writeback capabilities? Like could I disable a user in it and have it disable every Salesforce/O365/etc. account at the same time?

I assume it uses some kind of software on the workstation side?

I dunno, I set up a demo with them Monday, guess I'll hassle them about it, I was just making sure there weren't any immediate horror stories.

Swink
Apr 18, 2006

johnnyonetime posted:

If imaging Win 8.1 using MDT is wrong I don't wanna be right...



We do zero-touch imaging with MBAM on the devices and it works a treat

Can you show me how you partition the disk for the recovery partition + OSDisk? Even just the xml would start me in the right direction.

Bitlocker doesn't even need to be part of the LTI, just as long as the requirements for bitlocker are met.

Walked
Apr 14, 2003

Question about approach:

We have a set of developers who have run their user accounts as local admin for the longest time; I've been pushing a cultural change away from this and finally have some traction.

Needless to say, they're developers and do need local admin from time to time, and I'd like to find a way to bridge that gap.

So; I'd like to create a second account for developers (similar to how I have a second domain admin account) and add that to local administrators on their local workstations. No big; totally cool.

The only issue is - I want to prevent them from logging into that account and using it for day-to-day use.
Deny Logon Locally prevents them from using that group account for escalated actions.

Any other thoughts?
I've thought about setting a logon script for those users which is basically "sleep 20; shutdown -l" so they can't effectively use it; but that's not quite elegant, either.

Zero VGS
Aug 16, 2002

Walked posted:

Question about approach:

We have a set of developers who have run their user accounts as local admin for the longest time; I've been pushing a cultural change away from this and finally have some traction.

Needless to say, they're developers and do need local admin from time to time, and I'd like to find a way to bridge that gap.

So; I'd like to create a second account for developers (similar to how I have a second domain admin account) and add that to local administrators on their local workstations. No big; totally cool.

The only issue is - I want to prevent them from logging into that account and using it for day-to-day use.
Deny Logon Locally prevents them from using that group account for escalated actions.

Any other thoughts?
I've thought about setting a logon script for those users which is basically "sleep 20; shutdown -l" so they can't effectively use it; but that's not quite elegant, either.

Log into the admin account, open GPEdit User Configuration, then you can set local group policy for that account. You can do fun things like removing the desktop and task bar so all they can do is ctrl-alt-delete to log back out. Or just make a group policy to launch a login script that can't be interrupted which logs them back out. I haven't done it since Windows XP so I'm not sure what the best practice is these days.
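Whichever of the approaches above is used for the secondary admin accounts, the check a practitioner wants is whether those accounts ever end up on a desktop anyway. This added example (not from either post) pulls the 4624 logon events for accounts matching an assumed "-admin" naming convention and keeps the logon types that put an account on a desktop; it assumes success auditing for logon events is enabled on the workstation.

```powershell
# Added example, not from the thread: list desktop-style logons by the secondary
# "-admin" accounts so the deny-logon-locally / logoff-script policy can be verified.
# Assumptions: accounts end in "-admin"; 'Audit Logon' success auditing is on.
function Get-AdminAccountDesktopLogons {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Suffix = '-admin',   # naming convention for the elevated accounts (assumption)
        [int]$Days = 7
    )
    # Logon types that give the account a desktop: 2 = interactive, 10 = RDP,
    # 11 = cached interactive. Type 2 is also what runas and a UAC prompt with
    # alternate credentials produce, which is why "Deny log on locally" catches them
    # too; the logging process name helps tell a full winlogon session from those.
    $desktopTypes = '2', '10', '11'
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the EventData fields out of the event XML into a name -> value table.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

            if ($d.TargetUserName -like "*$Suffix" -and $desktopTypes -contains $d.LogonType) {
                [pscustomobject]@{
                    Time         = $_.TimeCreated
                    Account      = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    LogonType    = $d.LogonType
                    LogonProcess = $d.LogonProcessName
                    ProcessName  = $d.ProcessName
                    Source       = $d.IpAddress
                }
            }
        }
}

Get-AdminAccountDesktopLogons | Format-Table -AutoSize
```

Run it against a few developer workstations after the policy goes in: rows whose ProcessName is winlogon.exe are full desktop sessions that the policy should have stopped, while rows from the secondary logon service or the UAC prompt are the intended elevation use.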


skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Zero VGS posted:

Sure, uh, does it have writeback capabilities? Like could I disable a user in it and have it disable every Salesforce/O365/etc. account at the same time?

I assume it uses some kind of software on the workstation side?

I dunno, I set up a demo with them Monday, guess I'll hassle them about it, I was just making sure there weren't any immediate horror stories.

So now I'm actually in front of a computer, here goes my OneLogin thoughts:

The Good:

OneLogin is a really cool service, and I really like the folks that work there. Support has been good and everyone I've dealt with has been great. They've been very receptive to change/feature requests. I really want the company to succeed. The service is easy to use and manage and I think it's reasonably priced.

The Bad:

From a 50,000 foot view they're a smaller player in an increasingly competitive field. Okta is their main direct competitor, but many other bigger established companies are getting into the same field. Salesforce bought someone and is working on the space, Microsoft Azure AD Premium, and traditional SSO companies like Ping Identity, Centrify, and others also are moving into the space. It's not hard to set up a cloud service and run a hosted SAML/SSO product.

I bring this up because the management in my company had concerns about the long term viability of the company. You probably aren't too worried about this, but we're over 3K users and my Sr. Management shies away from newer companies. I mean we couldn't get them to sign off on Veeam. Now those concerns were first brought up over 2 years ago and OneLogin is still kicking and doing well.

They've had 2 decent sized outages that I remember, the first one they did a really poor job of communicating what exactly was going on. The second one they communicated better, but it was an internal error that brought the service down for several hours. Other than that the service has been solid. Being honest with myself though, I see them getting bought by a larger company sooner or later, I'm not sure if they can compete long term (5+ years) in the market, especially once Microsoft gets Azure AD Premium's poo poo together.


To answer some of your questions:

Writeback: User account modifications in your cloud-based applications are usually handled by the OneLogin provisioning API once you set it up. We have OneLogin handling all our Salesforce provisioning and it works great. We do sync with our AD environment, but when a new user is created in AD, they also get created in SalesForce with the appropriate mappings. There's a rule based process in provisioning that automates everything. That alone is worth the price of admission.

We only use OneLogin for our SalesForce/RemedyForce implementation, but any other service that has a provisioning API will work as well. O365, Dropbox, Box, Concur, O365, etc.

Software: There is a desktop SSO app but it's really for Windows domains. It kinda auths against an IIS server behind the scenes and logs into OneLogin automatically for the user. In your environment people will just go to company.onelogin.com and sign in there and then click the icon to access the SAML enabled apps.

Overall I recommend the service especially for someone in your situation. Some of the extras like using OL as a directory, RADIUS endpoint, and the provisioning stuff makes it really cool. Hope this helps.
