|
NevergirlsOFFICIAL posted:What's the best way for me to have a Windows user account that can READ anything a domain admin can, but cannot make changes to the environment? Are you referring to AD? Because regular domain users already have read access to all the objects.
|
#
?
Feb 18, 2016 22:16
|
|
|
|
| # ? May 14, 2024 03:00 |
|
|
NevergirlsOFFICIAL posted:What's the best way for me to have a Windows user account that can READ anything a domain admin can, but cannot make changes to the environment? What are you trying to accomplish? By default a normal domain user account can read almost all AD attributes. The confidential bit can be used to make certain values hidden from normal users.
|
|
#
?
Feb 18, 2016 22:18
|
|
|
lol internet. posted:Hmm I can seem to boot with USB now after upgrading to Windows 10 ADK. Still can't PXE boot but I read an article that says you need to use IP helpers on the switches to point at the PXE boot on a UEFI\Legacy PXE setup. Will try that next. Is this your first time setting up PXE boot to image on a new VLAN or something? But yeah PXE boot relies on broadcast to receive a 2nd DHCP address from the PXE server (usually SCCM or WDS in a windows environment) so IP helpers need to exist on any VLAN that your DHCP server does not directly sit on.
|
|
#
?
Feb 19, 2016 00:22
|
|
|
Is portal.office.com hosed for everyone else or just me? Been out for a half hour now and I can't even get into the admin portal or the status page, but I have a Microsoft guy pretending there's no issues reported:
|
|
#
?
Feb 19, 2016 01:00
|
|
|
Works For Me(tm)
|
|
#
?
Feb 19, 2016 01:03
|
|
|
They're not aware of any issues looks like
|
|
#
?
Feb 19, 2016 01:07
|
|
|
bigdookie posted:Is this your first time setting up PXE boot to image on a new VLAN or something? But yeah PXE boot relies on broadcast to receive a 2nd DHCP address from the PXE server (usually SCCM or WDS in a windows environment) so IP helpers need to exist on any VLAN that your DHCP server does not directly sit on. No, I've always used PXE boot through the DHCP options 67/66/or 68 whatever but this is the first time I am running into issues trying to PXE with a surface book. mewse posted:They're not aware of any issues looks like lol when does that dashboard never have an issue.
|
|
#
?
Feb 19, 2016 02:01
|
|
|
If you're using DHCP options without modification for UEFI and you're UEFI booting the Surface, then you're for sure offering thr wrong boot image to the surface.
|
|
#
?
Feb 19, 2016 06:12
|
|
|
If you're using Server 2012 R2 as your DHCP server you can follow this article to serve the correct PXE boot file to BIOS or UEFI computers using DHCP Policy and VendorClass: https://wiki.fogproject.org/wiki/index.php?title=BIOS_and_UEFI_Co-Existence
|
|
#
?
Feb 19, 2016 06:22
|
|
|
Number19 posted:If you're using Server 2012 R2 as your DHCP server you can follow this article to serve the correct PXE boot file to BIOS or UEFI computers using DHCP Policy and VendorClass: I'll give that a shot. Although it seemed to not boot even when I removed secure boot.. I'm convinced it's the firmware heh. lol internet. fucked around with this message at 13:14 on Feb 19, 2016 |
|
#
?
Feb 19, 2016 13:01
|
|
|
For like the 12th time, you are offering a BIOS boot image to a UEFI client. it will 100% not work until you offer the UEFI client a UEFI boot image.
|
|
#
?
Feb 19, 2016 17:34
|
|
|
It's not the drat firmware and you don't need to disable secure boot. Here's a screenshot of a working config for MDT based on that tutorial.
|
|
#
?
Feb 19, 2016 17:55
|
|
|
Group Policy question here. We're rolling IE 11 out to certain testers, everybody else stays on IE 9. Previous GPO management used the deprecated "Internet Maintenance" administration. I've created a new GPO replicating all settings to "Comp Config / Policies / Admin Temp / Windows Compon / Internet Explorer" administration. I want this new policy to target IE 11 machines, and the old IE 9 policy to be ignored (just to make sure the old policy isn't doing something I should have covered). I have an AD security group with the IE 11 computers. New policy is targeting these machines, works fine. IE 9 policy has been set to "Read : Deny" for the IE 11 Computers group. The user accounts are still pulling them in, though, so the policy still applies. I cannot filter on user account because users may move around to a computer with IE 9. I've also dicked around with WMI filtering on the IE 9 policy so it filters out computers with IE version 11 installed, but can't get it to work (returns no results and doesn't apply to anybody). What's my best solution here? Shouldn't the Read:Deny prevent the policy from applying to the user account anyway? What else can I throw in there to make sure the IE 9 policy doesn't hit computers in the IE 11 Computers AD group?
|
|
#
?
Feb 19, 2016 21:10
|
|
|
Judge Schnoopy posted:Group Policy question here. My first question would be... why are your users and your computers mixed together? That's going to cause all sorts of hell for group policy unless you want everything to apply to all users/computers... I don't know a way around what you're experiencing because I've never had issues where users are falling into the same OU as computers... Like a sane structure would be forest --> Users OU and at the same level a Computers OU, link any policies that are computer policies to the computers OU and anything that's a user policy to the user OU. Although you are the one with the really hosed AD environment right? That's pretty hosed if you've got all this poo poo falling together...
|
|
#
?
Feb 19, 2016 22:20
|
|
|
MF_James posted:My first question would be... why are your users and your computers mixed together? That's going to cause all sorts of hell for group policy unless you want everything to apply to all users/computers... I don't know a way around what you're experiencing because I've never had issues where users are falling into the same OU as computers... They're not, and I guess maybe I'm just being lazy about fixing the old policy. Old policy is applying to "Authenticated Users" which hits computers and user accounts, and is currently applied to a top-level OU. Sub-OUs are separated by department / branch, so there are 22 OUs with "User" and "Computer" containers. I guess the real answer is to change the scope links from the 4 generic to the 22 specific OUs they should be applying to and avoid linking it to any user accounts. I was hoping for an easy Security Filtering option, but doesn't look like I'll find one.
|
|
#
?
Feb 19, 2016 22:25
|
|
|
Computer configuration settings in GPO's don't apply to users unless loopback processing is on (this is phrased poorly, users still don't apply computer settings) - what scope are the settings in the IE9 group policy applying to? Try not to make GPOs with both user and computer config settings, they're a pain to manage and target correctly. wyoak fucked around with this message at 22:37 on Feb 19, 2016 |
|
#
?
Feb 19, 2016 22:34
|
|
|
^-- also yes, what he said.Judge Schnoopy posted:They're not, and I guess maybe I'm just being lazy about fixing the old policy. Your link order matters, as well, so check this out rq: https://technet.microsoft.com/en-us/library/cc757050(v=ws.10).aspx basically stuff linked at the lowest level will overwrite stuff linked at the highest level, link order matters etc. If you are doing Something at the top-level domain and then doing it in the lowest child OU level, the child OU will win out, but if you are doing it 2 different ways I don't know what exactly will happen (there are a few instances where you can do the same thing 2-3 different ways, after testing, generally there's a correct way to do it) Also, the link order within the OU matters, stuff processed last (so higher link order number iirc) always wins.
|
|
#
?
Feb 19, 2016 22:34
|
|
|
wyoak posted:Computer configuration settings in GPO's don't apply to users unless loopback processing is on (this is phrased poorly, users still don't apply computer settings) - what scope are the settings in the IE9 group policy applying to? The "Internet Explorer Maintenance" settings are a user config. The new GPO I'm making is under computer config, because why the gently caress would it ever be under user config. I think this is causing the root of my frustration in switching over. The old policy was written like poo poo years before I showed up and now I'm trying to clean it up (along with everything else designed in there). Another side effect of the IE 9 GPO : A logoff script that runs a batch file to delete cookies. It runs 3 - 5 times per machine on logoff, except a handful of machines where it doesn't run at all despite the rest of the policy applying. I have no loving idea why this happens. I can't wait to disable it.
|
|
#
?
Feb 19, 2016 22:43
|
|
|
Judge Schnoopy posted:The "Internet Explorer Maintenance" settings are a user config. The new GPO I'm making is under computer config, because why the gently caress would it ever be under user config. I think this is causing the root of my frustration in switching over. The old policy was written like poo poo years before I showed up and now I'm trying to clean it up (along with everything else designed in there). It's largely a function of your environment, if you're a huge campus with computer labs everywhere it might make sense to apply to computer objects (so, say, proxy settings can be different for Bob Smith if he logs in at the library vs the science lab), if you're a typical office environment I'd be more comfortable applying settings to users (so Bob Smith in accounting gets different security settings than John Smith in HR, even on the same loaner laptop because they both forgot their computers that day)
|
|
#
?
Feb 19, 2016 22:57
|
|
|
wyoak posted:To counter...I always apply browser settings to users, why the gently caress would it ever be under computer config? Well, in this specific case, we're doing a slow roll-out to IE 11. A user might go for 11 on their main PC and find a service they use isn't compatible and may need to go use another computer until we can roll them back to 9. Or if they're using 9 on one machine and sit down at the test machine with 11, we don't want the IE 9 policies applying to that computer. Once the rollout is done I guess it won't matter either way. All computers are separated by OU as the users are so linking is no different.
|
|
#
?
Feb 19, 2016 23:03
|
|
|
Judge Schnoopy posted:Well, in this specific case, we're doing a slow roll-out to IE 11. A user might go for 11 on their main PC and find a service they use isn't compatible and may need to go use another computer until we can roll them back to 9. Or if they're using 9 on one machine and sit down at the test machine with 11, we don't want the IE 9 policies applying to that computer. You could switch your IE11 GPO to be user settings and do the same thing with read/apply/deny as you did to the computer groups, but you'd have to test to make sure the new GPO is applying IE9 settings as expected. edit: Actually, you could use loopback with replace on the IE11 GPO and assign it to your test group of computers, that way the IE9 one wouldn't apply on your IE11 machines. You would still have to change it to user configuration though. edit edit: Maybe you wouldn't have to change it - if you turn on loopback with replace, it might just apply an empty set of user configuration settings. wyoak fucked around with this message at 23:21 on Feb 19, 2016 |
|
#
?
Feb 19, 2016 23:10
|
|
|
Two questions: Has anyone successfully used DHCP options to offer the UEFI boot image for PXE booting? We've tried and it doesn't work as there's some additional network communication that the client tries to make when downloading the image. We're using an ISC DHCP server and I haven't found anyone with our problem but I haven't found anyone saying it works either. Second, for anyone that's upgraded to ConfigMgr 1511, have you been able to use the pre-production client stuff? As far as I can tell the only way to specify a client as pre-production is when the upgrade is done via the console. Since that's not possible for installing this upgrade, it appears to not be possible. I've found plenty of articles that tell you how to do it, but they just parrot the instructions from Microsoft, and their screenshots show a blank pre-production client version, so they haven't actually done it either.
|
|
#
?
Feb 20, 2016 00:15
|
|
|
FISHMANPET posted:Two questions: I offer, boot from and run OSD deploys using BIOS or UEFI with no issues. I've been doing it for a while too. Before I had a 2012R2 DHCP server I had two VLANs for PXE boot with different DHCP scopes. It all worked perfectly.
|
|
#
?
Feb 20, 2016 08:18
|
|
|
So whats the best/easiest way to start an application under a running session on the current machine? I am using chef, so powershell or bat or something like that is what I am using. Should I look at something with psexec or is there anything built into Windows 2012 R2 that I can take advantage of? So far I have my application being uploaded, unzipped and an alias placed into the user's startup folder. I have the user automatically being logged in by having registry keys updated. This is pretty much a service account and the app has to ruin in a GUI mode not as an actual service. Or if there are any tricks to getting the account to exit and come back, I don't know what is best.
|
|
#
?
Feb 22, 2016 20:01
|
|
|
lol internet. posted:Are you referring to AD? Because regular domain users already have read access to all the objects. Sorry for not clarifying. Basically I run network detective on an environment to do IT assessments. It pulls AD info but then also get stuff from wmi on various elements like what software is installed on server, antivirus/backup existence, DHCP info, SQL instances installed on servers, all file shares, all network shares etc. I want to get this info without having the ability to also change anything.
|
|
#
?
Feb 22, 2016 21:07
|
|
|
Network Detective is great. I don't think a non-domain admin account, or at the very least an account granted local admin on everything, can get all that Network Detective queries. Have you reached out to their support? They are usually pretty good.
|
|
#
?
Feb 22, 2016 21:11
|
|
|
JHVH-1 posted:So whats the best/easiest way to start an application under a running session on the current machine? I forgot I was looking to do this a while back and ended up figuring out the automatic logout of the user in powershell, so I already had this code: code:
|
|
#
?
Feb 22, 2016 22:21
|
|
|
Wait, are you looking to run software on a user login, or are you looking to have a computer automatically log in to an account on startup? Both can be done in the registry.
|
|
#
?
Feb 22, 2016 22:36
|
|
|
hihifellow posted:Wait, are you looking to run software on a user login, or are you looking to have a computer automatically log in to an account on startup? Both can be done in the registry. Both really. I already have the registry entries to have the account start up automatically, and the deployment can put an alias or script in the startup directory. The only snag was when the software was being deployed and it was already running, so I put in the script to log them out. Its easy to tell the chef recipe to reboot, it just eats up more time before the server is ready which I would like to avoid but as long as the thing works I can live with it. They put a queuing system in at one point, so requests don't get lost they just wait till a new machine is ready.
|
|
#
?
Feb 22, 2016 23:05
|
|
|
Special snowflake user has beaten me in inter-office politics and now gets their way in regards to their PC locking after 15 minutes of inactivity. I must suffer through this until our next audit when inevitably they will flag this and demand I change it back. (Yes I have the special demand in writing stating my objections). There is a GPO at the domain level that sets the lock screen at 15 minutes currently. Is their a way to exclude this one specific computer? If I set something at the OU level that should take effect first if I remember correctly, but will it then be overrided by the domain level GPO? Should I change the domain level GPO and do some sort of security or WMI filtering?
|
|
#
?
Feb 22, 2016 23:05
|
|
|
Use security filtering exclude his computer from that policy. Edit: LSD OU, OU, OU... Local policies first, Then Site, Then Domain, Then OU, Then the next OU farther out on the branch, Then the next OU. They're applied in that order, with conflicts being overridden as they go down the list. If you enforce, it does the same thing in reverse order at the end. LSD OU... OU(e), D(e) S(e) (L maybe?, not sure if you can enforce local policy.) Dr. Arbitrary fucked around with this message at 23:22 on Feb 22, 2016 |
|
#
?
Feb 22, 2016 23:18
|
|
|
Not security filtering, Delegation tab under the GPO settings in the GP Management snapin, you go to Delegation, add the user/group you care about, select the user/group you just delegated to/added to the list, hit advanced, then deny read access to that GPO. e: this might be outdated but this is how I learned to do this
|
|
#
?
Feb 22, 2016 23:24
|
|
|
JHVH-1 posted:Both really. I already have the registry entries to have the account start up automatically, and the deployment can put an alias or script in the startup directory. The only snag was when the software was being deployed and it was already running, so I put in the script to log them out. Okay then. HKCU:\Software\Microsoft\Windows\CurrentVersion\Run will run anything inside on the login of the currently logged in user (if you want to edit this hive without logging in as the user, open ntuser.dat under the user's profile directory in regedit). The entry, or entries, should be String (REG_SZ), name can be anything you want, field should be the full path to the executable. Auto logins are described under this article but it leaves out the DefaultDomain key, which should be filled in with the domain of the account. Task scheduler can add tasks to run under certain user accounts as well, and can be controlled with either powershell commandlets or the schtasks command line utility.
|
|
#
?
Feb 22, 2016 23:28
|
|
|
Dr. Arbitrary posted:Use security filtering exclude his computer from that policy. You can't enforce local policy, domain policy always overrides it. Order always starts at the Site and then works its way down to the OU of the object, overwriting any policies already applied. The inherited order tab (I think I got the name wrong, I don't have the GPO edit MMC in front of me) will show which GPOs take precedence from the top of the tree down to the OU. In Baseball's case I'd set a GPO at the OU level with a scope set to whiny jerk's computer or account that changes the policy to disabled, then they should be able to set whatever they like.
|
|
#
?
Feb 22, 2016 23:37
|
|
|
hihifellow posted:Okay then. HKCU:\Software\Microsoft\Windows\CurrentVersion\Run will run anything inside on the login of the currently logged in user (if you want to edit this hive without logging in as the user, open ntuser.dat under the user's profile directory in regedit). The entry, or entries, should be String (REG_SZ), name can be anything you want, field should be the full path to the executable. That much I had sorted out already. Chef is pretty cool with that, letting you do something like this: code:
|
|
#
?
Feb 22, 2016 23:57
|
|
|
Am I doing something terribly wrong or does Remote Powershell not work by default?
|
|
#
?
Feb 23, 2016 00:05
|
|
|
Tab8715 posted:Am I doing something terribly wrong or does Remote Powershell not work by default? It's only enabled by default on Server 2012, clients need to be configured to accept remote powershell commands.
|
|
#
?
Feb 23, 2016 00:08
|
|
|
Execution Policy also needs to be enabled for unsigned
|
|
#
?
Feb 23, 2016 00:22
|
|
|
FISHMANPET posted:Two questions: Chiming in as another shop that's done it with 2012 R2 policies. This article talks about bind. https://wiki.fogproject.org/wiki/index.php?title=BIOS_and_UEFI_Co-Existence
|
|
#
?
Feb 23, 2016 00:33
|
|
|
|
| # ? May 14, 2024 03:00 |
|
|
Yeah that's the easy part. I can offer the file to the client, which is just a bootstrap, but then it tries to broadcast to do... something. So there's some other setting outside of DHCP that's needed. Every instance I found of people with my same issue ends in them just using an IP Helper.
|
|
#
?
Feb 23, 2016 01:45
|
|