|
Dr. Arbitrary posted:What's crazy is that it's not a normal service like the spooler, it's a custom one. Remove the folder that local group policy is saved in. This is one of the first thing I do before trying to figure out mysteries such as these. To all of you using local group policy in 2016, gently caress you forever.
|
#
?
Jun 9, 2016 22:26
|
|
|
|
| # ? May 13, 2024 23:26 |
|
|
Sickening posted:Remove the folder that local group policy is saved in. This is one of the first thing I do before trying to figure out mysteries such as these. YYUUUUPPPPP We just decommed 50-60 servers and replaced them with new VMs/hosts etc. The amount of times i had to dig around in local policies to figure out why poo poo wasn't working was astounding.
|
|
#
?
Jun 9, 2016 22:32
|
|
|
   Is there an easy way of automating this series of clicks with certreq.exe or PowerShell? I'm a very reluctant Windows admin who spends 99.9% of his time in Linux, so sorry if this is a dumb question. I'm used to automating everything via config management, so this is driving me up the wall. Server 2012 R2, fully patched, WMF 5 installed. For background, I'm trying to enable WinRM over HTTPS on our handful of Windows servers. Some of them do not have valid Server Authentication certificates, so this fails. I can request and get a cert trivially through the Certificates MMC snap in, but gently caress if I can figure out a way to do it from the CLI. I'd also settle for a way to do it via Group Policy if it's not possible to script. Anything but clicking around the GUI every time I bring up a new server. I thought this would be the winning command, but no dice: code:
|
|
#
?
Jun 10, 2016 02:34
|
|
|
What happens if you remove the "-q" from that command line? You might get a better error message. The third screenshot mentions "More information is required to enroll..." so the template might require some additional information (servername probably) that you can't pass on through the command line and that would be asked through the GUI if you remove the -q
|
|
#
?
Jun 10, 2016 09:06
|
|
|
Docjowles posted:I'd also settle for a way to do it via Group Policy if it's not possible to script. Anything but clicking around the GUI every time I bring up a new server. I'm sure it's scriptable, but I usually just use GPOs to handle certificate Auto-Enrollment. Bonus is that it will automagically handle renewals as well. http://windowsitpro.com/security/setting-certificate-autoenrollment-feature-windows-public-key-infrastructure You can also handle all of the WinRM stuff for Powershell Remoting (I assume that's what you're actual end goal is here) via GPO.
|
|
#
?
Jun 10, 2016 14:15
|
|
|
In TYOOL 2016, what are the best practices for setting up a general purpose file server? Our current instance is a 2003 server that we are racing to get rid of. This will be a complete restructuring, so we're looking for the 'correct' way to go about things. Setting up a DFS namespace? HA file shares? I've been reading up on the new file server features in 2012 R2 but I'm mostly looking for real-world input.
|
|
#
?
Jun 10, 2016 15:17
|
|
|
I just buy a FAS
|
|
#
?
Jun 10, 2016 15:45
|
|
|
Spring Heeled Jack posted:In TYOOL 2016, what are the best practices for setting up a general purpose file server? Our current instance is a 2003 server that we are racing to get rid of. This will be a complete restructuring, so we're looking for the 'correct' way to go about things. Setting up a DFS namespace? HA file shares? I like DFS namespaces, because when inevitably the underlying servers/storage/etc changes, there is zero impact to the users. Bonus points since you can add servers to the namespace, replicate the content and then phase out the original server. Scale-out file servers seems like more effort than it's worth except in very specific cases (VM storage for Shared Nothing Hyper-V Clusters and VMM is a really cool use case) Big item for me is Access Based Enumeration. I would stay away from Claims, I haven't seen much adoption so I'm sure the bugs and "Features" aren't all flushed out and fully stabilized yet.
|
|
#
?
Jun 10, 2016 16:15
|
|
|
Zaepho posted:I like DFS namespaces, because when inevitably the underlying servers/storage/etc changes, there is zero impact to the users. Bonus points since you can add servers to the namespace, replicate the content and then phase out the original server.
|
|
#
?
Jun 10, 2016 16:26
|
|
|
Zaepho posted:I like DFS namespaces, because when inevitably the underlying servers/storage/etc changes, there is zero impact to the users. Bonus points since you can add servers to the namespace, replicate the content and then phase out the original server. Yeah, DFS is one of my favourite MS server products, simply because it not only works very well, it makes life way simpler for users which in turn makes my life easier.
|
|
#
?
Jun 10, 2016 17:48
|
|
|
peak debt posted:What happens if you remove the "-q" from that command line? You might get a better error message. If you remove -q, it pops up a dialog asking me to select a server URL or something. The only option is the long-rear end GUID from the output of my previous post. But anyway, if the script requires human interaction, that doesn't really help me which is why I was trying to get it to work with -q. The "more information" thing is only if I'm trying to enroll a new Web Server cert, which I'm not. Zaepho posted:I'm sure it's scriptable, but I usually just use GPOs to handle certificate Auto-Enrollment. Bonus is that it will automagically handle renewals as well. Thanks, I think this will do what I need! For some reason it was not working on a few existing servers, but any new ones that get joined to the domain work right away. I can fix the handful of problem boxes manually.
|
|
#
?
Jun 10, 2016 18:49
|
|
|
Our primary sccm server is hosed, so we had to migrate over to a new one. What is the established way of switching all the client pointers to the new server?
|
|
#
?
Jun 10, 2016 19:42
|
|
|
ElGroucho posted:Our primary sccm server is hosed, so we had to migrate over to a new one. What is the established way of switching all the client pointers to the new server? We went through this at some point. IIRC you can just have it uninstall previous clients as a part of the client install from the new server; its much simpler than trying to reconfigure each endpoint. Yeah: 
|
|
#
?
Jun 10, 2016 19:47
|
|
|
Ok, I'm back with a new idiot question. I cannot get the WMF 5.0 / PowerShell 5 update packages to go out over WSUS. I've gone through adding them to WSUS via the Microsoft Catalog site, for all Server versions we run. They show up, and I've approved them for install. But servers never see them and don't install them. No matter how many times I run windows update and reboot, "$PSVersionTable.PSVersion" returns 4.0 or less. Is there any guide to diagnosing why some update I believe should be installed is being skipped like it doesn't exist?
|
|
#
?
Jun 11, 2016 01:27
|
|
|
I've just inherited a few SBS 2011 servers and a 2008R2 server that have been backing up to external drives that are "Taken offsite and swapped regularly", which in this case means twice a year. Before I can apply fire and migrate to a better setup, I need to get backups in a less hosed state. Does anyone have a recommendation for a good, easy to deploy backup provider that can buy me a few months while I fix other, more urgent matters?
|
|
#
?
Jun 11, 2016 08:20
|
|
|
sloshmonger posted:I've just inherited a few SBS 2011 servers and a 2008R2 server that have been backing up to external drives that are "Taken offsite and swapped regularly", which in this case means twice a year. I've been using Amazon Storage Gateway for my off-site backups with good success. Depending on your bandwidth and cost requirements, it might be a quick easy option for you.
|
|
#
?
Jun 11, 2016 11:25
|
|
|
Or Azure Backup
|
|
#
?
Jun 11, 2016 11:49
|
|
|
If you're not in the USA, be wary of cloud backup services and where your data would be located.
|
|
#
?
Jun 11, 2016 17:41
|
|
|
MF_James posted:Well sounds like you've got a GPO that sets that service as disabled. Turns out this was the problem. Now I'm wondering how the hell it got in there. Being an admin at a huge company is kind of a mindfuck sometimes.
|
|
#
?
Jun 13, 2016 19:53
|
|
|
Dr. Arbitrary posted:Turns out this was the problem. This sounds like one of those "there was a good reason at the time" stories that everyone involved forgot about.
|
|
#
?
Jun 13, 2016 20:05
|
|
|
Maneki Neko posted:This sounds like one of those "there was a good reason at the time" stories that everyone involved forgot about. Yuuuup, Also, give it 3-5 days, everything will explode, and it can be pointed back to this policy that no one remembers making or why, but clearly there was a point because now everything is smoldering ash. (just kidding  )Also, the fact that you can ctrl-F and search the settings of the policies is a huge help when you're walking into a bunch of policies you did not make and you're attempting to figure out stuff just like this.
|
|
#
?
Jun 13, 2016 20:09
|
|
|
Docjowles posted:Ok, I'm back with a new idiot question. I cannot get the WMF 5.0 / PowerShell 5 update packages to go out over WSUS. I've gone through adding them to WSUS via the Microsoft Catalog site, for all Server versions we run. They show up, and I've approved them for install. But servers never see them and don't install them. No matter how many times I run windows update and reboot, "$PSVersionTable.PSVersion" returns 4.0 or less. Is dotnet 4.5 installed? what happens when you manually install the update as a test?
|
|
#
?
Jun 13, 2016 20:49
|
|
|
I have a Windows 10 Pro machine and am logging in using Office 365 credentials (Azure AD Join). Every other day or so when I login using my PIN it fails and tells me to reboot. The following is written into the System event log:quote:The Distinguished Name in the subject field of your smart card logon certificate does not contain enough information to identify the appropriate domain on an non-domain joined computer. Contact your system administrator. Unlocking with my password and then re-locking and using my PIN to unlock works. As far as I know my laptop doesn't have a smartcard but I assume Windows PIN login uses some sort of virtual smartcard hence the reference. Does anyone else have this issue? I am struggling to find anything relevant.
|
|
#
?
Jun 14, 2016 13:07
|
|
|
If you have any Server 2012/2012 R2 domain controllers (or DNS servers) you probably want to patch them now. There an unauthenticated root-level RCE in Windows DNS Server on those platforms:quote:https://technet.microsoft.com/library/security/MS16-071
|
|
#
?
Jun 14, 2016 18:14
|
|
|
I wonder how many public facing Windows DNS servers are out there?
|
|
#
?
Jun 14, 2016 20:04
|
|
|
Moey posted:I wonder how many public facing Windows DNS servers are out there? Knowing how many "windows experts" are out there, a lot. Personally surprised this is only 2012\R2 specific.
|
|
#
?
Jun 14, 2016 20:06
|
|
|
incoherent posted:Is dotnet 4.5 installed? what happens when you manually install the update as a test? Yes. The update happily installs with no problem if I download it from here and run manually: https://www.microsoft.com/en-us/download/details.aspx?id=50395
|
|
#
?
Jun 15, 2016 02:55
|
|
|
Speaking of updates, just a quick heads up that KB3159398 is breaking group policy for a lot of organizations. In my test environment it broke any gpos that used security filtering.
|
|
#
?
Jun 15, 2016 20:13
|
|
|
BaseballPCHiker posted:Speaking of updates, just a quick heads up that KB3159398 is breaking group policy for a lot of organizations. gently caress. That might explain a few things.
|
|
#
?
Jun 15, 2016 20:19
|
|
|
BaseballPCHiker posted:Speaking of updates, just a quick heads up that KB3159398 is breaking group policy for a lot of organizations. Just as a note, a workaround is to give authenticated users read access to those GPOs. Microsoft has not been super clear about how people should do this over the years though. Lots of chatting here: https://www.reddit.com/r/sysadmin/comments/4o78yo/kb3159398_or_kb3164033_seems_to_remove_all/ Maneki Neko fucked around with this message at 20:24 on Jun 15, 2016 |
|
#
?
Jun 15, 2016 20:19
|
|
|
Yeah, we were talking about this in the Small Shop thread, but Enterprise is probably a better place. It's annoying because you have a bunch of people coming out and blaming the users (in this case, us IT guys) for using Security Filtering. Yes, the best practice is to use OUs or GPP with Targeting to limit what policies apply, but OUs is just needlessly complex and GPP with Targeting often has its own set of problems. Plus, there are some things you want to force (via Policy) instead of "set default" (via Preferences). Yes, Microsoft has said since the beginning that Authenticated Users should be left under Security Filtering as removing it removes the user's read rights to that GPO and causes "problems"... but the Group Policy Management console literally shows the following:  It's a dumb bug. Blaming your users for using a setting for the only conceivable reason to use the setting is dumb. [Edit: I guess I should add the current workaround. Go to the Delegation tab and re-add Authenticated Users back. The Security Filtering will still work.]
|
|
#
?
Jun 15, 2016 21:24
|
|
|
The problem appears to be that group policy is read by the computer account first. The computer then decides if the user's security group has the rights to apply the policy. The change to the GPO system involved the Kerberos system and preventing a MitM attack against the GPO authentication system that could result in privilege escalation. I'm guessing that the computer was impersonating the user for the purposes of reading the policy and this update changes that mechanism or causes it to no longer function as it once did, causing the processing of these policies to fail. Adding Read permissions to Authenticated Users on the GPOs gives the computer the ability to see the GPO again and perform the follow up checks it needs to apply the policy if needed. This doesn't affect computer targeted GPOs with security filtering since you'd expect the computer to not need to read the GPO to see if it needs to process it. It can ignore it completely since it's clearly not applicable. edit: Internet Explorer posted:Yeah, we were talking about this in the Small Shop thread, but Enterprise is probably a better place. This just adds more fuel to the "maybe they shouldn't have fired all those QA people" fire. This update either clearly wasn't tested enough to find an obvious use case where it would fail, or this failure was found and workaround was not added to the KB article. Either way, it's a pretty bad gently caress up by MS. Number19 fucked around with this message at 21:28 on Jun 15, 2016 |
|
#
?
Jun 15, 2016 21:25
|
|
|
That's all well and good, but again, Microsoft's communication on issues is awful. They know that people use this setting. Like I said, GPM shows that's... what you use the setting for. There's no other reason for it to even exist. If it is as you said, I would hope that Microsoft would have known that this was going to bite people, and they should have come out before the patch telling people to make the Delegation changes. Or you know, even after. We still get to rely on a lovely forum full of other users to play "figure it out."
|
|
#
?
Jun 15, 2016 21:28
|
|
|
Internet Explorer posted:That's all well and good, but again, Microsoft's communication on issues is awful. They know that people use this setting. Like I said, GPM shows that's... what you use the setting for. There's no other reason for it to even exist. If it is as you said, I would hope that Microsoft would have known that this was going to bite people, and they should have come out before the patch telling people to make the Delegation changes. Or you know, even after. We still get to rely on a lovely forum full of other users to play "figure it out." This is bad communication for sure. It's also actually in some ways making environments less secure as well. In that Reddit thread, a user points out that in some higher security organizations, having every GPO readable by Authenticated Users is undesirable. It gives an attacker who gains a foothold on any domain joined computer the ability to poke through all the policies in SYSVOL, looking for network drives and other potentially sensitive settings that you don't want everyone to see. I think MS is going to have to rethink this update since for many organizations the fix might be worse than the vulnerability.
|
|
#
?
Jun 15, 2016 21:32
|
|
|
Yeah, I saw that comment as well and I agree. Then some dummies were arguing that the Delegation (maybe they misunderstood and meant Security Filtering?) didn't change the NTFS rights on the folder in SYSVOL\Policies, when in fact it obviously does. I liked the comment about Microsoft having $26 billing to buy LinkedIn, but getting rid of a good portion of their QA. Seems about right.
|
|
#
?
Jun 15, 2016 21:42
|
|
|
I've been designing an AD revamp lately and I decided to brush up on my best practices. I found some presentations at a MS conference and one of them by one of the top guys that designs complex ADs for a living outright said "GPO by OU is rigid and inflexible, stop doing it. Use security filtering instead and use OUs for administrative delegation only." Even the experts on this topic can't agree so how in the gently caress are the sysadmins in the field supposed to know how things should be done anymore? As you said, security filtering did exactly what it said on the box, until yesterday when suddenly it doesn't anymore and the silence from MS on the topic is very irritating.
|
|
#
?
Jun 15, 2016 21:48
|
|
|
Yeah, GPO by OU is awful and I will blow my brains out before I do that. The "don't use Security Filtering" is so old at this point, it reeks of ritualistic tribal knowledge that reminds me of the "old Cisco guy" mindset.
|
|
#
?
Jun 15, 2016 21:58
|
|
|
We do GPO by OU somewhat, but it's tiered and not a monster, we also only have like 20 GPOs total and none of them are monsters. We do some security filtering and WMI filtering (yes I know that's not preferable but it was the easiest way) MF_James fucked around with this message at 22:03 on Jun 15, 2016 |
|
#
?
Jun 15, 2016 22:01
|
|
|
"Don't use security filtering" is the GPO version of "don't use autonegotiate"
|
|
#
?
Jun 15, 2016 22:10
|
|
|
|
| # ? May 13, 2024 23:26 |
|
|
MF_James posted:We do GPO by OU somewhat, but it's tiered and not a monster, we also only have like 20 GPOs total and none of them are monsters. When I say I won't do GPO by OU, I don't mean I apply all OUs to the domain level and leave it at that. Things should be tiered and laid out logically. What I am not doing is making an OU called "Marketing Printers" and putting everyone who needs access to the Marketing printers in that. Because that is super rigid. What if a user in the Marketing Printer OU also needs an Administration printer - oh god they can't be in both. This is what both GPP with Targetting and (surprise!) Security Filtering is for. Security Filtering and WMI filtering are both perfectly fine, except for the fact that WMI tends to be unreliable in general. Thanks Ants posted:"Don't use security filtering" is the GPO version of "don't use autonegotiate" Yeah, this is basically what I was getting at. I almost made a Reddit account to yell at people but then I remembered that's why I got a Twitter account I don't use.
|
|
#
?
Jun 15, 2016 22:14
|
|