Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


pixaal posted:

There are two ways to do GPOs: using OUs and using security filters. Using both is kind of silly; pick one. It might depend on the GPO; I find printers and drives always have exceptions, and if you try to do it with OUs you end up with an OU for each user after a few years of making exceptions.

This is why I gravitate more towards security filtering. I got to a point even in my very small directory where I had an OU for single users all over and I decided that it was bad design and moved to security filtering. Now my AD is much flatter and organized.


nexxai
Jul 17, 2002

quack quack bjork
Fun Shoe

Number19 posted:

Only policies where you have removed the default Authenticated Users group from security filtering

E: also only on policies that apply user settings
Awesome, thank you for the clarification!

Crowley
Mar 13, 2003

pixaal posted:

Usually you use security filtering if you just want to dump the GPO at the top highest level (domain root, or building) and add users to a group to get them what they need. While it's nice that everyone in sales needs the sales drive, the CFO also needs the sales drive, and oh now billy the new shipping manager used to work in sales, he'll need access sometimes too!

It just removes that entire headache if you add that to root, add the sales security group to the Sales Drive Security filter (or to Drive - S Sales Group if you want to keep the filter to only a single line)

There are two ways to do GPOs: using OUs and using security filters. Using both is kind of silly; pick one. It might depend on the GPO; I find printers and drives always have exceptions, and if you try to do it with OUs you end up with an OU for each user after a few years of making exceptions.

I usually assign printers and drives through preferences.

Internet Explorer
Jun 1, 2005





Which is perfectly acceptable, just understand that there are differences between deploying things via Policy and deploying things via Preference. Also, in the relatively recent past I have seen (in multiple environments) Preference GPOs with Item Level Targeting increase GPO processing times by a lot. In some scenarios like non-persistent VDI or Remote Desktop Services, that can be a big deal.

[Edit: And just to be super clear, I am not saying I don't like GPP (with or without ILT). I like it and use it a lot. There's considerations on going one route vs. the other.]

Internet Explorer fucked around with this message at 19:39 on Jun 16, 2016

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
Someone at Microsoft thought this was hosed too and wrote a PS script to scan your GPOs.

https://blogs.technet.microsoft.com/poshchap/2016/06/16/ms16-072-known-issue-use-powershell-to-check-gpos/

To clarify: I think it's a smart move from a security standpoint, but executed terribly.

Super Slash
Feb 20, 2006

You rang ?
Today I got a delivery of a single Axel AX3000 M90 thin client to evaluate, which was recommended to me, and after test driving it in the office and taking it home it seems pretty radical. Super barebones OS where you only need to do an initial setup, then it'll boot straight into an RDP session. While it looks like it'll suit us well, it can also do:

quote:

The M90 is a multi-session and multi-environment terminal, supporting up to 6 concurrent sessions:
- RDP/ICA/Storefront protocol (including Gateway support),
- Virtual Desktop (VMware Horizon Client & Citrix XEN Desktop/Storefront),
- VNC protocol,
- Telnet or ssh protocol (all common text emulation ANSI, VT....),
- 5250 or 3270 protocol.

Wiggly
Aug 26, 2000

Number one on the ice, number one in my heart
Fun Shoe

BaseballPCHiker posted:

I still don't understand fully why Microsoft is doing this.

With their workaround anyone can see all of the GPOs in your environment which seems less secure to me.

My understanding is that you can add Domain Computers with Read access (instead of Authenticated Users) and it fixes the problem without letting everyone see your GPOs.

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib

Wiggly posted:

My understanding is that you can add Domain Computers with Read access (instead of Authenticated Users) and it fixes the problem without letting everyone see your GPOs.

This. Also, the patch was a fix for a privilege escalation attack, which is a considerably larger security issue than the information gathering that allowing (authenticated) users to see your GPOs might be. Just would have been nice if they had warned people ahead of time.
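The fix the two posts above describe (give the computer account Read on any GPO where Authenticated Users was removed from security filtering, rather than putting Authenticated Users back) can be checked and applied across the domain in a few lines. This is an added example, not the Microsoft script linked earlier in the thread; it assumes the GroupPolicy RSAT module is installed and the caller can edit GPO ACLs.

```powershell
# Added example (not from the thread): audit every GPO for a non-denied Read
# entry held by Authenticated Users or Domain Computers, and with -Fix grant
# Domain Computers GpoRead where neither is present. Run elevated on a
# domain-joined admin workstation with the GroupPolicy module available.
param([switch]$Fix)

Import-Module GroupPolicy

# Either of these principals holding Read lets the computer account read the GPO
# during processing, which is what user-settings policies need after MS16-072.
$ReadPrincipals = @('Authenticated Users', 'Domain Computers')

# Permission levels that include Read (Apply and Edit imply Read).
$LevelsWithRead = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

$results = foreach ($gpo in Get-GPO -All) {
    $perms = Get-GPPermission -Guid $gpo.Id -All

    $hasRead = $perms | Where-Object {
        ($ReadPrincipals -contains $_.Trustee.Name) -and
        (-not $_.Denied) -and
        ($LevelsWithRead -contains $_.Permission.ToString())
    }

    $status = if ($hasRead) { 'OK' } else { 'MissingComputerRead' }

    if (-not $hasRead -and $Fix) {
        # Read only, not Apply: this does not widen who the policy applies to,
        # it only lets computer accounts read the policy object.
        Set-GPPermission -Guid $gpo.Id -TargetName 'Domain Computers' `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
        $status = 'Fixed'
    }

    [pscustomobject]@{
        Name   = $gpo.DisplayName
        Id     = $gpo.Id
        Status = $status
    }
}

$results | Sort-Object Status | Format-Table -AutoSize
```

Run it once without -Fix to see which policies the filtering change left unreadable, then with -Fix; the GpoRead grant to Domain Computers is the narrow option the thread recommends over restoring Authenticated Users, since it keeps ordinary users from reading policies that were deliberately hidden from them.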

Swink
Apr 18, 2006
Left Side <--- Many Whelps
Any reason not to use VEEAM free edition for two hyperV hosts?

It would be replacing a shell script

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)
Anyone have any experience with AirWatch for laptop mobile management?

We just got bought and it looks like we're moving away from our active directory setup and moving towards laptops. I need to figure out some kind of cross platform MDM solution. Meraki kind of sucks for this (we're using it for phones and it works well enough for iPhones but the Android/PC/Mac solutions kind of suck).

devmd01
Mar 7, 2006

Elektronik
Supersonik
You can get a 30 day trial, sign up and try it out. I'm currently doing the trial myself for MDM of rugged scanner devices.

Sheep
Jul 24, 2003
As someone who uses Meraki Systems Manager for MDM I can confidently say that it can be a decent fit if you are already a Meraki-heavy environment, but if that isn't the case then you definitely want to look elsewhere. It has enough drawbacks that were I starting over from scratch again I would not consider MSM.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

LmaoTheKid posted:

Anyone have any experience with AirWatch for laptop mobile management?

We just got bought and it looks like we're moving away from our active directory setup and moving towards laptops. I need to figure out some kind of cross platform MDM solution. Meraki kind of sucks for this (we're using it for phones and it works well enough for iPhones but the Android/PC/Mac solutions kind of suck).

I heavily use AirWatch for all my mobile devices, which are Surfaces and iOS devices. The best thing about 8.1 and 10 is their MDM support built into the OS. Strongly consider standardising your platform on Windows 10, as there are a lot more features to work with.

If you think you're getting away from Active Directory, just stop right there. I regret not integrating my MDM with my on-prem AD (I was a really EARLY adopter so the LDAP\AD stuff wasn't as solid as it is now), as it is a pain managing people from two panes of glass. Eventually, to fully manage a Windows device, you'll need an AzureAD account configured as well.

Cool things:
Backs up the bitlocker key in the console
Push out standard configurations seamlessly
Bake in the MDM configurations into your Windows images using the new windows imaging toolkit.

Lame things:
Periodically tries to re-run bitlocker encryption to make sure it's encrypted (I think this is a windows limitation with no way to gracefully ask "r u locked?")
You need TWO SEPARATE windows mdm apps (one from the store, one that is a win32 app) as each provide different information back to the MDM console
Windows Mail app saying my workstation isn't compliant with regards to activesync security requirements, even though my Apple and 8.1 Windows mail apps work just fine.

E: also if you're moving wholesale to AW for your iOS devices take the time and effort to enroll your org into Apples Device Enrollment Program. It took a while to get going but I have my VAR and cellphone providers auto sending the hardware to apple to sync to my MDM, bypassing A TON of manual configurations.

incoherent fucked around with this message at 18:47 on Jun 17, 2016

Sheep
Jul 24, 2003
Being a not_Windows guy, I'm still confused as to how you're supposed to domain join roaming laptops that may never even be connected to the company network for weeks at a time without splurging for Enterprise. Azure ADDS isn't a mature thing yet so the only option remaining is DirectAccess which is obviously a no go because, again, Enterprise.

Edit: last quote I got on Enterprise was $275/user which is kind of a joke, comes close to increasing our per user cost by 40%.

Sheep fucked around with this message at 19:02 on Jun 17, 2016

vanity slug
Jul 20, 2010

Sheep posted:

Being a not_Windows guy, I'm still confused as to how you're supposed to domain join roaming laptops that may never even be connected to the company network for weeks at a time without splurging for Enterprise. Azure ADDS isn't a mature thing yet so the only option remaining is DirectAccess which is obviously a no go because, again, Enterprise.

VPN?

Sheep
Jul 24, 2003
I'm still not clear how that works - how do you get something like OpenVPN to both startup and connect prior to the logon process with Windows?

TehRedWheelbarrow
Mar 16, 2011



Fan of Britches
VPN and Network Access Protection

Dans Macabre
Apr 24, 2004


Sheep posted:

I'm still not clear how that works - how do you get something like OpenVPN to both startup and connect prior to the logon process with Windows?

I haven't had to do this since Windows XP days, but back then when you hit ctrl+alt+del to log in, you could select to connect to VPN first. You'd use the built-in Windows VPN client. I also seem to recall being able to launch SonicWall NetExtender somehow... How it knows which programs to allow I haven't the foggiest.

Apparently you do a powershell to get your win10 clients access: https://www.experts-exchange.com/qu...gon-screen.html

edit 2: see the guy below me

Dans Macabre fucked around with this message at 19:06 on Jun 17, 2016

Walked
Apr 14, 2003

NevergirlsOFFICIAL posted:

I haven't had to do this since Windows XP days but back then when you hit ctrl+alt+del to log in, you could select to connect to VPN first. you'd use the built-in Windows VPN client.

You can do similar with Win 10 by creating VPN connection and then clicking the network icon in the lower right before logon
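The logon-screen VPN entry described above is a machine-wide ("all user") VPN connection; a per-user connection does not show up before sign-in. As an added example (not from the poster), this is how to create one with the built-in client. The server name is a placeholder, and machine-certificate authentication assumes a computer certificate has already been enrolled on the laptop; without that, use an EAP or MSChapv2 profile instead.

```powershell
# Added example (not from the thread): create a machine-wide IKEv2 VPN
# connection so it is offered under the network icon on the Windows 10 logon
# screen. Run elevated. 'vpn.example.invalid' is a placeholder server name.
Add-VpnConnection -Name 'Corp VPN' `
    -ServerAddress 'vpn.example.invalid' `
    -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required `
    -AllUserConnection `
    -PassThru

# Confirm the profile was written to the machine-wide phonebook rather than
# the current user's; only machine-wide entries appear before logon.
Get-VpnConnection -AllUserConnection |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, ConnectionStatus
```

Pushing this profile through the MDM (as incoherent suggests later in the thread) rather than running it by hand keeps the logon-screen step the same on every laptop, which is the only way the helpdesk load Sheep is worried about stays predictable.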

Sheep
Jul 24, 2003

SneakyFrog posted:

VPN and Network Access Protction

NAP is fully deprecated now though? Or is this article just unclear? Sounds like it flat out doesn't exist as of Server 2016.

Walked posted:

You can do similar with Win 10 by creating VPN connection and then clicking the network icon in the lower right before logon

Huh, guess I'll go throw something together and see if I can get this to work. Looking forward to the deluge of helpdesk tickets/pushback from users that adding a step to the logon process is going to cause.

Edit: sorry for derailing this thread with my dumb Windows issues.

Sheep fucked around with this message at 19:11 on Jun 17, 2016

TehRedWheelbarrow
Mar 16, 2011



Fan of Britches

Sheep posted:

NAP is fully deprecated now though?


Huh, guess I'll go throw something together and see i I can get this to work. Looking forward to the deluge of helpdesk tickets/pushback from users that adding a step to the logon process is going to cause.

yeah, but if you are new to VPN it runs through the basic concepts pretty well for client machine and account health and what important best practices are.. Ugh I meant NPS my bad.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

incoherent posted:

I heavily use AirWatch for all my mobile devices, which are Surfaces and iOS devices. The best thing about 8.1 and 10 is their MDM support built into the OS. Strongly consider standardising your platform on Windows 10, as there are a lot more features to work with.

If you think you're getting away from Active Directory, just stop right there. I regret not integrating my MDM with my on-prem AD (I was a really EARLY adopter so the LDAP\AD stuff wasn't as solid as it is now), as it is a pain managing people from two panes of glass. Eventually, to fully manage a Windows device, you'll need an AzureAD account configured as well.

Cool things:
Backs up the bitlocker key in the console
Push out standard configurations seamlessly
Bake in the MDM configurations into your Windows images using the new windows imaging toolkit.

Lame things:
Periodically tries to re-run bitlocker encryption to make sure it's encrypted (I think this is a windows limitation with no way to gracefully ask "r u locked?")
You need TWO SEPARATE windows mdm apps (one from the store, one that is a win32 app) as each provide different information back to the MDM console
Windows Mail app saying my workstation isn't compliant with regards to activesync security requirements, even though my Apple and 8.1 Windows mail apps work just fine.

E: also if you're moving wholesale to AW for your iOS devices take the time and effort to enroll your org into Apples Device Enrollment Program. It took a while to get going but I have my VAR and cellphone providers auto sending the hardware to apple to sync to my MDM, bypassing A TON of manual configurations.

That's all awesome info and thank you!

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

Sheep posted:

Being a not_Windows guy, I'm still confused as to how you're supposed to domain join roaming laptops that may never even be connected to the company network for weeks at a time without splurging for Enterprise. Azure ADDS isn't a mature thing yet so the only option remaining is DirectAccess which is obviously a no go because, again, Enterprise.

There is a free, very slim version of AzureAD you can use to do cheap SSO, which works to manage the Windows Store for Business and link your Active Directory to your MDM. From what I'm looking at you NEED a full-stop MDM like AirWatch or Meraki in addition to AzureAD. MDM is going to give you the tools you need like configuring wifi, VPN, AV, and BitLocker.

VPN is still going to be your go-to thing and it's not going away any time soon. If you let your MDM manage the configuration portion it removes all the complexity from your users.

e: and if you're a not_windows guy on a not_windows device (like a mac!) there are tools to manage the device as well. In fact Airwatch is mature on the iOS\mac stuff and emerging on the windows stuff (see my post about rough edges).

Sheep
Jul 24, 2003
FWIW I would not call Meraki Systems Manager a legit MDM solution, at least for Windows devices. The options look decent enough for OS X/iOS and Android is probably kind of meh but the Windows options are pretty slim and it fails in some pretty spectacular ways (application installation is very hit or miss on Windows 10 and we've got an open ticket about it going back to February with no real resolution in sight).

Edit also can't push VPN configuration to Windows devices with Meraki :v:

Sheep fucked around with this message at 20:41 on Jun 17, 2016

Eikre
May 2, 2009
Is there a good utility or process by which I can spoof Win10 validation on a machine (to claim free upgrades), short of actually installing Win10?

I have a suite of testbench workstations and... stuff, and I would like to have Win10 in the options box for them but don't really wanna underwrite the upgrade for some of them right now.

redeyes
Sep 14, 2002

by Fluffdaddy

Eikre posted:

Is there a good utility or process by which I can spoof Win10 validation on a machine (to claim free upgrades), short of actually installing Win10?

I have a suite of testbench workstations and... stuff, and I would like to have Win10 in the options box for them but don't really wanna underwrite the upgrade for some of them right now.

Upgrade from Windows 7/8 which is activated and done.

Aunt Beth
Feb 24, 2006

Baby, you're ready!
Grimey Drawer

redeyes posted:

Upgrade from Windows 7/8 which is activated and done.
Seriously, this.

Super Slash
Feb 20, 2006

You rang ?
Currently awaiting order authorisation for way too long:
- Server Warranty
- SQL Server + Cals
- Salesforce Licenses

C'est la vie, I love not getting poo poo done

Potato Salad
Oct 23, 2014

nobody cares


Play leapfrog. Image Win7 device. Upgrade to 10. Image Windows 10 device. Re-image to 7.

Dans Macabre
Apr 24, 2004


Speaking of imaging.

If I buy let's say 10 Dell laptops that come with OEM key, is there a way for me to create an image (without a key or with some random vlsc key), deploy it, and then have Windows suck the key out from BIOS? I know I was able to do this with MS Surfaces.

And to go crazy for a moment how big of a downside would it be to straight up use the Dell OEM image, and customize on top of that using GPO to add/remove programs and settings? Dells don't come with pre-installed AV anymore which I recall being the biggest headache.

edit to clarify: I understand I can be "legit" by just using the one VLSC key, since I technically have licenses for all the laptops from oem. But won't I eventually run into an issue where the OS maxes out activations?

edit 2: actually I just want to create an image with no key at all and have the key applied on deployment from the bios

Dans Macabre fucked around with this message at 21:50 on Jun 22, 2016

CloFan
Nov 6, 2004

Could you use a VAR to image the computers for you? 10 may be too small a number, but that's what we do when we purchase machines.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
Google get_win8key.exe

Some guy made it to suck out the OEM key. Combine it with slmgr.vbs for auto-activate goodness

Dans Macabre
Apr 24, 2004


nice

Dans Macabre
Apr 24, 2004


CloFan posted:

Could you use a VAR to image the computers for you? 10 may be too small a number, but that's what we do when we purchase machines.

What do you do if a user gets a virus and needs machine reimaged?

pixaal
Jan 8, 2004

All ice cream is now for all beings, no matter how many legs.


Swink posted:

Google get_win8key.exe

Some guy made it to suck out the OEM key. Combine it with slmgr.vbs for auto-activate goodness

Instead of using 3rd party stuff you can get it using Command Prompt or Powershell

CMD
wmic path softwarelicensingservice get OA3xOriginalProductKey

Powershell
(Get-WmiObject -Query 'select * from SoftwareLicensingService').OA3xOriginalProductKey

Powershell is still going to be using WMI, but it's whatever works best with what you have. I believe this pulls from the BIOS; you might want to test it. If not, you could have a script run one of the commands against all of your computers, compile all the keys into a CSV, and have the computers read from that during install, preferably matching against the BIOS serial; using the computer name would be asking for trouble.

CMD
wmic bios get serialnumber

Will get you the Serial number. Throwing that into a nice script if you need to shouldn't take long, the CSV file is going to be the only ugly part.

This should work with Windows XP+ and Server 2008+ (non R2). Powershell can be kind of frustrating on an old OS that doesn't support half the functions. You might be able to find something more elegant.
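The collect-into-a-CSV-keyed-by-serial approach pixaal sketches above, written out as an added example (not the poster's script). It assumes CIM/WinRM access to the listed computers, that the CSV sits on a share the deployment task can reach, and that the computer names and share path (placeholders here) are replaced with your own; on pre-Vista hosts swap Get-CimInstance for the Get-WmiObject form shown in the post.

```powershell
# Added example (not from the thread): inventory the firmware OEM product key
# (OA3xOriginalProductKey) and BIOS serial from a list of machines into a CSV,
# then on a freshly imaged machine look up its own serial and install the key.
# Computer names and the share path below are placeholders.

$ComputerList = @('PC-PLACEHOLDER-01', 'PC-PLACEHOLDER-02')   # constructed names
$CsvPath      = '\\deployserver\deploy$\oemkeys.csv'         # placeholder share

function Export-OemKeyInventory {
    param([string[]]$Computers, [string]$Path)

    $rows = foreach ($c in $Computers) {
        try {
            # Both classes live in root\cimv2. OA3xOriginalProductKey is read from
            # the firmware MSDM table and is empty on machines without an OEM key.
            $lic  = Get-CimInstance -ComputerName $c -ClassName SoftwareLicensingService -ErrorAction Stop
            $bios = Get-CimInstance -ComputerName $c -ClassName Win32_BIOS -ErrorAction Stop
            [pscustomobject]@{
                ComputerName = $c
                Serial       = $bios.SerialNumber.Trim()
                ProductKey   = $lic.OA3xOriginalProductKey
            }
        } catch {
            Write-Warning "Skipping ${c}: $($_.Exception.Message)"
        }
    }
    # Skip machines that reported no OEM key instead of writing empty rows.
    # The resulting file contains product keys: restrict the share ACL to the
    # deployment account and admins.
    $rows | Where-Object { $_.ProductKey } | Export-Csv -Path $Path -NoTypeInformation
}

function Install-KeyBySerial {
    param([string]$Path)

    # Match on the BIOS serial, never the computer name: names get reused,
    # serials do not.
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()

    # Prefer the key still present in this machine's firmware; fall back to
    # the CSV row recorded for this serial.
    $key = (Get-CimInstance -ClassName SoftwareLicensingService).OA3xOriginalProductKey
    if (-not $key) {
        $row = Import-Csv -Path $Path | Where-Object { $_.Serial -eq $serial } | Select-Object -First 1
        if (-not $row) { throw "No OEM key recorded for serial '$serial'" }
        $key = $row.ProductKey
    }

    # slmgr.vbs /ipk installs the key and /ato attempts activation; cscript
    # keeps both calls non-interactive so they can run from a task sequence.
    & cscript.exe //Nologo "$env:SystemRoot\System32\slmgr.vbs" /ipk $key
    & cscript.exe //Nologo "$env:SystemRoot\System32\slmgr.vbs" /ato
}

# On the admin workstation:   Export-OemKeyInventory -Computers $ComputerList -Path $CsvPath
# On the newly imaged machine: Install-KeyBySerial -Path $CsvPath
```

In practice the fallback branch is the interesting part: a machine whose firmware still carries its OEM key activates from that directly, so the CSV only matters for boards whose MSDM table is missing or was cleared, which is exactly the case pixaal says to test for.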

Happiness Commando
Feb 1, 2002
$$ joy at gunpoint $$

My boss wants me to do a dry run of a SBS 2008 to 2012 R2/Essentials Experience migration just to confirm that SBS will start the 21 day timer once FSMO roles are transferred. That seems dumb, since MS documentation clearly indicates that it will happen. I guess I will do it instead of punching my own face. Is there any reason to not load this sucker up with every LOB app I need(including 2 or maybe 3 different SQL server instances) *before* transferring the FSMO roles, just to minimize any chance of poo poo loving up and then running into timer-related issues?

TehRedWheelbarrow
Mar 16, 2011



Fan of Britches

Happiness Commando posted:

My boss wants me to do a dry run of a SBS 2008 to 2012 R2/Essentials Experience migration just to confirm that SBS will start the 21 day timer once FSMO roles are transferred. That seems dumb, since MS documentation clearly indicates that it will happen. I guess I will do it instead of punching my own face. Is there any reason to not load this sucker up with every LOB app I need(including 2 or maybe 3 different SQL server instances) *before* transferring the FSMO roles, just to minimize any chance of poo poo loving up and then running into timer-related issues?

Only thing I will say about ESSENTIALS that isn't outright swearing and frothing is: use the wizards and don't even think for a second you can do anything manually. It almost always fucks up.

That being said, I did that exact same migration for a client and it worked well. Didn't migrate SQL though, as I prefer to have that running on a separate machine.

CloFan
Nov 6, 2004

NevergirlsOFFICIAL posted:

What do you do if a user gets a virus and needs machine reimaged?

We provided the original PXE image to the vendor, so we can manually reimage if needed. Just saves initial setup time, really. They also asset tag and unbox for us. I guess it may be more trouble than it's worth for small purchases, I subscribe to this thread because we're a mid-sized shop with a small budget :shobon:

Happiness Commando
Feb 1, 2002
$$ joy at gunpoint $$

SneakyFrog posted:

Only thing i will say about ESSENTIALS that isnt outright swearing and frothing is use the wizards and dont even think for a second you can do anything manually. It almost always fucks up.

At least with a modern Essentials I'm not limited to Powershell V2 :argh:


Necronomicon
Jan 18, 2004

Anybody have any experience with Google Apps for Work lining up with Apache DS?

This may be a simple question, but there are two things I'm trying to do. Our company LDAP (administered through Apache DS) syncs up with Google Apps for Work on an ad-hoc basis, and there is currently no functionality for self-service password reset as far as I'm aware. This worked with like 30 employees all in one localized office, but we've been expanding and bringing on a lot of remote workers, which kind of exposes the weakness of our current setup.

Are there any (preferably open source) solutions that would allow a user to do this over a browser interface?

Also (and this isn't as important), is there a way to expose our LDAP server internally as an employee directory? We just have a shared Google Sheets document right now, but it's not ideal.
