|
wolrah posted:Ahh, that makes sense. I'll have to look in to that just in general tomorrow, I have a few customers like this one with a single server (that often also like this one was configured somewhat idiotically) so a remote spare DC would be nice. I wish Samba4 was usable so I could run secondary DCs without licensing concerns, but AFAIK its still missing enough to matter and I've been burned by that idea once before (ran a NT4 domain on Samba 3 for a few years, gently caress that). If you're running Windows Server in Azure, the licensing is covered in the per-minute cost of the VM. edit: Reference: https://azure.microsoft.com/en-us/pricing/licensing-faq/
|
#
?
Feb 17, 2017 01:49
|
|
|
|
| # ? May 28, 2024 23:34 |
|
|
Having some issues with WSUS on 2012R2... We have a master server with 7 replicas. I recently enabled Office updates on the master server. This new product selection filtered down to the replica servers when they synced as it should have. My problem is that replica servers show computers needing the office updates ("Needed, Not Approved"), but if I look at the same computer on the master, it does not show the office updates are needed, nor do the updates appear in the Needed Updates selection so I can approve them on the master. Master console:  Replica console:  All the replicas are set to roll back reports to the master. All clients with Office have reported in. All other updates are working 100%, I can approve them on the master, clients will install them and status is correctly reported back. But for some reason the office updates are not working. Anyone have any ideas? Edit: WSUS is such a fickle beast. Look at it wrong and it breaks. Said screw it and just using WSUS Offline to download the needed updates. Only need to update a handful of systems, so that will do for now until I manage to fix WSUS. stevewm fucked around with this message at 20:22 on Feb 17, 2017 |
|
#
?
Feb 17, 2017 18:07
|
|
|
I don't have a replica to test on at the moment, but if the master has the correct sync'd data, what if you just clean up the replicas and re-sync?
|
|
#
?
Feb 17, 2017 20:36
|
|
|
FreelanceSocialist posted:I don't have a replica to test on at the moment, but if the master has the correct sync'd data, what if you just clean up the replicas and re-sync? They both appear to have the same data about the updates. But the master is not seeing the status of the updates from the replica. This is only happening with these new office updates. All other Windows updates correctly show status on both the replicas and master. The replicas show correctly that computers need the updates. But this is not reflected on the master. Strangely however, if I manually search for the updates on the master and approve them, the replicas receive this change on the next sync and will successfully download and install the update! Been pouring through the logs on both replica and master, cannot see any issues. No errors.
|
|
#
?
Feb 17, 2017 20:41
|
|
|
Ugh I'm saddened I even have to ask this, but I can't find the answer, my google-fu is failing me. Client bought office 365 home premium and wants to install it on a few work machines, is there some sort of limitation on that install so that it won't go onto domain machines?
|
|
#
?
Feb 20, 2017 23:49
|
|
|
MF_James posted:Ugh I'm saddened I even have to ask this, but I can't find the answer, my google-fu is failing me. Client bought office 365 home premium and wants to install it on a few work machines, is there some sort of limitation on that install so that it won't go onto domain machines?
|
|
#
?
Feb 20, 2017 23:57
|
|
|
anthonypants posted:There is no such limitation. Alright then, we have some other issue, thanks.
|
|
#
?
Feb 20, 2017 23:58
|
|
|
You're violating the terms of the license by using it commercially, which you probably don't want to assist your client with if you're an MS partner.
|
|
#
?
Feb 21, 2017 00:13
|
|
|
Thanks Ants posted:You're violating the terms of the license by using it commercially, which you probably don't want to assist your client with if you're an MS partner. Not an MS partner, and I'm aware. Already have an email from my boss saved where I brought that up and he said "Just Do It"
|
|
#
?
Feb 21, 2017 00:14
|
|
|
Is there any good way to change the local administrator accounts on domain computers? I don't want to use group policy preferences, but it'd be nice if there was some other group policy or sccm based solution.
|
|
#
?
Feb 21, 2017 19:29
|
|
|
Orcs and Ostriches posted:Is there any good way to change the local administrator accounts on domain computers? I don't want to use group policy preferences, but it'd be nice if there was some other group policy or sccm based solution. This post is so confusing. Why would you give a poo poo which part of group policy you use?
|
|
#
?
Feb 21, 2017 19:46
|
|
|
Because group policy preferences store the password unencrypted or easily unencrypted in sysvol.
|
|
#
?
Feb 21, 2017 19:47
|
|
|
Phone posting but there's an MS toolkit for managing local admin accounts.
|
|
#
?
Feb 21, 2017 19:50
|
|
|
Orcs and Ostriches posted:Because group policy preferences store the password unencrypted or easily unencrypted in sysvol. If that was your concern you probably should have said so. Powershell is basically the best option for doing it all at once. LAPS is the tool they made to do what you are wanting to do but I personally dislike it.
|
|
#
?
Feb 21, 2017 19:51
|
|
|
Sickening posted:If that was your concern you probably should have said so. Powershell is basically the best option for doing it all at once. LAPS is the tool they made to do what you are wanting to do but I personally dislike it. I like laps, but the available management tools leave something to be desired.
|
|
#
?
Feb 21, 2017 20:03
|
|
|
Thanks Ants posted:Phone posting but there's an MS toolkit for managing local admin accounts. https://technet.microsoft.com/en-us/mt227395.aspx
|
|
#
?
Feb 21, 2017 20:05
|
|
|
Besides, you can't input passwords anymore in GPP users, the textbox is greyed out.
|
|
#
?
Feb 21, 2017 20:55
|
|
|
pofcorn posted:Besides, you can't input passwords anymore in GPP users, the textbox is greyed out.
|
|
#
?
Feb 21, 2017 21:18
|
|
|
I like LAPS in that it does exactly what it says it does and nothing else, but it is very no frills
|
|
#
?
Feb 21, 2017 21:33
|
|
|
I don't think I'm going crazy but I cannot for the life of me find MS documentation on the Schema updates for Windows Server 2016 and Active Directory. The docs I find on technet stop with 2012R2
|
|
#
?
Feb 22, 2017 00:06
|
|
|
skipdogg posted:I don't think I'm going crazy but I cannot for the life of me find MS documentation on the Schema updates for Windows Server 2016 and Active Directory. The docs I find on technet stop with 2012R2 Welcome to Microsoft. We never write anything down!
|
|
#
?
Feb 22, 2017 01:34
|
|
|
SEKCobra posted:Most companies just wanna know what sites you are browsing to exactly. This. My company seems to be moving to that misguided security mindset that 100% visibility = 100% security. Gotta see everything all the time to be safe!!
|
|
#
?
Feb 23, 2017 22:28
|
|
|
Anyone happen to know if you can retrieve the Host of a VM using SPF's API? I can retrieve a ton of info about the guest itself except for what host it's on ( https://msdn.microsoft.com/en-us/library/dn470013.aspx )
|
|
#
?
Feb 27, 2017 19:04
|
|
|
So I checked out LAPS, and it's not going to quite cut it for us. Is there anything else out there that lets me actually pick the password it resets the local admin account to, or does it have to be randomized? Because quite frankly, a randomized password reset ever week, unique for 1500 machines is pretty pointless. I might as well just disable the account if I'm never going to be able to get into it.
|
|
#
?
Feb 27, 2017 19:16
|
|
|
Orcs and Ostriches posted:So I checked out LAPS, and it's not going to quite cut it for us. Is there anything else out there that lets me actually pick the password it resets the local admin account to, or does it have to be randomized?
|
|
#
?
Feb 27, 2017 19:26
|
|
|
anthonypants posted:Why is securing the local admin account considered pointless? It's pointless to have it active, because no one (not even me) can get into it. It would be secure if I could set it to a specific password every month, and it would have the plus side of me being able to log into it. If it's effectively random at any given time for any given machine, I might as well just disable the account.
|
|
#
?
Feb 27, 2017 19:29
|
|
|
Orcs and Ostriches posted:So I checked out LAPS, and it's not going to quite cut it for us. Is there anything else out there that lets me actually pick the password it resets the local admin account to, or does it have to be randomized? It stores the credential in AD similar to how it stores Bitlocker keys. What's the problem?
|
|
#
?
Feb 27, 2017 19:30
|
|
|
Wrath of the Bitch King posted:It stores the credential in AD similar to how it stores Bitlocker keys. What's the problem? Hopping on to a working machine to VPN back to my office to RDP into my computer to open up the LAPS tool or powershell prompt to find a password for a given machine just seems like a hassle to log in.
|
|
#
?
Feb 27, 2017 19:32
|
|
|
Yeah, I don't get the problem. You can specify how often the passwords refresh, and if you ever need local admin access, you just look up the password for the computer you need.
|
|
#
?
Feb 27, 2017 19:33
|
|
|
Hopefully you have RSAT on whatever your primary machine is so you can pull the password at your leisure when necessary. Sorry, still not seeing the difficulty. It's easier than having some kind of password vault that you have to fetch things out of, even.
|
|
#
?
Feb 27, 2017 19:35
|
|
|
Yeah, I have RSAT on my machine, but when I'm across the city working on a different computer, that doesn't help me. And I can look up passwords ahead of time, but then I'll be carrying dozens of passwords around with me whenever I go a different site.
|
|
#
?
Feb 27, 2017 19:39
|
|
|
I take it you don't have any sort of domain authentication at these sites? It all requires local for some reason? That's the only setup I can think of where this would be remotely inconvenient.
|
|
#
?
Feb 27, 2017 19:42
|
|
|
Why do you need to use the local administrator account so badly? Why can't you put your own admin account, or admins group, into the local machines' Administrators group using Group Policy?
|
|
#
?
Feb 27, 2017 19:42
|
|
|
Why don't you get one of those computers that can be moved around?
|
|
#
?
Feb 27, 2017 19:43
|
|
|
Thanks Ants posted:Why don't you get one of those computers that can be moved around? http://oldcomputers.net/pics/compaqI.JPG
|
|
#
?
Feb 27, 2017 19:46
|
|
|
It's not extremely common that we need the local admin one, but if there's some sort of network disruption on the device, or the domain login service messes up, the local's all we can do. And if the 40GB hard drives on these 13 year old pieces of poo poo fill up, you can't log in with a domain account either. Laptops are off the wireless too long? Can't authenticate domain accounts either, so unless I'm sitting in front of a network jack, I need the local admin. Like I could set my Enterprise administrator account password to "password" with no expiry. Want to change local admin passwords to something I could remember? Whoah there, hold the loving phone. With that sort of power you need a 25 random digit password every week. Thanks Ants posted:Why don't you get one of those computers that can be moved around? You buying me one? Because work isn't, and I'm not.
|
|
#
?
Feb 27, 2017 19:48
|
|
|
Orcs and Ostriches posted:It's not extremely common that we need the local admin one, but if there's some sort of network disruption on the device, or the domain login service messes up, the local's all we can do. You do a large amount of remote/moving around work, and your company won't spring for a laptop for you? Get a new loving job.
|
|
#
?
Feb 27, 2017 19:50
|
|
|
CLAM DOWN posted:You do a large amount of remote/moving around work, and your company won't spring for a laptop for you? Get a new loving job. Are you hiring?
|
|
#
?
Feb 27, 2017 19:51
|
|
|
Well, based on what you're saying there is no tenable admin password solution for your situation considering the entire infrastructure is broken down dilapidated poo poo. I mean, cached credentials with a domain account should still work even if the domain goes poof, but I digress.
|
|
#
?
Feb 27, 2017 19:51
|
|
|
|
| # ? May 28, 2024 23:34 |
|
|
Orcs and Ostriches posted:.......And if the 40GB hard drives on these 13 year old pieces of poo poo ....... Extrapolating from the above, I'm thinking normal IT logic and workflows might not apply to his situation.
|
|
#
?
Feb 27, 2017 19:53
|
|