|
Zero VGS posted:Something I never knew about PDQ Deploy / Inventory, you don't actually need to renew every year, they told me themselves the licenses are actually in perpetuity and renewing is for upgrades / support. They're already a very good deal but that makes it even easier to sell when you're on a limited budget. It also includes updates to the software library, which is necessary for auto deployments.
|
# ? Feb 21, 2018 22:34 |
|
Tab8715 posted:Is there a way to block regular users from Azure AD?
It's called a Directory Service for a reason.
|
# ? Feb 21, 2018 23:27 |
|
Jeoh posted:It's called a Directory Service for a reason.
It is but we’re typically able to limit users from Administrative Tools.
|
# ? Feb 22, 2018 03:23 |
|
Tab8715 posted:It is but we’re typically able to limit users from Administrative Tools.
|
# ? Feb 22, 2018 03:31 |
|
For what reason do you want to keep dudes out of azure ad console? As in, what exactly is your security concern?
|
# ? Feb 22, 2018 03:40 |
|
peak debt posted:Trip report: We just installed the Spectre updates on our Citrix servers and servers that used to be able to handle 25 users are now struggling with 18. We're now running with a totally safe spare number of servers of exactly zero. If we actually wanted to give people the same experience as before we'd have to go down to maybe 16-17 users per server.
All the Windows Server patches were explicitly opt-in, whereas desktops were opt-out. Is your Citrix deployment VDI or RDP?
|
# ? Feb 24, 2018 01:28 |
|
3d rdsh? VGPU? Dgpu?
|
# ? Feb 24, 2018 03:13 |
|
Disclaimer: I'm the user. Any ideas why Windows won't accept a new password? I had a temporary one set but when I try to change it, it's not accepting any passwords I'm offering. For example, and I tried literally this, ÇITSMari0! which should meet all of the requirements (and no, I haven't used that password lately - or ever. Just made it up to test.)
|
# ? Feb 26, 2018 19:53 |
|
totalnewbie posted:Disclaimer: I'm the user.
Is it possible you are changing your password twice in one day? Some places have a minimum password age requirement to stop people from resetting them a bunch of times in a row to bypass the "not used in the last 12 passwords" requirement to go back to an old password.
|
# ? Feb 26, 2018 20:00 |
|
Internet Explorer posted:Is it possible you are changing your password twice in one day? Some places have a minimum password age requirement to stop people from resetting them a bunch of times in a row to bypass the "not used in the last 12 passwords" requirement to go back to an old password.
The old "zero days old" thing. That is probably it.
|
# ? Feb 26, 2018 20:04 |
|
Internet Explorer posted:Is it possible you are changing your password twice in one day? Some places have a minimum password age requirement to stop people from resetting them a bunch of times in a row to bypass the "not used in the last 12 passwords" requirement to go back to an old password.
Any idea why that is the default in AD? I feel like it's not a very useful strategy...
|
# ? Feb 26, 2018 22:20 |
|
Internet Explorer posted:Is it possible you are changing your password twice in one day? Some places have a minimum password age requirement to stop people from resetting them a bunch of times in a row to bypass the "not used in the last 12 passwords" requirement to go back to an old password.
Yes. This makes a lot more sense than my IT's answer of ¯\_(ツ)_/¯ Thanks!
|
# ? Feb 26, 2018 22:48 |
|
Beefstorm posted:Any idea why that is the default in AD? I feel like it's not a very useful strategy...
For exactly the reason I said. To stop people from changing their passwords enough times to get around the password history requirement.
totalnewbie posted:Yes. This makes a lot more sense than my IT's answer of ¯\_(ツ)_/¯
My pleasure. Yeah, throws a lot of people for a loop if they haven't been exposed to it before.
|
# ? Feb 26, 2018 23:30 |
|
It is mildly annoying that when I, the administrator, reset someone's password in AD, it does not negate the "Cannot change password more than once every X hours" setting.
|
# ? Feb 27, 2018 10:12 |
|
MF_James posted:It is mildly annoying that when I, the administrator, reset someone's password in AD, it does not negate the "Cannot change password more than once every X hours" setting.
|
# ? Feb 27, 2018 17:02 |
|
Internet Explorer posted:For exactly the reason I said. To stop people from changing their passwords enough times to get around the password history requirement.
|
# ? Feb 27, 2018 17:42 |
|
Potato Salad posted:For what reason do you want to keep dudes out of azure ad console? As in, what exactly is your security concern?
Admin information which is available with many of the Get-AzureAD<$whatever>; while it might not be bad, we don’t want users poking around. I found that with a combination of Conditional Access, ADFS and Group Policy we’re able to lock this down, but I find it odd that to keep them out of the Web UI it’s a simple checkbox.
Gucci Loafers fucked around with this message at 18:39 on Feb 27, 2018 |
# ? Feb 27, 2018 18:35 |
|
wyoak posted:You can set the "must change password at next login", that'll let them change it
Yeah there is an environment we admin where that doesn't work due to RDP and NTLM auth from a different domain being the only access for most users, admin users have access to the iLO so we have more leeway. I suppose I could get them in with a password, reset it again and check the box so they can then RDP within the environment and I think that would work, but
|
# ? Feb 27, 2018 21:50 |
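The password-history and minimum-age interaction explained by Internet Explorer, and the reset behaviour MF_James and wyoak describe, as an added example that is not part of any post in the thread. It is a simplified model built on constructed accounts and passwords, not Active Directory's own logic; the function names and the 12-password / 1-day values are assumptions chosen to match the posts.

```powershell
# Simplified model of two password-policy rules (constructed for illustration):
#   history : a new password may not match any of the last N passwords
#   min age : a user may not change again until MinAge has passed since the last set
function New-Account([string]$Password, [datetime]$Now) {
    # History is newest-first and includes the current password.
    [pscustomobject]@{ History = @($Password); LastSet = $Now }
}

function Set-UserPassword {
    # User-initiated change: subject to both minimum age and history.
    param($Account, [string]$New, [datetime]$Now, [int]$HistoryCount, [timespan]$MinAge)
    # LastSet = $null models "User must change password at next logon".
    if ($null -ne $Account.LastSet -and ($Now - $Account.LastSet) -lt $MinAge) {
        return 'rejected: minimum password age not reached'
    }
    if ($Account.History -ccontains $New) {
        return 'rejected: password is in the history'
    }
    $Account.History = @(@($New) + $Account.History | Select-Object -First $HistoryCount)
    $Account.LastSet = $Now
    'accepted'
}

function Reset-UserPassword {
    # Administrative reset: not checked against minimum age, but it restarts
    # the clock for the user unless the must-change flag is set.
    param($Account, [string]$New, [datetime]$Now, [int]$HistoryCount, [switch]$MustChange)
    $Account.History = @(@($New) + $Account.History | Select-Object -First $HistoryCount)
    $Account.LastSet = if ($MustChange) { $null } else { $Now }
}

$t0 = [datetime]'2018-02-26T09:00:00'

# 1. Why minimum age exists: cycle 12 throwaway passwords, then reuse the original.
foreach ($minAge in [timespan]::Zero, [timespan]::FromDays(1)) {
    $acct = New-Account 'Original-Pw1' $t0
    $results = foreach ($i in 1..12) {
        Set-UserPassword $acct "Throwaway-$i" $t0.AddMinutes($i) 12 $minAge
    }
    $reuse = Set-UserPassword $acct 'Original-Pw1' $t0.AddMinutes(13) 12 $minAge
    $ok = @($results -eq 'accepted').Count
    "MinAge=$($minAge.TotalDays)d  throwaway changes accepted: $ok  reuse of original: $reuse"
}

# 2. Temporary password from the help desk, then the user tries to change it.
$oneDay = [timespan]::FromDays(1)
$acct = New-Account 'Original-Pw1' $t0
Reset-UserPassword $acct 'Temp-Pw1' $t0.AddDays(30) 12
"After plain reset:       " + (Set-UserPassword $acct 'Chosen-Pw1' $t0.AddDays(30).AddMinutes(5) 12 $oneDay)
Reset-UserPassword $acct 'Temp-Pw2' $t0.AddDays(30).AddMinutes(10) 12 -MustChange
"After must-change reset: " + (Set-UserPassword $acct 'Chosen-Pw1' $t0.AddDays(30).AddMinutes(15) 12 $oneDay)
```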
|
It sure would be cool if Azure AD could be managed to even 10% of how regular AD could be managed.
|
# ? Feb 28, 2018 06:06 |
|
I have a printing conundrum here that maybe someone can give me some pointers for...
Our primary business application is run on a remote desktop farm with 2 hosts. The software uses a kind of go-between layer for printers. You define a printer # inside the software and link that # to a local windows printer. The software itself prints to these printer #'s.
Because of this any printer the software uses must be installed as a local printer queue on the terminal server host. Additionally, the windows printer name CANNOT change. Otherwise the link between the printer # and the local windows printer will be invalid. This particular point has always ruled out using RDP redirected printers, as redirected printers always have a different name. (RDP redirected printing works, but means you have to fix the printer link on every login because the windows printer name is different)
Because of the above points, any new printers I add, I have to install them on both terminal servers. We also have a lot of printers. The result of this is that each terminal server has 90 printers installed and every user sees them all. We are preparing to set up a new terminal server farm, this time with 3 hosts, so this problem will only get worse.
Does anyone know of a piece of software that lets a user print over remote desktop to their default printer... BUT also presents the same printer name to the software running on the RDP host?
|
# ? Feb 28, 2018 16:25 |
|
You can use “net use” to redirect a network printer to LPT1, then a Windows printer queue set up pointing to LPT1, then your application points to that queue. This would only work if the printers are all the same. I used to do this a lot for printing from old DOS applications.
|
# ? Feb 28, 2018 16:49 |
|
There are also a lot of printer management applications that do what you're asking, things like Uniprint, ThinPrint, or PaperCut. Or even most manufacturers' print management tools. Citrix has options to configure printers in that way and I assume RDS does as well at this point. If you use a ton of different printers and printer models, it may be worth looking into Uniprint or ThinPrint.
|
# ? Feb 28, 2018 17:04 |
|
Is the software Cognos?
|
# ? Feb 28, 2018 18:25 |
|
Sudden Loud Noise posted:It sure would be cool if Azure AD could be managed to even 10% of how regular AD could be managed.
With Azure AD Premium stuffs it seems likely we will get there eventually. That may be a long, long, time.
|
# ? Feb 28, 2018 18:54 |
|
It takes a while to get your head around but it's rapidly developing and changing. It also totally depends on your user base as to whether losing stuff like GPO is a problem or not - EM+S is great for light-touch management where nobody shares a PC and the staff are clued up enough to be able to deal with self-service.
|
# ? Feb 28, 2018 19:09 |
|
Thanks Ants posted:Is the software Cognos?
No... SpruceWare.NET. A POS/EDI software designed for commercial lumber yards.
|
# ? Feb 28, 2018 19:13 |
|
stevewm posted:No...
This has been mentioned, but it sounds like something like PaperCut will work well for you. It has find me printing, so you could just have one virtual queue, and release it at the printer you want.
|
# ? Feb 28, 2018 20:29 |
|
Beefstorm posted:This has been mentioned, but it sounds like something like PaperCut will work well for you.
I set this up at my company. Works great and we have it configured to release jobs by scanning your badge. It’s not hard to set up on top of an existing print server environment.
|
# ? Mar 1, 2018 01:17 |
|
Haven't touched sccm for a couple years. Is pxe booting to uefi for windows 10 a thing now? I am googling it and it appears it is but I wasn't able to find any documentation or guides. Can someone point me in the right direction?
Also is anyone using the windows 10 servicing feature? Haven't looked much into yet but wondering if this is the norm.
lol internet. fucked around with this message at 05:41 on Mar 1, 2018 |
# ? Mar 1, 2018 05:37 |
|
lol internet. posted:Haven't touched sccm for a couple years. Is pxe booting to uefi for windows 10 a thing now?
Servicing is awesome if you have no customization in your task sequence and there are no organizational expectations of communication, control, or reporting. I've resorted to slowly working on reducing the expectation of each of those in the hopes that we can use servicing in like... 2020.
|
# ? Mar 1, 2018 07:40 |
|
lol internet. posted:Haven't touched sccm for a couple years. Is pxe booting to uefi for windows 10 a thing now?
Let me save you a huge headache. Just talk your network techs into putting your Distribution Point IP as an IPHELPER (assuming it's set to accept PXE requests). Buy them lunch maybe treat them to some beers after work if that's what it takes. Using DHCP Scope Options isn't very reliable especially if you have a mixed BIOS and UEFI environment. If that's not an option, just continue to PXE to BIOS and add UEFI conversion steps in your task sequence.
I'm in the process of formalizing our Windows 10 Servicing standard. We use very picky telephony software with custom in-house plug-ins so any major changes to the .NET framework requires a lot of testing. I've convinced my boss to keep our call center computers 1 version behind, move corporate users to CBB and IT at CB. Like with any patching policy you have to set expectation. I have a very strict patching schedule once a month and still get complaints that I'm making people "REBOOT MY drat MACHINE ALL THE GOD DAMNED TIME". Can't wait for laptop users to bitch that their computer is taking 10-15 mins to update.
|
# ? Mar 1, 2018 12:58 |
|
Sacred Cow posted:Let me save you a huge headache. Just talk your network techs into putting your Distribution Point IP as an IPHELPER (assuming it's set to accept PXE requests). Buy them lunch maybe treat them to some beers after work if that's what it takes. Using DHCP Scope Options isn't very reliable especially if you have a mixed BIOS and UEFI environment. If that's not an option, just continue to PXE to BIOS and add UEFI conversion steps in your task sequence.
Thanks. Since we're on the topic of updates. I guess it's no longer possible to defer feature updates indefinitely if we wanted to? What would happen if we never set up a servicing plan for a machine and used the gpos to point at the sccm server? Would windows 10 just go to the internet for the update or update anyways through the sccm server?
|
# ? Mar 1, 2018 18:33 |
|
lol internet. posted:Thanks. Since we're on the topic of updates. I guess it's no longer possible to defer feature updates indefinitely if we wanted to? What would happen if we never set up a servicing plan for a machine and used the gpos to point at the sccm server? Would windows 10 just go to the internet for the update or update anyways through the sccm server?
I believe beginning with 1709 you have to manually approve the upgrade in WSUS or deploy through SCCM. Even if you don't turn off the option to check Windows Updates over the internet, the update will fail telling the user their device is managed and can't install. Just a warning, this is my experience with Enterprise edition. I'm not sure if the same is true if you're using Pro.
You also don't have to use Win 10 servicing. You can deploy the update individually like an application. Servicing keeps it from becoming a chore. It's the same as Automatic Deployment Rules with more options.
|
# ? Mar 1, 2018 18:57 |
|
lol internet. posted:Thanks. Since we're on the topic of updates. I guess it's no longer possible to defer feature updates indefinitely if we wanted to? What would happen if we never set up a servicing plan for a machine and used the gpos to point at the sccm server? Would windows 10 just go to the internet for the update or update anyways through the sccm server?
You stop getting Security Updates 18 months after the build you're on was released (Semi-Annual Channel - Targeted). Welcome to the treadmill. LTSC is not an option if you use OfficeProPlus (only the VL office will be supported on LTSC).
Servicing is best done as an In-Place Upgrade from one build to the next using a task sequence so you can unfuck the mess MS makes by reinstalling all the store apps that you don't want and such. Please yell at your TAM. Eventually they'll figure out that we actually want to use servicing the "right" way but can't because they are being dicks about some of the store app stuff.
Totally not bitter and angry though.
|
# ? Mar 1, 2018 20:16 |
|
I have DHCP options to offer either BIOS or UEFI boot files depending on the client (the client actually passes if it's BIOS or UEFI to the DHCP server) because the network team refused to allow IPHelpers but it is possible to do it without them.
|
# ? Mar 2, 2018 05:40 |
|
Zaepho posted:Servicing is best done as an In-Place Upgrade from one build to the next using a task sequence so you can unfuck the mess MS makes by reinstalling all the store apps that you don't want and such. Please yell at your TAM. Eventually they'll figure out that we actually want to use servicing the "right" way but can't because they are being dicks about some of the store app stuff.
Is there any way to not have every feature update reinstall the store apps? I was reading online if you did a DISM on the win to remove the actual apps, they aren't re-installed at the servicing updates? I guess most people are scripting the images to be removed after the task sequence applies the image?
Also, I assume you can apply the feature/service updates directly to the windows 10 image by right clicking on the image > schedule updates like you used to be able to in Windows 7/8.
Also how is everyone going about dealing with the semi annual feature updates? Is anyone actually keeping on top of them? Any horror stories?
lol internet. fucked around with this message at 10:20 on Mar 6, 2018 |
# ? Mar 6, 2018 09:06 |
|
lol internet. posted:Is there any way to not have every feature update reinstall the store apps? I was reading online if you did a DISM on the win to remove the actual apps, they aren't re-installed at the servicing updates? I guess most people are scripting the images to be removed after the task sequence applies the image?
Unfortunately you can't stop those apps from installing or at least "advertising" on the Start Menu unless you use Group Policy to standardize the layout. Most of the time the junk apps aren't actually installed. When you click on them they open up the Windows Store and have you confirm that you want to download it which you can prevent by either blocking the Windows Store or only allowing access to your company store using GPO.
No, you cannot apply feature updates through Schedule Updates. I just tested on both my 1607 image (which weirdly only shows Windows 8.1 updates) and my 1703 image. In fact, when you pick Schedule Updates for any release of Windows 10, it will show updates for ALL versions. My 1703 image is showing updates available for 1511, 1607, 1703 and 1709. Just something to keep in mind if you plan on using that.
The only horror story I have is discovering that the old Help Desk team used to deploy Windows 10 by imaging their computers with Windows 7 Pro then using the free upgrade to update it to Windows 10 because they didn't know how to make a new image. I don't know if it's just my environment but I can't seem to get those to update past 1511 even if I upgrade the license to Enterprise. They'll be getting "new" computers.
FISHMANPET posted:I have DHCP options to offer either BIOS or UEFI boot files depending on the client (the client actually passes if it's BIOS or UEFI to the DHCP server) because the network team refused to allow IPHelpers but it is possible to do it without them.
How did you pull that off? I tried following a Fog article on using DHCP Scope Policies but was never able to get that to work.
|
# ? Mar 6, 2018 13:38 |
|
Sacred Cow posted:Unfortunately you can't stop those apps from installing or at least "advertising" on the Start Menu unless you use Group Policy to standardize the layout. Most of the time the junk apps aren't actually installed. When you click on them they open up the Windows Store and have you confirm that you want to download it which you can prevent by either blocking the Windows Store or only allowing access to your company store using GPO.
You can remove these junk links by simply disabling the "Microsoft Consumer Experience" either in Group Policy or setting the appropriate registry value.
For universal apps that get reinstalled by a feature upgrade, I keep a list of package names for the applications that we don't want and have a script in our upgrade task sequence that iterates through the list running Remove-AppxProvisionedPackage on each one. That's the easiest way to manage them that I found.
|
# ? Mar 6, 2018 14:08 |
|
Sacred Cow posted:Unfortunately you can't stop those apps from installing or at least "advertising" on the Start Menu unless you use Group Policy to standardize the layout. Most of the time the junk apps aren't actually installed. When you click on them they open up the Windows Store and have you confirm that you want to download it which you can prevent by either blocking the Windows Store or only allowing access to your company store using GPO.
Computer Configuration > Administrative Templates > Windows Components > Cloud Content > "Turn off Microsoft consumer experiences"
or via the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent
DisableWindowsConsumerFeatures (DWORD) = 1
...efb
|
# ? Mar 6, 2018 14:09 |
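One way to script the two measures from the posts above (the consumer-experience policy value and the list-driven Remove-AppxProvisionedPackage step), as an added example that is not either poster's script. The function names and the package list are assumptions; the list holds sample display names only and should be replaced with your own.

```powershell
#Requires -RunAsAdministrator
# Sample list (assumption): display names of provisioned apps to strip after an upgrade.
$UnwantedApps = @(
    'Microsoft.BingWeather',
    'Microsoft.XboxApp',
    'Microsoft.ZuneMusic',
    'Microsoft.ZuneVideo'
)

function Set-ConsumerFeaturesDisabled {
    # Registry equivalent of "Turn off Microsoft consumer experiences".
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
    if ($PSCmdlet.ShouldProcess($key, 'Set DisableWindowsConsumerFeatures = 1')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'DisableWindowsConsumerFeatures' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Remove-UnwantedProvisionedApp {
    # Removes matching provisioned packages and returns the names still present.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$DisplayName)

    # Provisioned packages are staged in the OS image and installed for each new profile.
    $provisioned = Get-AppxProvisionedPackage -Online
    foreach ($name in $DisplayName) {
        $match = $provisioned | Where-Object DisplayName -eq $name
        if (-not $match) {
            Write-Verbose "$name is not provisioned; nothing to do"
            continue
        }
        foreach ($pkg in $match) {
            if ($PSCmdlet.ShouldProcess($pkg.PackageName, 'Remove provisioned package')) {
                Remove-AppxProvisionedPackage -Online -PackageName $pkg.PackageName | Out-Null
            }
        }
    }
    # Re-query so the caller can verify the result instead of trusting the loop.
    Get-AppxProvisionedPackage -Online |
        Where-Object { $DisplayName -contains $_.DisplayName } |
        Select-Object -ExpandProperty DisplayName
}

Set-ConsumerFeaturesDisabled
$left = Remove-UnwantedProvisionedApp -DisplayName $UnwantedApps -Verbose
if ($left) {
    # Non-zero exit lets a task sequence step report the failure.
    Write-Error "Still provisioned: $($left -join ', ')"
    exit 1
}
```

Both functions accept `-WhatIf`, so the step can be dry-run on a reference machine before it goes into a task sequence.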
|
Goddamnit are we kidding here or what, paying an enormous amount of money for an Enterprise product and we gotta jump through 20 hoops to get rid of bloatware what the gently caress are you doing Microsoft
|
# ? Mar 6, 2018 14:36 |