|
So here's a question for any SCCM nerds in the thread: when you've deployed a compliance baseline to a collection of workstations, and you have a bunch that are noncompliant with the setting, is there any way to report on what the noncomplying setting actually is? Like for instance, I've got a powershell script checking for a count of things on the computer (in this case specific event log entries) and want the count to be under, say, five. I can get it to accurately report, "yes, it's under 5" or "no, it's not" but I can't seem to find a report or anything that tells me "no, it's not under 5 and here's what it actually is". This is in 2012 SP1.
|
#
?
Sep 29, 2014 19:01
|
|
|
|
| # ? May 31, 2024 20:48 |
|
|
Hey what should I do about these virtual Winxp machines that have to run windows xp for ~legacy~ whatevers? Can I just block WAN access from the firewall for them, is that good enough?
|
|
#
?
Sep 29, 2014 19:44
|
|
|
So I spoke with some coworkers today about integrating SCCM and MDT, and reviewed some documentation. Looks like SCCM you can build task sequences that actually install applications. You can apply a task sequence to unknown computers, to get them to do stuff as part of os deployment. But how can you identify what apps to deploy? I was reading you can create SCCM user defined variables that pop-up during install, but the documentation is kind of so so as to what is best practice, or normal practice. Like you can create a rule for PCs in certain OUs to put them in certain collections, but we don't much deploy software by OU. Perhaps we should. Basically, how do you identify what software to install to a PC, if the device records aren't pre-staged in SCCM, nor is the computer device pre-created in an OU that can be used for identification? Having it pop up a list of device collections for a tech to choose from would be ideal, and running the appropriate tasks. On the other side of the coin, I have a script maybe 80% done that does it the other way around. It asks the user what collection to apply the device to, puts the device in that group, determines what applications are deployed to that collection group, wakes up the agent, then scrapes c:\windows\ccm\appenforce.log for completion of the installs based on application name. SCCM seems really easy to control with PowerShell, so I don't think this will be a complex script at all, and it seems if you google, some people have come to similar solutions. It's kind of annoying, it doesn't feel right, but it will work I think. Meeting with some folks on Thursday to determine if we want to integrate with MDT or try to write our own stuff. If we do cut over to SCCM + MDT integration, it looks like the whole imaging process would change. Right now we PXE boot from MDT. Looks like we'd have to PXE boot from SCCM if I'm following it correctly, and MDT is only really an image source, or, test with boot media. SSH IT ZOMBIE fucked around with this message at 01:59 on Sep 30, 2014 |
|
#
?
Sep 30, 2014 01:57
|
|
|
NevergirlsOFFICIAL posted:Hey what should I do about these virtual Winxp machines that have to run windows xp for ~legacy~ whatevers? Can I just block WAN access from the firewall for them, is that good enough? If you have a pile of bucks and want to have some fun, could always look at something like NSX.
|
|
#
?
Sep 30, 2014 05:51
|
|
|
I've got a Surface Pro 3 with Windows 8.1 Pro. What are my options for getting this working with DirectAccess, which requires 8.1 Ent. There is no Ultimate equivalent in Win8 land, so I suppose I have to reimage the Surface with a VL copy of 8.1 Enterprise? Is there any universe where I don't have to have Win8 VL?
|
|
#
?
Sep 30, 2014 08:11
|
|
|
I'm going crazy over here. So, I've been trying to install MediaWiki on Azure with AD integration using the LDAP extension. It worked just fine on my laptop with a VM running AD on the same subnet and using an internal vSwitch. However, things change when I put it in Azure. I wanted to use it as a Website, not a VM running IIS, because I want it to be public. The website doesn't communicate with VMs I create though. I've tried connecting it with the Azure AD and nope, doesn't work. Does anyone have any tips for me? Can I add a website to an Azure virtual network? I'm a beginner in Azure. This architecture is so huge it's kind of overwhelming, to be honest.
|
|
#
?
Sep 30, 2014 09:59
|
|
|
SSH IT ZOMBIE posted:So I spoke with some coworkers today about integrating SCCM and MDT, and reviewed some documentation. Looks like SCCM you can build task sequences that actually install applications. So this is just how I've tackled things with my limited experience with SCCM so take everything with a large grain of salt. We run a lite touch deployment where after the PXE boot you select the computer name and what OU to put the computer in and then you get a drop down list of what software you want to install. This works for our environment since we dont really have a standard setup by department since there tends to be a lot of overlap between groups. The way you do this easily is through the UDI design wizard which helps you create how the setup screen during the imaging process will look and then apply the scripts that get created from this process into your task sequence. I can try and dig through some links I have saved if you have any questions or want some more reading materials. I really like SCCM and am learning quite a bit about it but it can be a slow frustrating piece of software to work with. It sometimes seems so big and unmanageable with all that you can do with it and all the different things you can configure and hook into it.
|
|
#
?
Sep 30, 2014 16:22
|
|
|
NevergirlsOFFICIAL posted:Hey what should I do about these virtual Winxp machines that have to run windows xp for ~legacy~ whatevers? Can I just block WAN access from the firewall for them, is that good enough? We put them on their own VLAN with 802.1 authentication with a cert just for those devices.
|
|
#
?
Sep 30, 2014 16:36
|
|
|
Swink posted:I've got a Surface Pro 3 with Windows 8.1 Pro. What are my options for getting this working with DirectAccess, which requires 8.1 Ent. Nope. You can buy software assurance for your Win8.1 Pro and that will get you Ent, but most orgs deploying 8.1 Ent already have a big Enterprise Agreement anyway. Windows 8.1 Pro + Software Assurance = Windows 8.1 Enterprise access. No way around the software assurance part of it.
|
|
#
?
Sep 30, 2014 16:39
|
|
|
skipdogg posted:Nope. You can buy software assurance for your Win8.1 Pro and that will get you Ent, but most orgs deploying 8.1 Ent already have a big Enterprise Agreement anyway. Windows 8.1 Pro + Software Assurance = Windows 8.1 Enterprise access. No way around the software assurance part of it. The licensing changed early this year, so you can get the Win8.1 Enterprise upgrade without SA. You still have to get it through volume licensing though. The options for Windows volume license now are: 8.1 Pro upg 8.1 Ent upg 8.1 Ent w/ software assurance 8.1 Ent/Software Assurance only There's no more 8.1 pro + software assurance available.
|
|
#
?
Sep 30, 2014 17:19
|
|
|
Is it worth spinning up MBAM for maybe 50-75 laptops? I see that a single server config for MBAM standlone is ok apparently for testing, but not supported as an actual production system, any particular reasoning for that?
|
|
#
?
Oct 1, 2014 00:45
|
|
|
BaseballPCHiker posted:So this is just how I've tackled things with my limited experience with SCCM so take everything with a large grain of salt. We run a lite touch deployment where after the PXE boot you select the computer name and what OU to put the computer in and then you get a drop down list of what software you want to install. This works for our environment since we dont really have a standard setup by department since there tends to be a lot of overlap between groups. The way you do this easily is through the UDI design wizard which helps you create how the setup screen during the imaging process will look and then apply the scripts that get created from this process into your task sequence. I can try and dig through some links I have saved if you have any questions or want some more reading materials. That's what we do today, it works well, but then installation scripts kind of sit in two places and have to be added to both.
|
|
#
?
Oct 1, 2014 01:54
|
|
|
Any tips on migrating from split scope DHCP servers to a single DHCP 2012 Server? It's about time to ditch server 2003, but this configuration has me wondering what the best approach is. About 30,000 leases on any given day, and 2,000 static DHCP reservations (tons of wireless APs) Current Scenario: - 3 DHCP servers running Server 2003, in a split scope configuration - The tech team has been using an Access database to enter MAC address and IP information, then runs a merge.vbs script to apply the new entries to the servers based on split scope End Goal: - 2 DHCP servers on Server 2012, no more split scope, hot-standby configuration (aka active-passive; 1 server is the master and all DHCP data is written to it, the passive server is only there for emergencies) - The team still wants to use the Access database, unless I can create a better method. The DHCP remote admin tool is inferior in their minds, since an Access database can have more info and is easier to use I guess 1. Can I simply export the DHCP data from one of the 2003 servers, and import it into my master Server 2012 DHCP server? I used the powershell server migration tools (smig) and it seemed to work fine... but should I import data from all 3 since it was split scope? 2. Is it crazy to use an access .mdb and a .vbs script these days? I'm considering writing something in powershell that reads the Access db and applies changes to DHCP, similar to the merge.vbs script. I'm open to alternatives though. Lazy option is just update the .vb script with the new server info 3. Any other must-have free tools out there for DHCP? My last job we purchased Men & Mice which was pretty decent, but it didn't seem to offer much beyond the basic DHCP mmc snap-in. It's not a hugely distributed network, only 1 domain in 1 city so I don't think we need anything too high-end. Advice is greatly appreciated, I'm up against people that have been doing things the same way for many years, but now that server 2003 is nearing end of life we can change things for the better. Thanks in advance.
|
|
#
?
Oct 2, 2014 05:23
|
|
|
Just curious how everyone is managing their Adobe CC subscriptions for updates? - Do you have an onsite update server? - Do you just not update it?
|
|
#
?
Oct 2, 2014 12:08
|
|
|
So a coworker asked if I could stand in, and help with a simple task at one of his customers, as he was too busy. I should have said no... Background history: A customer reinstalled a mix of old HP DC5100 and DC7100 to Windows 8 Pro x86 this spring. They both have the same onboard Intel graphics adapter (82915G/GV/910GL Express) which Intel clearly states they haven't made (and don't intend to make) a Windows 7/8 capable driver for, so Windows 8 defaults to the "Microsoft Basic Display adapter", which was OK at the time. 6 months later, complaints starts rolling in about the screen resolution is locked (greyed out) at 1024x768, which I agree is a little low on a 24" monitor. Normally I'd say to bad, nothing I can do. But it turns out about 30% of the machines doesn't have the resolution locked and run 1280x1024 or 1600x1200. I've pulled a report from their inventory and double checked that working and non working machine detect the device with same device ID, they are using the same Microsoft Basic display Adapter driver version. They are on same bios version also. They run a mix of monitors, but again I have working and non working machines with the same monitor. They have all been installed from the same base installation, with the same applications and the same WSUS updates installed afterwards. I checked the registry for any settings or policies relating to locking these settings. I was even on a working machine, that after a reboot stopped working? Some "less old" HP DC7900 had same issue, but that was easily fixed by upgrading to the proper Intel HD Graphics driver. I'll throw in a forum upgrade of your choice, to anyone who points me in the right direction, or maybe explain how Microsoft Basic Display Adapter determines what resolution to use.
|
|
#
?
Oct 2, 2014 13:30
|
|
|
lol internet. posted:Just curious how everyone is managing their Adobe CC subscriptions for updates? We've only installed Adobe CC products for maybe 3-5 people so far so we haven't bothered making packages for it or managing updates related to it. At this point we've been leaving it up to the end-user (if they can get through the firewall to update it.) I've had issues using Adobe's packaging utility for their CC poo poo so watch out for that if you do intend to make SCCM-type packages for CC applications. The issues I've encountered were the installations failing every time when they attempt to install some prerequisites like Microsoft Visual C++ components, etc.
|
|
#
?
Oct 2, 2014 14:44
|
|
|
Malcolm posted:Any tips on migrating from split scope DHCP servers to a single DHCP 2012 Server? It's about time to ditch server 2003, but this configuration has me wondering what the best approach is. About 30,000 leases on any given day, and 2,000 static DHCP reservations (tons of wireless APs) Why aren't you using IPAM? http://technet.microsoft.com/en-us/library/hh831353.aspx
|
|
#
?
Oct 2, 2014 16:50
|
|
|
Kullrock posted:So a coworker asked if I could stand in, and help with a simple task at one of his customers, as he was too busy. I should have said no... I'd guess based on this function calls in website it appears to be using some combination of DirectX capabilities probing + EDID. http://ywjheart.wordpress.com/2014/04/19/modify-microsoft-basic-display-driver-to-get-a-better-resolution/ Might be worth moving some monitors around and seeing if the resolution follows them, if it's EDID? Or maybe see if monitor drives exist that might make the computer happier?
|
|
#
?
Oct 2, 2014 16:52
|
|
|
Kullrock posted:So a coworker asked if I could stand in, and help with a simple task at one of his customers, as he was too busy. I should have said no... Yeah the 5100 and 7100 are machines made in the time of XP, I'm honestly surprised Win8 even took. HP has some Vista drivers for the 7100 but the only thing graphics related is a utility to set the refresh rate. Which might cause the issue if the monitors get set to a refresh rate the video card doesn't like.
|
|
#
?
Oct 2, 2014 22:23
|
|
|
Calol internet. posted:Just curious how everyone is managing their Adobe CC subscriptions for updates? We just don't update it. The licensing thing also doesn't work through our proxy which is a pain. Can you point me towards the update server or packaging resources?
|
|
#
?
Oct 3, 2014 01:33
|
|
|
Swink posted:Ca Like this?
|
|
#
?
Oct 3, 2014 02:27
|
|
|
Gyshall posted:We put them on their own VLAN with 802.1 authentication with a cert just for those devices. thank u
|
|
#
?
Oct 3, 2014 02:47
|
|
|
I had an interesting debate at work on the proper way of replacing a computer but keeping the same computer name in AD. Method 1. After turning off the old computer, delete the account in AD. Join the new computer as a new account. Method 2. Change the old computer to be a workgroup, reboot. Turn off old computer. Join new computer to the domain as a new account. Method 3. Turn off old computer. Reset computer account in AD. Join new computer to domain using the existing computer account. Any thoughts on this? I think there are merits to methods 1 and 3, depending on whether you want to preserve existing Active Directory relationships but 2 sounds like madness. Is it something that used to be done 20 years ago or something?
|
|
#
?
Oct 3, 2014 04:25
|
|
|
Put a bullet in old computer, join new computer with same name. Always worked for me, unless I'm missing something.
|
|
#
?
Oct 3, 2014 04:53
|
|
|
Well, now I'm confused. I think the benefit of resetting the account is that it prevents the old computer from rejoining the domain if it gets plugged back into the network.
|
|
#
?
Oct 3, 2014 06:55
|
|
|
Maneki Neko posted:I'd guess based on this function calls in website it appears to be using some combination of DirectX capabilities probing + EDID. I just tried dumping EDID data from a non working machine with the monitor driver installed. The output says it supports 1440x900 @ 75 Hz. - Less than the Samsung specs says it's supposed to support, but still more than 1024x768. But your wordpress link could be a possible solution/explanation, If the machines have been booted without a monitor connected, MBDD locks locks the resolution. Atleast I think thats what he is trying to say. - That could at least explain why a working machine suddenly locked the setting after a reboot, because I was moving the same monitor between several test machines. I just tried installing the Vista refresh rate tool also. It doesn't work on Windows 8. Worth a shot though, thanks anyway.
|
|
#
?
Oct 3, 2014 08:37
|
|
|
Dr. Arbitrary posted:Well, now I'm confused. It can still re-join the domain. Just format it, then you'll be fine.
|
|
#
?
Oct 3, 2014 13:42
|
|
|
Dr. Arbitrary posted:I had an interesting debate at work on the proper way of replacing a computer but keeping the same computer name in AD. My method which I am sure is slow and dumb is to name the old one blah blah-OLD and restart it, then change the name to what I want on the new machine and then go into AD and delete the -OLD computer.
|
|
#
?
Oct 7, 2014 00:03
|
|
|
We have asset tags on all machines and our PC name is the asset tag. No Joans-PC bullshit.
|
|
#
?
Oct 7, 2014 00:36
|
|
|
What's the point of renaming anything? If you're replacing the old computer, just turn it off, and join the new one as the same name. Is there something I'm missing?
|
|
#
?
Oct 7, 2014 01:00
|
|
|
When Jim in management convinces HR to let his nephew Jimmy play intern for the summer, that workstation has to come from somewhere. Or the replacement PC for when Fran in payroll's workstation spontaneously combusts (nobody fucks with the lady in Payroll, nobody) and needs a replacement before the deadline to put in end of year bonuses, etc which just so happens to be lunchtime. I think what we do is just rename the computer LOCATIONXXADUSERNAME whenever we give it to a user. Makes it really easy to keep track of who's logged in from where, etc in security logs and on network traffic logs. Hadlock fucked around with this message at 01:26 on Oct 7, 2014 |
|
#
?
Oct 7, 2014 01:24
|
|
|
I guess that's not really a concern where I am because when a machine gets replaced by one of the same name, the old one is so old to not be of use and gets chucked in a place nobody would try and get it from. And in places where we do move computers around, they've got names that aren't related to people, so nobody cares if Einstein gets replaced by Eifel.
|
|
#
?
Oct 7, 2014 01:27
|
|
|
I guess the SharePoint thread is archived but what's the best way to setup a simple Corporate Intranet? For example... Would I want to have the whole company under one site collection and have the documents for HR, Sales, etc in separate document libraries, or different sub-sites then break inheritance or just completely different sub-sites or even completely different site collection for each department?
|
|
#
?
Oct 7, 2014 20:47
|
|
|
I want to push out a GPO that creates a VPN that only uses SSTP for the connection. I can create a VPN on an individual computer with no problems.  But when I try to create the VPN GPO, SSTP isn't an option.  Is there anything I can do? We've got Windows 7 Professional clients and Windows Server 2012 servers.
|
|
#
?
Oct 8, 2014 13:42
|
|
|
Try using Connection Manager Administration Kit, it is a feature in Windows server.
|
|
#
?
Oct 8, 2014 15:05
|
|
|
Any suggestions for laptop encryption AND remote wipe (for healthcare if that matters in particular). I'd normally go down the bitlocker route for encryption, but management at this customer has a super hatred of bitlocker based on some bad past experiences.
|
|
#
?
Oct 8, 2014 18:34
|
|
|
Maneki Neko posted:Any suggestions for laptop encryption AND remote wipe (for healthcare if that matters in particular). I'd normally go down the bitlocker route for encryption, but management at this customer has a super hatred of bitlocker based on some bad past experiences. I've heard some OK things about Symantec's PGP whole disk software. But it's Symantec so....
|
|
#
?
Oct 8, 2014 18:38
|
|
|
BaseballPCHiker posted:I've heard some OK things about Symantec's PGP whole disk software. But it's Symantec so.... My last workplace used this and it was Russian Roulette on whether your laptop booted after about 3 months or so.
|
|
#
?
Oct 8, 2014 19:01
|
|
|
Maneki Neko posted:Any suggestions for laptop encryption AND remote wipe (for healthcare if that matters in particular). I'd normally go down the bitlocker route for encryption, but management at this customer has a super hatred of bitlocker based on some bad past experiences. ESET has a product called "DesLock" I think.
|
|
#
?
Oct 8, 2014 19:25
|
|
|
|
| # ? May 31, 2024 20:48 |
|
|
Maneki Neko posted:Any suggestions for laptop encryption AND remote wipe (for healthcare if that matters in particular). I'd normally go down the bitlocker route for encryption, but management at this customer has a super hatred of bitlocker based on some bad past experiences. Not what you want to hear, but Bitlocker. Its integration into Windows and the ability to manage it via GPO, etc. make it a reasonable choice. I'm sure there are other products that offer templates for GPO, etc. but I don't know what they are.
|
|
#
?
Oct 9, 2014 04:35
|
|