alanthecat
Dec 19, 2005

When you add the new msi to the existing GPO, it's recognised as newer and will install. If you go into properties of the msi file, there's a signature timestamp from Adobe. I guess it's using this.


alanthecat
Dec 19, 2005

I've messed up somewhere on the permissions for a new Folder Redirection GPO.

Users can create files but can't open them ("Access Denied"). Traversing folders is fine. The folders are being redirected to a DFS share and users can create, and read/write files elsewhere on the share. Inside the "profiles" folder, users can list/traverse folders to get to their own. But get Access Denied when opening their own files.

E.g., on Desktop, I've changed owner to Administrators, given Full Control to Administrators and the user, then given ownership back to the user (applying to subfolders/files). "Include inheritable permissions from this object's parent" is not selected.

I don't know where I copied the "do it this way" list of permissions, but I'm worried this is going to be a big Xcacls scripting job to remove everything that's there and give the correct permissions to already created folders (that have "grant users exclusive rights..." on them).

I spent a few hours at this today. What am I missing?!

edit: I've noticed that I can access everything fine if I go \\server1\profiles\me\desktop (or \\server2) but get Access Denied when going through \\dfs\profiles.

edit2: Access Denied on \\dfs\profiles... when in Windows 7, but not on 2k8r2. Administrator account.

edit3: This is something to do with offline-files. If I browse to a folder in a network share, I can access the files fine, if I hit "make available offline", files in that folder start to give Access Denied.

alanthecat fucked around with this message at 15:05 on Jan 11, 2012
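The per-folder permission check the post above is worried about having to script, as an added PowerShell example (not the poster's code): it audits each redirected-profile folder under the share against the pattern described in the post (owner is the user, explicit Full Control for the user and Administrators, inheritance from the parent disabled) and reports only the folders that deviate, so ACL problems can be separated from the offline-files cause found in edit3. The share path is a placeholder and folder names are assumed to equal sAMAccountNames.

```powershell
# Added example, not from the thread. Assumptions: $ProfileRoot is a placeholder
# share path; each top-level folder is named after the user's sAMAccountName.
param(
    [string]$ProfileRoot = '\\server1\profiles',   # placeholder, adjust to your share
    [string]$Domain      = $env:USERDOMAIN
)

function Test-RedirectedFolderAcl {
    param([System.IO.DirectoryInfo]$Folder, [string]$Domain)

    $acl  = Get-Acl -LiteralPath $Folder.FullName
    $user = "$Domain\$($Folder.Name)"
    $fc   = [System.Security.AccessControl.FileSystemRights]::FullControl

    # Does an explicit (non-inherited) Allow rule grant Full Control to $identity?
    $hasFull = {
        param($identity)
        $acl.Access | Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $identity -and
            ($_.FileSystemRights -band $fc) -eq $fc
        }
    }

    [pscustomobject]@{
        Folder             = $Folder.FullName
        Owner              = $acl.Owner
        OwnerIsUser        = ($acl.Owner -eq $user)
        UserFullControl    = [bool](& $hasFull $user)
        AdminsFullControl  = [bool](& $hasFull 'BUILTIN\Administrators')
        InheritanceBlocked = $acl.AreAccessRulesProtected
    }
}

# Report only folders that do not match the expected pattern.
Get-ChildItem -LiteralPath $ProfileRoot -Directory |
    ForEach-Object { Test-RedirectedFolderAcl -Folder $_ -Domain $Domain } |
    Where-Object {
        -not ($_.OwnerIsUser -and $_.UserFullControl -and
              $_.AdminsFullControl -and $_.InheritanceBlocked)
    } |
    Format-Table -AutoSize
```

Run it against the server path first and then the DFS path; identical output from both points away from NTFS permissions and toward the offline-files behaviour noted in edit3.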

alanthecat
Dec 19, 2005

quote:

Now go to User Configuration\Policies\Network\Offline Files and configure things as you see fit.

No. Turning on encryption for offline-files means dealing with certificates. I didn't know this and had two domains configured with encryption and suddenly people couldn't access their files because something or other had expired. Not encrypting offline files fixed it and I never looked into it again.

And redirecting AppData sucks.

alanthecat
Dec 19, 2005

I just got event collecting/forwarded events working (mostly). I also, today, deployed some software. The forwarded events log is full of events like:

The Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon.

Is there anything I can do to stop these from appearing? I'm worried about filtering them out or I'll miss warnings that aren't related to logged in users.

alanthecat
Dec 19, 2005

wolrah posted:

I know you're not supposed to do it for a variety of reasons, but habits are hard to break and I set the DNS name to companyname.local rather than something like ad.companyname.com.

2. How much pain is changing a domain's DNS name? I see it's possible, but if it is important the question would be try to change or tear down/rebuild? All that's currently bound is two 2012 servers, a Win8 laptop, and five XP desktops. Everything else only interacts with the domain loosely for DHCP/DNS for now.

You can rename it easily enough if you've another server. Quite possibly, you can install Server in a VM on another machine, use it for the renaming and then delete it, all before needing to activate Windows. I've renamed twice and both times everything went smoothly.

Also, I never bother with the ad. part. I just use companyname.com and I've never had issues. I've just had to add a www cname in DNS. That said, I don't exactly manage complex environments. It's nice when the login is reallylongusername@companyname.com for both AD and Gmail.

alanthecat
Dec 19, 2005

I don't know of any way to get back from where you are, but Advanced Group Policy Management for Software Assurance/Enterprise customers might apply for the future.

I want to know: is there a way other than scripts to apply drive maps in computer configuration? I know I could use preferences with loopback processing but I'm trying to move as many GPOs to computer configuration so login times will speed up.

alanthecat
Dec 19, 2005

Sounder posted:

...afterward all of the workstations decided that the Assigned Applications in the GPO needed to be re-applied.

And shouldn't MSIs just not reinstall if there's no need for a repair? I think I changed some to DFS recently and they reinstalled, though I'm not 100% sure on that.

I've a GPO applying a scheduled task to desktops asking them to wake for a "gpupdate /force" and a "shutdown /r" outside opening hours for software installs. I've seen it work before but it's definitely not worked properly recently. Probably an ACPI setting where some users shut down and others sleep.

alanthecat
Dec 19, 2005

crap post.

alanthecat fucked around with this message at 23:19 on Aug 7, 2013

alanthecat
Dec 19, 2005

FISHMANPET posted:

I'm applying the login script to a set of computers, not the users, so I need to loopback.

Yeah, I thought a little more. I was imagining the GPO on a user OU, with the WMI for Windows 7 and item targeting on the group. Your way looks to be neater.

Someone says: Computer Configuration / Windows Settings / Security Settings / Local Policy User Rights Assignment to set Deny logon locally for this account. I can't test it, but it's in response to Deny Interactive Logon not suiting.

alanthecat fucked around with this message at 23:25 on Aug 7, 2013

alanthecat
Dec 19, 2005

Yaos posted:

What sucks is doing best practices for everything except you have to do local admin for a lovely program that requires admin to run and requires UAC to be off. So close. :(

Funny story, we found a ton of people on a domain we already have setup (most of the organization is on eDirectory, with one small part on AD) with domain admin for no good reason. No wait, I lied, it's because a company somehow managed to make a program that requires domain admin to run it. I have no idea how they managed to screw it up that badly, but they did it.

I haven't used it yet, but there's a workaround involving a shortcut to a scheduled task that might help you out there. I might be using it myself this week.

alanthecat
Dec 19, 2005

Orcs and Ostriches posted:

While we're on printer deployment, we currently deploy printers through group policy preferences. However, most of our computers are shared (student) machines, so have dozens, if not more, profiles. Works fine, except during initial log in when the system downloads and installs the printer drivers. This is done over a moderately slow WAN link, plus the computers themselves are pieces of poo poo.

Since each student gets the same shared printers, we thought that the very first install should get the drivers stored and installed somewhere. It takes 5 minutes sometimes, but whatever, it's the initial install. But instead, what we see is every single person downloads and installs the drivers during logon, for the same identical printer each time, meaning logon times suck poo poo. During subsequent logons, it's a very brief process.

Anyone know how to deal with this?

You could set up shared printers on the server and deploy them to the computers but with the security settings as 'deny' to all the students. This should install the printers w/ drivers as the computer boots (I'm assuming) but then once a student logs in they'll be hidden. Then if your GPP printers are pointed directly to the printer or are pointed to a different shared printer (which could just be pointed to the same eventual printer) then they should work normally.


alanthecat
Dec 19, 2005

People (in this and the Enterprise thread) say don't use the same ad domain name as your real one, but I've never understood why. I use company.tld and the only change I've had to make is a DNS entry for www so the website can be accessed internally. Admittedly, the networks I've run have been nice and straightforward. I've done two successful domain renames too. Read the docs, reboot everything twice was the gist.
