We're officially migrating our organization from W7 to W10 this year. Are there any good guides/books out there that cover common pitfalls, W10 GPOs probably worth turning on, other stuff to keep an eye out for during a migration?

# Jan 9, 2019 20:01
|
I've heard that best practice for GPOs is to have each GPO only do one thing. If we're going to have lots of things we'll want to do via GPO, what's the best way to avoid having a dozen or two GPOs per OU? Can you nest GPOs like you can security groups, so you can apply Policy1, Policy2, etc. to a SiteA GPO applied to the SiteA OU to avoid it becoming a mess, while still being maintainable?

# Jul 12, 2019 22:50
|
> skipdogg posted: So this is a balancing act. Worth mentioning is a lot of Microsoft "Best Practices" were written 15 to 20 years ago, when slow WAN links, slow LAN links, and slow computers were the norm. Many of the issues their best practices seek to avoid are overcome easily with today's modern WAN/LAN links and fast workstations. I don't recall many recent discussions about Group Policy processing slowing down computer logons to the point where users complain. It's just not much of a thing anymore (but it can be if things aren't designed properly).

Windows 10 migration is coming up, and since we're gonna be reimaging most of the computers in our organization, this is a terrific opportunity to automate a lot of stuff we've been doing manually (public desktop shortcuts, software installs, printer mapping, etc.) and keep things more standardized as changes happen. I want to make sure that whatever I put together is not only relatively easy to maintain, but understandable by someone who's never seen our AD/GPO structure before.

My biggest immediate concern is I don't want to end up with oodles of unsorted policy objects that are difficult to sort through, but I also don't want to eventually task someone with digging through all the settings in a policy to figure out what the hell else it seems to be responsible for doing. I really want to learn AD PowerShell, but at least for the immediate future, I'll still need to be able to manage everything via the GUI until I have a better PS understanding and my boss is more comfortable with me using PS for more than queries.

Considering that, is there either a good method of documenting and tracking what each GPO does, or quickly displaying everything in a policy that's not a default setting? The latter would be especially useful, to help me better understand how our prod GPOs are currently set up, as opposed to building what I'd like to do in our test network and hoping for minimal conflict.

klosterdev fucked around with this message at 00:13 on Jul 13, 2019

# Jul 13, 2019 00:11
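
One way to get the "only what's actually configured, and where it's linked" view the post above asks for, as an added example rather than anything posted in the thread: the XML report from `Get-GPOReport` omits every setting that is still at its default, so parsing it gives a one-row-per-GPO inventory without opening each policy in the editor. It assumes the RSAT GroupPolicy module and a domain-joined session; the function name and the CSV path are my own.

```powershell
# Added example (not code from the thread): inventory every GPO in the domain,
# showing only what is actually configured and where it is linked.
# Assumes the RSAT GroupPolicy module and a domain-joined session.
Import-Module GroupPolicy

function Get-GpoSummary {
    param(
        [string]$NameLike = '*'   # e.g. 'Drive Maps*' to limit the inventory
    )
    foreach ($gpo in Get-GPO -All | Where-Object DisplayName -like $NameLike) {
        # The XML report lists only settings that have been configured;
        # anything left at its default never appears in it, so this is the
        # "everything that's not default" view without opening the editor.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

        # Each client-side extension with settings (Registry = admin templates,
        # Drive Maps, Security, Scripts, ...) is an ExtensionData node.
        $computerExt = @($report.GPO.Computer.ExtensionData.Name | Where-Object { $_ })
        $userExt     = @($report.GPO.User.ExtensionData.Name     | Where-Object { $_ })

        # Administrative-template policies carry a readable Name; preference
        # items (drive maps, registry prefs) use different elements and are
        # only reflected in the extension list above.
        $policyNames = @(
            $report.SelectNodes('//*[local-name()="Policy"]/*[local-name()="Name"]') |
                ForEach-Object { $_.InnerText }
        )

        [pscustomobject]@{
            Name               = $gpo.DisplayName
            Status             = $gpo.GpoStatus     # AllSettingsEnabled, UserSettingsDisabled, ...
            Modified           = $gpo.ModificationTime
            LinkedTo           = (@($report.GPO.LinksTo.SOMPath) -join '; ')
            ComputerExtensions = ($computerExt -join ', ')
            UserExtensions     = ($userExt -join ', ')
            Policies           = ($policyNames -join ', ')
        }
    }
}

# Usage: one row per GPO, ready to drop into a wiki page or a CSV.
# Get-GpoSummary | Sort-Object Name | Export-Csv -NoTypeInformation .\gpo-inventory.csv
```

The `LinkedTo` column is the quick sanity check for the "is this thing even in use" question, and a GPO whose `Policies` list is empty but whose extension list is not is usually a preferences-only policy (drive maps, registry preferences), which the report counts but does not name.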
|
Thanks for the GPO recommendations! Currently putting together what I'd like to do in the test network; some of it became waaay simpler when I learned about item-level targeting (can do stuff cleanly like having all our drive mapping by security group in the same GPO). Feels like my head's gonna pop, but I'm learning a lot, and it's starting to come together!

# Jul 18, 2019 04:50
|
> buffbus posted: ILT is great. There are a handful of things I do with a registry preference using ILT and “remove when no longer applied” instead of admin templates so I can manage exceptions without tons of extra GPOs. A good place to find how to convert those is https://getadmx.com

Thanks, been keeping that in mind! Did my first prod GPO deployment yesterday after making some child OUs to organize computer objects, just laptop + desktop power settings and an inactivity screen timeout, but goddamn does it feel good to make it happen.

# Jul 20, 2019 19:06
|
Are there any restrictions to applying security groups to computer objects? Trying to prevent write access to a network share on a specific computer that has to stay logged in by someone who has Modify access to that share.

- $Folder has Read and Execute / Modify security groups
- Created additional security group called $FolderNoWrite
- Set NTFS permissions on share to explicit deny Write to $FolderNoWrite
- Made $Computer member of $FolderNoWrite
- Gpupdate, logged out and in
- User was still able to make a text file on the share.

Recreated in test network; still did not work when applied deny group to computer object, but did work when applied to the user object.

# Aug 1, 2019 21:31
|
Useful to know, thanks! Came up with a better solution. Created a separate user account that only has read-only access to the required share (info from the share is displayed on a TV) and restricted its login to only that computer.
|
# Aug 1, 2019 22:08
|
> FISHMANPET posted: I once had someone ask me to find an NTP client they could pay for.

There just might be a market for a company that offers paid/re-branded versions of non-problematic open/free standards and software. A support contract for software like PuTTY would straight-up print money.

# Sep 4, 2019 05:20
|
> lol internet. posted: So is it safe to say then everyone is creating new users on prem and migrating to them?

Create user in AD, let propagate, use Enable-RemoteMailbox on the on-prem, assign O365 licenses. Probably something similar for already-existing users during the migration itself, minus creating them.

# Sep 6, 2019 04:34
|
> kiwid posted: I was thinking of maybe cleaning this up. Any tools out there to help with this?

You can use PowerShell to query AD to spit out various useful bits of information about your objects if you can think of anything you want out of your AD (e.g. computer objects that haven't authenticated against AD in a year).

Most important thing you can probably do when cleaning up your AD is planning before you do it, and making sure what you're going to do will be consistent now, and maintainable from hereon out. Identify bad practices in what you do now (e.g. granting everyone write/full control to a share with a single security group that's grown significantly in scope, or adding users to a share instead of using groups at all) and figure out how you can improve it to no longer be terrible (create read/write security groups, or for shares with broad purposes, create some folders with disabled inheritance in the share and apply separate read/write security groups to those folders). Or create nested groups that apply to the employee's job function!

Additionally, remember Chesterton's fence. There might be a stupid hacky reason something nonsensical exists you won't learn the purpose of until it's gone.

# Sep 7, 2019 03:48
|
> kiwid posted: Is there a way to enforce a GPP?

Which settings did you configure? My (everyone's) ability to change the power options and power plan are greyed out from the GPOs I set.

# Sep 13, 2019 21:56
|
Tell me all about your preferences for solving problems the cheap way instead of the right way
|
# Sep 14, 2019 05:39
|
Microsoft project managers are you okay
|
# Oct 11, 2019 01:36
|
What's a good way to assign GPO policies to users when item level filtering isn't an option? We decided to shut off Word/Excel/PowerPoint macros via GPO after a malicious .docm made it through our filters, but there are a few users who need to use Excel Macros from an outside organization to do their job, so we want to make Excel macros enabled for a few specific users. My understanding is that you used to be able to use Security Filtering, but at some point MS decided that should apply to computer objects but not user objects. Ideally, I'd like to apply an explicit Excel macro-allowed GPO further down the AD tree (so it takes precedence), that applies only to users in a specific security group, but I'm unsure if that is still doable. What's the best way to have certain GPOs only apply to certain users without separating them by OU?
|
# Oct 25, 2019 16:17
|
> AreWeDrunkYet posted: The computer account needs to have read rights now, but you can still do security filtering by setting read/apply delegation to a group of users and just plain read to authenticated users. Assuming this is a user-side policy.

Awesome, thanks!

# Oct 26, 2019 03:20
|
this opinion is brought to you by lastpass ask us about our corporate discounts
|
# Nov 9, 2019 06:49
|
> cage-free egghead posted: We do have network shares for each user, would that be the best way to do that? I'd love if there was a way to automate this because I have a dozen PCs like this to do.

If you've got AD, a longer-term solution would be to set up security groups for all major shares, configure automapping in group policy management, and use item-level targeting to only have it map for users in those security groups. We've gotten so many fewer calls asking to map $Drive since I set it up, and it's another thing we have to think less about during our migration. New or existing user needs access to $Drive? Add them to the applicable security group and forget about it.

# Nov 14, 2019 04:14
|
> Digital_Jesus posted: Please no. Just make a separate clearly labeled mapping policy per security group.

Is there a good way to organize group policy objects? Recently learned how to filter GPOs by security group, but my next concern about going full-ham one-GPO-does-one-thing is organizing everything without an obnoxiously long list to sort through each time I need to apply something. Obvs a good naming convention is important, but ideally I'd like a way to compartmentalize by category or something that makes it easier to sort through.

# Nov 15, 2019 04:35
|
> Digital_Jesus posted: Not really. The list sorts alphabetically so a good naming scheme helps. 1:1 GPO to thing isn't really necessary, you can combine things that are similar to save space if you do it intelligently.

Thanks! Been doing my best to create and organize our GPOs/security grouping by category in a way that would feel fairly intuitive for anybody who may inherit what I'm putting together down the line. Right now I've put together a Drive Maps GPO using item-level targeting for read/write security groups, but my long-term plan to get and keep file access/mapping clean and organized is:

- Each $Site has one primary share, with a security group that can grant users Read+Execute
- In the share are several inheritance-disabled folders, each for a program the site is responsible for, with their own Read/Write security groups
- Each of the above security groups is a member of the security group that grants Read+Execute to the root of that site's share
- Drive mapping GPO has one entry per $Site, with item-level targeting allowing for anyone in the root Read+Execute group
- If a user needs access to any of $Site's folders, they're added to the relevant security group for that folder, which also adds them to the Read+Execute root group, causing the root drive for $Site to automap

In the even longer term, I'm going to create security groups for common types of employees and use nested grouping to grant them the minimum-level access that those employee types need. Still need to test all this, once we've got our W10 and '08R2 migrations complete. Really excited about tackling this, and it should keep the auto-mapping list fairly short and consistent.

# Nov 16, 2019 18:02
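
The share layout in the post above, built for one site as an added example (this is not code from the thread): a root group that gets Read+Execute on the share root only, a Read and a Modify group per program folder with inheritance broken, and the folder groups nested into the root group so that adding someone to a folder group is enough to make the site drive automap. The group names, the OU DN, the server and share names, and the function name are all constructed placeholders; it assumes the RSAT ActiveDirectory module, rights to create groups in that OU, and that the share folder already exists.

```powershell
# Added example (not code from the thread): builds the per-site share layout
# described in the post for one site. Names, OU and paths are placeholders.
# Assumes the RSAT ActiveDirectory module, rights to create groups in $GroupOU,
# and that $SharePath already exists and is shared.
Import-Module ActiveDirectory

function New-SiteShareLayout {
    param(
        [Parameter(Mandatory)][string]$Site,       # e.g. 'HQ'
        [Parameter(Mandatory)][string]$SharePath,  # e.g. '\\fs01\HQ$'
        [Parameter(Mandatory)][string[]]$Programs, # one subfolder per program
        [string]$GroupOU = 'OU=FileShareGroups,DC=corp,DC=example'  # placeholder DN
    )
    $inherit = 'ContainerInherit,ObjectInherit'
    $admins  = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
    $system  = [System.Security.Principal.NTAccount]'NT AUTHORITY\SYSTEM'

    # Root group: Read+Execute on the share root only (this folder, not
    # subfolders), so the drive map can target it and users can browse the root.
    $root = New-ADGroup -Name "FS-$Site-Root-RX" -GroupScope DomainLocal -Path $GroupOU -PassThru
    $acl  = Get-Acl -Path $SharePath
    # ACEs are written by SID so the file server does not have to resolve a
    # group name that may not have replicated to its DC yet.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $root.SID, 'ReadAndExecute', 'None', 'None', 'Allow')))
    Set-Acl -Path $SharePath -AclObject $acl

    foreach ($prog in $Programs) {
        $folder = Join-Path $SharePath $prog
        if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

        $r  = New-ADGroup -Name "FS-$Site-$prog-R"  -GroupScope DomainLocal -Path $GroupOU -PassThru
        $rw = New-ADGroup -Name "FS-$Site-$prog-RW" -GroupScope DomainLocal -Path $GroupOU -PassThru
        # Nesting: membership in a folder group implies membership in the root
        # group, which is what makes the site drive automap for that user.
        Add-ADGroupMember -Identity $root -Members $r, $rw

        # Break inheritance, discard the inherited ACEs, and grant only the
        # folder groups plus admins/SYSTEM. Users in neither group cannot enter.
        $facl = Get-Acl -Path $folder
        $facl.SetAccessRuleProtection($true, $false)
        foreach ($entry in @(
                @{ Id = $r.SID;  Rights = 'ReadAndExecute' },
                @{ Id = $rw.SID; Rights = 'Modify' },
                @{ Id = $admins; Rights = 'FullControl' },
                @{ Id = $system; Rights = 'FullControl' })) {
            $facl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
                $entry.Id, $entry.Rights, $inherit, 'None', 'Allow')))
        }
        Set-Acl -Path $folder -AclObject $facl
    }
    return $root.Name
}

# Usage (constructed values):
# New-SiteShareLayout -Site 'HQ' -SharePath '\\fs01\HQ$' -Programs 'Payroll', 'GIS'
```

Two things the script deliberately leaves to GPMC and the file server: the Drive Maps preference item still has to be created in the GPO with item-level targeting on the root group (there is no cmdlet for preference items), and the SMB share permission itself has to allow the users through (NTFS is the effective control here, so a broad share permission such as Authenticated Users: Change is the usual pairing).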
|
Now that W7 is mostly migrated, I need a way to get any remaining W7 laptops on the domain out of the woodwork. What's a GPO I could hit W7 systems with that would cause a situation that would be annoying enough that the users will have to give us a call, but is remotely reversible (so no breaking the NIC) once I can get their info down and a promise to bring their laptops to HQ?
|
# Jan 19, 2020 06:21
|
> skipdogg posted: Wouldn't it be easier to just run an AD report on your win7 computers, or is tracking down who has them the issue?

> Wizard of the Deep posted: Yeah, you should just be reviewing AD, and making people get new equipment.

I'm fairly sure there are several laptops that are sitting in random employee drawers that they were assigned before we had any inventory control system that only ever get used once in a blue moon. Gonna do a review of recently authenticated W7 systems soon once we're sure all W7 systems we can find are out, but I can't just go by all W7 objects themselves because nobody used to delete the computer objects when they were decommed. So if I can just make something obnoxious happen that teeechnically doesn't prevent them from working when they authenticate a few months from now, it's another thing I won't have to think about until they call.

# Jan 19, 2020 18:46
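
The AD report suggested in the quotes above, and the "computer objects that haven't authenticated in a year" cleanup query from the earlier AD-cleanup reply, as one added example (not code from the thread): it lists Windows 7 computer objects with their last authentication so the never-deleted leftovers can be told apart from laptops that still check in, and quarantines the stale ones by disabling and moving them rather than deleting, which keeps the Chesterton's fence option open. It assumes the RSAT ActiveDirectory module; the quarantine OU DN and the function names are placeholders.

```powershell
# Added example (not code from the thread): report Windows 7 computer objects
# with last-authentication data, then quarantine stale ones instead of
# deleting them. Assumes the RSAT ActiveDirectory module; the OU is a placeholder.
Import-Module ActiveDirectory

function Get-LegacyComputerReport {
    param(
        [string]$OsPattern = 'Windows 7*',
        [int]$StaleDays = 365
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    # LastLogonDate comes from lastLogonTimestamp, which replicates between DCs
    # but is only refreshed when more than ~14 days old, so treat it as +/- 2 weeks.
    Get-ADComputer -Filter "OperatingSystem -like '$OsPattern'" `
        -Properties OperatingSystem, LastLogonDate, whenCreated |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.Name
                OS        = $_.OperatingSystem
                Enabled   = $_.Enabled
                Created   = $_.whenCreated
                LastLogon = $_.LastLogonDate
                Status    = $(if (-not $_.LastLogonDate) { 'never-seen' }
                              elseif ($_.LastLogonDate -lt $cutoff) { 'stale' }
                              else { 'active' })
                DN        = $_.DistinguishedName
            }
        } | Sort-Object Status, LastLogon
}

function Move-StaleComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Entry,   # a row from Get-LegacyComputerReport
        [string]$QuarantineOU = 'OU=Decommissioned,DC=corp,DC=example'  # placeholder DN
    )
    process {
        if ($Entry.Status -ne 'stale') { return }
        if ($PSCmdlet.ShouldProcess($Entry.Name, "disable and move to $QuarantineOU")) {
            # Leave a breadcrumb, disable, then move (the DN changes on move,
            # so the move goes last). Nothing is deleted; the object can be
            # re-enabled if someone turns up with the laptop.
            Set-ADComputer -Identity $Entry.DN -Description "Disabled $(Get-Date -Format yyyy-MM-dd): $($Entry.OS), last logon $($Entry.LastLogon)"
            Disable-ADAccount -Identity $Entry.DN
            Move-ADObject -Identity $Entry.DN -TargetPath $QuarantineOU
        }
    }
}

# Usage:
# Get-LegacyComputerReport | Export-Csv -NoTypeInformation .\win7-computers.csv
# Get-LegacyComputerReport | Move-StaleComputer -WhatIf     # dry run first
```

The `active` rows are the laptops in drawers that still authenticate now and then; those are the ones worth chasing, and the `LastLogon` column tells you how recently each one was on the network.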
|
Any good recommended processes/resources to learn more about ticket auditing? Looking to improve our process and avoid (usually complicated) tickets falling through the cracks and sitting in purgatory, often caused by failure to escalate.
|
# Feb 12, 2020 02:17
|
We've had good experience with Sophos, at least compared to moving away from the disaster that is SEP
|
# Feb 21, 2020 16:54
|
Create a security group for the exceptions, add the exceptions to the security group, then go into the delegation tab for the GPO and click "Advanced". Add the exception security group, allow "Read", deny "Apply group policy". Make sure it's computers in the security group if you're going computer policy instead of user policy.

# Mar 10, 2020 15:25
|
> Moey posted: This is similar to what I do when I get forced to do dumb poo poo like this on selective machines/accounts randomly across our domain. Security Filtering is your friend. It's stupid-useful.

The other important security filtering method is to only have it apply to people/computers in the security group. Go into the delegation tab for the GPO and click "Advanced". Add the security group you want the GPO to affect, allow "Read" and allow "Apply group policy", then untick (but don't deny) "Apply group policy" on Authenticated Users, but keep Read (if you remove Read or Authenticated Users, the GPO will fail to apply). Remember that the policy still has to be linked to a relevant OU. Once you have both those down, it's incredible how much flexibility you have with setting policies as opposed to making a mess of OUs.

# Mar 12, 2020 04:41
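
The "apply only to this group" filtering from the post above, plus the "Authenticated Users keeps Read" point from the earlier security-filtering reply, done with the GroupPolicy module instead of the delegation tab, as an added example (not code from the thread). It assumes the RSAT GroupPolicy module; the GPO and group names in the usage line are constructed, and the function name is mine.

```powershell
# Added example (not code from the thread): security-filter a GPO to one group
# with the GroupPolicy module, then verify the ACL and the links.
# Assumes the RSAT GroupPolicy module; GPO and group names are constructed.
Import-Module GroupPolicy

function Set-GpoSecurityFilter {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$ApplyToGroup
    )
    # 1. The target group gets Read + Apply Group Policy.
    Set-GPPermission -Name $GpoName -TargetName $ApplyToGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # 2. Authenticated Users keeps Read but loses Apply. -Replace swaps the
    #    existing GpoApply entry for GpoRead instead of adding a second ACE.
    #    Do not remove Read: since MS16-072 (June 2016) the computer account
    #    reads user-side GPOs, and without Read the GPO silently stops applying.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # 3. Verify the resulting ACL and whether the GPO is linked anywhere at all;
    #    a perfectly filtered GPO that is linked nowhere does nothing.
    $perms = Get-GPPermission -Name $GpoName -All
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    [pscustomobject]@{
        Gpo      = $GpoName
        ApplyTo  = @($perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
                        ForEach-Object { $_.Trustee.Name }) -join ', '
        ReadOnly = @($perms | Where-Object { $_.Permission -eq 'GpoRead' } |
                        ForEach-Object { $_.Trustee.Name }) -join ', '
        LinkedTo = @($report.GPO.LinksTo.SOMPath) -join '; '
    }
}

# Usage (constructed names): a user-side GPO that re-enables Excel macros for
# one group, linked below the broader "macros off" policy so it wins.
# Set-GpoSecurityFilter -GpoName 'User - Office - Excel Macros Allowed' `
#                       -ApplyToGroup 'GP-ExcelMacroAllowed'
```

The exception variant from the earlier post (allow Read, deny Apply Group Policy for an exceptions group) is not something `Set-GPPermission` can express, since it only writes allow entries; that one still goes through the delegation tab's Advanced dialog as described there. After either change, `gpresult /r` on a test account in and out of the group is the quickest confirmation that the filter behaves.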
|
# Mar 27, 2020 23:18
|
Don't have to worry about KMS if your enterprise is so behind the curve that you still use MAK.

# Apr 10, 2020 00:07
|
Are you talking about when you grant yourself access to a folder? Folders are set to inherit permissions from the folder's parent (unless you've explicitly disabled inheritance on a particular folder).

# Jun 19, 2020 14:56
|
Imo it's a bad idea to use mail-enabled security groups because even though the list of names for the distribution list and file share overlap perfectly now, they may not later. Part of my AD cleanup before everything blew up required decoupling some of those into two separate groups because needs change over time.
|
# Sep 29, 2020 20:36
|
I know what number I'm forwarding unsolicited vendors to from hereon out
|
# Sep 30, 2020 17:03
|
You can still have a mail hygiene appliance between O365 and the outside world without having to have the device on-prem, you just need to move to a virtualized cloud appliance.
|
# Sep 30, 2020 17:45
|
Dameware didn't impress me. I mean, it worrrrked, but my experience was it felt fairly limited, but idk how it was actually set up or if it was set up correctly. When we moved to Bomgar it was fantastic, and you can do so many things with it, but it's expensive af and ever since they were bought by BeyondTrust their support has been sub-trash. Software is still pretty great tho.

# Oct 20, 2020 21:51
|
Yeah the worst part about Dameware is that we could only access systems on our network. Relying on users to be able to connect to a VPN isn't reliable at all. If Dameware can do that now it wouldn't be greaaaat, but it would solve the worst problem about it.
|
# Oct 20, 2020 22:04
|
I saw something like that on a 20H2 system I set up the other day, but didn't have time to look at the cause. Did you make sure your ADMX/ADML files are updated for 20H2?
|
# Feb 24, 2021 00:51
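
A way to answer the "are your ADMX/ADML files updated" question from the post above without eyeballing two folders, as an added example (not code from the thread): compare the domain's central store in SYSVOL against the PolicyDefinitions folder of a machine that already has the newer templates and report what is missing or older, copying only when asked. It assumes a domain-joined session with rights to write to SYSVOL; the function name is mine, and the last-write-time comparison is a heuristic, since the authoritative source for templates is Microsoft's downloadable template pack for the release.

```powershell
# Added example (not code from the thread): compare the Group Policy central
# store with a machine's PolicyDefinitions folder and report ADMX/ADML files
# that are missing or older in the store. Nothing is copied unless -Update is
# given. Assumes a domain-joined session with rights to write to SYSVOL.
function Sync-AdmxCentralStore {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Source = "$env:windir\PolicyDefinitions",
        [string]$Domain = $env:USERDNSDOMAIN,
        [switch]$Update
    )
    $store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    if (-not (Test-Path $store)) { throw "No central store at $store" }
    $Source = (Get-Item $Source).FullName.TrimEnd('\')

    # .admx files sit at the top level; .adml language files one level down
    # (en-US etc.). Both must come from the same template release, or the
    # editor complains about definitions it cannot match to strings.
    foreach ($f in Get-ChildItem -Path $Source -Recurse -Include *.admx, *.adml -File) {
        $rel  = $f.FullName.Substring($Source.Length).TrimStart('\')
        $dest = Join-Path $store $rel
        $state = if (-not (Test-Path $dest)) { 'missing' }
                 elseif ((Get-Item $dest).LastWriteTimeUtc -lt $f.LastWriteTimeUtc) { 'older' }
                 else { 'current' }

        if ($state -ne 'current' -and $Update -and
            $PSCmdlet.ShouldProcess($dest, "copy from $($f.FullName)")) {
            New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
            Copy-Item -Path $f.FullName -Destination $dest -Force
        }
        [pscustomobject]@{ File = $rel; State = $state; SourceDate = $f.LastWriteTimeUtc }
    }
}

# Usage: review first, then push.
# Sync-AdmxCentralStore | Where-Object State -ne 'current'
# Sync-AdmxCentralStore -Update -WhatIf
```

Because every GPMC console in the domain reads the central store, a half-updated store (new ADMX, old ADML, or the other way round) breaks the editor for everyone, so the `-WhatIf` pass before `-Update` is worth the extra minute.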
|
Probably dumb question: a quick Google search says MAB operates at layer 2, and seems to affect layers 2-3/4 in some capacity (depending on what they mean by port). If it's an authentication issue, wouldn't that be a completely separate issue at the application level?

# Feb 27, 2021 01:17
|
I'm still feeling optimistic because MS decided to publicly announce they're changing their AAD SLA from 99.9% to 99.99% after the last major AAD outage. And another major outage, and not just any outage but specifically an AAD major outage that took everything else down with it, is going to cause a lot of hell to be raised. They can't go back to 99.9% and not expect to lose waves of customers during a period of major growth. MS has no way out of this mess but to fix their processes.

# Mar 19, 2021 19:24
|
Daisy chain a bunch of powered USB hubs and Raid 0 those mofos
|
# Apr 7, 2021 16:48
|
I think there's a legacy GPO for screensavers specifically but I've never tried using it
|
# Apr 9, 2021 20:13
|
Yeah, I wouldn't set the users' passwords to expire. Force complexity, yes, but password expiration encourages bad, more-guessable passwords.

E: Focus on 2FA instead of expiration.

# Jun 22, 2021 16:50
|
|
Password expiration is unfortunately going to take a long time to die from the number of people still married to a government recommendation from the 90s, about as accurate as the contemporary food pyramid, instead of the government recommendation of today and many, many major companies and organizations. Resistance to MFA is also a big factor, both from the user perspective of them hating anything even slightly inconvenient, especially suits, and the IT perspective of either being stretched too thin to take on the project of setting it up, or just not wanting to make the effort to implement.

# Jun 23, 2021 16:27
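
A read-only audit of the domain's password policy against the position in the last two posts (no forced expiration, complexity on), as an added example that is not code from the thread. It reads the default domain policy and any fine-grained policies and reports findings rather than changing anything; the 14-character minimum and the lockout check are my own additions to the checklist, and it assumes the RSAT ActiveDirectory module.

```powershell
# Added example (not code from the thread): read-only audit of the default
# domain password policy and any fine-grained policies. Findings only; nothing
# is modified. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-PasswordPolicy {
    param([int]$MinLength = 14)   # chosen threshold, not a value from the thread

    $props = 'MaxPasswordAge', 'ComplexityEnabled', 'MinPasswordLength', 'LockoutThreshold'
    $policies = @(
        Get-ADDefaultDomainPasswordPolicy |
            Select-Object @{ n = 'Name'; e = { 'Default Domain Policy' } }, $props
    ) + @(Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, $props)

    foreach ($p in $policies) {
        $findings = @()
        # The AD cmdlets report "passwords never expire" as a zero TimeSpan.
        if ($p.MaxPasswordAge -ne [TimeSpan]::Zero) {
            $findings += "passwords expire every $($p.MaxPasswordAge.Days) days"
        }
        if (-not $p.ComplexityEnabled)           { $findings += 'complexity disabled' }
        if ($p.MinPasswordLength -lt $MinLength) { $findings += "min length $($p.MinPasswordLength) < $MinLength" }
        if ($p.LockoutThreshold -eq 0)           { $findings += 'no lockout threshold' }

        [pscustomobject]@{
            Policy   = $p.Name
            Findings = $(if ($findings) { $findings -join '; ' } else { 'ok' })
        }
    }
}

# Usage:
# Test-PasswordPolicy | Format-Table -AutoSize
```

Fine-grained policies are easy to forget during an audit because they override the default domain policy for whichever groups they are applied to, which is exactly where an old "expire every 90 days" rule tends to survive after the domain default has been fixed.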