|
Day 5 of our SEP definitions not updating properly. We had to reinstall our LUA for :reasons: and it keeps erroring out that definitions files are missing, support plx halp
|
# ¿ Nov 6, 2014 21:25 |
|
Gyshall posted:Uninstall SEP, install ESET, never worry about antivirus again. Seriously, it's 2014 Jesus christ if I had this choice I would do something about it. Too bad I'm a lowly sys admin (jr sys admin? I dunno my job title is Technical Consultant) for an MSP and my client is our largest client, they make the calls, we've attempted to sway them to other AV programs but so far have been unable, it's a loving nightmare. This is apparently something that happens every 6 or so months where LUA just decides to break, but it's never broken this badly and it might not be on our end, it might be an issue on Symantec's end. This is driving me up the wall, giving me pretty bad anxiety atm because I just got promoted to this position and then everything loving breaks that I'm supposed to be taking care of. oh well gently caress it, I put in a ticket with Symantec and we'll see if these jokers can figure it out.
|
# ¿ Nov 7, 2014 03:14 |
|
Co-worker of mine found something interesting over the weekend. His roommate has a macbook for work, it's joined to their domain blah blah blah. Well, said roommate has a lovely laptop for home use and can barely play games, he asked my co-worker if he knew a way to get around UAC so he could install games from steam on the macbook. Co-worker said that he might know a way, but that it probably violates company policy and if he does it, that anything that happens after is not his problem. Roommate was ok with this. So, my friend booted to an OSX CD, re-partitioned some of the drive and installed OSX on the new partition. That new partition uses completely different credentials but is able to access everything from the primary partition, i.e. all his work stuff. I'm curious if this works on windows as well, because it seems like an easy way around security protocol unless the drive is encrypted.
|
# ¿ Nov 10, 2014 19:05 |
|
BaseballPCHiker posted:So apparently SCCM licensing has changed? Anyone heard anything about this? It was mentioned in one of the threads a page or two back, I forget if it was this one or the working in IT thread... I think they are charging more per server or something?
|
# ¿ Jan 5, 2015 19:59 |
|
Cross-posting this question to hit a wider array of people: I know this has come up before, perhaps in another thread, but I can't find the info now and I was foolish and never saved URLs of the recommended sites. What sites do you guys frequent to stay up-to-date on technology or general websites you use in your IT life? I mostly use spiceworks forums and SA and then follow links to learn things/find out about stuff, but I'm looking to expand my list of sites to visit a couple times a week to look at discussions/news. Any recommended blogs, news sites, communities or whatever are very welcomed
|
# ¿ Jan 17, 2015 00:12 |
|
Going to move this to CoC once I get my thoughts together and look at this some more.
MF_James fucked around with this message at 22:46 on Jan 21, 2015 |
# ¿ Jan 21, 2015 21:11 |
|
Tab8715 posted:Couldn't you make this two steps? Export the name of all the objects in a OU to a .csv such as ou1.csv then have ps read ou1.csv and move those objects? But it won't know which OU to move them to? We are going from 8 OUs to 22 OUs, the current OU structure and what objects are in them isn't going to matter or help with the structure we're going to. Actually our current structure.. now that i think about it, is 9 OUs, 1 OU has 2200 objects, 6 of them have 300 or so in each and the last 2 have the rest. Unless I misunderstood what you were saying.
|
# ¿ Jan 21, 2015 21:26 |
|
skipdogg posted:There's a powershell thread in CoC that is really useful Yes, 22 files each represents an OU we are creating, the files contain only location name though, we have 2 objects per location (HOST000001 and GUEST000001) and the file is setup as 0000001, 0000002, 000003, etc Also, thanks I didn't realize there was a PS thread in CoC (I honestly didn't even think about it)
|
# ¿ Jan 21, 2015 21:36 |
|
Trying to do some WMI filtering on GPOs and I've got a question because I keep running into syntax errors doing what I'm trying to do (possibly because you can't do it!) I've got a few filters set up that look at Win32_OperatingSystem and others that look at Win32_ComputerSystem (specifically using name like "blah"). I'd also like to set up a few filters that look at both computer name AND operating system to apply a GPO, is there any way to do that, or am I going to have to drill into item level targeting (please god no)
|
# ¿ Jan 30, 2015 18:58 |
|
Sacred Cow posted:1 Primary site, 1 Secondary site and 1 Distribution point across 2 Forests I feel like you most likely work for my client.
|
# ¿ Feb 4, 2015 21:13 |
|
Sacred Cow posted:Probably not. We're a bare-bones IT department for a small private company. We got bought out recently and I'm sure most of you know how that usually works out. Ahh ok, well let's just say that the client I am currently assigned to is pretty much what you described
|
# ¿ Feb 4, 2015 23:40 |
|
Coredump posted:Just double checked everything this morning. The SID's are different, so the machines have been sysprepped correctly. The new machine does kill the trust relationship of the existing pc and take over as the computer linked to the object in AD. My question is, can this be stopped? Is there a way to have the AD check to see if there is a computer object in AD and stop the new one from joining? We have people who are not checking names properly and will add a new computer to the AD and kill the trust relationship of a computer in a classroom causing all sorts of issues. Automate the process so people aren't manually doing this? I just wrote a vbscript (don't ask, I wanted powershell, they said no for now, in 6-months when our backend is refreshed I'll be allowed to do the powershell version), it takes a csv of objects I'm creating, checks if that object exists, if it does, it logs the information and moves to the next object, if it doesn't already see the object in AD it will create it and do all sorts of other fun stuff. The nice thing is that this whole process is automated, the CSV is a feed from one of other systems, so now that it's setup and tested I don't do shiiiiit.
|
# ¿ Feb 24, 2015 22:29 |
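The check-then-create flow described in the post above, sketched in PowerShell as an added example; it is not the poster's VBScript. The function name, the CSV columns (`Name`, `OU`), the file paths and the `example.com` rows are assumptions made for illustration, and it needs the ActiveDirectory RSAT module and a reachable domain controller.

```powershell
#Requires -Modules ActiveDirectory
# Added example: pre-stage computer objects from a CSV feed and refuse to touch
# any name that already exists, so an existing machine's account is never reused.
# Function name, column names and sample rows are constructed for illustration.

function Add-ComputerIfMissing {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [Parameter(Mandatory)] [string] $LogPath
    )

    # Small helper so every outcome is logged, even during a -WhatIf dry run.
    $log = {
        param($status, $message)
        Add-Content -Path $LogPath -WhatIf:$false `
            -Value ("{0} {1,-7} {2}" -f (Get-Date -Format s), $status, $message)
    }

    foreach ($row in Import-Csv -Path $CsvPath) {
        $name = "$($row.Name)".Trim()

        # Reject anything that is not a plain NetBIOS-style name (max 15 chars)
        # before it gets anywhere near an LDAP filter string.
        if ($name -notmatch '^[A-Za-z0-9-]{1,15}$') {
            & $log 'REJECT' "'$name' is not a valid computer name"
            continue
        }

        # -Filter returns nothing when there is no match; -Identity would throw.
        $existing = Get-ADComputer -Filter "Name -eq '$name'" -Properties whenCreated

        if ($existing) {
            # Name is taken: record where it lives and move on without changes.
            & $log 'EXISTS' "$name -> $($existing.DistinguishedName) (created $($existing.whenCreated))"
            continue
        }

        if ($PSCmdlet.ShouldProcess($name, "Create computer object in $($row.OU)")) {
            New-ADComputer -Name $name -SamAccountName "$name`$" -Path $row.OU -Enabled $true
            & $log 'CREATED' "$name in $($row.OU)"
        }
    }
}

# Constructed sample feed (placeholder domain and OU).
@'
Name,OU
HOST000001,"OU=Region01,DC=example,DC=com"
GUEST000001,"OU=Region01,DC=example,DC=com"
bad name!,"OU=Region01,DC=example,DC=com"
'@ | Set-Content -Path .\feed.csv

# Dry run first: existing names are logged, nothing is created.
Add-ComputerIfMissing -CsvPath .\feed.csv -LogPath .\feed.log -WhatIf
```

Run it without `-WhatIf` once the log from the dry run looks right; `EXISTS` lines are the name collisions a person joining machines by hand would have missed.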
|
hihifellow posted:I posted it halfway up the this page and it's not a bad idea, especially if you have nothing managing local admin passwords except a spreadsheet you hope people keep updated (or worse, the same password for everything (like us )) We use ERPM to manage Don't ask why we do it this way (the massive amounts of local users that is), I've been told that at the time it was the best way to do what we wanted (honestly after working here for a few years, it does seem like it was the best way), but it will be nice when we upgrade our 2207 remote locations to server 2012, and when we upgrade our production DCs to 2012 and change functional level from 2003 to 2012. Boy was I pissed off when I wrote a PS script to move all the AD objects around for an org structure only to find out that it wouldn't work in our production environment because the AD PS tools/hooks didn't come around till 2008 R2. I was especially angry because literally 2 days before I started writing the script is when we changed our QA functional level to 2012 as preparation for our massive backend/frontend upgrades. MF_James fucked around with this message at 08:22 on May 15, 2015 |
# ¿ May 15, 2015 07:39 |
|
Tab8715 posted:Curious, what's everyone experience with modifying intra/inter AD Replication timing? lowest replication can go is 15 minutes though, unless we're talking about different stuff. We have 5000+ devices in our environment and have no issues, we have 5 different sites defined as well.
|
# ¿ Sep 30, 2015 23:55 |
|
Tab8715 posted:Great post, I have no idea why it took me so goddamn long to find an answer for this question. Curious, do you work for MS? Most of that information is found pretty quickly when googling sites and services (ok maybe not REALLY quickly). I spent about 4 hours one night troubleshooting some domain issues and learned a boatload about sites and services and other stuff, I'll see if I can dig up the one link I found.. it was basically a boatload of info on sites and services in one page... *EDIT* well after googling for a bit I can't seem to find the drat website. Apparently when I'm half asleep I'm better at googling than I am when I'm wide awake and well fed MF_James fucked around with this message at 20:23 on Oct 19, 2015 |
# ¿ Oct 19, 2015 18:39 |
|
I'm getting conflicting information when googling for this stuff so here goes... Doing a quick and dirty fix for some website issues we're having with our 2003 machines while we wait to convert to 2012. What I want to do is turn OFF compatibility mode for all intranet websites, because the default is to have it on and it's screwing with some website(s) that updated recently. I'm pretty sure the policy I should be screwing with is: Comp Config\admin templates\windows components\IE\Compatibility view "Turn on Internet Explorer 7 Standards Mode" Now I've seen conflicting information as to whether enabling or disabling this setting will achieve what I want. I'm attempting to test this, but I'm currently fighting with some QA machines that apparently do not want the setting or something, it's hard to diagnose because I can't actually use gpresult or anything that will tell me WHAT GPs are currently applied to the computer. Anyone dealt with this before that can say whether the setting should be enabled or disabled?
|
# ¿ Nov 4, 2015 23:27 |
|
peak debt posted:You can buy technically legal Windows 10 keys from Russian resellers for less than 20 bux so spending 1300 on an MSDN license is probably a bit overkill. Especially since you have to be extra careful about how you use that MSDN software and stay within what's allowed. oh hey I was right, rsop gives access denied once I try to drill into the different configurations. You're probably right about user vs computer though, I just was messing with the computer policy since that's where we have a few settings already configured, whereas in the user area we have no settings configured. MF_James fucked around with this message at 23:54 on Nov 4, 2015 |
# ¿ Nov 4, 2015 23:44 |
|
Thanks Ants posted:I had to go through this before - we changed an Intranet page to actually render properly in newer browsers, and the public IE compatibility list didn't know that the page it thought should run in this mode didn't exist any more. sadly we do not control the site and it's highly unlikely we will be able to ask them for any sort of change, we're stuck fixing it on our end.
|
# ¿ Nov 8, 2015 00:35 |
|
dox posted:Here are some good customizations for Windows 10 OSD-- most of everything else stays the same. Just make sure to make new Task Sequences for 10 after upgrading MDT. Yes, this, it's still what microsoft recommends. You do have multiple DCs up that you can use as DNS servers.. right........... right?
|
# ¿ Nov 25, 2015 19:13 |
|
Tab8715 posted:What's the best way to deploy a GPO? For example, I want to... I would think it comes down to a few questions: Do you actually use the default user policy and not have any others linked at the highest level? Are these 2 settings going to apply to every user always? Does it make sense for it to be there, or do you have another GPO that also acts as a de facto default policy applied? If yes, I would guess they would be a good candidate for the default user policy. I don't see a reason to complicate things and cause longer processing times with multiple GPOs that are going to apply to all your users. What you want to avoid at the very top level GPOs is filtering of any kind because you should just be creating them at lower level OUs if they are going to only apply to certain groups of users. If there is no actual GPO setting then, yes, you will have to make a straight registry edit. I'm not sure regarding that specific item. I think with reg edits what you want to do is set it to MF_James fucked around with this message at 07:44 on Dec 22, 2015 |
# ¿ Dec 22, 2015 07:26 |
|
Moey posted:I am in the same boat Docjowles. Too much stuff to migrate it, too scared to rename it. I could lab it to see what happens, but for now I will leave it on the back-burner. even labbing it there's likely a bunch of poo poo that you can't test or just won't see because you're 1 dude (with maybe a few helpers) and your workplace is hundreds if not thousands of dudes + workstations and servers and oh my god we renamed it and now 70% of people can't log in and the other 30% can't access $webhostedapp$
|
# ¿ Jan 14, 2016 21:58 |
|
Judge Schnoopy posted:Group Policy question here. My first question would be... why are your users and your computers mixed together? That's going to cause all sorts of hell for group policy unless you want everything to apply to all users/computers... I don't know a way around what you're experiencing because I've never had issues where users are falling into the same OU as computers... Like a sane structure would be forest --> Users OU and at the same level a Computers OU, link any policies that are computer policies to the computers OU and anything that's a user policy to the user OU. Although you are the one with the really hosed AD environment right? That's pretty hosed if you've got all this poo poo falling together...
|
# ¿ Feb 19, 2016 22:20 |
|
^-- also yes, what he said. Judge Schnoopy posted:They're not, and I guess maybe I'm just being lazy about fixing the old policy. Your link order matters, as well, so check this out rq: https://technet.microsoft.com/en-us/library/cc757050(v=ws.10).aspx basically stuff linked at the lowest level will overwrite stuff linked at the highest level, link order matters etc. If you are doing something at the top-level domain and then doing it in the lowest child OU level, the child OU will win out, but if you are doing it 2 different ways I don't know what exactly will happen (there are a few instances where you can do the same thing 2-3 different ways, after testing, generally there's a correct way to do it) Also, the link order within the OU matters, stuff processed last (so higher link order number iirc) always wins.
|
# ¿ Feb 19, 2016 22:34 |
|
This just in: Not every company handles budgets the same way, loving SHOCKER
|
# ¿ Mar 3, 2016 23:40 |
|
cached credentials?
|
# ¿ Apr 16, 2016 00:39 |
|
is there an easy way to find out what local policy edits have been made to a machine? I am hoping there's something like rsop/gpresult that will only look at local policy edits. Trying to figure out how someone got some stuff to work on one server so I can document and migrate to another, there are a few local edits that I've found, but I'm pretty sure there's more that I'm missing and there's too much poo poo to go through by hand to figure it out.
|
# ¿ Apr 22, 2016 18:53 |
|
Dr. Arbitrary posted:I've got a service that keeps getting stopped and disabled. I found out the trigger is when group policy updates. Well sounds like you've got a GPO that sets that service as disabled. Pick whatever OU in GPM you're having issues with and start looking at the details of each GPO and ctrl-f for the service you're looking for. You created your own policies, we can't tell you what is doing it.
|
# ¿ Jun 9, 2016 18:53 |
|
Dr. Arbitrary posted:What's crazy is that it's not a normal service like the spooler, it's a custom one. Do you have a test environment experiencing the same problem? Disable GPOs 1 at a time, or all at once and see what happens.
|
# ¿ Jun 9, 2016 21:30 |
|
Sickening posted:Remove the folder that local group policy is saved in. This is one of the first things I do before trying to figure out mysteries such as these. YYUUUUPPPPP We just decommed 50-60 servers and replaced them with new VMs/hosts etc. The amount of times I had to dig around in local policies to figure out why poo poo wasn't working was astounding.
|
# ¿ Jun 9, 2016 22:32 |
|
Maneki Neko posted:This sounds like one of those "there was a good reason at the time" stories that everyone involved forgot about. Yuuuup, Also, give it 3-5 days, everything will explode, and it can be pointed back to this policy that no one remembers making or why, but clearly there was a point because now everything is smoldering ash. (just kidding ) Also, the fact that you can ctrl-F and search the settings of the policies is a huge help when you're walking into a bunch of policies you did not make and you're attempting to figure out stuff just like this.
|
# ¿ Jun 13, 2016 20:09 |
|
We do GPO by OU somewhat, but it's tiered and not a monster, we also only have like 20 GPOs total and none of them are monsters. We do some security filtering and WMI filtering (yes I know that's not preferable but it was the easiest way) MF_James fucked around with this message at 22:03 on Jun 15, 2016 |
# ¿ Jun 15, 2016 22:01 |
|
Internet Explorer posted:What I am not doing is making an OU called "Marketing Printers" and putting everyone who needs access to the Marketing printers in that. Yeah this sounds stupid, I would probably kill someone that did this.
|
# ¿ Jun 15, 2016 22:25 |
|
Ugh going to go loving crazy trying to figure this out, wonder if maybe one of you guys could help. I've got 2200 remote machines with ~10 LOCAL users each (they are all named the same across all the machines), and running server 2012 R2. 90% of these users have hosed up file associations for xls/doc type files, don't ask, it's awful and I'm pretty pissed the "project" team that caused this problem does not have to fix it. So, domain level USER GPOs are out of the question, which sucks because there's a group policy user preference item that would do exactly what I need. I've tried this: https://blogs.technet.microsoft.com...ailto-protocol/ and it did add a reg entry for the program I selected, but did not seem to actually do anything useful, unless I'm dumb and did it wrong. Server 2012 and on hashes user registry hives so I can't just load hives, delete keys, import and unload, it will just return to what it was before (kind of). Anyone dealt with something like this have any ideas? I've got a microsoft ticket open, but uh they keep sending me "fixes" that are domain user GPOs. Switching to domain users is the end-game goal, but it's not a possibility at the moment.
|
# ¿ Jun 21, 2016 20:48 |
|
Internet Explorer posted:That sounds awful and you have my condolences for having to support what sounds like an awful setup. I can't find the info I found before, but, if I load a user hive as my admin account, then delete the keys, import the keys I want, and then unload the hive, log the user on, nothing will have changed (essentially), if I then log the user off, load the hive again, I see the same registry entries that were there before I hosed with it. I found somewhere that talked about how user registries are being hashed in windows 8/2012 which causes this not to work. Which means what you're suggesting won't work because it's essentially what I already tried.
|
# ¿ Jun 21, 2016 21:17 |
|
buffbus posted:I haven't had the misfortune of supporting local accounts in a domain setting but a possibility is applying the user side preference as a loop back gpo linked to the computer ou. Hmm this sounds crazy enough to work, I'll give that a go, worst case I waste 30 minutes.
|
# ¿ Jun 22, 2016 05:52 |
|
Swink posted:I've got Domain Controllers running on HyperV 2012R2. The VM infrastructure cannot update group policy from the domain controllers, while physical infrastructure can. You are selecting the correct VLAN on the virtual switch, right? The NICs on your virtual machines are also configured correctly (domain suffixes etc), right?
|
# ¿ Jun 22, 2016 20:57 |
|
buffbus posted:Is the AD domain name a subdomain like corp.company.com or at least a publicly reserved but not used variation of your company name? If the internal domain is the exact same name as a different public service and you are relying on split-brain dns zones to make it work, you are going to have a bad time with a lot of things which includes remote access to company resources over a tunnel. Cloud services will suck too once you get to that point. Clients and even most servers like to cache those resolutions. Yeah this is likely going to be the first answer to your problem, you could have layered issues, but this is the first thing to do. We just went through this recently for our own domain, we have roughly the same amount of users/servers you do, it was not too terrible.
|
# ¿ Jul 29, 2016 18:09 |
|
Also, if the new shortcut will have a different name than the old shortcut, you can put a delete shortcut for the old one. I'd generally recommend using an update option for the new one rather than any other option, if the shortcuts are the exact same name/target type, update will, well.. update it.
|
# ¿ Aug 12, 2016 19:20 |
|
Internet Explorer posted:HKCU is indeed linked to the user who is currently logged in. You can limit access to RegEdit, but you cannot limit access to HKCU and have programs still work properly. HKCU is where any setting that doesn't reside in a .config or .ini file exists for a user. Nah let's just manage our domain by doing edits on EVERY loving MACHINE.
|
# ¿ Aug 25, 2016 20:57 |
|
my googlefu is failing me atm. We've got an RDS farm, 2 brokers and 2 session hosts. The farm itself is fine, but for some reason people can individually connect to servers via IP. Let's say the loadbalanced name is "RDSGateway" and our 2 session hosts are 1.1.1.1 and 1.1.1.2. Load balancing works fine overall, but I can plug in 1.1.1.1 or 1.1.1.2 to individually hit the servers, which shouldn't be possible, or at least it wasn't when terminal services was the thing on our 2003 servers. Is this just a change in behavior or do we have something set incorrectly? We do not have an RD gateway server configured, just the 2 connection brokers and 2 session hosts.
|
# ¿ Aug 26, 2016 18:22 |