|
SCCM to handle remote desktop sessions with client workstations, WSUS to handle updates and WDS 2010 to do imaging of machines. WDS 2010 is so complex I'd rather be using Clonezilla or Novell Zenworks to image machines. How difficult is it to configure workstation imaging via SCCM?
|
# ¿ Jul 19, 2010 23:31 |
|
echo465 posted:
What do large Microsoft shops do for printing?

We manage just fine with a single virtual Server 2008 print server and about 40-60 printers. There's definitely some driver hell, but it handles the load just fine. If you're going to be dealing with 150 printers then I suppose one virtual print server with a single failover would work okay. If you're paranoid about a driver install you can always make a snapshot before you install it (if you decide to take the virtualization route.)
|
# ¿ Aug 13, 2010 03:06 |
|
Halo14 posted:
What the hell. I started reading that thinking it explained why the entire Commbank network (EFTPOS, Online Banking, ATMs, Branch computers etc) went down a couple of weeks back. This was back in 2012? Wonder what caused it this time?

So having developed some experience with SMS 2003, SCCM 2007 and LANDesk, I read through both of the stories (Emory Library and CommBank). The initial thought I had in response was "Okay, I could understand how workstations would be accidentally formatted, but how does one accidentally format the SCCM server as well?". That's when I read the CommBank article and thought "Oh. Now I see how that would happen."
|
# ¿ May 18, 2014 03:42 |
|
Sacred Cow posted:
I learned with CBT and a lot of test packages sent to a test laptop. If something isn't working, learn which logs you need to check and where to find them (server or client?). Speaking of logs, use the SCCM log parser (CmRcViewer) whenever possible. It makes it much easier to spot the errors than slogging through a text doc.

Yeah you almost always should use setup.exe /admin when customizing Office installs for deployment. That will launch OCT and you can customize any settings you want end-users to have when their systems receive Office. Save as an MSP file, save to the Updates folder of the extracted Office installation. I personally don't use the /adminfile command to call the custom MSP file and I don't modify the setup.xml file. The install looks at the Updates folder, sees the service pack files and the msp file and just automatically applies all of it during the install. I had problems when trying to manually specify MSP files using /adminfile to call either a local location or a network share. Created a little more work when building and customizing but it works.

Always try to use included MSI installers because they have the functionality you need already built-in. Use /? on the MSI file to see what commands are available (which are universal for the most part) or if it already has an MST (transform file) then that's a good starting point. Some self-extracting EXE files that use InstallShield can also be customized (if an MSI is unavailable.) Try setup.exe /? or setup.exe /R to run a recorded install which will generate a custom ISS file. A lot of programs will also have their own customization utilities as well like Adobe applications. Adobe has an application that can build customized MSI/MST files for Reader, Flash, etc. Microsoft has a utility called Orca which can handle MSI/MST files.
|
# ¿ Jul 24, 2014 20:29 |
|
peak debt posted:
Has anyone implemented a proper Word macro signing solution in their domain? I've looked around but there doesn't seem to be a Microsoft step-by-step guide, or best practices FAQ for that.

Yeah not too sure on that one. I went with the "bend me over setting" to be perfectly honest because of the sheer amount of applications in use at our company. A lot of them are applications that are tightly integrated with Excel/VBS scripting. The one thing we've recently been using GPO for though is to add new Trusted Locations for Excel & Word via a .reg file that points to an HKCU modification. Basically we locate the users in ADUC that need this change, add them to a custom ADUC group, then tell GPO to apply the .reg file to any user that's a member of that ADUC group. This way when the end-user logs in to any domain PC, GPO applies the modification to HKCU upon logging in. Don't know if that gives you any ideas, but that might work for you if you want to go that route. Obviously you would need to know what your Trusted Locations should be for those macros.
|
# ¿ Aug 14, 2014 04:15 |
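Added example, not part of the thread: files opened from an Office Trusted Location run macros without the usual trust checks, so a .reg file like the one described in the post above is worth linting before it is pushed by GPO. This Python sketch parses a Trusted Locations .reg export and flags network paths, trusted subfolders and commonly user-writable folders; the sample file, server name and the folder hint list are constructed assumptions.

```python
import re

# Constructed sample .reg content (not from the thread); Office 15.0 assumed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security\Trusted Locations]
"AllowNetworkLocations"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security\Trusted Locations\Location20]
"Path"="\\\\fileserver01\\finance\\macros\\"
"AllowSubfolders"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\Trusted Locations\Location21]
"Path"="C:\\Users\\Public\\Downloads\\"
"AllowSubfolders"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\Trusted Locations\Location22]
"Path"="C:\\Program Files\\Contoso\\Templates\\"
"AllowSubfolders"=dword:00000000
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')
# Assumption: a heuristic list of folders that ordinary users can usually write to.
USER_WRITABLE_HINTS = ('\\users\\public\\', '\\downloads\\', '\\temp\\', '\\appdata\\')

def parse_reg(text):
    """Return {key_path: {value_name: value}} for string and dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith('dword:'):
                current[name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                # .reg strings escape backslashes and quotes with a backslash
                current[name] = re.sub(r'\\(.)', r'\1', raw[1:-1])
    return keys

def audit(text):
    """Return (application, key name, issue) tuples for risky settings."""
    findings = []
    for key, vals in parse_reg(text).items():
        parts = key.split('\\')
        lowered = [p.lower() for p in parts]
        if 'trusted locations' not in lowered or 'security' not in lowered:
            continue
        app = parts[lowered.index('security') - 1]
        if lowered[-1] == 'trusted locations':
            if vals.get('AllowNetworkLocations') == 1:
                findings.append((app, parts[-1], 'network-locations-allowed'))
            continue
        path = vals.get('Path', '').lower()
        norm = path.rstrip('\\') + '\\'  # so '\temp\' cannot match '\templates'
        if path.startswith(('\\\\', 'http://', 'https://')):
            findings.append((app, parts[-1], 'network-path'))
        if any(hint in norm for hint in USER_WRITABLE_HINTS):
            findings.append((app, parts[-1], 'user-writable-path'))
        if vals.get('AllowSubfolders') == 1:
            findings.append((app, parts[-1], 'subfolders-trusted'))
    return findings

if __name__ == '__main__':
    print(*audit(SAMPLE_REG), sep='\n')
```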
|
I wanted to run a GPO issue by you folks and see what you think might be the cause. We have AGPM 4.1 on our GPO server and I'm working on a couple of policies through that. I'm seeing an issue affecting numerous policies where if I generate an HTML report on any of them via AGPM and I look at the links section of the report, the links section will be blank. If I drill down to the actual policy under Group Policy Objects, I can see the OU links there. Our environment has replication across four DCs. Has anyone encountered this issue before? Is it a replication issue or a hosed up AGPM? Or perhaps policies are broken? I'm doing everything correctly (check out, modify, check in, deploy) in AGPM but the reports aren't displaying the proper links information. As an example, I have one policy that has four ADUC accounts under Security Filtering when looking at the actual policy. If I look at the report for that policy in AGPM, it only displays two ADUC accounts. I saw this hotfix but the symptoms don't sound similar and that is for AGPM 4.0.
PUBLIC TOILET fucked around with this message at 19:35 on Sep 19, 2014 |
# ¿ Sep 19, 2014 19:32 |
|
PUBLIC TOILET posted:
I wanted to run a GPO issue by you folks and see what you think might be the cause. We have AGPM 4.1 on our GPO server and I'm working on a couple of policies through that. I'm seeing an issue affecting numerous policies where if I generate an HTML report on any of them via AGPM and I look at the links section of the report, the links section will be blank. If I drill down to the actual policy under Group Policy Objects, I can see the OU links there. Our environment has replication across four DCs. Has anyone encountered this issue before? Is it a replication issue or a hosed up AGPM? Or perhaps policies are broken? I'm doing everything correctly (check out, modify, check in, deploy) in AGPM but the reports aren't displaying the proper links information. As an example, I have one policy that has four ADUC accounts under Security Filtering when looking at the actual policy. If I look at the report for that policy in AGPM, it only displays two ADUC accounts.

I figured this out in case anyone else experiences the issue. I'm not too familiar with AGPM so I did some research. Turns out I wasn't importing the actual production Group Policy into AGPM so they weren't synchronized and that was causing the missing items in the reports.
|
# ¿ Sep 25, 2014 01:51 |
|
lol internet. posted:
Just curious how everyone is managing their Adobe CC subscriptions for updates?

We've only installed Adobe CC products for maybe 3-5 people so far so we haven't bothered making packages for it or managing updates related to it. At this point we've been leaving it up to the end-user (if they can get through the firewall to update it.) I've had issues using Adobe's packaging utility for their CC poo poo so watch out for that if you do intend to make SCCM-type packages for CC applications. The issues I've encountered were the installations failing every time when they attempt to install some prerequisites like Microsoft Visual C++ components, etc.
|
# ¿ Oct 2, 2014 14:44 |
|
Swink posted:Ca Like this?
|
# ¿ Oct 3, 2014 02:27 |
|
Maneki Neko posted:
Any suggestions for laptop encryption AND remote wipe (for healthcare if that matters in particular). I'd normally go down the bitlocker route for encryption, but management at this customer has a super hatred of bitlocker based on some bad past experiences.

Not what you want to hear, but Bitlocker. Its integration into Windows and the ability to manage it via GPO, etc. make it a reasonable choice. I'm sure there are other products that offer templates for GPO, etc. but I don't know what they are.
|
# ¿ Oct 9, 2014 04:35 |
|
I would be interested in an enterprise cloud thread. I've always been curious about the cost benefits and whatnot when comparing in-house to cloud within a small business environment. Being in healthcare, in-house solutions are the primary go-to solution. There are certain products and vendors who utilize the cloud and proclaim HIPAA compliance, but those are just applications and not actual server solutions for the most part.
|
# ¿ Oct 31, 2014 03:12 |
|
Mr. Clark2 posted:
On a windows 2k8R2 server with no TPM is there a way to use Bitlocker to encrypt the drive that does NOT require user intervention when the server reboots? If not Bitlocker, something else? The server has a few shares on it, so any encryption would have to be done so that it doesn't impact users.

There's a way to use BitLocker so that it would only need a USB dongle connected to a USB port during boot-up (but I presume that's what you mean by hardware key.)
|
# ¿ Nov 14, 2014 23:46 |
|
Is it even worth the cost to go Azure for everything? I don't know what the cost is, but per-minute billing just sounds like the final amount will be astronomical. I recall Amazon doing that with EC2 although I haven't used that in at least a year or so.
|
# ¿ Nov 15, 2014 18:14 |
|
Try a customized deployment package with a Java 7 MSI and a .reg file to disable automatic updating and three different group policies to customize security settings (one for general use, two for specific web interfaces that have vendor-specific requirements) then test and deploy it across a network with over 6,000 workstations. It should be seamless and problem-free!
|
# ¿ Nov 22, 2014 06:45 |
|
Zero VGS posted:
If they spell it BitLocker Administration and Monitoring, why wouldn't they use BLAM or MBLAM, instead of you know, grabbing the acronym from Malware Bytes Anti-Malware?

Sometimes I feel as though most Microsoft support engineers don't understand how the products they support work in a real, production environment. Doesn't really surprise me, though.
|
# ¿ Dec 3, 2014 04:09 |
|
Maneki Neko posted:
3004394, 3011970 and 2986475 got pulled, so that's good I guess, but holy poo poo.

Looks like a new KB came out to address the issues with 3004394. https://support.microsoft.com/kb/3024777
|
# ¿ Dec 12, 2014 14:38 |
|
Yes I have seen this issue when there are DNS problems within the network. Do you have DNS scavenging enabled in your DNS server(s)?
|
# ¿ Jan 8, 2015 02:41 |
|
BaseballPCHiker posted:
That sounds correct. From my limited experience computers with the TPM chip have to have a BIOS password enabled and then have the TPM chip enabled and ownership applied. Once that is done you can apply a GPO that enables bitlocker on the machine and force the host to upload its encryption key to AD for safe keeping. If you do it that way without requiring a PIN or USB dongle it should be mostly transparent to your end users.

This is correct. The method you're speaking of is to allow ADUC to manage the Bitlocker keys. That's an option, otherwise I believe you can have your MBAM server manage the keys. If a problem occurs with a workstation, you will see it boot to a black screen that asks for a recovery key. At that point you would access an MBAM web interface, enter the string on the screen of the broken workstation, and in return it spits out a key that you enter into the workstation. If successful it continues to boot into Windows.
|
# ¿ Jan 12, 2015 02:57 |
|
skipdogg posted:
Yeah, I can't deal with the Spiceworks forum, too many MSP guys there. Nothing against MSP guys but our environments are too different which makes their suggestions crap.

I actually rather enjoy reading /r/sysadmin. It's been a good mix of helpful advice, interesting questions, and an on-the-ball familiar IT misery vibe I can associate with there.
|
# ¿ Jan 20, 2015 01:08 |
|
incoherent posted:
I really liked Advanced Installer when I was using the free tier to build installers for internal use. If you go pro or better you have a lot more features to work with.

Honestly I've just flat out used Orca or this. Never tried Advanced Installer but it looks easier and cheaper than Flexera. Regardless, Orca is free even if it is a bit outdated/granular and it gets the job done when it comes to creating custom transforms.
|
# ¿ Jan 28, 2015 02:22 |
|
JHVH-1 posted:
Can it be done with local policy? (Sorry I am a windows noob, and really a Linux guy). Unfortunately these are (not yet) managed via AD. They just spin up from a server image which I am trying to make generic and customize itself when it spins up, the goal end is to make all this as hands off as possible. I want to some day either tie into the AWS directory service, or build out an AD server.

Your best bet for this would be Group Policy and/or Office Customization Tool. Install your desired version of Office on a PC and from a command-line point it to the Office installation folder and do "setup.exe /admin". This will bring up the OCT and help walk you through the process of customizing Office. At the end you can generate a .MSP file and whatnot then build a fresh Office installation that calls the .MSP file with all of the customized options you've made. Personally I prefer using the OCT to customize everything, but some people prefer a mix of both that and Group Policy. For instance you can use the OCT to customize only Outlook/Exchange mail profiles/server settings and generate a .MSP file, then use Group Policy to configure every other setting.
PUBLIC TOILET fucked around with this message at 00:10 on Mar 17, 2015 |
# ¿ Mar 17, 2015 00:06 |
|
JHVH-1 posted:
Ok that is interesting. I can spin up these servers at any time and detach them from our auto-scaling groups to create new base images or test things out. So this might come in useful if it can update settings on an existing install. The images all have office pre-installed and use KMS. Anything where I can call a common command and give it a specific file to use to run at boot makes things easier.

Technically, yes, you could create one or multiple .MSP files and utilize the "msiexec /update" command if you make a small change that you want to push out to existing installations. I don't recommend using it frequently, but it will work. The ideal use of the OCT is to create a .MSP file and customize everything you possibly can at one time then place said .MSP file in the \Updates folder of your Office installation files (wherever your extracted image is located.)

What I've seen happen is someone has to update that single .MSP file in the \Updates folder because for instance the default Exchange server has been changed. Simply run the OCT, open the existing .MSP file, make the desired change to the Exchange/Outlook server information, save and overwrite the .MSP file. Now from that point forward, when you run the setup.exe, it will automatically use the updated .MSP file in \Updates with the new information. However, this also means you have to update any existing installations that have the old Exchange/Outlook information. In that instance is when the "msiexec /update" command comes in handy along with a way to push it across the network (SCCM or whatever software package distribution product you use.) Another option is to use a .PRF file but I've seen the .MSP file method work better.
PUBLIC TOILET fucked around with this message at 03:18 on Mar 17, 2015 |
# ¿ Mar 17, 2015 03:15 |
|
MC Fruit Stripe posted:
Looking for a VPN client replacement. The one I've sworn by for years, seen below, is also pretty out of date. I love it because it lets me create multiple entries - I need to VPN into any number of sites and it lets me import a profile for each. It's spectacular. It's the Cisco VPN Client pictured here:

I've heard this one is decent but I've personally never tried it.
|
# ¿ May 24, 2015 03:21 |
|
GreenNight posted:
Jesus Christ, now I can sync all the various local admin accounts across my domain. Why have I never heard of this tool before.

The tool was originally released not long ago (I think May of this year?) but I see they have a new version up from this week. I personally haven't used it yet but I've also mentioned it to higher-ups who should be lighting fires to get this poo poo in place, but unfortunately they aren't. Maybe I just have too much foresight into how not utilizing this may result in a future data breach of PHI?
|
# ¿ Jul 11, 2015 15:53 |
|
Internet Explorer posted:I'd point at a corrupted sysvol as well. Not sure if this would relate, but do keep in mind there is a local cache of GPOs, maybe an issue with the template you are using? https://macgyveritblog.wordpress.com/2014/01/27/recreate-the-local-group-policy-cache-in-windows/ That write-up points to "C:\ProgramData\Microsoft\Group Policy\History (Windows 7 / Server 2008)" but the only local policy location I've seen existing/in use before is "C:\Windows\System32\GroupPolicy". I guess it may be different on some machines/local networks.
|
# ¿ Oct 16, 2016 03:18 |
|
Could you configure your Wi-Fi network to use a certificate-based authentication and push the certificate to workstations with Group Policy?
|
# ¿ Nov 10, 2016 03:06 |
|
How Group Policy will be handled within Windows 10 moving forward has been one primary concern of mine. I couldn't help but notice that each time there's been a major update (1511, 1607, etc.), they've added/modified/removed various configurable policy options. So each update has resulted in the need to update administrative templates on both the workstations and servers. That doesn't even include the changes they've made between Pro/Enterprise in that regard. So how do they plan to approach this moving forward? Just keep on loving around with group policy every time they push a major update as they continue to force the subscription model? Sounds like an IT nightmare in the making. It's going to require constant maintenance of the Group Policy structure alone. Another issue is their ongoing loving of RSAT for Windows 10. Missing options, broken features, etc. I imagine RSAT will need to be updated after each major update, too. How about the lack of QA recently? Just all around belligerent.
|
# ¿ Nov 25, 2016 05:48 |
|
CLAM DOWN posted:
Why would you pay for SCCM but not use the core features it's meant for

Where I am, replace "SCCM" with "LANDESK" and I wonder the same thing. At least in that case the answer will likely be "because it's LANDESK."
|
# ¿ Jan 17, 2017 19:50 |
|
Yeah, short of using LAPS or Group Policy to push a security group to all machines which contains a domain account with administrative privileges (and you use cached credentials,) what else could you do that's secure? As was already mentioned, a PowerShell script would work as a logon script or a scheduled task, but then you're opening a security hole. Add all of that to the fact that the company you represent has ancient hardware and won't give you the proper tools to succeed, get out of there. I personally hate using PsTools because it's counter-intuitive and flaky when you should just have proper software/procedures in place that complete the same tasks safely/securely (ex. PDQ, SCCM, LANDESK)
PUBLIC TOILET fucked around with this message at 21:54 on Feb 28, 2017 |
# ¿ Feb 28, 2017 21:48 |
|
GreenNight posted:
Finally.

Had a Microsoft Sales Rep meeting not long ago (prior to the release of Creators Update.) One of the issues I raised was the need to constantly monitor, modify and upgrade the organization's Group Policy system every time a major Windows 10 update comes out. I had asked what Microsoft's plans were to address this or at least make it more seamless/sensible. All I received in return were some shrugs, a response of "I'll ask our engineers", followed by no actual answers. My opinion? If you're in an organization that relies heavily on Group Policy for managing Windows, you might as well hire a person dedicated solely to managing it (even if Microsoft does recommend using Provisioning instead of Group Policy.)
|
# ¿ Apr 12, 2017 20:51 |
|
Is there any ETA for the next major patch of Windows Server 2016? I had a ton of problems with the current version when I was trying to configure a Windows Server Essentials role so I've since had to use Windows Server 2012 R2. No idea why but everything works fine in 2012 R2 but if I attempt the same process on 2016, it's like pulling teeth.
|
# ¿ Jun 1, 2017 16:49 |
|
CLAM DOWN posted:1) Patch Tuesday in June
Those were just some of the things I experienced, mostly within Server 2016 Core. I ended up starting over with Server 2012 R2 and none of those issues were present in that version following the same installation/configuration processes. I should also note this was on a home lab server in a workgroup setting (not a domain.) With that said, I can only assume the majority of my issues were directly related with using the "Core" version without the full GUI. However, I'm now using Server 2012 R2 Core with a Hyper-V VM running Server 2012 R2 GUI and that hasn't had any issues.
PUBLIC TOILET fucked around with this message at 21:09 on Jun 1, 2017 |
# ¿ Jun 1, 2017 21:04 |
|
Wrath of the Bitch King posted:
If you have money, SCCM. If you don't, PDQ.

One thousand times this. Old job used SCCM, current job was SMS then went to LANDESK because of the cost. I still wish they would have spent the money on SCCM or just went with PDQ. At one point, even one of the IT Directors had trialed PDQ long after having purchased/approved implementation of LANDESK and was impressed by how well it worked.
|
# ¿ Oct 14, 2017 03:51 |
|
Super Slash posted:
Win 10 Enterprise 1709 question:

I thought there was a way, but I guess not. Best I could find: https://www.ghacks.net/2017/10/25/block-reopening-of-programs-on-windows-10-start/
|
# ¿ Jan 26, 2018 19:26 |
|
Thanks Ants posted:
MS are really upping their documentation game (I guess until they decide to move things around again). I like the project management oriented stuff they have now for deploying their stuff, like https://docs.microsoft.com/en-us/MicrosoftTeams/1-envision-define-my-success-phone-system

I haven't checked their Server 2016 documentation in a while, how's that now? Last time I looked, they had plenty of documentation on Storage Spaces for Server 2012 R2 but zero for 2016.
|
# ¿ Apr 14, 2018 22:07 |
|
These posts make me satisfied that I'm looking at a job opportunity letter from a school district an hour and a half away and thinking "nope."
|
# ¿ Dec 23, 2018 21:40 |
|
Company got hit with this activation issue today. We're probably close to 50/50 Windows 7/10. Only affecting the Windows 7 Enterprise machines- completely deactivated. Good times.
|
# ¿ Jan 10, 2019 03:54 |
|
I haven't Googled this but I thought I'd ask here first: What (if possible) is the easiest way to migrate a Hyper-V Ubuntu Server VM running on a Windows 10 Enterprise LTSC 2019 host to a Hyper-V Server 2016 host? Can I just do "Export", copy the file(s) to the server, then "Import" from the Hyper-V Manager?
|
# ¿ Jan 26, 2019 05:48 |
|
That's the first time I've heard of netplwiz not being available for use-- is this a domain-joined Surface? Or a standalone? If it's domain-joined then yeah, netplwiz might not work.
|
# ¿ Jun 1, 2019 03:48 |
|
So, 1.) Why are Windows Updates so loving slow in Windows Server 2016? 2.) Why did Microsoft feel the need to strip WSEE from Windows Server 2019 and give it its own SKU/product?
|
# ¿ Jul 6, 2019 17:15 |