|
jassa posted: I've been working on our Win 7 MOE, we're planning on rolling it out to 1000+ XP machines using USMT 4.0 to back up and restore user profiles. On the first day of pilot testing we encountered a user who had over 200Gb of data in her local profile (99% of which was personal data sitting in a folder on her Desktop). I'd like to make the task sequence abort if the combined size of all the user profiles exceeds 20Gb - how would you guys recommend I go about this? I was thinking a script might do it but I'm a complete novice with scripting so I'd rather avoid it if there's another solution.

Two ways I can think of:

Make a task sequence step ahead of the state store that runs a script like code:

Other way: Make a compliance rule that runs a script like the above one. A day later you have a list of PCs whose profile is larger than 20GB, then you can assign that list to helpdesk to go badger the users.
|
# ¿ Feb 14, 2013 12:42 |
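One way to write the check described in the post above, as an added example (the script originally posted did not survive on this page, and this is not it). It assumes PowerShell 2.0 is present on the XP machines and that the step is a command-line step that fails on a non-zero exit code; the `-LimitGB` parameter name is made up for the example.

```powershell
# Added example (not the poster's script): fail the step when the combined
# size of all local user profiles exceeds a limit, before the USMT state store runs.
param(
    [double]$LimitGB = 20   # threshold taken from the question above
)

$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
# Built-in service profiles (SYSTEM, LocalService, NetworkService) hold no user data.
$skipSids = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'

$totalBytes = 0
foreach ($key in Get-ChildItem -Path $profileListKey) {
    if ($skipSids -contains $key.PSChildName) { continue }

    # ProfileImagePath is correct on both XP (Documents and Settings) and Win 7 (Users).
    $path = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

    # -Force includes hidden files. Folders the account cannot read are skipped
    # silently, so run this as SYSTEM or an administrator to avoid under-counting.
    $size = (Get-ChildItem -LiteralPath $path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Measure-Object -Property Length -Sum).Sum
    if ($size) { $totalBytes += $size }

    Write-Output ('{0,10:N2} GB  {1}' -f ($size / 1GB), $path)
}

$totalGB = $totalBytes / 1GB
Write-Output ('Combined profile size: {0:N2} GB (limit {1} GB)' -f $totalGB, $LimitGB)

# A non-zero exit code marks the step as failed; 0 lets the sequence continue.
if ($totalGB -gt $LimitGB) { exit 1 }
exit 0
```

The per-profile lines end up in the step's output, which also gives helpdesk the list of large profiles the second option asks for.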
|
jassa posted: Have any of you guys been able to easily and effectively disable hybrid sleep on a fleet of Win 7 x64 machines? When googling I can find heaps of discussions about disabling sleep and hibernate, but very little of any help regarding hybrid sleep. Ideally I want to disable it for the machine as part of the OSD task sequence, but I'd settle for a working user-based GPO or even a logon script at the moment.

Power things are automated with powercfg.exe; you can set everything there. But I don't think that's your problem, because if sleep is set to never happen, then hybrid sleep won't either. The only thing disabling hybrid sleep does is prevent PCs with lovely ACPI drivers from bluescreening when they're supposed to sleep. But, what's so bad about PCs turning off overnight? It'll save you quite a bit of money and it's nice for the environment too.

Yaos posted: We just moved our first department to Active Directory and it was very smooth. Now we just have to get SCCM up and running and we can spend years figuring out how to silently deploy applications! Maybe if I have time figure out zerotouch deployment too and save about an hour every couple of months.

Powershell definitely.
|
# ¿ Feb 27, 2013 16:13 |
|
The Skype administrator's guide is up to date in the sense that they didn't really add any GPO administrability to Skype since version 4. You can disable autoupdates, file transfers and a handful of other things but nothing past that. If you want to do any further customization you'll have to edit Skype's xml configuration file, which isn't too hard however. Powershell's "select-xml" command is pretty useful for that.
|
# ¿ Feb 27, 2013 22:33 |
|
Gyshall posted: Maybe the wrong thread, but regarding monitoring software, maybe someone can give me a recommendation for what we need -

The email alerts aren't a great source for a display like this because the more simple monitoring solutions don't support querying mailboxes. The backup software should likely also log these successes/failures into the event log though, which you can use for event forwarding http://technet.microsoft.com/en-us/library/cc748890.aspx to a central server. From there you can then parse it with a monitoring software like PRTG or Zabbix or even a custom script to display some pretty squares (green for all success, yellow for 1 failed backup, red for 3).

zapateria posted: We have network monitoring software that alerts us when hosts go down and if they come back up. What they won't do is say why if it was a valid restart (like a scheduled software update or another sysadm rebooting). This is more like a "nice to have" thing.

Windows will log an event 41 if the reboot was unexpected.
|
# ¿ Mar 2, 2013 14:51 |
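The event 41 check from the post above, extended into an added example (not the poster's code) that sorts recent restarts into planned and unexpected. Event IDs 1074 (restart requested by a user or process) and 6008 (previous shutdown was unexpected) are not mentioned in the thread; they are standard System log events, and the parameter names are made up for the example.

```powershell
# Added example: separate planned restarts from unexpected ones using the
# System event log, locally or on a server that receives forwarded events.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)

$filter = @{
    LogName   = 'System'
    Id        = 41, 6008, 1074
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Match on provider and ID together, since an ID alone is not unique in the log.
    $kind = switch ("$($e.ProviderName)/$($e.Id)") {
        'Microsoft-Windows-Kernel-Power/41' { 'Unexpected' }   # no clean shutdown before boot
        'EventLog/6008'                     { 'Unexpected' }   # previous shutdown was unexpected
        'User32/1074'                       { 'Planned' }      # names the process, user and reason
        default                             { $null }
    }
    if (-not $kind) { continue }

    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Kind    = $kind
        EventId = $e.Id
        # The first line of the message is enough to see who or what asked for the restart.
        Detail  = ("$($e.Message)" -split "`r?`n")[0]
    }
}

$report | Sort-Object Time | Format-Table Time, Kind, EventId, Detail -AutoSize -Wrap

# Non-zero exit when anything unexpected was found, so a monitoring job can alert on it.
if ($report | Where-Object { $_.Kind -eq 'Unexpected' }) { exit 1 }
exit 0
```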
|
Switch off offline files on both PCs; it's likely you are viewing the cache on one of them.
|
# ¿ Mar 6, 2013 22:12 |
|
jassa posted: Just got a call from a panicked coworker (at 12:30am on a Sunday) who committed the ultimate SCCM 2007 R2 mistake - he accidentally deleted a couple of collections, including the All Systems collection. From initial searching it looks like this can effectively recreate the All Systems collection (the alternative being to reinstall SP2 apparently) but it's looking like the other collection is gone forever and I have no idea exactly what was/wasn't advertised to it. I was hoping I could help this guy restore the collections without involving the sysadmin team and managers, but it's beginning to look like I'll have no choice but to get them involved.

In the SCCM backup directory in the SiteDBServer subdirectory you will have a backup of the SQL database as an MDF file. You can restore that to a different database under a temporary name, then you can get the rules back from the v_CollectionRuleQuery view.
|
# ¿ Mar 10, 2013 00:26 |
|
As long as you only have 1-3 sites, WDS/MDT is more than enough to image PCs. SCCM only starts to really shine on complex environments with dozens of locations, different forests and varying languages. But note that if you already use System Center for patching, software deployment or something else, you don't need to pay any additional money for imaging. You pay your flat $60 per client no matter how many features you use.
|
# ¿ Mar 12, 2013 01:20 |
|
dotalchemy posted: Company computer should equate to no reasonable expectation of privacy.

Depends on your country, in Germany taking automated screenshots is illegal even if you do mention it in the employment contract. Logging URLs is allowed, but capturing website content isn't. To capture the URLs you can push out a proxy to the PC by a group policy, then use the log files of the proxy. As for the applications, you could use SCCM to log their run times but that's generally quite useless since the productivity apps generally run in the background all the time. So what you're likely going to find out is that someone starts Outlook at 8:05 and quits at 17:12 but you have no idea whether he spent that whole time playing web games or answering mails.
|
# ¿ May 7, 2013 21:39 |
|
Sacred Cow posted: Adobe updates are pretty easy on SCCM with System Center Update Publisher. Just subscribe to the Adobe update feeds and publish to SCCM. Java on the other hand is still a huge pain in the rear end. Trying to get 32-bit v7 Java to deploy on a x64 OS was a nightmare.

Nightmare as in "extract the MSI then install that"?
|
# ¿ May 22, 2013 20:12 |
|
Ever since Vista came out you should have been using GPPs for network drives http://blogs.technet.com/b/askds/archive/2009/01/07/using-group-policy-preferences-to-map-drives-based-on-group-membership.aspx
|
# ¿ Jun 20, 2013 22:48 |
|
In general you don't really clone stuff nowadays anymore. The problems you get with unwanted settings and drivers being taken over to the other machine are just too troublesome. Automated installations do quick provisioning of new machines much better, whether you do it homebrew style with unattend files and scripts, fancier with SCCM task sequences or really fancy with Orchestrator. That way you have a clean new install where you know exactly what is and isn't on the machine.
|
# ¿ Jun 21, 2013 21:09 |
|
EAT THE EGGS RICOLA posted: Wait, there must be a way that doesn't suck to manage proxy config settings and stuff. That's ridiculous.

Proxy settings should go in DHCP setting 252 because they're a property of the network, and not of the computer account. If you put them in a group policy and the user takes his laptop to a hotel, that group policy will still apply, IE will search for a proxy it can't reach and they can't get on the Internet.
|
# ¿ Aug 16, 2013 22:53 |
|
hihifellow posted: Even if you can't get him to do that, at least try to convince him to make the domains subdomains of the main org. Seven separate domains sounds like an administrative nightmare on top of the time wasted keeping them straight.

If you do that without fixing the underlying problems I give it like two weeks before everyone is put into the Enterprise Admin group since they can't work as Domain Admins anymore.
|
# ¿ Dec 19, 2013 09:58 |
|
At the simplest level, do the delegation by going to the OU that everybody is in, and delegate Full Control to some "AD Administrators" group you create, then put everybody into that group. That's functionally identical to people being Domain Admins, so nobody will be able to bitch about not having the rights to do their AD jobs, but you have the certainty they can't do additional stuff like shut down DCs and move FSMOs. You can always finegrain it down further by location and job role later (aka never, but the important part of the job has been done).
|
# ¿ Jan 24, 2014 12:46 |
|
What I found out is that many driver packages as downloaded from the manufacturer are extremely oversized. I think I once saw a 50MB ZIP download that consisted of 700kB of drivers and 49.3MB of poo poo nobody needs. So you can definitely slim down your packages if you want to do the work.
|
# ¿ Feb 3, 2014 19:04 |
|
One issue that was 100% reproducible was that if you added the touchpad driver for the 2530p to SCCM, all installations of 2510p laptops bluescreened. I had to edit the inf file for that driver to remove the hardware ID of the 2510 device to get that to work.
|
# ¿ Feb 4, 2014 16:25 |
|
System Center Essentials was an SCCM 2007 thing, it has since been replaced by Windows Intune, which is essentially a web interface cloud SCCM. It does updates, software installations and inventory but won't do imaging. It also annoyingly tries to push you towards Windows 8 through licensing deals. It's not terrible but doesn't compare too well to real deployment solutions, personally I would only recommend it for supersmall offices (like <20 PCs).
|
# ¿ Feb 21, 2014 20:30 |
|
By putting all the group policies that have something to do with them to NOOOOOOOOOOO
|
# ¿ Mar 18, 2014 00:11 |
|
If you use a subdomain there's the problem of naming though. You could call your domain COMPANY and log on as COMPANY\username but then your FQDN is company.company.com which looks stupid. Or you use ad.company.com as FQDN, but then your accounts are AD\username which also looks stupid. Or you could use company.com as the domain, but then your website won't work from internal IPs! You can't win
|
# ¿ Mar 18, 2014 21:46 |
|
DHCP doesn't need to be on Windows servers at all, but if you want to do DNS on something other than domain controllers you're signing up to a lifetime subscription to "WHY IS MY LOGON SLOW / WHY ARE MY CERTIFICATES NOT WORKING" tickets.
|
# ¿ Mar 18, 2014 23:03 |
|
contenttransfermanager.log and clientlocation.log are what you probably want to be looking in if the content status is all green in the SCCM console but the clients aren't getting their stuff.
|
# ¿ May 15, 2014 21:11 |
|
I always deleted the required deployment in the morning when we did our Windows XP to 7 upgrade, and recreated it once the next office came up. Everything else seemed a bit like leaving a loaded gun lying around.
|
# ¿ May 19, 2014 21:45 |
|
You could just learn Powershell instead of paying a bazillion dollars for what's basically a fancy click and play game design software.
|
# ¿ May 25, 2014 15:59 |
|
lol internet. posted: Thanks!

It's completely possible that an installation will want a reboot in some cases but not in others, mostly due to applications being open and locking files. To get a 100% certain answer on whether an installation will _ever_ reboot you'd have to open up the MSI in an MSI editor and check the reboot conditions. If it doesn't have any, or all of its conditions can be safely taken care of by pskilling certain processes, then you're fine. Mind that even with an msiexec REBOOT=Suppress the installer will still return a 3010 code to SCCM, so SCCM will still believe it'll need a reboot.

But, don't sweat it that much. SCCM will only reboot without user interaction if nobody is logged in. If somebody is, the countdown will go down to 0:00 and be stuck there until somebody confirms the prompt.
|
# ¿ Jul 10, 2014 12:49 |
|
If the SAP guys can export the data you need to an MSSQL DB you can query that quite easily: code:
|
# ¿ Jul 11, 2014 12:56 |
|
DNS is a security risk because hackers can guess what a server does from its name.
|
# ¿ Jul 12, 2014 22:32 |
|
MBAM doesn't really do anything new though, it just puts a fancier UI on everything. Even without it, you can activate Bitlocker by group policy and store the recovery keys in AD.
|
# ¿ Jul 15, 2014 00:29 |
|
Number19 posted: I was running my build and capture routine today and ran into this:

You can't do those updates with "Apply Updates" but you can wrap them up in a package and put them onto the machine with "Install Package" if you select "Installer reboots the computer on its own".
|
# ¿ Aug 12, 2014 20:20 |
|
Has anyone implemented a proper Word macro signing solution in their domain? I've looked around but there doesn't seem to be a Microsoft step-by-step guide, or best practices FAQ for that. As far as I've seen:

- The default setting is that both unsigned and signed macros pop up a warning, then execute if you confirm that warning.
- You can set a group policy to run every macro, unsigned or signed, automatically. Aka the bend me over setting.
- You can set a group policy to never run an unsigned macro and pop up a warning for signed ones.

What you notably cannot do is set a policy to never run unsigned macros and always run signed ones. We have a shitload of macro enabled Word documents, so disabling them isn't an option. Forcing people to constantly click on confirm prompts isn't going to be a popular decision, and it's not like conditioning users to automatically click on "Enable" 200 times a day is going to do positive things to security anyway. I'm kind of wondering what to do here...
|
# ¿ Aug 12, 2014 21:16 |
|
I tried the Trusted Locations thingy too. Unfortunately it takes precedence over macro signing so if you add the standard file drive to the trusted locations, and somebody saves an unsigned macro there, it runs, even if you have the group policy "Only run signed macros" activated. What happened to deny over allow, Microsoft
|
# ¿ Aug 14, 2014 10:36 |
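Since the post above reports that a Trusted Location overrides the signed-macro policy, it is worth knowing which locations each user actually trusts. The following audit is an added example, not part of the thread; it assumes the per-version `Word\Security\Trusted Locations` registry layout that Office uses under the user hive and its Policies mirror, which should be confirmed against the Office build in use.

```powershell
# Added example: list Word Trusted Locations for the current user and flag the
# ones on network paths, which the post above found override "only signed macros".
# The registry layout is an assumption to verify for the deployed Office version.
$roots = 'HKCU:\Software\Microsoft\Office',
         'HKCU:\Software\Policies\Microsoft\Office'

function Test-NetworkPath([string]$Path) {
    if ($Path -like '\\*') { return $true }              # UNC path
    if ($Path -match '^([A-Za-z]):') {                   # drive letter: mapped share?
        $drive = New-Object System.IO.DriveInfo $Matches[1]
        return ($drive.DriveType -eq [System.IO.DriveType]::Network)
    }
    return $false
}

$findings = foreach ($root in $roots) {
    # The version subkey (first wildcard) is enumerated rather than assumed.
    $pattern = "$root\*\Word\Security\Trusted Locations\*"
    foreach ($key in Get-Item -Path $pattern -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath
        if (-not $props.Path) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($props.Path)
        New-Object PSObject -Property @{
            RegistryKey     = $key.Name
            Path            = $path
            AllowSubfolders = [bool]$props.AllowSubfolders
            OnNetwork       = Test-NetworkPath $path
        }
    }
}

$findings | Sort-Object OnNetwork -Descending |
    Format-Table OnNetwork, AllowSubfolders, Path, RegistryKey -AutoSize

# Non-zero exit lets a logon script or compliance rule report the machine.
if ($findings | Where-Object { $_.OnNetwork }) { exit 1 }
exit 0
```

A trusted location on a share that ordinary users can write to is the case to look for, because any document saved there runs its macros without a prompt.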
|
We use IPSEC, it seems weird to do your encryption on layer 5 if you can do it on layer 3...
|
# ¿ Aug 23, 2014 01:28 |
|
They'd probably argue that if you had millions for software licensing you should be able to afford to hire a licensing specialist for a week every year...
|
# ¿ Aug 23, 2014 13:55 |
|
Greg Jackson posted: Is there an easy way to get this done? We do it on our virtual desktops using group policy (I believe, I didn't do it myself), these are standalone laptops not on a domain?

Everything you can do in group policy you can also do in local policy. Run rsop.msc on one of the virtual desktops to see what policies are set.
|
# ¿ Aug 29, 2014 23:40 |
|
20k ought to be enough for anybody
|
# ¿ Sep 11, 2014 11:57 |
|
Plus another 5k desktop.inis
|
# ¿ Sep 11, 2014 12:37 |
|
itskage posted: However it makes more sense to me to just go into DNS, make a CNAME for printers and point it at newserver. Then in GP make it \\printers\. That way in the future when printers get moved again, you just change the CNAME.

This used to be a recommended thing, but ever since certificates started getting popular it doesn't work that well anymore. Won't be a problem for printers yet but don't count on it working forever.
|
# ¿ Sep 12, 2014 11:36 |
|
No, the only thing that ABE does is hide files if they aren't accessible, they don't modify rights at all. You could hide a file by enabling ABE and removing read rights, but then they cannot read the file even if they do know the path. What you are trying to do isn't possible, "read file" and "list folder contents" are the same bit in Windows file rights.
|
# ¿ Sep 18, 2014 21:53 |
|
Maneki Neko posted: So are there ANY useful details on MS14-066 out there (aka SSLMAGEDDON) so I can figure out how much to freak the gently caress out?

Chances are quite a few of your SSL ports will be forwarded, for web servers, RDS gateways, proxies, SCCM distribution points etc.
|
# ¿ Nov 13, 2014 09:16 |
|
angry armadillo posted: I can't really do that either with this network

I can give you a 100% guarantee that the users of that super-safe offline-only computer are using USB sticks on a daily basis to transfer their work files onto that machine hth
|
# ¿ Mar 12, 2015 15:46 |
|
FISHMANPET posted: Does anyone know how to setup a SCCM lab/test/dev/whatever environment alongside a production environment? I don't want the boundaries to collide and have clients start registering with my test instance, but I'm not sure what I need to do to keep them separated.

The easiest way to do that is to not publish the test SCCM settings into AD, and not have any system discovery or client push installations. That way you're forced to manually set the SCCM site on the clients that should contact that server - either by setting it in the Control Panel or as a command line option to ccmsetup.exe. But that guarantees that only clients you want to talk to the test server will do so.
|
# ¿ May 21, 2015 21:48 |