Internet Explorer posted: Quick, someone Photoshop Nadella into "I don't always test my code..." with your "your production" line.

# Jun 16, 2016 20:11

For anyone who is affected by the patch which breaks GPO evaluation, you can run this as an EA and it will crawl the forest for items missing the read permission and add it.

Powershell Script posted: CLS

# Jun 17, 2016 17:05

MF_James posted: Ugh, going to go loving crazy trying to figure this out, wonder if maybe one of you guys could help.

I haven't had the misfortune of supporting local accounts in a domain setting, but a possibility is applying the user-side preference as a loopback GPO linked to the computer OU.

# Jun 22, 2016 04:56

Potato Salad posted: Does a local account login process go looking for GPOs applying to its computer account?

Yes, computer-side GPO settings will process before the user even logs in (aside from some async processing in the case of a very fast logon).

# Jun 22, 2016 14:27

mayodreams posted: Were the problematic domain controllers p2v'd? I've had issues with p2v corrupting or locking the SYSVOL, which requires rebuilding it.

I can confirm, a p2v usually involves some sort of drive snapshot which can thoroughly piss off a domain controller.

# Jun 22, 2016 15:08

Gerdalti posted: I just rolled out DFS-N at my office, and it's being less than awesome.

Is the AD domain name a subdomain like corp.company.com, or at least a publicly reserved but not used variation of your company name? If the internal domain is the exact same name as a different public service and you are relying on split-brain DNS zones to make it work, you are going to have a bad time with a lot of things, which includes remote access to company resources over a tunnel. Cloud services will suck too once you get to that point. Clients and even most servers like to cache those resolutions.

# Jul 29, 2016 15:17

devmd01 posted: We have a .local.

Company.local isn't too bad, though it's not best practice. Where you get hosed with mDNS is simply naming the domain "local".

# Jul 29, 2016 15:44

Some VPN clients have a post-connect script option.

# Aug 11, 2016 23:16

If your company has SA and therefore MDOP, then you can have them stand up AGPM if they are worried about untraceable ad-hoc changes. https://technet.microsoft.com/en-us/windows/hh826067.aspx

# Aug 25, 2016 21:43

hihifellow posted: Microsoft really should have called it "Authenticated Objects" but it's entrenched now so eh

They should have, and I feel there's a good chance many people at Microsoft themselves are confused due to this. In reference to the recent patch which changed the security context of group policy processing, Microsoft themselves said you need to add both Authenticated Users and Domain Computers to the read permissions on the GPO. This of course is false, as Authenticated Users covers both bases. In general, Authenticated Users should always be given read permission to all GPOs (not to be confused with the "apply group policy" security permission). It was merely a lucky coincidence that I became sufficiently annoyed at this not being the case at my company and ran a script against all ~3600 GPOs just a few months before the patch was released.

# Sep 29, 2016 18:16

FISHMANPET posted: I thought the issue was that after the patch computers couldn't read the GPO because "Authenticated Users" wasn't in the access list, and the solution was to make sure Authenticated Users could read every GPO so the computers could actually read and apply them.

That's correct. It's Microsoft's own suggested fix stating that you also needed Domain Computers to be given access as well, which means at least one person there doesn't know that Domain Computers is included within Authenticated Users, or at the very least they don't understand the distinction between security filtering and security rights. Just saying people shouldn't feel too bad about being confused by the terminology, since even people at MS sometimes get things mixed up.

"• If you are using security filtering, add the Domain Computers group with read permission." https://support.microsoft.com/en-us/kb/3163622

# Sep 29, 2016 18:38

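The audit the two posts above describe, written out as an added PowerShell example (my own code, not the thread's script and not Microsoft's KB text): walk every domain in the forest, check whether Authenticated Users can at least read each GPO, and grant GpoRead where it is missing. It deliberately leaves "Apply group policy" alone, since that is the permission security filtering controls, and it does not add Domain Computers, because Authenticated Users already contains computer accounts. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed and the caller may modify GPO security; the function name Repair-GpoReadPermission and the -ReportOnly switch are my own.

```powershell
# Added example, not the thread's script: grant Authenticated Users read on any GPO
# in the forest that lacks it. Assumes RSAT GroupPolicy + ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Repair-GpoReadPermission {
    [CmdletBinding()]
    param(
        # Hypothetical switch: list offenders without changing any ACL.
        [switch]$ReportOnly
    )
    $trustee = 'Authenticated Users'
    # Each of these levels includes read; GpoApply is what security filtering grants.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($domain in (Get-ADForest).Domains) {
        foreach ($gpo in Get-GPO -All -Domain $domain) {
            # Get-GPPermission raises a non-terminating error when the trustee is not
            # on the ACL at all; silence it and treat $null as "no permission".
            $perm = Get-GPPermission -Guid $gpo.Id -DomainName $domain -TargetName $trustee `
                        -TargetType Group -ErrorAction SilentlyContinue
            $level = if ($perm) { [string]$perm.Permission } else { 'None' }

            if ($level -in $readLevels) { continue }

            if ($level -eq 'GpoCustom') {
                # A custom ACE may or may not include read; flag it for manual review
                # rather than layering another ACE on top of it.
                $state = 'CUSTOM-REVIEW'
            } elseif ($ReportOnly) {
                $state = 'MISSING'
            } else {
                Set-GPPermission -Guid $gpo.Id -DomainName $domain -TargetName $trustee `
                    -TargetType Group -PermissionLevel GpoRead | Out-Null
                $state = 'FIXED'
            }

            [pscustomobject]@{
                Domain = $domain
                Gpo    = $gpo.DisplayName
                Id     = $gpo.Id
                Was    = $level
                State  = $state
            }
        }
    }
}

# Dry run first, then apply once the list looks right.
Repair-GpoReadPermission -ReportOnly | Format-Table -AutoSize
# Repair-GpoReadPermission | Format-Table -AutoSize
```

Run it once with -ReportOnly and keep the output as the change record; the only GPOs left untouched after a real run are those flagged CUSTOM-REVIEW, which somebody has to open in GPMC and inspect by hand.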
Not sure this is happening here because I don't know what is being done on the server to verify the policies, but if you run-as under an account which has logged in interactively in the past, it will process policies from the time of last interactive logon and not update them.

# Oct 12, 2016 19:48

Internet Explorer posted: That's odd. I don't think I've ever seen a single bad GPO cause GPOs to stop processing.

Well... unless it's the 1000th GPO to be applied.

# Oct 14, 2016 04:42

Orcs and Ostriches posted: ....... And if the 40GB hard drives on these 13 year old pieces of poo poo .......

Extrapolating from the above, I'm thinking normal IT logic and workflows might not apply to his situation.

# Feb 27, 2017 19:53

LAPS (or BeyondTrust Password Safe if you are a masochist) is the proper solution, because you can give the password out or even leave it written on a Post-it and it soon won't matter. If all you want is the old group policy preferences but with a secure password, you can grab a copy of WinBatch and create an exe to run as a startup script.

# Feb 27, 2017 20:08

Wrath of the Bitch King posted: I've heard a few times about the Group Policy Preferences method of creating a user account on a system being dangerous (because of the SYSVOL problem), but is this easily demonstrated? Or would it only be able to be accomplished by an InfoSec guy who knows exactly what they're doing to find that info?

It's encrypted in the policies location in SYSVOL but with a single well-known key. No normal user is going to stumble upon it, but a tech-savvy person with time to spare will find it and grab it. FWIW the GP prefs setting of the password is locked out at the client level, so if you get a fresh install of Windows 7 with RSAT and don't run updates, you can still use it. It will remain configured and actively push the password out. You just can't edit it with an updated computer.

# Feb 27, 2017 20:29

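The clean-up check a defender wants after reading the above, as an added PowerShell example (mine, not the thread's or Microsoft's code): list the Group Policy Preference XML files in SYSVOL that still carry a non-empty cpassword attribute, so the preference items can be deleted from their GPOs and the passwords of the affected accounts rotated. It reports the file, scope and GPO GUID only; it never prints or decodes the value. It assumes the current user's domain (taken from USERDNSDOMAIN) and read access to SYSVOL. The function name Find-GppCredential and the default file list are mine; the list covers the preference item types that can store a password.

```powershell
# Added example, not the thread's code: report GPP XML files in SYSVOL that still
# contain a cpassword value. Assumes read access to \\<domain>\SYSVOL.
function Find-GppCredential {
    [CmdletBinding()]
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        # Preference types that can carry a stored password (constructed default list).
        [string[]]$FileNames = @('Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
                                 'DataSources.xml', 'Drives.xml', 'Printers.xml')
    )
    $policies = "\\$Domain\SYSVOL\$Domain\Policies"

    Get-ChildItem -Path $policies -Recurse -Include $FileNames -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $raw = Get-Content -Path $_.FullName -Raw
            # Only a non-empty cpassword means a credential is present; an empty
            # attribute (cpassword="") is left behind by a cleared item and is harmless.
            if ($raw -match 'cpassword="([^"]+)"') {
                # The GPO GUID is the first {...} folder under Policies; it matches Get-GPO's Id.
                $guid = if ($_.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { $null }
                [pscustomobject]@{
                    Gpo      = $guid
                    Scope    = if ($_.FullName -match '\\Machine\\') { 'Computer' } else { 'User' }
                    Item     = $_.BaseName
                    File     = $_.FullName
                    Modified = $_.LastWriteTime
                }
            }
        }
}

# Review the list, then remove each flagged item in GPMC and rotate that account's password.
Find-GppCredential | Sort-Object Gpo | Format-Table -AutoSize
```

Removing the preference item through GPMC is what actually clears the XML; deleting the file by hand out of SYSVOL leaves the GPO's version counter out of step and invites replication trouble, and neither step helps unless the password stored in it is also changed.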
I've used SCCM at the last few places I've been. When properly configured, users can either have software silently pushed based on custom queries or they can open a menu and select it.

# Apr 6, 2017 16:56

Yeah, "properly configured" isn't usually the state in which I find it, not to make it sound impossible to set up. It's just that many admins try to use it like an old version of Altiris and manually feed it computer names for software targeting, not aware how flexible it can be.

# Apr 6, 2017 17:07

The fact that security updates will stop if you don't at least deploy every other build should get you a bit of a foothold.

# Apr 17, 2017 20:43

Looks like it's available in my LTSB 2016 VM.

# Jul 25, 2017 21:37

devmd01 posted: Reboot all of my domain controllers on a Thursday night because of a Server 2016 2018-01 patch revision, sure why not!

I suppose at least domain controllers are some of the easiest things to reboot, as long as they are staggered a bit.

# Jan 26, 2018 04:36

We are currently roadblocked because we need to hybrid join and that seems to only work well if the system is built on site. Supposedly we should be able to build offsite with a cert/policy bundle in the near future but for some reason that feature isn’t available yet. 120k seats fwiw but we are still in early poc.

# Feb 14, 2019 14:46

Is it access denied just for accessing the share or is the issue specifically when trying to create a new file/folder? Also, does it work when reading a file by exact path instead of browsing to it? I don’t work on file servers much these days but vaguely recall there being rights missing for reading extended attributes and for listing folder contents, respectively for the above.

# Feb 16, 2019 01:38

Assuming the intention is for all folders to have the same permissions, you might just reset all access rights down the structure in case there are lingering user-specific denies.

# Feb 16, 2019 16:28

snackcakes posted: Unless there's something I deeply do not understand about permissions I don't see how it could be a permissions issue if it works by IP but not DNS name. If it was permissions wouldn't it not work either way?

I’m having trouble finding the TechNet thread, but there was a bug which involved rights for something which is usually enabled but if not can cause these issues, though in that case the user was just unable to write when accessing via host name. Fairly sure the right was “read extended attributes”. I know you said offline files were disabled, but if this is isolated to a handful of computers it couldn’t hurt to reset the cache just in case. https://www.technlg.net/windows/delete-offline-files-cache-windows-7/

# Feb 16, 2019 16:57

Terminal servers can be published behind web access gateways and IMO that is the only somewhat secure way of allowing access to company resources from an unmanaged personal computer.

# Apr 5, 2019 15:02

You should be good. DNS and DHCP are in their own other sections so that should be fine. Even if you messed around with the site subnets you would just have a possibility of some workstations getting confused which site they are in and then having some performance issues. Of course if you broke replication, which it doesn’t sound like you did, you could have some DNS records in the integrated zone not propagate, but that’s it.

# May 11, 2019 02:46

There are lots of different ways of doing GPOs and most of them have some merit. Your GPO design is mostly defined by your OU layout, so if that is already set in stone you have to work within those confines.

As someone who does all the group policy for physical and virtual workstations in a megacorp, the best advice I can give you is to leverage the additive nature of group policy. So try to avoid creating 10 base config GPOs for 10 different business units or locations or whatever which are 95% the same. Instead apply the common setting at a higher level or use multiple links. When I came to this place, one change to the common config of everything would mean changing more than 50 GPOs and all the change documentation which goes with an enterprise-wide change. Now it’s one edit for most things.

As far as separating GPOs into separate functions, it’s not needed in most cases, but if it is there is a specific way to do it. Most people get this part wrong. Changes to a GPO trigger reprocessing on other similar-function GPOs, but this is dictated by Client Side Extensions. Way too much to post here, but if you go that route look up CSE optimization.

Also, avoid loopback processing if you don’t hate future you. Enabling loopback processing enables it for every other GPO that computer processes. There are specific additional precedence rules for these. Just don’t, and if you have to then spend a good day researching the long-term implications so you don’t screw yourself.

# Jul 13, 2019 15:56

klosterdev posted: some of it became waaay simpler when I learned about item-level targeting. (can do stuff cleanly like have all our drive mapping by security group in the same GPO)

ILT is great. There are a handful of things I do with a registry preference using ILT and “remove when no longer applied” instead of admin templates so I can manage exceptions without tons of extra GPOs. A good place to find how to convert those is https://getadmx.com. It can go too far though. Depending on the size of your org, all the drive mappings might be too much and result in super long logon times. Printer mappings are even worse if you do those. I’d just try to keep it at less than 100 or so mappings if you can. If you get into the 1000s, that’s when the real pain starts.

# Jul 18, 2019 13:50

For all I know you could be talking about me. I put more effort into talking people out of GPO additions than I do almost anything else. Part of the reason for that is I am the only person in corporate IT who really does GPOs at this point in a company with about 100k workstations. The other reason is we will be going to autopilot and modern management in the future and I’d rather not hate life when I do that.

# Jul 21, 2019 02:07

Just a reminder: if you enable loopback processing it affects all GPOs and not just the one with the loopback setting.

# Dec 27, 2019 16:12

Or just a group policy scheduled task to give them a popup every hour or something. Can either WMI filter the GPO or toss it in an existing GPO and use ILT on the task preference.

# Jan 19, 2020 13:51

Internet Explorer posted: Also don't forget about item level targeting on preference GPOs.

This. Also you can use info from Getadmx.com to convert almost any policy setting to a registry preference. We have over 100k workstations across only 6 OUs and stuff like this always comes in handy.

# Mar 12, 2020 06:08

Even then, KMS generally only needs about 2 check-ins per year. Machine key changes are client side driven and won't happen until the next domain connection after the expiration. This just sounds like a very aggressive account purge script and if that's the case, it should be suspended.

# Apr 11, 2020 05:58

Just taking stabs because I've stood up a few KMS hosts before. I have never used the GUI for it because it makes me uneasy, mostly because it gives vibes of starting over from scratch each time. I usually just use the various slmgr commands from an elevated command prompt. If the key types are messing you up, make sure you attempt to register the CSVLK on the host and the GVLK on the clients. Also keep in mind you need a fairly new OS version on the host if you are activating Server 2022 keys. For the MS Office products which still use keys, those usually need a small support pack installed.

# Mar 26, 2024 22:43

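To see what the slmgr steps above actually produced on a host or client, here is an added PowerShell example (my own code, not the thread's): it reads the SoftwareLicensingProduct CIM class that slmgr.vbs itself queries, keeps only products that have a key installed, and translates the numeric license status. The slmgr commands in the comments are the host and client steps referred to in the post; the key values and the KMS host name are placeholders, and the function name Get-KmsActivationState is mine. It assumes an elevated session with CIM access to the target machine.

```powershell
# Added example, not the thread's code. The slmgr sequence the post refers to
# (placeholders in angle brackets; GVLKs for each edition are published by Microsoft):
#   Host:   cscript //nologo C:\Windows\System32\slmgr.vbs /ipk <CSVLK-placeholder>
#           cscript //nologo C:\Windows\System32\slmgr.vbs /ato
#   Client: cscript //nologo C:\Windows\System32\slmgr.vbs /ipk <GVLK-placeholder>
#           cscript //nologo C:\Windows\System32\slmgr.vbs /skms kms.example.internal:1688
#           cscript //nologo C:\Windows\System32\slmgr.vbs /ato
#           cscript //nologo C:\Windows\System32\slmgr.vbs /dlv
# What follows reads the same licensing data /dlv reports, but as objects.
function Get-KmsActivationState {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    # LicenseStatus codes documented for the SoftwareLicensingProduct class.
    $status = @{
        0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace'
        4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace'
    }

    # Only entries with a partial key are real installed products; the rest are
    # the unused edition templates that make raw slmgr /dlv-all output so noisy.
    Get-CimInstance -ComputerName $ComputerName -ClassName SoftwareLicensingProduct `
                    -Filter 'PartialProductKey IS NOT NULL' |
        ForEach-Object {
            [pscustomobject]@{
                Product      = $_.Name
                # Volume:GVLK on a client, Volume:CSVLK on the host itself.
                Channel      = $_.ProductKeyChannel
                Status       = $status[[int]$_.LicenseStatus]
                # /skms value if set; otherwise the DNS SRV record result is in Discovered.
                KmsHost      = $_.KeyManagementServiceMachine
                Discovered   = $_.DiscoveredKeyManagementServiceMachineName
                GraceMinutes = $_.GracePeriodRemaining
            }
        }
}

Get-KmsActivationState | Format-Table -AutoSize
```

A client that shows Channel Volume:GVLK with an empty KmsHost and an empty Discovered has not found the host at all, which is a DNS SRV problem rather than a key problem; one that shows a host but stays in Notification usually has the wrong key family (CSVLK and GVLK swapped, exactly the mix-up the post warns about).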
Number19 posted: They are also great and I wish I could get more people to take them.

I use them for all my daily and admin accounts and it's so much easier to use. I still prefer to use my fingerprint with Hello for Business to sign into my devices, but the Yubikey is amazing for privileged accounts, especially when sessions constantly glitch out and need a new sign-in like the last couple of weeks.

# Mar 27, 2024 22:37