Is there a way to rename DHCP reservations without using the GUI? I see netsh commands to change the name or description on a scope, but there's nothing about individual reservations other than showing, adding, and deleting that I have been able to pull up.

Edit: I would prefer to avoid having to delete and recreate the reservations if possible, and since it can be done on a live reservation in the GUI, presumably there's a command line option somewhere.

# Jul 2, 2013 21:00

# May 14, 2024 12:10

GPF posted:
> You're going to have to delete then recreate if you're doing it command line. Here's how I do it in PowerShell:

Yup, usually do exactly that to add reservations - I was just hoping there was a way to specifically modify those fields to avoid any disruption if something goes wrong. I guess this is just a rare case of something that can be done from the GUI, but not command line.

By the way, if you are using that script to remove then add back a reservation, it wouldn't hurt to put the reservation IP on the exclusion list before deletion, then remove it from the exclusion list once the new reservation is up.

# Jul 3, 2013 18:44

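The remove-and-re-add cycle with the exclusion-range guard described in the reply above, as an added example (GPF's script is not on the page and this is not it); it uses the DhcpServer module cmdlets, and the server name, address and new name/description are placeholders.

```powershell
# Added example, not code from the original thread. Renames a DHCP reservation
# by removing and re-adding it, with the address parked in an exclusion range
# in between so the scope cannot lease it to another client during the gap.
# Assumes the DhcpServer PowerShell module (Server 2012+/RSAT) and rights on
# the DHCP server; the server, address and new values are placeholders.
param(
    [string]$DhcpServer     = 'dhcp01.example.local',  # placeholder
    [string]$IPAddress      = '10.0.1.50',             # placeholder
    [string]$NewName        = 'mfp-floor2',            # placeholder
    [string]$NewDescription = 'Floor 2 copier'         # placeholder
)
Import-Module DhcpServer -ErrorAction Stop

# Capture the existing reservation so everything except the renamed fields
# is re-added exactly as it was.
$old   = Get-DhcpServerv4Reservation -ComputerName $DhcpServer -IPAddress $IPAddress -ErrorAction Stop
$scope = $old.ScopeId
$range = @{ ComputerName = $DhcpServer; ScopeId = $scope; StartRange = $IPAddress; EndRange = $IPAddress }

# 1. Park the address: a single-address exclusion range is enough.
Add-DhcpServerv4ExclusionRange @range -ErrorAction Stop
try {
    # 2. Drop the old reservation, 3. re-add it with the new name/description.
    Remove-DhcpServerv4Reservation -ComputerName $DhcpServer -IPAddress $IPAddress -ErrorAction Stop
    Add-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $scope -IPAddress $IPAddress `
        -ClientId $old.ClientId -Type $old.Type -Name $NewName -Description $NewDescription -ErrorAction Stop
}
catch {
    # Leave the exclusion in place on failure: better an unusable address than
    # the same IP handed to a different client while someone investigates.
    throw "Re-creating the reservation for $IPAddress failed; exclusion range left in place. $_"
}

# 4. Confirm the reservation is back with the same client ID before unparking.
$new = Get-DhcpServerv4Reservation -ComputerName $DhcpServer -IPAddress $IPAddress -ErrorAction Stop
if ($new.ClientId -ne $old.ClientId -or $new.Name -ne $NewName) {
    throw "Reservation for $IPAddress did not come back as expected; exclusion range left in place."
}
Remove-DhcpServerv4ExclusionRange @range -ErrorAction Stop
$new | Format-List IPAddress, ClientId, Name, Description, Type
```

Later versions of the same module also ship Set-DhcpServerv4Reservation, which takes -Name and -Description and changes them in place without the delete/re-add cycle.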
devmd01 posted:
> How do people handle granting temporary local admin for people like developers and such who occasionally need to install software for their job, but don't need admin all the time?

Create a new account with local admin privileges specific to that machine and give it an expiration date. If a user needs local admin, they can generally figure out Run as...

VVV Yeah, it's really not a great idea to give them local admin for a little while, the damage can be done quickly. Either they're authorized and they should have it all the time (still good to do it on a separate account), or you should be installing for them. But if your company's policy is temporary local admin, an expiring account should be sufficiently fire and forget VVV

AreWeDrunkYet fucked around with this message at 19:56 on Jul 29, 2013

# Jul 29, 2013 15:39

I have had no luck with Google: how do you run clispy (the System Center 2012 Configuration Manager Client Software Distribution Troubleshooting Tool) from the command line and save the output to a text file? I want to feed it a list of computer names without having to go through the GUI and manually save the log for each one.

# Sep 17, 2013 17:38

The SCCM server I am working with doesn't have PS 3.0 installed (and unfortunately doing anything about that isn't an option), but I have other machines available that do. Is there any way for me to use Add-CMDeviceCollectionDirectMembershipRule to add devices to a collection? I am thinking that Invoke-Command on the server might do the trick, but I haven't found any documentation on that and would be interested to know if that could cause any problems before messing around.

# Jan 14, 2014 21:39

kiwid posted:
> My boss wants me to update every user in Active Directory with their address and phone numbers (approx 300 users). We have all the address and phone number information in CSV format. What is the best way to import this information into Active Directory?

For one-off things, I usually just do it in Excel rather than scripting. Have a list of user names in one column, the addresses in a second column, and make the third column something like code:

AreWeDrunkYet fucked around with this message at 11:03 on Mar 24, 2014

# Mar 24, 2014 02:34

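The same bulk update done directly in PowerShell rather than by building commands in an Excel column, as an added example that is not the poster's own script: Import-Csv feeds Set-ADUser, with a dry run by default. It assumes the ActiveDirectory module and a CSV whose columns are SamAccountName, StreetAddress, City, State, PostalCode and OfficePhone (assumed names); the path is a placeholder.

```powershell
# Added example, not the original poster's method. Bulk-sets address and phone
# attributes from a CSV with Import-Csv + Set-ADUser. Nothing is written unless
# -Commit is given; the default run is a -WhatIf pass so the row-to-account
# matching can be checked first. Assumes the ActiveDirectory module and a CSV
# with the (assumed) header SamAccountName,StreetAddress,City,State,PostalCode,OfficePhone.
param(
    [string]$CsvPath = '.\users.csv',   # placeholder path
    [switch]$Commit
)
Import-Module ActiveDirectory -ErrorAction Stop

# CSV column -> Set-ADUser parameter; the names match one-to-one.
$columns = 'StreetAddress', 'City', 'State', 'PostalCode', 'OfficePhone'
$summary = [ordered]@{ Updated = 0; Missing = 0; Skipped = 0 }

foreach ($row in Import-Csv -Path $CsvPath) {
    $sam = "$($row.SamAccountName)".Trim()
    if (-not $sam) { $summary.Skipped++; continue }

    # Resolve each row to exactly one account before changing anything.
    try   { $user = Get-ADUser -Identity $sam -ErrorAction Stop }
    catch { Write-Warning "No AD user for '$sam'"; $summary.Missing++; continue }

    # Pass only non-blank cells, so an empty cell never clears an existing value.
    $attrs = @{}
    foreach ($name in $columns) {
        $value = "$($row.$name)".Trim()
        if ($value) { $attrs[$name] = $value }
    }
    if ($attrs.Count -eq 0) { $summary.Skipped++; continue }

    # Splat the attributes; -WhatIf stays on unless -Commit was passed.
    Set-ADUser -Identity $user -WhatIf:(-not $Commit) @attrs
    $summary.Updated++
}
[pscustomobject]$summary
```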
Excel + PowerShell will pretty much completely replace any interaction you might have with ADUC, and you don't have to learn any new software. Those third party replacements can't do anything you couldn't do with PS anyway, and Excel is unmatched for most reporting functions.

# Jun 10, 2014 17:14

Dr. Arbitrary posted:
> This is pretty dumb.

Just a heads up, all the cool kids use MMC with the AD Users and Computers snap-in turned on.

# Jun 13, 2014 12:39

Hadlock posted:
> 10 has better device lock down features, but yeah from a nuts and bolts standpoint, win 8.1 and win 10 are very similar. So there's little incentive to upgrade due to software. Plus it's 7 years to end of extended support still. Probably in three or four years the vnext/win10 ecosystem will be stable enough to think about converting over to for large corporations. Our company just brought on some contractors to smooth over the conversion to win 10 but the early adopter trial isn't scheduled to start for at least another year. And we're barely 2,000 employees. Probably 65% of employees are running Windows 7 enterprise still.

I suspect Win 10 is going to have higher early uptake than previous upgrades. The OSD process is getting more reliable to automate deployments, and VSM is enough of a reason alone for most organizations to take the plunge.

# Nov 11, 2015 23:05

mobby_6kl posted:
> I used to use Excel LDAP Search to run some queries against a list of users and get a nice spreadsheet with their phone/address and other information. However this no longer works with the new/64 bit Excel. I tried to install 2010 in parallel but the plug-in fails to load anyway.

PowerShell will do all of this, but why not just install 32-bit Office? No real downsides unless you deal with enormous spreadsheets, and more plugins will work.

# Feb 2, 2016 04:01

CLAM DOWN posted:
> Not security filtering, Delegation tab under the GPO settings in the GP Management snap-in, you go to Delegation, add the user/group you care about, select the user/group you just delegated to/added to the list, hit advanced, then deny read access to that GPO.

Deny Read will do the job, but I personally prefer Deny Apply. But yeah, the better way is to create a sub-OU and overwrite the setting there. Unless you're messing with precedence manually, that will apply last. This way you also don't have to change any production GPOs that are touching the bulk of your users.

e: And it will be plainly obvious to the next admin that looks at it, unlike some special delegation group that may get entirely overlooked.

# Feb 23, 2016 02:33

NevergirlsOFFICIAL posted:
> Yeah this is the main thing. If you make a different OU and exclude it from the GPO it'll get a nice big blue exclamation mark so you know it's not inheriting policies.

You don't need to do this. Just being in a sub-OU will give the setting applied at that level precedence. If you block inheritance, you then have to recreate all your other domain settings in that OU.

e: Though clearly this issue has gone in a different direction, the fundamentals are still sound if it comes back to a GPO.

# Feb 24, 2016 02:24

peak debt posted:
> That is like the worst advice. Windows 10 is deep in beta state right now, I'd never roll that out in the Enterprise. Either stay on Windows 7 or if you need the new features, roll out Windows 8.1

Microsoft is serious about Win10 support. Most of the initial quirks have been dealt with since release 1511, and they'll go out of their way to help you if you can identify a legitimate issue and open a case.

Honestly though, the OS doesn't matter. Getting Win10 running is easy, but basically pointless unless you can also get UEFI running across the board. If you can get Win8.1 working, in most cases you can in-place upgrade and/or swap out the wim in your task sequences with minimal additional effort. But getting firmware settings right across non-consistent hardware, ughh, and none of the Win10 security features are worth a drat without.

Calidus posted:
> Our book keeper quit last week and the new one starts next week. All the various (STUPID) banking and vendor websites require custom internet security settings and cookies. Is it possible to change the name and sign-in information on a user account and keep all those settings on the Windows machine? If I rename the account using Active Directory, can I just rename the user folder on the Windows workstation?

The cookies may be a hassle, but you can easily migrate most IE settings by exporting

- HKLM\Software\Microsoft\Internet Explorer
- HKLM\Software\Policies\Microsoft\Internet Explorer
- HKCU\Software\Microsoft\Internet Explorer
- HKCU\Software\Policies\Microsoft\Internet Explorer

and re-importing them into a new profile. As others have said though, the correct long-term approach is documenting the settings and getting them into GPO or DCM or something.

AreWeDrunkYet fucked around with this message at 16:00 on Mar 12, 2016

# Mar 12, 2016 15:54

Tab8715 posted:
> Ah hah.

The ones I've seen have mostly been PowerShell and SCCM user groups, but they tend to come back to general Microsoft technologies.

# Mar 28, 2016 18:47

peak debt posted:
> We opened a case regarding how to roam the Windows 10 start menu buttons with AppSense or UE-V and Microsoft's literal answer was: "We don't know either where the start menu settings are saved"

Get your TAM to escalate up the engineering chain. Unless you get lucky, the front-line guys are useless except for giving you instructions to gather diagnostics.

# Mar 28, 2016 23:59

Most things SharePoint does, other products do better. What's your goal? That may be a better starting point.

# Apr 8, 2016 01:02

Tab8715 posted:
> Also, anyone have any tips or tricks for going through Event Viewer? I'm usually just scrolling through until I find something useful but I'm curious if anyone could point me towards something solid.

PowerShell helps:

```powershell
Get-WinEvent -LogName log | Where-Object -FilterScript { whatever }
Get-EventLog -LogName log | Where-Object -FilterScript { whatever }
```

AreWeDrunkYet fucked around with this message at 18:53 on May 7, 2016

# May 7, 2016 18:50

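One step past piping a whole log through Where-Object, as an added example that is not from the post above: filtering on the server side with -FilterHashtable (much faster on large logs) and reading named EventData fields out of the event XML instead of positional message properties. It uses the standard Security event 4625 (failed logon) and assumes an elevated session on the hosts named in -ComputerName.

```powershell
# Added example, not from the original thread. Pulls failed logons (Security
# event 4625) from the last N hours with a server-side FilterHashtable and
# groups them by target account and source workstation. Assumes an elevated
# session with rights to read the Security log on each host listed.
param(
    [int]$Hours = 24,
    [string[]]$ComputerName = @('localhost')
)

$filter = @{
    LogName   = 'Security'
    Id        = 4625                          # an account failed to log on
    StartTime = (Get-Date).AddHours(-$Hours)
}

$results = foreach ($c in $ComputerName) {
    # SilentlyContinue: Get-WinEvent raises an error when nothing matches.
    $events = Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Properties[] offsets change between event versions; the XML rendering
        # carries each EventData field under its name, so read those instead.
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Server      = $c
            Time        = $e.TimeCreated
            Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Workstation = $data.WorkstationName
            SourceIp    = $data.IpAddress
            SubStatus   = $data.SubStatus      # 0xC000006A bad password, 0xC0000064 no such user, etc.
        }
    }
}

# Top offenders by account + workstation; a long tail of single failures is
# normal, a handful of pairs with large counts is what to look at.
$results | Group-Object Account, Workstation |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```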
Starkk posted:
> So I'm on the help desk at a large company. We are rolling out Windows 10 upgrades soon to about ~800 computers at our headquarters (prob another 10,000+ at our branches). The problem is the in place upgrade that was created does not install the video driver for any computer that has Intel HD graphics as the Windows 7 driver is not compatible with Windows 10 so the only thing that is installed on computers using the upgrade is the basic windows video adapter. The guy who built the in place upgrade is perfectly fine letting this stand since he isn't the one who is going to have to manually install updated video drivers to all the computers that are affected. The question I have is, is there a way to have the task sequence check which Intel graphics chipset is in the computer and then install the corresponding driver?

That is very doable and your engineers are just being lazy. Your best bet is probably to query how many systems would be affected, estimate the time the help desk would need to spend on each one, and have your management escalate the issue to the department that's designing the task sequence with data in hand.

# Mar 7, 2017 05:22

redeyes posted:
> Generally after the first boot Windows would install the correct video drivers via Windows update.. unless you have that blocked with group policy.

Surely you're running Windows patches through validation then rolling them on your schedule rather than just having users hit Windows update. Give them the option, sure, but letting Windows patch itself is going to break something critical sooner or later.

# Mar 7, 2017 16:31

PUBLIC TOILET posted:
> Had a Microsoft Sales Rep meeting not long ago (prior to the release of Creators Update.) One of the issues I raised was the need to constantly monitor, modify and upgrade the organization's Group Policy system every time a major Windows 10 update comes out. I had asked what Microsoft's plans were to address this or at least make it more seamless/sensible. All I received in return were some shrugs, a response of "I'll ask our engineers", followed by no actual answers. My opinion? If you're in an organization that relies heavily on Group Policy for managing Windows, you might as well hire a person dedicated solely to managing it (even if Microsoft does recommend using Provisioning instead of Group Policy.)

As far as Microsoft is concerned, I think group policy is dead. Their vision is a generic OS with application and security settings handled by Intune. But yeah, the same registry settings do different things from one update to the other. It can be maddening. And there isn't clear visibility and documentation to the same extent there was in Windows 7, but that may just be a matter of maturity.

# Apr 13, 2017 18:07

Sickening posted:
> Umm what? This seems like a really bizarre statement to make. Isn't it more likely that teams are not talking to each other effectively and updates are causing group policy bugs and less likely that Microsoft is abandoning group policy?

Just the impression I've been getting lately from what the sales engineers are focusing on, I don't think it's an official position or anything. But if they're redirecting resources to the point that they're not maintaining the product it's effectively the same thing.

# Apr 13, 2017 19:03

nexxai posted:
> Seriously. The fact that they keep releasing these patches after the OS has been EOLd only legitimizes the C-levels who think that replacing "perfectly good computers" is a waste of money.

Just disable the boot partition on any remaining XP/2003 machines. When they don't come up next restart, simple answer is "Oh, must be some virus thing - did you know that XP is no longer supported? Let's just rebuild them with 10/2016R2!" Because surely you don't have any critical systems running on those platforms.

# Jun 13, 2017 23:23

devmd01 posted:
> Question about delegated rights: a predecessor granted domain users read delegation to the primary OU where users were located. I'm trying to think of why this could be a bad idea and I'm coming up short. I discovered it after we migrated users to a new OU and it broke some applications, because the service accounts needed read delegation to work. I'd rather go least privileged and put the appropriate service accounts in a security group that has read delegation to the new OU, instead of granting to domain users. Any thoughts?

There's not a lot of downside to read rights across the board, with the exception that now anyone can spin up a job that could peg your DCs.

# Jul 18, 2017 13:58

Boywhiz88 posted:
> I think this is the best place for this post after checking the first few pages of SH/SC.

Backups are probably best just done as a service assuming they don't have weird bandwidth limitations, and they should check out if whatever software that is can be hosted by the vendor.

# Nov 4, 2017 18:03

Is there a go-to book to get familiar with (on-prem) AD infrastructure concepts top to bottom for someone who has administered pieces of an AD environment? Preferably something that gets the ideas across effectively rather than one designed to help pass a test.

# Jan 23, 2019 20:54

skipdogg posted:
> The "Cat book" is basically the AD Bible and covers all the moving pieces.

Thanks!

# Jan 23, 2019 22:21

GreenNight posted:
> Everyone in the company I work for are all local admins. Shrug.

There's a big difference between everyone being an admin on their workstation (not best practice under most circumstances, but not the end of the world and the risk is manageable) and Domain Users having admin to every workstation (aww hell no).

# Jan 31, 2019 15:24

orange sky posted:
> I actually posted this in the IT thread because I thought regshot was talked about there, but it was here after all.

Looks like a command line interface for regshot is a years-old feature request.

# Feb 7, 2019 07:28

The computer account needs to have read rights now, but you can still do security filtering by setting read/apply delegation to a group of users and just plain read to authenticated users. Assuming this is a user-side policy.

# Oct 25, 2019 16:23

Since when can't you deploy scheduled tasks with GPO? But even if not, you can create them with PowerShell without going to a third party tool (Register-ScheduledTask). Above posters are right that it's not the best approach for rebooting systems that aren't always online though, reboot preferences around updates work better there.

# Feb 2, 2022 21:14

Have you tried disabling this setting?

https://learn.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp (UsePassportForWork)

Windows may still prompt for local Hello, but that can be disabled from here:

https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock (DevicePasswordEnabled, PreventEnablingLockScreenCamera)

But also why would you disable WHFB?

# Oct 24, 2023 06:43

Hughmoris posted:
> I'm a data guy trying to learn AD DS from zero, for a new gig. For practice, I've used VirtualBox to spin up a DC and a Win10 workstation. I then set up DNS and NAT and have the basics working together.

If you have options, you might want to reconsider this gig. All of these workflows are things a reasonable enterprise has abstracted off AD. To answer the question directly, yes you can do it. GPO or a logon script for the bonus. None of that should be happening except the user account creation automated off your IDP though.

# Dec 23, 2023 02:09

Hughmoris posted:
> Thanks for the insight. At the moment, other options involve a smaller paycheck. So for now... AD #1! AD #1!

Pretty much. If you're building a new environment Entra (or a non-Microsoft IDP that easily wires into Entra) is the cleanest path for user account management in an M365 environment that gives you all of the other user services including file shares. Assuming no legacy app integration this all wires into on-prem AD pretty easily, but chances are the reason this org is asking these questions is legacy app integration.

# Dec 23, 2023 02:17

Hughmoris posted:
> Hmm. I have an M365 Developer sandbox. Might see if I can figure out how to sync it with my homelab AD DC, as another exercise. Thanks!

https://learn.microsoft.com/en-us/entra/identity/devices/hybrid-join-plan

# Dec 23, 2023 02:27

At least Okta and Ping are fine; until you start adding complexity, basically any IDP that does SAML will work with Entra. Old but still mostly relevant I think: https://www.microsoft.com/en-us/download/details.aspx?id=56843

# Jan 5, 2024 13:18

A company has an agreement with an OEM to register devices to Autopilot in Intune, then purchases a device with that SKU for a remote user. OEM ships to the remote user (at this point you can pretend with your manually registered VM), user goes through OOBE and ends up on the desktop on a managed device. If the user is only using an AAD logon, that's kind of it.

Some additional things to play with:
- Apps and profiles with the enrollment status page if they have to be there before the user logs on
- Hybrid domain join and always on VPN for the first time logon
- Using Graph API to register existing managed devices

AreWeDrunkYet fucked around with this message at 03:32 on Jan 12, 2024

# Jan 12, 2024 03:27

The net effect is very cool, you can cut out a lot of cross-shipping of devices for distributed employees. It's just mostly a black box experience so there's not all that much to code or configure if you already have the MDM infrastructure.

# Jan 12, 2024 04:54

Hughmoris posted:
> This is an overly broad question but do you all feel there is money to be made specializing in Intune + Autopilot, or are you looking for the door?

The relevant job listing search string is probably "end user computing", but that's rarely broken out except at large enterprises and compensation is typically going to lag behind other systems specializations.

# Jan 13, 2024 01:44