We are looking to deploy an Active Directory domain with an Identity Management system to replace an older database system. We would like to have input from other educational institutions on AD deployments they have done, what IDM they have used, and any reasons to stay away from any IDM solutions. If any institutions would like to share just general info with our AD/IDM committee, please contact me.
Deploying Active Directory with Identity Management in college/university.
IE10 Homepage Group Policy Server 2008 Quick Fix
So I've been trying to set the IE10 homepage through a group policy on our Server 2008 DCs with no luck.
I have tried this method which some people said worked
http:/
and changing the max to 11.0.0.0 or 10.5.0.0 with no luck.
Finally I came up with my own workaround and thought I'd share.
Create a GPO
Go to
User Configuration -> Preferences -> Windows Settings -> Registry
Right Click and Create a New -> Registry Item
Set the Following Properties
Action: Update
Hive: HKEY_CURRENT_USER
Key Path: Software\Microsoft\Internet Explorer\Main
Value name: Start Page
Value type: REG_SZ
Value data: YOUR WEBSITE URL
Worked for me instantly on the next login. Hope that works for everyone else!
Cheers.
AD Permission Delegation
Hi everyone
We are in the process of redesigning our OU structure. We had previously delegated permissions to the Help Desk to perform certain duties. I personally find this to be a very tedious process that is prone to people making mistakes.
Does anyone know of a good freeware program that is available to perform something like this? What about the ability to audit the permissions?
Thanks everyone
Aaron
Printer deployment issue via GPO
Hi folks,
A little bit of background on a few things before I get into it. Assume the following VMs; machines are all on the same domain, i.e. company.com
Client-Machines:
- Win7 Pro 64-bit
Domain Controllers (all with Group Policy Roles)
1) DC1.company.com (Win Server 2008)
2) DC2.company.com (Win Server 2008R2)
Issue:
New Printer deployments are not being pushed to client machines, and old printers which have been decommissioned/removed from "deployed printers" list are still being displayed to users.
What I've done so far:
I ran gpresult /r (with elevated privileges), and the computers are indeed obtaining group policies from either one of the domains listed above, with the most recent GPO being applied today. I've checked that GPOs are applied to correct OUs, and that the client machines are also part of the correct OUs.
I'm a bit stumped on this one. I may be overlooking something. Any help is greatly appreciated.
Some users having problems logging into roaming profile
When some of our students log into our lab computers, they are getting an error message that Windows could not locate their roaming profile and they are being logged in with a temporary profile.
I've noticed that the students who are able to log in successfully have two folders in the roaming profiles folder. One with their username and one with .v2 after their username. The students who are being logged in with a temporary profile do not have the .v2 profile folder.
We are running Active Directory on 2008 R2 servers. We have been upgrading our lab computers from XP to Windows 7. We have a handful of XP lab computers still to be updated.
What do I need to do to fix this issue? Thanks!
Which DFL to raise to
Hi,
I am adding an Additional domain controller with Windows Server STD 2008R2.
For this I need to raise my Domain Functional Level.
Currently I am in 2000 Mixed mode, and I have 2 options to raise to:
1) Windows 2000 Native
2) Windows Server 2003
So which should I select? I need to have the domain on 2008 servers, and then demote the old 2003 server by promoting the 2008 server and taking the FSMO roles of the old AD.
If I take the first option, can I still raise to further "Windows Server 2003", as this step is irreversible.
Please guide.
IMPOSSIBLE To Remove Error and Non-Existent Setting
Running RSoP gives me an error for an old setting (Internet Explorer Branding) which was removed the hard way via RSTAT on a machine with IE 8 still installed because the setting was in our Default Domain Policy and our domain's function level was raised to 2008. I also removed the entry via ADSI Edit (gPCUserExtensionNames) which was correlated from the error in the event log for Group Policy.
You can read about the details here: http:/
By some twist of fate only my machine has rid itself of the error but every other machine on my domain still has it (in RSoP Error Information).
So, does anyone have any suggestions on how to deal with this issue specifically, or some other way of determining where this information is living so it can be killed?
Thank you!
Edit: I am also curious why or how the Default Domain Policy GUID changed, as the error message is now referencing the old GUID... Could this be a culprit?
Hi, I want to "hide" the run cmd from the start menu but not disable win + R
Hi, I want to "hide" the run cmd from the start menu but not disable Win + R, as if we disable it we cannot run login batch files. Yes, I know group policy can now run drive mappings, but it takes forever to update on some computers, whereas a DC makes the batch files available pronto. Any thoughts?
I am looking for a Spiceworks thread or article about picking a domain suffix
We might be changing our Branding as well as our name. A year or so ago I saw a great article on SW about choosing your domain suffix. I wanted to be proactive and paste it in our open ticket so this does not get overlooked.
I searched high and low, but I cannot find it. Can anyone help me out? Easy BA if you can
IE 11 Server 2012 Disable Protected Mode GPO Not Working
Hi,
I recently setup a Server 2012 R2 domain with Windows 8.1 workstations running IE 11 and some (probably all) users are experiencing print preview and printing issues from IE 11. Essentially nothing shows up in either Print Preview or in the actual print out when the user goes to print a webpage.
I read up on it and it seems that it's an issue with Folder Redirection/Roaming Profiles and IE Protected Mode... With Protected Mode enabled, IE cannot write to the specific temp folder it requires in order to create Print Previews and printouts. It's recommended to disable Protected Mode under Security Settings for the Internet Zone, and after doing this on a few users profiles the issue was resolved.
I wish to implement a GPO so that I don't have to manually disable Protected Mode on all users profiles. I enabled the "Turn on Protected Mode" GP on my "Users GPO" under: User Config>Policies>Admin Templates>Windows Components>Internet Explorer>Internet Control Panel>Security Page>Internet Zone and selected the "Disabled" radio button. A day and several restarts later, I'm still seeing Protected Mode as ENABLED...
I ran a gpresult on one of the computers and it shows that the Protected Mode GP is in effect and that it's set to Disabled but when I go to IE Security settings the mode is still enabled... Is there anything else I can try before I contact M$?
AD and Folder level audits
Hello all,
I need to know how to run a report that shows me all folders and the users/groups who have access to those folders, as well as their permissions. Can someone point me in the right direction?
Group Policy retrieval vs processing. What happens when?
I was looking through some group policies today and was wondering how/when certain things are processed if you are running all your policies synchronously. If the order in which policies are applied (and by that token the reverse of the Precedence) is:
1. Local
2. Sites
3. Domain Root
4. OUs (starting at the highest level and moving to the lowest level)
Then we are to assume that Local policies process first and the lowest level OU policies process last and thus can overwrite everything else that has just happened.
If this is the case then how do settings like "Turn off Local Group Policy objects processing" work if we put them in a GPO in a Domain OU? Do the Local policies process twice, first applying the local settings and then removing them? Or are all the policies at all the levels (local, sites, domain, OUs) gathered at the same time and then parsed for certain settings (like the one mentioned above) that would upset the normal order in which they are processed, and then those settings are processed first (horrible run on sentence, I'm sorry)? Or do settings like this only apply if they are already cached? If that is the case, then when are cached settings checked for in the order of things?
I've often wondered the same thing about group policy settings like "Startup policy processing wait time", which must rely on caching, or how the hell else would it make the system wait to process policies if it's part of a policy?
I guess I'm looking for a really good detailed flow chart of what happens when and wondering if any policies are created more equally than others in terms of how and when they are handled.
Thanks in advance.
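A small model of the application order described in the post, as an added example that is not part of the original thread: policies are applied Local, Site, Domain, then OUs from the top of the tree down, and each later policy overwrites what the earlier ones set, so the lowest-level OU wins. The policy names and setting values are made up, and the way the "Turn off Local Group Policy objects processing" flag is handled (read at the start of the next refresh, so it first takes effect one refresh after the domain GPO sets it) is an assumption of the model, not something the thread establishes.

```python
"""Model of Group Policy application order (LSDOU).

Constructed example, not code from the original post. Policy names and
settings below are hypothetical.
"""

LEVEL_ORDER = {"Local": 0, "Site": 1, "Domain": 2, "OU": 3}


def apply_order(policies):
    """Return policies sorted into application order: Local, Site, Domain,
    then OUs by depth (0 = directly under the domain), so a parent OU
    applies before its child and the child's settings win."""
    return sorted(policies,
                  key=lambda p: (LEVEL_ORDER[p["level"]], p.get("ou_depth", 0)))


def refresh(policies, previous=None):
    """Simulate one Group Policy refresh.

    previous: effective settings from the last refresh, or None on first run.
    Model assumption: the 'DisableLGPOProcessing' flag (the "Turn off Local
    Group Policy objects processing" setting) is read at the start of a
    refresh, so a domain GPO that sets it only stops Local policy from the
    *next* refresh onward, not the refresh that first applies it.
    Returns (effective_settings, winning_policy_for_each_setting).
    """
    skip_local = bool(previous and previous.get("DisableLGPOProcessing"))
    effective, winner = {}, {}
    for policy in apply_order(policies):
        if skip_local and policy["level"] == "Local":
            continue
        for setting, value in policy["settings"].items():
            if value is None:           # Not Configured: leaves earlier value alone
                continue
            effective[setting] = value  # later policy overwrites earlier one
            winner[setting] = policy["name"]
    return effective, winner


# Constructed sample hierarchy, deliberately listed out of order.
SAMPLE_POLICIES = [
    {"level": "OU", "ou_depth": 1, "name": "Lab Computers GPO",
     "settings": {"ScreenSaverTimeout": 300}},
    {"level": "Local", "name": "Local Computer Policy",
     "settings": {"ScreenSaverTimeout": 600, "LocalWallpaper": "local.bmp"}},
    {"level": "Domain", "name": "Default Domain Policy",
     "settings": {"ScreenSaverTimeout": 900, "DisableLGPOProcessing": True}},
    {"level": "OU", "ou_depth": 0, "name": "Workstations GPO",
     "settings": {"ScreenSaverTimeout": None, "DisableRunMenu": True}},
    {"level": "Site", "name": "Main Site GPO",
     "settings": {"ScreenSaverTimeout": 800}},
]

if __name__ == "__main__":
    first, winners = refresh(SAMPLE_POLICIES)
    for setting, value in sorted(first.items()):
        print(f"{setting:24} = {value!r:12} (from {winners[setting]})")
    second, _ = refresh(SAMPLE_POLICIES, first)
    print("LocalWallpaper on second refresh:", second.get("LocalWallpaper"))
```

On the first refresh the lab OU's 300-second timeout wins over every level above it, the local-only wallpaper setting survives because nothing higher up overrides it, and the domain-level flag is recorded; on the second refresh the Local policy is skipped entirely, so the wallpaper setting disappears while the domain and OU settings are unchanged.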
Add 2012/win8/8.1 group policy extensions to 2008 R2 domain
Is there a way I can add the group policy extensions for Server 2012/Win 8/Win 8.1 to my server 2008 R2 domain? More specifically, I'm wanting to disable SkyDrive in Win 8.1 using group policy but "Computer Configuration\Administrative Templates\Windows Components\SkyDrive" isn't available on my server 2008 R2 DCs.
problem 22 (Invalid argument) when using Quest AD Migration Manager
Environment: Migrating users from Windows 2003 R2 SP2 Standard Edition to Windows 2008 R2 Standard Edition Domain. They are independent domains with an established 2-way transitive trust.
We are in the process of testing out Quest Tools for AD Migration.
- As stated above, a 2-way transitive trust was established between our source and target domains. Source domain is Win2k3 and target is Win2k8. All servers in each domain have the same version of Windows running across the domain, so Win2k3 Domain has all Win2k3 servers.
- We setup our Quest Server with the Tools installed and joined it to the target domain.
- WINS is setup within the subnet we are testing in and it is registering all of the client systems we are working with along with all servers from both domains.
Below is the question:
After feeding Quest Tools our csv file and running the migration wizard for 2 user accounts we receive the below error. We are choosing to merge accounts based on sAMAccountName matching rule. Why are we getting the below error?
Data below has been edited to use generic values, but syntax is just like the log file view generated by the migration wizard.
Failed Object 1:
CN=User 1,OU=Users,OU=Migration_Test,DC=subdomain,DC=main,DC=domain
Object Class:
user
Error:
LDAP error 0x50. Other (00000523: SysErr: DSID-031A1202, problem 22 (Invalid argument), data 0).
In addition, below is the format for our csv file using tabs as delimiters:
SAMAccountname SAMAccountname Name
dduck 991212123 DonaldDuck
mmouse 991212124 MickeyMouse
(2nd SamAccountName is a 9-digit ID we made up, since our target domain uses a 9-digit ID as the value for the SamAccountName attribute)
In the migration wizard we choose the following options for the various steps in the below order:
- Step 1: Source Objects: The two user objects provided above.
- Step 2: Select Target Container: We selected the OU we designated as our ADMigrationTest.
- Step 2: OU Hierarchy under step 2: We chose, "Migrate objects without OUs as a flat list."
- Step 2: When merging with existing accounts on target under step 2: We chose, "Merge and leave the account where it was before the migration."
- Step 3: Security Options - Skip Security Description migration rule.
- Step 3: Group Options - Add source members to the corresponding target groups.
- Step 3: User Principal Name handling - Copy
- Step 3: Password options - Password handling - Skip account password.
- Step 4: Object Processing Options: General - Enable target accounts.
Sorry for the long post, but I wanted to make sure that someone had all or most of what they need, so that you could quickly answer my question and there is little to no back and forth.
FYI: We have contacted Dell and they said, they DO NOT recommend using the sAMAccountName to match on. We also did Google searches and nothing seems to help us.
I am hoping someone with practical experience can help out.
Any help is greatly appreciated, thank you!
How can I create a logon script to map network drives and printers?
Hello All,
I am new, just signed up and hopefully find this site really useful.
I am an IT Intern and today my boss assigned me a project: to create a logon script that can map network drives and access printers once a user signs in to Windows 7.
I have no idea how to even start. I know some C# and C++, are these languages used?
I have found a lot of logon scripts online, but I want to learn what everything in the script means and what it does. So I am looking for step by step instructions on creating a logon script. Is there anyone here who knows of any tutorials or can point me in the right direction... OR can teach me?
What to do with a managed application that has been upgraded via GPO
Hypothetical Situation:
You assign IE10 via Group Policy. IE11 comes out, you assign it as an upgrade to the managed IE10. These exist in the same GPO (Workstation Policy)
If in fact you are certain all workstations now run IE11, can you remove the IE10 from the GPO?
Managing Software Restriction w/ Local Admins
All right! All right! The users shouldn't be local admins. PRETENDING for a moment, I cannot change that... :-)
I am playing around with Software Restriction Policy in a GPO. It's working ... okay. I mean, it sure stops most everything from running where it shouldn't be.
What I am running into, however, are the updaters that place EXEs into verboten directories and try to launch. So far, the only thing I know how to do is whitelist by a wildcard filename (like install-flash* for the Flash installers) or a path where the updater drops files, if it's not some global area.
How do you handle this? Do you just keep building extensive lists of whitelisted processes and areas?
Deploying Shortcut via GP Not Working for Certain Users
So I am deploying a shortcut to a website using Group Policy to deploy this shortcut to all users desktops. This works great if the user has never logged onto the workstation and has to create a new profile. But if there is an existing profile for that user the shortcut never shows up.
Very puzzled by this behavior. Thanks in advance for any advice.
Recommendations for Changing Subnet of a Domain Controller/PrintServer
Hello,
I will need to move my domain controller to another site, and by sharing the plans here I'm expecting to see the things I've not taken into consideration.
This is a single domain controller, no redundancy. It serves as the only DHCP/DNS/FileServer; there is also a print server as a VM on the same machine (definitely was not my plan).
The server right now sits on the hub of a hub&spoke VPN network. 6 "spokes".
I will have to move it to one of the "spokes". Effectively, I'm assuming it will slow down the network by up to 50 percent. Because traffic will have to go to the hub first, and then to the "new" location, there will be double the bandwidth used and double the load on the firewalls, which should decrease the performance significantly. Let me know if you think I'm missing something else that might affect the performance.
Also, do you think I should plan on making any change on the printers connected to the print server? Or should they work on DNS names so no action would be necessary? I'm assuming the latter is correct.
Also I learned that I need to follow these instructions here after changing the IP address of the DC. http:/
What else do you think I should expect?
Thank you
Important/Fun things to do with Active Directory
My company is finally getting serious about our Active Directory setup. As a new SA, what kind of cool/interesting/useful things can I do with a great AD?