Topics created by wrx7m

@flaxking said in PowerShell - Using Variables to Delete SMTP Proxy Addresses in AD:

if they do not have previous experience with objects

Describes me. lol

@wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

@Obsolesce said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

@wrx7m said in Group Policy - HKCU Registry Update (via GPP) For All Users, Only on RDP Server:

t only applies the setting when linked to the OU of the user

We'll according to that screenshot, it IS a user setting.

Yeah. I want all users or a group of users who login to the RD00 server (and only this server) to have this GPP modifying HKCU to apply. Is it even possible?

Yes, it's possible.

Ensure the GPO is applying to the user. For example, if User1 is in the Company > Users OU, then make sure that GPO is either in Company or Users OU and the Users OU is inheriting the GPO. Verify with RSOP and gpresult that user is getting the policy.

I think, but it's been awhile since I did much with AD GP... (like you are in the screenshot) use item-level targeting to the server name.

Test it by having one of the in-scope users log on to a difference server, run gpresult and see if it's applying, then try it on the targeted server and see if it applies then.

There's also a lot more that can be done, especially with the credentials... storing them as an encrypted file and retrieving them for the function (function just for that, functions using other functions), keeping all the parameter data in an object to retrieve, or from CSV, etc....

It depends on how far down the rabbit hole you want to go, and how much time you want to spend making it.

Honestly, I'd do this kind of thing with a different project, but this can work too. There's a lot you can do.

@black3dynamite said in Windows Server 2016 RDS - GPO for Disabling Windows Update Notifications for Non-Admins/Users?:

@wrx7m said in Windows Server 2016 RDS - GPO for Disabling Windows Update Notifications for Non-Admins/Users?:

@black3dynamite said in Windows Server 2016 RDS - GPO for Disabling Windows Update Notifications for Non-Admins/Users?:

@wrx7m Is that a computer configuration or user configuration policy? Try applying the rules to only non-admins groups.

Yeah, it is at the computer level. I would like to do it via user config but I only want them to apply to users on the RD servers. I need to figure out the proper way to structure AD/GPOs to not screw up everything else.

I am guessing creating another OU as a sub container and move the RD servers into.

Edit: Since it isn't GPP, there isn't any item level targeting, so I can't do it that way.

If you can make those changes directly in the registry, maybe can allow you to use GPP and item level targeting.

Hmmm. That makes sense. Let me mull it over.

@wrx7m said in RDS - Suggestions for Migrating User Profiles from Server 2008 R2 to Server 2016 UPD:

@black3dynamite said in RDS - Suggestions for Migrating User Profiles from Server 2008 R2 to Server 2016 UPD:

@wrx7m said in RDS - Suggestions for Migrating User Profiles from Server 2008 R2 to Server 2016 UPD:

@dafyre said in RDS - Suggestions for Migrating User Profiles from Server 2008 R2 to Server 2016 UPD:

@dafyre said in RDS - Suggestions for Migrating User Profiles from Server 2008 R2 to Server 2016 UPD:

@pmoncho said in RDS - Suggestions for Migrating User Profiles from Server 2008 R2 to Server 2016 UPD:

@wrx7m

Just curious, when you chose UPD, did you choose to store all settings or just certain folders?

Some applications don't play nicely with roaming profiles.

UPDs mount at the usual C:\Users\user.name and the applications can't tell a difference.

Right. But, only when the user is logged in. After they logout, that path doesn't exist. I am trying to figure out how to work around that for adding the custom (for each user) erp shortcut on their desktop in their session.

Add the shortcut to C:\Users\Public\Desktop.
That way it will always show up on each user Desktop.

This would be nice and easy, but each user has a custom shortcut- It has a workstation ID in the target path.

https://www.pdq.com/blog/pdq-deploy-and-powershell/
Create a script that creates the shortcut each user Desktop and append the workstation id in the target path.

Turns out that there was a wildcard A record in DomainA2.com

The script I started with was shamelessly stolen from a Technet post.

That gave me a pretty good start. I did some light editing to more accurately match what was going on at my employer when I first used it for a large batch of users rather a while ago.

Now I'm making some more changes and additions to turn it into something a bit more broadly useful day to day.

@wrx7m said in Fedora - Automating Config File Modifications:

Without using a CM tool, what is the easiest way to automate modifications to several config files across 7-8 servers? I was looking at sed, but am not sure if there is a better tool that isn't a CM.

More specifically, I have several Fedora servers running squid proxy. From time to time, I need to modify the config file to whitelist a particular domain. Because I will soon have a few more servers, I would like to automate these type of file updates so I don't have to manually go into each server's config and copy and paste stuff in to certain sections; some information is specific to a particular server, where as this section would be universally necessary on all servers. So, I would be inserting lines in specific sections.

I intend to move to some sort of CM for this stuff in the future, but I need to get these going sooner than I could learn the CM tool.

Sync with a s3 bucket hourly. Then you only need to update on s3

@Dashrender said in PDQ Drops Inventory (Deploy) Agent:

@coliver said in PDQ Drops Inventory (Deploy) Agent:

@warren-stanley said in PDQ Drops Inventory (Deploy) Agent:

@coliver from memory it allowed endpoint status display, along with connection when outside the corporate network for running commands and application management.

It was part of the subscription and didn't require any other additional setup - so was nice in theory.

Ah. Salt and Ansible can do similar things but would require some backend work.

Salt has an agent, right?

Yes, and Ansible can be setup in a Pull configuration so it can act like it has an Agent as well.

@wrx7m said in Windows 10 Updates - Trigger "Update and Restart":

@IRJ said in Windows 10 Updates - Trigger "Update and Restart":

@wrx7m said in Windows 10 Updates - Trigger "Update and Restart":

@IRJ said in Windows 10 Updates - Trigger "Update and Restart":

@wrx7m said in Windows 10 Updates - Trigger "Update and Restart":

A simple restart command doesn't perform the update step, just the restart, so the update doesn't get applied.

This has been an issue for a very long time with windows. I am surprised it hasn't been fixed yet. It's really annoying

Well, at least with Win 7, a standard reboot applies updates. At least, I think it does. The main difference between Win 7 and 10, is that they have switched to the osoclient.exe to manage the updates.

I'm pretty sure server 2008 and onward had the issue. I don't remember dealing with it on workstations

I still have a 2008 R2 box and can test it on the next go 'round. I won't have it much longer, as I am dumping it prior to EOS.

LOL - Didn't make this cutoff. Next week, hopefully.

@wrx7m said in IOPS for SSD?:

@travisdh1 said in IOPS for SSD?:

@wrx7m said in IOPS for SSD?:

@Pete-S They dropped the price to 1061.24 since I posted. lol Interesting. Yes, but that is a max of 12 nvme. I may have misunderstood that option with 8 SAS/SATA. I am guessing that the max of 12 would allow for more SAS/SATA, although it doesn't mention it. My issue was also with the available drive capacities and cost per TB for spinning disks in the 2.5" spec.

Yeah, especially direct from the OEM. Have you thought about buying the storage from xByte instead?

Are their drives brand new? I did price out a server with specs as similar to Dell's as possible and it was only off by a couple grand.

IMHO, I consider their drives are 99.9% brand new as its possible an OEM install was done on the drive or something like that. Plus testing of the drive by the OEM and xByte.

Their hardware is manufacturer refurbished, not used. Big difference.

If you can get a Dell ProSupport (w/w-out) Plus 7 year warranty on the server with the drives from xByte, it doesn't really matter if they are new or not. They are under warranty for 7 years and you have no worries.

@Pete-S said in Comparing Server CPU Capabilities?:

@wrx7m said in Comparing Server CPU Capabilities?:

... And I don't have to run a Windows server for vCenter server or upgrade manager anymore.

I haven't played around with VMware much. How does it work with vCenter? Does run in a VM on each hypervisor or completely separate from the hypervisors?

It is a virtual appliance. You can upgrade and migrate from an existing Windows version. You can run it on a single server.

Can you post the result of these two reg queries:

REG QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin REG QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorUser

@Dashrender said in Planning for New ESXi Hosts - Which CPU Metrics Should I Use?:

@Pete-S said in Planning for New ESXi Hosts - Which CPU Metrics Should I Use?:

@wrx7m said in Planning for New ESXi Hosts - Which CPU Metrics Should I Use?:

@Pete-S said in Planning for New ESXi Hosts - Which CPU Metrics Should I Use?:

@wrx7m said in Planning for New ESXi Hosts - Which CPU Metrics Should I Use?:

@Pete-S They list both the 61xx and 62xx as options for the R740XD.

Good!

What CPUs do you have in the R720 today? 1 or 2 CPUs?

Do you want the new ones to be faster or just capable of running more VMs?

I have 2 x E5-2609 CPUs in each server. I would like faster, but more VMs would be the priority.

The E5-2609 CPUs are at the low end of what was available at the time so no problem there.

Actually, are you looking to keep the old servers around for testing and such?
In that case you could just drop in refurbished CPUs that are faster and/or has more cores for very little money. If the server can take E5-2600 V2 you can get up to 12 core CPUs.

yeah, but Windows licensing is an issue, assuming multiple CPUs... for a test server, not likely worth going over the 16 cores. Not to mention the test server might require licensing (if needed beyond the 90 day test period for something).

Two 8-cores would be an option. For instance two E5-2690. They are 2.9 GHz base frequency and have 8 cores. About $100 each when buying refurbished.

About 50% faster per core (2609 have no turbo) and about 3 times faster multicore performance. Has more cache and faster memory transfer speed. Was a very high end CPU at the time. Was listed at $2000 while the E5-2609 was $300.

The fastest 8-core E5-2600 V2 CPU is the E5-2667 V2. 8 cores and base frequency of 3.3 GHz. It will likely also be an option for the R720XD. V2 uses 22nm technology so uses less power with the same clock speed and can fit more cores or run higher frequencies.

@wrx7m said in Printer Leasing/Maintenance - Installing Software on the Network for Monitoring Print Devices:

@dbeato said in Printer Leasing/Maintenance - Installing Software on the Network for Monitoring Print Devices:

It is common, however just make sure when they configure only the Static IP of the printers to be picking them up. Also make sure the SNMP community is not public (also none of your devices should have that).

I should ask them about this. I am guessing that all the printers are going to have to be networked now.

Yes, otherwise it will not work.

@Kelly said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

It hasn't gone into effect, but as of 1/1/20 you will be operating under this law: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375.

Thanks. At this point, it is only companies that this request would apply to.

@marcinozga said in Any Way to Automate Adding a New Computer to an AD Group?:

@flaxking said in Any Way to Automate Adding a New Computer to an AD Group?:

@marcinozga said in Any Way to Automate Adding a New Computer to an AD Group?:

Ansible can do that. https://docs.ansible.com/ansible/latest/modules/win_domain_group_membership_module.html#win-domain-group-membership-module
You can add new PCs to domain, and change their group membership, you just need to know computer names in advance.

Which is just a layer on top of Powershell. The Active Directory Powershell module is still required.

It's not required, or that module is included already in Windows 10 by default. Because I haven't had to install it on any machine I managed with Ansible.

"win_domain_group_membership requires the ActiveDirectory PS module to be installed"
https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/windows/win_domain_group_membership.ps1

They have it in the documentation as well "This must be run on a host that has the ActiveDirectory powershell module installed."
https://docs.ansible.com/ansible/latest/modules/win_domain_group_module.html

@wrx7m said in Sales Person Wants Me to Provide Independent Rep With an Email Account:

@scottalanmiller said in Sales Person Wants Me to Provide Independent Rep With an Email Account:

My second thought is, if having an email account creates a security concern, it is not creating the account that creates the problem, it simply exposes an existing security problem.

Not necessarily security, but accessing features like SFB, OD and Teams. But, as Kelly mentioned, they have Exchange Online P1, which doesn't have any of the other services (different than E1.)

Right, i was assuming that they'd only get email. Even those other things, though, still have security. but no reason to think that you'd provision those, too.

@wrx7m said in Server 2016 - Force Default Update Server to WSUS Server Via GPO:

@dbeato said in Server 2016 - Force Default Update Server to WSUS Server Via GPO:

This would have happened on Server 2012 R2 as well, dual scan has been around and causes a lot of problems as you noted.

It is strange that I didn't have these issues in 2012 R2. I essentially copied the same GPO for 2012 R2 and made some minor changes to it to convert it for 2016. My 2012 R2 show the correct default service.

Weird, I have various Server 2016and now 2019 with WSUS and while dual scan was an issue for me on Server 2012/ 2012 R2 not anymore.