Jump to content




ingram59

Established Members
  • Content Count

    28
  • Joined

  • Last visited

Community Reputation

0 Neutral

About ingram59

  • Rank
    Member
  1. Steps and the Problem Requiring a Solution: GPO configuration is listed below: Printers on a given floor have been successfully delivered to users' desktops on their respective floors, initially based on IP range in Item-Level targeting. However, all floor printers are not needed by all users on the given floor. I want users to only see the printers on their floor that are designated for their specific departments. (ie: LEGAL and ACCTG. departments are on the same floor. Only LEGAL staff should see LEGAL printers and ACCTG. staff should only see ACCTG. printers). I DO NOT want to make LOTS of floor-specific GPO's. Simply one per floor using Item-Level targeting to control delivery. I refine that item level targeting by adding a department's USERS OU for the respective printers. When I do this, the printer shows up or stays on the properly targeted computers. Here is the problem: I want to REMOVE the LEGAL printers from the desktops of the ACCTG. staff and vice versa. 1st round of GPO settings for initial printer delivery: Environment and Settings: GPO delivering a user-configuration printer General: Action - Update Common: Item-level targeting IP address range for floor. 2nd Round of GPO Settings to isolate printers by departments: Environment and Settings: SAME GPO delivering a user-configuration printer General: Action - Update (forced by "common" option) Common: (Selected) Remove this item when it is no longer applied Item-level targeting IP address range for floor AND Users OU for the department receiving the printer. Testing Results: After running a GPUPDATE /FORCE with 1st group of settings, the printers deliver as expected and they do not show up on computers where they are not needed. However, when I run the GPUPDATE /FORCE AFTER changing to the 2nd group of settings and allow setting to replicate, the unwanted printers ARE NOT removed from the users' desktop to whom they don't apply. I need to be able to clean up those printers but am not sure how to do it beyond what I have tried.
  2. I didn't see a category for this so I'm posting it here. Current Environment: I have four Windows 2012 R2 servers configured for DFS and two namespace servers (DC's). I'm currently using DFS and NOT replication. I have numerous namespaces, each with only ONE FOLDER TARGET. I have between 1 and 2tb of space on each DFS server. I need to migrate a large high level subdirectory and its content (800gb appx) FROM one of these servers TO a fifth DFS Windows 2012 R2 server in order to more evenly distribute content and balance drive sizes. I need to do this without risking data content or integrity and keeping all content current and making the process transparent to the user community. I want to use the replication capability of DFSR? However, first I have some questions based on the following testing that I completed. TESTING: I added a fifth DFS server. I created FolderA on Server4 of my DFS servers, and created a new Namespace1 with a folder target pointing to \Server4\FolderA. It worked fine. I then set up the FIRST REPLICATION group using Server4 and Server5 with Server4 as PRIMARY pointing to FolderA (\\SERVER4\FOLDERA) and Server5 as the replication partner using FolderB. (\\SERVER5\FOLDERB) I DID NOT ADD another folder target to Namespace1. I would then open the namespace (\\dfs\namespace1), pasting files to it. Based on my configuration I anticipated that files would ALWAYS be dropped in \\Server4\FolderA and REPLICATED to \\Server5\FolderB, since my FOLDER TARGET was on Server4. However while monitoring the folders on BOTH servers I got mixed results. Sometimes the pasted content showed up FIRST on \\Server5\FolderB and then quickly replicated to \\Server4\FolderA. Other times it would show up on \\Server4\FolderA and replicate to \\Server5\FolderB. It appears that replication puts content in either one of the replicated folders, IGNORING the Folder Target that was defined. QUESTIONS: With replication configured between two servers is A SINGLE FOLDER TARGET ignored with data going to EITHER location or was I seeing a false result due to the refresh timing of the folders? (I had remote desktops open on BOTH servers and was monitoring the FolderA on Server4 and FolderB on Server5) What is the best approach to take to migrate the date to the new server? here is my thought. Please provide input or corrections. Steps: Pre-seed content with Robocopy or a data restore to Server5. Set up replication using the "Replication Group for Data Collection" option Allow content to replicate In the late afternoon, add a new Folder Target (Server5\FolderB) to Namespace1 Delete the ORIGINAL Folder Target (Server4\FolderA) from Namespace1 Delete the Replication Group This is my thought. What am I missing? And what will happen to replicated content if I use the steps as shown? I've had strange things occur with Replicated content if it isn't done correctly (the date disappears) Thanks in advance for your time and input. Dino
  3. Please read CAREFULLY before replying. I tried to be concise in my testing description. I need this resolved and I've hit a dead end and need some recommendations. I have two domains, A and B that have two-way transitive trusts. I need the computers in DomainA to connect to DFS shares in DomainB OU1 and OU2 are at the same level and inheriting policies. OU2 has a sub-ou OU3 Both Computers and Users are in DomainA and DFS shares are in DomainB I've done the following testing and CAN'T, for the life of me understand my users can't connect to DFS from the problematic OU. My testing was an attempt to rule out user rights and narrow it down to a GPO issue, but I still can't find the culprit. I ruled out USER rights issues by flipping users and computers. Below is how everything played out. User1 on Computer1 in OU1 (won't connect to DFS) User2 on Computer1 in OU1 (won't connect to DFS) User1 on Computer2 in OU1 (won't connect to DFS) User2 on Computer2 in OU1 (won't connect to DFS) User1 on Computer1 in OU2 (Connects to DFS) User2 on Computer1 in OU2 (Connects to DFS) User1 on Computer2 in OU2 (Connects to DFS) User2 on Computer2 in OU2 (Connects to DFS) User2 on Computer2 in OU3 with policy inheritance (Connects to DFS) User2 on Computer2 in OU3 with BLOCKED inheritance and linked GPO's from OU1 (Connects to DFS)
  4. Please read the full posting before answering. I've searched extensively for a GPO fix to my issue but I can't find one. I've got a lot of users that work wit IE. Under Internet Options / Programs / Default Web Browser there are two options, "Tell me if Internet Explorer is not the default web browser" and "Make default". Both are grayed out on some machines and of course, cannot be modified. On other machines the "Tell me...." option is active and can be checked and the "Make Default" is grayed out. Machines with both conditions have the SAME group policies applied to them. I have a PS script on my DC allowing me to search GPO's for specific content. However I don't know what to search for in order to find the GPO that has these settings in them. Google searches have proved fruitless in finding the GPO options that need to be changed. I'm less concerned about the "Make Default" than I am about the "Tell me...." option. Where are these settings located and what are they titled? If they are not specific settings, what registry changes can I push that allows me to activate the "tell me..." option in IE? Also, why, if the same policies are being applied (meaning they are not being blocked by security filtering), are the settings on these machines different. This is extremely frustrating and I'm really looking for a solution to this. Thanks in advance for your assistance.
  5. One addition. It does appear that after I reboot the SCCM server the device DOES NOW appear in the collection AND the Content status properly updates and is available. However, a REBOOT is REQUIRED every time a change like this is made. That WAS NOT and SHOULD NOT be the case.
  6. Here is the scenario. Please read the entire post before responding. Sccm 2012 recently updated to the latest release. Device collection with a Query rule to retrieve computers based on a certain condition. Collection and query rule built prior to the upgrade. Collection limited to All Systems I create a Direct Rule under the Membership Rules for that collection and add a device. I select the device and it does show up in the Membership Rules After closing the window, refreshing the collection, Updating Membership AND waiting overnight, the member count DOES NOT change and my direct add machine DOES NOT appear in the collection I go back in to the collection Properties / Membership Rules and it IS listed there as the Direct entry, along with my Query rule that was previously added The device in question is present in All Systems (it is my workstation) 2nd testing step Created a BRAND NEW TEST COLLECTION Did a direct add of my machine Collection shows zero entries following update and refresh Added two other random machines Collection shows zero entries following update and refresh Rebooting the sccm server has no impact. This is only one of the symptoms of some issue indicating that it is NOT just collection related. Another symptom relates to updating distribution points after adding new drivers. The update completes but the date and time stamp on the Content status DOES NOT reflect the update that was executed. Even when waiting overnight. Your assistance is greatly appreciated.
  7. The issue I'm describing is VERY FRUSTRATING. We are decommissioning a proxy server yet our firewall is still showing windows 7 computers hitting the proxy server. Here are the steps that I've taken and what I've looked at on one of the computers in question. DESELECTED "Automatically Detect Settings" Set "Use automatic configuration script" to reference the CORRECT proxy server that is currently in use DESELECTED AND CLEARED the entry under the "Proxy Server" entry for "Use a proxy server for your LAN......" Fields are blank and UNCHECKED Edited the registry and removed ALL references to the proxy server that we DO NOT want to reference (the one being decommissioned) both IP address and the hostname that references the proxy server. Changed the one installed application to point to the correct proxy server. Flushed the DNS cache on the workstation. With ALL these steps taken, can someone tell me where to look or tell me why the machine is still trying to reach out to the proxy that we're decommissioning?
  8. ingram59

    Tracking down account lockout

    That doesn't make senses to me. If you look at the 2nd screen shot, the computer name is different. The "Computer" listed is the machine that I was on when I viewed the event log. I did this on a member server and on a DC.
  9. I have a GPO containing User and Computer settings. It is 'enabled' in the Details tab and 'Authenticated Users' was added under the Delegation tab. It is linked to the proper OU's and the Security Filtering contains the group containing members needing the GPO. Also for added measure, Domain Computers was added in the Delegation Tab. However, the policy is not applying, even with a reboot, and I HAVE given it adequate time to replicate. When I run a GPUPDATE /Force and then a GPRESULT /r from the command line on my test workstation, logged in as my Domain Admin account, the policy does not show up and does not appear in the HTML file when I create it using GPRESULT. This machine is in an OU for which the GPO is applied. When I run the GPO Modeling Wizard, the policy shows up as Denied... Access Denied (Security Filtering) See attached screen shot. How do I get this policy to apply the the computer and associated user when policy refreshes. I've attached two screen shots:The results of the modeling wizard: and the RSOP run from 'elevated' command line: This is time sensitive. I'm needing input as soon as reasonably possible. Thanks in advance for your input. Thanks, Dino
  10. I have a Domain Admin account in one of our domains containing six DC's. My account is being locked out on a DAILY basis. I don't use that account to run any services. I'm attaching screen shots of the messages. They are nondescript from the standpoint of directing me to the server or computer that is generating the lockouts. How can I track down the machine that is locking out my account? Event log screen shots attached.
  11. I've created a User GPO to map a drive for users in a SUB-OU who need it. The GPO is linked to the user SUB-OU for the department in question. There are about 50 users in that SUB-OU and I only need the GPO to apply to about ten of them. I created a Global Security group with only those ten users and added it to Security Filtering for the GPO thinking that would work. However the GPO refuses to apply unless I leave Authenticated Users in Security Filtering. (Authenticated Users is now required for applying User GPO's). In this scenario, the mapping then applies to ALL users in the linked SUB-OU and not simple to the ten users in the security group that I created. How do I get the GPO to apply to the SUB-OU but still only set the mapping for the few users who need it? I don't want to make another SUB-OU just to accommodate drive mapping for these users since this is a process that will have broader implications for other department.
  12. I appreciate the feedback so far. The installer and the uninstaller are VERY POORLY WRITTEN. There are no unattended or silent flags to use for the removal. Also, I already looked at the link in this thread and ran it. The application does not show up when I run the powershell commands. LOTS of Microsoft software shows up though. It is not an MSI install. It is an EXE install. There is no uninstall key. I've attached a screen shot of the uninstall options. The "console mode" in the screen shot simply opens a GUI uninstall.
  13. There is an older application (Fishbowl 2013) running on over 100 machines. It was manually installed. We just recently moved to SCCM. It was an EXE install and there is NO uninstall value in the registry to reference. The uninstall uses "uninstall.exe", located in the "program files (x86)\Fishbowl" folder. There are no flags that will allow me to provide input to the uninstaller. I am able to do a removal on the local machine without incident. The vendor was of no help. What I want to do is use SCCM to uninstall this application so that we don't have to touch over 100 machines. I've tried creating a 'package' and an 'application', with a CMD file containing the full path to the uninstall command, but it doesn't work in either scenario. I don't want to 'install', the uninstaller, which is what both options want to do. I simply want to run the uninstaller 'hidden', so users get no prompts and so it completes automatically. I am not a powershell coder. I find it cryptic and confusing and am not able grasp it. Any help would be greatly appreciated. Dino
  14. I've got two forests (Forest A and Forest B ) with a validated two-way non-transitive trust between the domains in each forest. I login as a domain admin to a server in Forest B and can open AD users and computers and browse as needed. I can also open AD in Forest A from that same server in Forest B and can I see all objects. Where I'm having a problem is trying to grant access to a user in the domain on Forest A to a folder on a server in the domain in Forest B. On the server in the domain in Forest B, I open "Share and Storage Management and select the share to which I want to grant the user access. I right-click on the share and go to Properties / Permissions / NTFS Permissions. I click on "Add" / "Locations" and select the domain in Forest A. (See attachment) I see the icon as displayed in the attached JPG. However, when I click on the "+" sign, the domain indicated at the arrow does not open or populate. This is a crucial issue that I need to resolve. What am I missing or what else do I need to do to grant the required access. Thanks in advance for timely responses.
  15. Re: your previous reply. I don't see Add/Remove Program anywhere. It looked like it had been replaced with installed software references. What am i missing. And, if I disable the software inventory, where do I make the change that will get me the installed programs...? I'm new to 2012, although I worked extensively in 2007.... Thanks, Dino
×