Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy

CLAM DOWN posted:

Please tell me at the very least that people are not logged in interactively with admin accounts, and they just use a separate admin account to elevate rights only when required.

They're doing this at my place, but it's the same local admin password format for everyone, like first name then year. I told the lawyer "you know if anyone else can spell your name they can just remote in to your local documents". Nice I'm already getting some traction to do things the right way.


Thalagyrt
Aug 10, 2006

CLAM DOWN posted:

Yikes, does that not violate PCI DSS or something?!

Oh, it totally does. They were a pharmacy and totally in violation of HIPAA too. That company was just one big violation. I'm amazed that so far it hasn't caught up to them, at least to my knowledge!

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
:downs: Local Admin Rights :downs:

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Am I missing something here...?

I'm under the impression that in a typical Windows domain the primary domain controller controls the time for the entire domain even if it's virtualized. If my PDC is pointed at a timeserver off the domain (something from http://tf.nist.gov/tf-cgi/servers.cgi) and my host is a member of the PDC's domain it should be getting time from the PDC - correct?

Thalagyrt
Aug 10, 2006

Tab8715 posted:

Am I missing something here...?

I'm under the impression that in a typical Windows domain the primary domain controller controls the time for the entire domain even if it's virtualized. If my PDC is pointed at a timeserver off the domain (something from http://tf.nist.gov/tf-cgi/servers.cgi) and my host is a member of the PDC's domain it should be getting time from the PDC - correct?

If it's virtualized and has time sync from the VM host, the VM host will effectively be authoritative. Best to turn time sync off for DC VMs and have them sync to an external source via NTP.

orange sky
May 7, 2007

Can anyone experienced with MBAM tell me why my RecoveryAndHardwareCore.Machines_Users is not updating? Using MBAM 2.5. Every other table is updating so I don't think it's a permission error. This isn't yet in production but it can't go forward if basic helpdesk can't unlock computers only with user/domain. I can only unlock them as sysadmin or advanced helpdesk, never with the username.

I also hosed up by configuring the BitLocker Drive Encryption GPO, not the MBAM GPO. Guess I'll have to install the MBAM one and take out all configurations on the BDE GPO.

Xenomorph
Jun 13, 2001
Windows Server 2003 R2 x64. This is an old server that just runs backups.
I purchased two little NAS boxes, connected via eSATA. Each has RAID set up w/ 8TB usable.

I did the same setup for both:
Disk Management -> Initialize -> Convert to GPT -> New Partition

The first one set up fine.
The second? Windows just pops up an error that says "The format did not complete successfully."

A Google search gave me a few KB results. KB829305 does not apply, as we didn't try to format without a drive letter. KB890549 does not apply, as we are not using a "shared cluster volume". KB883100 does not apply, as the system does not have the "Remote Storage Server" service to stop.

Event Logs show nothing. Formatting from the command line just says "format failed". No error codes.

All the drives went through a DBAN + MHDD to ensure they were working. How do I troubleshoot something like this?

nexxai
Jul 17, 2002

quack quack bjork
Fun Shoe
Which eSATA card are you using? Updated drivers?

Xenomorph
Jun 13, 2001
Ugh. I think it was simply a bad eSATA cable.

It's some cheap Silicon Image eSATA SoftRaid card (SiI 3124), set to JBOD/passthrough mode.

I tried reducing the complexity of the "RAID" down to 1 disk. Windows just wouldn't format it. I shut down and disconnected the other device(s), swapped the port, etc.

Only when I tried another cable did it work. Both cables are new and freshly removed from their plastic wrap. I wish there were some logs somewhere that gave a reason as to why the drive wouldn't format.

New cable -> format -> success. Now we can finally get back to saving those catte pictures.

Hadlock
Nov 9, 2004

GreenNight posted:

Specific orders directly from the CEO. I have expressed my opinions on the matter in full in an email which I have copies of. I've been there 12 years now and it's been that way the entire time.

Well at least you have fantastic job security as a result

"You did WHAT with the Win\system32 folder? Of course it was taking up a lot of space on your hard drive. No I'm not shouting YOU'RE THE ONE SHOUTING!"

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Day 5 of our SEP definitions not updating properly. We had to reinstall our LUA for :reasons: and it keeps erroring out that definitions files are missing, support plx halp :(

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Has anyone seen an RDP Session just stop refreshing after 30 seconds?

I'm logging from domain.a to a computer on domain.b with nothing special going on other than one Windows 7 64-bit VM over ESXi. Everything I'm working with has the latest updates and multiple reboots. I'm even a domain and local admin.

The connection works fine for 30 seconds but then stops refreshing. If I click on an icon when it has stopped refreshing I'll hear it open but not see anything. If I re-connect I'll see it open!

Gucci Loafers fucked around with this message at 22:27 on Nov 6, 2014

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.

MF_James posted:

Day 5 of our SEP definitions not updating properly. We had to reinstall our LUA for :reasons: and it keeps erroring out that definitions files are missing, support plx halp :(

Uninstall SEP, install ESET, never worry about antivirus again. Seriously, it's 2014

Tab8715 posted:

Has anyone seen an RDP Session just stop refreshing after 30 seconds?

I'm logging from domain.a to a computer on domain.b with nothing special going on other than one Windows 7 64-bit VM over ESXi. Everything I'm working with has the latest updates and multiple reboots. I'm even a domain and local admin.

The connection works fine for 30 seconds but then stops refreshing. If I click on an icon when it has stopped refreshing I'll hear it open but not see anything. If I re-connect I'll see it open!

Are you talking about having to repaint the window or just a reconnect dialog? Full screen or windowed? What does the network topology look like between domains? (IPsec, RDP through firewalls, etc.)

CLAM DOWN
Feb 13, 2007




Tab8715 posted:

RDP problem

As above, this is likely a network issue. Got any more info as Gyshall mentioned?

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Gyshall posted:

Are you talking about having to repaint the window or just a reconnect dialog? Full screen or windowed? What does the network topology look like between domains? (IPsec, RDP through firewalls, etc.)

No reconnect dialog appears nor do I get disconnected. It just stops drawing. To my surprise there is a firewall between the two domains that I wasn't told about. What would I want to look for in there? Note, I'm able to RDP to other Windows VMs without any issue.

The RDP Session seems to last longer if I don't make the window full-screened.

Docjowles
Apr 9, 2009

As a stab in the dark, maybe an MTU mismatch on one of the links between the firewall and either host? Having the wrong MTU set is always a recipe for Really Weird poo poo.

Thanks Ants
May 21, 2004

#essereFerrari


What happens if you set RDP to only use TCP? You might have a UDP timeout issue on the firewall.

CLAM DOWN
Feb 13, 2007




Thanks Ants posted:

What happens if you set RDP to only use TCP? You might have a UDP timeout issue on the firewall.

RDP uses tcp/3389 only, you can verify by running a netstat -ano on the system, nothing is listening on udp/3389.

Erwin
Feb 17, 2006

CLAM DOWN posted:

RDP uses tcp/3389 only, you can verify by running a netstat -ano on the system, nothing is listening on udp/3389.

UDP was introduced in version 8 (maybe?), which can be installed on Windows 7 and might actually come down as a Windows update.

CLAM DOWN
Feb 13, 2007




Erwin posted:

UDP was introduced in version 8 (maybe?), which can be installed on Windows 7 and might actually come down as a Windows update.

Well goddammit. Thanks for the info. We haven't rolled out Windows 8 or above here (waiting for 10 probably, who knows), and I've just recently started Server 2012 R2 deployment plans.

MrMoo
Sep 14, 2000

RDPv8 is sweet but you have to manually deploy two patches to get it working on 7.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Gyshall posted:

Uninstall SEP, install ESET, never worry about antivirus again. Seriously, it's 2014


Are you talking about having to repaint the window or just a reconnect dialog? Full screen or windowed? What does the network topology look like between domains? (IPsec, RDP through firewalls, etc.)

Jesus christ if I had this choice I would do something about it. Too bad I'm a lowly sys admin (jr sys admin? I dunno my job title is Technical Consultant) for an MSP and my client is our largest client, they make the calls, we've attempted to sway them to other AV programs but so far have been unable, it's a loving nightmare.

This is apparently something that happens every 6 or so months where LUA just decides to break, but it's never broken this badly and it might not be on our end, it might be an issue on Symantec's end. This is driving me up the wall, giving me pretty bad anxiety atm because I just got promoted to this position and then everything loving breaks that I'm supposed to be taking care of. oh well gently caress it, I put in a ticket with Symantec and we'll see if these jokers can figure it out.

skooky
Oct 2, 2013

Docjowles posted:

As a stab in the dark, maybe an MTU mismatch on one of the links between the firewall and either host? Having the wrong MTU set is always a recipe for Really Weird poo poo.

Seconding MTU as the RC. I have seen some weird poo poo in my time with MTUs and RDP...

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.

Tab8715 posted:

No reconnect dialog appears nor do I get disconnected. It just stops drawing. To my surprise there is a firewall between the two domains that I wasn't told about. What would I want to look for in there? Note, I'm able to RDP to other Windows VMs without any issue.

The RDP Session seems to last longer if I don't make the window full-screened.

If there is a firewall between the two, and they are two domains in a forest, you want to have some sort of secure channel between the two - like an IPSEC VPN. Depending on the firewall manufacturer, there may be an update to the firmware, etc. Assuming the RDP connection works OK inside Domain B's LAN, and RDP connections work OK inside Domain B's LAN, that is where I'd start to look.

MF_James posted:

Jesus christ if I had this choice I would do something about it. Too bad I'm a lowly sys admin (jr sys admin? I dunno my job title is Technical Consultant) for an MSP and my client is our largest client, they make the calls, we've attempted to sway them to other AV programs but so far have been unable, it's a loving nightmare.

This is apparently something that happens every 6 or so months where LUA just decides to break, but it's never broken this badly and it might not be on our end, it might be an issue on Symantec's end. This is driving me up the wall, giving me pretty bad anxiety atm because I just got promoted to this position and then everything loving breaks that I'm supposed to be taking care of. oh well gently caress it, I put in a ticket with Symantec and we'll see if these jokers can figure it out.

I think Symantec products exist only to create more work for the VARs who resell it. This is my theory.

orange sky
May 7, 2007

[ASK] me about deploying MDOP 2014 on a forest with 2003 functional level, with 400 Server 2003 DCs, only 60 of which have 2GB of RAM, the rest has 1GB.

God loving damnit, half this stuff won't work. I spent 3 days troubleshooting MBAM before knowing that they had no 2008R2 DC's.

I hate some projects.

devmd01
Mar 7, 2006

Elektronik
Supersonik
I sure hope you're a consultant, now you can upsell them on a migration to 2008r2 at a minimum and raise the functional level, since 2003 loses support next year in July! More billable hours for everyone!

orange sky
May 7, 2007

devmd01 posted:

I sure hope you're a consultant, now you can upsell them on a migration to 2008r2 at a minimum and raise the functional level, since 2003 loses support next year in July! More billable hours for everyone!

Yeah, I'm a consultant, but I'm here working for Microsoft, Microsoft are the ones selling stuff here. This is a government client, a project to migrate this AD to 2008 will be a huuuge project, and my company will surely be involved somehow. However, I'm just a trainee, replacing someone on bereavement leave (but honestly implementing MDOP is really easy) so it's not my place to do that yet. However, this will certainly push them to do it a bit more. Everything is so stagnant in this place.. Urgh.

And now I'm just sitting here like a jerk staring at the walls waiting for someone to tell me something because I've got to wait for the nth guy in the chain of command to allow me to proceed with App-V and UE-V since DirectAccess is out of the equation.

One thing is cool though, my documentation never looked this good with all this extra time.

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.

orange sky posted:

I spent 3 days troubleshooting MBAM before knowing that they had no 2008R2 DC's.

Sounds like your fault tbh. I'd be pissed as hell if you worked for me :v:

orange sky
May 7, 2007

Gyshall posted:

Sounds like your fault tbh. I'd be pissed as hell if you worked for me :v:

I just came for the implementation, Microsoft was supposed to assess the state of things before selling the product and hiring us.

E: Although I do admit I should have checked it beforehand. Live and learn I guess.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


How come I'm able to map a share across to a separate domain to the standard C: drive

code:
C:\Users\administrator>net use Z: \\10.201.24.208\C$ /user:domain\user
Enter the password for 'domain\user' to connect to '10.201.24.208':
The command completed successfully.

The tricky part is if I try to map my virtual optical drive and it refuses to do so...

code:
C:\Users\administrator>net use Z: \\10.201.24.208\F$ /user:domain\user
Enter the password for 'domain\user' to connect to '10.201.24.208':
System error 53 has occurred.

The network path was not found.

In advanced sharing, it's checked as "Read" for everyone.

thebigcow
Jan 3, 2001

Bully!
There is a gpo setting to limit access to optical drives to the logged in user. AFAIK it isn't enabled by default, but it is what I used to let people burn media on our XP machines.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


If I put \\192.168.1.242 in Explorer I'll see the $f drive, but with the net use command it'll fail? Weird.

Update: It maps if I use just F and not F$... Well, it works now :shrug:

Gucci Loafers fucked around with this message at 18:08 on Nov 10, 2014

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Co-worker of mine found something interesting over the weekend.

His roommate has a macbook for work, it's joined to their domain blah blah blah. Well, said roommate has a lovely laptop for home use and can barely play games, he asked my co-worker if he knew a way to get around UAC so he could install games from steam on the macbook. Co-worker said that he might know a way, but that it probably violates company policy and if he does it, that anything that happens after is not his problem. Roommate was ok with this.

So, my friend booted to an OSX CD, re-partitioned some of the drive and installed OSX on the new partition. That new partition uses completely different credentials but is able to access everything from the primary partition, i.e. all his work stuff.

I'm curious if this works on windows as well, because it seems like an easy way around security protocol unless the drive is encrypted.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy
That's why you force full disk encryption, without full disk encryption you can just use a flash drive to blank out the admin password in Windows 7 and go in to do anything you want with installations.

EoRaptor
Sep 13, 2003

by Fluffdaddy

Tab8715 posted:

If I put \\192.168.1.242 in Explorer I'll see the $f drive, but with the net use command it'll fail? Weird.

Update: It maps if I use just F and not F$... Well, it works now :shrug:

Trying to map C$ will map hidden admin share of the root drive (which may not actually be C:). Other drives in the system won't get hidden admin shares, so X$ or whatever just won't work.

You created a share called F though, so trying to map it worked fine.

AlternateAccount
Apr 25, 2005
FYGM

MF_James posted:

I'm curious if this works on windows as well, because it seems like an easy way around security protocol unless the drive is encrypted.

It absolutely does, as you describe. You can even boot from a Linux or other LiveCD and access the files that way.

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.

MF_James posted:

I'm curious if this works on windows as well, because it seems like an easy way around security protocol unless the drive is encrypted.

Yup, or linux etc.

devmd01
Mar 7, 2006

Elektronik
Supersonik
I'm a bad sysadmin, I just set up a 4 drive raid 0 and put the page file on it. I have a good reason I swear, it's only temporary!

CLAM DOWN
Feb 13, 2007




devmd01 posted:

I just set up a 4 drive raid 0

This made the server admin in me twitch a little.


devmd01
Mar 7, 2006

Elektronik
Supersonik
Believe me I was twitching too when I did it, but that was the only option given the resources available and the time constraints I'm working under for this SQL cluster remediation project that is...not going well.
