|
BaseballPCHiker posted:
Special snowflake user has beaten me in inter-office politics and now gets their way in regards to their PC locking after 15 minutes of inactivity. I must suffer through this until our next audit when inevitably they will flag this and demand I change it back. (Yes I have the special demand in writing stating my objections).

OU-level policies are applied last and will overwrite policies applied at higher levels. Just put the PC in a security group, apply the policy to disable the setting to that group, then apply the GPO to the same OU as the other computers, then set the "disabled" policy to the lowest number in the Link Order of the OU in GP.

https://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx

"At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence. This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)"

[Edit: gently caress me, how did I think that was the last post in the thread? Oh well, leaving it because there is a link.]
|
# ? Feb 23, 2016 01:47 |
|
CLAM DOWN posted:
Not security filtering, Delegation tab under the GPO settings in the GP Management snapin, you go to Delegation, add the user/group you care about, select the user/group you just delegated to/added to the list, hit advanced, then deny read access to that GPO.

Deny Read will do the job, but I personally prefer Deny Apply. But yeah, the better way is to create a sub-OU and overwrite the setting there. Unless you're messing with precedence manually, that will apply last. This way you also don't have to change any production GPOs that are touching the bulk of your users.

e: And it will be plainly obvious to the next admin that looks at it, unlike some special delegation group that may get entirely overlooked.
|
# ? Feb 23, 2016 02:33 |
|
Internet Explorer posted:
Network Detective is great. I don't think a non-domain admin account, or at the very least an account granted local admin on everything, can get all that Network Detective queries. Have you reached out to their support? They are usually pretty good.

I have not, I get it through my RMM so I don't know if I actually have access to support but will try. Thank you
|
# ? Feb 23, 2016 18:21 |
|
AreWeDrunkYet posted:
Yeah this is the main thing. If you make a different OU and exclude it from the gpo it'll get a nice big blue exclamation mark so you know it's not inheriting policies.
|
# ? Feb 23, 2016 18:24 |
|
This stupid user who can't ever have their computer locked is now officially pissing me off. Knowing that our auditors would nix this as soon as our next review came up the powers that be have asked that it only be unlocked during business hours and then locked all the other time. I don't know what to do at this point. I know you can set times to user accounts that only allow them to login during certain hours but that wouldn't necessarily prevent anyone else from logging in on the machine. I'm seriously considering looking into some mouse wiggle program that will just move the mouse once every 15 minutes and running it as a scheduled task during business hours.
|
# ? Feb 23, 2016 19:01 |
|
Yeah, that went from unreasonable to ridiculous.
|
# ? Feb 23, 2016 19:55 |
|
Can you not tell this user to gently caress off, or get your boss to tell them to gently caress off, or something/anything
|
# ? Feb 23, 2016 19:56 |
|
BaseballPCHiker posted:
This stupid user who can't ever have their computer locked is now officially pissing me off. Knowing that our auditors would nix this as soon as our next review came up the powers that be have asked that it only be unlocked during business hours and then locked all the other time. I don't know what to do at this point. I know you can set times to user accounts that only allow them to login during certain hours but that wouldn't necessarily prevent anyone else from logging in on the machine. I'm seriously considering looking into some mouse wiggle program that will just move the mouse once every 15 minutes and running it as a scheduled task during business hours.
|
# ? Feb 23, 2016 20:14 |
|
CLAM DOWN posted:
Can you not tell this user to gently caress off, or get your boss to tell them to gently caress off, or something/anything

This is a Wall Street-esque trading company. The traders get everything they want under the sun. It's also the most concerned about security place that I've ever worked for. When those two ideas meet it makes for some very interesting times such as this. This person is a trader therefore we need to move heaven and earth for them. Also it'll ding us on our upcoming security audit. So of course it comes down to "JESUS CHRIST HOW IS THIS SO HARD JUST MAKE IT WORK!". All because a trader can't be bothered to hit ctrl+alt+del and sign in when they need to. I'll have to figure something out and will be sure to post my solution when I do.
|
# ? Feb 23, 2016 20:18 |
|
Buy him a nice programmable gaming mouse that has a button on it that will toggle a macro that causes it to roll the scroll wheel down one click every 14 minutes.
|
# ? Feb 23, 2016 20:30 |
|
Can you script turning the locking on and off locally? Then do whatever you want to prevent the GPO from applying that to that particular machine and have it run the script when he logs in and off. It's ugly, but if you absolutely have to make it work then I don't see a better way
|
# ? Feb 23, 2016 20:40 |
|
Dr. Arbitrary posted:
Buy him a nice programmable gaming mouse that has a button on it that will toggle a macro that causes it to roll the scroll wheel down one click every 14 minutes.

And when he forgets to turn it off and the wheel scroll results in him selling $1M instead of buying $1M, the whole IT department will burn
|
# ? Feb 23, 2016 20:42 |
|
thebigcow posted:
Can you script turning the locking on and off locally? Then do whatever you want to prevent the GPO from applying that to that particular machine and have it run the script when he logs in and off.

Yeah, a scheduled task might be the only "acceptable" way to do this.
|
# ? Feb 23, 2016 20:50 |
|
BaseballPCHiker posted:
This is a Wall Street-esque trading company. The traders get everything they want under the sun. It's also the most concerned about security place that I've ever worked for. When those two ideas meet it makes for some very interesting times such as this. This person is a trader therefore we need to move heaven and earth for them. Also it'll ding us on our upcoming security audit. So of course it comes down to "JESUS CHRIST HOW IS THIS SO HARD JUST MAKE IT WORK!". All because a trader can't be bothered to hit ctrl+alt+del and sign in when they need to. I'll have to figure something out and will be sure to post my solution when I do.

Sounds like you've got enough cash to implement smart cards.
|
# ? Feb 23, 2016 20:58 |
|
e: wrong thread
|
# ? Feb 23, 2016 22:30 |
|
Judge Schnoopy posted:
And when he forgets to turn it off and the wheel scroll results in him selling $1M instead of buying $1M, the whole IT department will burn

More likely: He makes a very bad trade, and then blames the mouse after losing millions.
|
# ? Feb 23, 2016 23:12 |
|
Do you have a working relationship with your auditing firm? Have someone run it by them and see what they say, best case they say "hell no" and your side listens to them, otherwise they might be able to tell you an acceptable workaround
|
# ? Feb 23, 2016 23:19 |
|
This sounds like a job for Windows Hello.
|
# ? Feb 24, 2016 02:19 |
|
NevergirlsOFFICIAL posted:
Yeah this is the main thing. If you make a different OU and exclude it from the gpo it'll get a nice big blue exclamation mark so you know it's not inheriting policies.

You don't need to do this. Just being in a sub-OU will give the setting applied at that level precedence. If you block inheritance, you then have to recreate all your other domain settings in that OU.

e: Though clearly this issue has gone in a different direction, the fundamentals are still sound if it comes back to a GPO.
|
# ? Feb 24, 2016 02:24 |
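The three mechanisms argued over in the GPO posts above (link order on an OU, Deny Read / Deny Apply on the Delegation tab, and blocked inheritance on a sub-OU) can be checked read-only for any OU. The PowerShell below is an added example, not code from any post in the thread; the OU distinguished name is a hypothetical placeholder, and it assumes the GroupPolicy and ActiveDirectory RSAT modules are installed.

```powershell
# Added example: list effective GPO precedence for one OU and surface Deny ACEs on each GPO.
# Read-only; needs the GroupPolicy and ActiveDirectory RSAT modules.
Import-Module GroupPolicy, ActiveDirectory

# Hypothetical OU distinguished name; replace with the OU that holds the exempted PC.
$TargetOu = 'OU=Exempt,OU=Workstations,DC=example,DC=com'

# rightsGuid of the "Apply Group Policy" extended right.
$ApplyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Get-OuGpoPrecedence {
    param([Parameter(Mandatory)][string]$Target)

    $inheritance = Get-GPInheritance -Target $Target
    if ($inheritance.GpoInheritanceBlocked) {
        Write-Warning "Inheritance is blocked on $Target; non-enforced parent GPOs are not applied here."
    }

    # InheritedGpoLinks is the effective list: Order 1 is processed last and wins conflicts.
    foreach ($link in $inheritance.InheritedGpoLinks) {
        $gpo = Get-GPO -Guid $link.GpoId

        # Deny ACEs on the GPO object are the Delegation-tab exceptions (Deny Read / Deny Apply).
        $deny = (Get-Acl -Path ("AD:\" + $gpo.Path)).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' }

        [pscustomobject]@{
            Precedence  = $link.Order
            Gpo         = $link.DisplayName
            LinkedAt    = $link.Target
            LinkEnabled = $link.Enabled
            Enforced    = $link.Enforced
            DenyApplyTo = ($deny | Where-Object { $_.ObjectType -eq $ApplyGpoRight }).IdentityReference -join '; '
            OtherDenyTo = ($deny | Where-Object { $_.ObjectType -ne $ApplyGpoRight }).IdentityReference -join '; '
        }
    }
}

Get-OuGpoPrecedence -Target $TargetOu | Sort-Object Precedence | Format-Table -AutoSize
```

A non-empty DenyApplyTo or OtherDenyTo column is the kind of per-group exception an auditor or the next admin would otherwise have to find by opening each GPO's Delegation tab.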
|
Da Mott Man posted:
This sounds like a job for Windows Hello.

Good thing it doesn't work for Windows 10 Pro. You can let people log in by hitting the space bar then a 4-digit pin though, saves time and Microsoft claims it's as good as a password because it only works at that single, local device you set it up on. I guess in a world where we bank on iPhones, that logic will fly.

Edit: also you can write a GPO to never sleep and schedule it on and off the computer with PDQ Deploy.

Zero VGS fucked around with this message at 07:25 on Feb 24, 2016 |
# ? Feb 24, 2016 07:23 |
|
Zero VGS posted:
Good thing it doesn't work for Windows 10 Pro. You can let people log in by hitting the space bar then a 4-digit pin though, saves time and Microsoft claims it's as good as a password because it only works at that single, local device you set it up on. I guess in a world where we bank on iPhones, that logic will fly.

Uh what? Windows 10 Pro can join a domain and Windows Hello (Windows Passport) has domain policies that work exactly like the password complexity settings that we know and love. Not sure why I'm arguing for the joke option, other than you missed very wide the reason.
|
# ? Feb 24, 2016 10:50 |
|
Well I've found a solution. It's stupid but it works. There is a dead simple program called Move Mouse: https://movemouse.codeplex.com/ I downloaded that and used its built-in scheduling feature. It basically just moves the mouse one little pixel every 14 minutes during business hours and then turns off at the end of the day. I'm waiting on the inevitable tirade from the trader about how this messes up something but gently caress it. I'm not wasting any more time on this "project". I'll let the auditors know about when they come later this year. The IT audit does influence the accounting and business audit process as well, and our auditors at least last year weren't complete poo poo heads so we'll see what they say.
|
# ? Feb 24, 2016 15:17 |
|
Can you deploy a smart card reader for logins?
|
# ? Feb 25, 2016 14:05 |
|
Give the fucker a smart card reader and a smart card for logins. During the day, it's his prerogative to leave his smart card right next to the reader on his desk. Then vote Bernie 2016 and wait for the 99% to literally eat the flesh of the rich.
|
# ? Feb 25, 2016 14:13 |
|
any sql server dbas in this thread? not sure where to post a pretty advanced question. well, advanced for me, the db dev.
|
# ? Feb 27, 2016 01:33 |
|
Abel Wingnut posted:
any sql server dbas in this thread? not sure where to post a pretty advanced question. well, advanced for me, the db dev.

Check this thread - http://forums.somethingawful.com/showthread.php?threadid=2672629
|
# ? Feb 27, 2016 01:36 |
|
danke
|
# ? Feb 27, 2016 01:41 |
|
Anyone have experience deploying IaaS SQL in Azure in an Always-On configuration?
|
# ? Mar 3, 2016 00:50 |
|
Anyone know off the top of their head if the US government allows permanent residents (non-citizens) to work at Boeing in IT? Curious because Boeing obviously has contracts with the DoD.
|
# ? Mar 3, 2016 05:24 |
|
lol internet. posted:
Anyone know off the top of their head if the US government allows permanent residents (non-citizens) to work at Boeing in IT? Curious because Boeing obviously has contracts with the DoD.

You should probably ask in Goons in Platoons, they have some job threads there that revolve around security clearances and government contractors.
|
# ? Mar 3, 2016 10:34 |
|
Zero VGS posted:
You should probably ask in Goons in Platoons, they have some job threads there that revolve around security clearances and government contractors.

Are security clearances tied to the military in the USA or something
|
# ? Mar 3, 2016 17:28 |
|
CLAM DOWN posted:
Are security clearances tied to the military in the USA or something

Security clearances involve a good amount of time and money to get, if nothing because you can't work until you have the clearance. The military has plenty of time and money, so if you need a security clearance, they'll have other poo poo for you to do while the paperwork gets processed. Or they'll just have you do the work without the proper clearance and then everyone shrugs their shoulders and says that there must have been a fuckup in the paperwork. In the end though, it's a good route towards clearance.
|
# ? Mar 3, 2016 17:31 |
|
I can't think of a Boeing engineering team that can allow foreign national IT.
|
# ? Mar 3, 2016 17:55 |
|
A Canadian may be able to do more work than others by strict interpretation of DoC policy, but you still have to consider Boeing's internal export policy as well.
|
# ? Mar 3, 2016 18:04 |
|
Dr. Arbitrary posted:
Security clearances involve a good amount of time and money to get, if nothing because you can't work until you have the clearance.

I know, I have a high level security clearance in Canada. I just did non-classified work until mine was processed, it took about 6 months. It also shouldn't cost a person any money? Why would your company not pay for it? I just didn't get the military tie-in.
|
# ? Mar 3, 2016 18:10 |
|
I think often veterans already have the security clearances so they're more easily employable right out the gate. And I think often that these contracts might encourage hiring veterans so you end up with a lot of veterans doing contracting work. Or maybe it just happened that civilians working for the DoD congregated in GiP for whatever reason.
|
# ? Mar 3, 2016 18:13 |
|
Yeah, I keep forgetting how big of a deal "veterans" are in the USA and how it actually is helpful somehow for getting jobs. You guys are weird. Anyways, derail alert.
|
# ? Mar 3, 2016 18:23 |
|
I have one new marketing manager at work asking me if we have Microsoft Project, or if there's anything like it he can use. From what I can see none of our other 500 employees have it, we just have the normal O365 apps. Microsoft Project is $25/user/month or $500-1000-ish for a perpetuity license. What do I tell this guy, is there some kinda freeware that'll do a good enough job or should I just hold my nose and nab the thing?

CLAM DOWN posted:
Yeah, I keep forgetting how big of a deal "veterans" are in the USA and how it actually is helpful somehow for getting jobs. You guys are weird. Anyways, derail alert.

I was only saying that anyone working any kind of information services in the military gets a security clearance, the investigation to get one costs like $50,000 or something, so when US vets get out, all these defense contractors hire them first and you get paid way more than even the rest of the private sector to do the same job but with a clearance. That's why if you browse the vet jobs threads in the GiP forums, a lot of people are super knowledgeable about the clearance process and govt contractor hiring practices.
|
# ? Mar 3, 2016 19:34 |
|
Zero VGS posted:
the investigation to get one costs like $50,000 or something

omg
|
# ? Mar 3, 2016 19:38 |
|
Zero VGS posted:
I have one new marketing manager at work asking me if we have Microsoft Project, or if there's anything like it he can use. From what I can see none of our other 500 employees have it, we just have the normal O365 apps. Microsoft Project is $25/user/month or $500-1000-ish for a perpetuity license. What do I tell this guy, is there some kinda freeware that'll do a good enough job or should I just hold my nose and nab the thing?

If he needs it to do his job, then he needs it. Just expect to keep shelling out the money to others because there is no free Project viewer.
|
# ? Mar 3, 2016 19:40 |