CLAM DOWN
Feb 13, 2007





Actually, yes. We're not hiring filthy Americans/foreigners though, but if you're in Canada let me know.


Orcs and Ostriches
Aug 26, 2010


The Great Twist

Wrath of the Bitch King posted:

Well, based on what you're saying there is no tenable admin password solution for your situation considering the entire infrastructure is broken down dilapidated poo poo. I mean, cached credentials with a domain account should still work even if the domain goes poof, but I digress.

Cached domain credentials don't work because I never need to log in to most of the stuff with a domain account. I image it, SCCM installs poo poo, and then it's out the door. poo poo's not even in my office most of the time.

CLAM DOWN posted:

Actually, yes. We're not hiring filthy Americans/foreigners though, but if you're in Canada let me know.

Canadian here.

Methanar
Sep 26, 2013

by the sex ghost

Orcs and Ostriches posted:

Cached domain credentials don't work because I never need to log in to most of the stuff with a domain account. I image it, SCCM installs poo poo, and then it's out the door. poo poo's not even in my office most of the time.

I guess you could just keep asking snooty rhetorical questions.

Orcs and Ostriches
Aug 26, 2010


The Great Twist

Methanar posted:

I guess you could just keep asking snooty rhetorical questions.

What rhetorical question? I wanted a way to reset local admin passwords across the domain with 2 conditions:

Don't leave passwords easily accessible in sysvol.
Manually choose the password.

It doesn't seem like some unreasonable request, but apparently there isn't a middle ground to do so. I guess I'm in the unique environment of actually needing to login to the local admin accounts on occasion, but I guess that's just the way poo poo goes here.

But whatever, it's apparently not possible and my poo poo's all broken, so I'm done with it.

Internet Explorer
Jun 1, 2005





Shockingly, you can't use slick, modern solutions if you have a foundation from 1998.

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.

Orcs and Ostriches posted:

Cached domain credentials don't work because I never need to log in to most of the stuff with a domain account. I image it, SCCM installs poo poo, and then it's out the door. poo poo's not even in my office most of the time.

So let's circle back: what exactly are you trying to accomplish?

If you're building this stuff out with OSD it should be incredibly simple to provide yourself a backdoor into the systems unless you're running into some sort of security compliance headache about the credentials, which I'd find doubtful considering the shoestring infrastructure you've alluded to.

It should be easy to have a cached login with a domain account of your choice as well if you're using OSD to stage and build these things. Just make a login with X account the last step of the build. It's not ideal of course but with what you're working with it sounds like the only reasonable option if the SYSVOL issue is so worrisome.

Anyway, every real management solution for this is going to be domain dependent unless you use something that throws agents all over the place, so if you can't consider the availability of your domain to be reliable then you're pretty much hosed.

Wrath of the Bitch King fucked around with this message at 20:09 on Feb 27, 2017

CLAM DOWN
Feb 13, 2007




Orcs and Ostriches posted:

Cached domain credentials don't work because I never need to log in to most of the stuff with a domain account. I image it, SCCM installs poo poo, and then it's out the door. poo poo's not even in my office most of the time.


Canadian here.

Vancouver? PM me.

buffbus
Nov 19, 2012
LAPS (or BeyondTrust Password Safe if you are a masochist) is the proper solution because you can give the password out or even leave it written on a Post-it and it soon won't matter. If all you want is the old Group Policy Preferences but with a secure password, you can grab a copy of WinBatch and create an exe to run as a startup script.

Zaepho
Oct 31, 2013

buffbus posted:

LAPS (or BeyondTrust Password Safe if you are a masochist) is the proper solution because you can give the password out or even leave it written on a Post-it and it soon won't matter. If all you want is the old Group Policy Preferences but with a secure password, you can grab a copy of WinBatch and create an exe to run as a startup script.

Or run it with SCCM.

Oh wait.. if your crappy workstations poo poo the bed you have to go back through the history of what you changed it to every month and figure out which one it has. LAPS writes it to AD when it changes it which means a better chance of it being accurate. Also you could just toss a properly secured and authenticated website up that grabs the password from AD for you so you can access it from any of your lovely workstations that manage to be on the internal network at any of your remote locations.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Zaepho posted:

Or run it with SCCM.

Oh wait.. if your crappy workstations poo poo the bed you have to go back through the history of what you changed it to every month and figure out which one it has. LAPS writes it to AD when it changes it which means a better chance of it being accurate. Also you could just toss a properly secured and authenticated website up that grabs the password from AD for you so you can access it from any of your lovely workstations that manage to be on the internal network at any of your remote locations.
Or a phone call to the helpdesk to pull up LAPS for [computername].

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.
I've heard a few times about the Group Policy Preferences method of creating a user account on a system being dangerous (because of the SYSVOL problem), but is this easily demonstrated? Or would it only be able to be accomplished by an InfoSec guy who knows exactly what they're doing to find that info?

Legitimately curious.

Orcs and Ostriches
Aug 26, 2010


The Great Twist
Ok, I thought I'd be done but let's hash this out.

There are literally times when I need to log into a domain computer with no domain account. Maybe it's a laptop that's not currently on our private wireless network, maybe it's a computer that has some login issue preventing domain accounts. I don't have a cached domain account on either, because I haven't needed to log on before. Maybe it's a lovely thing that runs a CNC machine, which doesn't work with domain users and thus doesn't allow domain users*. These don't seem unreasonable to me.

I currently use the local administrator account. Normal operation was to just set all local admin accounts to one password and leave it (so there are a few floating about depending on the time they were installed), but I'm trying to update them and keep them up to date. I'd also like to know the password, because either: I don't know which one I'll be working on at any given site visit, or I'm not in a location to easily look up the specific password.

That's all I'm looking for. I just want to have some local account, not dependent on domain access, which has a password I know and can update.

*It's an old piece of poo poo that cost way too much, and our domain accounts are too locked down for it to work. None of this is changing.

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.
Run a PowerShell script on a schedule, I guess. If there's an SCCM infrastructure that regularly touches this stuff you should be able to set up a compliance rule that automatically updates the account information to whatever you want it to be.

Of course, securing the script is another matter entirely.

buffbus
Nov 19, 2012

Wrath of the Bitch King posted:

I've heard a few times about the Group Policy Preferences method of creating a user account on a system being dangerous (because of the SYSVOL problem), but is this easily demonstrated? Or would it only be able to be accomplished by an InfoSec guy who knows exactly what they're doing to find that info?

Legitimately curious.

It's encrypted in the policies location in sysvol but with a single well-known key. No normal user is going to stumble upon it but a tech savvy person with time to spare will find it and grab it.

FWIW the GP prefs setting of the password is locked out at the client level so if you get a fresh install of Windows 7 with RSAT and don't run updates, you can still use it. It will remain configured and actively push the password out. You just can't edit it with an updated computer.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Wrath of the Bitch King posted:

I've heard a few times about the Group Policy Preferences method of creating a user account on a system being dangerous (because of the SYSVOL problem), but is this easily demonstrated? Or would it only be able to be accomplished by an InfoSec guy who knows exactly what they're doing to find that info?

Legitimately curious.
You'd navigate to \\domain.local\SYSVOL\domain.local\Policies and find the GUID with the password policy and then open the file with the password in it. But Microsoft took away the ability to set the local Admin password using Group Policy a long time ago, so it's moot, unless you aren't applying security patches or you're on Server 2000 or something.
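buffbus's point that the GPP password is stored under a single well-known key, and anthonypants's description of where it sits under \\domain.local\SYSVOL\domain.local\Policies, both come down to the same defender's check: does any GPO in SYSVOL still carry a cpassword attribute? The script below is an added example (not from the thread and not a Microsoft tool) that inventories those files and reports which GPO, file and account they belong to. It deliberately does not decrypt anything; the point is to find leftovers so they can be removed. The domain name and the SYSVOL path are assumptions to replace.

```powershell
# Added example (not from the thread): inventory Group Policy Preference files in
# SYSVOL that still carry a cpassword attribute. Reports location only; never decrypts.
param(
    [string]$DomainFqdn   = 'domain.local',   # assumed; replace with your domain
    [string]$PoliciesPath = "\\$DomainFqdn\SYSVOL\$DomainFqdn\Policies"
)

# GPP file types that can hold a cpassword attribute.
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
            'DataSources.xml', 'Drives.xml', 'Printers.xml'

function Find-GppPassword {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Include $gppFiles -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        try { [xml]$doc = Get-Content -Path $file.FullName -Raw } catch { return }
        # Any element with a cpassword attribute, regardless of nesting.
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            $gpoGuid = if ($file.FullName -match '\{[0-9A-Fa-f-]+\}') { $Matches[0] } else { 'unknown' }
            # Groups.xml uses userName; Services.xml and ScheduledTasks.xml use accountName.
            $acct = $node.GetAttribute('userName')
            if (-not $acct) { $acct = $node.GetAttribute('accountName') }
            [pscustomobject]@{
                GpoGuid   = $gpoGuid
                File      = $file.FullName
                Account   = $acct
                HasSecret = -not [string]::IsNullOrEmpty($node.GetAttribute('cpassword'))
                Changed   = $node.ParentNode.GetAttribute('changed')   # last edit time of the item
            }
        }
      }
}

Find-GppPassword -Path $PoliciesPath | Format-Table -AutoSize
```

Run it from a domain-joined host as any domain user; SYSVOL is readable by Authenticated Users, which is exactly why a stale Groups.xml is worth finding. Any row with HasSecret set to True is a GPP item that should be deleted (and the account's password rotated), even if the patched management console can no longer edit it, since the policy still applies as buffbus describes.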

Thanks Ants
May 21, 2004

#essereFerrari


CLAM DOWN posted:

You do a large amount of remote/moving around work, and your company won't spring for a laptop for you? Get a new loving job.

As much as it's boring for every answer to be "holy poo poo get out", if you're dealing with 13 year old desktops and are a mobile worker without a mobile computer then there's only so much that can be improved by the choice of software you make for managing local admin passwords.

Edit: New page dammit. I see we've progressed past this point.

Thanks Ants fucked around with this message at 20:48 on Feb 27, 2017

thebushcommander
Apr 16, 2004
HAY GUYS MAKE ME A FUNNY, I'M TOO STUPID TO DO IT BY MYSELF
Wondering if someone can help me understand a recent issue we've had. We run a small Windows server for accounting and data backup. Because the company is so small I have 4 users set up on the server as local user accounts, and these users use Remote Desktop to access the server when they travel, and 1 of them who is on the network is always just logged in to the shared drives on the server for direct access. Last Friday one of the users told me they weren't able to open our accounting software, and upon inspection it was telling them they no longer had permission to access the folder where the database is located. Now each of these 4 users is part of a security group that grants them full access to folders I specify, and the group was listed in the ACL as it has been for 7 years now without issue. All users were still in the group; permissions for said group were accurate. I ended up logging into the local user accounts on the server machine and trying to browse to the folders, at which point I got a notice saying I did not currently have permission to access this drive, with the options to continue and cancel. Hitting continue then allows me to access the folder, and then inspecting the ACL for it, it seems Windows automatically added the user to the access with full rights. This is in addition to the group already having access. I had to do this for all 4 users so that they could regain access to the accounting database. The question is, why did this happen all of a sudden? Things had been working fine for 7 years with just having granted their user group access, but for whatever reason it decided the other day the group was no longer valid or something. There have been no significant changes to the server, just random security updates, but the last one happened a couple weeks ago and things were working fine after it.
If I had to guess, someone messed with the Group Policy editor, but honestly no one on the access list would be smart enough to do that or even know what it was or where to find it. They can barely use Remote Desktop. It's all a little odd. I'd rather not have each user individually granted access to these databases and control it on a group level, but even a new group didn't correct the problem. Any ideas?
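The "Continue" click in the post does something worth being able to see afterwards: it writes an explicit Allow entry for that one user onto the folder, on top of the group entry. The script below is an added example (not from the thread) that lists the non-inherited ACEs on a folder and flags the ones granted directly to a user account rather than a group, so the per-user entries can be cleaned up once the group is working again. The folder path is an assumption; the user/group lookup assumes local accounts on the server, as in the post.

```powershell
# Added example (not from the thread): show non-inherited ACEs on a folder and flag
# explicit per-user Allow entries (the kind the "Continue" prompt leaves behind).
param([string]$Path = 'D:\Accounting\Database')   # assumed path; replace

function Get-PrincipalClass {
    param([string]$Identity)   # e.g. SERVER\alice or BUILTIN\Administrators
    $parts = $Identity -split '\\', 2
    if ($parts.Count -ne 2) { return 'Unknown' }
    try {
        # The WinNT provider reports 'User' or 'Group' for local principals;
        # well-known identities such as NT AUTHORITY\SYSTEM fall through to Unknown.
        ([ADSI]"WinNT://$($parts[0])/$($parts[1])").SchemaClassName
    } catch { 'Unknown' }
}

function Get-ExplicitAces {
    param([string]$Folder)
    (Get-Acl -Path $Folder).Access |
      Where-Object { -not $_.IsInherited } |
      ForEach-Object {
        [pscustomobject]@{
            Identity = $_.IdentityReference.Value
            Class    = Get-PrincipalClass $_.IdentityReference.Value
            Rights   = $_.FileSystemRights
            Type     = $_.AccessControlType
        }
      }
}

$aces = Get-ExplicitAces -Folder $Path
$aces | Format-Table -AutoSize

# Explicit Allow entries for individual users are the ones to remove once the
# group entry works; keep group entries and the usual SYSTEM/Administrators rows.
$aces | Where-Object { $_.Class -eq 'User' -and $_.Type -eq 'Allow' } |
  ForEach-Object { Write-Host "explicit user ACE: $($_.Identity) ($($_.Rights))" }
```

If the group entry is present and the users are members but access still fails, the thing to check before touching ACLs is the session itself: group membership is evaluated at logon, so a user whose Remote Desktop session predates a membership change (or who is hitting a UAC split token, as SEKCobra asks) will not carry the group in their token until they log off and back on.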

SEKCobra
Feb 28, 2011

Hi
:saddowns: Don't look at my site :saddowns:

thebushcommander posted:

Wondering if someone can help me understand a recent issue we've had. We run a small Windows server for accounting and data backup. Because the company is so small I have 4 users set up on the server as local user accounts, and these users use Remote Desktop to access the server when they travel, and 1 of them who is on the network is always just logged in to the shared drives on the server for direct access. Last Friday one of the users told me they weren't able to open our accounting software, and upon inspection it was telling them they no longer had permission to access the folder where the database is located. Now each of these 4 users is part of a security group that grants them full access to folders I specify, and the group was listed in the ACL as it has been for 7 years now without issue. All users were still in the group; permissions for said group were accurate. I ended up logging into the local user accounts on the server machine and trying to browse to the folders, at which point I got a notice saying I did not currently have permission to access this drive, with the options to continue and cancel. Hitting continue then allows me to access the folder, and then inspecting the ACL for it, it seems Windows automatically added the user to the access with full rights. This is in addition to the group already having access. I had to do this for all 4 users so that they could regain access to the accounting database. The question is, why did this happen all of a sudden? Things had been working fine for 7 years with just having granted their user group access, but for whatever reason it decided the other day the group was no longer valid or something. There have been no significant changes to the server, just random security updates, but the last one happened a couple weeks ago and things were working fine after it.
If I had to guess, someone messed with the Group Policy editor, but honestly no one on the access list would be smart enough to do that or even know what it was or where to find it. They can barely use Remote Desktop. It's all a little odd. I'd rather not have each user individually granted access to these databases and control it on a group level, but even a new group didn't correct the problem. Any ideas?

Did you change something with UAC?

thebushcommander
Apr 16, 2004
HAY GUYS MAKE ME A FUNNY, I'M TOO STUPID TO DO IT BY MYSELF

SEKCobra posted:

Did you change something with UAC?

I haven't changed anything on the server manually in probably 8 months, though along with this lock-out issue I noticed the CRM application we use was giving a UAC prompt when people logged in as well. Wonder if an update to that messed something up, but it's almost 8 years old at this point and to my knowledge isn't updated/supported anymore so this would have been the first update in years for that.

peak debt
Mar 11, 2001
b& :(
Nap Ghost

Orcs and Ostriches posted:

Ok, I thought I'd be done but let's hash this out.

There are literally times when I need to log into a domain computer with no domain account. Maybe it's a laptop that's not currently on our private wireless network, maybe it's a computer that has some login issue preventing domain accounts. I don't have a cached domain account on either, because I haven't needed to log on before. Maybe it's a lovely thing that runs a CNC machine, which doesn't work with domain users and thus doesn't allow domain users*. These don't seem unreasonable to me.

I currently use the local administrator account. Normal operation was to just set all local admin accounts to one password and leave it (so there are a few floating about depending on the time they were installed), but I'm trying to update them and keep them up to date. I'd also like to know the password, because either: I don't know which one I'll be working on at any given site visit, or I'm not in a location to easily look up the specific password.

That's all I'm looking for. I just want to have some local account, not dependent on domain access, which has a password I know and can update.

*It's an old piece of poo poo that cost way too much, and our domain accounts are too locked down for it to work. None of this is changing.

https://community.spiceworks.com/how_to/1966-how-to-change-local-user-or-admin-passwords-on-remote-computers

You have to run this from a centralized server and keep track on which PCs have already been changed or not using a text file or some similar solution.

You obviously can't distribute a "change-password.ps1" script to the PCs locally otherwise you're back at the start.
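The approach peak debt describes, run from one central host and keep a list of which PCs are done, can be written so that the chosen password never touches a file or a distribution share. The script below is an added example (it is not the linked Spiceworks script and not the poster's own code): it reads the password at run time, sets it on each target through the ADSI WinNT provider, and records progress in a text file so a second run only retries the machines that were off or failed. Assumptions: a computers.txt with one hostname per line, the account running the script has local admin rights on each target, and PowerShell 5 or later.

```powershell
# Added example (not from the thread): rotate a local account password on a list of
# computers from one management host, tracking completed hosts in a text file.
# The plain-text password exists only in this process's memory; nothing writes it to disk.
param(
    [string]$ComputerList = '.\computers.txt',   # assumed: one hostname per line
    [string]$DoneFile     = '.\done.txt',
    [string]$FailedFile   = '.\failed.txt',
    [string]$Account      = 'Administrator'
)

$secure = Read-Host -Prompt "New local $Account password" -AsSecureString
# NetworkCredential unwraps the SecureString without writing it anywhere (PowerShell 5+).
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

$done = if (Test-Path $DoneFile) { Get-Content $DoneFile } else { @() }

foreach ($pc in (Get-Content $ComputerList | Where-Object { $_.Trim() })) {
    $pc = $pc.Trim()
    if ($done -contains $pc) { Write-Host "skip    $pc (already rotated)"; continue }
    if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) {
        Write-Host "offline $pc"; continue      # not recorded as done, so it is retried next run
    }
    try {
        # WinNT provider: reaches the local SAM of the target over SMB/RPC, no agent needed.
        $user = [ADSI]"WinNT://$pc/$Account,user"
        $user.SetPassword($plain)
        $user.SetInfo()
        Add-Content -Path $DoneFile -Value $pc
        Write-Host "ok      $pc"
    } catch {
        Add-Content -Path $FailedFile -Value "$pc`t$($_.Exception.Message)"
        Write-Host "FAIL    $pc : $($_.Exception.Message)"
    }
}
$plain = $null   # drop the reference; the password was never persisted
```

The done file holds only hostnames, so leaving it on the management server is harmless; what it cannot tell you is which of several historical passwords an offline machine still has, which is the gap Zaepho points out and the reason LAPS records the current value in AD per computer. Running this as a scheduled task on the central host, rather than shipping the script to the clients, is what keeps peak debt's "you're back at the start" problem from reappearing.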

Potato Salad
Oct 23, 2014

nobody cares


Orcs and Ostriches posted:

Ok, I thought I'd be done but let's hash this out.

There are literally times when I need to log into a domain computer with no domain account. Maybe it's a laptop that's not currently on our private wireless network, maybe it's a computer that has some login issue preventing domain accounts. I don't have a cached domain account on either, because I haven't needed to log on before. Maybe it's a lovely thing that runs a CNC machine, which doesn't work with domain users and thus doesn't allow domain users*. These don't seem unreasonable to me.

I currently use the local administrator account. Normal operation was to just set all local admin accounts to one password and leave it (so there are a few floating about depending on the time they were installed), but I'm trying to update them and keep them up to date. I'd also like to know the password, because either: I don't know which one I'll be working on at any given site visit, or I'm not in a location to easily look up the specific password.

That's all I'm looking for. I just want to have some local account, not dependent on domain access, which has a password I know and can update.

*It's an old piece of poo poo that cost way too much, and our domain accounts are too locked down for it to work. None of this is changing.

1) Set up LAPS. Keep reading.

2) You need to log in to that CNC computer? Ctrl-alt-del, log in as other user, username = .\
Whammo, the computer name just appeared in front of you.

3) Whip out your phone, log into vpn, run that powershell script you saved and get the CNC computer password. Or remote to your dc from another computer in the shop. Or call your home office. Nothing has yet depended on domain connectivity on that CNC computer. If none of these three things are available to you, move to Vancouver and work for Clam instead because Jesus.

4) That's the password of the local, not domain dependent account right there and you can now do the needful.

PUBLIC TOILET
Jun 13, 2009

Yeah, short of using LAPS or Group Policy to push a security group to all machines which contains a domain account with administrative privileges (and you use cached credentials,) what else could you do that's secure? As was already mentioned, a PowerShell script would work as a logon script or a scheduled task, but then you're opening a security hole. Add all of that to the fact that the company you represent has ancient hardware and won't give you the proper tools to succeed, get out of there. I personally hate using PsTools because it's counter-intuitive and flaky when you should just have proper software/procedures in place that complete the same tasks safely/securely (ex. PDQ, SCCM, LANDESK)

PUBLIC TOILET fucked around with this message at 21:54 on Feb 28, 2017

peak debt
Mar 11, 2001
b& :(
Nap Ghost
He doesn't want to do LAPS. I agree that's the best way, but he's been told; insisting on it is just obstinate.

There are reasonable reasons to do it without it too: what if you're only managing a small subpart of your domain, don't have domain admin, and your current local admin password has leaked? And you specifically cannot use PDQ, SCCM or LANDESK, because those are software distribution platforms and they will cache your newly chosen passwords in places people can access. The PsTools method is solid because the unencrypted password doesn't have to be cached in bad places.

Extremely Penetrated
Aug 8, 2004
Hail Spwwttag.
My LAPS story: I spun up a new VM and accidentally gave it the name of an existing server (lol), joined it to the domain and everything. LAPS happily gave it a new password. Once the mistake was realized I tried to log into the original VM and of course its trust relationship with the domain had been revoked. I killed its network connection and was able to log in with cached credentials, saving my rear end. This was lucky because LAPS doesn't maintain a password history; I would have had to go find a boot ISO and root it to regain access.

So LAPS can be bad if you are dumb. But otherwise it is good.

ProperCauldron
Oct 11, 2004

nah chill
Microsoft wasn't much help, but:

For my workplace, is anyone aware if I can create and push out a company logo button/link on all Outlook desktop clients that brings users to our O365/intranet site (or perhaps Outlook Web Access (OWA))?

MS said they didn't have anything like that and suggested I research a third-party add-in.

Thanks Ants
May 21, 2004

#essereFerrari


Not sure what you're trying to do here - clicking on 'File' in Outlook 2016 shows the OWA URL under the Account Settings area.

ProperCauldron
Oct 11, 2004

nah chill
The higher-ups want to increase traffic and time spent on our home page. So they're asking me to get our logo on the Outlook desktop clients so users can click it and be brought right to our intranet site.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

ProperCoochie posted:

Microsoft wasn't much help, but:

For my workplace, is anyone aware if I can create and push out a company logo button/link on all Outlook desktop clients that brings users to our O365/intranet site (or perhaps Outlook Web Access (OWA))?

MS said they didn't have anything like that and suggested I research a third-party add-in.
Like a button in the ribbon?

The Fool
Oct 16, 2003


What's wrong with just setting the browser home page via GPO? Why does this have to be done within Outlook?

Thanks Ants
May 21, 2004

#essereFerrari


ProperCoochie posted:

The higher-ups want to increase traffic and time spent on our home page. So they're asking me to get our logo on the Outlook desktop clients so users can click it and be brought right to our intranet site.

Is telling them it can't be done an option?

ProperCauldron
Oct 11, 2004

nah chill

Thanks Ants posted:

Is telling them it can't be done an option?

It might have to be.

They don't want to use GP to set all the home pages because of "politics".

The top dogs are in denial that people just want to visit our intranet site just to grab a payroll form or whatever.

Internet Explorer
Jun 1, 2005





You can set the home page to a default but allow users to change with GPP.

Thanks Ants
May 21, 2004

#essereFerrari


If nobody is visiting the page it's because there's no useful information on it, making it slightly easier to access isn't going to fix that. If it really bothers the higher-ups then just fake the analytics until they are content.

Internet Explorer
Jun 1, 2005





"Hey guys, how do we get more people to visit our Intranet?" "Improve the Intranet so users have a reason to go there!" "No, let's just force them."

"Hey, no one visits our company's public website." "Should we improve it and focus on SEO standards to increase the page ranking?" "No, no one visits it so don't put any resources into it."

:shepicide:

Rhymenoserous
May 23, 2008

ProperCoochie posted:

It might have to be.

They don't want to use GP to set all the home pages because of "politics".

The top dogs are in denial that people just want to visit our intranet site just to grab a payroll form or whatever.

If you are using Chrome in your environment you can set a GPO to make the page the second tab that opens.

peak debt
Mar 11, 2001
b& :(
Nap Ghost

ProperCoochie posted:

The higher-ups want to increase traffic and time spent on our home page. So they're asking me to get our logo on the Outlook desktop clients so users can click it and be brought right to our intranet site.

Send a daily email to "All Users" with the link so it's always on top of the Inbox.

Thanks Ants
May 21, 2004

#essereFerrari


Get a web traffic intercepting proxy and inject JavaScript into every page that spawns a new tab with your intranet site in.

SEKCobra
Feb 28, 2011

Hi
:saddowns: Don't look at my site :saddowns:
I actually love the way the Chrome GPOs work. I built an intricate mesh of enforced and recommended rules: autofill being default off and recommended off, but since users would go haywire they can still turn it on, getting a little icon saying 'Bad Boy'. The only thing they could improve is making the 'Bad Boy' message less of a tooltip and more prominent.

AlternateAccount
Apr 25, 2005
FYGM

Internet Explorer posted:

"Hey guys, how do we get more people to visit our Intranet?" "Improve the Intranet so users have a reason to go there!" "No, let's just force them."


We are fighting exactly this. But we're going to have to do the default homepage GPO. But only for IE, so I assume our Firefox and Chrome usage will go through the roof here real soon.


nexxai
Jul 17, 2002

quack quack bjork
Fun Shoe

Thanks Ants posted:

Get a web traffic intercepting proxy and inject JavaScript into every page that spawns a new tab with your intranet site in.
slow down there satan
