|
Bob Morales posted:So then he went on about how I'm being wasteful and if we don't be careful we won't make any money and we won't get any bonuses. And that I shouldn't be selfish and the money we pay for the energy to run the AC and the AS/400 could be shared with the rest of the employees.

drat, would have been nice to get that $0.30 bonus after splitting the AC cost among all the employees. Sucks man.

xzzy posted:The vent would be a lot more effective if the rack was actually pressed up against it.

We have this sweet design where the server exhaust blows on the network rack which is situated one foot away at a 90 degree angle. The network equipment exhausts into a cement wall mere inches away. I like the symphony of fans barking on and off all day.

Judge Schnoopy fucked around with this message at 17:44 on Dec 28, 2017 |
# ? Dec 28, 2017 17:41 |
|
xzzy posted:The vent would be a lot more effective if the rack was actually pressed up against it. I slid it back so I could take a picture. It still doesn't do jack.
|
# ? Dec 28, 2017 17:43 |
|
That must be the only AS/400 in a wood panelled room
|
# ? Dec 28, 2017 18:45 |
|
nielsm posted:Worst error today: User cannot access internal web app. It spews a server error message, HTTP 400.

That's a pretty great way to deal with that.

Tho I also gotta say gently caress AD groups. Soooo many issues with inflated SID counts thanks to our dumbass internal software making a new security group for authentication for every single individual project and attachment. Which we've been doing for years and years with all sorts of mission critical poo poo built on top of it.

This has just started coming to a head with users bumping against the 1024 group limit and it's a colossal pain in the rear end. Cuz when you're part of too many security groups, you can't authenticate against the domain, which means you just can't log in period.

Basically what I'm saying is gently caress AD group membership
|
# ? Dec 28, 2017 18:53 |
|
The Iron Rose posted:That's a pretty great way to deal with that. I mean, the limitation sucks but at the same time AD groups weren't really meant to be used in that manner imo
|
# ? Dec 28, 2017 18:56 |
|
nielsm posted:Worst error today: User cannot access internal web app. It spews a server error message, HTTP 400. I didn't know that this was something that could happen.
|
# ? Dec 28, 2017 18:56 |
|
I don't always have to deal with last minute hires, but when I do it's EVP level or higher.
|
# ? Dec 28, 2017 19:27 |
|
I'd rather have security groups for applications to reference than letting them touch the schema.
|
# ? Dec 28, 2017 19:29 |
|
Dick Trauma posted:
I had a similar issue where HP OneView wouldn't accept the certificate I was generating because it was over 3kb. Had to remove City, State, Country, and Email from the certificate attributes, so it was down to Common Name and Subject Alternative Name. I've run into 'key too large' issues using SHA512 before, but never 'certificate too big'.
|
# ? Dec 28, 2017 19:29 |
The Iron Rose posted:This has just started coming to a head with users bumping against the 1024 group limit and it's a colossal pain in the rear end. Cuz when you're part of too many security groups, you can't authenticate against the domain, which means you just can't log in period.

I didn't know there is even a hard limit like that. Will be good to know. Is it direct memberships only, or does that limit also count indirect (recursive) memberships?

After solving that ticket I sent it to the Problem Manager. It's not exactly a common situation, but I have seen the same issue before (didn't figure out the connection then, old ticket may still be unresolved) so it's probably something that at the very least needs documenting.
|
|
# ? Dec 28, 2017 19:31 |
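On the direct-versus-nested question in the post above, an added example (not part of the thread and not any poster's code): Windows expands nested group memberships when it builds the logon token, so an audit has to count transitive memberships, not just the direct ones. The group and user names below are constructed, the 1024 figure is the one quoted in the thread, and the membership map stands in for data exported from the directory.

```python
from collections import deque

TOKEN_SID_LIMIT = 1024  # group limit quoted in the thread

# Constructed sample data (hypothetical names): group -> groups it is nested in.
# One group per project, each nested in a per-attachment group.
GROUP_MEMBER_OF = {f"proj-{i:04d}": [f"att-{i:04d}"] for i in range(600)}
GROUP_MEMBER_OF.update({f"att-{i:04d}": ["all-projects"] for i in range(600)})
GROUP_MEMBER_OF["all-projects"] = ["proj-0000"]  # circular nesting, must not loop

# Constructed users -> groups they are direct members of.
USER_MEMBER_OF = {
    "alice": [f"proj-{i:04d}" for i in range(600)],
    "carol": [f"proj-{i:04d}" for i in range(470)],
    "bob": [f"proj-{i:04d}" for i in range(5)],
}


def effective_groups(direct, group_member_of):
    """Return every group reachable through direct or nested membership."""
    seen = set()
    queue = deque(direct)
    while queue:
        group = queue.popleft()
        if group in seen:
            continue  # already expanded; this also breaks circular nesting
        seen.add(group)
        queue.extend(group_member_of.get(group, ()))
    return seen


def audit(users, group_member_of, limit=TOKEN_SID_LIMIT, warn_ratio=0.9):
    """Map user -> (direct count, effective count, 'ok' | 'warn' | 'over')."""
    report = {}
    for user, direct in users.items():
        total = len(effective_groups(direct, group_member_of))
        if total >= limit:
            status = "over"
        elif total >= limit * warn_ratio:
            status = "warn"
        else:
            status = "ok"
        report[user] = (len(set(direct)), total, status)
    return report


if __name__ == "__main__":
    # Only group SIDs are counted; other SIDs carried in a token are not modelled.
    for user, row in sorted(audit(USER_MEMBER_OF, GROUP_MEMBER_OF).items()):
        print(user, *row)
```

In the sample, carol has only 470 direct memberships but lands in the warning band once nesting is expanded, which is the case a direct-only count misses.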
|
Thanks Ants posted:I'd rather have security groups for applications to reference than letting them touch the schema.

I agree with this, but if you're using a project management software or some kind of change management, each change/project shouldn't require a new security group, you should be able to group projects/changes within some sort of framework and assign a group to that framework, then you have a pool of X amount of people per group (people could even span multiple groups!) and those groups get assigned to changes/projects, instead of having 1000000 security groups a year because that's how many projects you run a year.

I can see the argument that having a group per project is helpful because you have exactly the people you need assigned to it instead of a pool of people with 70% of them not needing access.

Perhaps a better thing would be, when the project is completed, remove old groups and assign an Everybody group or something to give everyone access to completed projects so they can see documentation etc, I dunno.

MF_James fucked around with this message at 19:34 on Dec 28, 2017 |
# ? Dec 28, 2017 19:31 |
We have a document management system that for some reason determines access control based on distribution group membership. Of course access is only calculated in a batch job twice a day, very convenient.
|
|
# ? Dec 28, 2017 19:36 |
|
MF_James posted:I mean, the limitation sucks but at the same time AD groups weren't really meant to be used in that manner imo

No no they really aren't.

We're transitioning from a fly by the seat of your pants operation to a real enterprise - or trying to - so it's a lot of introducing process and best practice and seeing some horrible awful poo poo in production. Most of that's above my pay grade, mind, but the highlights are fun to list.

Not all fun and games though. We're going to try and strip local admin access in Q1 2018 and nobody knows it's coming. The PMs might not care, but the hundreds of developers and creatives are going to absolutely lose their poo poo.

I think with Macs we can use JAMF to grant temporary local admin access. You can sorta do the same in Windows with some clever GPO fuckery... but because Windows only resets the security context on login it requires users to login and logout in order to grant or remove admin access. Which means it's a bit of a non-starter, though I'm sure there's some way to force a logout after X period of time.

The Iron Rose fucked around with this message at 19:50 on Dec 28, 2017 |
# ? Dec 28, 2017 19:45 |
|
I don't know how many times I'm going to have to tell the riser management company that I need a copper handoff. I hate riser management companies.
|
# ? Dec 28, 2017 19:51 |
|
Bob Morales posted:We have an enclosed half-rack in our server room. The 82 year old owner of the company calls it 'the server'. He'll probably install an extra one just to make sure that can't happen.
|
# ? Dec 28, 2017 19:53 |
|
The Iron Rose posted:Not all fun and games though. We're going to try and strip local admin access in Q1 2018 and nobody knows it's coming. The PMs might not care, but the hundreds of developers and creatives are going to absolutely lose their poo poo. You may want to look into Bit9 and CarbonBlack as a solution. Program whitelisting gives you a few really good things, one of which is that I have yet to see a *locker that actually works on my work machine. They all just throw the Bit9 prompt asking for permission to run, which is set to default deny. Users retain local admin, but they are severely curtailed on what they can install. You can whitelist by code signer, individual program hash, and a few other things.
|
# ? Dec 28, 2017 19:55 |
|
Not pissing me off: I just shut down our Win2k3 public-facing web server and disabled all firewall rules allowing random inbound access to my poo poo. Killed the in-house email gateway too after we migrated to a competent cloud solution last week. I have less than half the number of active firewall rules as this morning.
|
# ? Dec 28, 2017 19:57 |
|
Methylethylaldehyde posted:You may want to look into Bit9 and CarbonBlack as a solution. Program whitelisting gives you a few really good things, one of which is that I have yet to see a *locker that actually works on my work machine. They all just throw the Bit9 prompt asking for permission to run, which is set to default deny. Users retain local admin, but they are severely curtailed on what they can install. You can whitelist by code signer, individual program hash, and a few other things. Thanks for the rec! The plan, in theory, is to just put everything into JAMF and SCCM's software center. I have my doubts over whether or not that's really sustainable, given that it's a bit of a pain and not every program works nicely as a silent install. Which is really just, effectively, a software whitelist and I'm entirely sure there's better ways to do that.
|
# ? Dec 28, 2017 20:01 |
Bob Morales posted:We have an enclosed half-rack in our server room. The 82 year old owner of the company calls it 'the server'. Lol as if cost savings ever get passed down to employees.
|
|
# ? Dec 28, 2017 20:15 |
|
The Iron Rose posted:Thanks for the rec! The plan, in theory, is to just put everything into JAMF and SCCM's software center. I have my doubts over whether or not that's really sustainable, given that it's a bit of a pain and not every program works nicely as a silent install.

We use SCCM as our system management and desktop imaging engine, Bit9 and MS Endpoint for program whitelisting and anti-virus, bitlocker for FDE with the key escrow managed via I think CREDANT. All in all it works really quite well. Despite having a shitton of users, a decent minority of which I wouldn't trust with a typewriter without somehow setting it on fire, we have almost no malware, virus or *locker tickets come in.

On the flip side we have a ton of bit9 tickets come in asking for COUPONBUGDOTCOM.exe to be whitelisted because the front desk lady totally desperately needs it to do her job 1/1 critical sev issue. So much easier to hit the 'No, violates standing policy' button to send the ticket closure email with the canned 'we are unable to complete your request at this time, as it violates one or more of our computer use policies, if you feel this was in error, you can reopen this ticket' response.

I would rather hit that button ten thousand times than to unfuck 6+ TB of network shares because Ted decided to watch sketchy porn from a random east bloc streaming site at 2AM on a saturday and had his laptop running *locker for 18 uninterrupted hours.
|
# ? Dec 28, 2017 20:18 |
|
skooma512 posted:Lol as if cost savings ever get passed down to employees. Well, then it is no longer a cost savings. Do you even business, bro?
|
# ? Dec 28, 2017 20:28 |
|
Mmmm give me that lukewarm trickle-down pls
|
# ? Dec 28, 2017 20:48 |
|
I am on vacation until next week but I am browsing emails out of boredom. Apparently some devs are missing a bunch of data. Where is this data you might ask? Apparently they decided to make a share point site in the old tenant and save critical data to it as a file repository. Out of the dozens of on-prem and cloud options, sharepoint was the best option for them to satisfy their data hoarding. We don't have a sharepoint administrator. I am not loving around trying to figure out how to do it. I am just going to grant them access and tell them "you can do it, i believe in you". Why would people voluntarily store data in SharePoint?
|
# ? Dec 28, 2017 21:15 |
|
Sickening posted:I am on vacation until next week but I am browsing emails out of boredom. Apparently some devs are missing a bunch of data. Where is this data you might ask? Apparently they decided to make a share point site in the old tenant and save critical data to it as a file repository. Out of the dozens of on-prem and cloud options, sharepoint was the best option for them to satisfy their data hoarding. We don't have a sharepoint administrator. I am not loving around trying to figure out how to do it. I am just going to grant them access and tell them "you can do it, i believe in you".
|
# ? Dec 28, 2017 21:18 |
|
Love it when two people whose entire day job is to work with a particular product start finger-pointing at me for the fact that two installations can't talk across a VPN tunnel. Nothing at all to do with them both being configured to receive an inbound connection from their peer, no sir, must be the network
|
# ? Dec 28, 2017 21:19 |
|
We had a user pissed off at us today because she decided this morning that she wanted to work from home, and hadn't logged into her laptop in at least six months, and all the issues she was having were our fault. If she can't just login to the laptop without having to update, then what's the point of even having it?!
|
# ? Dec 28, 2017 23:50 |
|
Thanatosian posted:We had a user pissed off at us today because she decided this morning that she wanted to work from home, and hadn't logged into her laptop in at least six months, and all the issues she was having were our fault. If she doesn't use her work computer, what's the point of her having it?
|
# ? Dec 29, 2017 00:41 |
|
chin up everything sucks posted:If she doesn't use her work computer, what's the point of her having it? Almost checkmate, except she DID try to use it, it didn't work, loving IT hosed things up again, those fuckers.
|
# ? Dec 29, 2017 01:17 |
IT is my personal assistant, why did they drop the ball? My productivities
|
|
# ? Dec 29, 2017 01:21 |
|
The best is when the load average on a computer node is 0.0 for 20 hours a day but when their lovely job crashes it because they seized the system on I/O it's an all hands on deck emergency because of all the resources being wasted and money being lost.
|
# ? Dec 29, 2017 01:24 |
|
As someone on the receiving end of Corp IT wanting local admin rights I actually think centrally managed might be IT working against the business. I fully expect to get flamed on this, but Corp IT should admin o365/Gmail and that’s about it for desktop users. _maybe_ patch management for non technical folks.
|
# ? Dec 29, 2017 01:37 |
|
Totally depends on the organisation. There are some where you can spell out exactly what corp. IT is responsible for and what users need to do themselves (and crucially don't just give up on these lines of demarcation as soon as somebody saves a file locally and then loses their laptop), but that's far from the norm.
|
# ? Dec 29, 2017 01:41 |
|
That's how we do it, there's "central services" that manages all the business poo poo like timecards and email, "server management" that does the compute stuff, and finally "desktop management" which has groups for all three of the major platforms. It works well because no one ever gets their toes stepped on. We each get our own sandbox to play in and can try new stuff, and if something catches on we can share the experience on request.
|
# ? Dec 29, 2017 01:42 |
|
skooma512 posted:Lol as if cost savings ever get passed down to employees.

Get a kill-o-watt and check the usage of the A/C. Probably a few cents a day.

Here's my reposted crappy portable A/C story:

Jerk McJerkface posted:So the building in NYC was owned by a family, and it was completely not up to code anywhere. The manager had his cousins sort of living there, in vacant offices, and working as maintenance people. It was crazy. I don't know why he was cutting the water main, but I do know he was trying to remodel the building and get it up to code since they were being fined a bunch. They did not move the telco room, and in fact it went down a few other times for other reasons. The building put a huge lock on the telco room door, but since the doorway wasn't square you could just sort of tilt the door towards the hinges and the locks would let go.
|
# ? Dec 29, 2017 02:03 |
|
|
# ? Dec 29, 2017 02:21 |
|
Irritated Goat posted:Instead of Step 1, Step 2, etc. Now, it's just find the log for that particular day\machine and hammer F5 on it until you see a success or fail. You want a Bash prompt, tail -f that SOB. Bonus points for piping it through grep and making the computer go beep when you get a success or fail (I'd actually like to see that code).
|
# ? Dec 29, 2017 02:23 |
|
mllaneza posted:You want a Bash prompt, tail -f that SOB. Bonus points for piping it through grep and making the computer go beep when you get a success or fail (I'd actually like to see that code). code:
|
# ? Dec 29, 2017 04:15 |
|
Jaded Burnout posted:
Does that work? I had something more complicated in my head half worked out, lol
|
# ? Dec 29, 2017 05:04 |
|
RFC2324 posted:Does that work? I had something more complicated in my head half worked out, lol Probably. I've not used /dev/audio since 2003 but I don't see why not. Probably sounds awful and lasts 100ms.
|
# ? Dec 29, 2017 05:38 |
|
Jaded Burnout posted:Probably. I've not used /dev/audio since 2003 but I don't see why not. Probably sounds awful and lasts 100ms. after asking i googled and found people piping /dev/random into it as an alarm clock
|
# ? Dec 29, 2017 06:25 |