FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
I'm trying to help someone out with some group management tasks. For reasons beyond my control, when someone is no longer eligible for their AD account, it gets deactivated and moved into an OU that only admins have access to. So I can see it, but the person I'm helping can't. He's doing some adding and removing of users from groups in bulk - up to 70k at a time. In the ADUC console, he can open a group and find one of these deactivated members and remove it from the group, without having read access to the actual account object. But that doesn't scale.

I'm trying to figure out if there's some way to remove an account from a group that doesn't involve trying to read the group. Because of the size of the groups, Get-ADGroupMember doesn't work, so I'm using the Member property of Get-ADGroup. This is a list of DNs of users, which I then pass into Remove-ADGroupMember. But what the cmdlet does is take that DN and try to retrieve the full user object, and then fail. Is there any voodoo magic I can do to remove the users in the same way ADUC does, without actually trying to retrieve them?


The Fool
Oct 16, 2003


Try:
code:
Set-ADGroup -Identity $groupDN -Remove @{'Member'=$userDN}
This should be editing the ad attributes of the group directly, without any additional processing or verification.

e:
-Instance should also work if you're making bulk changes to the group and only want to make one call to the AD server.
code:
$group = Get-Adgroup -Identity $groupDN -Properties *

# do things to $group.member and whatever other properties you want to change

Set-Adgroup -Instance $group

The Fool fucked around with this message at 01:22 on Feb 19, 2019
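Putting the attribute-level approach from the post above into a script for the bulk case described in the question. This is an added example, not code from the thread; $GroupDN, $DisabledOU and the batch size of 1000 are assumed parameters, and the OU filter is a plain string match on the member DN so nothing under the restricted OU is ever read as an object.

```powershell
# Added example: drop members from a large group by editing the group's
# "member" attribute directly, so disabled accounts in the admin-only OU are
# never resolved as objects. $GroupDN, $DisabledOU and $BatchSize are assumed.
param(
    [Parameter(Mandatory)][string]$GroupDN,
    [Parameter(Mandatory)][string]$DisabledOU,   # placeholder, e.g. 'OU=Disabled,DC=example,DC=com'
    [int]$BatchSize = 1000
)

Import-Module ActiveDirectory

# Read only the attribute we need; Get-ADGroupMember would try to resolve
# every member object and fail on the ones we cannot read.
$group = Get-ADGroup -Identity $GroupDN -Properties member

# Pick out members whose DN sits under the restricted OU. This is a string
# comparison on the DN, not a lookup of the account.
$toRemove = @($group.member | Where-Object { $_ -like "*,$DisabledOU" })
Write-Host ("{0} of {1} members are in {2}" -f $toRemove.Count, $group.member.Count, $DisabledOU)

# Remove in batches: one LDAP modify per batch instead of one per member.
for ($i = 0; $i -lt $toRemove.Count; $i += $BatchSize) {
    $end   = [Math]::Min($i + $BatchSize, $toRemove.Count) - 1
    $batch = $toRemove[$i..$end]
    try {
        Set-ADGroup -Identity $GroupDN -Remove @{ member = $batch }
        Write-Verbose ("Removed {0} members (batch starting at {1})" -f $batch.Count, $i)
    } catch {
        Write-Warning ("Batch starting at {0} failed: {1}" -f $i, $_.Exception.Message)
    }
}

# Verify by re-reading the attribute, again without touching member objects.
$after = (Get-ADGroup -Identity $GroupDN -Properties member).member
$left  = @($after | Where-Object { $_ -like "*,$DisabledOU" }).Count
Write-Host ("{0} restricted-OU members remain in the group" -f $left)
```

Run it with -Verbose to see each batch; the final count should come back as 0 if the modifies succeeded.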

Potato Salad
Oct 23, 2014

nobody cares


I know some of y'all work or have worked in bigass datacenters. Long story short, I'm sorta becoming a mid-rear end datacenter and I probably should invest in a server lift.

Is there a thread for datacenters, or do any of you have any recommendations/anti-recommendations on server lifts?

Docjowles
Apr 9, 2009

Potato Salad posted:

I know some of y'all work or have worked in bigass datacenters. Long story short, I'm sorta becoming a mid-rear end datacenter and I probably should invest in a server lift.

Is there a thread for datacenters, or do any of you have any recommendations/anti-recommendations on server lifts?

Your best bet is probably to hit up the general IT thread

Sickening
Jul 16, 2007

Black summer was the best summer.

Potato Salad posted:

I know some of y'all work or have worked in bigass datacenters. Long story short, I'm sorta becoming a mid-rear end datacenter and I probably should invest in a server lift.

Is there a thread for datacenters, or do any of you have any recommendations/anti-recommendations on server lifts?

They are expensive as hell. I am very pro them, but I have never run a data center where it fit in the budget.

lol internet.
Sep 4, 2007
the internet makes you stupid
Looking for a definite answer to P2V Server 2003 X64 for Hyper V.

I've tried Disk2VHD, I get the blue screen. Tried both VHD/VHDX as IDE instead of SCSI /w proc compatibility enabled

I was going to try VMConverter > VMC 3.0 converter but I get an error on VM Converter.

Physical hardware is proliant server, I assume it's the SCSI drivers. Anyone have experience with this or a recommended software?

thebigcow
Jan 3, 2001

Bully!

lol internet. posted:

Looking for a definite answer to P2V Server 2003 X64 for Hyper V.

I've tried Disk2VHD, I get the blue screen. Tried both VHD/VHDX as IDE instead of SCSI /w proc compatibility enabled

I was going to try VMConverter > VMC 3.0 converter but I get an error on VM Converter.

Physical hardware is proliant server, I assume it's the SCSI drivers. Anyone have experience with this or a recommended software?

When I had to move a Server 2000 install to VMware I used Clonezilla to back up the drives to the network, and then restored from that on the vm. I had to set the boot drive as IDE or Windows would just not boot.

I'm not saying this is a good way to get the job done, but it is a way that worked for me.

Thanks Ants
May 21, 2004

#essereFerrari


Been working on packaging applications for Intune over the past couple of weeks, happy to report that it works really well. The tool (https://docs.microsoft.com/en-us/intune/apps-win32-app-management) wraps the installer up with any files that it depends on, and you have full control of the path that is executed when the install button is clicked, so you can add any preconfiguration strings that the installer supports.

For installers that don't use MSI you can write your own rules to detect whether an application is already installed based on files/registry keys. I don't think there's any way to pass variables into the path (e.g. you can't pass the UPN) but I guess if enough people ask for it then it will come.

Stuff that I'd previously been writing Powershell for to download zip files and extract them into a temporary location before kicking off a setup process has all been replaced with these new packages without any issues.

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else

Thanks Ants posted:

Been working on packaging applications for Intune over the past couple of weeks, happy to report that it works really well. The tool (https://docs.microsoft.com/en-us/intune/apps-win32-app-management) wraps the installer up with any files that it depends on, and you have full control of the path that is executed when the install button is clicked, so you can add any preconfiguration strings that the installer supports.

For installers that don't use MSI you can write your own rules to detect whether an application is already installed based on files/registry keys. I don't think there's any way to pass variables into the path (e.g. you can't pass the UPN) but I guess if enough people ask for it then it will come.

Stuff that I'd previously been writing Powershell for to download zip files and extract them into a temporary location before kicking off a setup process has all been replaced with these new packages without any issues.

This is good to hear. I'm going to be pushing to move towards this later this year.

Spyderizer
Feb 18, 2004
Works with delivery optimisation. That's good to know, we're seeing quite significant bandwidth savings with that.

kumba
Nov 8, 2003

I posted my food for USPOL Thanksgiving!

enjoy the ride

Lipstick Apathy
I tried to find an office or O365 thread to no avail, so I'm hoping this is the right place to ask this -

The company I work for utilizes a (read: really, really dumb) combination of Sharepoint and Infopath nonsense for a digital, "anonymous" corporate suggestion box. I put the "anonymous" in quotes because the thing has some security built in to it that captures the submitter for a very short period of time in the case of something stupid received like a threat of physical violence or a bomb or whatever.

I want to kill this over-engineered custom thing and use MS forms & Flow to accomplish the same thing with much less overhead. I've built the form wherein a user can input a suggestion and, optionally, leave their name. A flow was made to generate an email to the team that reviews these items that contains only the information entered into the form, not the metadata of the submitter. So far, so good.

My problem: the powers that be in the organization still want to have the ability to track someone down in a pinch for the same reasons outlined above: if someone submits something harassing or threatening in nature because it's "anonymous" they want to be able to find out who did it. We could turn the 'Record Names' feature on and that would solve this issue, however it then loses the anonymity (even if I never actually forward submitter information to anyone) because there's a big loving disclaimer in the center of the form that says "Hi, {FIRSTNAME}, when you submit this form, the owner will be able to see your name and email address."

I guess, ultimately, the question is: if Record Names is set to off, what are the chances my network admin can look through logs and track down the IP of who clicked the submit button on the offending entry? Is this kind of thing feasible to do if necessary?

FunOne
Aug 20, 2000
I am a slimey vat of concentrated stupidity

Fun Shoe
You could set up the flow and just test it? Check the logs and see what gets captured. I'm certain it's logging your credentials somewhere.

These people are auth'd into 365 right? You can always have your flow submit the information to an audit log if you absolutely had to.

Me, I'd claim it was trackable because it probably is, then just let it go. On the off chance someone abuses it AND it turns out I'm wrong then I'd say I made a mistake or claim MSFT changed something. But that's me.

lol internet.
Sep 4, 2007
the internet makes you stupid
Using scom 2012 R2 which is in extended support. Does that mean they would release an update to work with server 2019 or did that end with mainstream support?

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Extended support generally means "we'll fix the security vulnerabilities and nothing else" and also why in the hell are you running a million year old install of SCOM

kumba
Nov 8, 2003

I posted my food for USPOL Thanksgiving!

enjoy the ride

Lipstick Apathy

FunOne posted:

You could set up the flow and just test it? Check the logs and see what gets captured. I'm certain it's logging your credentials somewhere.

These people are auth'd into 365 right? You can always have your flow submit the information to an audit log if you absolutely had to.

Me, I'd claim it was trackable because it probably is, then just let it go. On the off chance someone abuses it AND it turns out I'm wrong then I'd say I made a mistake or claim MSFT changed something. But that's me.

The credentials aren't passed at all into flow, so that's a no go. The Record Names feature in Forms is what allows those credentials to be passed - with that option off, all you get is the form content.

That's the tricky part here - I need to avoid turning that option to on because the disclaimer, as it's worded, implies that whoever is on the ultimate receiving end of these submissions is getting your name. But they're not!

I understand why it's there, but I wish there was a way to turn that disclaimer off. Was just hoping someone else had maybe gone through something similar to avoid having to crawl through logs with a fine-toothed comb but them's the ropes :v:

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else
I'd probably do the same as mentioned above. I'd set it up and submit a form myself then just see what gets logged where. It doesn't need to be easily accessible, it just needs to be a thing you can find on the 15th Tuesday of the next century.

Eschatos
Apr 10, 2013


pictured: Big Cum's Most Monstrous Ambassador
Hey, folks who use scheduled tasks a lot, have you ever noticed a problem where after disabling/reenabling a given task, its next scheduled runtime just keeps resetting whenever it's reached instead of actually running? This is specifically on Server 2016. Editing the task and re-entering credentials for the service account it's running as fixes the problem. I'm guessing that it has something to do with the fact that we're shutting down these tasks to update the software they run, maybe some security feature that prevents the task from running without fresh admin authorization?

The Fool
Oct 16, 2003


fwiw, I migrated all of my scheduled tasks to azure devops pipelines.

Potato Salad
Oct 23, 2014

nobody cares


Anonymity: create a custom view for a list that always just looks like a form. Accomplish this by hiding any rows that have any data filled in.

Track the submitter using revision history for the offending entry.

Potato Salad fucked around with this message at 20:29 on Mar 5, 2019

Potato Salad
Oct 23, 2014

nobody cares


With minimum time, that'll be $450.

lol internet.
Sep 4, 2007
the internet makes you stupid

FISHMANPET posted:

Extended support generally means "we'll fix the security vulnerabilities and nothing else" and also why in the hell are you running a million year old install of SCOM

Blah, I inherited it and have been busy, so I don't have time to reinstall and then reconfigure all the alerts like I'd want to. I guess I'll just do a sloppy in-place upgrade to current branch.

Is everyone just going SAC nowadays? Find it so much overhead to do SAC for vmm, scmm and now scom

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Assuming you mean Semi-Annual Channel as opposed to doing the Long Term Servicing Channel that releases every few years, yeah we're doing that for SCCM and now SCOM. We just went through a SCOM upgrade, from 2016 to 1801 then 1807 and it was pretty painless. And it looks like you can do an in-place upgrade from SCOM 2012R2 UR12 to either 1801 or 1807 (the language here is kinda vague) but even if it's only to 1801, the 1807 upgrade is pretty simple.
https://docs.microsoft.com/en-us/system-center/scom/deploy-upgrade-overview?view=sc-om-1807#in-place-upgrade

Zaepho
Oct 31, 2013

FISHMANPET posted:

And it looks like you can do an in-place upgrade from SCOM 2012R2 UR12 to either 1801 or 1807 (the language here is kinda vague) but even if it's only to 1801, the 1807 upgrade is pretty simple.
https://docs.microsoft.com/en-us/system-center/scom/deploy-upgrade-overview?view=sc-om-1807#in-place-upgrade

To add to this, in the vast majority of cases I've seen, the in-place also just works.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

The Azure Sentinel product looks pretty neat. Might try to play with it while it's in preview. I wonder what the final pricing is going to be like, if it's competitive it could be a SIEM game changer. We pay major bucks for our current SIEM solution.

FunOne
Aug 20, 2000
I am a slimey vat of concentrated stupidity

Fun Shoe
Odd ball, not really Windows question, but I figure someone here might know. I need to make routine modifications to data stored in CSV files for some business process automation work. Nothing complicated, lookup & replace, mangle, that kind of thing.

Does anyone make a normal tool to do this that ISN'T some big-data online server or service bullshit? I need to be able to hand it fully configured to a nontechnical user and I don't want them mucking through Excel daily for the various changes.

It feels like the kind of thing I used to solve with a bash script, so surely someone has a command line style utility that I can make a config file for and go from there.

Or am I getting into Python this weekend?

Potato Salad
Oct 23, 2014

nobody cares


Learning a data science tool may not be worth your time

Powershell or Python both work shockingly well for altering csv

Benefit of PS would be that any Windows system will work out of the box, no Py shell and module version management needed

The Fool
Oct 16, 2003


PowerShell is nice because you can load the CSV into an object and take advantage of PowerShell's decent object manipulation tools and pipeline.

Python is nice because of pandas.

There is also OpenRefine

Dirt Road Junglist
Oct 8, 2010

We will be cruel
And through our cruelty
They will know who we are
I'd use Powershell, but Powershell is the hammer I carry around and swing at every problem, so calibrate accordingly.

User experience question: does anyone have a guide or even general suggestions for optimizing Windows 10 for the enterprise environment? My team may finally have wrested control of the base Win10 image back from some other idiots who took it over for a while, and we want to burn the fucker to the ground and rebuild it leaner and meaner. I used to keep up with what could safely be removed, disabled, or tuned up for a better business experience, but I've been slacking since they made me queen scripting bitch on the servers.

Thanks Ants
May 21, 2004

#essereFerrari


Security wise, read https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-baselines

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord
Sorry if this is the wrong place, but I have an Azure networking question I can't figure out. If this isn't the right thread, point me in the right way. I didn't see an Azure specific thread.

I have two virtual networks, we'll call them EAST-NET (10.0.0.0/24) and WEST-NET (10.0.1.0/24). They both have virtual gateways which we'll call EAST-GW and WEST-GW. Both have mutual connections and are listed as "connected".

I have a third network called SSLVPN-NET (192.168.0.1/24) with its own SSLVPN-GW. Mutual connections listed as "connected" with both of the production networks. It has a point-to-site VPN set up (using range 192.168.123.0/24). Connecting to the point-to-site VPN from my home computer, I can't ping anything in EAST-NET or WEST-NET. My question is... with the gateway connections set up, does routing not populate automatically? If there's a way I need to set up routing, I'm not sure how to start that process. Will "peering" fix my issue?

Thanks for any help.

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else

FunOne posted:

Odd ball, not really Windows question, but I figure someone here might know. I need to make routine modifications to data stored in CSV files for some business process automation work. Nothing complicated, lookup & replace, mangle, that kind of thing.

Does anyone make a normal tool to do this that ISNT some big-data online server or service bullshit? I need to be able to hand it fully configured to a nontechnical user and I don't want them mucking through Excel daily for the various changes.

It feels like the kind of thing I used to solve with a bash script, so surely someone has a command line style utility that I can make a config file for and go from there.

Or am I getting into Python this weekend?

As above, I would very likely solve this with PowerShell. You can import-csv and manipulate as required, then export it back out.
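The Import-Csv / edit / Export-Csv pattern from this answer, shaped for the "hand it to a nontechnical user with a config file" requirement in the question. This is an added example, not code from the thread; the file names and the rules.json layout are assumptions.

```powershell
# Added example: config-driven CSV edits with Import-Csv/Export-Csv, so the
# user runs one command and the find/replace rules live in a JSON file.
# File names and the rules layout below are assumed, not from the thread.
param(
    [string]$InputCsv  = '.\input.csv',
    [string]$OutputCsv = '.\output.csv',
    [string]$RulesFile = '.\rules.json'
)

# rules.json layout (constructed example):
# [
#   { "column": "Region", "find": "N. America",      "replace": "NA" },
#   { "column": "Email",  "find": "@oldcorp\\.com$", "replace": "@newcorp.com", "regex": true }
# ]
$rules = Get-Content -Raw -Path $RulesFile | ConvertFrom-Json
$rows  = @(Import-Csv -Path $InputCsv)
if ($rows.Count -eq 0) { throw "$InputCsv has no data rows" }

# Refuse to run if a rule names a column the file does not have; silently
# skipping it is how bad data gets exported as "done".
$columns = $rows[0].PSObject.Properties.Name
foreach ($r in $rules) {
    if ($r.column -notin $columns) { throw "$RulesFile refers to unknown column '$($r.column)'" }
}

$changed = 0
foreach ($row in $rows) {
    foreach ($r in $rules) {
        $old = [string]$row.($r.column)
        # "regex": true uses -replace (regular expression); otherwise a literal replace.
        $new = if ($r.regex) { $old -replace $r.find, $r.replace } else { $old.Replace([string]$r.find, [string]$r.replace) }
        if ($new -ne $old) { $row.($r.column) = $new; $changed++ }
    }
}

$rows | Export-Csv -Path $OutputCsv -NoTypeInformation
Write-Host "$changed cell(s) changed; wrote $OutputCsv"
```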

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Dirt Road Junglist posted:

I'd use Powershell, but Powershell is the hammer I carry around and swing at every problem, so calibrate accordingly.

User experience question: does anyone have a guide or even general suggestions for optimizing Windows 10 for the enterprise environment? My team may finally have wrested control of the base Win10 image back from some other idiots who took it over for a while, and we want to burn the fucker to the ground and rebuild it leaner and meaner. I used to keep up with what could safely be removed, disabled, or tuned up for a better business experience, but I've been slacking since they made me queen scripting bitch on the servers.

If you're talking about ripping parts of it out and minimizing unnecessary services, just don't bother. We used to do this back in the Win7 days, but you can't fight Win10 anymore, at least not without dumping a ton of resources into it. With the new servicing model it's a constant battle that just isn't worth it, especially with how powerful hardware is these days. You can still do it if you're hellbent on doing so, but it's a constant battle and not a good use of your time.

The Fool
Oct 16, 2003


Dirt Road Junglist posted:

User experience question: does anyone have a guide or even general suggestions for optimizing Windows 10 for the enterprise environment? My team may finally have wrested control of the base Win10 image back from some other idiots who took it over for a while, and we want to burn the fucker to the ground and rebuild it leaner and meaner. I used to keep up with what could safely be removed, disabled, or tuned up for a better business experience, but I've been slacking since they made me queen scripting bitch on the servers.

Do you have a deployment infrastructure in place?

If not, do that. If so:
Use a thin image that you build on deployment, don't preinstall apps and sysprep anymore.
You can remove most of the Modern Apps from the build using powershell: https://www.kapilarya.com/how-to-uninstall-built-in-apps-in-windows-10
You can build your own start menu layout: https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout
If you have Enterprise or Education, make sure you're disabling the consumer stuff with GPO: https://docs.microsoft.com/en-us/windows/client-management/group-policies-for-enterprise-and-education-editions

The Fool
Oct 16, 2003


COOL CORN posted:

Sorry if this is the wrong place, but I have an Azure networking question I can't figure out. If this isn't the right thread, point me in the right way. I didn't see an Azure specific thread.

I have two virtual networks, we'll call them EAST-NET (10.0.0.0/24) and WEST-NET (10.0.1.0/24). They both have virtual gateways which we'll call EAST-GW and WEST-GW. Both have mutual connections and are listed as "connected".

I have a third network called SSLVPN-NET (192.168.0.1/24) with its own SSLVPN-GW. Mutual connections listed as "connected" with both of the production networks. It has a point-to-site VPN set up (using range 192.168.123.0/24). Connecting to the point-to-site VPN from my home computer, I can't ping anything in EAST-NET or WEST-NET. My question is... with the gateway connections set up, does routing not populate automatically? If there's a way I need to set up routing, I'm not sure how to start that process. Will "peering" fix my issue?

Thanks for any help.

I was under the impression the recommended way to connect to vnets in azure is through peering, and route tables are definitely advertised automatically in that scenario.

I don't think the gateways route automatically.

Potato Salad
Oct 23, 2014

nobody cares


Azure: read up on hub/spoke peering

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else

COOL CORN posted:

Sorry if this is the wrong place, but I have an Azure networking question I can't figure out. If this isn't the right thread, point me in the right way. I didn't see an Azure specific thread.

I have two virtual networks, we'll call them EAST-NET (10.0.0.0/24) and WEST-NET (10.0.1.0/24). They both have virtual gateways which we'll call EAST-GW and WEST-GW. Both have mutual connections and are listed as "connected".

I have a third network called SSLVPN-NET (192.168.0.1/24) with its own SSLVPN-GW. Mutual connections listed as "connected" with both of the production networks. It has a point-to-site VPN set up (using range 192.168.123.0/24). Connecting to the point-to-site VPN from my home computer, I can't ping anything in EAST-NET or WEST-NET. My question is... with the gateway connections set up, does routing not populate automatically? If there's a way I need to set up routing, I'm not sure how to start that process. Will "peering" fix my issue?

Thanks for any help.

Sounds like you might have a peering issue (as mentioned above).

The Fool
Oct 16, 2003


Potato Salad posted:

Azure: read up on hub/spoke peering

Is there more to read up on beyond knowing the networking concepts and how to setup peering in azure?

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord
The issue is complicated by an outside network being part of the scenario (to a SonicWALL firewall). I think the issue is that I need to find the right protocol to allow thru-traffic through Azure and into an outside firewall/network. And now every time I try to make a change in Azure it takes a couple hours and then fails :smithicide:

Potato Salad
Oct 23, 2014

nobody cares


Specifically the model I'm talking about for peering is the creation of a hub network to which everything else is peered as spokes. This simplifies how your site VPNs and each network fw/router is set up and will almost always drive down your ops spend.

What you have going on is almost definitely peering problems, which is easy to get wrong without a simple topology with one peer (the hub) per spoke

Potato Salad fucked around with this message at 19:28 on Mar 8, 2019
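The hub/spoke model described above, applied to the networks in the question: SSLVPN-NET (the one with the point-to-site gateway) becomes the hub and EAST-NET and WEST-NET are peered to it as spokes. This is an added example with the Az PowerShell module, not code from the thread; the resource group name is a placeholder, and it assumes the spokes no longer have gateways of their own, since -UseRemoteGateways cannot be set on a VNet that still has one.

```powershell
# Added example: hub/spoke peering with the VPN network as hub, so P2S
# clients on SSLVPN-GW can reach EAST-NET and WEST-NET through gateway
# transit. 'rg-net' is a placeholder; spokes are assumed to have no gateway.
$rg     = 'rg-net'
$hub    = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'SSLVPN-NET'
$spokes = @('EAST-NET', 'WEST-NET')

foreach ($name in $spokes) {
    $spoke = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $name

    # Hub -> spoke: allow the hub's gateway to forward traffic for this spoke.
    Add-AzVirtualNetworkPeering -Name "hub-to-$name" `
        -VirtualNetwork $hub -RemoteVirtualNetworkId $spoke.Id `
        -AllowGatewayTransit -AllowForwardedTraffic | Out-Null

    # Spoke -> hub: the spoke uses the hub's gateway, which is what puts the
    # P2S client range (192.168.123.0/24 in the question) into its routes.
    Add-AzVirtualNetworkPeering -Name "$name-to-hub" `
        -VirtualNetwork $spoke -RemoteVirtualNetworkId $hub.Id `
        -UseRemoteGateways -AllowForwardedTraffic | Out-Null
}

# Check: each peering should report Connected, with UseRemoteGateways on the
# spoke side and AllowGatewayTransit on the hub side.
foreach ($name in $spokes + 'SSLVPN-NET') {
    Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName $name |
        Select-Object Name, PeeringState, UseRemoteGateways, AllowGatewayTransit
}
```

P2S clients only learn the spoke prefixes after the VPN client profile is downloaded again, so re-download it on the home machine after peering before testing ping.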


The Fool
Oct 16, 2003


COOL CORN posted:

The issue is complicated by an outside network being part of the scenario (to a SonicWALL firewall). I think the issue is that I need to find the right protocol to allow thru-traffic through Azure and into an outside firewall/network. And now every time I try to make a change in Azure it takes a couple hours and then fails :smithicide:

Have your sonicwall connect to whatever network is geographically closest to it using a gateway, peer your other networks with that network.

Or you can do what I did and skip the gateway and have your VPN terminate in a VM. I used StrongSwan. You would still use peering to connect your vnets to each other.
