|
I'd also resort to comparing the v_TaskExecutionStatus records for a good device vs. a bad device. I often found that to be more helpful than pouring over line after line of SMSTS.log Compare everything: steps executed, exit codes, outputs, and time to complete. You should see some difference.
|
#
?
Apr 10, 2019 06:37
|
|
|
|
| # ? May 30, 2024 19:00 |
|
|
Updates cause weird problems are weird: We did actually compare logs from a failed and successful device. They are identical. We blasted a Surface with the image over and over until we got it to fail and are now reading through Event Logs. Nothing useful here either. The rate of occurrence of this problem is incredibly low, probably 1-2%. Makes forcing it to happen tricky. We have managed to observe it in geographically diverse locations, but due to the way our DMVPN is setup this doesn't entirely rule out a network gremlin, it just makes it seem less likely. I'm well and truly stumped on this one.
|
|
#
?
Apr 11, 2019 16:15
|
|
|
It's going to be DNS. Non joke answer, log a Microsoft ticket or get a PFE on that, they'll love that one.
|
|
#
?
Apr 11, 2019 17:55
|
|
|
MF_James posted:This was my first thought when they said new server, but considering some devices work and others don't it's odd, but it wouldn't be the first time one vendor goes with spec and one against...
|
|
#
?
Apr 11, 2019 17:57
|
|
|
Aunt Beth posted:Yup, it was a cert issue on the new server! Why Cisco didn't care though is still a mystery... Huzzah! One thread issue down.
|
|
#
?
Apr 12, 2019 14:59
|
|
|
More Azure chat: A while back, I could swear there was some talk about a MS service/product that was hybrid cloud/on-premise for file sharing that would point your clients to get files from your local servers when the client was actually on-premise, and direct them to the Azure-based share for when they were off the LAN. The distinction between the two was invisible to the end user, basically they would just double-click their shortcut or whatever to their mapped drive, and the rest would be handled behind the scenes. Does this even exist or was it just some weird drug-induced dream I had? I'm seeing Azure File Shares and Azure File Sync, and they're both kinda sorta similar to what I'm remembering but neither one is quite exactly it. Am I imagining this?
|
|
#
?
Apr 12, 2019 19:02
|
|
|
That sounds like something OneDrive might do.
|
|
#
?
Apr 12, 2019 19:17
|
|
|
Mr. Clark2 posted:More Azure chat: A while back, I could swear there was some talk about a MS service/product that was hybrid cloud/on-premise for file sharing that would point your clients to get files from your local servers when the client was actually on-premise, and direct them to the Azure-based share for when they were off the LAN. The distinction between the two was invisible to the end user, basically they would just double-click their shortcut or whatever to their mapped drive, and the rest would be handled behind the scenes. Does this even exist or was it just some weird drug-induced dream I had? StorSimple.
|
|
#
?
Apr 12, 2019 19:30
|
|
|
Mr. Clark2 posted:More Azure chat: A while back, I could swear there was some talk about a MS service/product that was hybrid cloud/on-premise for file sharing that would point your clients to get files from your local servers when the client was actually on-premise, and direct them to the Azure-based share for when they were off the LAN. The distinction between the two was invisible to the end user, basically they would just double-click their shortcut or whatever to their mapped drive, and the rest would be handled behind the scenes. Does this even exist or was it just some weird drug-induced dream I had? I'm pretty sure it is Azure File Sync you're thinking of.
|
|
#
?
Apr 12, 2019 19:37
|
|
|
I don't think any of those have the desktop client element. I'm not aware of anything that does what you want.
|
|
#
?
Apr 12, 2019 19:38
|
|
|
Could you be talking about Work Folders? On-demand access: https://blogs.technet.microsoft.com/filecab/2018/01/08/work-folders-on-demand-file-access-feature-for-windows-10/ Remote access: https://blogs.technet.microsoft.com/filecab/2017/05/31/enable-remote-access-to-work-folders-using-azure-active-directory-application-proxy/ e: I have been failing to find a blog post that I only vaguely remember. The author used work folders on the client, with the data being in azure storage for remote users and local for on-prem users. The Fool fucked around with this message at 21:23 on Apr 12, 2019 |
|
#
?
Apr 12, 2019 20:41
|
|
|
Thanks Ants posted:I'm not aware of anything that does what you want. Well somebody should make something that does, they'll sell a million of 'em I tell ya! Thanks y'all, I'll take a look at these links.
|
|
#
?
Apr 12, 2019 21:59
|
|
|
The only thing I know of that comes anywhere close is Egnyte, and they're only just now getting around to delivering on the bit where the client connects locally when in the office, and to the cloud when they aren't without requiring the end user to do anything differently. Egnyte is a pile of flaming garbage though.
|
|
#
?
Apr 12, 2019 22:12
|
|
|
The Fool posted:Could you be talking about Work Folders? Please post that if you find it. Sounds kind of awesome, I've been toying with the idea myself idly.
|
|
#
?
Apr 13, 2019 01:38
|
|
|
Recently 'onboarded' a new client and found that a couple of the workstations have their primary user's domain accounts under the local admins groups. Is there a way to audit this for systems domain wide? Can this be done through GPO or scripted through MSP management software like Ncentral/n-able? Just hoping not to do this manually one-by-one. Hopefully my question here makes sense.
|
|
#
?
Apr 16, 2019 14:24
|
|
|
Otis Reddit posted:Recently 'onboarded' a new client and found that a couple of the workstations have their primary user's domain accounts under the local admins groups. Is there a way to audit this for systems domain wide? Can this be done through GPO or scripted through MSP management software like Ncentral/n-able? Just hoping not to do this manually one-by-one. Hopefully my question here makes sense. Powershell will be your friend here. Should be able to use WMI to grab the local admin group and then match any domain accounts against that list.
|
|
#
?
Apr 16, 2019 14:43
|
|
|
You might be able to just replace the membership of the local admins group with GPO, if you don't care about having any machines non-standard.
|
|
#
?
Apr 16, 2019 14:43
|
|
|
This is also a thing that PDQ Inventory can do very easily.
|
|
#
?
Apr 16, 2019 14:48
|
|
|
Our domain users group is in the local admins group via GPO. Good times ya'll.
|
|
#
?
Apr 16, 2019 16:08
|
|
|
At least it's not in the Enterprise Admins group
|
|
#
?
Apr 16, 2019 16:53
|
|
|
Thanks Ants posted:At least it's not in the Enterprise Admins group 
|
|
#
?
Apr 16, 2019 16:58
|
|
|
See, I'm an optimist!
|
|
#
?
Apr 16, 2019 17:00
|
|
|
Thanks Ants posted:At least it's not in the Enterprise Admins group 
|
|
#
?
Apr 16, 2019 17:12
|
|
|
ChubbyThePhat posted:Powershell will be your friend here. Should be able to use WMI to grab the local admin group and then match any domain accounts against that list. Thanks. Would you know a PS command?
|
|
#
?
Apr 16, 2019 17:25
|
|
|
Otis Reddit posted:Thanks. Would you know a PS command? I would probably try something like code:code:
|
|
#
?
Apr 16, 2019 17:32
|
|
|
Otis Reddit posted:Thanks. Would you know a PS command? I had a similar request a while ago where I needed to find local admins of specific servers and audit them. My script wouldn't be much use to you as I wrote it for my environment and for my reporting needs, but I based it mostly off this https://gallery.technet.microsoft.com/Query-members-of-Local-d0f393a6 This might not be exactly what you need, but I needed to audit the local administrators of a group of servers, and this got the job done. I also don't consider myself even good at powershell, so if there's better easier ways to do this, great. This worked for me though. It's tailored to an AD environment as well, so maybe some snippets of it could be useful if not in a domain environment. code:skipdogg fucked around with this message at 18:01 on Apr 16, 2019 |
|
#
?
Apr 16, 2019 17:49
|
|
|
Right, I'm giving up and turning to this thread. My Google skills are weak or I just get a load of crap relating to personal Microsoft accounts which isn't relevant. Steps to reproduce are:
The result is this message that is suppressed if you follow the instructions but the next time you use a PIN it comes back:  If I lock the PC without being on the VPN, no error when I unlock again. If I change the VPN client to not push our domain suffix to the client then I don't get the error when I unlock. I assume the client is trying to authenticate something against the domain but I have no idea what, and no idea how to stop it. This also happens with users that are in the on-premises domain but I assume without a Hybrid join in place then they can't just do whatever with Kerberos because they've not authenticated against AD, just against Azure. Is this an attempt to update a DNS zone maybe? The issue only started a few months ago and across several people at roughly the same time, so I'm guessing something has changed in an update. Thanks Ants fucked around with this message at 19:35 on Apr 16, 2019 |
|
#
?
Apr 16, 2019 19:17
|
|
|
Thanks Ants posted:Right, I'm giving up and turning to this thread. My Google skills are weak or I just get a load of crap relating to personal Microsoft accounts which isn't relevant. Is DHCP doing dynamic DNS updates, and DNS is set to only allow secure updates? I feel like it's a reach, but you've already addressed the other possibilities I thought of.
|
|
#
?
Apr 16, 2019 19:38
|
|
|
This looks like a promising place to look: https://blog.nimtech.cloud/windows-hello-on-azure-ad-domain-joined-devices-access-to-local-files/ Edit: And here https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication. It looks like the Azure AD join authentication to AD workflow uses DNS to find the domain controllers to auth, which it can't do in a non-hybrid setup or where Hello for Business might be configured without the key trust that it requires. Thanks Ants fucked around with this message at 20:48 on Apr 16, 2019 |
|
#
?
Apr 16, 2019 20:35
|
|
|
Thanks Ants posted:This looks like a promising place to look: I came to post that dynamic DNS sounded possible, but this also looks like a good avenue to check.
|
|
#
?
Apr 16, 2019 20:49
|
|
|
On a slightly related note, this AD is a heap of trash and I should be fine to drop ACLs referencing dead objects ("Account Unknown(S-1...)" without it blowing up, right?
|
|
#
?
Apr 16, 2019 20:52
|
|
|
Thanks Ants posted:On a slightly related note, this AD is a heap of trash and I should be fine to drop ACLs referencing dead objects ("Account Unknown(S-1...)" without it blowing up, right? 
|
|
#
?
Apr 16, 2019 21:01
|
|
|
I think an Exchange install was (badly) ripped out of it and it's left some stuff behind. The other option is to just leave them there because it's not causing any harm.
|
|
#
?
Apr 16, 2019 21:17
|
|
|
Thanks Ants posted:I think an Exchange install was (badly) ripped out of it and it's left some stuff behind. The other option is to just leave them there because it's not causing any harm. That sort of cruft would drive my former AD admin insane.
|
|
#
?
Apr 16, 2019 21:39
|
|
|
Dirt Road Junglist posted:That sort of cruft would drive my former AD admin insane. Ask me about inheriting a domain this year in which I have already deleted over 3500 accounts.
|
|
#
?
Apr 16, 2019 22:30
|
|
|
Our AD has a bunch of cruft from the Novell days.
|
|
#
?
Apr 16, 2019 23:02
|
|
|
I'm just glad the cruft I uncovered with BES_ prefixes turned out to be related to our BigFix Enterprise setup and not Blackberry Enterprise Server.
|
|
#
?
Apr 16, 2019 23:03
|
|
|
ChubbyThePhat posted:I came to post that dynamic DNS sounded possible, but this also looks like a good avenue to check. Yeah, I added the actual MS doc that explains why it's doing what it is after you quoted me. Weighing up whether to just do a Hybrid join vs. building a CA, I've heard people talking about how Hybrid domain join is going away though so that might tip my hand. Edit: Once you know what you're looking for, everything falls into place https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base And yes I am using this thread as a public version of my OneNote for when I eventually implement this. Thanks Ants fucked around with this message at 01:57 on Apr 17, 2019 |
|
#
?
Apr 17, 2019 01:50
|
|
|
Digital_Jesus posted:Ask me about inheriting a domain this year in which I have already deleted over 3500 accounts. 85,000 machine and user accounts haven't been used since 2010 and a secops policymaker expects those names to hang around indefinitely
|
|
#
?
Apr 17, 2019 20:20
|
|
|
|
| # ? May 30, 2024 19:00 |
|
|
it seriously looks like one of my client domains was used as an inefficient but highly available rainbow table
|
|
#
?
Apr 17, 2019 20:23
|
|