What queries is it pulling? The way we do it for ServiceNow data import and auth is to a standalone AD LDS instance that syncs over only the users and attributes that we need. That might be worth looking into; that way you're not fighting the DC cert getting presented. Takes a little bit of work to set up the attribute sync and getting your adamsync config set up along with adding any attributes to the schema beyond the default, but it's pretty bulletproof once you do.
# ? Jun 26, 2019 16:01 |
|
It's checking against our AD to log into enterprise software
|
# ? Jun 26, 2019 16:12 |
|
Path of least resistance is to have the enterprise app trust your internal CA root. There's other ways around this, but that's what I would do to get it working.
|
# ? Jun 26, 2019 16:23 |
|
NevergirlsOFFICIAL posted:I'm running into an issue... And while troubleshooting, I ran into another issue. Here are both issues: The real issue: Is the third-party server joined to your domain? I want to say AD offers the newest certificate, so reissuing the GoDaddy cert may resolve the issue? I don't have a way to verify that right now. The second issue: holy poo poo do not do this. Burn that RODC to the ground, fix AD, and start from scratch. All sorts of wonky things happen when you restore DCs.
|
# ? Jun 26, 2019 16:59 |
|
Wizard of the Deep posted:The real issue: Is the third-party server joined to your domain? I want to say AD offers the newest certificate, so reissuing the GoDaddy cert may resolve the issue? I don't have a way to verify that right now. quote:The second issue: holy poo poo do not do this. Burn that RODC to the ground, fix AD, and start from scratch. All sorts of wonky things happen when you restore DCs. To be clear I'm not restoring it into production. I just want to log in to it so I can see what the certs looked like before the issue started.
|
# ? Jun 26, 2019 17:01 |
|
skipdogg posted:Path of least resistance is to have the enterprise app trust your internal CA root. There's other ways around this, but that's what I would do to get it working. yeah I'm hoping to get them to agree to this
|
# ? Jun 26, 2019 17:01 |
|
NevergirlsOFFICIAL posted:Third party server is not on the domain. I attempted reinstalling the GoDaddy cert but possibly I didn't do it correctly. I think it's not "the certificate most recently installed", but "the certificate issued most recently". I think. This is pulling from memories on an issue I wasn't directly involved in almost two years ago.
|
# ? Jun 26, 2019 17:04 |
|
NevergirlsOFFICIAL posted:THE SECOND ISSUE: Log on in "Directory Services Restore Mode" and use a local admin/domain restoration account.
|
# ? Jun 26, 2019 17:40 |
|
The Fool posted:Log on in "Directory Services Restore Mode" and use a local admin/domain restoration account. imagine working someplace where that account was documented
|
# ? Jun 27, 2019 02:48 |
|
Wizard of the Deep posted:I think it's not "the certificate most recently installed", but "the certificate issued most recently". I think. This is pulling from memories on an issue I wasn't directly involved in almost two years ago. interesting
|
# ? Jun 27, 2019 02:50 |
|
NevergirlsOFFICIAL posted:imagine working someplace where that account was documented It's trivial to reset with any number of winpe based tools
|
# ? Jun 27, 2019 02:55 |
|
NevergirlsOFFICIAL posted:imagine working someplace where that account was documented I do. But AD is basically my full time job. But yes I would agree most places don’t have it documented or it’s not the right password when shtf
|
# ? Jun 27, 2019 03:04 |
|
The Fool posted:It's trivial to reset with any number of winpe based tools ok I was going to try hiren's boot cd but didn't know if it would work on domain controller
|
# ? Jun 27, 2019 16:11 |
|
NevergirlsOFFICIAL posted:ok I was going to try hiren's boot cd but didn't know if it would work on domain controller You probably already know this, but I think it's worth noting for a later reader: PE based password tools only work on passwords stored in the SAM hive, which is only used for local accounts. Which means they do not work on domain accounts, and will only work on the local admin/restore services mode account on a domain controller.
|
# ? Jun 27, 2019 20:45 |
|
I've never gotten around to testing it, but apparently you can pull cached domain passwords from Windows. https://medium.com/@rootsecdev/abusing-windows-cached-credentials-in-metasploit-376b21e98e66
|
# ? Jun 28, 2019 02:07 |
|
Moey posted:I've never gotten around to testing it, but apparently you can pull cached domain passwords from Windows. Cached creds have been a thing for a long time. They're stored as NTLMv2 hashes with salting (thus the additional parameter for crack) but you're still brute forcing, so using sufficiently strong passwords for admin credentials helps minimize the impact. The salting at least stops you from being able to pass the hash to another system and have it be valid. The much more fun one that pen testers use to pop DA creds is by scraping hashes out of memory. You start by getting creds on a regular user account (phishing, social engineering, whatever), enumerate for a server that the account has admin rights on, log in on that with local admin privs and then look to see if another admin account (hopefully a DA) is also logged in. Windows did a good job of cleaning up the old LM hashes from 2008/Vista forward on disk/cache, but when a user is actively logged in it is still calculating and leaving an LM hash in memory that you can get to with local admin. Those are trivial to crack so long as the password is 14 characters or less, and the behavior is hard-coded into the OS and cannot be disabled. They stopped doing it with Win10/2016, but anything before that is vulnerable. Only mitigations are to enforce 15+ character passwords on anything with admin creds, or upgrade everything to Win10/2016+. Setting limits to idle/disconnected RDP sessions on servers can also help you there too, but isn't fool-proof.
|
# ? Jun 28, 2019 14:22 |
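The post above lists three mitigations but no way to check them. The following script is an added example, not code from the thread or from any poster; it audits those three points from the defender's side. It assumes the ActiveDirectory RSAT module, read access to group membership, password policies and computer objects, and that `Domain Admins` and the 15-character floor are the right group and threshold for your shop (both are assumptions to adjust). The RDP limits are read from the local machine's policy registry keys, so that function is meant to be run on each server or pushed out with Invoke-Command.

```powershell
# Added example, not from the thread: audit the mitigations the post names
# (15+ character passwords for admin accounts, hosts at Win10/2016 or later,
# time limits on disconnected/idle RDP sessions). Assumes the ActiveDirectory
# RSAT module and read access to group membership, password policies and
# computer objects; the group name and thresholds are assumptions to adjust.
Import-Module ActiveDirectory

function Get-PrivilegedPasswordLengthReport {
    param(
        [string]$Group = 'Domain Admins',   # assumed: the privileged group to audit
        [int]$RequiredLength = 15           # the post's 15+ character floor
    )
    $defaultPolicy = Get-ADDefaultDomainPasswordPolicy
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            # A fine-grained policy wins when one applies; otherwise the domain default.
            $fgpp = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
            if ($fgpp) { $minLen = $fgpp.MinPasswordLength; $source = $fgpp.Name }
            else       { $minLen = $defaultPolicy.MinPasswordLength; $source = 'Default Domain Policy' }
            [pscustomobject]@{
                Account        = $_.SamAccountName
                PolicyMinLen   = $minLen
                PolicySource   = $source
                MeetsThreshold = ($minLen -ge $RequiredLength)
            }
        }
}

function Get-PreNt10HostReport {
    # Windows 10 / Server 2016 are NT 10.0; AD stores the version as e.g. "10.0 (14393)".
    Get-ADComputer -Filter { Enabled -eq $true -and OperatingSystemVersion -like '*' } `
                   -Properties OperatingSystem, OperatingSystemVersion |
        ForEach-Object {
            # Turn "6.3 (9600)" into the [version] 6.3.9600 so Major can be compared.
            $v = [version]($_.OperatingSystemVersion -replace '\s*\((\d+)\)$', '.$1')
            [pscustomobject]@{
                Computer = $_.Name
                OS       = $_.OperatingSystem
                Version  = $v
                PreNt10  = ($v.Major -lt 10)
            }
        }
}

function Get-RdpSessionLimit {
    # Local check of the two "Set time limit for ... sessions" policies; the values
    # are milliseconds and 0 or absent means no limit is enforced.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $disc = if ($p.MaxDisconnectionTime) { [int]($p.MaxDisconnectionTime / 60000) } else { 0 }
    $idle = if ($p.MaxIdleTime)          { [int]($p.MaxIdleTime / 60000) }          else { 0 }
    [pscustomobject]@{
        Computer                 = $env:COMPUTERNAME
        DisconnectedLimitMinutes = $disc
        IdleLimitMinutes         = $idle
        LimitsEnforced           = ($disc -gt 0 -and $idle -gt 0)
    }
}

# Show only the findings: admins under the floor, hosts older than NT 10.0, local RDP limits.
Get-PrivilegedPasswordLengthReport | Where-Object { -not $_.MeetsThreshold } | Format-Table -AutoSize
Get-PreNt10HostReport              | Where-Object PreNt10 | Format-Table -AutoSize
Get-RdpSessionLimit                | Format-List
```

The password check reports the policy minimum that applies to each account, not the length of the password actually set, so an account that predates a policy change can still have a short password until its next reset; pair the report with a forced reset where the policy source changed recently.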
|
How's everyone dealing with RSAT when you're in an SCCM environment? GPO is pointing at SCCM for WSUS, so when you use PowerShell to install it, it can't install. Is literally creating a package the solution?
|
# ? Jun 28, 2019 15:26 |
|
lol internet. posted:How's everyone dealing with RSAT when you're in an SCCM environment? That's how I do it. Application that goes out to the folks who need it.
|
# ? Jun 28, 2019 15:50 |
|
Server 2019 hosting Active Directory Based Authentication is a walk in the park. Took me longer to figure out that you needed a special Office executable to add the KMS keys for that than it did to get the whole thing deployed.
|
# ? Jun 28, 2019 18:42 |
|
The Fool posted:You probably already know this, but I think it's worth noting for a later reader: yes that's why I wasn't going to use it, bc it's dc, but didn't occur to me it would work on adrs
|
# ? Jun 28, 2019 19:40 |
|
lol internet. posted:How's everyone dealing with RSAT when you're in an SCCM environment? If you're ok with your clients reaching out to Microsoft Update you can set a policy that will let them do so for additional content and repair content: https://www.stephenwagner.com/2018/10/08/enable-windows-update-features-on-demand-and-turn-windows-features-on-or-off-in-wsus-environments/ (that also exists in local policy). If you can't/don't want your clients to reach out then yeah, I guess you're stuck making a package, or if it's for a few smart admin staff, just dumping this on a network share and giving them instructions: https://blogs.technet.microsoft.com/askpfeplat/2018/12/18/rsat-on-windows-10-1809-in-disconnected-environments/
|
# ? Jun 29, 2019 02:39 |
|
In a Windows file server, I have a shared drive with about 1,000 root folders. Each folder ranges from "used every day" to "haven't been used since 2004." I want to give the IT director a report of which folders have files that have been created, accessed, or modified by employees in the past X days/weeks/months. What is the best way to do this? I normally use TreeSize Pro, but that will give me a per-file report. I want these grouped by folder. I want something that looks like this:

    Folder    Latest date of an item in the folder that was accessed
    ------    ------------------------------------------------------
    E:\Poop   2019-07-01
    E:\Piss   2019-06-15
    E:\Semen  2018-01-01
|
# ? Jul 1, 2019 17:38 |
|
Powershell script would be my go-to (iterate through each ChildItem, storing oldest relevant date for each one), but be aware that LastAccessTime isn't enabled in newer versions of Windows unless you've explicitly enabled it. Also things like backups will mess with that date anyway.
|
# ? Jul 1, 2019 18:28 |
|
There's a LastWriteTime property that might work for you, and you could also filter on PSIsContainer. So something like:
|
# ? Jul 2, 2019 11:23 |
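A complete version of the per-folder report the last few posts sketch (iterate the top-level folders, keep the newest LastWriteTime found under each, skip the access-time field). This is an added example, not the script from the thread; the share root, the activity window and the CSV output path are assumptions to replace with your own.

```powershell
# Added example, not the poster's script: per-folder "most recent write" report
# for the top-level folders of a share. Root path, window and CSV path are
# assumptions; adjust them for the share in question.
param(
    [string]$Root   = 'E:\',                          # assumed share root
    [int]$Days      = 90,                             # folders written to within this window count as active
    [string]$OutCsv = "$env:TEMP\FolderActivity.csv"  # assumed output location
)

function Get-FolderActivityReport {
    param([string]$Root, [datetime]$Cutoff)

    Get-ChildItem -LiteralPath $Root -Directory -Force | ForEach-Object {
        $folder = $_
        $latest = $null

        # LastWriteTime rather than LastAccessTime: access-time updates are off by
        # default on current Windows and backup reads would skew them anyway.
        # -Force includes hidden/system files; access-denied subtrees are skipped
        # rather than aborting the whole report.
        $files = Get-ChildItem -LiteralPath $folder.FullName -Recurse -Force -File -ErrorAction SilentlyContinue
        foreach ($file in $files) {
            if ($null -eq $latest -or $file.LastWriteTime -gt $latest) {
                $latest = $file.LastWriteTime
            }
        }

        # A folder with no files at all falls back to the folder object's own timestamp.
        if ($null -eq $latest) { $latest = $folder.LastWriteTime }

        [pscustomobject]@{
            Folder      = $folder.FullName
            LatestWrite = $latest.ToString('yyyy-MM-dd')
            Active      = ($latest -ge $Cutoff)
        }
    }
}

$cutoff = (Get-Date).AddDays(-$Days)
$report = Get-FolderActivityReport -Root $Root -Cutoff $cutoff

# Console view in the shape the question asked for, plus a CSV for the director.
$report | Sort-Object LatestWrite -Descending | Format-Table Folder, LatestWrite, Active -AutoSize
$report | Export-Csv -LiteralPath $OutCsv -NoTypeInformation
```

Run it from the file server itself rather than over SMB: the recursive enumeration of a thousand root folders is I/O bound, and local access also avoids the permission differences you can hit when the share ACL is tighter than the NTFS ACL. A folder whose files were only read in the period will not show as active, which is the trade-off the LastWriteTime choice makes.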
|
^^ Unless you have some really funny (bad) backup software that touches files themselves instead of their archive bit metadata, this is the metadata property to use.
|
# ? Jul 2, 2019 14:37 |
|
oof o365 is having a bad fall down right now https://twitter.com/MSFT365Status/status/1146145223937892352 even the outage page is out.
|
# ? Jul 2, 2019 22:58 |
|
incoherent posted:even the outage page is out. New thread title?
|
# ? Jul 2, 2019 23:00 |
|
get out of my head. I was gonna propose a new title.
|
# ? Jul 2, 2019 23:05 |
|
incoherent posted:get out of my head. I was gonna propose a new title.
|
# ? Jul 2, 2019 23:06 |
|
So, 1.) Why are Windows Updates so loving slow in Windows Server 2016? 2.) Why did Microsoft feel the need to strip WSEE from Windows Server 2019 and give it its own SKU/product?
|
# ? Jul 6, 2019 17:15 |
|
With (2), people small enough to use WSEE probably would do better with point 'n click O365 administration? I'm guessing.
|
# ? Jul 6, 2019 17:32 |
|
Friends don't let friends use WSEE.
|
# ? Jul 6, 2019 17:36 |
|
PUBLIC TOILET posted:So, The only explanation from MS that I ever got in my last job, where I managed 2016 in a PaaS capacity and we opened more than one support ticket on this issue, was that "well the product has been out a while so the cumulative updates are large".
|
# ? Jul 6, 2019 20:17 |
|
PUBLIC TOILET posted:So, Are you on WSUS and doing basic maintenance to keep your database size down?
|
# ? Jul 6, 2019 20:46 |
|
The Fool posted:Friends don't let friends use WSEE. Hey! Come on, there's nothing wrong with it for home lab use.
|
# ? Jul 6, 2019 23:16 |
|
The Fool posted:Are you on WSUS and doing basic maintenance to keep your database size down? What does this mean, specifically?
|
# ? Jul 7, 2019 23:57 |
|
GreatGreen posted:What does this mean, specifically?

Few scenarios:
* Actively declining old, superseded updates lovingly by hand (to give your shop that air of artisanal IT)
* Running the WSUS scripts from Microsoft on a set schedule.
* Locate the ancient texts of Adam's WSUS maintenance script (or pay for it)

The Fool posted:Are you on WSUS and doing basic maintenance to keep your database size down?

They may not have express updates enabled for their WSUS server. I've heard this common complaint on /r/sysadmin, but I don't have 16 deployed (going to skip to '19 tbh).
|
# ? Jul 8, 2019 04:00 |
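The second of the three options above, scripted maintenance on a schedule, looks like the following. This is an added example written for this thread, not Adam's script or anything Microsoft ships; it uses only the UpdateServices module that installs with the WSUS role, and assumes it runs on the WSUS server itself (the log path is an assumption).

```powershell
# Added example, not from the thread: scheduled WSUS hygiene using the
# UpdateServices module. Assumes it runs on the WSUS server itself; the log
# path is an assumption.
Import-Module UpdateServices

function Invoke-WsusHygiene {
    param(
        [string]$LogPath = "$env:TEMP\WsusMaintenance.log",   # assumed log location
        [switch]$WhatIf                                       # list candidates without declining
    )
    $wsus = Get-WsusServer                                    # local server, default port

    # 1. Decline superseded updates that no client still reports as needed.
    #    The "needed" guard keeps an update available for machines that have not
    #    yet scanned against the newer update that supersedes it.
    $candidates = @(
        Get-WsusUpdate -UpdateServer $wsus -Approval AnyExceptDeclined -Classification All -Status Any |
            Where-Object { $_.Update.IsSuperseded -and $_.ComputersNeedingThisUpdate -eq 0 }
    )

    foreach ($u in $candidates) {
        "$(Get-Date -Format s) decline: $($u.Update.Title)" | Add-Content -LiteralPath $LogPath
        if (-not $WhatIf) { Deny-WsusUpdate -Update $u }
    }

    # 2. Same work as the Server Cleanup Wizard in the console: expired updates,
    #    obsolete updates and computers, unneeded content files, update compression.
    if (-not $WhatIf) {
        $summary = Invoke-WsusServerCleanup -UpdateServer $wsus `
            -DeclineExpiredUpdates -CleanupObsoleteUpdates -CleanupObsoleteComputers `
            -CleanupUnneededContentFiles -CompressUpdates
        $summary | Add-Content -LiteralPath $LogPath
    }

    [pscustomobject]@{
        Declined = $candidates.Count
        WhatIf   = [bool]$WhatIf
        LogPath  = $LogPath
    }
}

# Dry run first; drop -WhatIf once the log shows only updates you expect to lose.
Invoke-WsusHygiene -WhatIf | Format-List
```

Schedule the non-WhatIf call as a task running as an account in the WSUS Administrators group. Declining and cleanup shrink what clients have to scan against, which is the part that makes the 2016 update pain worse; reindexing SUSDB itself is separate database maintenance that this script does not touch.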
|
PUBLIC TOILET posted:So, Wish they would fix this... A little over a year ago we upgraded our TS farm to a bunch of shiny new hardware and virtualized everything on Hyper-V. All with 2016, our first 2016 installs anywhere.. I spent some time chasing down what I thought was a major performance issue until I learned that 2016 updates are just slow as gently caress.
|
# ? Jul 8, 2019 13:32 |
|
stevewm posted:Wish they would fix this... We just bunny hopped over 2016 because of this issue. We have like 3 or 4 servers in production, everything else gets 2019 unless something specifically breaks. Other Content: Office 365 Sub-Domains... So. We have a root domain and 3 subdomains: domain.root students.domain.root dev.domain.root test.domain.root I recently built dev and test because we are moving to a new SSO (Shibboleth) and wanted to do some testing before we ripped the bandaid off and blew up the butt. But of course, Microsoft cannot make poo poo easy, ever. Currently our root is Managed and our Students are Federated. Don't ask, I don't know and if I could talk to the person who set it up this way I would have already killed them. But, we won't be swapping the root to federated until we have dev/test of Shibboleth up and running and we migrate them at the same time with students. I add the two new MSOL-Domains and try to move one to federated and BAM! nope, because the root is managed, sub-domains that are added AFTER the root get forced into whatever the root was because reasons. It appears from this article that the only way around it is to contact O365 support (who will totally know what I am talking about) to have them generate the domain without the RootDomain flag. I may also be bitching about this while I wait for my only dev account to be deleted from O365 so I can delete the domain and then generate those tickets. UGH. Still though, sub-domains might be completely separate companies that use completely different SSO. Nice default, except when you run smack into it.
|
# ? Jul 8, 2019 21:10 |
|
|
PUBLIC TOILET posted:So, Are you updating directly from MS, or WSUS? If I recall right, 2016 supports both the update rollup method and individual rollups. If your WSUS people don't know what they're doing, they'll end up assigning both sets of patches to the system and the OS will dutifully install the redundant patches, which can take forever instead of just firing off one rollup.
|
# ? Jul 9, 2019 14:17 |