nielsm
Jun 1, 2009



Disabling some accounts. The user that PowerShell is running as does have the required permission. At least the same user is able to do it via the GUI.


The Fool
Oct 16, 2003


You need to run with an elevated command prompt independent of the account permissions.

You can even elevate the command prompt with a different account than you are running the commands with.

Not all AD powershell commands require it, but 100% of the time if you are getting unexpected permission denied messages, this is why.
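An added example for the elevation / alternate-credential pattern described above (this is not code from the thread or from Microsoft, and the module name, account names and domain are placeholders): it checks whether the session token is elevated, then disables accounts with Disable-ADAccount, optionally under a different AD identity than the one that launched the console. It assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory; account names are placeholders.
Import-Module ActiveDirectory

function Test-IsElevated {
    # True when the current process token holds the Administrators role (UAC elevated)
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Disable-StaleAccounts {
    param(
        [Parameter(Mandatory)][string[]] $SamAccountName,
        [pscredential] $Credential   # optional: AD identity distinct from the logon session
    )
    if (-not (Test-IsElevated)) {
        Write-Warning "Session is not elevated; relaunch PowerShell with 'Run as administrator' and retry."
    }
    # Splat -Credential only when one was supplied, so the same call works either way
    $adArgs = @{}
    if ($Credential) { $adArgs.Credential = $Credential }

    foreach ($sam in $SamAccountName) {
        try {
            $user = Get-ADUser -Identity $sam @adArgs -ErrorAction Stop
            if (-not $user.Enabled) {
                [pscustomobject]@{ Account = $sam; Disabled = $true; Note = 'already disabled' }
                continue
            }
            Disable-ADAccount -Identity $user @adArgs -ErrorAction Stop
            [pscustomobject]@{ Account = $sam; Disabled = $true; Note = $null }
        }
        catch {
            # Surface the exact message: "Access is denied" from the DC points at the ACL on
            # the user object / OU rather than at the local console
            [pscustomobject]@{ Account = $sam; Disabled = $false; Note = $_.Exception.Message }
        }
    }
}

# Usage (placeholder names):
# $cred = Get-Credential 'CORP\admin.jdoe'
# Disable-StaleAccounts -SamAccountName 'jsmith', 'bwayne' -Credential $cred | Format-Table -AutoSize
```

If the cmdlet still returns access denied from an elevated console, the DC is rejecting the AD identity that made the call, so check which identity that is (the logon user, or the -Credential you passed) and the permissions on the target OU; the Note column in the output keeps the server's message so you can tell the two cases apart.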

Thanks Ants
May 21, 2004



If your Chrome policies have started breaking it's because you missed the announcement ~1 year ago that terms like whitelist and blacklist were being replaced, and the latest update has finally removed the old terms

https://support.google.com/chrome/a/answer/7679408?hl=en

kiwid
Sep 30, 2013

Does anyone have any recommendations on running IT on an ultra tight budget when it comes to infrastructure, AV, Firewalls, etc.?

Environment:
- 65 end users and 100 workstations spread over 8 locations with the worst internet you can imagine (agriculture)
- 7 servers (5 Windows, 2 Linux)
- PDC/DNS/DHCP/NPS
- SDC/DNS/NPS/File/Print
- Util Server (PDQ Deploy, Inventory, etc.)
- SQL Server
- RDS Server
- 2x Ubuntu web servers (one external use, one internal only)

I believe I'm about to inherit a disaster and while looking for a new job is on my forecast, currently I'm just trying to hold this down for now. The owner is making sweeping changes across the company including terminating the CEO which was my direct report. I've been told this is due to spending and losing money for the past few years. The owner has indicated to me that he's going to eliminate our MSP which does our server hosting, firewalls, AV, and end-user support.

I was originally hired to do automation workflows, business intelligence reports, etc. and he knows I have the experience of building from scratch and running the infrastructure (VMware/Nimble SAN) at my previous job where I worked as a System Administrator. However, we currently have no in-house hardware and I won't have the budget to even set up a basic 3-2-1 VMware Essentials build. I'm thinking of purchasing a single tower server to run Hyper-V on and backups to a cheap NAS like a QNAP (fml) and sync to AWS for off-site. When it comes to firewalls, I only have experience with Meraki (expensive) and SonicWall, and AV was Sophos Central.

Some questions:

1. Does pfsense have any UTM capabilities? Is this dumb to even think I can go cheaper than SonicWalls?
2. Is the built-in Windows Defender good enough? I'm assuming no but I am not up to date on this.

Any other recommendations would be appreciated.

Internet Explorer
Jun 1, 2005





Absolutely no problem having that discussion here, but there's a small business thread that might get you answers more along the lines of what you're looking for. https://forums.somethingawful.com/showthread.php?threadid=3723832

skipdogg
Nov 29, 2004

kiwid posted:

Any other recommendations would be appreciated.

Run away from this if possible.


I also just realized how broken my enterprise IT brain is. I looked at your requirements and immediately wanted a 500K budget. Large enterprise has broken me.

I've got no suggestions really.

Fortigate, and Watchguard seem to be less expensive firewall solutions that are supported on their own hardware. Sophos UTM supposedly isn't terrible. There's some good refurb hardware deals out there for servers, though not sure what the market has done in the last couple years.

kiwid
Sep 30, 2013

Internet Explorer posted:

Absolutely no problem having that discussion here, but there's a small business thread that might get you answers more along the lines of what you're looking for. https://forums.somethingawful.com/showthread.php?threadid=3723832

Thanks I'll check this out.


skipdogg posted:

Run away from this if possible.

Plan to but the problem is I live in a very rural area. I moved out here for this job specifically because it was my first 6-figure income (barely). Now I either have to find a healthy work-from-home/remote job or consider moving again which is such a fuckin headache.

Spyderizer
Feb 18, 2004

kiwid posted:

Does anyone have any recommendations on running IT on an ultra tight budget when it comes to infrastructure, AV, Firewalls, etc.?

Environment:
- 65 end users and 100 workstations spread over 8 locations with the worst internet you can imagine (agriculture)
- 7 servers (5 Windows, 2 Linux)
- PDC/DNS/DHCP/NPS
- SDC/DNS/NPS/File/Print
- Util Server (PDQ Deploy, Inventory, etc.)
- SQL Server
- RDS Server
- 2x Ubuntu web servers (one external use, one internal only)

I believe I'm about to inherit a disaster and while looking for a new job is on my forecast, currently I'm just trying to hold this down for now. The owner is making sweeping changes across the company including terminating the CEO which was my direct report. I've been told this is due to spending and losing money for the past few years. The owner has indicated to me that he's going to eliminate our MSP which does our server hosting, firewalls, AV, and end-user support.

I was originally hired to do automation workflows, business intelligence reports, etc. and he knows I have the experience of building from scratch and running the infrastructure (VMware/Nimble SAN) at my previous job where I worked as a System Administrator. However, we currently have no in-house hardware and I won't have the budget to even set up a basic 3-2-1 VMware Essentials build. I'm thinking of purchasing a single tower server to run Hyper-V on and backups to a cheap NAS like a QNAP (fml) and sync to AWS for off-site. When it comes to firewalls, I only have experience with Meraki (expensive) and SonicWall, and AV was Sophos Central.

Some questions:

1. Does pfsense have any UTM capabilities? Is this dumb to even think I can go cheaper than SonicWalls?
2. Is the built-in Windows Defender good enough? I'm assuming no but I am not up to date on this.

Any other recommendations would be appreciated.

Defender's actually doing pretty well in the Gartner magic quadrant rankings at the moment. Budget permitting I would however look into Defender for Business, which will get you some decent Endpoint Detection and Response capability.

If budget permits I'd look into M365 E3 licenses. Even with poo poo internet, that might reduce your burden on infrastructure.

tadashi
Feb 20, 2006

I have mostly stepped away from SA work so hoping people can answer a debate for me:

Once mainstream support ends for a Windows Server OS, they still sometimes issue emergency security patches, right? Can any other cumulative security patches be applied without extended support?

Maneki Neko
Oct 27, 2000

tadashi posted:

I have mostly stepped away from SA work so hoping people can answer a debate for me:

Once mainstream support ends for a Windows Server OS, they still sometimes issue emergency security patches, right? Can any other cumulative security patches be applied without extended support?

They might do security updates at their whim, but it's not something to bank on. Extended security updates for servers are much more limited compared to the client operating systems and are for now limited to big volume license programs and Azure.

EoRaptor
Sep 13, 2003


tadashi posted:

I have mostly stepped away from SA work so hoping people can answer a debate for me:

Once mainstream support ends for a Windows Server OS, they still sometimes issue emergency security patches, right? Can any other cumulative security patches be applied without extended support?

No, the extended support patches require a new activation key to be present, which is purchased from MS when you buy ESU for a license.

Thanks Ants
May 21, 2004



Has anybody seen a good blog post or similar about moving from Azure AD Connect to Azure AD Cloud Sync? MS have published this but it sort of ends without the "and if your pilot is successful then do this" bit.

mobby_6kl
Aug 9, 2009

Ok I think this is the second time now. I went to unlock my PC and it didn't recognize my fingerprint. Or the face. I then entered the password and it insisted it's wrong. I checked it on the next attempt so I'm 99% sure it's correct. It's now asking for a PIN that I've never ever used so there's a good chance I'll actually lock myself out.

Does this just happen randomly? I've never had this before IT moved everything to this Azure AD nonsense.

E: So I just avoided logging in for a day... and today it's the same. Seems like just restarting somehow let me avoid getting locked out, but still wouldn't enable me to actually sign in no matter what. Finally I shut it down for 5 minutes, started back up and it just logged me in with Hello. What a piece of poo poo.

mobby_6kl fucked around with this message at 09:39 on May 31, 2022

i am a moron
Nov 12, 2020

Been using Hello/AAD for years and have never run into what you're describing. Think maybe your IT department messed it up or your laptop is having issues?

The Fool
Oct 16, 2003


I've seen that exact behavior if you're using Hello for Business with a local CA and the CA is messed up

Thanks Ants
May 21, 2004



FWIW I'm now into month three of using Cloud Trust (beta) for Windows Hello Kerberos SSO and it's still working perfectly.

Thanks Ants fucked around with this message at 15:56 on May 31, 2022

Gerdalti
May 24, 2003

We're finally kicking Symantec Endpoint Protection to the curb, and rolling out Microsoft Defender using SCCM. It's all good, easy, etc.

BUT

There are a few things I can't seem to override/disable, and I'm hoping someone with experience can help me out.


App & Browser control wants me to turn it on, and alerts every Win10 system that it should be turned on. We don't actually want it on, not yet anyway.

The alert under Virus & threat protection leads to this:


Which we also don't (can't) turn on. This is an air gapped environment, and there's no onedrive, there's no internet, there's most definitely no storing of data in a cloud service.

I've tried various SCCM and Group Policy settings without much luck. The verbiage in Windows 10 doesn't actually match what's in SCCM/GP, so I'm at a total loss.

Any ideas?

Thanks Ants
May 21, 2004



Have you tried the Enhanced Notifications setting policy?

https://docs.microsoft.com/en-us/mi...=o365-worldwide

Gerdalti
May 24, 2003

I do have that set so that at least they don't get notifications, but I was hoping to get rid of the yellow ! icon too.

Thanks Ants
May 21, 2004



Last ditch attempt would be running something like Process Monitor while making the change to the setting and seeing if anything relevant gets shat into the registry.

Toast Museum
Dec 3, 2005

Are any of the security settings user-configurable? If not, is it possible to just hide the app from them altogether?

mobby_6kl
Aug 9, 2009

No questions really, I just tried to sign in from my personal machine



In edge, it insists on also syncing all my browser poo poo so nope.

The Fool
Oct 16, 2003


version numbers are strings and 1 is lower than 9

skipdogg
Nov 29, 2004

Gerdalti posted:

We're finally kicking Symantec Endpoint Protection to the curb, and rolling out Microsoft Defender using SCCM. It's all good, easy, etc.

BUT

There are a few things I can't seem to override/disable, and I'm hoping someone with experience can help me out.


App & Browser control wants me to turn it on, and alerts every Win10 system that it should be turned on. We don't actually want it on, not yet anyway.

The alert under Virus & threat protection leads to this:


Which we also don't (can't) turn on. This is an air gapped environment, and there's no onedrive, there's no internet, there's most definitely no storing of data in a cloud service.

I've tried various SCCM and Group Policy settings without much luck. The verbiage in Windows 10 doesn't actually match what's in SCCM/GP, so I'm at a total loss.

Any ideas?

Make sure you're using updated ADMX templates (worth checking just in case)

These settings are under Windows components > Windows Security. There's some App and browser protection settings and Virus and threat protection settings. You can hide those settings in your screenshots if you want. There are other settings in there you can hide as well if you want. You can hide the entire Windows Security systray icon if you feel like it.
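As an added example (not skipdogg's or Gerdalti's code, and not Microsoft's), here are the registry values behind those Windows components > Windows Security policies, applied and read back from PowerShell, for an air-gapped host where the cloud and OneDrive features cannot be used. The key and value names are the ones the ADMX policies write; the function names are mine.

```powershell
# Added example, not from the thread. Run elevated. In a GP/SCCM-managed estate, deliver these
# through the ADMX policies rather than writing them directly, so they are not tattooed.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center'

# Each entry: the policy-backed registry value and the piece of UI it hides
$policies = @(
    @{ Key = "$base\App and Browser protection";  Name = 'UILockdown';                   Value = 1; Hides = 'App & browser control area' },
    @{ Key = "$base\Virus and threat protection"; Name = 'UILockdown';                   Value = 1; Hides = 'Virus & threat protection area' },
    @{ Key = "$base\Notifications";               Name = 'DisableEnhancedNotifications'; Value = 1; Hides = 'Non-critical notifications' },
    @{ Key = "$base\Systray";                     Name = 'HideSystray';                  Value = 1; Hides = 'Windows Security tray icon' }
)

function Set-WindowsSecurityLockdown {
    param([switch] $IncludeSystray)   # tray icon stays unless explicitly asked for
    foreach ($p in $policies) {
        if ($p.Name -eq 'HideSystray' -and -not $IncludeSystray) { continue }
        if (-not (Test-Path $p.Key)) { New-Item -Path $p.Key -Force | Out-Null }
        New-ItemProperty -Path $p.Key -Name $p.Name -PropertyType DWord -Value $p.Value -Force | Out-Null
    }
}

function Get-WindowsSecurityLockdown {
    # Read every value back so you can see what landed, and what GP may have overwritten
    foreach ($p in $policies) {
        $current = (Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        [pscustomobject]@{
            Hides   = $p.Hides
            Value   = "$($p.Key.Substring($base.Length + 1))\$($p.Name)"
            Current = $current
            Applied = ($current -eq $p.Value)
        }
    }
}

# Usage:
# Set-WindowsSecurityLockdown                # leaves the tray icon visible
# Get-WindowsSecurityLockdown | Format-Table -AutoSize
```

Hiding an area removes it (and its status badge) from the Windows Security app; it does not change the underlying protection state, which you still manage through Defender policy. The app reads these values when it starts, so sign out or restart it after applying them, and check the Applied column again after the next Group Policy refresh to confirm the domain policy is not setting them back.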

Gerdalti
May 24, 2003


skipdogg posted:

Make sure you're using updated ADMX templates (worth checking just in case)

These settings are under Windows components > Windows Security There's some App and browser protection settings and Virus and threat protection settings. You can hide those settings in your screenshots if you want. There are other settings in there you can hide as well if you want. You can hide the entire Windows Security systray icon if you feel like it.

I'll give that a look, thanks!

mobby_6kl
Aug 9, 2009


The Fool posted:

version numbers are strings and 1 is lower than 9

Yeah I understand how it could've happened but c'mon, what are they paying the big bucks for in Redmond.

incoherent
Apr 24, 2004

Next major build of Windows 11 will have LAPS rolled into the OS.......and it only took 7 major OS updates to be included.

Azure LAPS in insiders preview.

Thanks Ants
May 21, 2004



Holy poo poo at last

https://docs.microsoft.com/en-gb/az...f-dynamic-group

kiwid
Sep 30, 2013

God I hate GPOs...

Is there something about this GPO that I've configured wrong?

It's applied, RSoP shows it applied both user and computer settings but the timeout simply never happens...





Security Filtering: Authenticated Users

Linked to the root domain. No blocking inheritance.

edit: I'm wondering if any previously deleted GPOs might be "tattooed"? Any other settings that might conflict with this in power and sleep?

kiwid fucked around with this message at 21:11 on Jun 29, 2022

Zaepho
Oct 31, 2013

kiwid posted:

God I hate GPOs...

Is there something about this GPO that I've configured wrong?

It's applied, RSoP shows it applied both user and computer settings but the timeout simply never happens...


What are you applying the GPO to? i.e. where is it linked and what objects exist under that container

A GPO with computer settings must be applied to a computer object (Barring the use of loopback... don't use loopback)

Additionally, a GPO with User settings must be applied to a User Object.

I like to separate Computer and User GPOs so that a GPO has either User or Computer settings but not both, for exactly this reason.
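An added example (not Zaepho's code) for the split Zaepho describes: it lists every GPO, reports whether the user half and the computer half have ever been edited, flags GPOs that carry both, and can disable the half that has never been touched so each GPO applies to one object type. It assumes the RSAT GroupPolicy module and rights to modify the GPOs; the function names are mine.

```powershell
# Added example, not from the thread. Requires RSAT GroupPolicy; run as a GPO admin.
Import-Module GroupPolicy

function Get-MixedGpo {
    Get-GPO -All | ForEach-Object {
        # DSVersion is 0 until that half of the GPO is edited for the first time and then
        # increments on every edit, so 0 means "this half has never been used"
        $userTouched     = $_.User.DSVersion     -gt 0
        $computerTouched = $_.Computer.DSVersion -gt 0

        $unused = $null
        if (-not $userTouched -and $computerTouched)     { $unused = 'User' }
        elseif ($userTouched -and -not $computerTouched) { $unused = 'Computer' }

        [pscustomobject]@{
            Name           = $_.DisplayName
            Id             = $_.Id
            Status         = $_.GpoStatus    # AllSettingsEnabled / UserSettingsDisabled / ...
            UserEdited     = $userTouched
            ComputerEdited = $computerTouched
            # Both halves in use and both enabled: the pattern Zaepho avoids
            Mixed          = ($userTouched -and $computerTouched -and $_.GpoStatus -eq 'AllSettingsEnabled')
            UnusedHalf     = $unused
        }
    }
}

function Disable-UnusedGpoHalf {
    param([switch] $Apply)   # dry run unless -Apply is given
    foreach ($g in Get-MixedGpo | Where-Object { $_.UnusedHalf -and $_.Status -eq 'AllSettingsEnabled' }) {
        $target = if ($g.UnusedHalf -eq 'User') { 'UserSettingsDisabled' } else { 'ComputerSettingsDisabled' }
        if ($Apply) {
            (Get-GPO -Guid $g.Id).GpoStatus = $target
            "Set '$($g.Name)' -> $target"
        }
        else {
            "Would set '$($g.Name)' -> $target"
        }
    }
}

# Usage:
# Get-MixedGpo | Where-Object Mixed | Format-Table Name, Status, UserEdited, ComputerEdited
# Disable-UnusedGpoHalf            # review
# Disable-UnusedGpoHalf -Apply     # commit
```

Disabling the unused half also saves a little processing on every client, and makes RSoP easier to read because each GPO then shows up on either the computer or the user side, not both. One caveat if you tighten security filtering while doing this: since the MS16-072 change, user policy is retrieved in the computer's security context, so a GPO filtered to a group other than Authenticated Users also needs Read (not Apply) for Domain Computers or the user half silently stops applying.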

kiwid
Sep 30, 2013

Zaepho posted:

What are you applying the GPO to? i.e. where is it linked and what objects exist under that container

A GPO with computer settings must be applied to a computer object (Barring the use of loopback... don't use loopback)

Additionally, a GPO with User settings must be applied to a User Object.

I like to separate Computer and User GPOs so that a GPO has either User or Computer settings but not both, for exactly this reason.

The user and computer are in the two highlighted OUs. Not using loopback processing except in my RDS - Computer Lockdown GPO.

Potato Salad
Oct 23, 2014




:gizz: :dukedoge:

Wizard of the Deep
Sep 25, 2005


kiwid posted:

God I hate GPOs...

Is there something about this GPO that I've configured wrong?

It's applied, RSoP shows it applied both user and computer settings but the timeout simply never happens...

Security Filtering: Authenticated Users

Linked to the root domain. No blocking inheritance.

edit: I'm wondering if any previously deleted GPOs might be "tattooed"? Any other settings that might conflict with this in power and sleep?

Even if previous GPOs were tattoo'd onto the registry, that just means the settings stick around after the GPO is gone. This should be overwriting any existing settings.

Are the settings actually reflected on the endpoints? You say it's in RSoP, but is it in GPResults?

incoherent
Apr 24, 2004

Stupid question: did you unplug everything from the computer that could prevent it from sleeping? Or is this a VM?

kiwid
Sep 30, 2013

Wizard of the Deep posted:

Even if previous GPOs were tattoo'd onto the registry, that just means the settings stick around after the GPO is gone. This should be overwriting any existing settings.

Are the settings actually reflected in on the end-points? You say it's in RSoP, but is it in GPResults?

Yes, gpresult /R /V shows it applied as well.

incoherent posted:

stupid question: did you unplug everything from the computer that could prevent it from sleeping? or is this a VM?

So the GPO appears to be working for others but it's just this specific laptop that I've been testing with that isn't. The laptop has two monitors and a keyboard/mouse plugged in and that's it.
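An added example (not from the thread) for the two checks raised above, Wizard of the Deep's "is it actually on the endpoint?" and incoherent's "what is stopping it sleeping?": run on the laptop, it reads the policy keys the power GPO writes, compares them with what powercfg reports for the active scheme, and lists the power requests that override any timeout. The setting GUIDs are the standard Windows ones; the function names are mine.

```powershell
# Added example, not from the thread. Run elevated on the endpoint (powercfg /requests needs it).
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings'

# Standard Windows power-setting GUIDs, with the powercfg aliases for the same settings
$settings = @(
    @{ Name = 'Turn off display after'; Sub = 'SUB_VIDEO'; Alias = 'VIDEOIDLE';   Guid = '3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e' },
    @{ Name = 'Sleep after';            Sub = 'SUB_SLEEP'; Alias = 'STANDBYIDLE'; Guid = '29f6c1db-86da-48c5-9fdb-f2b67b1f44da' }
)

function Get-PowerPolicyState {
    foreach ($s in $settings) {
        # What the GPO wrote (seconds); $null if the policy never reached this machine
        $pol = Get-ItemProperty -Path (Join-Path $policyRoot $s.Guid) -ErrorAction SilentlyContinue

        # What the active scheme actually uses, as reported by powercfg (hex seconds)
        $text = (powercfg /query SCHEME_CURRENT $s.Sub $s.Alias) -join "`n"
        $ac = if ($text -match 'Current AC Power Setting Index:\s*0x([0-9a-fA-F]+)') { [Convert]::ToInt32($Matches[1], 16) }
        $dc = if ($text -match 'Current DC Power Setting Index:\s*0x([0-9a-fA-F]+)') { [Convert]::ToInt32($Matches[1], 16) }

        [pscustomobject]@{
            Setting         = $s.Name
            PolicyACSeconds = $pol.ACSettingIndex
            PolicyDCSeconds = $pol.DCSettingIndex
            ActiveACSeconds = $ac
            ActiveDCSeconds = $dc
            # True only when the policy key exists and the live scheme agrees with it
            PolicyInEffect  = ($null -ne $pol.ACSettingIndex -and $pol.ACSettingIndex -eq $ac)
        }
    }
}

function Get-SleepBlockers {
    # Anything listed under DISPLAY/SYSTEM/AWAYMODE here (a "mouse wiggler" driver, an audio
    # stream, an OEM power service) keeps the machine awake regardless of the timeout
    powercfg /requests
}

# Usage:
# Get-PowerPolicyState | Format-Table -AutoSize
# Get-SleepBlockers
```

If PolicyACSeconds is empty, the GPO never wrote the key on this machine despite what RSoP says, which matches kiwid's eventual fix of recreating the GPO. If the policy and active values agree but the laptop still never sleeps, the blockers list is the next place to look, and `powercfg /lastwake` will name what woke it if it is sleeping and coming straight back.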

Thanks Ants
May 21, 2004



Is there some OEM-specific power management service running?

kiwid
Sep 30, 2013

Thanks Ants posted:

Is there some OEM-specific power management service running?

I don't believe so. It's a Lenovo but I wipe and install fresh Windows 10 on all machines to get rid of the bloatware apps. The only thing I put back on is Lenovo Update for drivers and Lenovo Service Bridge for the website linking.

I suppose I can take a look at the BIOS but this user is now out for a week so I won't be able to get into this for a bit now unfortunately.

Thanks Ants
May 21, 2004



If they work from home do they have a mouse wiggler plugged in, or a Bluetooth mouse in a bag that sends small movements now and then?

kiwid
Sep 30, 2013

So I deleted the GPO and created a new one with exact same settings which is now working for everyone. Ugh.


Potato Salad
Oct 23, 2014



sometimes that really is how it be on this bitch of an earth
