|
If it’s not in your audit logs you aren’t finding it. If it does exist it’s in your audit logs iirc
|
|
#
?
Oct 27, 2022 00:06
|
|
|
|
| # ? May 28, 2024 04:24 |
|
|
ElGroucho posted:Anybody know where the hell you would pull a history of license assignment/unassignment for things like Power BI or Visio Pro? For some reason all our licenses were unassigned, and know I'm trying to figure out who the hell to assign back to again Uhh, are these folks on prem? You can use something like PDQ Inventory to see who has Visio or Power BI Desktop installed.
|
|
#
?
Oct 27, 2022 00:26
|
|
|
GreenNight posted:Uhh, are these folks on prem? You can use something like PDQ Inventory to see who has Visio or Power BI Desktop installed. Good idea. I'll check SCCM for installed apps Now I have to figure out what the hell happened, because people are not happy. And it looks like we can't blame Okta this time.
|
|
#
?
Oct 27, 2022 00:28
|
|
|
ElGroucho posted:Good idea. I'll check SCCM for installed apps Na this time you can blame Microsoft.
|
|
#
?
Oct 27, 2022 00:34
|
|
|
Nevermind, it was Okta. Luckily, I found the Azure logs and parsed that poo poo out so I could figure out who got unassigned. gently caress you, Okta
|
|
#
?
Oct 27, 2022 21:04
|
|
|
ElGroucho posted:Nevermind, it was Okta. Luckily, I found the Azure logs and parsed that poo poo out so I could figure out who got unassigned. What did Okta do this time — or rather how did it creatively poo poo the bed
|
|
#
?
Oct 28, 2022 00:27
|
|
|
MS support is telling us that custom role creation for Teams administration isn't possible. Has anyone made this work successfully? I can't tell if this is crazy or just the most Microsoft thing.
|
|
#
?
Oct 31, 2022 15:26
|
|
|
Nothing is more annoying then being the new guy, being asked to do some tasks and having no access so you need to constantly ask the guy who does.
|
|
#
?
Oct 31, 2022 23:56
|
|
|
you ate my cat posted:MS support is telling us that custom role creation for Teams administration isn't possible. Has anyone made this work successfully? I can't tell if this is crazy or just the most Microsoft thing. Teams is Sharepoint adjacent, so get used to the jank.
|
|
#
?
Nov 1, 2022 01:49
|
|
|
you ate my cat posted:MS support is telling us that custom role creation for Teams administration isn't possible. Has anyone made this work successfully? I can't tell if this is crazy or just the most Microsoft thing. Wait.
|
|
#
?
Nov 1, 2022 02:22
|
|
|
Problem statement: We allow employees to use their own Windows and MacOS PCs, and I am worried that data could get saved locally and then can leak from the organization. Ideally I would like a way that when someone logs in from a non-managed device, they are restricted to web version of Office only and can't save or edit files locally. More details: We issue all of our employees a company-owned laptop which is in Intune and fully managed. However, we also allow users to access to access Office on their personal computer and currently have no restrictions around devices. I've applied the Conditional Access policies CA001 through CA014. Ideally, when someone wants to access company info on a personally owned computer, I would like them to be restricted to the web browser only, no downloading of files. I don't want them using OneDrive on their computer or opening files with a local version of Office. Is there any way to do this? Am I thinking about things wrong? My concern is that in our current setup, someone can save a document to their personal computer and now I can't wipe that document when they leave the organization. I found this guide but it seems outdated and using it vs. the templatized CA policies caused more problems.
|
|
#
?
Nov 1, 2022 17:34
|
|
|
What you're describing is possible. Just know that it's not 100% bulletproof. You're just stopping people from doing something that they don't realize is risky, not so much locking down Fort Knox. You want to look at MAM policies. https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy
|
|
#
?
Nov 1, 2022 17:41
|
|
|
Internet Explorer posted:What you're describing is possible. Just know that it's not 100% bulletproof. You're just stopping people from doing something that they don't realize is risky, not so much locking down Fort Knox. You want to look at MAM policies.
|
|
#
?
Nov 1, 2022 17:56
|
|
|
Strike all I wrote before. You can do conditional access policies iirc for anything that's not intune compliant e.g. a non Corp device.
|
|
#
?
Nov 1, 2022 17:59
|
|
|
You're probably better off restricting the files rather than trying to manage what people can do on unmanaged devices. If the documents are stored in SharePoint then look at Information Protection.
|
|
#
?
Nov 1, 2022 18:33
|
|
|
Ok, I got tasked with the hellish challenge of cleaning up some MS licensing because of the joys of mergers/acquisitions, but something I'm stumbled upon is dealing with cloud servers, and RDP user licensing on them. Has anyone found documentation on which RDP license is actually able to be used on them? I've got like 5 different versions from various people, but asking for proof is coming up crickets. Most reliable MS documentation I've found is that you need to use RDP/User license with SAssurance to be able to use them on non-dedicated cloud servers. But of course the various partners have their own versions/programs (which seems to be in flux like normal), so does anyone know if the CSP/SPLA licenses actually qualify for cloud hosted? Edit: Figures - 15min after posting I get a call back from MS's licensing group and they're hunting it down, because they don't know the answer themselves. 
unknown fucked around with this message at 21:30 on Nov 18, 2022 |
|
#
?
Nov 18, 2022 19:07
|
|
|
Does anyone know how Windows Server handles hot-swapping drives? I'm working on a backup solution that would involve rotating disks in a hot-swap tray, but I don't know if Windows will handle the swap gracefully, or if I'd have to go in and manually online the drive after each swap. Ideally, I'd pull the drive and replace it with an identical one that would pick up the same drive letter, so the backup software sees it as a native disk without me having to do anything manually. Any suggestions on how I can achieve this?
|
|
#
?
Nov 19, 2022 01:51
|
|
|
fatman1683 posted:Does anyone know how Windows Server handles hot-swapping drives? I'm working on a backup solution that would involve rotating disks in a hot-swap tray, but I don't know if Windows will handle the swap gracefully, or if I'd have to go in and manually online the drive after each swap. if you want the same drive letter each time, go Google diskpart commands or the powershell that does the same you need a little bit of automation in this case
|
|
#
?
Nov 19, 2022 14:31
|
|
|
Some backup software is designed to work in this way (Veeam is one of them), and devices like the Overland/Tandberg RDX are designed to support that use case.
|
|
#
?
Nov 19, 2022 14:59
|
|
|
Thanks Ants posted:Some backup software is designed to work in this way (Veeam is one of them), and devices like the Overland/Tandberg RDX are designed to support that use case. Ok, I was planning on using Veeam anyway but I didn't know about that feature. The documentation seems to suggest it's pretty straightforward after you do the rotation once. Do you happen to know if it's possible to extract the disk from an RDX cartridge and plug it into SATA directly? I love the idea, and it's definitely more cost-effective than LTO for home use, but I don't really like the idea of having to have a proprietary drive to read the media in the event of catastrophic loss of my hardware. Part of the reason I settled on disk rotation was that I can plug the disk into a $20 SATA dock or any computer with a spare connector and read the files.
|
|
#
?
Nov 20, 2022 02:51
|
|
|
unknown posted:Has anyone found documentation on which RDP license is actually able to be used on them? I've got like 5 different versions from various people, but asking for proof is coming up crickets. Just for the record - it took Microsoft's licensing team 10 days to give me the actual official answer! OV/OVS (open value [subscription]), which includes the CSP (but not SPLA - that's a different beast) 2022 RDS licenses qualify for non-dedicated cloud usage. The big catch is that when you activate it on the cloud licensing server, you need to fill out a license validation within 10 days, and you also can't move it to another provider for 90 days. A quick note that OL (Open License) generation (aka 2019) also qualify for the above circus.
|
|
#
?
Nov 26, 2022 00:28
|
|
|
Number19 posted:I have a workstation that absolutely will not apply group policy. C:\Windows\GroupPolicy or whatever is empty and gpupdate fails saying it can’t read the policy from the domain controller despite my being able to browse to the policy in the policy store on all DCs. I'm bumping this because this has now happened to a few other computers and I'm out of troubleshooting steps. Some new stuff I have discovered:
It's a truly baffling issue and I'd love to know why the gently caress this happens. Google searches have yielded nothing that has helped. I almost want to pay MS for a support ticket but I don't think anyone there will know either. Does anyone have any ideas for poo poo I haven't tried yet?
|
|
#
?
Nov 28, 2022 22:42
|
|
|
it's dns op
|
|
#
?
Nov 28, 2022 22:46
|
|
|
The Fool posted:it's dns op I would have thought that as well but the system account can resolve all the domain and DC FQDNs just fine. e: very specifically when trying to connect to SYSVOL as system, the error returned is: The specified network password is not correct. It's definitely an authentication issue, but I have no idea why
|
|
#
?
Nov 28, 2022 22:53
|
|
|
Does the network path between working PCs and broken PCs differ?
|
|
#
?
Nov 28, 2022 22:54
|
|
|
Thanks Ants posted:Does the network path between working PCs and broken PCs differ? Some are VPN clients, some are LAN. That was my first guess as well but I had some of each break around the same time. e: to be clear: 2 of the borken ones were in the same VLAN, although they do not share a switch. Each switch's path to the core is identical though
|
|
#
?
Nov 28, 2022 22:54
|
|
|
Kerberos works with netbios. I don't know enough to know why when you use the fqdn it is defaulting to ntlm, maybe.
|
|
#
?
Nov 28, 2022 22:57
|
|
|
What's your imaging process like? Are you sysprep'ing your machines?
|
|
#
?
Nov 28, 2022 23:00
|
|
|
Submarine Sandpaper posted:Kerberos works with netbios. I don't know enough to know why when you use the fqdn it is defaulting to ntlm, maybe. The error from the Group Policy client uses the FQDN for policy refreshes: quote:The processing of Group Policy failed. Windows attempted to read the file \\fqdn\SysVol\fqdn\Policies\{39204A9B-B3A0-4C46-AFF1-E7437F41A346}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: where fqdn is the proper value skipdogg posted:What's your imaging process like? Are you sysprep'ing your machines? This would have been done on a fresh out of the box non-imaged machine, like all the others which are not showing this problem. The very first one was imaged using SCCM and was definitely sysprepped
|
|
#
?
Nov 28, 2022 23:01
|
|
|
Kill your tickets on a broke and see if you get any on a new attempt. I think it's dns tho
|
|
#
?
Nov 28, 2022 23:06
|
|
|
Have you verified all your DNS records for the domain controllers? Make sure there's no old DC information hanging out, and sites and services are setup and up to date. Also setup a packet capture on a busted machines and see what it's doing and where it's trying to get its info from.
|
|
#
?
Nov 28, 2022 23:06
|
|
|
Submarine Sandpaper posted:Kill your tickets on a broke and see if you get any on a new attempt. I have purged skipdogg posted:Have you verified all your DNS records for the domain controllers? Make sure there's no old DC information hanging out, and sites and services are setup and up to date. the computer account tickets and that did not help All my records are up to date and I have made sure there are no records for dead DCs anywhere e: i'll setup Wireshark on one of them in a few and see if I can get a capture of wtf is happening Number19 fucked around with this message at 23:22 on Nov 28, 2022 |
|
#
?
Nov 28, 2022 23:19
|
|
|
The Wireshark at least showed a bit more useful info. I am getting a KRB5KDC_ERR_PREAUTH_FAILED for the computer account policy refresh. I think this eliminates DNS as the fault and seems to confirm what I saw before with the pushd command:quote:C:\WINDOWS\system32>pushd \fq.dn\sysvol Now I need to figure out why the computer account is having Kerberos failures. It definitely seems like the computer password is wrong now somehow, but I've tried a computer account password rotation with no luck. What a bizarre problem.
|
|
#
?
Nov 29, 2022 00:29
|
|
|
Does klist show a difference between a working and a non-working machine? Edit: Wait, computer account. Do you have some script being pushed running as the computer user that's attempting to use network resources and getting the machine locked out after failing? Thanks Ants fucked around with this message at 01:24 on Nov 29, 2022 |
|
#
?
Nov 29, 2022 01:22
|
|
|
Thanks Ants posted:Does klist show a difference between a working and a non-working machine? No, no scripts to my knowledge. I wouldn't do something like that anyways since it's a Bad Idea. I don't think it's an account lockout issue anyways since \\NETBIOS\sysvol works while \\FQDN\sysvol does not. I think these computers are haunted
|
|
#
?
Nov 29, 2022 02:16
|
|
|
Disable ipv6 via reg key. I don't think it'll actually work, but I've seen the windows 10 implementation of ipv6 do some really weird things.
|
|
#
?
Nov 29, 2022 06:52
|
|
|
This has taken an interesting turn this morning. I think I've isolated the "what" here but have no idea as to the "why" or how to fix it. I did a couple more tests and this is not isolated to SYSVOL. It's any DFS path accessed using the FQDN. Using the same methodology to get a command prompt as system, I ran "start \\fqdn\sysvol" and after some time was greeted by an "Enter network credentials" prompt which then has the username of the former workstation user. As in, the computer account is trying to login in using DOMAIN\user.name instead of DOMAIN\COMPUTER_NAME$. On a working workstation, this goes straight through. It really looks like that particular DFS logon path has a bad cached credential. Running the same test for \\DOMAIN\sysvol goes straight through. The question is "how the gently caress did this happen?" and "how do I make it stop doing this?" What a weird fault.
|
|
#
?
Nov 29, 2022 18:28
|
|
|
What does "former workstation user" mean here? Is this someone who's left the company? Is something being baked into your builds?
|
|
#
?
Nov 29, 2022 18:34
|
|
|
Well goons, I have this sorted out. I still don't exactly know the "why" but I have the "what" and the "how to fix" so I'm good for now. So far as I can tell, this is what's been happening:
The fix is to login as the local admin (using the LAPS password), use PSexec to elevate to system, connect to the DFS share (using start \\fdqn\sysvol so it pops up the login prompt), have the user enter their new password (sometimes required twice). This fixes the fault and GPOs update again. I mean...what the gently caress but at least I have a fix.
|
|
#
?
Nov 29, 2022 19:53
|
|
|
|
| # ? May 28, 2024 04:24 |
|
|
Were the DC's patched recently? Been reading about authentication issues with the latest Windows patch.
|
|
#
?
Nov 29, 2022 19:57
|
|