If you want to do it interactively from Explorer, your only choice is basically to create an interactive logon session (such as Remote Desktop) as the user that has permission to access those file shares. If it's something you can script your way out of, PowerShell is very convenient for collecting credentials once and then reusing those for establishing multiple connections to different machines.
# ? Mar 29, 2023 18:48 |
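What the post describes, prompting for the credential once and reusing it to map several shares, as an added example rather than code from the thread; the server and share names are placeholders:

```powershell
# Added example, not from the thread. Prompt once, then reuse the same
# PSCredential for several UNC paths. Server and share names are placeholders.
$shares = @{
    'X' = '\\fileserver01.corp.example\engineering'
    'Y' = '\\fileserver02.corp.example\projects'
    'Z' = '\\fileserver03.corp.example\archive'
}

# Single prompt; the password lives only in memory as a SecureString.
$cred = Get-Credential -Message 'Account that has rights on the file shares'

foreach ($letter in $shares.Keys) {
    $path = $shares[$letter]
    try {
        # -Persist:$false keeps the mapping in this PowerShell session only:
        # nothing is written to the profile, so no reconnect attempt at logon.
        New-PSDrive -Name $letter -PSProvider FileSystem -Root $path `
                    -Credential $cred -Persist:$false -Scope Global -ErrorAction Stop | Out-Null
        Write-Host "Mapped $($letter): -> $path"
    }
    catch {
        Write-Warning "Could not map $path : $($_.Exception.Message)"
    }
}

# When done, drop the mappings and release the credential object.
# Remove-PSDrive -Name X, Y, Z
# $cred = $null
```

Drives mapped this way are visible to the PowerShell session only, not to Explorer, which is why the post separates the interactive and the scripted cases.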
# ? May 14, 2024 15:14 |
Yeah, it's not repetitive or predictable enough to script a solution for. Right now, I just generally map a dozen drives that don't reconnect at logon, but that's kind of annoying.
# ? Mar 29, 2023 18:55 |
Internet Explorer posted: Pretty funny, because you could have said the same exact thing 20 years ago.

I get where you're coming from but not really, IMO. Once terminal services transitioned to RDS they certainly started closing some gaps but it wasn't a huge priority. AVD is a totally different situation.
# ? Apr 4, 2023 14:07 |
AVD is literally RDSaaS and I don’t really get into end user poo poo but it seems to be as janky of a pile of poo poo as ever. It’s just all abstracted out now
# ? Apr 4, 2023 14:26 |
Conceptually, sure, but I'm talking on an actual feature level where there are distinct differences. Thankfully I got laid off so I don't have to stay on top of it anymore.
# ? Apr 4, 2023 16:14 |
i am a moron posted: AVD is literally RDSaaS and I don’t really get into end user poo poo but it seems to be as janky of a pile of poo poo as ever. It’s just all abstracted out now

From an end user perspective, AVD fixes a lot of the issues with profile jankiness, feature discovery, access control, and media streaming. All the other Terminal Services problems with application compatibility, CPU allocation, network exhaustion, etc. all still exist. MS cramming Defender into the environment at every step and in every way is also profoundly unwelcome.
# ? Apr 5, 2023 04:16 |
I've got a weird situation and I need someone to point me in a direction for further research. I currently have a user base in 365 and azure. Some of these users are also members of legacy domains, some synced from on prem and some entirely separate. These legacy domains have file servers and such that need to stick around. I also have an azure ad ds environment with some servers and many laptops joined to it. This actually works fairly well, except I have to traditionally domain join the laptops to the aadds. What I would like to end up with is:

- scrap all legacy domains
- all workstations company wide on azure ad
- file servers joined to something that lets users automatically authenticate to them on their azure ad workstations

Not sure if aadds joined servers can work that way - the azure object and ad user are the same identity, but I'm not finding much documentation on it. This has to be a solved problem, but I'm not sure where to go next.
# ? Apr 13, 2023 21:20 |
You can get part of the way there - you can have all the workstations AAD-only, and just run a legacy AD for servers. You need to create the users in AD and have them sync to Azure (use Azure AD Connect Cloud Sync) but with an AAD Premium P1 license or any bundle that includes that like EM+S, M365 Business Premium etc. you get password writeback so nobody will ever need to interact with AD. Then you deploy Windows Hello Cloud Kerberos trust so that whenever your workstations need a Kerberos token to hit an on-prem file server they can get one.
# ? Apr 13, 2023 21:27 |
Thanks Ants posted: You can get part of the way there - you can have all the workstations AAD-only, and just run a legacy AD for servers. You need to create the users in AD and have them sync to Azure (use Azure AD Connect Cloud Sync) but with an AAD Premium P1 license or any bundle that includes that like EM+S, M365 Business Premium etc. you get password writeback so nobody will ever need to interact with AD.

So aadds is basically that in reverse - it's a traditional AD synced from azure, rather than the other way around. You create users in azure, they become objects that can be addressed in AD. Everyone has security e3 licenses, so two of the legacy domains sort of work like this now, but I'd like to avoid converting my entire infra if I can.
# ? Apr 13, 2023 21:32 |
AADDS is poo poo, I would avoid it if at all possible. You're better off putting VMs into Azure and then buying three-year commitments for them.
# ? Apr 13, 2023 21:34 |
Thanks Ants posted: AADDS is poo poo, I would avoid it if at all possible. You're better off putting VMs into Azure and then buying three-year commitments for them.

I'm stuck with it for the moment, I made a poor decision in 2019. Did further research, I'm basically boned if I want to use azure ad, looks like. Right now I've got two file servers joined to aadds (works fine, the users who access them are on aadds domain joined laptops), one file server on a legacy domain with user laptops on the same, no ad sync, and two user groups on legacy domains with a NetApp file server (azure based, on prem caching servers). It's starting to look like my best bet may just be to convert the one domain that only exists for its file server to ad sync or the aadds and leave the rest of the mess alone. Putting all of the servers in azure, outside of the NetApp ones, is a no go due to needing to have a short distance to the files. Lots of huge cross linked engineering files that don't play well being accessed over a non-local network.

Silly Newbie fucked around with this message at 21:44 on Apr 13, 2023
# ? Apr 13, 2023 21:42 |
Silly Newbie posted: I'm stuck with it for the moment, I made a poor decision in 2019.

Are you me? I keep asking google these same questions every few months and sorta head down different roads because it always seems like there's an answer, but it tends to all fall apart the second your infrastructure is anything more than shared ms office documents, or aren't willing to scrap 100k in hardware and pay 300k a year in cloud compute.
# ? Apr 13, 2023 22:10 |
bobua posted: Are you me? I keep asking google these same questions every few months and sorta head down different roads because it always seems like there's an answer, but it tends to all fall apart the second your infrastructure is anything more than shared ms office documents, or aren't willing to scrap 100k in hardware and pay 300k a year in cloud compute.

At least working in an M&A environment isn't boring and we get to keep learning new things. I'm starting to understand why all of my counterparts seem to have these sloppy looking siloed environments though.
# ? Apr 13, 2023 22:19 |
Sorry when I said VMs into Azure I meant your domain controllers, as an AADDS alternative. At least then you can have a pair of DCs in each region you operate out of, and stuff works with it.
# ? Apr 13, 2023 22:28 |
Thanks Ants posted: Sorry when I said VMs into Azure I meant your domain controllers, as an AADDS alternative. At least then you can have a pair of DCs in each region you operate out of, and stuff works with it.

That's a good call, I have DCs in azure already for my legacy domains. I'm just hoping for an option that isn't "make a new domain, create all the people from Azure/365 in it, sync back and hope nothing breaks". I think that's going to be a problem for 2024.
# ? Apr 13, 2023 22:41 |
I have a couple stupid Microsoft licensing questions.

1. Do I need Windows User CALs for "bots"? E.g. Power Automate RPA bots that connect into a server via RDS and perform RPA tasks on our ERP software?

2. Let's say we have a factory floor where 10 people work. All 10 people have a Windows CAL because they have their own personal user account and personal workstation. However we have an additional 15 workstations across the factory floor that use a "general" login account, for example: "Plant 2B Processing", "Plant 2B Packaging", "Plant 2B Shipping". These general accounts are used by the people that already have Windows CALs but they're not signing in with their actual user accounts. Do I need additional Windows CALs for these general logins?

Thanks.
# ? Apr 18, 2023 15:00 |
User CALs are for people, not accounts, so you're covered on the second point.
# ? Apr 18, 2023 15:33 |
To piggyback on that, my understanding is that the company needs to own a CAL for any user who accesses a particular server, but the CAL isn't bound to that server. For example, I have 100 users and 10 servers. Each of those servers is only accessed by 10 individual users, and no user accesses multiple servers. I need 10 user CALs. Is that correct?
# ? Apr 19, 2023 06:30 |
Roughly: User CALs are for people. If you have 100 people accessing servers (any number of servers), they need a user CAL. Doesn't matter how many devices (computers) they use to do that access (think: desktop, laptop, phone, etc.). The exception/restriction to that is of course the user CAL is tied to their domain login*. (*not really). Also "accessing" is so utterly broadly defined that technically it includes things like getting a DHCP address from a server or making a DNS query to the server.

Device CALs are for devices - and unlimited users on those devices. E.g. if you have a multi-user computer on the shop floor, you can license that device (with a device CAL), and anyone can use that device.

RDS (user/device) CALs cover Remote Desktop Services only. Licenses the login name or the device connecting and data between the client and the server. If the user on the RDS connection accesses another server you need an additional regular CAL (see above).

Very roughly put: You end up buying a user CAL for every employee in your company just to be safe. And if you run an IIS web server you should get that $2000 "external connector" license so you don't have to license every person in the world that touches your web server. (Seriously)
# ? Apr 19, 2023 19:28 |
CALs are a reason to move as much stuff as possible to M365 subscriptions and to not use IIS to host public-facing services
# ? Apr 19, 2023 19:55 |
Oh, and if your company owner loves playing accounting games and splits staff across multiple companies, that's a user/device license per company. As in, if users A,B,C are in company 1 and users D,E,F are in company 2, and each company owns 1 server that all 6 people use, you'll need 12 licenses (6 per company). Company 1's license isn't valid in Company 2. And as Ants said, it's a really good reason to go to M365 subscriptions and get rid of local infrastructure.
# ? Apr 19, 2023 20:05 |
If you’re small enough you can also just ignore the CAL thing indefinitely, Microsoft doesn’t give a poo poo about it anymore and the last audit I sat through (six years ago?) they tried to get my client to true up and upsell them on some things and client just ignored them and MS never pursued any part of it
# ? Apr 19, 2023 20:30 |
i am a moron posted: If you’re small enough you can also just ignore the CAL thing indefinitely, Microsoft doesn’t give a poo poo about it anymore and the last audit I sat through (six years ago?) they tried to get my client to true up and upsell them on some things and client just ignored them and MS never pursued any part of it

ehh sounds like a good way to get wrekt
# ? Apr 19, 2023 21:03 |
It really doesn’t matter at all. If you aren’t big enough to have a procurement department that handles this for you MS sure as poo poo isn’t going to waste legal resources over any of it
# ? Apr 19, 2023 22:23 |
if it mattered ms would put technical controls on it
# ? Apr 19, 2023 22:28 |
The Fool posted: if it mattered ms would put technical controls on it

This is oddly reassuring.
# ? Apr 19, 2023 23:12 |
Like how you can get one azure ad p2 license and then enable the features for your whole org.
# ? Apr 19, 2023 23:20 |
I’d say to just spring for the Premium Power Automate license (I think it’s like $500 a month for multiple machines? Been a while, don’t remember the specifics) so you can run poo poo unattended (no user logged in). We’ve got a few VMs we run flows on and it works pretty well. If what you’re automating is UI-based vs. API-based, you’ll have to account for some jank (like setting default resolution in the config file to 1920x1080 or whatever the common resolution is for your environment every update) but yeah. Saves our three man team a gently caress load of time.
# ? Apr 20, 2023 13:54 |
The Fool posted: if it mattered ms would put technical controls on it
# ? Apr 20, 2023 18:54 |
GreenNight posted: Like how you can get one azure ad p2 license and then enable the features for your whole org.

lol, this still works?
# ? Apr 20, 2023 23:26 |
Thanks Ants posted: AADDS is poo poo, I would avoid it if at all possible. You're better off putting VMs into Azure and then buying three-year commitments for them.

What trouble have you had with AAD DS, if you feel like sharing? I'm about to demo it.

sporkstand posted: lol, this still works?

Works for a whole lot of features.
# ? Apr 21, 2023 00:42 |
Potato Salad posted: What trouble have you had with AAD DS, if you feel like sharing? I'm about to demo it.

It lives in a weird place where it isn’t “full fat” AD and isn’t Azure AD. If you stick to the use case that it’s designed for (deploying legacy services into a vnet and giving them an AD environment to auth against) then it’s fine. I see talk of people wanting to create VPN tunnels to AADDS to have on-prem NAS join the domain and it’s just not designed for that, and there’s no commitment from MS to have things like Kerberos Cloud trust supported on AADDS - partly because if you’re getting to that point you’re probably using it wrong. I think it’s changed recently but it also could only be deployed in a small subset of Azure regions, with only one instance per Azure AD directory so if you wanted something resilient you were told to build your own VMs and run AD on them.

I used AADDS in a project a few years ago to lift a bespoke CRM package that ran in Terminal Services and used AD integrated auth with SQL Server for a client who was too cheap to replace their EOL hardware and wouldn’t true-up their licensing - we shifted everything to Azure and ran it as a RemoteApp through Application Proxy and it was perfect.
# ? Apr 21, 2023 01:12 |
Could you, technically and legally, assign something like a business premium license to an account to get autopilot\intune onto a laptop, then hand that laptop off to users with non-intune accounts, or does intune only apply policies\updates when an intune licensed user signs in each time?
# ? Apr 21, 2023 14:29 |
Iirc intune is gated by the enterprise mobility and security license. If you're not an enterprise who knows.
# ? Apr 21, 2023 14:50 |
bobua posted: Could you, technically and legally, assign something like a business premium license to an account to get autopilot\intune onto a laptop, then hand that laptop off to users with non-intune accounts, or does intune only apply policies\updates when an intuned licensed user signs in each time.

no, it'll drop the local agent knows whether the user has the entitlement or whether the machine has that new $10 Intune premium or whatever it's called
# ? Apr 21, 2023 16:32 |
https://techcommunity.microsoft.com/t5/intune-customer-success/announcing-windows-laps-management-through-microsoft-intune/ba-p/3801584
# ? Apr 22, 2023 18:37 |
The contract for our current AV solution - Kaspersky Endpoint Security for Cloud - is up for renewal in a few months and we're looking to get a couple of quotes from competitors. We have a couple contracts that stipulate that our endpoints need to have AV software installed so this is an organizational requirement. What is the MS equivalent? Any other recommendations?
# ? Apr 25, 2023 23:30 |
Microsoft Defender for Endpoint is what they’re calling it this week. It works pretty well and is included if you have the right licenses.
# ? Apr 26, 2023 00:38 |
We've been very happy with MS 365 cloud endpoint defender whatever. It is extremely powerful and we have the e5 licenses. Just wish we had the time to really dig in and get automation running for user/device risk closures, playbooks, etc. I'd run it on my personal machine too if it didn't pipe everything I do back to the central control panel for any other admin to see
# ? Apr 26, 2023 00:50 |
Defender for Endpoints is very good, but it doesn't have a single pane of view for all its features (AV, AntiMalware, EDR, and DLP), and expects devices to be Intune managed. It will need more hands-on than most other 'A/V' only solutions, but does offer a lot more if you put in the effort. Crowdstrike is another one to consider, the security team at my company likes it.
# ? Apr 26, 2023 02:51 |