Thanks Ants
May 21, 2004

#essereFerrari


GPO migration can be helped by this very nice tool

https://learn.microsoft.com/en-us/mem/intune/configuration/group-policy-analytics-migrate


Toshimo
Aug 23, 2012

He's outta line...

But he's right!
I appreciate all that, but I'm extraordinarily siloed, here. On paper, all I do is script apps for deployment. In reality, I deal a bit with some of the bits and bobs of prod deployments (managing collections/deployments), but our branch doesn't develop/maintain the Task Sequences, GPOs, AD, or the CM infrastructure. We package things and handle the deployments and that's basically all of it. It's all very weird.

It's a wild show, because I finally, after years, made a publicly visible mistake a few weeks ago, and people lost their goddamn minds very loudly (idgaf) and had their executives calling my executives (also, idgaf) because the amount of wage time lost to one small typo was probably more than I make in a year. Between the actual Homeland Security auditing requirements, the bullshit fake hearsay "auditing" requirements, the extensive testing (our test lab is like 300 machines), our lifecycle of even the smallest change (think Acrobat reader minor patch) is like 6 weeks from submission of paperwork to code actually getting released into the wild (and might be a 3 week small rollout + phase-in + full prod release taking it to 9 weeks from conception to prod).

It's all very weird.

Internet Explorer
Jun 1, 2005





well that sounds like a loving nightmare
condolences

Toshimo
Aug 23, 2012

He's outta line...

But he's right!
We also don't use like... I'd guess... 80% of the CM Console because either (a) nobody knows how it works or (b) there's so much operational cruft and inertia that the political capital to even start looking at new things is Sisyphean.

I don't know how this compares to elsewhere, but we got out of packages almost entirely (I can count on one hand the number of packages/year we release, compared to hundreds of applications). We have basically 2 guys writing applications and 1 (me) is almost exclusively pushing stuff in PowerShell and the other is almost exclusively authoring MSIs to wrap things and his stuff is so incredibly black box we are turbo hosed if anything happens to him again. We have extremely large task sequences for imaging, the MSI guy does all our WSUS (which is only used for MS stuff, though I've heard you could push stuff from other vendors that way, never really looked into it). Implementing a configuration baseline requires so much paperwork almost nobody ever does it.

I look forward to the day when I gently caress up all 135,000 machines and I can truly free myself from caring about anything forever because nothing I can do is worse than that (j/k loving up something so bad we do a CMS-level PII leak would be the holy grail).

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Does anyone here ever work with MIM outside of the synchronization engine with AD? Has anyone done integrations into other LDAPs directories or designed actual workflows? How is that?

nielsm
Jun 1, 2009



Crosby B. Alfred posted:

Does anyone here ever work with MIM outside of the synchronization engine with AD? Has anyone done integrations into other LDAPs directories or designed actual workflows? How is that?

Developing integrations with MIM to all sorts of things that vaguely resemble a directory is part of my job description. I'm still very new to it, but have put one little thing in production at least.
However it's only using the synchronization engine and developing extensions for that, not any other components.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


What does that look like on a day to day basis? How difficult is it?

nielsm
Jun 1, 2009



Day to day, it tends to be very maintenance free when the agents are well enough written and the source data are good quality.

The difficulty depends a whole lot on what systems you're tasked to integrate with, how sensible their APIs are, and how well your requirements docs are written.

Basically to integrate something with MIM, you need a management agent that can read and write the relevant objects in the system. You can either write those from scratch in C# (there's templates to start from), or use one of the generic MAs that offer frameworks to e.g. implement things in PowerShell or access data in an SQL database.
The learning curve can be a bit tough, there's a ton of theory of how the sync engine works you need to have a good grasp of, and the total configuration ends up scattered across a lot of modules.
It's absolutely a programming job.


In general, if you have a remote system that has objects with attributes, and an API to create, read, update, list, and delete those objects, you can make MIM manage it. It technically doesn't have to be user accounts at all.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


What's the best way to learn all of it?

nielsm
Jun 1, 2009



Honestly, I'm not sure. I'm on a team with an experienced consultant who's been teaching me. Assuming you don't have that, my best suggestion is to look for courses and tutorials and try to build something. You can find various open sourced management agents and rules extensions projects to work off too, but a lot of it is also configuration outside just the code and DLLs.

Silly Newbie
Jul 25, 2007
How do I?

Thanks Ants posted:

Microsoft 365 F3 licenses might be better suited to the type of employee

I've got Security and Compliance E3 + Office 365 E1, E3, and E5 rolled out to all my users. By my reading, I could swap all of my field techs to just Microsoft 365 F3 rather than Security E3 + Office E1 and the only downside is a smaller mailbox, is that right? I just need them to get company-wide emails, maybe send vacation requests to their supervisors, and have MAM-WE licensing for personal phones.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life

Silly Newbie posted:

I've got Security and Compliance E3 + Office 365 E1, E3, and E5 rolled out to all my users. By my reading, I could swap all of my field techs to just Microsoft 365 F3 rather than Security E3 + Office E1 and the only downside is a smaller mailbox, is that right? I just need them to get company-wide emails, maybe send vacation requests to their supervisors, and have MAM-WE licensing for personal phones.

I’m in the same boat and that’s my understanding. I’m about to swap a few maintenance techs over today.

They only use their Microsoft account for SSO and a company email. If they ever use a PC for training it’ll be in a browser.

Silly Newbie
Jul 25, 2007
How do I?

Cyks posted:

I’m in the same boat and that’s my understanding. I’m about to swap a few maintenance techs over today.

They only use their Microsoft account for SSO and a company email. If they ever use a PC for training it’ll be in a browser.

Update: talked to my CSP, we're right. Also https://m365maps.com is great.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life

Silly Newbie posted:

Update: talked to my CSP, we're right. Also https://m365maps.com is great.

Thanks for the follow up.

I switched 6 over yesterday as a test group and no issues so far. I never considered the F3 license until a few posts ago but it’s going to save us around 20k a year which is noticeable percentage of my yearly budget.

Cyks fucked around with this message at 15:30 on Jun 6, 2023

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
Wow, didn't know Business Premium and E3 pulled so far apart.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life
Not only is it a third of the cost of Business Premium, but the F3 licenses don't count towards the 300 business license max, which is nice.

I did accidentally buy Office 365 F3 instead of Microsoft 365 F3 and support told me "You can just cancel the license for the next billing cycle!"

Thanks support; the next billing cycle is 363 days from now; I was asking if I can get refunded today. Only cost like $250 but still.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
I'm the de facto Intune admin at my place and Apple is really getting their poo poo together for MDM on macOS

https://mobile-jon.com/2023/06/09/mobile-jons-wwdc-2023-review-part-1/

JIT user setup, force filevault enrollment, and useful managed apple ID are coming.

Gothmog1065
May 14, 2009
Is there a decent tool where I can export my DHCP settings, set reservations on the MAC addresses and reimport them? I'm basically looking to move things around so IPs are grouped together properly and IPs are reserved.
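The question above goes unanswered in the thread, so here is one way to do it with the built-in Windows Server DhcpServer cmdlets. This is an added example, not something any poster provided: it backs up the server, dumps the active leases of one scope to a CSV (which you then edit to regroup the addresses), and turns each row back into a MAC-based reservation. The server name, scope ID and file paths are placeholders.

```powershell
# Added example, not from the thread: convert the active leases in a DHCP scope into
# reservations, with a CSV step in the middle so the IPs can be rearranged by hand.
# Assumes the Windows Server DhcpServer module (RSAT); server/scope names are placeholders.
Import-Module DhcpServer

$Server  = 'dhcp01.corp.example'   # placeholder
$ScopeId = '10.20.30.0'            # placeholder
$Csv     = "$env:TEMP\scope-$ScopeId.csv"

# Step 1: full server export (config + leases) before touching anything.
# Import-DhcpServer -File ... -BackupPath ... restores from this if step 3 goes wrong.
Export-DhcpServer -ComputerName $Server -File "$env:TEMP\dhcp-backup.xml" -Leases -Force

# Step 2: dump the active leases. Edit the IPAddress column in the CSV to regroup hosts.
Get-DhcpServerv4Lease -ComputerName $Server -ScopeId $ScopeId |
    Where-Object { $_.AddressState -like 'Active*' } |
    Select-Object IPAddress, ClientId, HostName, Description |
    Export-Csv -Path $Csv -NoTypeInformation

# Step 3: read the (edited) CSV back and create one reservation per row.
function New-ReservationsFromCsv {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$ScopeId
    )

    $existing = Get-DhcpServerv4Reservation -ComputerName $ComputerName -ScopeId $ScopeId
    foreach ($row in Import-Csv -Path $Path) {
        # ClientId is the MAC, e.g. 00-15-5d-01-02-03. Normalise separators so
        # duplicates compare equal and typos in the edited CSV are caught here.
        $mac = ($row.ClientId -replace '[:\.]', '-').ToUpper()
        if ($mac -notmatch '^([0-9A-F]{2}-){5}[0-9A-F]{2}$') {
            Write-Warning "Skipping $($row.HostName): bad MAC '$($row.ClientId)'"
            continue
        }
        if ($existing.ClientId -contains $mac) {
            Write-Verbose "Reservation for $mac already exists, skipping"
            continue
        }
        Add-DhcpServerv4Reservation -ComputerName $ComputerName -ScopeId $ScopeId `
            -IPAddress $row.IPAddress -ClientId $mac `
            -Name $row.HostName -Description $row.Description
    }
}

New-ReservationsFromCsv -Path $Csv -ComputerName $Server -ScopeId $ScopeId -Verbose
```

Run step 3 during a window where the clients can renew: a host whose reservation now points at a different address keeps its old lease until it renews (or you `ipconfig /release` and `/renew` it), so the regrouping is not instantaneous.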

Thanks Ants
May 21, 2004

#essereFerrari


Cross-tenant sync is GA :toot:
https://learn.microsoft.com/en-gb/azure/active-directory/multi-tenant-organizations/cross-tenant-synchronization-overview

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.


Cross-cloud (such as public cloud to Azure Government) isn't currently supported

Boo

lol internet.
Sep 4, 2007
the internet makes you stupid
Is there an MSP post?? I have a feeling my question is more geared towards there but not able to find one.

Thanks Ants
May 21, 2004

#essereFerrari


An MSP thread would be even more of a hotbed of depression than the other generic IT working threads, it's important to dilute things a bit

Hed
Mar 31, 2004

Fun Shoe
I have some Finance & Accounting people who need to send a quarterly email to some (internal) recipients and get an affirmative reply. Right now they use Boomerang to send it, but the app asks for permission to be able to look at all your email and send/receive.

Does Microsoft have something that would let them set up recurring emails and get responses? Perfect would be something that emails as them or has them on the conversation and the reply is from there. This happens frequently enough they want to automate it but infrequently enough that I don't want to go fire up Amazon SES and blast stuff out.

We'd use boomerang but don't want to accept the security risk of finance person's email exposed to yet another party. Microsoft is fine.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
n/m i was looking at one feature.

Trauts
May 1, 2010
So I got issued a work laptop w/ windows 11. Only local account is admin, and that's where they supposedly entered my domain credentials. Did the change the password for myname@domain. It shows up in Accounts under Email, but when I try to use that as a Microsoft account to get into the store to download apps, it won't let me use that login, says no account exists even though I am looking at it in the other window?

I used my personal MS account on the non admin local user I created to login and that linked fine. Any ideas on what could be going on there? I'm having a hard time working my head around what exactly got set up. Any good articles or videos about this topic would be really appreciated

kiwid
Sep 30, 2013

Hed posted:

I have some Finance & Accounting people who need to send a quarterly email to some (internal) recipients and get an affirmative reply. Right now they use Boomerang to send it, but the app asks for permission to be able to look at all your email and send/receive.

Does Microsoft have something that would let them set up recurring emails and get responses? Perfect would be something that emails as them or has them on the conversation and the reply is from there. This happens frequently enough they want to automate it but infrequently enough that I don't want to go fire up Amazon SES and blast stuff out.

We'd use boomerang but don't want to accept the security risk of finance person's email exposed to yet another party. Microsoft is fine.

Sounds like a use case for Power Automate.

Set a scheduled trigger to send an email with a Microsoft Form that logs responses to a SharePoint List?

kiwid fucked around with this message at 03:23 on Jul 7, 2023

Zarin
Nov 11, 2008

I SEE YOU

Hed posted:

I have some Finance & Accounting people who need to send a quarterly email to some (internal) recipients and get an affirmative reply. Right now they use Boomerang to send it, but the app asks for permission to be able to look at all your email and send/receive.

Does Microsoft have something that would let them set up recurring emails and get responses? Perfect would be something that emails as them or has them on the conversation and the reply is from there. This happens frequently enough they want to automate it but infrequently enough that I don't want to go fire up Amazon SES and blast stuff out.

We'd use boomerang but don't want to accept the security risk of finance person's email exposed to yet another party. Microsoft is fine.

Publicly, brutally, physically punish your people for choosing an accounting or finance degree.

Source: am an accountant

Edit: Make them regret opening a ticket.

Cyks
Mar 17, 2008

The trenches of IT can scar a muppet for life

Trauts posted:

So I got issued a work laptop w/ windows 11. Only local account is admin, and that's where they supposedly entered my domain credentials. Did the change the password for myname@domain. It shows up in Accounts under Email, but when I try to use that as a Microsoft account to get into the store to download apps, it won't let me use that login, says no account exists even though I am looking at it in the other window?

I used my personal MS account on the non admin local user I created to login and that linked fine. Any ideas on what could be going on there? I'm having a hard time working my head around what exactly got set up. Any good articles or videos about this topic would be really appreciated

Accounts for business/enterprise can’t be used for the normal Microsoft store.

Ideally you should be using company portal or a third party tool to install apps at this point, not the Microsoft store.

Hed
Mar 31, 2004

Fun Shoe

kiwid posted:

Sounds like a use case for Power Automate.

Set a scheduled trigger to send an email with a Microsoft Form that logs responses to a SharePoint List?

Thanks, this turned out to be a winner. Even easier, I just had them send an email with everyone needed on it, and they can get the compliance-required yes or no. Much better than getting some 3rd party software involved to send some scheduled emails, and they can manage it themselves.


Zarin posted:

Publicly, brutally, physically punish your people for choosing an accounting or finance degree.

Source: am an accountant

Edit: Make them regret opening a ticket.

I'm going to start sending them automated emails from a mysterious "BOFH".

dexter6
Sep 22, 2003
I have (what I hope is) a quick question about deleting a user account and litigation hold.

Our normal process is when someone leaves, we just hit delete user in the admin center. This process grants access to their OneDrive to another employee and creates a shared inbox for their emails. And then 90 days later we delete the shared inbox. This works fine.

The wrinkle is when HR requests litigation hold be turned on, as that is not compatible with shared inboxes.

Is there a way to turn on litigation hold and convert the mailbox to shared or is it one or the other?

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

dexter6 posted:

I have (what I hope is) a quick question about deleting a user account and litigation hold.

Our normal process is when someone leaves, we just hit delete user in the admin center. This process grants access to their OneDrive to another employee and creates a shared inbox for their emails. And then 90 days later we delete the shared inbox. This works fine.

The wrinkle is when HR requests litigation hold be turned on, as that is not compatible with shared inboxes.

Is there a way to turn on litigation hold and convert the mailbox to shared or is it one or the other?

I have never messed with accounts/mailboxes that are in litigation hold but according to a random reddit post I found, you can convert after doing the litigation hold as long as the account is licensed with EOP1 and online archiving or an EOP2 license.

Moey
Oct 22, 2010

I LIKE TO MOVE IT
Speaking of legal hold, I was just reviewing some crap I have squirreled away. Holds from 2020 and 2021.

Sure would be cool if we had some sort of line of communication for when we can nuke these.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Moey posted:

Speaking of legal hold, I was just reviewing some crap I have squirreled away. Holds from 2020 and 2021.

Sure would be cool if we had some sort of line of communication for when we can nuke these.

Good, your email backups are working.

chocolateTHUNDER
Jul 19, 2008

GIVE ME ALL YOUR FREE AGENTS

ALL OF THEM

Moey posted:

Speaking of legal hold, I was just reviewing some crap I have squirreled away. Holds from 2020 and 2021.

Sure would be cool if we had some sort of line of communication for when we can nuke these.

When working on an on-prem > Exchange Online migration last year, I ran a report of all the mailboxes we had on legal hold and sent them to our in-house counsel. Asked them to review the users and tell us if we could take any of these people off legal hold - some of these mailboxes have been on hold for like 7-8 years at this point.

They quickly replied back and said to keep everything on the list intact.

So when my boss asked why these people needed more expensive licensing...I just forwarded her the email I got from the lawyers. It's their problem now!
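For anyone wanting to produce the same kind of report for counsel, and to check what happens to the hold when a departed user's mailbox is converted to shared (the question a few posts up), here is an added example using the Exchange Online PowerShell module. It is not code from any poster: it lists every mailbox with Litigation Hold enabled, how long it has been held and who set it, writes that to a CSV, and wraps `Set-Mailbox -Type Shared` in a check that the hold is still in place afterwards rather than assuming the licensing worked out. The admin UPN and output path are placeholders.

```powershell
# Added example, not from the thread: report mailboxes on Litigation Hold for legal review,
# and convert a held mailbox to shared only while confirming the hold survives.
# Assumes the ExchangeOnlineManagement module; UPN and paths are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder

function Get-LitigationHoldReport {
    param([string]$OutFile = "$env:TEMP\litigation-holds.csv")

    # The Hold property set carries the LitigationHold* attributes; Minimum gives identity.
    $held = Get-EXOMailbox -ResultSize Unlimited -PropertySets Minimum, Hold |
        Where-Object { $_.LitigationHoldEnabled }

    $report = foreach ($mbx in $held) {
        [pscustomobject]@{
            DisplayName          = $mbx.DisplayName
            UserPrincipalName    = $mbx.UserPrincipalName
            RecipientTypeDetails = $mbx.RecipientTypeDetails   # UserMailbox / SharedMailbox
            HoldDate             = $mbx.LitigationHoldDate
            HoldOwner            = $mbx.LitigationHoldOwner
            HoldDuration         = $mbx.LitigationHoldDuration  # a timespan or "Unlimited"
            YearsOnHold          = if ($mbx.LitigationHoldDate) {
                [math]::Round(((Get-Date) - $mbx.LitigationHoldDate).TotalDays / 365, 1)
            }
        }
    }
    $report | Sort-Object HoldDate | Export-Csv -Path $OutFile -NoTypeInformation
    return $report
}

function Convert-HeldMailboxToShared {
    param([Parameter(Mandatory)][string]$Identity)

    $before = Get-Mailbox -Identity $Identity
    if (-not $before.LitigationHoldEnabled) {
        throw "$Identity is not on Litigation Hold; nothing to preserve through conversion"
    }

    Set-Mailbox -Identity $Identity -Type Shared

    # Re-read and verify: if the hold dropped, stop here and escalate before the
    # user object (and with it the licence) is removed.
    $after = Get-Mailbox -Identity $Identity
    if (-not $after.LitigationHoldEnabled) {
        throw "$Identity converted but LitigationHoldEnabled is now false; check licensing before deleting the user"
    }
    $after | Select-Object DisplayName, RecipientTypeDetails, LitigationHoldEnabled, LitigationHoldDate
}

$report = Get-LitigationHoldReport
$oldest = ($report | Sort-Object HoldDate | Select-Object -First 1).HoldDate
"{0} mailboxes on hold, oldest since {1:yyyy-MM-dd}" -f $report.Count, $oldest
```

The report is what you hand to counsel; keep their reply next to the CSV, since, as the post above shows, the answer to "why do these people need more expensive licensing" ends up being that email.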

tehinternet
Feb 14, 2005

Semantically, "you" is both singular and plural, though syntactically it is always plural. It always takes a verb form that originally marked the word as plural.

Also, there is no plural when the context is an argument with an individual rather than a group. Somfin shouldn't put words in my mouth.
Doubt they read the list, in their position I’d consider what getting one name wrong would cost and I’d probably say “Yeah, keep the whole list intact.” Whatever is saved on the licenses wouldn’t be worth the potential downside.

chocolateTHUNDER
Jul 19, 2008

GIVE ME ALL YOUR FREE AGENTS

ALL OF THEM

tehinternet posted:

Doubt they read the list, in their position I’d consider what getting one name wrong would cost and I’d probably say “Yeah, keep the whole list intact.” Whatever is saved on the licenses wouldn’t be worth the potential downside.

This is totally possible, considering I got the reply back in less than 5 minutes iirc.

Flocons de Jambon
Apr 11, 2015
I'm new to Enterprise Windows and I solved an issue recently by running an installer from a powershell console as administrator instead of just double clicking it in explorer and having it fail silently. Am I missing something about UAC here? I was logged in on my admin account when double clicking the .msi, shouldn't that have the same privileges as being launched from powershell in a console run as admin?

Wizard of the Deep
Sep 25, 2005

Another productive workday
Not really. What should have happened was the MSI realized it needed admin escalation, and requested it. It didn't.

Running it from an administrative console allows it to inherit the admin rights. Explorer.exe isn't running an elevated session unless you explicitly tell it to. And you shouldn't really do that.

You probably could have accomplished the same thing by right-clicking the MSI and selecting "Run as administrator". Maybe hold shift or ctrl, I can never remember which.

All in all, everything functioned as expected, and you've got a poo poo MSI that doesn't know about UAC.
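To make the point above concrete, here is an added example (not from the poster) for the packaging side: check whether the current PowerShell session is actually elevated, and if it is not, launch `msiexec` through the UAC prompt with `-Verb RunAs` so you are not depending on an MSI that never asks for elevation itself. It also writes a verbose installer log, because the log is what tells you whether a silent failure was a privilege problem (Windows Installer error 1925) or something else. The MSI path is a placeholder.

```powershell
# Added example, not from the thread: detect elevation, and relaunch msiexec through UAC
# when needed, instead of relying on the installer to request it. Path is a placeholder.
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Install-MsiElevated {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$LogPath = "$env:TEMP\$([IO.Path]::GetFileNameWithoutExtension($Path)).log"
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "MSI not found: $Path" }

    # /qn silent, /norestart, /l*v verbose log. Quote paths in case they contain spaces.
    $msiArgs = @('/i', "`"$Path`"", '/qn', '/norestart', '/l*v', "`"$LogPath`"")

    if (Test-IsElevated) {
        # Already elevated (e.g. an admin console): the child inherits the token.
        $p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    } else {
        # Not elevated (e.g. launched like a double-click from Explorer): -Verb RunAs
        # triggers the UAC prompt and runs msiexec with the admin token.
        $p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Verb RunAs -Wait -PassThru
    }

    switch ($p.ExitCode) {
        0       { "Installed OK, log: $LogPath" }
        3010    { "Installed, reboot required, log: $LogPath" }
        1925    { throw "Installer still lacked privileges after elevation; see $LogPath" }
        default { throw "msiexec exited $($p.ExitCode); see $LogPath" }
    }
}

Install-MsiElevated -Path 'C:\Staging\SomeVendorApp.msi'   # placeholder
```

Exit code 3010 (ERROR_SUCCESS_REBOOT_REQUIRED) is a success you usually want to surface separately to the deployment tool; treating it as failure is a common cause of "the app installed but CM says it didn't".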

devmd01
Mar 7, 2006

Elektronik
Supersonik
You have to kick off the ServiceNow MID Server installer from an already elevated prompt, otherwise it won't work. So dumb.


The Fool
Oct 16, 2003


I used to support an accounting app that needed admin access and access to a mapped drive

the user accounts didn't have admin and the admin accounts didn't have access to the share

that was always fun
