ptier
Jul 2, 2007

Back off man, I'm a scientist.
Pillbug
OK So I have a fun one.

I have an ADFS installation that cannot read the employeeNumber entry from Active Directory. I dug into it and the account didn't have read permissions for those attributes.

Now, if I give full control over the AD Objects to the ADFS service, it can read the employeeNumber. If I remove Full Control but leave all the read permissions I cannot read the attribute any longer.

Right now when I look at effective permissions, the account has permission to read the attribute on the object but it still cannot read the drat attribute. I just get blank. I truly cannot fathom it at this moment.

Am I doing something completely stupid?


incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
What happens when you try to use the ADFS credentials in ldp.exe and try to enumerate the attributes? It's a hardcore tool, but should give you an idea what's up

http://www.active-directory-security.com/2016/06/ldp-for-active-directory-download-usage-tutorial-and-examples.html

ptier
Jul 2, 2007

Back off man, I'm a scientist.
Pillbug

incoherent posted:

What happens when you try to use the ADFS credentials in ldp.exe and try to enumerate the attributes? It's a hardcore tool, but should give you an idea what's up

http://www.active-directory-security.com/2016/06/ldp-for-active-directory-download-usage-tutorial-and-examples.html

Thank you for that link. I went through it and was able to enumerate what could be read by the account when it had Full Control vs. otherwise. It's nuts. I can set it to read everything, yet employeeNumber isn't enumerated. When I go to security descriptors, I can see that I have full read permissions and no go. I give it Full Control and BAM! I can read it.

It's weird as hell. I think there are some bad bad settings in our AD from our previous lords.

I'll dig deeper. And again thank you!

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
Sounds like you'll need to call Microsoft professional services. Out of curiosity what is your forest/domain level? Also does the behavior happen when you bind to every domain controller? (or Global Catalog DC?)

lol internet.
Sep 4, 2007
the internet makes you stupid
Does it make sense to use System Center VMM to manage multiple 2 cluster vhosts?

I briefly used it to manage larger 6-7 node clusters in the past... never multiple 2 node clusters.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
Multiple as in "3 to 4" 2-node or more?

Zaepho
Oct 31, 2013

lol internet. posted:

Does it make sense to use System Center VMM to manage multiple 2 cluster vhosts?

I briefly used it to manage larger 6-7 node clusters in the past... never multiple 2 node clusters.

If you already have the licensing, go for it. At worst you get cluster aware patching, VM Templating, and a bit of an easier single pane of glass to manage each of the clusters.

If you don't have the licensing, consider how much the features will benefit you and then work back from there.

lol internet.
Sep 4, 2007
the internet makes you stupid

incoherent posted:

Multiple as in "3 to 4" 2-node or more?

Like 10+ 2 node clusters

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


What’s the general goon consensus on Intune? How close are we to getting rid of GPOs and only using Azure AD Join?

Thanks Ants
May 21, 2004

#essereFerrari


Not that close. If you want to manage an office full of admin workers on desktops then Intune is probably a bad choice. If you need some light-touch management to ensure that laptops with access to corporate data have BitLocker enabled, a way to distribute apps, configure Wi-Fi networks with the correct certificates then go for it.

It's a different tool to GPO, though there is an increasing amount of overlap.

If you want to have Azure AD login -> Intune enrolment as a workflow then you need Azure AD Premium, and EM+S is cheaper, so base your licensing costs on that. If you just have a bunch of desktops and nobody does email remotely then just put a couple of domain controllers in different Azure regions and build VPNs to them, and go down the traditional AD bind route. Maybe do EM+S for people that have laptops.

Thanks Ants fucked around with this message at 11:55 on Apr 4, 2018

ptier
Jul 2, 2007

Back off man, I'm a scientist.
Pillbug

incoherent posted:

Sounds like you'll need to call Microsoft professional services. Out of curiosity what is your forest/domain level? Also does the behavior happen when you bind to every domain controller? (or Global Catalog DC?)

So far every domain controller. Yeah, I think official services is the way to go on this one too. The previous "team" of knuckleheads have done some super shady crap to this domain.

lol internet.
Sep 4, 2007
the internet makes you stupid
Oh, question about Windows 10 GPO. Which policy will stop the OS from installing "modern" apps for printer devices automatically?

I.e. network printers are pushed out through GPO, but when I click on the Start menu it looks like the printer is installing an app into the OS as well, so what ends up happening is that the program gets added to the Start menu but never installs because the users don't have admin access.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
Do you mean the one that allows users to install printers without needing admin rights?

Thanks Ants
May 21, 2004

#essereFerrari


Nah I know what they mean, there is a setting that disables the ability for a device driver to kick off a Windows Store download for a helper app

Edit:


Obviously it resets after OS upgrades because Microsoft

Thanks Ants fucked around with this message at 21:59 on Apr 4, 2018

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

ptier posted:

OK So I have a fun one.

I have an ADFS installation that cannot read the employeeNumber entry from Active Directory. I dug into it and the account didn't have read permissions for those attributes.

Now, if I give full control over the AD Objects to the ADFS service, it can read the employeeNumber. If I remove Full Control but leave all the read permissions I cannot read the attribute any longer.

Right now when I look at effective permissions, the account has permission to read the attribute on the object but it still cannot read the drat attribute. I just get blank. I truly cannot fathom it at this moment.

Am I doing something completely stupid?

If I had to guess someone set/marked the employeeNumber attribute in AD as confidential. It explains the issue you're seeing.

Check for that. I'm short on time so I can't go too in depth about it, but there's plenty of blogs that can explain it better than me. I put some links below, or google "AD Confidential Bit". Sorry I didn't reply sooner.

http://www.frickelsoft.net/blog/?p=151

https://support.microsoft.com/en-us/help/922836/how-to-mark-an-attribute-as-confidential-in-windows-server-2003-servic

http://www.frickelsoft.net/blog/?p=288

https://dirteam.com/tomek/2005/11/21/confidential-bit/
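As an added illustration of the check skipdogg describes (this is not code from any poster in the thread), the script below reads the searchFlags of the employeeNumber attributeSchema object to see whether the confidential bit (0x80) is set, then lists the ACEs on a users container that carry the CONTROL_ACCESS (ExtendedRight) right scoped to that attribute, which is the right a read-only service account needs in addition to plain read. It assumes the ActiveDirectory PowerShell module and uses a placeholder OU path.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module
# and an account that can read the schema and the target container's DACL.
Import-Module ActiveDirectory

$attrName = 'employeeNumber'
$targetOu = 'OU=Staff,DC=example,DC=com'   # placeholder; replace with your users container

# 1. Confidential bit: searchFlags bit 7 (0x80) on the attributeSchema object.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
                     -LDAPFilter "(lDAPDisplayName=$attrName)" `
                     -Properties searchFlags, schemaIDGUID
$isConfidential = ($attr.searchFlags -band 0x80) -ne 0
"{0}: searchFlags={1} confidential={2}" -f $attrName, $attr.searchFlags, $isConfidential

# 2. When the bit is set, generic Read is not enough: the reader needs the
#    CONTROL_ACCESS right, which shows up as an ExtendedRight ACE whose
#    ObjectType is the attribute's schemaIDGUID (or the all-zero GUID, which
#    covers every extended right and is why Full Control "fixes" it).
$attrGuid = [guid]$attr.schemaIDGUID
$acl = Get-Acl -Path "AD:\$targetOu"
$controlAccessAces = $acl.Access | Where-Object {
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)
}

if ($controlAccessAces) {
    $controlAccessAces |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, IsInherited |
        Format-Table -AutoSize
} else {
    "No ACE on $targetOu grants CONTROL_ACCESS for $attrName; a read-only account will get a blank value."
}
```

If the attribute is confidential and the service account is absent from the listed ACEs, grant it CONTROL_ACCESS on just that attribute (the Microsoft KB linked above walks through doing this with dsacls) rather than Full Control.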

lol internet.
Sep 4, 2007
the internet makes you stupid

No not this

ptier
Jul 2, 2007

Back off man, I'm a scientist.
Pillbug

skipdogg posted:

If I had to guess someone set/marked the employeeNumber attribute in AD as confidential. It explains the issue you're seeing.

Check for that. I'm short on time so I can't go too in depth about it, but there's plenty of blogs that can explain it better than me. I put some links below, or google "AD Confidential Bit". Sorry I didn't reply sooner.

http://www.frickelsoft.net/blog/?p=151

https://support.microsoft.com/en-us/help/922836/how-to-mark-an-attribute-as-confidential-in-windows-server-2003-servic

http://www.frickelsoft.net/blog/?p=288

https://dirteam.com/tomek/2005/11/21/confidential-bit/

This! :science: This right here! Thank you so much! I thought it would be something like this, but honestly I had no inkling of the nomenclature as I had never run into it in production before. And yeah, it probably needed to be a confidential thing because security. Which is all good. Just no one here from then to tell anyone else.

Now my ADFS service can't get rocked and totally screw up our AD because it can only read!

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

We're currently in the market to purchase 60 new phones. We're looking at both iOS and Android phones. Our carrier (Verizon) is quoting roughly $200 more per iOS device (iPhone 6s and Samsung Galaxy J7V are what we're looking at). Does this seem normal? I'm finding it hard to believe that Apple devices are competitive with that much of a price difference.
Also, we're evaluating using Intune to manage the phones. In our testing so far, it seems that the management options are more limited with regards to Android. I can't even find a way to remotely reset a password/PIN on the Android devices. Same goes for remotely enabling some kind of 'lost mode'. On the iOS side, both of these things are easy to do so I don't know if I'm missing something or if the capability just isn't there.

Potato Salad
Oct 23, 2014

nobody cares


SAFE 2.0 devices and later similar standards have pin reset in AirWatch, I'd be surprised if Intune really lacked it

Ugato
Apr 9, 2009

We're not?

Mr. Clark2 posted:

We're currently in the market to purchase 60 new phones. We're looking at both iOS and Android phones. Our carrier (Verizon) is quoting roughly $200 more per iOS device (iPhone 6s and Samsung Galaxy J7V are what we're looking at). Does this seem normal? I'm finding it hard to believe that Apple devices are competitive with that much of a price difference.
Also, we're evaluating using Intune to manage the phones. In our testing so far, it seems that the management options are more limited with regards to Android. I can't even find a way to remotely reset a password/PIN on the Android devices. Same goes for remotely enabling some kind of 'lost mode'. On the iOS side, both of these things are easy to do so I don't know if I'm missing something or if the capability just isn't there.

I can’t speak to the business purchasing side but I know Apple is incredibly controlling on pricing and in general is just very expensive, even to vendors/stores. It wouldn’t surprise me that android devices have more leeway on deal making.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Ugato posted:

I can’t speak to the business purchasing side but I know Apple is incredibly controlling on pricing and in general is just very expensive, even to vendors/stores. It wouldn’t surprise me that android devices have more leeway on deal making.

There isn't much of a discount on the business side either. Laptops maybe 50 bucks. A small discount on AppleCare. We never purchased in bulk, but we did purchase direct from Apple.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)
Also just a heads up, if you want to do any kind of device management with iOS, make sure your vendor can register your devices to Apple's DEP which will funnel them into your MDM when your users set them up (makes poo poo really easy to manage).

orange sky
May 7, 2007

Yeah, Intune for Android sucks. My customers hate that fact since Microsoft sells it as the greatest thing. Then you open it and it says "Samsung KNOX only" in 99% of the settings.

I guess they keep all those settings only to be able to advertise to the customers that "Intune does it" and that is a really lovely tactic to me and it only fucks us partners, we get the biggest complaints

Potato Salad
Oct 23, 2014

nobody cares


Seriously, get an AirWatch (now wso) demo, maybe even vIDM if you don't have a good SSO solution

Moey
Oct 22, 2010

I LIKE TO MOVE IT
Does anyone use Knox for MDM? I'm curious about it.

Other idiots at my work rolled a half-assed Meraki setup and abandoned it. They also now charge for it. Might as well evaluate options.

Beefstorm
Jul 20, 2010

"It's not the size of the tower. It's the motion of the airwaves."
Lipstick Apathy

Moey posted:

Does anyone use Knox for MDM? I'm curious about it.

Other idiots at my work rolled a half-assed Meraki setup and abandoned it. They also now charge for it. Might as well evaluate options.

I just set up the Knox Mobile Enrollment program for our Galaxy tablets. Basically it skips the setup and forwards the device to whatever MDM you have (kind of like Apple DEP). Works pretty well.

I haven't used the full blown Knox MDM though.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

Matt Zerella posted:

Also just a heads up, if you want to do any kind of device management with iOS, make sure your vendor can register your devices to Apple's DEP which will funnel them into your MDM when your users set them up (makes poo poo really easy to manage).

Small story: We ping-ponged back and forth from Verizon to Sprint back to Verizon (manager pissing match) and from the get-go we directed Sprint to enroll all the new phones through DEP. With about 100+ devices to deploy we had them all out to the field within a week.

Then, when the pissing match was over and back on Verizon they sent their list of new hardware to DEP and had an insanely quick redeployment.

A+++ would recommend.

Weedle
May 31, 2006




Just got off a call with Office 365 support where the guy tried to convince me that it's totally normal for an entire day's worth of changes to become inaccessible and appear as blank lines in the history listing when using the OneDrive restore function. Is it just me or has O365 support gotten way worse over the past few months? I used to be able to call them and get connected with a tech within a few minutes, and they were usually pretty helpful. Now I have to submit a ticket online and wait hours or days for a call back, and it's some clod who just tells me to click on random things while going "uhhhh... hold on... let me check something... please hold."

Potato Salad
Oct 23, 2014

nobody cares


My understanding is that feature changes on SharePoint Online for Teams functionality are invasive and rapid.

Yeah OneDrive has been crappier for me too

The insistence that everything should go on the SP platform is going to kill some of their products

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

incoherent posted:

Small story: We ping-ponged back and forth from Verizon to Sprint back to Verizon (manager pissing match) and from the get-go we directed Sprint to enroll all the new phones through DEP. With about 100+ devices to deploy we had them all out to the field within a week.

Then, when the pissing match was over and back on Verizon they sent their list of new hardware to DEP and had an insanely quick redeployment.

A+++ would recommend.

Yeah it's loving awesome and was one of the main selling points to my boss when we started a new company and went full laptop/hotdesk. I didn't need to touch a single laptop after handing out the boxes.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Weedle posted:

Just got off a call with Office 365 support where the guy tried to convince me that it's totally normal for an entire day's worth of changes to become inaccessible and appear as blank lines in the history listing when using the OneDrive restore function. Is it just me or has O365 support gotten way worse over the past few months? I used to be able to call them and get connected with a tech within a few minutes, and they were usually pretty helpful. Now I have to submit a ticket online and wait hours or days for a call back, and it's some clod who just tells me to click on random things while going "uhhhh... hold on... let me check something... please hold."

O365 support has always been bad, unless you have the resources for a TAM that cracks the whip on your behalf. Smaller orgs that don't have the resources for a TAM and Premier Support and all that other stuff... I feel bad for them.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

Matt Zerella posted:

Yeah it's loving awesome and was one of the main selling points to my boss when we started a new company and went full laptop/hotdesk. I didn't need to touch a single laptop after handing out the boxes.

Also being able to wipe a phone and clear iCloud lock has been a blessed event. I don't care if you use your personal (idiots, but no logical reason not to as my profiles prevent Exchange to iCloud moves) or create a free work iCloud account. Also I have the VPP program so every FREE program they think they'll ever need is already provisioned on the device. Google apps, Microsoft apps, Waze and Barracuda apps (for muh precious archives).

If I could get my desktops as dialed in as I can iOS devices I'd be taking longer vacays.

vanity slug
Jul 20, 2010

skipdogg posted:

O365 support has always been bad, unless you have the resources for a TAM that cracks the whip on your behalf. Smaller orgs that don't have the resources for a TAM and Premier Support and all that other stuff... I feel bad for them.

Premier support is still kinda poo poo for O365 tbh. Spent half an hour on a conference call with a dude who was clearly unprepared despite giving him the questions in advance. Motherfucker, just put us through to the product team.

Sickening
Jul 16, 2007

Black summer was the best summer.

Jeoh posted:

Premier support is still kinda poo poo for O365 tbh. Spent half an hour on a conference call with a dude who was clearly unprepared despite giving him the questions in advance. Motherfucker, just put us through to the product team.

Good luck. They are graded on how little they forward to product team so getting a tech to give up on your ticket is close to impossible.

KillHour
Oct 28, 2007


I need to find a way to get Active Directory to use a secondary system for multi factor authentication. This is going to be used in conjunction with physical access control to make sure the person is actually badged into the building before they can login.

Essentially, I want the process to look like this:

User enters credentials
v
AD authenticates credential
v
AD passes user information to our system (who is trying to log in and a timestamp of the attempt)
v
Our system verifies user is physically present
v
Our system sends some form of verification/acceptance of access
v
AD lets user log in

Can AD do this? We can use any protocol AD needs for the communication. I'm having a hell of a time finding any documentation for multi factor outside of an Azure deployment.

The Fool
Oct 16, 2003


This is why ADFS exists. You can create custom multi-factor middleware if you so choose. https://blogs.technet.microsoft.com...2012-r2-part-1/

It is not for the faint of heart and I wouldn't recommend rolling your own solution unless it is for some reason absolutely necessary.

e: I may have misunderstood your request. ADFS doesn't work for workstation logins.

KillHour
Oct 28, 2007


Yes, this is for logging into a workstation.

The problem we're trying to solve is someone using another person's credentials to access their machine while they are away. We only want Windows to allow them to log in if the access control system sees they badged into the building.

Complex dev work to make this happen isn't a problem since we have full-time devs that can handle that stuff, but the complex part should be on the end of our software, not the AD system.

The Fool
Oct 16, 2003


KillHour posted:

Yes, this is for logging into a workstation.

The problem we're trying to solve is someone using another person's credentials to access their machine while they are away. We only want Windows to allow them to log in if the access control system sees they badged into the building.

Complex dev work to make this happen isn't a problem since we have full-time devs that can handle that stuff, but the complex part should be on the end of our software, not the AD system.

Every on-prem MFA solution I've ever looked at requires installing an agent on every workstation you are going to protect.

In Windows 10, you're probably looking at a custom credential provider: https://msdn.microsoft.com/en-us/library/windows/desktop/mt158211(v=vs.85).aspx

In other versions of Windows, a custom GINA dll: https://msdn.microsoft.com/en-us/library/windows/desktop/aa375457(v=vs.85).aspx

Thanks Ants
May 21, 2004

#essereFerrari


I know Duo can happily sit in the middle of a workstation login, don't know how much it can interact with external providers to decide if people can login or not though.


KillHour
Oct 28, 2007


That's kind of crazy. Could something be used in between the workstations and the Windows AD server? We're trying to avoid putting something on the clients if possible.

I guess plan B is using RADIUS or similar to prevent network access entirely.
