|
So I've been looking at dynamic distribution lists, and it seems god-damned awesome. But I'm sure you all knew that. Now, from what I'm seeing there's no way to convert a static list to dynamic, I have to make a new one? Also, some people in a department are on certain lists while others are not. I saw you can use custom attributes for the filter, but what happens when someone is on 14 mailing lists? Coordinating the attributes seems really annoying in cases like that, am I misunderstanding it somehow?
|
# ? Sep 15, 2017 04:02 |
|
|
# ? Jun 1, 2024 00:00 |
|
And we’re back to normal
|
# ? Sep 15, 2017 04:46 |
|
Avenging_Mikon posted:So I've been looking at dynamic distribution lists, and it seems god-damned awesome. But I'm sure you all knew that. Now, from what I'm seeing there's no way to convert a static list to dynamic, I have to make a new one? Also, some people in a department are on certain lists while others are not. I saw you can use custom attributes for the filter, but what happens when someone is on 14 mailing lists? Coordinating the attributes seems really annoying in cases like that, am I misunderstanding it somehow? You stop fulfilling quests to make DL-All-Accounting_except-Jill, DL-All-Accounting_except-Peter. use -RecipientFilter {((RecipientType -eq 'UserMailbox') -and (memberOfgroup -eq 'CN=Accounts_Receivable,OU=Security Groups,OU=xxxxxx,DC=xxxxxxx,DC=xxxxxx,DC=com'))} Edit: Use statefully named Mail Enabled Security Groups The real answer is you get out of the mail game all together. SeaborneClink fucked around with this message at 05:45 on Sep 15, 2017 |
# ? Sep 15, 2017 05:42 |
|
My boss found out I had snuck in some AD clean up scripts that i had running on a weekly schedule, 6ish months ago. While not having encountered a single problem during the last 6 months. He now wants the scripts disabled and retooled so that he has to run it manually and he himself has to insert a username that goes through the cleanup. I tried telling him that he gets and has been getting a weekly e-mail with a list of users that have been disabled and deleted. He's not listening. i'm not a big fan of turning what has been a proven working automated solution back into a manual process. Or does he make some sense that i'm not seeing? I took out the company info but these are the scripts code:
code:
Sefal fucked around with this message at 12:05 on Sep 15, 2017 |
# ? Sep 15, 2017 12:02 |
|
Sefal posted:My boss found out I had snuck in some AD clean up scripts that i had running on a weekly schedule, 6ish months ago. While not having encountered a single problem during the last 6 months. He now wants the scripts disabled and retooled so that he has to run it manually and he himself has to insert a username that goes through the cleanup. I tried telling him that he gets and has been getting a weekly e-mail with a list of users that have been disabled and deleted. He's not listening. i'm not a big fan of turning what has been a proven working automated solution back into a manual process. What version of Windows are you using on the domain servers(and what functional level you are running your domain on)? If you have at least 2008r2 you could retool it to use native powershell rather than quest.activeroles SlowBloke fucked around with this message at 12:24 on Sep 15, 2017 |
# ? Sep 15, 2017 12:21 |
|
Windows 2012R2 Function level is Windows Server 2012. Retooling it to use the native P$ is a pretty good idea. Thank you!
|
# ? Sep 15, 2017 12:34 |
|
Sefal posted:Windows 2012R2 You are going to need the active directory power shell module contained within RSAT installed(if you are running the script on one of the dc servers no need for it) and you are going to need to change the module loading with code:
If you have active directory recycle bin active and configured, there is no major issue with mass deleting active directory objects, otherwise i might share some reservations with having automated object removal without quick reversibility.
|
# ? Sep 15, 2017 12:57 |
|
Personally I see no benefit from deletion over simple disable and move unless the company size is massive.
|
# ? Sep 15, 2017 13:03 |
I wouldn't want a script with such sloppy code formatting running.
|
|
# ? Sep 15, 2017 13:10 |
|
I see no problem with keeping the account in the disabled ou. But deleting the homedirectory is something i want to keep as it frees up storage space. The company size isn't massive so I can take out the delete account part. Thank you guys. It's good to hear someone else's opinion of my choices.
|
# ? Sep 15, 2017 13:11 |
|
nielsm posted:I wouldn't want a script with such sloppy code formatting running. I'm trying
|
# ? Sep 15, 2017 13:12 |
|
Sickening posted:Personally I see no benefit from deletion over simple disable and move unless the company size is massive. Working at small companies I never delete the account, and unless their home directory is big I leave that alone as well. It rarely matters but just this month an employee returned after two years at business school and he was stoked that all his stuff was still there.
|
# ? Sep 15, 2017 13:55 |
|
gently caress that. 30 days and then email and home directory is gone.
|
# ? Sep 15, 2017 13:56 |
|
I need to ask why we delete AD entries. The only useful part is it removes people from our static distribution lists.
|
# ? Sep 15, 2017 14:19 |
|
Avenging_Mikon posted:I need to ask why we delete AD entries. The only useful part is it removes people from our static distribution lists. Remove them from all the members of and it serves the sane function.
|
# ? Sep 15, 2017 14:56 |
Avenging_Mikon posted:I need to ask why we delete AD entries. The only useful part is it removes people from our static distribution lists. This is why you use PowerShell to disable the account and remove it from all group memberships.
|
|
# ? Sep 15, 2017 14:57 |
|
What is the reason to not delete AD accounts?
|
# ? Sep 15, 2017 15:01 |
|
Kashuno posted:What is the reason to not delete AD accounts? Fastest recover from mistakes. Employees returning later. Etc
|
# ? Sep 15, 2017 15:03 |
|
Kashuno posted:What is the reason to not delete AD accounts? Not speaking from a position of authority, but disabling and removing from all groups accomplishes the same effect and is easily reversible, whereas deleting AD objects (recycling bin aspect aside) is a permanent, non-reversible action, no?
|
# ? Sep 15, 2017 15:03 |
|
"Best Practices." And, in all fairness, it is.
|
# ? Sep 15, 2017 15:13 |
|
I've always done just disable and remove from groups, but I haven't really ever needed to turn things back on. Makes sense from a best practices thing
|
# ? Sep 15, 2017 15:25 |
|
Kashuno posted:I've always done just disable and remove from groups, but I haven't really ever needed to turn things back on. Makes sense from a best practices thing Its a better process to have when multiple people administrate systems like active directory. A mistake is eventually going to happen. Restoring from the active directory recycle bin is more convoluted that it has to be. Its 100x easier to just enable a user back. I had have employees leave the company and then return in a 6 month period. Its feels really great to be able to enable and account, give it some memberships, and be right back to where they were when they left. It really helps with contractors or the like that aren't always on payroll 100% of the time but use a computer. Same with interns or other seasonal employees. Most of the reasons for getting rid of the accounts aren't really for need but mostly for preference.
|
# ? Sep 15, 2017 15:43 |
Additionally, an account in AD can have more properties than just group membership, there are some related to encryption keys that could be relevant in case the user has ever used encryption features in Windows.
|
|
# ? Sep 15, 2017 15:50 |
|
I'm not a big fan of using the same account mostly because of systems that may be outside your control. Take file ACL permissions, for example. If your organization does things poorly with regards to maintaining access, a user may come back in a different capacity than when they left and shouldn't have access to resources they previously did. With a new account the SID will be different even if the User ID is the same, whereas with the old account it may have some baggage even if you did the due diligence on groups. Really it depends on if your org is doing explicit permissions or not. (Your org should not be doing explicit permissions for users outside of niche use cases, or mailbox delegation or something) I don't think generating a new user account is all that difficult though; the difficulty is always in paperwork and specifically knowing what the user will need access to. I've seen way too many instances of orgs that just clone other users ad nauseum and have no idea as to how their SGs are structured, so they just throw individual rights all over the place.
|
# ? Sep 15, 2017 15:53 |
|
Sickening posted:Its a better process to have when multiple people administrate systems like active directory. A mistake is eventually going to happen. Restoring from the active directory recycle bin is more convoluted that it has to be. Its 100x easier to just enable a user back. As a consultant (previous employment, but also side work now) I love when people follow the disable not delete method. Just yesterday my previous employer asked if I would sub-contract on a specific account that without me they don't have the expertise to service anymore, they get to keep their fairly pricey contract, I get money on the side, customer is happy, everyone wins. Thankfully the customer only disabled the AD accounts I had. Re-enable and re-add groups and I was able to start cleaning up the mess that's been left in a matter of minutes.
|
# ? Sep 15, 2017 16:05 |
|
nielsm posted:This is why you use PowerShell to disable the account and remove it from all group memberships. Hmm, another thing to add to my burgeoning disable script.
|
# ? Sep 15, 2017 16:41 |
Avenging_Mikon posted:Hmm, another thing to add to my burgeoning disable script. As a bonus, with PS you can easily dump a log file with all the groups removed during the account deactivation. Timestamp the filename and just stash them away somewhere, so you can still go back and see what the user previously had if you need to re-activate.
|
|
# ? Sep 15, 2017 17:43 |
|
So my job got one of those pentest reports done and one of the things I'm meant to correct is a lot of machines with read-only access to IPC$ shares. Edit: These are client/end-user machines. I'm pretty ignorant about all of this so I've been trying to learn, but it looks like the main potential vulnerability with the IPC$ share is null user enumeration, which can be prevented via enabling the "Network access: Do not allow anonymous enumeration of SAM accounts and shares" GPO and disabling "Let Everyone permissions apply to anonymous users" (which is disabled by default). Am I totally off-base on this? It seems like disabling the IPC$ share will interfere with RPC and PDQ Deploy, etc.? Japanese Dating Sim fucked around with this message at 18:44 on Sep 15, 2017 |
# ? Sep 15, 2017 18:39 |
|
I think it's a bad idea to rush into. Identify the actual vulnerability, because that share needs to be available to certain authenticated processes. Edit: Apparently this was a big problem in Windows 2000. Definitely fix this if you have windows 2000 computers in your network.
|
# ? Sep 15, 2017 18:55 |
|
Dr. Arbitrary posted:Apparently this was a big problem in Windows 2000.
|
# ? Sep 15, 2017 18:59 |
|
It's all Windows 7 or 10 here. I'm not in charge of our area's servers but they're all at least 2008. And yeah, that's exactly what I'm very hesitant. Disabling IPC$ is not recommended by Microsoft, and it appears you can only do it through some registry tweaks or disabling the Server service. I don't like being in a position where I'm being difficult with people senior to me in terms of rank and experience but this just seemed a little strange to me. To be clear, they identified a lot of legit problems and our actual on-site people have been very helpful, but I'm not so sure about this one.
|
# ? Sep 15, 2017 19:00 |
|
I had to stress-test a DC server to quantify improvements on proposed new hardware (went to a lab and imported my OVA). I didn't want to time opening applications and poo poo, so I had powershell crunch useless numbers for a while. measure-command {foreach ($user in (get-aduser -filter *)){write-host (get-aduser -filter*)}} Finds 200 users, and for each, writes 200 users. 40,000 lines of output. It doesn't look the prettiest, but I thought it was a pretty decent way to get the DC to freak out and work hard without breaking anything. Old hardware took 3 minutes, new hardware took 50 seconds. I'd say that's a success.
|
# ? Sep 15, 2017 19:07 |
|
There's a big meeting in the conference room next to me and I see a tray of baked goods that no one has touched.
|
# ? Sep 15, 2017 19:08 |
|
Japanese Dating Sim posted:So my job got one of those pentest reports done and one of the things I'm meant to correct is a lot of machines with read-only access to IPC$ shares. Edit: These are client/end-user machines. It depends on your relationship with your auditor / what sort of regulation you're under that dictates what you must do from a compliance perspective. I'd highly recommend building a good relationship with your auditor because this sort of thing will keep happening. I would speak to your seniors at the company and tell them your concerns, tell them the work arounds you have (and provide documentation that supports it) and get people to sign off on it. If they agree, then take it to your auditor and explain the situation. Good luck, sometimes this can be reaaaaaal frustrating.
|
# ? Sep 15, 2017 19:09 |
|
Dick Trauma posted:There's a big meeting in the conference room next to me and I see a tray of baked goods that no one has touched. Walk in, take some stuff and say hello, walk out.
|
# ? Sep 15, 2017 19:15 |
|
Kashuno posted:Walk in, take some stuff and say hello, walk out. Be carrying a cable tester and a clipboard. Randomly hit buttons, mumble something, steal the entire tray, and walk out muttering about "conflicts with the wifi"
|
# ? Sep 15, 2017 19:23 |
|
Dick Trauma posted:There's a big meeting in the conference room next to me and I see a tray of baked goods that no one has touched. One of my college buddies was
|
# ? Sep 15, 2017 20:01 |
|
Sounds like he learned earlier than most that most important rule in life - if you act like you belong there, you can pretty much do anything you want.
|
# ? Sep 15, 2017 20:10 |
|
MC Fruit Stripe posted:Sounds like he learned earlier than most that most important rule in life - if you act like you belong there, you can pretty much do anything you want. And if you do it while wearing an ID tag or a hard hat, it's even easier.
|
# ? Sep 15, 2017 20:28 |
|
|
# ? Jun 1, 2024 00:00 |
|
fishmech posted:And if you do it while wearing an ID tag or a hard hat, it's even easier. At an old job I made a run to the bottle depot to drop off several large bags of recyclables and I kept my hardhat on for the trip. People let me cut in line because clearly I was important, and some other dudes with safety vests congregated to help me out. Basically just always wear a hardhat is what I'm trying to say. Methanar fucked around with this message at 20:53 on Sep 15, 2017 |
# ? Sep 15, 2017 20:36 |