Dirt Road Junglist
Oct 8, 2010

We will be cruel
And through our cruelty
They will know who we are

Wicaeed posted:

Is it "normal" for an Enterprise to come down with a blanket statement from on-high saying that PowerShell be disabled across all systems, even server OS ones?

I was just told that all instances of PowerShell & PowerCLI (which I kind of need to use to do my job) are in violation of security policy and will be disabled at a future date.

It's really got me thinking of looking for another job.

You may think it's crazy, but I work at a Fortune 500 who's had that directive for years, and it's making my life (as the Powershell expert on the Windows deployment and endpoint management team) a loving nightmare.

We were supposed to have unblocked it for good this week. Then one of the GPOs EntSec required broke the VPN. lol plz let me die.


Dirt Road Junglist
Oct 8, 2010


BangersInMyKnickers posted:

So I went to figure out why my Server 2012R2 VMs take hours to patch while my 2016 ones are nothing, and my sccm team is pushing the individual KBs, the Security Only rollups, AND the full rollups for both the OS and .net every single month. Incredible.

That's like the time one of my provisioning teams was bitching that it took too long to image, and it turned out they were running Windows Update at the end, every single time. When asked why, they said they were told to do it that way. By whom, I asked, because I'm the one who writes the docs and trains the trainers. Lots of furtive looks were shared, and it turned out that was a directive from my vertical's loving VP, who said he used to do it that way when he was a desktop analyst. (Said VP is in the same remote office as this provisioning team.)

VP got told. Also, the complaints about duration issues stopped.

(Our endpoint management software automatically pushes the relevant patches to a new machine, so running a manual Windows Update is redundant as hell.)

skipdogg posted:

Yes, allowing psexec is way better :smith:

:psyduck:

Dirt Road Junglist
Oct 8, 2010


Tab8715 posted:

Why do I keep seeing this from time to time? Was there some reason in the past to do this?

Laziness. Usually someone felt the need to be logging onto multiple machines (either a nosy boss or a piss-poor IT guy) and couldn't wrap their brain around role based administration.

Dirt Road Junglist
Oct 8, 2010

Our users are local admins on their own machines, which is something we keep trying to take away to the consternation of the VP of IT. There's really no reason people should have local admin (I mean, we're the :yayclod: massive), but then someone says, "Bu bu but what if someone calls in and they need like a program installed and like they can't?" OH NOES, THE END OF THE loving WORLD just push the installer from the content management system and close the ticket, you loving moron.

As a result, we have overbearing security tools on our endpoints that run up 100% CPU and cause mystery calls that can't be solved by pushing the goddamn button. And Powershell is hard blocked because lol that's a sane security policy. Oh, and everyone wants a Mac now, because it means they can install Dropbox and not get hassled by IT.

Oh, for further lulz, those of us who need access to servers have super user accounts, which is great. Separate account, separate perms, separate password (ideally). Until I find out half my teammates are using their SU accounts on their local workstations. CONGRATULATIONS, COLLEAGUES, YOU ARE THE PROBLEM.
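
The post above describes privileged "SU" accounts being used interactively on ordinary workstations. The following is an added example (not from the thread or the poster) of a detection that flags exactly that pattern over logon records. The `su-` account prefix, the `WS-` workstation naming pattern and the four sample records are assumptions constructed for the example.

```powershell
# Added example (not from the thread): flag interactive logons where a privileged
# "SU" account was used on a workstation. The su- naming prefix, the computer-name
# pattern and the sample events are assumptions / constructed data.

$SuPrefix = 'su-'              # assumed naming convention for super-user accounts
$WorkstationPattern = '^WS-'   # assumed naming convention for workstation hostnames

# Constructed sample records shaped like the fields of Security event 4624
# (LogonType 2 = console, 10 = RemoteInteractive/RDP, 11 = cached interactive, 3 = network).
$events = @(
    [pscustomobject]@{ TimeCreated = '2020-03-10T09:12:00'; Computer = 'WS-1042';  TargetUserName = 'jdoe';      LogonType = 2 }
    [pscustomobject]@{ TimeCreated = '2020-03-10T09:15:00'; Computer = 'WS-1042';  TargetUserName = 'su-jdoe';   LogonType = 2 }
    [pscustomobject]@{ TimeCreated = '2020-03-10T09:20:00'; Computer = 'SRV-DC01'; TargetUserName = 'su-jdoe';   LogonType = 10 }
    [pscustomobject]@{ TimeCreated = '2020-03-10T09:25:00'; Computer = 'WS-0777';  TargetUserName = 'su-asmith'; LogonType = 3 }
)

function Find-PrivilegedLogonOnWorkstation {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string]$Prefix = $SuPrefix,
        [string]$HostPattern = $WorkstationPattern
    )
    # Only interactive logon types matter here: a privileged account making a
    # network logon (type 3) to a workstation share is not the same risk as its
    # credentials being typed into that workstation's console or RDP session.
    $Events | Where-Object {
        $_.TargetUserName -like "$Prefix*" -and
        $_.Computer -match $HostPattern -and
        $_.LogonType -in @(2, 10, 11)
    }
}

Find-PrivilegedLogonOnWorkstation -Events $events | Format-Table -AutoSize
# Only the 09:15 su-jdoe console logon on WS-1042 is flagged: the SRV-DC01 entry is
# on a server, and the WS-0777 entry is a network logon (type 3).

# On a live collector the same filter applies to real 4624 events, e.g.
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 }
# with TargetUserName and LogonType read from each event's Properties or XML.
```

The detection only tells you after the fact; the matching control is to deny the SU accounts the "Log on locally" and "Log on through Remote Desktop Services" user rights on workstation OUs via GPO, so the policy the post describes is enforced rather than merely audited.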

Dirt Road Junglist
Oct 8, 2010

I'd use Powershell, but Powershell is the hammer I carry around and swing at every problem, so calibrate accordingly.

User experience question: does anyone have a guide or even general suggestions for optimizing Windows 10 for the enterprise environment? My team may finally have wrested control of the base Win10 image back from some other idiots who took it over for a while, and we want to burn the fucker to the ground and rebuild it leaner and meaner. I used to keep up with what could safely be removed, disabled, or tuned up for a better business experience, but I've been slacking since they made me queen scripting bitch on the servers.

Dirt Road Junglist
Oct 8, 2010


skipdogg posted:

Also

Don’t do this. It’s tired and played out.

Now, imagine having to tell that to your boss :v:

Dirt Road Junglist
Oct 8, 2010

So just spitballing here, out of curiosity, is there a way to expose your GPOs to the world at large without using Azure AD? I know Directaccess was a thing at some point.

I just...I really want to kill AD entirely. We have a multi-OS shop and it's just not feeling sustainable.

Dirt Road Junglist
Oct 8, 2010


nexxai posted:

Which is hilarious because I am the Senior Cloud Analyst for a decent sized airline - we fly 737s (not the MAX8) - with several hundred employees spread out over the country and the continent and we are 100% in the cloud. We have *zero* servers on prem and run everything using Azure AD.

I work for :yayclod: itself, and I wish this was how we operated.

Dirt Road Junglist
Oct 8, 2010

Speaking of the cloud, and being employed at :yayclod:... I recently had my desk moved so I'm next to the call center that spawned me, so I have a direct eavesdropping line on calls when one of my louder colleagues is working. Overheard today:

"Yes, you can use Office. No, you can't use 365. No, putting customer data in a competitor's cloud is against policy. Yes, it's been that way forever. Six years, sir. I've been here for six years. I see you started...last November? Okay, thanks, and have a great day."

Dirt Road Junglist
Oct 8, 2010

"How IS our DFS-R configured?"
"We have a DFS-R?"

Dirt Road Junglist
Oct 8, 2010


Digital_Jesus posted:

Your sysvol should at least be DFSR :v:

Oh, I know. It's just everything else a DFS-R can do that we keep being told we can't do because REASONS.

They are not good reasons.

Dirt Road Junglist
Oct 8, 2010


Thanks Ants posted:

At least it's not in the Enterprise Admins group

:stonklol:

Dirt Road Junglist
Oct 8, 2010


Thanks Ants posted:

I think an Exchange install was (badly) ripped out of it and it's left some stuff behind. The other option is to just leave them there because it's not causing any harm.

That sort of cruft would drive my former AD admin insane.

Dirt Road Junglist
Oct 8, 2010

I'm just glad the cruft I uncovered with BES_ prefixes turned out to be related to our BigFix Enterprise setup and not Blackberry Enterprise Server.

Dirt Road Junglist
Oct 8, 2010


Potato Salad posted:

85,000 machine and user accounts haven't been used since 2010

and a secops policymaker expects those names to hang around indefinitely

We never delete a user account, but machine accounts? gently caress's sake. Those get nuked after 90 days of inactivity.
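
The post above states the policy (machine accounts removed after 90 days of inactivity) without showing how it is found or applied. The following is an added example, not code from the thread or the poster, of a report-first implementation using the RSAT ActiveDirectory module. The quarantine OU path and the 90-day threshold are assumptions; the cmdlets (`Search-ADAccount`, `Disable-ADAccount`, `Move-ADObject`) are real.

```powershell
# Added example (not from the thread): report on, then disable and quarantine,
# computer accounts that have not authenticated to the domain for N days.
# Assumes the RSAT ActiveDirectory module and rights to modify computer objects.
# The quarantine OU and the 90-day default are assumptions taken from the post.
#Requires -Modules ActiveDirectory

function Get-StaleComputerAccount {
    [CmdletBinding()]
    param(
        [int]$DaysInactive = 90,
        [string]$SearchBase = ''
    )
    $params = @{
        AccountInactive = $true
        ComputersOnly   = $true
        TimeSpan        = (New-TimeSpan -Days $DaysInactive)
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    # Search-ADAccount derives "inactive" from lastLogonTimestamp, which is only
    # replicated when it is roughly 14 days out of date, so the real last logon may
    # be up to two weeks more recent than LastLogonDate shows. Keep the threshold
    # well above 14 days and treat the result as a candidate list, not a verdict.
    Search-ADAccount @params |
        Where-Object { $_.Enabled } |
        Select-Object Name, LastLogonDate, DistinguishedName
}

function Invoke-StaleComputerCleanup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$DaysInactive = 90,
        [string]$SearchBase = '',
        # Assumed quarantine OU: disabled accounts are parked here so the change is
        # reversible if a machine turns out to be merely offline (loaner, long leave).
        [string]$QuarantineOU = 'OU=Stale Computers,DC=example,DC=local'
    )
    $stale = Get-StaleComputerAccount -DaysInactive $DaysInactive -SearchBase $SearchBase
    foreach ($c in $stale) {
        if ($PSCmdlet.ShouldProcess($c.Name, "Disable and move to $QuarantineOU")) {
            Disable-ADAccount -Identity $c.DistinguishedName
            Move-ADObject -Identity $c.DistinguishedName -TargetPath $QuarantineOU
        }
    }
    return $stale
}

# Report-only run (nothing is changed):
Get-StaleComputerAccount -DaysInactive 90 | Format-Table -AutoSize

# Dry run of the cleanup; drop -WhatIf to actually disable and move the objects:
Invoke-StaleComputerCleanup -DaysInactive 90 -WhatIf
```

A useful cross-check before deleting anything parked in the quarantine OU is `PasswordLastSet`: domain members rotate their machine password every 30 days by default, so a computer object whose password is also 90+ days old is much less likely to be a replication artefact.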

Dirt Road Junglist
Oct 8, 2010


wolrah posted:

I don't believe I've ever had a "do you trust this certificate" popup

I certainly have with work guest wifi. Allegedly, there's a prohibition against putting a non-work asset on the work wifi, but until like a month ago, our guest wifi was so hosed it wasn't worth using unless you were desperate or testing something that had to work off-prem.

They fixed it recently, and holy poo poo, it's so much better.

Dirt Road Junglist
Oct 8, 2010


Thanks Ants posted:

1903 disables Cortana popping up in the OOBE, which is an improvement

Christ, finally. My co-workers are no doubt sick of me yelling, "loving SHUT THE gently caress UP, CORTANA," every time I get stuck on the manufacturer's OOBE.

Dirt Road Junglist
Oct 8, 2010

I got two seconds in before I had to stop the video in horror.

Our hold music in the internal support call center is sad, tinny ukulele music. We had an outage one night that took out an entire contracting agency's ability to log into email, and about 50 people called in at once...to a room of 3 analysts. The guy who got through to me was a frequent caller and in fairly good spirits, so I ended up on the call with him for a while while I got him to relay info and get everyone to hang up and stop hammering us. When he wasn't talking, I could hear our hold music on at least a dozen speakerphones in the background, out of sync and out of tune. It was eldritch as gently caress.

Dirt Road Junglist
Oct 8, 2010


evobatman posted:

I've imaged hundreds of Windows 10 computers, and never had Cortana speak to me. Are these people (and you!) just booting them up on the default factory image?

Yeah, it's just in the standard OOBE. My image skips that and we have a GPO setting to disable most of the Cortana features, but if I have to boot something up from the factory image, she decides to get involved.

Dirt Road Junglist
Oct 8, 2010


wolrah posted:

Just lol if you're using DVDs. USB is so much faster. I don't think I've booted a Windows install from an actual disc since XP. Windows 7 and prior sometimes get a bit weird if using USB 3.0 drives but a good USB 2.0 drive is still a lot faster than any spinning media could be.

Just take care with USB 2.0 vs 3.0 ports. There are some compatibility issues due to drivers that can lead to weird failures during imaging.

Dirt Road Junglist
Oct 8, 2010


Wicaeed posted:

Anyone know any tricks to actually getting an Engineer from Microsoft on the phone to address an issue affecting our Production environment?

Opened a Sev A tkt with them at 4:30 PM PST yesterday, called three times that night to try and get our ticket escalated to an Engineer, even went as far as trying to speak to a Manager to ensure it got escalated, but I got nowhere.

Escalated to our MSFT rep today at 8:00 AM, STILL waiting for a call from Microsoft.

Where can I start looking into SLA Agreements regarding our Support Contract so I have some shade to throw these fuckers' way?

A Sev A (PRODUCTION DOWN) issue that MSFT support hasn't even attempted to work on for 18 goddamn hours...

I thought Sev A was 24/7 coverage with a Critical Situation (CritSit) manager making hourly touches. Who's your TAM and why are they sucking so hard at their job?

Sev B is daily touches and no CritSit manager, assuming you're closing the loop on your end every day. I recently had to convince my management not to escalate to Sev A because no one involved wanted to be making hourly touches 24/7, but it also wasn't a life-ruining issue, either.

Dirt Road Junglist
Oct 8, 2010


Oh drat do want :stare:

Dirt Road Junglist
Oct 8, 2010


incoherent posted:

even the outage page is out.

New thread title?

Dirt Road Junglist
Oct 8, 2010


incoherent posted:

get out of my head. I was gonna propose a new title.

:hfive:

Dirt Road Junglist
Oct 8, 2010

Meanwhile, the Mac team at work is having a hell of a time wrangling MSFT's updater for Mac's instance of Office 2016. I'm on the Windows eng side, so I'm probably explaining this poorly, but it seems like the problem is that there's a secondary update engine that downloads the updates and applies them, but it won't indicate that the update is complete until ALL Office products/services are killed and restarted. Which would be fine, but we're under fire for incomplete patching numbers, so those are coming up as false positives.

MSFT's advice was to either kill -9 or pkill -SIGHUP (hard kill vs kill gracefully) to force the process to close if the user won't do it on their own.

Also, there's a GUI that pops up and requires user input, and the user can cancel said process, and there's no option to either nag them repeatedly or disable the "ignore" button.

Also also, if you cache the update, then invoke msupdate again, it downloads the update anyway.

And finally, my favorite response from my co-worker: "Curl completely goes around using msupdate. I'm not sure why you would suggest completely going around a supported Microsoft product that was created as a solution for this scenario."

Dirt Road Junglist
Oct 8, 2010


Thanks Ants posted:

Office on Mac can be distributed through the App Store now, not sure if there's any differences that would cause you problems vs. what comes from MS.

We use JAMF to manage patching, so the App Store is, unfortunately, not part of our management strategy.

Dirt Road Junglist
Oct 8, 2010


H2SO4 posted:

Oh man, I'm going to try this. Microsoft AutoUpdate on OSX is just a dumpster fire.

Yeah, I think we're about to submit a business justification for a feature request :downs:

Dirt Road Junglist
Oct 8, 2010

Ugh, Nessus. Any time I get a mention at work about something they found via Nessus, I know I'm in for a massive headache.

But lol, our previous CIO thought forced reboots were bad for the user experience! watches patch compliance numbers dwindle

Dirt Road Junglist
Oct 8, 2010


This.

Dirt Road Junglist
Oct 8, 2010


GreenNight posted:

This is a Server 2019 install with a MBR partition connected to it. Curious if this works on 2019.

https://miketerrill.net/2017/01/15/getting-started-with-mbr2gpt/#comment-3607

Dirt Road Junglist
Oct 8, 2010


GreenNight posted:

Yeah, it's 4 partitions including the OS partition. They all have 50+ gigs of space free. Nuking one isn't a huge deal. Who cares back Cisco CUCM backups anyways.

Kill them with prejudice. No one needs that poo poo.

Dirt Road Junglist
Oct 8, 2010


Thanks Ants posted:

I'm planning to look into this some more tomorrow but does anyone have any ideas why Windows 10 Enterprise (in-place upgrade from a license in Azure AD) on a machine managed by Intune and enrolled with AutoPilot would not have the option to automatically set the time and time zone anywhere in the date and time settings page? As far as I know no location services have been disabled.

We had some weird issues with it because of a GPO EntSec demanded we implement. We're still pushing back, because the users are blaming us for it.

On mine, going into the Modern Date & time settings says, "*Some settings are hidden or managed by your organization.", but if I click on the "Additional date, time & regional settings" link on the right sidebar, it brings up the Classic control panel and all the options are available over there. (Haha, I should show that to EntSec as a justification for not doing this, since obviously the GPO isn't effectively blocking anything.)

So...not sure why they're missing? Is there a registry setting that hides sections of control panels, maybe?

Dirt Road Junglist
Oct 8, 2010


The Fool posted:

After some quick googling, https://zingtree.com/ advertises itself as integrating with FreshDesk not sure if that carries over to FreshService or if it will really do what you want.

Oh poo poo, it bolts onto Salesforce, even? Wonder if it works on legacy orgs...

Dirt Road Junglist
Oct 8, 2010


quote:

SimpleSAMLphp

I know it's been said, but I want to reinforce: holy poo poo no

Dirt Road Junglist
Oct 8, 2010

I'm sorry to poo poo up the thread with non-content, but I loving hate Nessus. I keep getting screamed at by management for, "old vulnerabilities," but they're basing that on the datestamp the vuln was reported, not the datestamp the vuln was detected on that specific host. Yeah, that .NET poo poo on a specific version was called out sometime in 2004, but the user in question installed a vulnerable old version of .NET three weeks ago, so no, no one is going to go to Business Insider and scream that our company has an unpatched vuln that's 16 years old.

Dirt Road Junglist
Oct 8, 2010


Meydey posted:

We proved to the Nessus developers that it is poo poo in regards to superseded patches. We use Bigfix to deploy, which drops relevance on older patches when a patch is superseded, i.e. Feb patch supersedes Jan. This went on for like 6 months with Spectre/Meltdown. Nessus was still calling out a Jan patch even though Feb roll-up would supersede it. So we were compliant on Bigfix reports but vuln on Nessus.
Their reasoning was that Nessus looks at the reg key vs installed KB. So even if a later KB was installed, if the prior patch reg fix wasn't applied then it was still vulnerable. Also we have Tanium in the mix because why the gently caress not.

...are we co-workers? :yaybutt:
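
The quoted post explains the disagreement: the deployment tool treats a requirement as met once any superseding rollup is installed, while a check that asks only "is this exact KB present?" keeps flagging it. The following is an added example, not code from the thread or from either product, of the supersedence-aware check. The KB numbers and the supersedence chain are constructed sample data, not real Microsoft identifiers.

```powershell
# Added example (not from the thread): decide whether a host satisfies a patch
# requirement when what is actually installed is a later cumulative rollup that
# supersedes it. KB numbers and the chain below are constructed, not real.

# Constructed supersedence map: key = KB, value = the KB that replaces it.
$Supersedence = @{
    'KB100001' = 'KB100002'   # Jan -> Feb rollup
    'KB100002' = 'KB100003'   # Feb -> Mar rollup
}

function Test-PatchSatisfied {
    param(
        [Parameter(Mandatory)][string]$RequiredKB,
        [Parameter(Mandatory)][string[]]$InstalledKBs,
        [hashtable]$Map = $Supersedence
    )
    # Walk RequiredKB -> superseding KB -> ... and accept the first member of the
    # chain that is actually installed. $seen guards against a cyclic map.
    $seen = @{}
    $current = $RequiredKB
    while ($current -and -not $seen.ContainsKey($current)) {
        $seen[$current] = $true
        if ($InstalledKBs -contains $current) {
            return [pscustomobject]@{ RequiredKB = $RequiredKB; SatisfiedBy = $current; Covered = $true }
        }
        $current = $Map[$current]
    }
    return [pscustomobject]@{ RequiredKB = $RequiredKB; SatisfiedBy = $null; Covered = $false }
}

# Constructed sample: the host has only the March rollup. Asking "is the Jan KB
# installed?" (the behaviour the post describes) says no; following supersedence
# reports the Jan requirement as covered by KB100003.
$installed = @('KB100003', 'KB200000')
Test-PatchSatisfied -RequiredKB 'KB100001' -InstalledKBs $installed   # Covered = $true, SatisfiedBy KB100003
Test-PatchSatisfied -RequiredKB 'KB300000' -InstalledKBs $installed   # Covered = $false, genuinely missing

# On a live host the installed list comes from the OS rather than a literal, e.g.:
#   $installed = (Get-HotFix).HotFixID
```

This resolves only the "which KB is installed" disagreement. Where a fix also depends on a registry setting being enabled (the other thing the post says the scanner was checking), that setting has to be compared separately; it cannot be inferred from the KB list, and a supersedence-aware report that ignores it will overstate compliance.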

Dirt Road Junglist
Oct 8, 2010


Thanks Ants posted:

Do you have a hefty stock of booze?

There's not enough booze for that.

Dirt Road Junglist
Oct 8, 2010


devmd01 posted:

My wife is a teacher and they’re in the same boat, no VPN set up or configured. Her IT department’s solution? Send everyone instructions on how to log in to their VMware horizon infrastructure.

And then didn’t include any instructions on how to actually do a password change when dropped in to a win10 desktop....not everyone knows about Ctrl-alt-ins/end.

Writing instructions for non technical people is a real skill that a lot of us should probably practice more (or go work for a corporation where you can slough that poo poo off on a tech writing team, and then point at them when the docs are bad.)

When I used to interview people for the help desk, one of our questions was to ask someone to explain how to tie a shoe to someone who doesn’t understand shoes, knots, or feet.

Dirt Road Junglist
Oct 8, 2010


Toast Museum posted:

Edit: interestingly, macOS is a qualifying operating system, so it's kosher to install Enterprise on a Mac without buying it a Pro license first.

But there's also some licensing issues on the Mac side, IIRC, if you put a different OS on the machine.

I think I might have this backwards somehow, and we were being charged for an Enterprise license for each Mac in the fleet because it had the "potential" to Boot Camp, even if we didn't? I dunno, it's been a poo poo week and my brain is mush.


Dirt Road Junglist
Oct 8, 2010


Potato Salad posted:

small business owners are absolute fffffffff

"Why do I need a router and a server? I just put everything in a shared folder on one computer and they're connected with a dumb switch."
"Because you're making medical equipment and HIPAA regulations exist."
"Oh, we've never been hacked! I'm sure we'll be fine."

If you're an amputee, you may want to PM me about the security of your medical information.
