kiwid
Sep 30, 2013

I'm currently working in an AD environment where everyone's passwords are set to never expire and very lax password complexity requirements, and they've been this way for several years.

I want to roll out a GPO to force better password complexity and a maximum password age and also turn off the never-expire flag on all users. If I do this, will it immediately invalidate everyone's passwords, considering they'd be over the maximum allowed age? I need to ensure this is a smooth rollout, especially with 90% of users working from home.

Should I instead roll out communication prior to the GPO telling users to change their passwords, or that this will happen?
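An added example (not code from the thread) for previewing the blast radius before the GPO goes out: expiry is evaluated against each account's pwdLastSet, so once a maximum age is enforced and the never-expire flag is cleared, anyone whose password is older than that age is expired at their next logon. The 90-day value, the export path and the opt-in remediation line are assumptions.

```powershell
# Added example, not from the thread. Reports which enabled AD users would be
# past a proposed maximum password age the moment the never-expire flag is removed.
Import-Module ActiveDirectory

$MaxAgeDays = 90                                    # assumption: proposed maximum age
$cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet, pwdLastSet

$report = foreach ($u in $users) {
    $mustChange = ($u.pwdLastSet -eq 0)             # pwdLastSet 0 = change at next logon
    $expired    = ($null -ne $u.PasswordLastSet) -and ($u.PasswordLastSet -lt $cutoff)
    [pscustomobject]@{
        SamAccountName        = $u.SamAccountName
        PasswordNeverExpires  = $u.PasswordNeverExpires
        PasswordLastSet       = $u.PasswordLastSet
        AgeDays               = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
        MustChangeAtLogon     = $mustChange
        ExpiresWhenFlagRemoved = $expired
    }
}

# Headline numbers for the rollout plan.
$total   = $report.Count
$flagged = ($report | Where-Object PasswordNeverExpires).Count
$hit     = ($report | Where-Object ExpiresWhenFlagRemoved).Count
Write-Host "Enabled users: $total; never-expire set: $flagged; would expire at $MaxAgeDays days: $hit"

# Who to warn first (oldest passwords at the top); CSV path is an assumption.
$report | Where-Object ExpiresWhenFlagRemoved |
    Sort-Object PasswordLastSet |
    Export-Csv -NoTypeInformation -Path 'C:\Temp\password-age-preview.csv'

# Optional remediation, dry-run only: drop -WhatIf to actually clear the flag,
# ideally in batches per OU rather than for everyone at once.
$report | Where-Object PasswordNeverExpires |
    ForEach-Object { Set-ADUser -Identity $_.SamAccountName -PasswordNeverExpires $false -WhatIf }
```

Run the report against the Default Domain Policy value you intend to set; if a fine-grained password policy applies to some users, their effective maximum age may differ.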


kiwid
Sep 30, 2013

Even if it was like a one year expiration rather than the 90 days?

kiwid
Sep 30, 2013

Does anyone have any recommendations on running IT on an ultra tight budget when it comes to infrastructure, AV, Firewalls, etc.?

Environment:
- 65 end users and 100 workstations spread over 8 locations with the worst internet you can imagine (agriculture)
- 7 servers (5 Windows, 2 Linux)
- PDC/DNS/DHCP/NPS
- SDC/DNS/NPS/File/Print
- Util Server (PDQ Deploy, Inventory, etc.)
- SQL Server
- RDS Server
- 2x Ubuntu web servers (one external use, one internal only)

I believe I'm about to inherit a disaster and while looking for a new job is on my forecast, currently I'm just trying to hold this down for now. The owner is making sweeping changes across the company including terminating the CEO which was my direct report. I've been told this is due to spending and losing money for the past few years. The owner has indicated to me that he's going to eliminate our MSP which does our server hosting, firewalls, AV, and end-user support.

I was originally hired to do automation workflows, business intelligence reports, etc. and he knows I have the experience of building from scratch and running the infrastructure (VMware/Nimble SAN) at my previous job where I worked as a System Administrator. However, we currently have no in-house hardware and I won't have the budget to even setup a basic 3-2-1 VMware Essentials build. I'm thinking of purchasing a single tower server to run Hyper-V on and backups to a cheap NAS like a QNAP (fml) and sync to AWS for off-site. When it comes to firewalls, I only have experience with Meraki (expensive) and SonicWall, and AV was Sophos Central.

Some questions:

1. Does pfSense have any UTM capabilities? Is it dumb to even think I can go cheaper than SonicWalls?
2. Is the built-in Windows defender good enough? I'm assuming no but I am not up to date on this.

Any other recommendations would be appreciated.

kiwid
Sep 30, 2013

Internet Explorer posted:

Absolutely no problem having that discussion here, but there's a small business thread that might get you answers more along the lines of what you're looking for. https://forums.somethingawful.com/showthread.php?threadid=3723832

Thanks I'll check this out.


skipdogg posted:

Run away from this if possible.

Plan to but the problem is I live in a very rural area. I moved out here for this job specifically because it was my first 6-figure income (barely). Now I either have to find a healthy work-from-home/remote job or consider moving again which is such a fuckin headache.

kiwid
Sep 30, 2013

God I hate GPOs...

Is there something about this GPO that I've configured wrong?

It's applied, RSoP shows it applied both user and computer settings but the timeout simply never happens...

Security Filtering: Authenticated Users

Linked to the root domain. No blocking inheritance.

edit: I'm wondering if any previously deleted GPOs might be "tattooed"? Any other settings that might conflict with this in power and sleep?

kiwid fucked around with this message at 21:11 on Jun 29, 2022

kiwid
Sep 30, 2013

Zaepho posted:

What are you applying the GPO to? i.e. where is it linked and what objects exist under that container

A GPO with computer settings must be applied to a computer object (barring the use of loopback... don't use loopback).

Additionally, a GPO with User settings must be applied to a User Object.

I like to separate Computer and User GPOs so that a GPO has either User or Computer settings but not both, for exactly this reason.

The user and computer are in the two highlighted OUs. Not using loopback processing except in my RDS - Computer Lockdown GPO.

kiwid
Sep 30, 2013

Wizard of the Deep posted:

Even if previous GPOs were tattoo'd onto the registry, that just means the settings stick around after the GPO is gone. This should be overwriting any existing settings.

Are the settings actually reflected on the end-points? You say it's in RSoP, but is it in GPResults?

Yes gpresult /R /V shows it applied as well.

incoherent posted:

stupid question: did you unplug everything from the computer that could prevent it from sleeping? or is this a VM?

So the GPO appears to be working for others but it's just this specific laptop that I've been testing with that isn't. The laptop has two monitors and a keyboard/mouse plugged in and that's it.

kiwid
Sep 30, 2013

Thanks Ants posted:

Is there some OEM-specific power management service running?

I don't believe so. It's a Lenovo but I wipe and install fresh Windows 10 on all machines to get rid of the bloatware apps. The only thing I put back on is Lenovo Update for drivers and Lenovo Service Bridge for the website linking.

I suppose I can take a look at the BIOS but this user is now out for a week so I won't be able to get into this for a bit now unfortunately.

kiwid
Sep 30, 2013

So I deleted the GPO and created a new one with exact same settings which is now working for everyone. Ugh.

kiwid
Sep 30, 2013

I'm currently pricing SQL Server licensing for a 3-node HA cluster (1x8C16T CPU per node). MSRP is about CAD $14,344 per node totalling CAD $43,032 which when it comes to SMB is insanity in my opinion.

Alternatively, we can go the CAL route with 50x CALs totalling CAD $10,450 + $899 for the server license.

Currently the server is accessed strictly by internal employees. However, my problem is that in the next year or two we will be launching a custom CRM with a customer portal that pulls customer data from our ERP database and delivers it to the customer's dashboard (open contracts, etc.). My understanding is that a portal that a customer logs into with their own account will require a CAL for each login which would get pretty out of hand and could potentially end up being more expensive than the core licensing.

So, my options are to either suck it up and pay the core licensing or I was considering using SSIS and build an ETL pipeline to export data to a MySQL database which the customer would hit instead. This data would be refreshed nightly and wouldn't be real-time and considering the CRM will run in a Linux environment anyway, could work out.

Anyone got a better idea?

edit: Another alternative would be using VM affinity to have the SQL VM only able to migrate between 2 nodes rather than 3, which would cut the cost down to a measly $30k instead.

kiwid fucked around with this message at 20:46 on Sep 8, 2022

kiwid
Sep 30, 2013

Potato Salad posted:

if the nightly refresh is acceptable

It's possible that a nightly refresh will no longer be acceptable and real-time data (or close to real-time) necessary, unfortunately.

Running the ETL job every 5 minutes could still work but at that point I get concerned about performance unless I design the pipeline intelligently to only grab new and updated data rather than truncate.

Ugh... why the gently caress is this poo poo so expensive?

kiwid
Sep 30, 2013

Internet Explorer posted:

Are you working with a DBA on this stuff? Hopefully one that isn't clueless. If not, I'd try to find someone with those skills. Doing this solely from the infrastructure point of view is likely to cause problems in the future if there's growth.

I assume you are referring to the ETL pipeline? It's something we already have established for our data warehouse but no, it'd be me, the sole IT guy here doing this.


Maneki Neko posted:

Are these 3 physical servers running SQL server, or just a VM running on that cluster? If it's just a VM should be able to cover just licensing the VM regardless of the underlying VM infrastructure assuming you have software assurance. Anything with external users pretty much rules out CAL based licensing otherwise.

It's just a single VM running on the cluster. I haven't reached out to my Microsoft licensing vendor yet to confirm but from what I've gathered, you need to license by physical cores and not VM. Then you also need to license each physical server cores that the VM might be booted up on via HA.

It's like the Windows Server Standard licensing, I suppose. If you have 6 VMs running on one physical machine then you can get away with 3 licenses (2 VMs per license). But if you have a 2-node HA cluster, you would need to license 3 per node, even if you only ran 3 VMs per node normally, to allow for each node to boot up all 6 VMs in the event of a failure.

Am I wrong?

kiwid fucked around with this message at 16:19 on Sep 9, 2022

kiwid
Sep 30, 2013

Thanks Ants posted:

You can buy MSSQL licenses as a subscription to run on-prem through the CSP programme, speak to your reseller. This might be better than buying the licenses.

Never heard of that but I'll check it out, thanks.

kiwid
Sep 30, 2013

Maneki Neko posted:

You are not correct, for SQL server running on a VM you can just license the number of cores assigned to the VM (with a minimum of 4). If you are running a bunch of VMs on your cluster it makes more sense to look at other options, but that does not sound like your case. For DRS type situations as far as I'm aware you don't even need to worry about SA but any competent Microsoft licensing vendor should be able to confirm that.

https://www.microsoft.com/en-us/Licensing/product-licensing/sql-server

Oh wow, I am completely wrong. This makes it much more digestible then. Thanks.

kiwid
Sep 30, 2013

I have a couple stupid Microsoft licensing questions.

1. Do I need Windows User CALs for "bots"? E.g. Power Automate RPA bots that connect into a server via RDS and perform RPA tasks on our ERP software?

2. Let's say we have a factory floor where 10 people work. All 10 people have a Windows CAL because they have their own personal user account and personal workstation. However we have an additional 15 workstations across the factory floor that use a "general" login account, for example: "Plant 2B Processing", "Plant 2B Packaging", "Plant 2B Shipping". These general accounts are used by the people that already have Windows CALs but they're not signing in with their actual user accounts. Do I need additional Windows CALs for these general logins?

Thanks.

kiwid
Sep 30, 2013

Hed posted:

I have some Finance & Accounting people who need to send a quarterly email to some (internal) recipients and get an affirmative reply. Right now they use Boomerang to send it, but the app asks for permission to be able to look at all your email and send/receive.

Does Microsoft have something that would let them set up recurring emails and get responses? Perfect would be something that emails as them or has them on the conversation and the reply is from there. This happens frequently enough they want to automate it but infrequently enough that I don't want to go fire up Amazon SES and blast stuff out.

We'd use boomerang but don't want to accept the security risk of finance person's email exposed to yet another party. Microsoft is fine.

Sounds like a use case for Power Automate.

Set a scheduled trigger to send an email with a Microsoft Form that logs responses to a SharePoint List?

kiwid fucked around with this message at 03:23 on Jul 7, 2023

kiwid
Sep 30, 2013

Question, is PKI required for an RDP cluster/farm using a domain with a .local TLD?

We're having all kinds of certificate warnings and random errors in a new deployment. Is PKI absolutely required in this scenario?

kiwid
Sep 30, 2013

MF_James posted:

It is not required, no.

How do you get around the certificate issues?

Unrelated, I'm doing a print server migration this weekend. Is there really no easy way to deploy printers still because of print nightmare?

If I turned off the require RestrictDriverInstallationToAdministrators setting for the purposes of the migration and then re-enabled it after printers were deployed, would this cause issues after re-enabling?

Putting Type 4 drivers aside, how are you guys installing printers these days? I've heard some sysadmins are installing locally on each machine, while others are typing domain admin creds to install (which is bad practice).

kiwid
Sep 30, 2013

Holy hell I went down the printer rabbit hole today.

First, Type 4 drivers just wouldn't work at all for me. They'd print from the server but I could never get the client to print via a printer connection.

Scrapped that idea, then decided to go with universal PCL6 print drivers. Luckily we only have printers from 3 vendors, and all 3 had a solid universal driver.

After almost giving up following countless different guides online, I found this reddit post: https://old.reddit.com/r/sysadmin/comments/ptvwo1/generic_way_to_install_printer_drivers_help/

I was able to push those 3 universal print drivers to all clients via PDQ Deploy and then rolled out the printer deployment GPO without issue.

I need to retire into a middle-management position cause I'm getting too old for this poo poo.

kiwid
Sep 30, 2013

chocolateTHUNDER posted:

I highly recommend that if you have the budget for it, to go with something like Printerlogic to take care of printing administration. Seriously, it's worth it.

I considered this, either that or Papercut. But they don't put pricing on their website and I didn't want to waste hours talking with a sales rep.

We have 21 printers across the org, not sure if that's worth the service or not?

kiwid
Sep 30, 2013

With M365 NCE licensing, do you guys buy a buffer of licenses for the year or do you just commit to your exact license count then do month-to-month for new employees until the renewal period comes up?

kiwid
Sep 30, 2013

Thanks Ants posted:

Commit to what is needed, add additional annual licenses if the head count changes, use the spare license if someone leaves and it takes a couple of weeks for a new person to join. If the company is losing people at a rate where the cost of the unused licenses is a problem then there are bigger problems, so it's just not worth worrying about.

If you have actual seasonal cycles in headcount then month-to-month makes sense for them, but otherwise it's annual. Whoever sells you your licensing should be able to co-term any new annual licenses with your current anniversary date.

https://learn.microsoft.com/en-us/partner-center/align-subscription-end-dates

Awesome, thanks.

kiwid
Sep 30, 2013

As a solo admin, I've just now been able to move everyone over from Business Standard to Business Premium licensing. I'm going through Azure AD / Entra ID trying to clean things up, set up best practices and also enable MFA with conditional access. Is there a guide or tutorial I can follow to do this?

kiwid
Sep 30, 2013

Defenestrategy posted:

As in what are best practices or how to setup mfa?

Yes.

kiwid
Sep 30, 2013

sporkstand posted:

There's also Security Defaults, which work pretty well for a baseline of security if you don't want/need to get into managing a bunch of CA policies, etc. Works well for smaller businesses with simpler needs, so it's not for all situations.

I need to avoid security defaults because we have email accounts for operators that use "general use" PCs throughout our plants. I need CA to avoid ever prompting MFA with anything that is on-site.

Unless, do you guys know of a better way?

kiwid
Sep 30, 2013

snackcakes posted:

Are you still going to enable MFA for them just to play it safe? You can have a separate policy that prompts for MFA except for trusted locations. Assuming you have static IP addresses

Correct. We'll enable MFA for these general use accounts, then just set up trusted locations so it never prompts.

kiwid
Sep 30, 2013

Thanks Ants posted:

You can go a step further and flat out deny the login to those accounts if they aren't coming from your locations. Stops someone setting up MFA and then accessing them externally if they have no reason to.

Oh, this would be awesome. I wasn't aware I could do this. So I don't even need to set up MFA, I just deny the login if it isn't from a trusted location?

That way I can focus only on mobile users MFA?

kiwid
Sep 30, 2013

Excellent, thanks!

kiwid
Sep 30, 2013

What do you all do about employees who refuse to use their personal phones (understandable) for Azure MFA? Do you use some type of hardware fob?

kiwid
Sep 30, 2013

GreenNight posted:

At my job management decided it's like wearing shoes to the office. If you want to work remote, using your personal phone for MFA is required. Or you're required to be on site 5 days a week.

We're such a relaxed environment, HR would never go for it but I like this idea.

Sir Bobert Fishbone posted:

We have one user who does not own a smartphone, and she was given a Yubikey.

Are YubiKeys reusable, as in if the employee leaves can I somehow reassign it to another user?

kiwid
Sep 30, 2013

Another question, I suppose. We have two locations that are in the middle of nowhere and the only ISP available other than Starlink is a PTP wireless provider that does double NAT and doesn't provide static IPs. It's been a nightmare for site-to-site VPN, but FortiGate's dial-up VPN has gotten us by. However, this means I can't set up these locations as trusted locations for MFA. What are my options here? Now that you mention YubiKey, I'm considering just using these for the general use PCs and leaving the YubiKey plugged in 24/7. Is there an alternative?

kiwid
Sep 30, 2013

Internet Explorer posted:

Yup yup. Also I do vaguely remember there is an upper limit of hardware MFA tokens EntraID will allow for your tenant. Maybe that's out of date knowledge, but I think it was talked about here or maybe the InfoSec thread fairly recently. Doesn't sound like it will be a problem for you, but something to be aware of.

Thanks for that tip. We have about 100 PCs across the company but only about 50 are user PCs, while the rest are for plant controls. It kinda sucks to be honest, but it is what it is. I'm not worried about MFA for users; rather, we can't have MFA prompting for the general use accounts.

kiwid
Sep 30, 2013

Is it recommended to have an M365 global administrator that is excluded from conditional access policies, with a strong password, that never logs in and is just there in case you lock yourself out?

Secondly, do you still use a separate admin account if you're using MFA and CA?
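The location-based deny suggested earlier in the thread (block the shared "general use" accounts unless the sign-in comes from a trusted location) and the break-glass exclusion asked about here fit in one Conditional Access policy. This is an added example using the Microsoft Graph PowerShell SDK, not anything from the thread; the group name, the break-glass UPN and the requirement that the plant sites already exist as trusted named locations are assumptions. It is created in report-only state so sign-in logs can be checked before it is enforced.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph SDK and a
# caller holding Policy.ReadWrite.ConditionalAccess (Conditional Access Administrator
# or Global Administrator).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All", "User.Read.All"

# Assumed objects: a group containing the shared plant accounts and a break-glass admin.
$sharedGroup = Get-MgGroup -Filter "displayName eq 'Shared Plant Accounts'"
$breakGlass  = Get-MgUser  -Filter "userPrincipalName eq 'breakglass@example.com'"
if (-not $sharedGroup -or -not $breakGlass) { throw "Assumed group or break-glass account not found." }

$policy = @{
    displayName = "Block shared plant accounts outside trusted locations"
    # Report-only first: evaluate in the sign-in log, then switch to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($sharedGroup.Id)
            excludeUsers  = @($breakGlass.Id)      # break-glass account never gets blocked
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")            # every location...
            excludeLocations = @("AllTrusted")     # ...except named locations marked trusted
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")               # deny outright rather than prompt for MFA
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Sites behind CGNAT/double NAT with no static egress address cannot be expressed as a trusted location, which is why the thread falls back to hardware keys for those two locations.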

kiwid
Sep 30, 2013

How do you have MFA enabled on an account without CA? I think I tried this today with a test account and it still logs in without prompting MFA. Do you use the legacy per-user MFA to enforce it?

edit: also holy poo poo that's a lot of accounts.

kiwid
Sep 30, 2013

Next question.

Does anyone use device filtering in conditional access policies?

If so, am I supposed to use the Device ID or the Object ID?

The policy says "DeviceID", but it didn't work until I added the Object ID.


kiwid
Sep 30, 2013

Never mind, I removed the Object ID and it was still working. I then removed the Device ID and it stopped working. I added back the Device ID and it started working again. Seems it was one of those things where I should have waited 15 minutes for the change.

The Fool posted:

Not an answer to your question, but when working with application registrations and enterprise apps I can never keep straight if I'm supposed to use the application id, or the object id of the application registration or the enterprise app. It feels like it's different every time and the documentation isn't clear.

I agree, I've been developing an intranet app that uses M365 oauth/saml and there are actually 3 IDs. Application, Object, and Tenant. I was using the wrong ID combinations for a little bit. Confusing.
