Yeah, we were talking about this in the Small Shop thread, but Enterprise is probably a better place. It's annoying because you have a bunch of people coming out and blaming the users (in this case, us IT guys) for using Security Filtering. Yes, the best practice is to use OUs or GPP with Targeting to limit what policies apply, but OUs are just needlessly complex and GPP with Targeting often has its own set of problems. Plus, there are some things you want to force (via Policy) instead of "set default" (via Preferences). Yes, Microsoft has said since the beginning that Authenticated Users should be left under Security Filtering as removing it removes the user's read rights to that GPO and causes "problems"... but the Group Policy Management console literally shows the following: It's a dumb bug. Blaming your users for using a setting for the only conceivable reason to use the setting is dumb. [Edit: I guess I should add the current workaround. Go to the Delegation tab and re-add Authenticated Users back. The Security Filtering will still work.]

# ¿ Jun 15, 2016 21:24
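The Delegation-tab workaround above, done in bulk. This is an added example, not code from the thread or from Microsoft. After MS16-072 (KB3159398, linked later in this thread) user-side policy is fetched in the computer's security context, so every GPO needs a Read entry for Authenticated Users or Domain Computers even when Security Filtering is restricted to a narrower group. The script lists GPOs that lack such an entry and, with the assumed `-Fix` switch, grants Read only, which leaves the existing Security Filtering untouched. It assumes the GroupPolicy RSAT module and rights to edit GPOs.

```powershell
# Added example: audit all GPOs for a missing Read ACE (KB3159398 / MS16-072)
# and optionally add Authenticated Users back with Read only.
# The -Fix switch and the $readers list are assumptions of this script.
#Requires -Modules GroupPolicy
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Fix
)

# Either of these trustees satisfies the post-MS16-072 read requirement.
$readers = @('Authenticated Users', 'Domain Computers')

# Any of these permission levels includes Read. GpoApply is what the
# Security Filtering box grants; GpoRead alone is the Delegation-tab workaround.
$readLevels = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

foreach ($gpo in Get-GPO -All) {
    $perms = Get-GPPermission -Guid $gpo.Id -All

    $hasRead = $perms | Where-Object {
        ($readers -contains $_.Trustee.Name) -and
        (-not $_.Denied) -and
        ($readLevels -contains "$($_.Permission)")
    }
    if ($hasRead) { continue }

    # Report the GPO and its current trustees so the change can be reviewed.
    [pscustomobject]@{
        Name     = $gpo.DisplayName
        Id       = $gpo.Id
        Trustees = ($perms | ForEach-Object { "$($_.Trustee.Name):$($_.Permission)" }) -join '; '
    }

    if ($Fix -and $PSCmdlet.ShouldProcess($gpo.DisplayName, 'Grant Read to Authenticated Users')) {
        # Read only: this does NOT re-add Authenticated Users to Security Filtering,
        # so the group-based filtering keeps working as before.
        Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
    }
}
```

Run it once without `-Fix` to see the list, then with `-Fix -WhatIf` to confirm which GPOs it would touch before letting it write. Because the check looks for a Read-or-better entry for either trustee, GPOs that were already repaired (or never had Authenticated Users removed) are skipped rather than modified.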
|
That's all well and good, but again, Microsoft's communication on issues is awful. They know that people use this setting. Like I said, GPM shows that's... what you use the setting for. There's no other reason for it to even exist. If it is as you said, I would hope that Microsoft would have known that this was going to bite people, and they should have come out before the patch telling people to make the Delegation changes. Or you know, even after. We still get to rely on a lovely forum full of other users to play "figure it out."

# ¿ Jun 15, 2016 21:28
|
Yeah, I saw that comment as well and I agree. Then some dummies were arguing that the Delegation (maybe they misunderstood and meant Security Filtering?) didn't change the NTFS rights on the folder in SYSVOL\Policies, when in fact it obviously does. I liked the comment about Microsoft having $26 billion to buy LinkedIn, but getting rid of a good portion of their QA. Seems about right.

# ¿ Jun 15, 2016 21:42
|
Yeah, GPO by OU is awful and I will blow my brains out before I do that. The "don't use Security Filtering" is so old at this point, it reeks of ritualistic tribal knowledge that reminds me of the "old Cisco guy" mindset.
|
# ¿ Jun 15, 2016 21:58
|
MF_James posted: We do GPO by OU somewhat, but it's tiered and not a monster, we also only have like 20 GPOs total and none of them are monsters.

When I say I won't do GPO by OU, I don't mean I apply all OUs to the domain level and leave it at that. Things should be tiered and laid out logically. What I am not doing is making an OU called "Marketing Printers" and putting everyone who needs access to the Marketing printers in that. Because that is super rigid. What if a user in the Marketing Printer OU also needs an Administration printer - oh god they can't be in both. This is what both GPP with Targeting and (surprise!) Security Filtering are for. Security Filtering and WMI filtering are both perfectly fine, except for the fact that WMI tends to be unreliable in general.

Thanks Ants posted: "Don't use security filtering" is the GPO version of "don't use autonegotiate"

Yeah, this is basically what I was getting at. I almost made a Reddit account to yell at people but then I remembered that's why I got a Twitter account I don't use.

# ¿ Jun 15, 2016 22:14
|
Zero VGS posted: I got our Ops team some new laptops with i7-6700HQ processors in them, and they are still telling me that Excel 2016 32-bit on Windows 10 is painfully slow. Apparently even adding a row will freeze up Excel for a minute plus. They're assuring me that they're avoiding every potential inefficiency (like following all these tips: https://msdn.microsoft.com/en-us/library/office/ff726673)

I've been using Excel 2016 on Windows 10 for a few days for some rather large, but not complex, spreadsheets and haven't noticed any problems. Have you checked out this thread? http://answers.microsoft.com/en-us/...51e0ff3?page=22 Seems like maybe filtering was an issue that may have gotten fixed with a recent patch?

# ¿ Jun 15, 2016 23:23
|
Quick, someone Photoshop Nadella into "I don't always test my code..." with your "your production" line.
|
# ¿ Jun 16, 2016 19:33
|
double post
|
# ¿ Jun 16, 2016 19:33
|
Beautiful. Absolutely beautiful.
|
# ¿ Jun 16, 2016 20:35
|
So ah... one of the patches from Patch Tuesday was pretty drat important. MS16-077 also known as "BadTunnel". "The nuts and bolts of how the vulnerability works haven’t been revealed but it has been described as a technique for NetBIOS-spoofing across networks that bypasses firewalls and NAT (Network Address Translation) devices." "This vulnerability has a massive security impact – probably the widest impact in the history of Windows."
|
# ¿ Jun 16, 2016 22:18
|
That sounds awful and you have my condolences for having to support what sounds like an awful setup. I'm not familiar with what you mean by Windows 2012 hashing profiles and a quick glance did not bring up anything relevant, but can't you just have a script that iterates through the relevant users in HKEY_USERS and sets the settings you need (or wipes it out and lets the HKEY_LOCAL_MACHINE settings take over or whatever you need to do)?

# ¿ Jun 21, 2016 21:05
|
If the DCs are replicating, bringing up new DCs and migrating the roles should work. I think the issue everyone is concerned with is that maybe the DCs aren't replicating properly. Have you gone through dcdiag? [Edit: And just in case... are you sure you're not getting bit by this? https://social.technet.microsoft.com/Forums/en-US/e2ebead9-b30d-4789-a151-5c7783dbbe34/patch-tuesday-kb3159398?forum=winserverGP ]

# ¿ Jun 23, 2016 01:08
|
Swink posted: No SYSVOL replication is happening though. Could I manually copy and share that folder on a new DC?

Sorry, I forgot that you mentioned that. Yes, things are seriously broken and standing up a new DC is not going to help. You need to fix the problem.

# ¿ Jun 23, 2016 13:46
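The replication check the two posts above are asking for, as an added example that is not from the thread. It is read-only: it pulls AD replication metadata and failures for every DC, confirms the SYSVOL share and the Policies folder are reachable on each one, reports whether the FRS (NtFrs) or DFSR service is the one running, and finishes with the usual dcdiag/repadmin summaries. It assumes the ActiveDirectory RSAT module, dcdiag.exe and repadmin.exe are installed, and Windows PowerShell 5.1 (Get-Service -ComputerName was removed in PowerShell 7).

```powershell
# Added example: replication and SYSVOL health pass across all DCs.
# Read-only. Requires RSAT (ActiveDirectory module, dcdiag, repadmin).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter * | Sort-Object HostName

# 1. AD replication: when each partner link last succeeded and how many
#    consecutive failures are stacked up. Anything with failures > 0 or a
#    stale LastReplicationSuccess means the DCs are not converging.
Get-ADReplicationPartnerMetadata -Target $dcs.HostName -Scope Server |
    Select-Object Server, Partner, LastReplicationSuccess,
                  LastReplicationResult, ConsecutiveReplicationFailures |
    Sort-Object Server, Partner | Format-Table -AutoSize

Get-ADReplicationFailure -Target $dcs.HostName -Scope Server |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize

# 2. SYSVOL: the share must exist on every DC and expose the Policies folder,
#    and exactly one replication engine (FRS or DFSR) should be running.
foreach ($dc in $dcs) {
    $policies = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies"
    $frs  = (Get-Service -ComputerName $dc.HostName -Name NtFrs -ErrorAction SilentlyContinue).Status
    $dfsr = (Get-Service -ComputerName $dc.HostName -Name DFSR  -ErrorAction SilentlyContinue).Status
    [pscustomobject]@{
        DC          = $dc.HostName
        SysvolShare = Test-Path $policies
        NtFrs       = $frs
        DFSR        = $dfsr
    }
}

# 3. The classic tools, quiet mode so only failures are printed.
dcdiag /e /q
repadmin /replsummary
```

If step 1 is clean but step 2 shows a DC with no SYSVOL share, or with NtFrs running on some DCs and DFSR on others, that is a SYSVOL problem rather than an AD database problem, which matches the "no SYSVOL replication" symptom described above; fixing that comes before promoting anything new.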
|
The Spiceworks forums are the loving worst. When I need a break at work I'll sometimes read through their threads just to get a laugh at their outrageousness.

# ¿ Jul 13, 2016 19:33
|
WHAT DO YOU NEED A SAN FOR!?!?! - Scott Miller (Spicy Dorito)
|
# ¿ Jul 13, 2016 22:29
|
I have raised the forest and domain levels on networks dozens of times in the middle of the day and never, ever had a problem. Just did it on a network last week. As long as you're not running an ancient Exchange server you'll be fine.
|
# ¿ Jul 14, 2016 22:28
|
More the second. Look up the difference between DFS-N and DFS-R and that should clear things up a bit.
|
# ¿ Jul 22, 2016 16:05
|
My pleasure. Even if people aren't using DFS-R, they should be using DFS-N for all shares, in my opinion.
|
# ¿ Jul 28, 2016 20:46
|
I just remove access to the share and do one last sync before the cutover. It's the only way I can be sure that users are not changing files. I guess if you need 24x7 uptime that changes things, but then I would hope you're using other technologies that make moving to a new share easier.
Internet Explorer fucked around with this message at 15:19 on Aug 4, 2016

# ¿ Aug 4, 2016 14:23
|
Don't do this. Use Group Policy Preferences. You will need domain admin rights to edit GPOs. If you are able to access admin shares on PCs like you are doing, you likely have domain admin rights unless your company is doing things "right" and making you local admin, which I doubt if this was left to you with no help on doing it the right way. This should get you started - https://technet.microsoft.com/en-us/library/cc753580%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396
|
# ¿ Aug 12, 2016 19:07
|
Maybe we'll see more reliab.... AHaha no, who am I kidding?
|
# ¿ Aug 16, 2016 14:11
|
Has anyone been involved in rolling out ticketing/documentation software to a more general audience, not just IT? We are undergoing some management changes at my small company and we are considering having the administrative staff (Accounting, Billing, HR) run in a more organized fashion. We've looked at ZenDesk and JIRA, but both seem to have their flaws. ZenDesk doesn't really do sub-tickets or sub-tasks, making things like a new hire ticket that creates sub-tickets for the other departments, kind of difficult. JIRA seems like it could fit the bill, but the learning curve and time to implement seem somewhat daunting for us. On the documentation side, we are just looking to allow departments to better document their processes and share that knowledge with other departments. I have used Confluence extensively in the past and I am sure that would fit the bill, but so would ZenDesk's knowledge base or whatever. Anyone been through this and have some thoughts?
|
# ¿ Aug 16, 2016 21:29
|
Just wanted to stop by and say thank you for the feedback regarding "Service Management" for not IT folks. Still struggling to find a solution for us, but I've broadened my search a bit.
|
# ¿ Aug 17, 2016 19:08
|
HKCU is indeed linked to the user who is currently logged in. You can limit access to RegEdit, but you cannot limit access to HKCU and have programs still work properly. HKCU is where any setting that doesn't reside in a .config or .ini file exists for a user.

HKLM is the registry for that machine. Generally, this is locked down so that only administrators can edit it. You CAN give normal users rights to keys in HKLM if you absolutely need to. How software uses those keys and what keys need to be edited depends on the software. Very generally speaking - a key for a setting will only exist in HKCU or HKLM, depending on if the software expects the user to be able to change the setting or not. Again, generally speaking, if there is a key in both places HKLM exists to serve as the "default" and HKCU exists to allow the users to set their own setting, so if the key exists in both places HKCU will win.

A very useful method to figuring out how registry keys are impacted when you make a change in the UI is to use something like RegShot. It will allow you to run a "first pass" which records registry settings, then you make your change, then run a "second pass" and it will tell you the differences. Try to make small changes at a time so you can more easily see the impact. It can also monitor folders and files to look for changes in other places, like AppData, ProgramData, or (ugh) Program Files.

Learning how to dictate (or set a preference on) user settings is super useful and something every Windows admin should know. It starts becoming really important when you deal with rolling out software, especially on things like RDS or Citrix. Also, I think we've had this conversation before, but this is what Group Policy exists for. If you aren't going to get access to it, tell them to either give you the tools to do your job or stop asking you to do poo poo you don't have the proper access to do.

# ¿ Aug 25, 2016 20:42
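The RegShot "first pass / second pass" workflow from the post above, written out in PowerShell as an added example (not the poster's code, and not RegShot itself). `Get-RegistrySnapshot` walks a registry subtree and records every value as a flat `key\name -> value` map; `Compare-RegistrySnapshot` reports what was added, removed or changed between two snapshots. The demo at the bottom creates and modifies a scratch key under HKCU so it runs without touching real settings; the key name `RegSnapDemo` and the value names are constructed for the demo. In real use you would snapshot, for example, `HKCU:\Software\Vendor\App`, click the setting in the application's UI, and snapshot again.

```powershell
# Added example: RegShot-style before/after registry diff.

function Get-RegistrySnapshot {
    # Flatten every value under $Path (recursively) into a hashtable of
    # "HKEY_...\key\valuename" -> string, so two snapshots can be compared.
    param([Parameter(Mandatory)][string]$Path)

    $snap = @{}
    if (-not (Test-Path -LiteralPath $Path)) { return $snap }

    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            # The default value has an empty name; label it like regedit does.
            $label = if ($name -eq '') { '(default)' } else { $name }
            # Do not expand REG_EXPAND_SZ so %VAR% differences are visible as written.
            $value = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            # REG_MULTI_SZ / REG_BINARY come back as arrays; join for a string compare.
            $snap["$($key.Name)\$label"] = ($value -join ',')
        }
    }
    return $snap
}

function Compare-RegistrySnapshot {
    # Return Added / Removed / Changed lists between two snapshots.
    param(
        [Parameter(Mandatory)][hashtable]$Before,
        [Parameter(Mandatory)][hashtable]$After
    )

    $result = [ordered]@{ Added = @(); Removed = @(); Changed = @() }

    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k)) {
            $result.Added += "$k = $($After[$k])"
        }
        elseif ($Before[$k] -ne $After[$k]) {
            $result.Changed += "$k : '$($Before[$k])' -> '$($After[$k])'"
        }
    }
    foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k)) {
            $result.Removed += "$k = $($Before[$k])"
        }
    }
    return [pscustomobject]$result
}

# --- Demo on a scratch key (constructed; replace with the app's real key) ---
$scratch = 'HKCU:\Software\RegSnapDemo'
New-Item -Path $scratch -Force | Out-Null
New-ItemProperty -Path $scratch -Name 'Theme' -Value 'Light' -PropertyType String -Force | Out-Null

$before = Get-RegistrySnapshot -Path $scratch

# In real use, this is where you change one setting in the application's UI.
Set-ItemProperty -Path $scratch -Name 'Theme' -Value 'Dark'
New-ItemProperty -Path $scratch -Name 'ShowHidden' -Value 1 -PropertyType DWord -Force | Out-Null

$after = Get-RegistrySnapshot -Path $scratch

# Expected: Changed lists Theme 'Light' -> 'Dark'; Added lists ShowHidden = 1.
Compare-RegistrySnapshot -Before $before -After $after | Format-List

Remove-Item -Path $scratch -Recurse
```

Once the diff tells you which value a UI toggle writes, that value (and whether it lives under HKCU or HKLM) is exactly what you put into a Group Policy Preferences Registry item, or into a policy setting if one exists, rather than scripting edits on each machine.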
|
MF_James posted: Nah let's just manage our domain by doing edits on EVERY loving MACHINE.

# ¿ Aug 25, 2016 21:13
|
Gerdalti posted: I've just about had it up to my eye balls with Offline Files.

Not sure if you've seen these, but I have heard bad things about Offline Files and DFS. I think it was mentioned in this thread as well. http://emtunc.org/blog/01/2015/dfs-and-offline-files-a-match-made-in-hell/ https://www.reddit.com/r/sysadmin/comments/2rmfiw/moving_to_dfs_but_have_offline_files_and_folder/

# ¿ Sep 1, 2016 18:39
|
I don't know anything about Hyper-V, but you can download what you need from EqualLogic's support site. Why would you need a CD in 2016? And I'm not sure what you mean by configuring it as "an expensive NAS." Like, I get what you're saying about putting one volume on one server and another volume on the second server, but that has nothing to do with SAN vs NAS and everything to do with some dumb person not knowing what they're doing. That's an issue on the Hyper-V side, and they could have set it up correctly on a NAS. If there is space on the array just make another volume, set it up correctly, and move machines over. If there's not, I think EqualLogic supports shrinking of volumes. Shrink them and see if you have enough space. If that doesn't do it, buy some cheap storage, move things over, fix the configuration, and move things back. Shouldn't be too hard of a task unless working with shared storage with Hyper-V is somehow impossible, which as lovely as it is, I somehow doubt.

# ¿ Sep 8, 2016 14:10
|
Docjowles posted: I think he's saying the EQL is out of support. The MPIO driver is behind a paywall.

That's what I get for replying to posts before I wake up. But ah, yeah, don't do that. Don't run your entire company off a single device that has no support.

# ¿ Sep 8, 2016 14:46
|
If you haven't taken a look at ShareFile, I would start there. You can have a pretty granular setup with something like that, including the ability to send users an "Upload File Link" that uploads the files to the "Inbox" of the user who sent it, from which they can be moved. Really, the only time you'd need to provision accounts is to have things in a shared, consistent folder.

# ¿ Sep 8, 2016 21:46
|
I used AuthAnvil a bit and didn't have any complaints. Just be careful you don't end up locking yourself out if the poo poo hits the fan.
|
# ¿ Sep 14, 2016 19:31
|
NevergirlsOFFICIAL posted: Why did you stop using it? Just different job or did you switch to something else?

Different job. We used it at an MSP. Part of the reason was that you could log into the same administrator account with a different token, so it could at least show who logged into an account and when, without having to make an account for each tech for every customer. Whether that is a good security practice or not is a different story.

# ¿ Sep 14, 2016 20:02
|
At the time we were using it internally, but the goal was to eventually offer it as a service to customers. 2FA was less popular back then (3-4 years ago) and was not in-demand by customers.
|
# ¿ Sep 14, 2016 20:30
|
If you're not doing an active DR test once a quarter or so and actively running on your DR environment with production being "offline", it is never going to work right. There's a reason why big boys like Netflix actively test their DR on a daily basis - http://arstechnica.com/information-technology/2012/07/netflix-attacks-own-network-with-chaos-monkey-and-now-you-can-too/
|
# ¿ Sep 14, 2016 21:32
|
Fudge posted: That's great assuming you can resource something like that. A lot of places probably can't even run through DR scenarios without destroying their janky environment completely.

Right. If you can't roll over your business to DR and have it run for a day, then the current setup is not sufficient. Management buy-in is super important for that. The understanding needs to be, if you do not provide us the resources and allow us to test regularly, a "DR setup" is more like a guideline at best. But, I realized I didn't answer your question. No, I have never worked in a place that could get through DR without causing a mess. I have implemented proper DR as a consultant. Sorry to hammer it home, but it's just like backups. It doesn't count if you're not actively testing it.

# ¿ Sep 14, 2016 21:41
|
Try this thread - http://forums.somethingawful.com/showthread.php?threadid=2672629
|
# ¿ Sep 15, 2016 22:49
|
Is Group Policy an option? Because if so, I vote for using Group Policy.
|
# ¿ Sep 19, 2016 13:56
|
MrMojok posted: Yeah, I did censor the name. File Replication Service is set to auto and started on DC1.

His point is that you missed a couple.

# ¿ Sep 21, 2016 21:04
|
Thanks for the reply. 90 users or so. We've been undergoing a lot of management and cultural changes. I am slowly getting them to understand the need for ticketing / documentation.
|
# ¿ Sep 22, 2016 03:00
|
I've implemented similar. If companies are considering it, they are making enough to justify it.
|
# ¿ Sep 27, 2016 03:59
|
|
You can do all those things by GPO if they regularly have domain access. You'd still have to install the OS or go the WSUS route, but I'd rather use GPO than a script if it's possible.

# ¿ Oct 5, 2016 00:16