Swink
Apr 18, 2006
Left Side <--- Many Whelps
What I'm reading is that ADConnect is how you sync accounts, and ADFS is an optional addition that can provide SSO. Is that right? My manager is also concerned about our passwords being stored with Microsoft. (The one security issue he is hung up on)

McDeth
Jan 12, 2005

Swink posted:

What I'm reading is that ADConnect is how you sync accounts, and ADFS is an optional addition that can provide SSO. Is that right? My manager is also concerned about our passwords being stored with Microsoft. (The one security issue he is hung up on)

What? Those passwords are sure as poo poo not stored as plain-text and more than likely stored as irreversible one-way hashed values, so unless he's manually uploading a spreadsheet with users passwords into OneDrive then he sounds like he knows nothing about how a cloud-based service functions.

Thanks Ants
May 21, 2004

#essereFerrari


You're right. Don't do ADFS, there is no real benefit to it.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
He doesn't know anything and I only know slightly more so I can't allay his fears that well.

Ten-four on ADFS. Thanks.

Dans Macabre
Apr 24, 2004


Swink posted:

He doesn't know anything and I only know slightly more so I can't allay his fears that well.

Ten-four on ADFS. Thanks.

Well if you DON'T do password sync with AD connect then users will have a separate set of credentials to log in to o365, which will be stored with Microsoft anyway. If he doesn't want passwords with Microsoft then O365 is off the table, or you use ADFS. If you use ADFS and your domain is not available to Azure for some reason then users won't be able to authenticate.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
Yeah I've read up a heap on it today including watching those awful Garage videos. It's much clearer to me now.

He needs to get over the fact of the stored hashes. I don't have a way to make ADFS redundant on our network.

Thanks Ants
May 21, 2004

#essereFerrari


Not just on your network. You then need to make that network link redundant as well. And then the site.

No point having your email in the :yayclod: if your office building takes an extended power outage and nobody can actually log into their mailboxes.

If you're worried about stored hashes then just enforce a maximum password age.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
We're only doing Office. Mail is staying in-house. I'm only interested in this stuff as it pertains to staff using the Office suite.

Dans Macabre
Apr 24, 2004


Thanks Ants posted:

If you're worried about stored hashes then just enforce a maximum password age.

Well, except that's not enough, because when the max age comes about you can still log in to Office 365 until the user authenticates with real AD and changes the password.
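The hash-sync and expiry points in the posts above, turned into something an admin can run before arguing with the manager. This is an added example, not code from the thread or from Microsoft. It assumes the ADSync module on the Azure AD Connect server and the MSOnline module of that era (since retired in favour of Graph) with Connect-MsolService already run; the UPN jdoe@company.com is a placeholder.

```powershell
# Added example (not from the thread). Run on the Azure AD Connect server for
# the ADSync parts and from a Connect-MsolService session for the tenant parts.

# 1. What Connect is actually doing. PasswordHashSync=False means users end up
#    with a separate cloud password anyway (or you are federating), which is
#    the trade-off discussed above.
Import-Module ADSync
$features = Get-ADSyncAADCompanyFeature
"Password hash sync enabled : {0}" -f $features.PasswordHashSync

$sched = Get-ADSyncScheduler
"Sync cycle enabled         : {0}" -f $sched.SyncCycleEnabled
"Next sync (UTC)            : {0}" -f $sched.NextSyncCycleStartTimeInUTC

# 2. Tenant-side confirmation: when did a password hash last actually land?
$company = Get-MsolCompanyInformation
"Tenant PHS enabled         : {0}" -f $company.PasswordSynchronizationEnabled
"Last password sync (UTC)   : {0}" -f $company.LastPasswordSyncTime

# 3. The expiry gap: by default a synced user's cloud password never expires,
#    so an on-prem max-age policy does nothing for cloud sign-in until the user
#    changes the password and the new hash syncs. This tenant feature makes
#    the cloud copy honour the on-prem expiry.
$feat = Get-MsolDirSyncFeatures -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers
if (-not $feat.Enabled) {
    Write-Warning "Synced users' cloud passwords never expire. Enable with:"
    Write-Warning "  Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable `$true"
}

# 4. Per-account view: LastPasswordChangeTimestamp moves when the synced hash
#    changes, so a stale value here is a user whose on-prem expiry has not
#    reached the cloud yet. jdoe@company.com is a placeholder.
Get-MsolUser -UserPrincipalName 'jdoe@company.com' |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp, PasswordNeverExpires
```

On the manager's actual worry: with password hash sync what Azure AD receives is not the NT hash itself. The Connect agent salts the NT hash per user and runs it through PBKDF2-HMAC-SHA256 (1000 iterations) before upload, so the cloud copy cannot be replayed against on-prem AD as a pass-the-hash credential. It is still a password verifier, which is why the expiry setting in step 3 is the part worth fixing rather than the storage itself.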

Dans Macabre
Apr 24, 2004


Swink posted:

We're only doing Office. Mail is staying in-house. I'm only interested in this stuff as it pertains to staff using the Office suite.

oh so in that case literally who cares

Rhymenoserous
May 23, 2008

Swink posted:

We're only doing Office. Mail is staying in-house. I'm only interested in this stuff as it pertains to staff using the Office suite.

and here we are in scenic opposite land.

Dans Macabre
Apr 24, 2004


Here's a common request I've seen over my years of working for/with small business. I'm sure it comes up in larger companies but anyway:

CEO of the company is jasshole@company.com and his assistant wants to send emails on his behalf. The assistant also wants to manage the replies instead of the president.

So what do you do

option 1 - create second mailbox john.rear end in a top hat@company.com. Internal users start emailing that address by mistake because they pick it from the GAL.

option 2 - have assistant send from real address, create mailbox rule to move the replies to a specific folder in the same mailbox and have assistant look in there. Then deal with that for the rest of my life.

Gerdalti
May 24, 2003

SPOON!

NevergirlsOFFICIAL posted:

Here's a common request I've seen over my years of working for/with small business. I'm sure it comes up in larger companies but anyway:

CEO of the company is jasshole@company.com and his assistant wants to send emails on his behalf. The assistant also wants to manage the replies instead of the president.

So what do you do

option 1 - create second mailbox john.rear end in a top hat@company.com. Internal users start emailing that address by mistake because they pick it from the GAL.

option 2 - have assistant send from real address, create mailbox rule to move the replies to a specific folder in the same mailbox and have assistant look in there. Then deal with that for the rest of my life.

I generally grant the assistant rights to the mailbox and rights to send as the CEO. CEO either trusts the assistant, or you don't and you do not grant this level of access. A good employment contract for the assistant is a must here, as they will have access to sensitive company data.

Dans Macabre
Apr 24, 2004


Gerdalti posted:

I generally grant the assistant rights to the mailbox and rights to send as the CEO. CEO either trusts the assistant, or you don't and you do not grant this level of access. A good employment contract for the assistant is a must here, as they will have access to sensitive company data.

CEO trusts the assistant, not a problem. The problem is the CEO does not want to see all the replies to this specific email.

Example: assistant sends an email from the CEO wishing merry christmas. But it's going to VIPs so he wants it to be from his "real" address not noreply@ or assistant@. But he also doesn't want to go through all the responses saying "thanx you too" he wants the assistant to look at those and flag any that require action.

Thanks Ants
May 21, 2004

#essereFerrari


He can't send from his real address but be immune to replies coming back to it, since anything you do to avoid that instantly makes his real address not so real any more.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
Give him a second alias and set the reply to address to that. Make a mailbox rule to match messages sent to the secondary reply to address. Jasshole@ vs j.rear end in a top hat@.

Gerdalti
May 24, 2003

SPOON!

adorai posted:

Give him a second alias and set the reply to address to that. Make a mailbox rule to match messages sent to the secondary reply to address. Jasshole@ vs j.rear end in a top hat@.

Ah, yes, in that scenario this is what I've done.

Rhymenoserous
May 23, 2008

Gerdalti posted:

Ah, yes, in that scenario this is what I've done.

it's a stupid goddamn scenario.

TehRedWheelbarrow
Mar 16, 2011



Fan of Britches

Rhymenoserous posted:

it's a stupid goddamn scenario.

Gerdalti
May 24, 2003

SPOON!
Agreed. I'd imagine the proper way to do it is to use a mailer of some sort, allowed to send on behalf, with a different reply-to address.
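The secondary-alias plus reply-to plus rule approach adorai describes, as Exchange Management Shell commands. This is an added example, not code from the thread; it targets on-prem Exchange 2010 or later and uses hypothetical names (CEO mailbox jdoe, assistant asmith, secondary address j.replies@company.com, folder "Exec replies").

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
$ceo       = 'jdoe'
$assistant = 'asmith'
$replyAddr = 'j.replies@company.com'
$folder    = 'Exec replies'

# 1. Delegation. Full Access lets the assistant open the mailbox; Send As makes
#    mail really leave as jdoe@company.com rather than "on behalf of".
#    AutoMapping off so Outlook does not force the entire mailbox into the
#    assistant's profile; they can add just the folder they care about.
Add-MailboxPermission -Identity $ceo -User $assistant -AccessRights FullAccess `
    -InheritanceType All -AutoMapping $false
Add-ADPermission -Identity $ceo -User $assistant -AccessRights ExtendedRight -ExtendedRights 'Send As'
# Exchange Online equivalent of the Send As line:
# Add-RecipientPermission $ceo -Trustee $assistant -AccessRights SendAs -Confirm:$false

# 2. A second SMTP address on the same mailbox. Lowercase "smtp:" keeps it
#    secondary, so the primary address and the single GAL entry are unchanged.
Set-Mailbox -Identity $ceo -EmailAddresses @{add = "smtp:$replyAddr"}

# 3. A folder and a server-side rule. Anything addressed to the secondary
#    address is a reply to the campaign mail, so it lands where the assistant
#    looks and the CEO does not. Server-side so it works with Outlook closed.
New-MailboxFolder -Parent "${ceo}:\Inbox" -Name $folder
New-InboxRule -Mailbox $ceo -Name 'Campaign replies to assistant' `
    -SentTo $replyAddr -MoveToFolder "${ceo}:\Inbox\$folder" -StopProcessingRules $true

# 4. The part that is deliberately not scripted: when the assistant composes
#    the campaign message in Outlook with From: jdoe@company.com, set
#    Options > Direct Replies To = j.replies@company.com. That writes the
#    Reply-To header on that one message only, so the CEO's normal mail is
#    untouched. Setting Reply-To for the whole mailbox would be the "his real
#    address is no longer real" problem raised above.

# Verify the three pieces are in place.
Get-MailboxPermission -Identity $ceo -User $assistant | Select-Object User, AccessRights
Get-ADPermission -Identity $ceo -User $assistant | Where-Object { $_.ExtendedRights -like 'Send*' }
Get-InboxRule -Mailbox $ceo | Select-Object Name, SentTo, MoveToFolder
```

Two things worth checking after this: Send As only works once the Exchange permission cache has refreshed (up to a couple of hours on-prem, or restart the Information Store in a lab), and the rule fires only on replies that actually went to the secondary address, so a recipient who edits the To: line back to jdoe@ will still land in the CEO's inbox. That residual case is the one the mailer-with-separate-reply-to approach in the post above avoids.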

Tots
Sep 3, 2007

:frogout:
Hey guys. I have a chance to get into a sysadmin job for ~80 users. As far as I know, I would be the only one there although I've been told there's budget for temporary consultants if I need help with something. This is for a new contract in a new building and I'd basically be setting things up from the ground up. Nothing is in place yet. No domain, no ticketing system, etc. Does this sound like a good opportunity or a death wish?

Proud Christian Mom
Dec 20, 2006
READING COMPREHENSION IS HARD

Tots posted:

Hey guys. I have a chance to get into a sysadmin job for ~80 users. As far as I know, I would be the only one there although I've been told there's budget for temporary consultants if I need help with something. This is for a new contract in a new building and I'd basically be setting things up from the ground up. Nothing is in place yet. No domain, no ticketing system, etc. Does this sound like a good opportunity or a death wish?

Both.

Sheep
Jul 24, 2003

Tots posted:

Hey guys. I have a chance to get into a sysadmin job for ~80 users. As far as I know, I would be the only one there although I've been told there's budget for temporary consultants if I need help with something. This is for a new contract in a new building and I'd basically be setting things up from the ground up. Nothing is in place yet. No domain, no ticketing system, etc. Does this sound like a good opportunity or a death wish?

Sounds like a good opportunity to me. Clean start means you get to do things right the first time instead of trying to clean up the messes your predecessors have left behind.

The only thing that concerns me is the fact that you used sysadmin, 80 users, and ticketing system all in the same thought. So you're going to be this organization's one-stop IT shop? It's not an unreasonable task or anything but it does demand that you set realistic goals instead of waltzing in on day one and trying to set up AD plus ticketing plus remote support plus asset tracking plus god knows what else.

Walked
Apr 14, 2003

Tots posted:

Hey guys. I have a chance to get into a sysadmin job for ~80 users. As far as I know, I would be the only one there although I've been told there's budget for temporary consultants if I need help with something. This is for a new contract in a new building and I'd basically be setting things up from the ground up. Nothing is in place yet. No domain, no ticketing system, etc. Does this sound like a good opportunity or a death wish?

I run a similar environment from a similar starting point.

Except it was more like 30 end users, but they're software developers, and an application we develop that has about 5000 external users.

Most days it's pretty awesome.
Once in a while it sucks super, super bad. Being the only end to support before calling in a consultant or pinging Microsoft can be stressful if something goes wrong.

If you're going to be the only point for user support (I am) on top of IT infrastructure - automation and centralized management is critical. Although that will depend on the neediness of the end users, and complexity of the infrastructure. I'm more on the "complex infrastructure, easy end user" side of that spectrum.

Good resume block though. Make sure you have an adequate budget to work with and purchasing is handled intelligently; that's been my biggest headache.

I'm in the process of pushing for a junior admin to take the more menial tasks as our infrastructure grows (so there's a potential segue into management for you)

Internet Explorer
Jun 1, 2005





Sounds like a great opportunity but I would also push for a junior guy to help blunt low-end tickets, answer phones, deal with walk-ups. Plus when you're the only IT guy, good luck ever taking a day off let alone a week.

Moey
Oct 22, 2010

I LIKE TO MOVE IT

Internet Explorer posted:

Sounds like a great opportunity but I would also push for a junior guy to help blunt low-end tickets, answer phones, deal with walk-ups. Plus when you're the only IT guy, good luck ever taking a day off let alone a week.

Seconding this. I would love that job, but would absolutely want a helpdesk person to handle all the crap that comes in.

Tots
Sep 3, 2007

:frogout:
Good news! I just found out that there is potential that a second person would be there as well. If I am the only person, then yes I would be the one stop IT shop. I also just found out that it will be a call center, so I think that should make things easier...Maybe?

The fact that it's being built from scratch with a real budget is what's attracting me to this. The current environment I'm in is the biggest IT clusterfuck that I could possibly imagine and the idea of setting something up right with all streamlined centralized automated processes gives me a boner. Just to give you an idea, on multiple occasions I've had to visit upwards of 20 workstations to do things like "update adobe" or "create a shortcut for the new network drive" per my supervisor's instruction.

E: Also, if I do get this position then expect me to be in this thread documenting the process and asking for advice throughout. :D :D

Gerdalti
May 24, 2003

SPOON!
Let's talk remote lockdown for a second.

My company has recently started hiring people who work remotely 100% of the time (or near enough). This is new to me, and therefore I have not planned for it at all.

Now we're also FIRING people who work remotely 100% of the time, and the problem is that I can not just take their laptop from them the second they get fired (i.e. removing their access to steal company data).

I'm looking at Lojack and Prey at the moment, any advantages to either? Or another piece of software completely?

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib

Gerdalti posted:

Let's talk remote lockdown for a second.

My company has recently started hiring people who work remotely 100% of the time (or near enough). This is new to me, and therefore I have not planned for it at all.

Now we're also FIRING people who work remotely 100% of the time, and the problem is that I can not just take their laptop from them the second they get fired (i.e. removing their access to steal company data).

I'm looking at Lojack and Prey at the moment, any advantages to either? Or another piece of software completely?
Do they have company data on the laptop? There isn't a ton you can do to prevent a determined person (even with Lojack's BIOS module, they could just take the HD out and put it in a different machine) unless you've got full disk encryption on. If the data isn't on their laptop, just disable their user and computer accounts, that should prevent access to your servers. If you've got DirectAccess, even better, the computer will see your account changes as soon as they have an internet connection and prevent them from logging on at all.
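The "disable their user and computer accounts" step from the reply above, scripted so it happens in one go the moment HR makes the call, with the checks that decide whether that was actually enough. This is an added example, not code from the thread; it assumes the ActiveDirectory RSAT module on a domain-joined admin box, and the account j.smith, machine LT-JSMITH and container OU=Quarantine,DC=company,DC=com are hypothetical.

```powershell
# Added example (not from the thread). Names and OU are placeholders.
Import-Module ActiveDirectory

function Disable-RemoteLeaver {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $QuarantineOU = 'OU=Quarantine,DC=company,DC=com'
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    $comp = Get-ADComputer -Identity $ComputerName

    # 1. Scramble the password as well as disabling. An accidental re-enable
    #    later must not restore working credentials, and the old password and
    #    NT hash stop being useful against anything that authenticates to the
    #    domain (VPN, RDP gateway, saved credentials on the laptop).
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPw

    # 2. Disable user AND computer. DirectAccess and machine-auth VPNs key off
    #    the computer account, so leaving it enabled leaves a tunnel open.
    Disable-ADAccount -Identity $user
    Disable-ADAccount -Identity $comp

    # 3. Strip group memberships so a later re-enable grants nothing by default.
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    # 4. Park both objects in an OU that carries a deny-logon GPO and that no
    #    other policy or sync scope targets.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $QuarantineOU
    Move-ADObject -Identity $comp.DistinguishedName -TargetPath $QuarantineOU

    # 5. None of the above helps if the data is on an unencrypted disk: pull
    #    the drive, read it elsewhere. Check that a BitLocker recovery key was
    #    escrowed under this computer object before treating the box as safe.
    $keys = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -SearchBase $comp.DistinguishedName
    if (-not $keys) {
        Write-Warning "$ComputerName has no BitLocker recovery key in AD; assume the disk is readable."
    }
}

Disable-RemoteLeaver -SamAccountName 'j.smith' -ComputerName 'LT-JSMITH'
```

Two caveats the script cannot fix. Cached domain logon on the laptop keeps accepting the old password offline until the machine next reaches a DC, so AD changes only bite once it connects (which is the DirectAccess point in the post above). And anything not backed by AD, cloud tokens, MFA registrations, SaaS accounts, needs its own revocation step; this covers the on-prem half only.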

Super Slash
Feb 20, 2006

You rang ?
I got things powered down at closing time so I could move a UPS aside in order to mount an additional one. I requested earlier that our two servers get a scheduled shutdown, which didn't happen, so I did them manually. Of course the terminal server I shut down started installing updates, so I learned my lesson and shut down the main one bypassing updates since I didn't want to stick around for ages. Got everything put into place ready to set up on Monday, but after I left the building I remembered I'd left updates installing during shutdown, not restart, and I'm sure as hell not coming in on the weekend to power it back on.

It's not like anyone uses it anyway, and nobody should be working from home outside hours anyway. :shrug:

Rhymenoserous
May 23, 2008

Sheep posted:

Sounds like a good opportunity to me. Clean start means you get to do things right the first time instead of trying to clean up the messes your predecessors have left behind.

The only thing that concerns me is the fact that you used sysadmin, 80 users, and ticketing system all in the same thought. So you're going to be this organization's one-stop IT shop? It's not an unreasonable task or anything but it does demand that you set realistic goals instead of waltzing in on day one and trying to set up AD plus ticketing plus remote support plus asset tracking plus god knows what else.

I'd suggest having them hire an outside contractor for 2-6 months during the initial setup period so you can have someone set up all the PCs etc. while you focus on domain controller/ticket system/mail system/etc.

Wizard of the Deep
Sep 25, 2005

Another productive workday

Rhymenoserous posted:

I'd suggest having them hire an outside contractor for 2-6 months during the initial setup period so you can have someone set up all the PCs etc. while you focus on domain controller/ticket system/mail system/etc.

I'd suggest having some local MSP on retainer for when things get busy, or you want to take a vacation, or if you get hit by a lottery. Even if there's a help-desk PFY, having someone more senior who can step in and knows the environment is critical for business continuity reasons. With someone on retainer, maybe a few hours a month, you could bring them in to give you a second set of eyes or another person to bounce ideas off of, too. Building the reputation now means your bosses don't have to scramble later.

I'd also absolutely want to know what the actual budget is for the build-out. If they're cheaping out now, you're going to spend more on fire extinguishers than you will on building a solid infrastructure, and that's bad.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

Gerdalti posted:

Let's talk remote lockdown for a second.

My company has recently started hiring people who work remotely 100% of the time (or near enough). This is new to me, and therefore I have not planned for it at all.

Now we're also FIRING people who work remotely 100% of the time, and the problem is that I can not just take their laptop from them the second they get fired (i.e. removing their access to steal company data).

I'm looking at Lojack and Prey at the moment, any advantages to either? Or another piece of software completely?

VDI only, that way the laptop is useless to steal company data.

McDeth
Jan 12, 2005

adorai posted:

VDI only, that way the laptop is useless to steal company data.

VDI's only an option with relatively robust remote internet connectivity...not saying that's the case here, but if he's working with people that are in the field (literally) VDI may not be an option.

Thanks Ants
May 21, 2004

#essereFerrari


I have never understood VDI with laptops. I think HP made a laptop thin client a while back that didn't have a 3G/4G modem in, which seemed completely pointless to me.

Dans Macabre
Apr 24, 2004


adorai posted:

Give him a second alias and set the reply to address to that. Make a mailbox rule to match messages sent to the secondary reply to address. Jasshole@ vs j.rear end in a top hat@.

nice yeah I should just set the reply to

Dans Macabre
Apr 24, 2004


Tots posted:

Hey guys. I have a chance to get into a sysadmin job for ~80 users. As far as I know, I would be the only one there although I've been told there's budget for temporary consultants if I need help with something. This is for a new contract in a new building and I'd basically be setting things up from the ground up. Nothing is in place yet. No domain, no ticketing system, etc. Does this sound like a good opportunity or a death wish?

for 80 staff you can limp along with 1 sysadmin and 1 helpdesk bro.

are you going to be expected to do other "IT stuff" such as writing sql queries for people, or do they understand that's a third hire

Rhymenoserous
May 23, 2008

Thanks Ants posted:

I have never understood VDI with laptops. I think HP made a laptop thin client a while back that didn't have a 3G/4G modem in, which seemed completely pointless to me.

Eh. We opted out of that crap because verizon wants an extra line fee. They already have smartphones, we'll just tether.

BlueBlazer
Apr 1, 2010

Sheep posted:

"Oh you want $2000 to replace the D-Link consumer APs with two Merakis because the clients are furious that our wireless never works? Not in the budget, maybe next year!

Hey while we're here, the CFO and HR Director need new laptops. What? No you can't use the same cheap Lenovo model we give everyone else. Get them the most whizbang fanciest model HP sells - i7, 16gb of RAM, SSD, ultra HD touchscreen, the works. It's only like $4000 and their perfectly usable current generation laptops just don't cut it for using Outlook and Chrome. Thanks!"

:rolleyes:

Can't fix stupid.

Also your sales suck if they can't get that point across without sounding like a jackass.

Or if you're really smart you order the laptops with less whizbang (they can live with 8 GB and a 120 GB SSD), take the savings and grab some Ubiquitis, and be a hero while sowing discontent that their bosses are morons.


peoplsit.txt

BlueBlazer fucked around with this message at 18:02 on Aug 11, 2015

Sheep
Jul 24, 2003
Yeah, the issue was that company-wide stuff like that demanded approval from the very highest levels of the company, so by the time it got to the people doing approval it had been significantly changed. The good news is that some client threw a fit and I got the go ahead to replace all of our stuff - network equipment, laptops, even the copiers and printers if I so feel like it (I don't), so now my biggest problem is finding time to figure out when I want to fly out to all of our offices and do the installs.

Miracles do happen in small business IT.

McDeth posted:

Yup, to be fair it was a defective unit that was for whatever reason unable to pull the proper config without rebooting, but it still was a pretty big wtf moment to somebody in charge of securing a network with sensitive medical data on it.

I had a similar issue with an AP yesterday, rang up Meraki support and they were like "well this doesn't make sense at all, want us to ship you a new unit?" I told them I'd think on it, eventually wound up messing with the native VLAN assignment on the relevant port and the AP miraculously came to life, updated its configuration and defucked itself so everything's gravy.

Also every MX security appliance we've had delivered so far had the firmware bug where static IP settings don't stick until the thing updates the firmware. The first time it happened was fun, the second time I learned to plug them in at home and update the firmware before driving out to do the install.

So yeah Meraki quality control may leave something to be desired but it's all worth it considering how much less time we have to spend dealing with network BS now.

Sheep fucked around with this message at 18:43 on Aug 11, 2015
