thebigcow
Jan 3, 2001

Bully!
You really need a better workflow instead of a technical solution, but you probably already know that.

Can you whip up something with Get-SmbOpenFile ?

Killer Low Life
Sep 6, 2010

Got a situation I need some Windows/Linux expertise on:

Brought in to work on a network at a game studio. There are ~30-odd computers here, none of them are on a domain (some wild west cowboy poo poo I know). Mostly Windows machines but there's a pair of Ubuntu servers set up with Samba for LDAP services.

I'm getting AD set up immediately (why that wasn't done first I have no clue) but my main question is how well will Windows Server jive with the Samba boxes. Is there any good documentation out there I can read? I've already gotten started on some searching but I want to make sure I'm not wasting precious time here.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Killer Low Life posted:

Got a situation I need some Windows/Linux expertise on:

Brought in to work on a network at a game studio. There are ~30-odd computers here, none of them are on a domain (some wild west cowboy poo poo I know). Mostly Windows machines but there's a pair of Ubuntu servers set up with Samba for LDAP services.

I'm getting AD set up immediately (why that wasn't done first I have no clue) but my main question is how well will Windows Server jive with the Samba boxes. Is there any good documentation out there I can read? I've already gotten started on some searching but I want to make sure I'm not wasting precious time here.
These days you can totally run a Samba server as a domain controller, is that what they're doing? If it turns out that Samba isn't being used for user and computer authentication, what is it using LDAP for?

Killer Low Life
Sep 6, 2010

anthonypants posted:

These days you can totally run a Samba server as a domain controller, is that what they're doing? If it turns out that Samba isn't being used for user and computer authentication, what is it using LDAP for?

I know that it can run as a DC, but given a lack of time and the urgency of the situation, I was trying to avoid messing around with things that I'm not as well-versed in. My first instinct was that I can at least get an evaluation copy of WinSrv, get that up quick, get everyone plugged in and running and then deal with compliance and licensing later. I will more than likely get budget for it but not until next month.

I would like to keep the DC on Windows, as it's a dev studio we (mostly) need to be working on Windows machines. I haven't talked with the CTO about the LDAP thing in detail but the general rub is they're using it to store game builds, assets, or something along those lines. To clarify, I would like to tie those Ubuntu boxes in to the AD forest without too big of an interruption to the production team, and Samba was installed but not implemented yet(?). I've worked with Linux and I'm comfortable with the basics, but in a scenario like this time is of the essence and I need to clean up this mess ASAP without wasting too much time reading documentation on a system I've encountered for the first time.

Killer Low Life fucked around with this message at 21:21 on Oct 28, 2016

Riso
Oct 11, 2008

by merry exmarx
They're storing data in LDAP, what?

You need to know exactly what they are doing before you touch anything because that sounds like a terrible disaster waiting to happen.

angry armadillo
Jul 26, 2010

wyoak posted:

Computer accounts are pretty much the same thing as user accounts under the covers. Couple reasons people like service accounts though: as you ran into, if the computer goes away, permissions do too. Also, if you stand up another instance of Software 2, you don't have to add more permissions to Software 1's server. More importantly, from a security standpoint, a locked down service account is better - if that service is owned, they don't necessarily own the server since they'll be in that account's context, which hopefully doesn't have rights to anything else. If a service running as LocalSystem is compromised, they've got full access to the box.

Thanks. I'm pleased I haven't opened a gaping hole in the side of my server and it's mainly a matter of housekeeping in terms of making life easier if the server was ever decommissioned and upgraded in the future.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
Spun up a new domain controller for a new site this weekend, and the Best Practices Analyzer for the DNS role is complaining that the _msdcs.companyname.local zone is missing. It's replicated from my other domain controllers fine, and as far as I can tell nothing is broken. I've checked the BPA on my other DCs and it's also throwing this error. All the resolutions I can see from Google are telling me to delete this folder and then create a brand new delegation with the same name, but that seems like a potentially dangerous thing to do, and like I said, things seem to be working fine.

Is it safe to make this change, or should I just leave it alone and ignore this "error"?

milk milk lemonade
Jul 29, 2016
Maybe I'm stupid, but I don't ever use Best Practices Analyzer.

Unrelated, anyone running IPAM on a 2012 R2 server? Is it any good? Would it be useful in a single domain with ~14 subnets? Even if I don't "need" it, is it a worthwhile thing to play around with?

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
Just being able to dump some important data into a SQL database for auditing purposes should be enough to deploy. I'd like to know what is connecting to where, or asking for DHCP addresses.

Vargatron
Apr 19, 2008

MRAZZLE DAZZLE


I'm having a weird issue with connection to a physical domain controller (Windows Server 2012 R2) in my environment using Remote Desktop Connection. I tried logging in using the RDC client yesterday and it will go through the connection cycle and then immediately return me to the RDC application without displaying the server desktop. This is strange because I was able to access this server remotely last Thursday and we didn't commit any changes since that time. The only thing we changed on the server was the installation of a hotfix that was supposed to resolve duplicate SPN error messages, which was done last Tuesday and we were able to log into the server without issues immediately following the hotfix application.

I have tried to do the following:
- Restart the server.
- Verified that Remote Desktop is enabled in the server configuration pane and validated that all appropriate users are added into the authorized RDP group.
- Validated that all Remote Desktop services are running, including Remote Host Connection Manager. No dice on that.
- Validated physical network connectivity as well as TCP/IP and DNS functionality. We can ping this server by both IP and domain name without issues.
- Verified that the RDP port (3389) is open and listening on the domain controller.
- Attempted to connect with an RDP client opened using the -admin switch.

We can connect to this server using the SCCM console, but I believe that uses a different protocol than RDP. I'm not sure what I'm missing on this. I've run through every check I know to make and Google didn't provide any new insights other than validating that the services and ports are open. Am I missing anything obvious or should I turn to an external consultant to have this looked at?

Potato Salad
Oct 23, 2014

nobody cares


:sigh:

I have a client whose lovely line of business app needs IE10. Microsoft has either purged all copies of their IE10 MSUs and exe installers or my Google-Fu is not strong. I don't keep a loving IE10 installer around, and I'd like to push this out over PSADT+SCCM.

Any of you know where to find the IE10 installer, or have it sitting on your Lump O' Software somewhere? AMD64

e - never mind, got an installer off a semi-reputable site with a checksum matching retail

Potato Salad fucked around with this message at 14:09 on Nov 1, 2016

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Potato Salad posted:

:sigh:

I have a client whose lovely line of business app needs IE10. Microsoft has either purged all copies of their IE10 MSUs and exe installers or my Google-Fu is not strong. I don't keep a loving IE10 installer around, and I'd like to push this out over PSADT+SCCM.

Any of you know where to find the IE10 installer, or have it sitting on your Lump O' Software somewhere? AMD64

e - never mind, got an installer off a semi-reputable site with a checksum matching retail
Is there anything in the update catalog under KB2718695?

Potato Salad
Oct 23, 2014

nobody cares


Some background makes it a wee bit more difficult than can be afforded than that. Got it working, though.


Unrelated note: I just two minutes ago received the largest promotion of my career thus far (50+%), due in no small part to loving around with SCCM for the last few years.

Potato Salad
Oct 23, 2014

nobody cares


I need to go lie down.

Also, is it sad that the first thing I do is text my wife, but then the second thing I do is post on an internet forum?

CLAM DOWN
Feb 13, 2007




SCCM is a goldmine for career advancement because no one wants to deal with that poo poo anymore so you're a rare find, grats

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

I built imaging on SCCM but can't give enough of a gently caress to learn the rest.

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.

CLAM DOWN posted:

SCCM is a goldmine for career advancement because no one wants to deal with that poo poo anymore so you're a rare find, grats

Depends on how much you enjoy packaging, data analytics, etc. It's great for that.

I could probably move somewhere else making a ton of money being "the SCCM guy" but I'm not sure I'd ever want to be 100% focused on just the product. That said, it can do a million different things.

All the MDM stuff for Windows Phone on the SCCM exam is hilarious.

MC Fruit Stripe
Nov 26, 2002

around and around we go
50%? God drat.

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.
Imaging is basically magic to management. And if you're a guy that can implement configuration baselines? Hooboy.

Extremely Penetrated
Aug 8, 2004
Hail Spwwttag.

Vargatron posted:

I'm having a weird issue with connection to a physical domain controller (Windows Server 2012 R2) in my environment using Remote Desktop Connection. I tried logging in using the RDC client yesterday and it will go through the connection cycle and then immediately return me to the RDC application without displaying the server desktop.

...

We can connect to this server using the SCCM console, but I believe that uses a different protocol than RDP.

SCCM uses RDP for the guts of it, but it has its own control protocol for building the session. The logon session type is Console (like physically logging in) rather than RDP-Tcp#. I'd check the System log for WS-Management errors, and Security events 4624, 4625 for audit failures on Logon Type: 10 (RemoteInteractive). Hopefully a clue will be in there.
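One way to pull exactly the two things suggested above from the affected server, as an added example (my code, not the poster's); it assumes an elevated PowerShell session on the DC, and the `$Hours` window is my own parameter:

```powershell
# Added example, not from the thread: gather the WS-Management errors and the
# Logon Type 10 (RemoteInteractive = RDP) logon events the post above points at.
# Run elevated on the domain controller; $Hours is an assumed parameter.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

# 1. WS-Management (WinRM) errors in the System log. Level 2 = Error.
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-WinRM'; Level = 2; StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 2. Security 4624 (success) / 4625 (failure), keeping only Logon Type 10.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> pairs into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['LogonType'] -ne '10') { return }   # skip console, network and service logons
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Result    = if ($_.Id -eq 4624) { 'success' } else { 'FAILURE' }
            User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            SourceIp  = $data['IpAddress']
            Status    = $data['Status']      # present on 4625 only
            SubStatus = $data['SubStatus']   # 4625 detail, e.g. 0xC000006A is a wrong password
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

A session that authenticates (4624, type 10) and then drops you straight back to the client points away from credentials and towards the session setup itself, so no 4625 at all is also a useful result.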

Vargatron
Apr 19, 2008

MRAZZLE DAZZLE


Extremely Penetrated posted:

SCCM uses RDP for the guts of it, but it has its own control protocol for building the session. The logon session type is Console (like physically logging in) rather than RDP-Tcp#. I'd check the System log for WS-Management errors, and Security events 4624, 4625 for audit failures on Logon Type: 10 (RemoteInteractive). Hopefully a clue will be in there.

Consultant recommended we copy over the RDP related DLLs from a server that works, but I'll follow your suggestions prior to doing that. Thanks for the input.

Eschatos
Apr 10, 2013


pictured: Big Cum's Most Monstrous Ambassador
Is it at all possible to deploy wireless network settings (SSID/password/etc.) via group policy? I found how to do so with a non-passworded network, but that's not too useful.

thebigcow
Jan 3, 2001

Bully!

Eschatos posted:

Is it at all possible to deploy wireless network settings (SSID/password/etc.) via group policy? I found how to do so with a non-passworded network, but that's not too useful.

If your network is WPA2-PSK I don't know of anything, other than maybe running some kind of script.

Is Windows Connect Now still in Windows 10? It was a way to save Wi-Fi settings on a USB drive. https://technet.microsoft.com/en-us/library/ff723781.aspx

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from

Eschatos posted:

Is it at all possible to deploy wireless network settings (SSID/password/etc.) via group policy? I found how to do so with a non-passworded network, but that's not too useful.

No passwords in GPOs because Microsoft published the AES key used to encrypt them.

If you want to push a secure wireless network out via GPO try setting up an 802.1X authenticated network so it's done via AD computer and user account.
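A quick way to check whether any preference items with stored passwords are already sitting in SYSVOL, as an added example (my code, not hihifellow's); it assumes a domain-joined machine that can read SYSVOL and reports only where such items are, never the value:

```powershell
# Added example, not from the thread: audit SYSVOL for Group Policy Preference
# items that still carry a 'cpassword' attribute (a password stored with the
# published key). Assumes a domain-joined machine; $env:USERDNSDOMAIN is the
# domain to scan. SYSVOL is readable by every domain user, which is why this matters.
$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"
# Preference files that can hold cpassword, and the attribute naming the account in each.
$files       = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
$accountAttr = 'userName', 'accountName', 'runAs', 'username'

Get-ChildItem -Path $policies -Recurse -Include $files -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path    = $_.FullName
        $gpoGuid = if ($path -match '\\Policies\\(\{[0-9A-Fa-f-]+\})\\') { $Matches[1] } else { '?' }
        try { [xml]$xml = Get-Content -Path $path -Raw -ErrorAction Stop } catch { return }
        foreach ($node in $xml.SelectNodes('//*[@cpassword]')) {
            # First account-naming attribute that is actually set on this element.
            $who = @($accountAttr | ForEach-Object { $node.GetAttribute($_) } | Where-Object { $_ })[0]
            [pscustomobject]@{
                GpoGuid  = $gpoGuid
                File     = $path
                Item     = $node.ParentNode.LocalName   # e.g. User, NTService, Task, Drive
                Account  = $who
                Modified = $_.LastWriteTime
            }
        }
    } | Format-Table -AutoSize
```

Anything this lists should be removed from the GPO and the affected account's password changed, since the stored value has to be treated as already disclosed.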

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Yeah we set up a RADIUS server for wireless authentication and push that out via GPO. Works pretty drat good, better than I expected.

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


It's Patch Tuesday and it looks like we've got a root level RCE in the font renderer again (surprise!!!) with an active exploit:

https://technet.microsoft.com/en-us/library/security/MS16-132

Time to start patching.

CLAM DOWN
Feb 13, 2007




Number19 posted:

It's Patch Tuesday and it looks like we've got a root level RCE in the font renderer again (surprise!!!) with an active exploit:

https://technet.microsoft.com/en-us/library/security/MS16-132

Time to start patching.

¯\_(ツ)_/¯

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


CLAM DOWN posted:

¯\_(ツ)_/¯

:same:

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.
Something in last month's security patches caused Bitlocker to prompt our users for a password until a Suspend/Resume was done (on like 50 of 500 laptops), so this next month should be fun.

Eschatos
Apr 10, 2013


pictured: Big Cum's Most Monstrous Ambassador
drat. I realize it's not secure by any stretch of the imagination, but until we can move to 802.1X anyone can get the password anyway by opening up the network properties and checking the Show Characters box. Security practices are not the best here. I guess the way to do it would be to export the wireless configuration from a working computer, set up a GPO to save the .xml file on every relevant computer, and have a batch script import it on each computer.

lol internet.
Sep 4, 2007
the internet makes you stupid
Question about DNS

Does a record TTL trickle down from the authoritative server? (i.e. if contoso.com's authoritative TTL was 5 mins and my local AD DNS server caches the record, will it remain 5 mins or does the local AD DNS (non-authoritative) use a different TTL?)

I assume no but I wasn't able to find any Google responses on this and I'm a bit lazy to go through the RFC.

SEKCobra
Feb 28, 2011

Hi
:saddowns: Don't look at my site :saddowns:

lol internet. posted:

Question about DNS

Does a record TTL trickle down from the authoritative server? (i.e. if contoso.com's authoritative TTL was 5 mins and my local AD DNS server caches the record, will it remain 5 mins or does the local AD DNS (non-authoritative) use a different TTL?)

I assume no but I wasn't able to find any Google responses on this and I'm a bit lazy to go through the RFC.

The TTL is told to the next guy and he's responsible for deleting the cached version.

Docjowles
Apr 9, 2009

The normal case is that the local caching server just passes along whatever the authoritative one returned. And then caches that response so it can respond to local clients more quickly, until the TTL expires and it has to revalidate.

But as usual, "it depends". Some DNS resolvers allow you to ignore the authoritative server's TTL and do whatever you want. So you cannot 100% assume that behavior. I don't know offhand if Windows DNS has that option.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Docjowles posted:

The normal case is that the local caching server just passes along whatever the authoritative one returned. And then caches that response so it can respond to local clients more quickly, until the TTL expires and it has to revalidate.

But as usual, "it depends". Some DNS resolvers allow you to ignore the authoritative server's TTL and do whatever you want. So you cannot 100% assume that behavior. I don't know offhand if Windows DNS has that option.
A good example for the "it depends" answer is sometimes half the TTL is used.
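The behaviour the last two posts describe, as an added example (my code, not from the thread): a toy cache that stores each answer with an absolute expiry and hands clients the time left, with a `$MaxTtl` knob standing in for a resolver that overrides the authoritative TTL. The contoso.com record and its address are constructed values:

```powershell
# Added example, not from the thread: what a caching resolver does with an upstream TTL.
# Answers are stored with an absolute expiry; a client is told the remaining lifetime,
# not the authoritative TTL. $MaxTtl models a resolver configured to cap/ignore the
# upstream TTL, which is the "it depends" case above.
$script:Cache = @{}

function Set-CachedAnswer {
    param([string]$Name, [string]$Value, [int]$AuthoritativeTtl, [datetime]$Now, [int]$MaxTtl = 0)
    $ttl = if ($MaxTtl -gt 0 -and $AuthoritativeTtl -gt $MaxTtl) { $MaxTtl } else { $AuthoritativeTtl }
    $script:Cache[$Name.ToLower()] = @{ Value = $Value; Expires = $Now.AddSeconds($ttl) }
}

function Get-CachedAnswer {
    param([string]$Name, [datetime]$Now)
    $entry = $script:Cache[$Name.ToLower()]
    if (-not $entry -or $entry.Expires -le $Now) { return $null }   # expired: must re-query upstream
    # The TTL passed down is whatever lifetime is left, rounded down to whole seconds.
    [pscustomobject]@{
        Name  = $Name
        Value = $entry.Value
        Ttl   = [int][math]::Floor(($entry.Expires - $Now).TotalSeconds)
    }
}

# Constructed record from the question: authoritative TTL of 5 minutes, cached at $t0.
$t0 = Get-Date '2016-11-01T10:00:00'
Set-CachedAnswer -Name 'contoso.com' -Value '203.0.113.10' -AuthoritativeTtl 300 -Now $t0
Get-CachedAnswer 'contoso.com' -Now $t0                   # asked at once: the full TTL remains
Get-CachedAnswer 'contoso.com' -Now $t0.AddSeconds(120)   # two minutes later: only the remainder
Get-CachedAnswer 'contoso.com' -Now $t0.AddSeconds(300)   # at expiry: nothing, revalidate upstream

# Same record on a resolver configured with a 60 second cap: the authoritative TTL is ignored.
Set-CachedAnswer -Name 'contoso.com' -Value '203.0.113.10' -AuthoritativeTtl 300 -Now $t0 -MaxTtl 60
Get-CachedAnswer 'contoso.com' -Now $t0
```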

lol internet.
Sep 4, 2007
the internet makes you stupid
edit: wait, never mind!

PUBLIC TOILET
Jun 13, 2009

Could you configure your Wi-Fi network to use a certificate-based authentication and push the certificate to workstations with Group Policy?

stubblyhead
Sep 13, 2007

That is treason, Johnny!

Fun Shoe
I'm having some trouble getting some things to happen in Windows using Chef, but I'm reasonably sure it's something to do with my VM template causing it (everything works perfectly in my local testbed, but blows up when using our internal VMware infrastructure).

I'm installing some software that requires a few Windows features to be installed, namely .NET 3.5 and the SNMP service. If I let Chef handle everything it bombs out adding the features, complaining that it can't find the installation sources, but if I install them manually through the wizard or with PowerShell, it installs perfectly fine. The interesting part is that if I install something totally unrelated first (telnet client for instance), then the Chef run is successful. Any ideas what might cause this behavior? Chef is just running "Install-WindowsFeature <featurename>" under the covers, so why does it work when I do the same thing myself?

Docjowles
Apr 9, 2009

Sounds like maybe this issue? https://github.com/chef-cookbooks/windows/issues/196

stubblyhead
Sep 13, 2007

That is treason, Johnny!

Fun Shoe
That's possible, thanks for the link. It would figure that the first thing I need to gently caress around with is some stupid edge case like this.

Super Slash
Feb 20, 2006

You rang ?
Is there some kind of information source about best practices for Windows 10 group policies?

I've got some machines which shipped with Windows 10 Pro and need to make them as non-lovely and barebones as possible, so our users don't come up with a million questions about how stuff works. I've done the basic stuff like turn off Cortana, telemetry, security enforcement, but I'm having a hell of a time just setting a company lock/login screen.

Of course the next step is to deploy standard imaging, but I need the budget first.
