FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

FISHMANPET posted:

So, speaking of Hyper-V. I'm doing some testing with DHCP and PXE with some VMs on my work machine. I've got my NIC setup as a "bridged" switch so my VMs are on the same network as my physical machine. I want to be able to sniff all the traffic my VMs are generating with wireshark. I've found lots of information on port-mirroring where I can set a VM as the "source" and another VM as the "destination" and I've even found how to use Hyper-V host as the "source" and a VM as the "destination" but I can't find a way to use a VM as the "source" and the physical NIC as the "destination."

I found this: https://cloudbase.it/hyper-v-promiscuous-mode/
I want the monitormode to be 1 instead of 2, but I can't do that just by changing the number from 2 to 1. I tried the module there and it also failed.

This seems simple but maybe I'm missing something? I basically just want to capture all traffic that touches my virtual switch.

It turns out it was simple. I was using Wireshark against the Hyper-V vEthernet adapter (because this is the adapter that I had a connection through). I ran a command to see which, if any, of my ports were in promiscuous mode (Get-NetAdapter |fl -Property ifAlias,PromiscuousMode) and it showed that my physical Ethernet port was in promiscuous mode. If I point Wireshark at that adapter it sees all the traffic that's passing through the physical adapter. Seems simple and obvious when I put it that way.
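As an added example (not from the post above), a PowerShell query run on the Hyper-V host that ties each external virtual switch to the physical adapter it is bound to, reports whether that adapter is in promiscuous mode, and lists any VM NICs configured as a port-mirroring source or destination, so you know which interface a capture tool should listen on. It uses only the standard Hyper-V and NetAdapter cmdlets.

```powershell
# Added example: which interface should a capture tool listen on?
# Requires the Hyper-V and NetAdapter modules; run elevated on the host.
function Get-CaptureCandidate {
    foreach ($switch in Get-VMSwitch -SwitchType External) {
        # An external switch is bound to one physical (or teamed) adapter;
        # Get-VMSwitch exposes that adapter's interface description.
        $nic = Get-NetAdapter | Where-Object {
            $_.InterfaceDescription -eq $switch.NetAdapterInterfaceDescription
        }
        [pscustomobject]@{
            Switch          = $switch.Name
            PhysicalAdapter = $nic.Name
            InterfaceDesc   = $nic.InterfaceDescription
            Promiscuous     = $nic.PromiscuousMode   # True when the vSwitch has it open
            Status          = $nic.Status
        }
    }
}

# VM NICs that are part of a port-mirroring setup (Source or Destination).
function Get-MirroredVmNic {
    Get-VMNetworkAdapter -VMName * |
        Where-Object { $_.PortMirroringMode -ne 'None' } |
        Select-Object VMName, SwitchName, MacAddress, PortMirroringMode
}

Get-CaptureCandidate | Format-Table -AutoSize
Get-MirroredVmNic    | Format-Table -AutoSize
```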


TK-42-1
Oct 30, 2013

looks like we have a bad transmitter



There are options for content filtering like you want but in my experience they’re through appliances and a pain in the rear end to manage.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Internet Explorer posted:

For a long time many Windows apps wouldn't run without admin rights. Since then, lovely programmers still can't get it right. I have 2 main line of business apps where the vendors tell me that end users need to be local admin. They don't and those vendors are dumb and I have to argue with them every time I need support.

Virtualstore redirects in Vista+ easily fixed 90% of the compatibility issues we had with this. Being sysadmin on an XP/2003 domain without granting your users local admin was a compatibility nightmare because absolutely nobody tested their software and were writing reg keys and files any place you could possibly think of.

H2SO4
Sep 11, 2001

put your money in a log cabin


Buglord

BangersInMyKnickers posted:

Virtualstore redirects in Vista+ easily fixed 90% of the compatibility issues we had with this. Being sysadmin on an XP/2003 domain without granting your users local admin was a compatibility nightmare because absolutely nobody tested their software and were writing reg keys and files any place you could possibly think of.

Fuckin' truth, especially when you add terminal services/Citrix into the mix. I've probably spent months of time in procmon/regmon/etc figuring out what relaxations needed to be made for medical apps.

Internet Explorer
Jun 1, 2005





H2SO4 posted:

Fuckin' truth, especially when you add terminal services/Citrix into the mix. I've probably spent months of time in procmon/regmon/etc figuring out what relaxations needed to be made for medical apps.

Yuuuuup.

Check out RegShot if you haven't already. I lived in RegShot back in the dark days.

https://sourceforge.net/projects/regshot/

ElGroucho
Nov 1, 2005

We already - What about sticking our middle fingers up... That was insane
Fun Shoe
Does anybody have a link to an article (I think it was written by the Scripting Guy) where he had a basic format for all the stuff he puts in a PowerShell script? I lost my link.

H2SO4
Sep 11, 2001

put your money in a log cabin


Buglord

Internet Explorer posted:

Yuuuuup.

Check out RegShot if you haven't already. I lived in RegShot back in the dark days.

https://sourceforge.net/projects/regshot/

oh my god this is fantastic, thank you

Internet Explorer
Jun 1, 2005





H2SO4 posted:

oh my god this is fantastic, thank you

My pleasure. Working with Citrix my whole career has led me to all sorts of fun knowledge (and likely cirrhosis).

orange sky
May 7, 2007

I actually posted this in the IT thread because I thought regshot was talked about there, but it was here after all.

orange sky posted:

Is there a way to run regshot remotely through PowerShell, or any tool similar to it that does the same thing?

Also, what are other cool applications or scripts that you run remotely or would like to run remotely and regularly on every device? I have to come up with cool use cases for my company, already did something with delprof, now I'm looking for more stuff like this. Ideally something that would save you time.

AreWeDrunkYet
Jul 8, 2006

orange sky posted:

I actually posted this in the IT thread because I thought regshot was talked about there, but it was here after all.

Looks like a command line interface for regshot is a years old feature request.

orange sky
May 7, 2007

AreWeDrunkYet posted:

Looks like a command line interface for regshot is a years old feature request.

Yeah I saw that request, from 2013. There could be some secret way to do it though :) I thought you guys might know some other tool that did it.

wolrah
May 8, 2006
what?

orange sky posted:

Yeah I saw that request, from 2013. There could be some secret way to do it though :) I thought you guys might know some other tool that did it.

You could always just run remote registry dumps to .reg files, then diff those with your favorite text diff tool. That's what I did to find where a few obscure settings were stored for a dental application I support so we could preconfigure them through GPOs. Not as fancy as a GUI, but as long as there's not a lot else changing during the time you're looking at it, it's not rocket surgery.
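An added example (not wolrah's or RegShot's code) of the same before/after idea done in PowerShell, which also answers the "remotely" part of orange sky's question: the snapshot function can be shipped to a host with Invoke-Command and the two hashtables diffed locally. The Run key is an assumed sample subtree chosen because it is small and worth watching; any registry path works.

```powershell
# Added example: minimal RegShot-style snapshot and diff of a registry subtree.
function Get-RegistrySnapshot {
    param([string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    $snap = @{}
    # The key itself plus everything below it; unreadable keys are skipped.
    $keys = @(Get-Item -Path $Path -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $snap[$key.Name] = ''   # record the key so added/removed keys show up
        foreach ($valueName in $key.GetValueNames()) {
            # Raw data, REG_EXPAND_SZ left unexpanded so the diff sees what is stored.
            $data = $key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
            $snap["$($key.Name)\$valueName"] = ($data -join ',')
        }
    }
    return $snap
}

function Compare-RegistrySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    $all = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($entry in $all) {
        if (-not $Before.ContainsKey($entry)) {
            [pscustomobject]@{ Change = 'Added';    Entry = $entry; Old = $null;           New = $After[$entry] }
        } elseif (-not $After.ContainsKey($entry)) {
            [pscustomobject]@{ Change = 'Removed';  Entry = $entry; Old = $Before[$entry]; New = $null }
        } elseif ($Before[$entry] -ne $After[$entry]) {
            [pscustomobject]@{ Change = 'Modified'; Entry = $entry; Old = $Before[$entry]; New = $After[$entry] }
        }
    }
}

# Remote usage over WinRM; PC01 is a placeholder host name.
$before = Invoke-Command -ComputerName PC01 -ScriptBlock ${function:Get-RegistrySnapshot}
# ... install or reconfigure the application on PC01 ...
$after  = Invoke-Command -ComputerName PC01 -ScriptBlock ${function:Get-RegistrySnapshot}
Compare-RegistrySnapshot -Before $before -After $after | Format-Table -AutoSize
```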

Spyderizer
Feb 18, 2004
Anyone had any luck with Autopilot in a large enterprise? We've run several projects for smaller customers under 300 seats and they've been pretty smooth.

Some of our overseas colleagues had a go at a larger enterprise that wanted to jump on the co-management, enrol anywhere bandwagon and judging from the 90 minute conference call I just came from, ran into some issues.

Anyone have any good experiences?

buffbus
Nov 19, 2012
We are currently roadblocked because we need to hybrid join and that seems to only work well if the system is built on site. Supposedly we should be able to build offsite with a cert/policy bundle in the near future but for some reason that feature isn’t available yet. 120k seats fwiw but we are still in early poc.

Spyderizer
Feb 18, 2004
Yeah, that's the situation we're facing. The device does actually get on the domain, however there's no way of launching a VPN connection before signing into the desktop, and no way for AAD to handle auth with no dc visibility. The Microsoft dream of enrolling anywhere only works if all your apps can authenticate by SAML and you're not on a shared network.

orange sky
May 7, 2007

Like everything else Microsoft does, it works well on paper or in a perfect environment. Anything else, you're hosed

Zaepho
Oct 31, 2013

I think that it's likely banking on an Always-On VPN (MS has a way of creating Machine Tunnels that come up and only the machine can use that allow it to auth you against AD) or DirectAccess (boy do I loves me some DirectAccess). That being said I'm staying away from AutoPilot for the time being and sticking to the more traditional ConfigMgr OSD for OS deployments.

Thanks Ants
May 21, 2004

#essereFerrari


I think the idea is you AutoPilot enrol and then Intune takes over and handles the Always-On VPN deployment stuff, which gets you back to your DCs

Edit: It looks like this is how they see it working (https://docs.microsoft.com/en-us/intune/windows-autopilot-hybrid) but the VPN support isn't there just yet.

Thanks Ants fucked around with this message at 00:38 on Feb 15, 2019

Potato Salad
Oct 23, 2014

nobody cares


Hybrid enrollment is going to be phased out in the future

I frankly would never recommend autopilot to someone running intune/sccm in a hybrid prem/cloud deployment. Too much work, too finicky, and it's going to die anyway.

I started rolling autopilot with the philosophy that I'm not cramming AP into my deployment and config management environments, I'm refreshing my system management stack to suit AP

Potato Salad fucked around with this message at 13:24 on Feb 15, 2019

Potato Salad
Oct 23, 2014

nobody cares


Thanks Ants posted:

I think the idea is you AutoPilot enrol and then Intune takes over and handles the Always-On VPN deployment stuff, which gets you back to your DCs

Edit: It looks like this is how they see it working (https://docs.microsoft.com/en-us/intune/windows-autopilot-hybrid) but the VPN support isn't there just yet.

This, except use cloud management points for sccm, then deploy whatever your existing vpn solution was :shrug:

Note that hybrid life is made significantly easier when you consider that (not Azure AD) AD domain controllers can be placed in Azure shielded VMs. Point to Site connections work as before.

and start putting your on-prem apps behind Azure WAFs if they aren't modern

Potato Salad fucked around with this message at 13:33 on Feb 15, 2019

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern

Well, here's a weird one that I don't know how to Google...

We fixed up folder permissions to use groups instead of explicit permissions. Now some users can't access the folder despite being part of the group.

We made sure they log out and back in. NTFS permissions are good, Share permissions are set to full control for everyone, the way god intended.

Oddly enough, if you navigate to the folder by IP address it works but not using DNS name. I immediately checked if offline files was enabled since that has hosed me before, but nope.

The first time it happened I figured gently caress that user, their computer is hosed up. It just happened to another person.

Anyone run into something like this before?

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Sounds like DNS. Can you ping the file server via hostname and it gets the correct IP?

The Fool
Oct 16, 2003


snackcakes posted:

Well, here's a weird one that I don't know how to Google...

We fixed up folder permissions to use groups instead of explicit permissions. Now some users can't access the folder despite being part of the group.

We made sure they log out and back in. NTFS permissions are good, Share permissions are set to full control for everyone, the way god intended.

Oddly enough, if you navigate to the folder by IP address it works but not using DNS name. I immediately checked if offline files was enabled since that has hosed me before, but nope.

The first time it happened I figured gently caress that user, their computer is hosed up. It just happened to another person.

Anyone run into something like this before?

When you say DNS name are you using FQDN or just the host name?

As much as I hate the meme, GreenNight is probably right that it is a DNS issue.

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else

snackcakes posted:

Well, here's a weird one that I don't know how to Google...

We fixed up folder permissions to use groups instead of explicit permissions. Now some users can't access the folder despite being part of the group.

We made sure they log out and back in. NTFS permissions are good, Share permissions are set to full control for everyone, the way god intended.

Oddly enough, if you navigate to the folder by IP address it works but not using DNS name. I immediately checked if offline files was enabled since that has hosed me before, but nope.

The first time it happened I figured gently caress that user, their computer is hosed up. It just happened to another person.

Anyone run into something like this before?

As above, this sounds like a DNS thing (jokes aside). Are you using DFS or anything, or just straight shares on a server?

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern

Tried FQDN and hostname. I also thought it was a DNS issue, since it's always DNS, but in this case it does not seem to be.

So you can do \\SERVER\SHARE and get there

If you do \\SERVER\SHARE\FOLDER you get told that you don't have permission

If you do \\IP\SHARE\FOLDER you're golden

Pinging the server by FQDN or hostname returns the same result.

buffbus
Nov 19, 2012
Is it access denied just for accessing the share or is the issue specifically when trying to create a new file/folder? Also, does it work when reading a file by exact path instead of browsing to it?

I don’t work on file servers much these days but vaguely recall there being rights missing for reading extended attributes and for listing folder contents, respectively for the above.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
There is a traverse permission that exists. One other thing that probably doesn't apply but I'll mention it anyway, you can't make multiple connections to a single file server with different connect-as values. So if you're logged in as userA and map a drive to SERVER then try to map another share as userB that will fail. It's a client side thing, so if you make that mapping as UserB to the ip address or a cname it will be fine.

Spyderizer
Feb 18, 2004

Potato Salad posted:

Hybrid enrollment is going to be phased out in the future

I frankly would never recommend autopilot to someone running intune/sccm in a hybrid prem/cloud deployment. Too much work, too finicky, and it's going to die anyway.

I started rolling autopilot with the philosophy that I'm not cramming AP into my deployment and config management environments, I'm refreshing my system management stack to suit AP

What's your strategy for desktop apps that rely on AD, VDI?

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern

buffbus posted:

Is it access denied just for accessing the share or is the issue specifically when trying to create a new file/folder? Also, does it work when reading a file by exact path instead of browsing to it?

I don’t work on file servers much these days but vaguely recall there being rights missing for reading extended attributes and for listing folder contents, respectively for the above.

Access to the share is fine, but accessing a specific folder is denied, unless you browse by IP.

FISHMANPET posted:

There is a traverse permission that exists. One other thing that probably doesn't apply but I'll mention it anyway, you can't make multiple connections to a single file server with different connect-as values. So if you're logged in as userA and map a drive to SERVER then try to map another share as userB that will fail. It's a client side thing, so if you make that mapping as UserB to the ip address or a cname it will be fine.

This gives me an idea, maybe there's something stored in the credential manager. The users have laptops though, so sadly I will have to wait a few days to check for that.

buffbus
Nov 19, 2012
Assuming the intention is for all folders to have the same permissions, you might just reset all access rights down the structure in case there are lingering user-specific denies.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Every day I admin Windows file permissions is how often I miss admining a Novell file server. I don't miss ConsoleOne but man Novell was nice.

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern

buffbus posted:

Assuming the intention is for all folders to have the same permissions, you might just reset all access rights down the structure in case there are lingering user-specific denies.

Unless there's something I deeply do not understand about permissions I don't see how it could be a permissions issue if it works by IP but not DNS name. If it was permissions wouldn't it not work either way?

buffbus
Nov 19, 2012

snackcakes posted:

Unless there's something I deeply do not understand about permissions I don't see how it could be a permissions issue if it works by IP but not DNS name. If it was permissions wouldn't it not work either way?

I’m having trouble finding the tech net thread but there was a bug which involved rights for something which is usually enabled but if not can cause these issues, though in that case the user was just unable to write when accessing via host name. Fairly sure the right was “read extended attributes”.

I know you said offline files were disabled but if this is isolated to a handful of computers it couldn’t hurt to reset the cache just in case.

https://www.technlg.net/windows/delete-offline-files-cache-windows-7/

Spyderizer
Feb 18, 2004

GreenNight posted:

Every day I admin Windows file permissions is how often I miss admining a Novell file server. I don't miss ConsoleOne but man Novell was nice.

Good technology, poo poo tools.

I sometimes wonder if they would have stuck around if they could have made OES pretend it was a domain controller, but still have the Novell features in the back end.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

My one thing that still bugs me is I get requests from a manager to give someone access to a folder 5 levels deep. NO OTHER FOLDER, or access above. In Novell this was easy. Give access to the deep as gently caress folder and it will take care of the rest. In Windows you have to edit permissions on every single parent folder too. PITA.

Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!

GreenNight posted:

My one thing that still bugs me is I get requests from a manager to give someone access to a folder 5 levels deep. NO OTHER FOLDER, or access above. In Novell this was easy. Give access to the deep as gently caress folder and it will take care of the rest. In Windows you have to edit permissions on every single parent folder too. PITA.

I’m not on Windows right now, but don’t you just have to set something like Traverse Folder (CI) on the top folder, then set permissions on the target folder? Don’t all the intermediate folders pick up that permission from the Container Inherit bit? (Admittedly, it would still be more complex, but it’s not every folder.)

Jadus
Sep 11, 2003

GreenNight posted:

My one thing that still bugs me is I get requests from a manager to give someone access to a folder 5 levels deep. NO OTHER FOLDER, or access above. In Novell this was easy. Give access to the deep as gently caress folder and it will take care of the rest. In Windows you have to edit permissions on every single parent folder too. PITA.

I'm reasonably confident that in Windows, if you set the NTFS permission on that 5th level folder only, the user will be able to access it if they have the link to that full path, but they wouldn't be able to traverse from a parent folder. This doesn't require any modifications of the ACL on any of the parents.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Jadus posted:

I'm reasonably confident that in Windows, if you set the NTFS permission on that 5th level folder only, the user will be able to access it if they have the link to that full path, but they wouldn't be able to traverse from a parent folder. This doesn't require any modifications of the ACL on any of the parents.

This is 100% correct but people are babies so being able to walk from the top level folder (which is automapped) down to the 5th level is a requirement.

Edit: I have security groups setup for each top level folder where if a user is in this group they'll see all the folder names but no files in that folder unless they have access.
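An added PowerShell example (not from the thread) of the "walk down from the top-level folder" pattern described above: the group gets ReadAndExecute scoped to "this folder only" on each folder between the share root and the target, and Modify with full inheritance on the target itself. Direct-path access, as Jadus describes, already works without touching the parents because the "Bypass traverse checking" user right is granted to Everyone by default; the per-parent entries exist only so the folder can be browsed to. $Root, $Target and $Group are placeholders.

```powershell
# Added example: grant a group a deep folder and make it browsable from the share
# root without granting rights on the files in the intermediate folders.
# Run elevated (Set-Acl needs WRITE_DAC on each folder). Paths/group are placeholders.
param(
    [string]$Root   = 'D:\Shares\Dept',
    [string]$Target = 'D:\Shares\Dept\Finance\2019\Audit\Q1\Workpapers',
    [string]$Group  = 'CONTOSO\Audit-Q1-RW'
)

function Add-FolderAce {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit
    )
    $acl  = Get-Acl -Path $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Every folder from the target's parent up to and including the share root.
$parents = @()
$dir = Split-Path -Path $Target -Parent
while ($dir) {
    $parents += $dir
    if ($dir.TrimEnd('\') -ieq $Root.TrimEnd('\')) { break }
    $dir = Split-Path -Path $dir -Parent
}
if ($parents[-1].TrimEnd('\') -ine $Root.TrimEnd('\')) {
    throw "$Target is not under $Root"
}

# "This folder only" (no inheritance flags): the group can list the folder and step
# into the next one, but gains no rights on the files inside it (no ObjectInherit).
foreach ($p in $parents) {
    Add-FolderAce -Path $p -Identity $Group -Rights 'ReadAndExecute' -Inherit 'None'
}

# The target: Modify, inherited by every file and subfolder beneath it.
Add-FolderAce -Path $Target -Identity $Group `
    -Rights 'Modify' -Inherit 'ContainerInherit, ObjectInherit'

# Echo what was written, for the change record.
foreach ($p in ($parents + $Target)) {
    (Get-Acl -Path $p).Access |
        Where-Object { $_.IdentityReference -eq $Group } |
        Select-Object @{ n = 'Path'; e = { $p } }, FileSystemRights, InheritanceFlags
}
```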

Sickening
Jul 16, 2007

Black summer was the best summer.

GreenNight posted:

This is 100% correct but people are babies so being able to walk from the top level folder (which is automapped) down to the 5th level is a requirement.

Edit: I have security groups setup for each top level folder where if a user is in this group they'll see all the folder names but no files in that folder unless they have access.

All this could be easily handled if Windows had the network locations feature easily scriptable and covered by Group Policy. The network locations feature is great but so far looks to be completely manual, and that isn't defensible.


Thanks Ants
May 21, 2004

#essereFerrari


You can activate GPOs based on AD site, if that gets you close to what you're after
