lol this is disgusting

# ? Feb 23, 2020 07:06

The Fool posted: I can't recommend this in any way.

Dirt Road Junglist posted: I know it's been said, but I want to reinforce: holy poo poo no

nexxai posted: Do not, under any circumstances, do this.

Methanar posted:

Collecting for emphasis

# ? Feb 23, 2020 07:15

yeah you want to make sure you roll your own crypto first so you can secure those SAML calls

# ? Feb 23, 2020 20:24

This seems like it should be simple... the parent workstation OU has a GPO applied that sets the wallpaper with BGInfo. However, there are 3 PCs that need a different background. What's the least stupid way to not apply that GPO to certain workstations?

# ? Mar 10, 2020 12:55

Set a GPO override with that setting disabled.

# ? Mar 10, 2020 13:05

Create a security group for the exceptions, add the exceptions to the security group, then go into the Delegation tab for the GPO and click "Advanced". Add the exception security group, allow "Read", deny "Apply group policy". Make sure it's computers in the security group if you're doing computer policy instead of user policy.

# ? Mar 10, 2020 15:25

klosterdev posted: Create a security group for the exceptions, add the exceptions to the security group, then go into the delegation tab for the GPO and click "Advanced". Add the exception security group, allow "Read" deny "Apply group policy".

This is similar to what I do when I get forced to do dumb poo poo like this on selective machines/accounts randomly across our domain. Security Filtering is your friend.

Moey fucked around with this message at 01:09 on Mar 12, 2020

# ? Mar 12, 2020 01:07

Moey posted: This is similar to what I do when I get forced to do dumb poo poo like this on selective machines/accounts randomly across our domain. Security Filtering is your friend.

It's stupid-useful. The other important security filtering method is to only have it apply to people/computers in the security group. Go into the Delegation tab for the GPO and click "Advanced". Add the security group you want the GPO to affect, allow "Read" and allow "Apply group policy", then untick (but don't deny) "Apply group policy" on Authenticated Users, but keep Read. (If you remove Read or Authenticated Users, the GPO will fail to apply.) Remember that the policy still has to be linked to a relevant OU. Once you have both those down it's incredible how much flexibility you have with setting policies as opposed to making a mess of OUs.

# ? Mar 12, 2020 04:41
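The two security-filtering recipes in the last few posts (deny "Apply group policy" to an exception group; allow-list a group and drop Apply from Authenticated Users while keeping Read) as PowerShell. This is an added example, not code from the thread; the GPO and group names are assumptions for illustration. Set-GPPermission handles the allow-list case (and keeps the SYSVOL ACL in sync), but it cannot write Deny ACEs, so the exception case edits the GPO's groupPolicyContainer object directly using the "Apply Group Policy" extended right.

```powershell
# Added example, not from the thread: the two security-filtering recipes
# above as PowerShell, writing the same ACEs GPMC's Delegation > Advanced
# dialog writes. GPO and group names are assumptions for illustration.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# "Apply Group Policy" is an AD extended right with this fixed rights GUID.
$ApplyGroupPolicyGuid = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Set-GpoApplyScope {
    # Allow-list: members of $ApplyGroup get Read + Apply; Authenticated Users
    # keep Read only. Never remove Read from Authenticated Users or the GPO
    # stops being processed at all.
    param(
        [Parameter(Mandatory = $true)][string]$GpoName,
        [Parameter(Mandatory = $true)][string]$ApplyGroup
    )
    Set-GPPermission -Name $GpoName -TargetName $ApplyGroup `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
    # -Replace swaps Authenticated Users' Read+Apply for plain Read.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
}

function Add-GpoApplyDeny {
    # Exception list: $ExceptionGroup gets Allow Read plus Deny Apply.
    # Set-GPPermission cannot write Deny ACEs, so the Deny goes straight onto
    # the GPO's AD object (cn={guid},cn=policies,cn=system,...).
    param(
        [Parameter(Mandatory = $true)][string]$GpoName,
        [Parameter(Mandatory = $true)][string]$ExceptionGroup
    )
    Set-GPPermission -Name $GpoName -TargetName $ExceptionGroup `
        -TargetType Group -PermissionLevel GpoRead | Out-Null
    $gpo    = Get-GPO -Name $GpoName
    $sid    = (Get-ADGroup -Identity $ExceptionGroup).SID
    $path   = "AD:\$($gpo.Path)"
    $acl    = Get-Acl -Path $path
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $deny   = [System.Security.AccessControl.AccessControlType]::Deny
    $ace    = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                         -ArgumentList $sid, $rights, $deny, $ApplyGroupPolicyGuid
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Show-GpoFiltering {
    # Check the result: one row per trustee; Denied = True marks the carve-out.
    param([Parameter(Mandatory = $true)][string]$GpoName)
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
}

# Assumed names: a wallpaper GPO, an apply group and an exception group.
Set-GpoApplyScope -GpoName 'WKS-Wallpaper-BGInfo' -ApplyGroup 'GPO-Wallpaper-Apply'
Add-GpoApplyDeny  -GpoName 'WKS-Wallpaper-BGInfo' -ExceptionGroup 'GPO-Wallpaper-Exceptions'
Show-GpoFiltering -GpoName 'WKS-Wallpaper-BGInfo'
```

For computer-side settings the computer objects go in the groups, and a machine only picks up a new group SID in its token at boot, so reboot the three PCs before expecting the deny to bite; `gpresult /r /scope:computer` then lists the GPO under the denied GPOs with "Security" as the filtering reason.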

Also don't forget about item-level targeting on preference GPOs.

# ? Mar 12, 2020 05:50

Internet Explorer posted: Also don't forget about item level targeting on preference GPOs.

This. Also, you can use info from getadmx.com to convert almost any policy setting to a registry preference. We have over 100k workstations across only 6 OUs and stuff like this always comes in handy.

# ? Mar 12, 2020 06:08

You should be managing security group membership with these features ^ https://www.checkyourlogs.net/gpogpp-control-the-local-administrators-group/

# ? Mar 12, 2020 11:15

How do you enterprise orgs handle shared accounts that could potentially be used to publicly identify an organization? We recently discovered that someone had registered a public GitHub org with our company name, and fortunately it was inactive for so long that GitHub Support is just handing over the org name to us. I'm also squatting on several similar org names for future use if we need them, using naming conventions that mirror our Azure DevOps organizations. One of our cloud architects is requesting that I create an AD service account and use that service account's O365 email address for registering the org instead of a functional mailbox. Can GitHub org ownership be shared across multiple emails/people at a company?

# ? Mar 17, 2020 04:22

Has anyone had issues with 2008 ESU license activation? I have about 500 or so, which we pushed keys to via BigFix. That worked fine for everything with internet access, but then we had to go manual activation for about 200 or so air-gapped servers: slmgr /ipk, /dlv, /atp, and the Microsoft activation site. This suuucked, but was easier than punching holes for VAMT. Now I'm down to 30 that are failing manual activation due to the Software Protection Service, I believe. The fix for that is to disable SPP, run slmgr /upk to remove the license, then reapply the license, then re-enable SPP. The problem is that removes the KMS license also, along with the ESU license. I would just decom the drat things but business needs them 'cause reasons. Moving them to Azure is not an option either. Some are DCs. Has anyone else run into this? Microsoft is not being helpful.

# ? Mar 17, 2020 22:37

Oh, we had that; you can just re-add the KMS key and they should activate. Too late now, but I think you can be a bit more surgical about what keys you're removing to keep from removing the KMS key in the first place, but yeah, MS support just tells you to flatten the keys because they dgaf. Exact same thing happened to us with our air-gapped systems.

# ? Mar 18, 2020 02:42
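The "more surgical" removal above depends on knowing which key slot is which. This is an added example, not from the thread: it lists every product key slot the Software Protection Service holds, via the SoftwareLicensingProduct WMI class that exists on 2008 and 2008 R2, so the ESU add-on's Activation ID can be read off and passed to slmgr on its own instead of flattening everything. The KMS client slot is recognised by the VOLUME_KMSCLIENT channel in its description; the ESU add-on shows up as its own entry. Whether `/upk <Activation ID>` behaves as documented on a given 2008 build is something to confirm on a nonprod box first, as the poster planned.

```powershell
# Added example, not from the thread: enumerate the product key slots the
# Software Protection Service holds so the ESU add-on's Activation ID can be
# targeted on its own. Uses the WMI provider present on 2008/R2 and
# PowerShell 2.0 syntax; no output from a real host is reproduced here.
function Get-SlpLicense {
    # LicenseStatus codes as documented for SoftwareLicensingProduct.
    $statusName = @{
        0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace'
        4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace'
    }
    # Only slots that actually have a key installed are interesting.
    Get-WmiObject -Class SoftwareLicensingProduct |
        Where-Object { $_.PartialProductKey } |
        ForEach-Object {
            New-Object PSObject -Property @{
                ActivationID      = $_.ID
                Name              = $_.Name
                Description       = $_.Description
                PartialProductKey = $_.PartialProductKey
                Status            = $statusName[[int]$_.LicenseStatus]
                IsKmsClient       = ($_.Description -match 'KMSCLIENT')
                KmsHost           = $_.KeyManagementServiceMachine
            }
        }
}

Get-SlpLicense | Sort-Object IsKmsClient |
    Format-Table ActivationID, PartialProductKey, Status, IsKmsClient, Name -AutoSize -Wrap

# With the ESU Activation ID in hand, slmgr.vbs takes it as an argument so
# only that slot is touched and the KMS client key stays put (per Microsoft's
# slmgr documentation; confirm on a nonprod box first):
#   cscript //nologo %windir%\System32\slmgr.vbs /upk <ESU Activation ID>
#   cscript //nologo %windir%\System32\slmgr.vbs /ipk <ESU key>
#   cscript //nologo %windir%\System32\slmgr.vbs /atp <Confirmation ID> <ESU Activation ID>
#   cscript //nologo %windir%\System32\slmgr.vbs /dlv <ESU Activation ID>
```

Run the listing again after `/atp` and check that the ESU entry reads Licensed and the KMS client entry still reports its KmsHost; if the KMS entry is gone, that is the case the thread describes and the KMS client key has to go back on with `/ipk` before `/ato`.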

FISHMANPET posted: Oh we had that, you can just readd the KMS key and they should activate. Too late now but I think you can be a bit more surgical about what keys you're removing to keep from removing the KMS key in the first place, but yeah MS support just tells you to flatten the keys because they dgaf. Exact same thing happened to us with our air gapped systems.

Awesome, thanks. I will try a few nonprods tomorrow. The prod servers will be interesting, as mgmt put a change blackout in place due to Corona.

# ? Mar 18, 2020 08:00

Yeah, we learned the hard way: ours lost activation when they rebooted for patches over the weekend, and they're for processing credit card transactions for the parking system, and we're a campus that has events on the weekend... Glad I wasn't on call that weekend!

# ? Mar 18, 2020 14:40

Has anyone run into Office 2019 installs that get flagged by tools like Nessus as being out of date, even though Click-to-Run is showing the latest build number? Some of my machines are being reported as having unpatched DLLs in the install path, but Click-to-Run is showing everything is up to date.

# ? Mar 20, 2020 23:26

I don't know exactly how Nessus does its scans or what its detection methods are, but the move to cumulative patching has broken a lot of things. We use Rapid7 InsightVM and have had false positives for older vulnerabilities because the client didn't have the specific KB for the Office vulnerability installed but did have the latest cumulative update installed, which means it was actually patched. Rapid7 fixed their definitions and the vulnerability went away. So maybe Nessus is doing something like that? Does it give you specific advice on what you need to do to remediate the specific vulnerabilities it's finding?

# ? Mar 20, 2020 23:43

Aren't Office patches rolled out in groups of some kind as well? Perhaps Nessus is looking for a patch not available to you yet?

# ? Mar 21, 2020 08:08

I'm sorry to poo poo up the thread with non-content, but I loving hate Nessus. I keep getting screamed at by management for "old vulnerabilities," but they're basing that on the datestamp the vuln was reported, not the datestamp the vuln was detected on that specific host. Yeah, that .NET poo poo on a specific version was called out sometime in 2004, but the user in question installed a vulnerable old version of .NET three weeks ago, so no, no one is going to go to Business Insider and scream that our company has an unpatched vuln that's 16 years old.

# ? Mar 21, 2020 10:19

We proved to the Nessus developers that it is poo poo in regards to superseded patches. We use BigFix to deploy, which drops relevance on older patches when a patch is superseded, i.e. the Feb patch supersedes Jan. This went on for like 6 months with Spectre/Meltdown. Nessus was still calling out a Jan patch even though the Feb roll-up would supersede it. So we were compliant on BigFix reports but vuln on Nessus. Their reasoning was that Nessus looks at the reg key vs. installed KB. So even if a later KB was installed, if the prior patch's reg fix wasn't applied then it was still vulnerable. Also we have Tanium in the mix because why the gently caress not.

# ? Mar 21, 2020 17:53
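The BigFix behaviour described above (a finding for an older patch is dropped once an installed later patch supersedes it) is the reconciliation step a scanner like Nessus skips when it keys on a per-KB registry marker. This is an added example, not from the thread, showing that step in PowerShell: walk a supersedence map from the "missing" KB until an installed KB is reached, and report what covers it. The KB numbers and the map are constructed for illustration, not real supersedence data; feed it the catalog or WSUS supersedence you trust, and the installed list from Get-HotFix. It does not help with the Office Click-to-Run case later in the thread, where the scanner is keying on DLL versions rather than KBs.

```powershell
# Added example, not from the thread: reconcile a scanner's "missing KB" list
# against installed updates, following supersedence so a KB covered by a later
# cumulative update is reported as covered rather than missing.
function Test-KbCovered {
    param(
        [Parameter(Mandatory = $true)][string]$MissingKb,
        [Parameter(Mandatory = $true)][string[]]$InstalledKbs,
        [Parameter(Mandatory = $true)][hashtable]$SupersededBy   # KB -> KBs that supersede it
    )
    # Breadth-first walk of the supersedence chain, guarding against cycles.
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($MissingKb)
    while ($queue.Count -gt 0) {
        $kb = $queue.Dequeue()
        if ($seen.ContainsKey($kb)) { continue }
        $seen[$kb] = $true
        if ($InstalledKbs -contains $kb) {
            return New-Object PSObject -Property @{ Kb = $MissingKb; Covered = $true; CoveredBy = $kb }
        }
        foreach ($next in @($SupersededBy[$kb])) {
            if ($next) { $queue.Enqueue($next) }
        }
    }
    New-Object PSObject -Property @{ Kb = $MissingKb; Covered = $false; CoveredBy = $null }
}

# Constructed sample map (not real KB data): a Jan rollup superseded by Feb,
# which is in turn superseded by Mar.
$supersededBy = @{
    'KB4000001' = @('KB4000002')
    'KB4000002' = @('KB4000003')
}

# Constructed stand-in for a host with the Mar rollup installed. On a real
# host use: $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$installed = @('KB4000003', 'KB4000010')

# Constructed stand-in for the scanner's "missing" findings.
$scannerSaysMissing = @('KB4000001', 'KB4000002', 'KB4000099')

$scannerSaysMissing |
    ForEach-Object { Test-KbCovered -MissingKb $_ -InstalledKbs $installed -SupersededBy $supersededBy } |
    Format-Table Kb, Covered, CoveredBy -AutoSize
```

With the constructed data, KB4000001 and KB4000002 come back covered by KB4000003 and KB4000099 stays a genuine gap, which is the split you want to hand back to whoever is reading the scanner report: findings that are closed by supersedence versus findings that still need a patch.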

Meydey posted: We proved to the Nessus developers that it is poo poo in regards to superseded patches. We use Bigfix to deploy, which drops relevance on older patches when a patch is superseded, ie Feb patch supersedes Jan. This went on for like 6 months with Spectre/Meltdown. Nessus was still calling out a Jan patch even though Feb roll-up would supersede it. So we were compliant on Bigfix reports but vuln on Nessus.

...are we co-workers?

# ? Mar 21, 2020 18:13

In this case, Nessus is flagging DLL versions in the Office install path. I have seen cases of what you're talking about, where Nessus just needs its supersedence info updated, but this isn't looking like one of those cases. Nessus is telling me to install KB patches, but when you run them they say they're not needed, or not applicable to the installed software. I'm honestly not sure what to think. On the one hand Office is telling me it's up to date; on the other, I'm seeing file versions that are being flagged as vulnerable on their own loving website. gently caress Click-to-Run.

# ? Mar 22, 2020 19:01

We're now using MS Teams due to the coronavirus pandemic. We're using the web-based version and not the installed version (that installer is all kinds of hosed up). Users are stating that when they hold meetings with multiple participants, they can each only see one other person at a time. They can choose which person they see by clicking on the participant name, but they get one and that's it. Is it possible to get the whole Zoom-style grid with all participants visible, where everybody sees everybody else all at the same time?

# ? Mar 25, 2020 22:38

Not sure about the web version, but that definitely works on the client version; gently caress, it works on the mobile version with at least 4 people. What is your beef with the installer?

# ? Mar 25, 2020 23:05

MF_James posted: What is your beef with the installer?

If you run it, it seems like most times you end up with Microsoft Teams on your computer. sorry... sorry...

# ? Mar 25, 2020 23:51

MF_James posted: Not sure about on the web version but that definitely works on the client version, gently caress it works on the mobile version with at least 4 people.

MS has not made a per-machine installer; it's only per-user and doesn't really get installed (into AppData) until the user logs in. But we have a software restriction policy that blocks this. Of course there are ways around this, but they tend to be somewhat cumbersome, or reduce the security posture of the machine. Then there's the issue of it installing for every user that logs into the machine and eating up roughly 300 MB per installation. Not a big deal when it's one user, but we have machines that have a couple dozen users sign in over the course of a month. Again, neither of these are insurmountable problems, but the web version has none of these issues so...

# ? Mar 26, 2020 00:10

There is a machine-wide installer. But it just bootstraps the user installer for any user that logs in to the machine.

# ? Mar 26, 2020 00:38

https://docs.microsoft.com/en-us/microsoftteams/msi-deployment

# ? Mar 27, 2020 13:34

They're so determined to make it live in userland that all that MSI does is install into the profile of everybody that logs on. Which may or may not get around that app restriction policy. But you said that and the space issue were surmountable, whereas "no grid in webview" may be insurmountable, so you'll have to pick your poison.

# ? Mar 27, 2020 22:50

# ? Mar 27, 2020 23:18

Teams actually does have an option for a proper system install now, but it's intended for VDI environments. The downside is that it has no update functionality in this mode, so you have to push out a new .msi for every update. It also doesn't seem to save certain settings like dark mode.

code:

# ? Mar 28, 2020 00:01

Thanks. I'll check that out. This is really not critical; some users were just clamoring for it because they saw that Zoom has it. The CEO stepped in and decided that it's not critical, so it's a non-issue now. I'll still check out that link just in case this rears its head again (lol it will).

# ? Mar 28, 2020 00:33

While we're on the subject of video conferencing apps, I've got a weird Webex issue. A few times a day, the Windows client will launch itself for no apparent reason. I'm not seeing anything in the event logs, nor does there appear to be a scheduled task launching it. Anyone else run into this?

# ? Mar 28, 2020 00:47

I haven't heard of that, and we've just deployed it to 300 users. Maybe reinstall?

# ? Mar 28, 2020 00:48

GreenNight posted: I haven't heard of that and we've just deployed it to 300 users. Maybe re-install?

I'm not opposed to reinstalling if I stay stumped, but I'm hoping I can figure out what the gently caress first. I mean, the app isn't running when this happens, so something is starting it.

# ? Mar 28, 2020 00:54

Mr. Clark2 posted: We're now using MS Teams due to the coronavirus pandemic. We're using the web-based version and not the installed version (that installer is all kinds of hosed up). Users are stating that when they hold meetings with multiple participants, they can each only see 1 other person at a time. They can choose which person they see by clicking on the participant name, but they get one and that's it.

Mr. Clark2 posted: MS has not made a per-machine installer, it's only per-user and doesn't really get installed (into AppData) until the user logs in. But...we have a software restriction policy that blocks this. Of course there are ways around this, but they tend to be somewhat cumbersome, or reduce the security posture of the machine. Then there's the issue of it installing for every user that logs into the machine and eating up roughly 300mb per installation. Not a big deal when it's one user, but we have machines that have a couple dozen users sign in over the course of a month.

FISHMANPET posted: They're so determined to make it live in userland that all that MSI does is install into the profile of everybody that logs on. Which may or may not get around that app restriction policy. But you said that and the space issue were surmountable, whereas "no grid in webview" may be insurmountable so you'll have to pick your poison.

FRINGE fucked around with this message at 06:03 on Mar 28, 2020

# ? Mar 28, 2020 05:59

My school board is warning that our Windows devices will time out of service if they go 60 days without connecting to the network at school. Normally this isn't an issue, but we've all been barred from entering our schools with no particular end in sight. Any quick and dirty VPN hacks to allow device 'check-in'?

# ? Apr 9, 2020 19:14

You can't sit in the parking lot and reach wifi?

# ? Apr 9, 2020 19:27

Newf posted: Any quick and dirty VPN hacks to allow device 'check in'?

um, just being connected to the VPN doesn't do it?

# ? Apr 9, 2020 19:31