|
Bob Morales posted: We have PC's that do not have Trusted Platform Module (TPM)
This is where you take a stand and tell management that devices without TPM will no longer be able to be supported. Considering what kind of devices exist at this point that don't have a TPM, they are probably shitboxes anyway. I made TPM a specification for Drive Encryption early on and it never hurt me.
|
# ? Apr 7, 2021 15:11 |
|
|
LOL You're talking to Bob, that won't fly where he works.
|
# ? Apr 7, 2021 15:17 |
|
I don't think anything we've bought recently is missing TPM, but this is probably our biggest chunk of devices. Lenovo Thinkcentre M73, which now that I think about it, is what we have bought recently because the training room PC's were just refreshed in the last 6 months or so.
|
# ? Apr 7, 2021 16:16 |
|
Awaiting the incoming package from Amazon with 120 of the cheapest 4GB USB drives they could find
|
# ? Apr 7, 2021 16:36 |
|
Daisy chain a bunch of powered USB hubs and Raid 0 those mofos
|
# ? Apr 7, 2021 16:48 |
|
Bob Morales posted: We have PC's that do not have Trusted Platform Module (TPM)
I've never used Symantec disk encryption but if it will automatically unlock without a TPM then I would stick with that for these TPM-less devices until they can be replaced. Needing to either enter a PIN or remember to connect a USB disk every reboot would suck. Never mind needing to write your own process to archive the keys or stand up MBAM servers to handle it.
When we did our big Windows 7 upgrade over a decade ago we also included a BitLocker implementation but we had a couple offices which were unable to procure devices with TPMs. Those locations got to stick with EFS until we could get them the proper hardware.
|
# ? Apr 7, 2021 22:03 |
|
Best pc inventory / patch management / software deployment / upgrade software out there these days? ~200 ish devices. Will want to integrate it into some workflow software of some kind, self serving software installs, HelpDesk, that sort of thing. Still sccm? Nitr0 fucked around with this message at 10:52 on Apr 8, 2021 |
# ? Apr 8, 2021 10:48 |
|
Someone help me out here, I have two domains with a forest trust between them. For argument's sake, let's call them example.com and sample.net. I also have three locations:
- DC: Has a domain controller for example.com and sample.net
- HQ: Also has DCs for both domains
- Local: Only has a DC in example.com. Has no direct connection to any sample.net DCs.
My thinking is that I should be able to log into "example.com" computers at location "local" by using an account from sample.net. I thought this would be handed over to a DC that has a trust connection. But right now, I am just receiving event 5719 AKA domain not available. Do I have to give the example.com DC in "Local" access to a DC of sample.net?
|
# ? Apr 8, 2021 14:29 |
Do you have DHCP providing both search suffixes at each location and do all the DCs have the ability to communicate to the other forest's DCs? I’ve always wound up adding each domain's name servers to all the DCs in both forests - I’ve also never maintained multiple forests, just established trusts for domain consolidation in M&A’s, so not sure what best practice is
|
|
# ? Apr 8, 2021 14:33 |
|
I explicitly don't want the DC in "Local" to have direct communications with the other AD, unless it's a hard requirement.
|
# ? Apr 8, 2021 14:43 |
Pretty sure you’d need to be using conditional forwarding to ensure the DCs in sample.net will resolve example.net requests coming from local.
|
|
# ? Apr 8, 2021 15:01 |
|
Yeah domain trust just means you can access resources in other domains without needing an account in them, they won't solve client to domain controller communication issues.
|
# ? Apr 8, 2021 15:13 |
|
https://blogs.msmvps.com/acefekay/2016/11/02/active-directory-trusts/
Almost everything you'll ever want to know about forest trusts. Scroll down to the section on Kerberos authentication Sequence between Domains in a Forest
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc787646(v=ws.10)?redirectedfrom=MSDN
I've always allowed access to the other forest via DNS and at a minimum to the PDCe of the other domain.
|
# ? Apr 8, 2021 15:17 |
|
Is there a way in Windows 10, to delay the actual locking of the screen when you start the screen saver, like you can on a Mac? Screen saver comes on at 1 minute....but it's not locked until 5 minutes? I tried powering the screen off at 1 minute but it triggers the lock screen.
|
# ? Apr 9, 2021 19:33 |
|
I think there's a legacy GPO for screensavers specifically but I've never tried using it
|
# ? Apr 9, 2021 20:13 |
|
So, this may be more of a Microsoft 365 question, and if there is an appropriate thread for that, please kick me there, I didn't see anything in my searching:
Due to regulatory requirements, I have to disable accounts that have been inactive for 90 days. I am not going to split hairs on "what does that *mean* anyways?!". I agree. Especially when dealing with all the fields in AD that seem like they should be used for that and definitely *should not* be used for that. The local network version of the solution has worked fine since inception, it is: code:
BUT, wrinkle time. Since March 2020 a large contingent has been working remotely. They are not VPNing in, because they just email and teams their day away and never hit the local DC. Then I start to google about how to programmatically get those logs or entries from Microsoft 365 Azure AD. I get a lot of:
- "you have to get the report manually from O365"
- there is a way to pull a list of last login to mailbox BUT it is also updated by lots of background processes
- finally hit on a feature in the Graph API for signInActivity, BUT it's in BETA
Using the graph scenario just to see what I can get, I was able to check my local list of inactive users against Azure AD Signin activity. Which has worked well. The rub comes that whenever I roll in and try to run that process again, I get 403's on the API call. If I pull back to just email address and name, it works fine. I have to go in and grant permissions to the app registration in Azure (even though it is already granted) and then it will start working again. I am getting a new token each run of my script, AND I have other app registrations that don't use the beta graph and it's fine.
I guess this is one of those "Don't use beta in prod, and this is how we enforce it, or side effect" but, damnit, this is dumb. Usually any kind of regulation requires this, why the hell is there not just a "Do thing, get data on this specific thing that most orgs needs to do." Also we really don't have people to put on this, so it's just frustrating. If there is something else I can use or programmatically do for this, I would be forever in your debt.
|
# ? Apr 9, 2021 20:28 |
|
Bob Morales posted: Is there a way in Windows 10, to delay the actual locking of the screen when you start the screen saver, like you can on a Mac?
According to https://winaero.com/screen-saver-pa...your%20Desktop. it's in the registry at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod
If it doesn't exist it's supposed to be a DWORD containing the grace period in seconds.
|
# ? Apr 9, 2021 20:34 |
|
ptier posted: So, this may be more of a Microsoft 365 question, and if there is an appropriate thread for that, please kick me there, I didn't see anything in my searching:
This is a specific piece of documentation about your problem, and it references the Graph API call you are working with
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts
The Graph Explorer is a good place to mess around with this stuff as well
https://developer.microsoft.com/en-us/graph/graph-explorer
Thanks Ants fucked around with this message at 21:15 on Apr 9, 2021 |
# ? Apr 9, 2021 21:12 |
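An added example, not code from any poster in this thread: one way to apply the 90-day rule so that remote users who never touch a local DC are not disabled, by taking the most recent of the on-prem last logon and the Azure AD `signInActivity.lastSignInDateTime` for each account. The function name `Get-InactiveAccount`, the `LastLogon` property and every record below are assumptions constructed for the illustration; a live run would fill `$graphUsers` from the Graph users endpoint with `signInActivity` selected.

```powershell
# Added example; every record below is constructed sample data.
function Get-InactiveAccount {
    param(
        [Parameter(Mandatory)] [object[]] $AdUsers,     # UserPrincipalName, LastLogon
        [Parameter(Mandatory)] [object[]] $GraphUsers,  # userPrincipalName, signInActivity
        [int] $MaxIdleDays = 90,
        [datetime] $NowUtc = [datetime]::UtcNow
    )
    $cutoff = $NowUtc.AddDays(-$MaxIdleDays)

    # Index the cloud sign-in time by UPN (hashtable keys are case-insensitive).
    $cloud = @{}
    foreach ($g in $GraphUsers) {
        $stamp = $g.signInActivity.lastSignInDateTime   # may be missing entirely
        if ($stamp) { $cloud[$g.userPrincipalName] = ([datetime]$stamp).ToUniversalTime() }
    }

    foreach ($u in $AdUsers) {
        # Collect whatever evidence of activity exists from either source.
        $stamps = @()
        if ($u.LastLogon) { $stamps += ([datetime]$u.LastLogon).ToUniversalTime() }
        if ($cloud.ContainsKey($u.UserPrincipalName)) { $stamps += $cloud[$u.UserPrincipalName] }
        $lastSeen = $stamps | Sort-Object -Descending | Select-Object -First 1

        # Flag the account only when the most recent of the two is stale.
        if ($null -eq $lastSeen -or $lastSeen -lt $cutoff) {
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                LastSeenUtc       = $lastSeen
                Reason            = if ($null -eq $lastSeen) { 'no sign-in recorded' } else { "idle more than $MaxIdleDays days" }
            }
        }
    }
}

# Constructed inputs: bob has not hit a DC since March 2020 but signs in to the cloud.
$now = [datetime]::new(2021, 4, 9, 0, 0, 0, [System.DateTimeKind]::Utc)
$adUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; LastLogon = [datetime]'2021-03-30T08:00:00Z' }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com';   LastLogon = [datetime]'2020-03-12T08:00:00Z' }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.com'; LastLogon = [datetime]'2020-11-01T08:00:00Z' }
    [pscustomobject]@{ UserPrincipalName = 'dave@example.com';  LastLogon = $null }
)
$graphUsers = (@'
{ "value": [
  { "userPrincipalName": "bob@example.com",   "signInActivity": { "lastSignInDateTime": "2021-04-08T13:05:00Z" } },
  { "userPrincipalName": "carol@example.com", "signInActivity": { "lastSignInDateTime": "2020-12-15T09:30:00Z" } },
  { "userPrincipalName": "dave@example.com" }
] }
'@ | ConvertFrom-Json).value

Get-InactiveAccount -AdUsers $adUsers -GraphUsers $graphUsers -NowUtc $now | Format-Table -AutoSize
```

Accounts reported with no sign-in recorded in either source are worth reviewing separately before disabling, since a missing timestamp is not the same as a stale one.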
|
wolrah posted: According to https://winaero.com/screen-saver-pa...your%20Desktop. it's in the registry at
Thanks, I’ll play around with that on Monday
|
# ? Apr 9, 2021 22:19 |
|
Bob Morales posted: I don't think anything we've bought recently is missing TPM, but this is probably our biggest chunk of devices. Lenovo Thinkcentre M73, which now that I think about it, is what we have bought recently because the training room PC's were just refreshed in the last 6 months or so.
do infineon or lenovo sell tpms for thinkcentres? they're often like $5
|
# ? Apr 11, 2021 16:07 |
|
Could 2021-04 cumulative update take any loving longer to install
|
# ? Apr 15, 2021 03:50 |
|
Yeah it’s a big one. Got all my exchange servers patched
|
# ? Apr 15, 2021 04:10 |
|
I'm looking for some guidance in Azure cost monitoring, if anyone's got experience with that. I've been asked to monitor things that could lead to Azure running away with money. We don't host anything too fancy, mostly just Virtual Machines. Looking to get a handle on seeing things like Egress network traffic, and if any Standard SSDs (rare that we would use this) are going wild with IOPS.
We use a CSP for our Azure subscription, so we have no way of actually seeing costs from within Azure. I think this is going to make my life a lot harder. Any advice on what I might be able to do? I was looking at egress for network interfaces on VMs, but it doesn't seem like it will show me what I need to know. Price tiering looks like Egress to the internet is free up to 5 GB but all of the metrics are capping out in megabytes and I figure surely that can't be true.
|
# ? Apr 19, 2021 00:44 |
The CSP thing sucks. Ask if they have an API, you can roll your own monitoring or possibly plug a third party tool into it (no idea if this is real). I’ve dealt with lots of enterprise cost monitoring, my experience with smaller shops not on an EA using CSP has been a non starter really. You’re at their mercy. Whoever you’re working with might be reselling CSP from a big dawg (or is one like TechData or Insight) and they are the safest bets with API access. Get an EA if you can because IMO unless you’re getting great support the discounts wind up being a ripoff when you’re missing cost visibility.
For Azure cost monitoring generally the built in stuff is perfectly fine. Azure cost recommendations it spits out are suspect at best, but can serve as a starting point. The cost alerts etc. are all straightforward and they’re constantly improving the dashboard. But you won’t have that soooooo
Also before anyone recommends it to you, Sharegate Overcast is getting discontinued and it was the cheapest and one of the easiest third party tools to use. I’ve heard great things about apptio. If any of them or anything else can utilize a CSP API I would figure that out ASAP.
Edit: there’s some stuff out there about MCA’s and whatnot, I would talk to your account person before deciding I know wtf I’m talking about. I know the CSPs I’ve run into really don’t offer the MCAs or anything, so not sure if it’s something MS rolled out that failed or what. I know I had this CSP convo two weeks ago and our client said gently caress the whole thing and went PAYG lmao
i am a moron fucked around with this message at 01:25 on Apr 19, 2021 |
|
# ? Apr 19, 2021 01:18 |
|
i am a moron posted: Also before anyone recommends it to you, Sharegate Overcast is getting discontinued and it was the cheapest and one of the easiest third party tools to use. I’ve heard great things about apptio. If any of them or anything else can utilize a CSP API I would figure that out ASAP.
This really pisses me off. It was a fantastic tool before sharegate bought it and jacked the price up
|
# ? Apr 19, 2021 01:57 |
|
Thanks for chiming in. Seems like my suspicions are confirmed. They're looking to do alerting through Azure but I'll get a support ticket in with our CSP (Pax8) and see if they've got any recommendations
|
# ? Apr 19, 2021 02:20 |
|
CSP billing for Azure really only makes sense if the company reselling it is also providing you with some solution deployed in Azure and then charging you an agreed set cost each month for it. Reselling a variable rate service with no access to the Azure cost management tools is a recipe for pain, and like i am a moron said, it's not worth the very small saving once the CSP provider wants their margin.
|
# ? Apr 19, 2021 09:09 |
I’ve heard companies can provide such dashboards and access, but I’ve never actually seen it. I also might be getting that confused with the API stuff, it might be that CSPs get the API access and they have to build stuff on top of it. End customers might not get any API access. It’s a mess speaking as someone who’s worked for companies that kinda sorta dipped their toes into it. The CSP thing is sticky if you’re not on an EA too because I don’t think there’s any other way to get an invoice and lots of accounting departments don’t want to use credit cards.
|
|
# ? Apr 19, 2021 13:05 |
|
You can ask MS to bill you for Azure as an invoice with 30 day terms, there doesn't seem to be a minimum spend either. https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/pay-by-invoice
|
# ? Apr 19, 2021 14:48 |
You have to have an MCA, which I didn’t think is necessarily available to everyone but I could be wrong. If you can get an MCA in lieu of working through a CSP I’d highly recommend. There’s some info here: https://www.microsoft.com/en-us/licensing/how-to-buy/microsoft-customer-agreement I work with MS all the time and I’ve never once seen a sales rep recommend this from MS. But they only get involved on certain sized accounts to begin with, otherwise they’ll refer you to whoever they like in their partner ecosystem. It’s all EA’s or CSPs. But it says you get this agreement through an MS sales rep directly so I dunno. They’ve been moving to a lot of new licensing, partnering and purchasing programs but I’m not sure how much they’re doing to incentivize people to switch to them.
|
|
# ? Apr 19, 2021 15:12 |
|
I don’t know the specifics of how it was originally set up but my old job pre-paid a portion of the azure spend as part of our EA through our VAR and any overages we had we paid on our true-up bill.
|
# ? Apr 19, 2021 15:20 |
I’m gonna but all the EAs I’ve ever seen have a minimum spend negotiated into them for Azure services. There’s a variety of different payment options I’m assuming the VARS all work off of: https://www.microsoft.com/en-us/Licensing/how-to-buy/financing
|
|
# ? Apr 19, 2021 15:28 |
|
This may be a dumb question or in the wrong place, in which case apologies in advance. Is there a way to get IIS to do request/input decompression, akin to mod_deflate "SetInputFilter DEFLATE" for Apache? This seems entirely separate from the Dynamic/Static Compression settings, based on all research I've done already.
|
# ? Apr 19, 2021 18:53 |
|
I'm not aware of having an MCA in place, I just know that a company I do side work for spends about £350 each month in Azure and gets invoiced by MS for it. Maybe they are locked in now because the change was done a few years ago.
|
# ? Apr 19, 2021 19:15 |
The MCA looks like a standard agreement you can sign up with through the website so... lol at any folks I’ve worked with using CSP for invoices
|
|
# ? Apr 20, 2021 04:33 |
|
I spoke to my CSP (I have no option of moving away from them, we're an MSP and use them to resell licensing) and it turns out something called "Azure Plan" is becoming available for CSPs and will give us access to Azure Cost Management again. Until then I'm just going to have to wait.
|
# ? Apr 20, 2021 22:50 |
|
Trying to find the right thread for this: In powershell or CMD, is there a command to get more info from a network printer if "nslookup <ipaddress>" doesn't return what I need? When the user goes to Devices & Printers, they see a friendly name for the network printer. I need to be able to find that same friendly name given an IP address. I'm stumped.
|
# ? Apr 23, 2021 21:24 |
|
You need to do a Get-Printer and then take the PortName variable from the printer and send it into Get-PrinterPort, PrinterHostAddress has the IP or DNS name of the printer. Edit: Oh, you want to work backwards and see what printers are using a port. I think you'd have to do code:
code:
Thanks Ants fucked around with this message at 21:33 on Apr 23, 2021 |
# ? Apr 23, 2021 21:28 |
PowerShell has a PrintManagement module since Windows 8, I believe. Assuming the printer is installed on the machine, I think you can use the Get-Printer command and then filter by PortName. Perhaps you need to first use Get-PrinterPort to find the appropriate port name.
|
|
# ? Apr 23, 2021 21:30 |
|
|
Thanks Ants posted: You need to do a Get-Printer and then take the PortName variable from the printer and send it into Get-PrinterPort, PrinterHostAddress has the IP or DNS name of the printer.
No dice. I don't receive any output from either of those commands.
nielsm, this is unfortunately a user on the network that I'm trying to assist. What if I know the name of the network printer? Can I work back and get the ip address?
*I realize these are broad questions lacking details. This is a people/process problem but now I'm stubborn and want to figure it out. I think our IT team has a print/server and queue set up. When I do Get-Printer on my own device, on the VPN, I receive a printer name of: \\somepath\Printer_01_X . Printer_01_X is the name I'd like to find on the network if I have the IP address. The next best solution is if a user tells me their network printer name is Printer_01_X, I'd like to find the IP address of it in CMD or Powershell.
Hughmoris fucked around with this message at 21:56 on Apr 23, 2021 |
# ? Apr 23, 2021 21:52 |