Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us money per month for bills, and since we don't believe in showing ads to our users, we try to make the money back through forum registrations.
 
  • Post
  • Reply
fluppet
Feb 10, 2009


An apprentice came in:
Or at least that's the idea. As a 1 man sysadmin/devops/Cloud wrangler/desktop support department at a small startup, how do I make my case that an apprentice is unlikely to have the skills to be much use and I don't have the time to spend giving them the mentoring that they deserve

Adbot
ADBOT LOVES YOU

BallerBallerDillz
Jun 10, 2009

Cock, Rules, Everything, Around, Me


Scratchmo

What city if you don't mind doxing yourself?

fluppet
Feb 10, 2009


96 Port Hub posted:

What city if you don't mind doxing yourself?

Leeds

Bunni-kat
May 25, 2010

Service Desk B-b-bunny...
How can-ca-caaaaan I
help-p-p-p you?


Oh god.

A request came in, pre-approved by our supervisor. They want us to make folders for a project. One main folder for each leader, named for their position. There's about 120. And then make it so that only that person, and their supervisor, can access the folder.

So manually, create about 120 folders and security groups, each with unique names. I feel like there should be a way to automate this. I have two months to get it accomplished. Powershell AHOY!

The Fool
Oct 16, 2003



Avenging_Mikon posted:

Oh god.

A request came in, pre-approved by our supervisor. They want us to make folders for a project. One main folder for each leader, named for their position. There's about 120. And then make it so that only that person, and their supervisor, can access the folder.

So manually, create about 120 folders and security groups, each with unique names. I feel like there should be a way to automate this. I have two months to get it accomplished. Powershell AHOY!

If your AD has the manager field populated, and you have a CSV listing the 120 people, it could be done very quickly.

sloshmonger
Mar 21, 2013


Avenging_Mikon posted:

Oh god.

A request came in, pre-approved by our supervisor. They want us to make folders for a project. One main folder for each leader, named for their position. There's about 120. And then make it so that only that person, and their supervisor, can access the folder.

So manually, create about 120 folders and security groups, each with unique names. I feel like there should be a way to automate this. I have two months to get it accomplished. Powershell AHOY!

You posted this about 10 minutes ago. In that time, you should have googled creating an ACLs with powershell, and started writing the script. You should be done in about 20 minutes. Remember to give some sort of administrative access to the folder level, at least at first, so you have access to delete your first bad attempt.

What are you going to do with your two month vacation?

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else


The Fool posted:

If your AD has the manager field populated, and you have a CSV listing the 120 people, it could be done very quickly.

I didn't think of that. I'm going to assume it is not the case though.

Bunni-kat
May 25, 2010

Service Desk B-b-bunny...
How can-ca-caaaaan I
help-p-p-p you?


The Fool posted:

If your AD has the manager field populated, and you have a CSV listing the 120 people, it could be done very quickly.

Sadly itís not quite that simple. They want the title as the name of the folder, so "Manager of EC & CC DeptĒ and the title fields in AD arenít that in-depth. already talked them out of position coding as the names because that isnít anywhere in AD. We were brought in at the absolute end of this and presented with a lot of gibberish, so Iím hoping I can further talk them around to naming the folders [department], [title]. At that point Iíd just need to find a way to convert the names to a usable format, and tell the script to make the folder, create a security grouping with the same name, then add the relevant person to the group, each part of which isnít that difficult.

This is in addition to my normal helpdesk duties, so

sloshmonger posted:

What are you going to do with your two month vacation?

No vacation, sadly.

Inspector_666
Oct 7, 2003

benny with the good hair


sloshmonger posted:

You posted this about 10 minutes ago. In that time, you should have googled creating an ACLs with powershell, and started writing the script. You should be done in about 20 minutes. Remember to give some sort of administrative access to the folder level, at least at first, so you have access to delete your first bad attempt.

What are you going to do with your two month vacation?

Real talk is the only way to do ACLs in Powershell by creating new objects? I feel like MS could make that whole process so much smoother (just like how it handles distinguished names for AD stuff.)

sloshmonger
Mar 21, 2013


Inspector_666 posted:

Real talk is the only way to do ACLs in Powershell by creating new objects? I feel like MS could make that whole process so much smoother (just like how it handles distinguished names for AD stuff.)

I don't know if it's the only way, just the only way I've done before, so reused a lot of that code.. It's a weird space of powershell and .Net that only led to madness.

code:
# Define ACL Rights
$objACLFullControl = [System.Security.AccessControl.FileSystemRights]::FullControl #Specifies the right to exert full control over a folder or file, and to modify access control and audit rules. This value represents the right to do anything with a file and is the combination of all rights in this enumeration.
$objACLRead = [System.Security.AccessControl.FileSystemRights]::Read #Specifies the right to open and copy folders or files as read-only. This right includes the ReadData right, ReadExtendedAttributes right, ReadAttributes right, and ReadPermissions right.
$objACLReadAndExecute = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute #Specifies the right to open and copy folders or files as read-only, and to run application files. This right includes the Read right and the ExecuteFile right.
$objACLModify = [System.Security.AccessControl.FileSystemRights]::Modify #Specifies the right to read, write, list folder contents, delete folders and files, and run application files. This right includes the ReadAndExecute right, the Write right, and the Delete right.
$objACLWrite = [System.Security.AccessControl.FileSystemRights]::Write #Specifies the right to create folders and files, and to add or remove data from files. This right includes the WriteData right, AppendData right, WriteExtendedAttributes right, and WriteAttributes right
$objACLTraverse = [System.Security.AccessControl.FileSystemRights]::Traverse #Specifies the right to list the contents of a folder and to run applications contained within that folder.

#Define Active Directory Groups
#Change for appropriate security
#Base Groups
$objADGroupIT = get-adgroup 'IT Department'
$objADGroupDomainUsers = Get-ADGroup 'Domain Users'
$objADGroupJob = get-adgroup 'Job Group'

#Define Base ACL
$objACLIT = New-Object System.Security.AccessControl.FileSystemAccessRule ($objAdGroupIT.SamAccountName,$objACLFullControl,('ContainerInherit, ObjectInherit'),'None','Allow')
$objACLDomain = New-Object System.Security.AccessControl.FileSystemAccessRule ($objAdGroupDomainUsers.SamAccountName,$objACLReadAndExecute,('ContainerInherit, ObjectInherit'),'None','Allow')
$objACLJob = New-Object System.Security.AccessControl.FileSystemAccessRule ($objAdGroupJob.SamAccountName,$objACLModify,('ContainerInherit, ObjectInherit'),'None','Allow')
$objACLRoot = New-Object System.Security.AccessControl.DirectorySecurity
$objACLRoot.AddAccessRule($objACLIT)
$objACLRoot.AddAccessRule($objACLDomain)
$objACLRoot.AddAccessRule($objACLJob)
$objACLRoot.SetAccessRuleProtection($True,$True)

#... Bunch of irrelevant code and conditional statements

$objACLNew = $objACLRoot

Add-Content -Path $objLogFile -Value ('Applying security for ' + $objFolderSelection +  $newLine)
'Please Wait...'
#Apply security to full tree path selected
Set-acl -Path $objFolderSelection -AclObject $objACLNew
$objACLNewAccess = $objAclNew.Access 
$objACLNewAccess | Select-Object -Property IdentityReference, FileSystemRights| Add-Content -Path $objLogFile
On an unrelated note, I just realized my older scripts are much better commented than my newer stuff.

Entropic
Feb 21, 2007

patriarchy sucks


I just got back from doing a bunch of out of town network jobs at sites I'd never been to before, and it never ceases to amaze me how people who don't know anything about who you are and why you're there will just give you keys and point you to network closets in important government buildings as long as you walk in with a clipboard and a lanyard and look lost.

Arquinsiel
Jun 1, 2006

"There is no such thing as society. There are individual men and women, and there are families. And no government can do anything except through people, and people must look to themselves first."

God Bless Margaret Thatcher
God Bless England
RIP My Iron Lady


The Macaroni posted:

Re: Phishing

After 2 or so years, I finally fell for one of the educational "fake" phishing emails. The security team brilliantly aped a corporate email, all the way down to the logo, wording, and the linked external survey ("Click here to share your thoughts on the recent So-and-So Initiative!"). My last company used an internal tool for surveys, but here we hardly have anything on prem so a link to CorpSurveySite.Com went right under my radar.

Thank goodness it was fake.
I had one of those pop up and after checking all the gubbinz realised that it was a legit email sent from a domain we owned but which was defunct due to branding, but maintained to prevent exactly this poo poo happening. There was literally nothing in it to suggest it was suspicious at all, except the CEO never bothers with the level of poo poo the email suggested. So I figured out what it was and opened the link in a VM to see what we were doing to educate users, as a good and curious new security dude.

Six pages into the PDF that I downloaded later, I got bored and stopped reading. It was just. So. Long. A non-technical user, of which we had lots, would just have stopped caring on page one.

Also the SOC went nuts because they couldn't work out who on the non-SOC security team opened the link and why it was being accessed from outside the company since I was running all my poo poo through our team's shared testing SSH tunnel due to firewall issues that ServiceNow was preventing the helpdesk even noticing existed and turned out to be due to group policy poo poo which wasn't fixed until a week before I left all while everyone else was using the SSH tunnel just because gently caress the web filter when you literally need to look up "blocked: hacking" content basically every ten minutes

Roflex
Jan 13, 2007


I got an email linking to a google form with no other information than the subject ("Company Apparel size survey") and reported it to the cybersecurity department per procedure for reporting suspicious activity. Never got a response. A month later I got a company windbreaker 2 sizes too small.

RFC2324
Jun 7, 2012

Http 418




Arquinsiel posted:

I had one of those pop up and after checking all the gubbinz realised that it was a legit email sent from a domain we owned but which was defunct due to branding, but maintained to prevent exactly this poo poo happening. There was literally nothing in it to suggest it was suspicious at all, except the CEO never bothers with the level of poo poo the email suggested. So I figured out what it was and opened the link in a VM to see what we were doing to educate users, as a good and curious new security dude.

Six pages into the PDF that I downloaded later, I got bored and stopped reading. It was just. So. Long. A non-technical user, of which we had lots, would just have stopped caring on page one.

Also the SOC went nuts because they couldn't work out who on the non-SOC security team opened the link and why it was being accessed from outside the company since I was running all my poo poo through our team's shared testing SSH tunnel due to firewall issues that ServiceNow was preventing the helpdesk even noticing existed and turned out to be due to group policy poo poo which wasn't fixed until a week before I left all while everyone else was using the SSH tunnel just because gently caress the web filter when you literally need to look up "blocked: hacking" content basically every ten minutes

Holy run on sentence Batman

ilkhan
Oct 7, 2004

IF I JUST LICK ENOUGH BOOT LEATHER, BIG DADDY TRUMP WILL SURELY LOVE ME

A client just insisted on installing a switch themselves. Client stayed late and replaced two temporary 24 port switches with a new 48 port.

Client just sent in a picture. Both 24s are gone, there are *two* cables plugged into the new switch, and the patch panels have about 30 new cables plugged into them.

I am so glad this isn't directly my problem.

Renegret
May 26, 2007

THANK YOU FOR CALLING HELP DOG, INC.

YOUR POSITION IN THE QUEUE IS *pbbbbbbbbbbbbbbbbt*


Cat Army Sworn Enemy


Client doesn't know what a VLAN is either I'm guessing?

blackswordca
Apr 25, 2010

Just 'cause you pour syrup on something doesn't make it pancakes!

Renegret posted:

Client doesn't know what a VLAN is either I'm guessing?

That's assuming that vlans are used. My old boss never used them because the contractor at the company said they didn't work well. I think it's because he didn't know how to use them but I'm just guessing.

Renegret
May 26, 2007

THANK YOU FOR CALLING HELP DOG, INC.

YOUR POSITION IN THE QUEUE IS *pbbbbbbbbbbbbbbbbt*


Cat Army Sworn Enemy


blackswordca posted:

That's assuming that vlans are used. My old boss never used them because the contractor at the company said they didn't work well. I think it's because he didn't know how to use them but I'm just guessing.

In my heart I know this is true, for as funny as it would be for the client to actually plug everything in correctly and have it still not work.

So that switching loop that took down the internal network last night? I got paid 5 hours of overtime to listen to IT spin their wheels trying to figure it out. Turns out a switch poo poo the bed and started happily forwarding broadcasts out of all of it's blocking ports, while reporting that the blocking ports were perfectly fine.

Judge Schnoopy
Nov 2, 2005

dont even TRY it, pal

blackswordca posted:

That's assuming that vlans are used. My old boss never used them because the contractor at the company said they didn't work well. I think it's because he didn't know how to use them but I'm just guessing.

"This Netgear switch doesn't route between VLANs and figuring out security zones on my firewall is too hard. Of course we don't have a dedicated router why would we. A flat network works just fine!"

blackswordca
Apr 25, 2010

Just 'cause you pour syrup on something doesn't make it pancakes!

Judge Schnoopy posted:

"This Netgear switch doesn't route between VLANs and figuring out security zones on my firewall is too hard. Of course we don't have a dedicated router why would we. A flat network works just fine!"

Replace 'dont have a dedicated router' with 'Cheapest fortigate possible' and you are right.

Arquinsiel
Jun 1, 2006

"There is no such thing as society. There are individual men and women, and there are families. And no government can do anything except through people, and people must look to themselves first."

God Bless Margaret Thatcher
God Bless England
RIP My Iron Lady


RFC2324 posted:

Holy run on sentence Batman
If I don't run it on, you don't get the full effect of why this was stupid. I actually re-edited it all back into one sentence just to accurately express how terrible the workarounds were.

ilkhan
Oct 7, 2004

IF I JUST LICK ENOUGH BOOT LEATHER, BIG DADDY TRUMP WILL SURELY LOVE ME

Renegret posted:

Client doesn't know what a VLAN is either I'm guessing?
Flat switch, no vlans in use on it. Took our tech a couple hours to untangle the mess.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

I always like apps that can't communicate across vlans. Oh the server is in VLAN100 but your clients are in VLAN102? gently caress it, doesn't work.

RFC2324
Jun 7, 2012

Http 418




isn't that one of the points of a vlan? no communication between them unless it is routed as a separate network?

because if not I'm back to completely not understanding the point of them.

or are you complaining about apps that won't route between networks, because that is a whole separate issue

Judge Schnoopy
Nov 2, 2005

dont even TRY it, pal

The apps most likely use multicast broadcasts which are never* routed.

Vlans stop poo poo from broadcasting to the entire network.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE


Judge Schnoopy posted:

The apps most likely use multicast broadcasts which are never* routed.

Vlans stop poo poo from broadcasting to the entire network.

Yeah, this, we have 1 customer with their core business application that does multicast to connect to the software on client devices.

you ate my cat
Jul 1, 2007



While gearing up for an unrelated project, we discovered that we don't actually own a large number of business-critical phone numbers. We disconnected them after a move about 2 years ago, and apparently the whole thing just fell through the cracks. They continue to work because the provider didn't disconnect them properly, but we don't pay for them and they may stop working at any moment.

This is not a priority, of course.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

RFC2324 posted:

or are you complaining about apps that won't route between networks, because that is a whole separate issue

This, yes.

RFC2324
Jun 7, 2012

Http 418




GreenNight posted:

This, yes.

looks like other people already gave what to google to get it working, which a little googling narrowed down to IGMP and IP Multicast routing. same google did make it appear that it might be a bit of a PITA in practice tho

these forums are too helpful sometimes, and always educational

The Fool
Oct 16, 2003



Ask me about getting iOS display mirroring working across network segments.

It's actually just a checkbox in the meraki dashboard

duz
Jul 11, 2005

Come on Ilhan, lets go bag us a shitpost




you ate my cat posted:

While gearing up for an unrelated project, we discovered that we don't actually own a large number of business-critical phone numbers. We disconnected them after a move about 2 years ago, and apparently the whole thing just fell through the cracks. They continue to work because the provider didn't disconnect them properly, but we don't pay for them and they may stop working at any moment.

This is not a priority, of course.

Sounds like you found a way to make some money on the side.

Thanks Ants
May 21, 2004

Bless You Ants, Blants



The Fool posted:

Ask me about getting iOS display mirroring working across network segments.

It's actually just a checkbox in the meraki dashboard

Meraki's implementation of that is infuriating because for whatever reason it doesn't consider the native VLAN to be one that you'd want to listen for Bonjour services on or advertise Bonjour services to. As far as I can tell this isn't a protocol limitation, it just means I sometimes need to make a weird choice of what VLAN the APs use for management.

sfwarlock
Aug 11, 2007


Judge Schnoopy posted:

The apps most likely use multicast broadcasts which are never* routed.

Vlans stop poo poo from broadcasting to the entire network.

One word: Chromecasts.

More words: An ex-cow-orker of mine laughed at me for buying NUCs to power TV displays and instead spent a week developing a "proof of concept" with Chromecasts.

Then laughed at me again when the bosses loved that solution and told me to return the NUCs.

Then the Chromecasts sat there happily broadcasting out over the wireless VLAN trying to find someone to talk to while my cow orker screamed at me for setting up VLANs and I sat there wondering if Google eats their own dogfood.

Judge Schnoopy
Nov 2, 2005

dont even TRY it, pal

sfwarlock posted:

One word: Chromecasts.

More words: An ex-cow-orker of mine laughed at me for buying NUCs to power TV displays and instead spent a week developing a "proof of concept" with Chromecasts.

Then laughed at me again when the bosses loved that solution and told me to return the NUCs.

Then the Chromecasts sat there happily broadcasting out over the wireless VLAN trying to find someone to talk to while my cow orker screamed at me for setting up VLANs and I sat there wondering if Google eats their own dogfood.

It would work fine if you put the signal feeder devices on that same wireless vlan. The signaller will tell the Chromecast what to pull, and the Chromecast will use regular packets to retrieve the content from the internet / internal server.

I set up an audio system for a fitness center that uses multicast on wifi to communicate with end user devices. It wasn't too hard to throw the broadcasters on that vlan while also giving everybody access to the internet AND segmenting it off of internal traffic.

dogstile
May 1, 2012

fucking clocks
how do they work?


Renegret posted:

In my heart I know this is true, for as funny as it would be for the client to actually plug everything in correctly and have it still not work.

So that switching loop that took down the internal network last night? I got paid 5 hours of overtime to listen to IT spin their wheels trying to figure it out. Turns out a switch poo poo the bed and started happily forwarding broadcasts out of all of it's blocking ports, while reporting that the blocking ports were perfectly fine.

Why did it take them five hours? O_O

I've got a spare switch in every building just because its a very quick way to check a thing that's common enough for me to warrant a spare switch in each building. I may not be a great IT dude, but i'm lazy enough that i'm not spending 5 hours straight actively working on a thing if i can avoid it.

Renegret
May 26, 2007

THANK YOU FOR CALLING HELP DOG, INC.

YOUR POSITION IN THE QUEUE IS *pbbbbbbbbbbbbbbbbt*


Cat Army Sworn Enemy


dogstile posted:

Why did it take them five hours? O_O

I've got a spare switch in every building just because its a very quick way to check a thing that's common enough for me to warrant a spare switch in each building. I may not be a great IT dude, but i'm lazy enough that i'm not spending 5 hours straight actively working on a thing if i can avoid it.

To be fair, 3 hours of that was working on the switch. The last 2 were hammering out some residual DHCP issues, and the first hour was spent troubleshooting the wrong thing because the issue was being misreported by users. Because of the potential impact they didn't want to pull poo poo randomly, especially when the issue looked like a spanning tree problem. Even Cisco was at a loss.

Geemer
Nov 4, 2010




Office365 is down for large parts of the world. My work's ground to a halt. Good luck to any IT person that has to deal with it.

Gerdalti
May 24, 2003

SPOON!


Geemer posted:

Office365 is down for large parts of the world. My work's ground to a halt. Good luck to any IT person that has to deal with it.

I've been out of the office for 11 days, and this is the disaster I am walking in to. At least I just have to hang a sign that says "Microsoft is working on it."

Thanks Ants
May 21, 2004

Bless You Ants, Blants



It's fine, stuff still works if you're authenticated. I was out the office but my phone never noticed any issues.

Adbot
ADBOT LOVES YOU

Gerdalti
May 24, 2003

SPOON!


It appears to be resolved now. Thankfully.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply