Methanar
Sep 26, 2013




lol this is disgusting


The Fool
Oct 16, 2003



The Fool posted:

I can't recommend this in any way.

Dirt Road Junglist posted:

I know it's been said, but I want to reinforce: holy poo poo no

nexxai posted:

Do not, under any circumstances, do this.

Methanar posted:



lol this is disgusting

Collecting for emphasis

H2SO4
Sep 11, 2001

put your money in a log cabin




Buglord

yeah you want to make sure you roll your own crypto first so you can secure those SAML calls

Bob Morales
Aug 18, 2006

I love the succulent taste of cop boots

This seems like it should be simple...the parent workstation OU has a GPO applied that sets the wallpaper with BGINFO. However, there are 3 PC's that a different background needs to apply. What's the least stupid way to not apply that GPO to certain workstations?

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

Set a GPO override with that setting disabled

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!

Create a security group for the exceptions, add the exceptions to the security group, then go into the delegation tab for the GPO and click "Advanced". Add the exception security group, allow "Read" deny "Apply group policy".

Make sure it's computers in the security group if you're going computer policy instead of user policy.

Moey
Oct 22, 2010

I LIKE TO MOVE IT


klosterdev posted:

Create a security group for the exceptions, add the exceptions to the security group, then go into the delegation tab for the GPO and click "Advanced". Add the exception security group, allow "Read" deny "Apply group policy".

Make sure it's computers in the security group if you're going computer policy instead of user policy.

This is similar to what I do when I get forced to do dumb poo poo like this on selective machines/accounts randomly across our domain. Security Filtering is your friend.

Moey fucked around with this message at 00:09 on Mar 12, 2020

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!

Moey posted:

This is similar to what I do when I get forced to do dumb poo poo like this on selective machines/accounts randomly across our domain. Security Filtering is your friend.

It's stupid-useful. Other important security filtering method is to only have it apply to people/computers in the security group. Go into the delegation tab for the GPO and click "Advanced". Add the security group you want the GPO to affect, allow "Read" allow "Apply group policy", then untick (but don't deny) "apply group policy" on Authenticated Users, but keep Read. (if you remove Read or Authenticated Users the GPO will fail to apply) Remember that the policy still has to be linked to a relevant OU.

Once you have both those down it's incredible how much flexibility you have with setting policies opposed to making a mess of OUs.
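The allow-list variant described in the post above, scripted with the GroupPolicy module instead of clicked through the GPMC delegation tab. This is an added example, not code from the thread or from Microsoft's documentation. The GPO name "Workstation Wallpaper", the group name "GPO-Wallpaper-Apply" and the use of the ActiveDirectory module for the link check are assumptions. The deny-ACE variant from the earlier post (deny "Apply group policy" on an exceptions group) is not covered, because Set-GPPermission only manages allow levels; that one stays a GPMC job.

```powershell
# Added example (not from the thread): "only apply to members of this group"
# security filtering, done with the GroupPolicy cmdlets.
# Assumptions: GPO name and group name below are made up; the group holds
# COMPUTER objects because the wallpaper setting is a computer policy.
Import-Module GroupPolicy
Import-Module ActiveDirectory   # only needed for the link check at the end

$GpoName    = 'Workstation Wallpaper'   # assumed GPO name
$ApplyGroup = 'GPO-Wallpaper-Apply'     # assumed security group of computer accounts

# 1. Give the target group Read + Apply group policy.
Set-GPPermission -Name $GpoName -TargetName $ApplyGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 2. Drop "Apply group policy" from Authenticated Users but keep Read.
#    -Replace swaps the existing level for GpoRead rather than adding to it.
#    Do NOT remove Authenticated Users entirely: without Read the client cannot
#    even evaluate the GPO, which is the failure mode the post warns about.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 3. Show the resulting filtering so it can be eyeballed before anyone relies on it.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied |
    Format-Table -AutoSize

# 4. Filtering is useless if the GPO is not linked to an OU containing the
#    machines. List every OU whose gPLink references this GPO's GUID.
$gpoId = (Get-GPO -Name $GpoName).Id.ToString()
Get-ADOrganizationalUnit -Filter * -Properties gPLink |
    Where-Object { $_.gPLink -and $_.gPLink.ToLower().Contains($gpoId.ToLower()) } |
    Select-Object -ExpandProperty DistinguishedName

# Note: a computer picks up new group memberships in its token at boot, so the
# machines you add to the group need a restart (or a new Kerberos TGT) before
# gpupdate /force will show the policy as applied.
```

Run `gpresult /r /scope computer` on one of the target machines afterwards; the GPO should appear under "Applied Group Policy Objects" there and under "Filtering: Denied (Security)" on a machine that is not in the group.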

Internet Explorer
Jun 1, 2005





Oven Wrangler

Also don't forget about item level targeting on preference GPOs.

buffbus
Nov 19, 2012


Internet Explorer posted:

Also don't forget about item level targeting on preference GPOs.

This. Also you can use info from Getadmx.com to convert almost any policy setting to a registry preference. We have over 100k workstations across only 6 OUs and stuff like this always comes in handy.

Potato Salad
Oct 23, 2014

Nobody Cares




Tortured By Flan

You should be managing security group membership with these features ^

https://www.checkyourlogs.net/gpogp...strators-group/

Wicaeed
Feb 8, 2005


How do you Enterprise Orgs handle shared accounts that could potentially be used to publicly identify an Organization?

We recently discovered that someone had registered a public Github Org with our company name, and fortunately it was inactive for so long that Github Support is just handing over the Org name to us.

I'm also squatting on several similar Org names for future use if we need it, using naming conventions that mirror our Azure DevOps Organizations.

One of our Cloud Architects is requesting that I create an AD service account, and use that service account's O365 email address for registering the Org instead of a functional mailbox.

Can Github Org ownership be shared across multiple emails/people at a company?

Meydey
Dec 31, 2005


Has anyone had issues with 2008 ESU license activation? I have about 500 or so, which we pushed keys to via Bigfix. That worked fine for everything with internet access, but then we had to go manual activation for about 200 or so air gapped servers. SLMGR /ipk, /dlv, /atp, and the Microsoft Activation site. This suuucked, but was easier than punching holes for VAMT.

Now I'm down to 30 that are failing manual activation due to the Software Protection Service I believe. The fix for that is to disable SPP, run slmgr /upk to remove the license, then reapply the license, then re-enable SPP. The problem is that removes the KMS license also, along with the ESU license. I would just decom the drat things but business needs them 'cause reasons. Moving them to Azure is not an option either. Some are DCs.

Has anyone else run into this? Microsoft is not being helpful.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams


Oh we had that, you can just re-add the KMS key and they should activate. Too late now but I think you can be a bit more surgical about what keys you're removing to keep from removing the KMS key in the first place, but yeah MS support just tells you to flatten the keys because they dgaf. Exact same thing happened to us with our air gapped systems.
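What "being more surgical" looks like in practice: enumerate the licensing products on the box and uninstall only the key you actually mean to remove, so the KMS client key is never touched. This is an added example, not something posted in the thread or provided by Microsoft. It assumes the ESU add-on appears as its own SoftwareLicensingProduct entry whose Name contains "ESU" (check what `slmgr /dlv all` shows on your hosts and adjust the filter), and it uses Get-WmiObject so it runs on the PowerShell 2.0 that ships with 2008/2008 R2.

```powershell
# Added example (not from the thread): targeted product-key removal on an
# air-gapped 2008 box. The WMI "ID" property is the Activation ID that
# "slmgr /upk <ActivationID>" accepts, so this is the same thing slmgr does,
# minus the blanket removal.
# Assumption: the ESU add-on is a separate product whose Name matches '*ESU*'.

$products = Get-WmiObject -Class SoftwareLicensingProduct |
    Where-Object { $_.PartialProductKey }    # only entries that actually hold a key

# 1. Look before you leap. LicenseStatus: 0 Unlicensed, 1 Licensed, 2 OOB grace,
#    3 OOT grace, 4 non-genuine grace, 5 Notification, 6 Extended grace.
$products |
    Select-Object Name, ID, PartialProductKey, LicenseStatus |
    Format-Table -AutoSize

# 2. Remove ONLY the ESU key(s); the OS / KMS client key entry is left alone.
$esu = $products | Where-Object { $_.Name -like '*ESU*' }   # assumed naming
if (-not $esu) {
    Write-Warning 'No ESU product found; nothing removed. Check the Name filter.'
}
foreach ($p in $esu) {
    Write-Host ("Uninstalling key for {0} ({1})" -f $p.Name, $p.ID)
    $null = $p.UninstallProductKey()
    # slmgr equivalent: cscript C:\Windows\System32\slmgr.vbs /upk $p.ID
}

# 3. Reinstall the ESU key and complete activation. Placeholders below; the
#    real ESU key comes from your licensing portal and the Confirmation ID from
#    the manual activation site, exactly as in the post above.
# cscript C:\Windows\System32\slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
# cscript C:\Windows\System32\slmgr.vbs /atp <ConfirmationID> <ESU ActivationID>

# 4. If the KMS key did get flattened on a host, put it back and re-activate
#    (the KMS client setup key for your SKU is a Microsoft-published value;
#    placeholder here):
# cscript C:\Windows\System32\slmgr.vbs /ipk <KMS-client-setup-key>
# cscript C:\Windows\System32\slmgr.vbs /ato

# 5. Final check: anything still not LicenseStatus 1 needs another look.
Get-WmiObject -Class SoftwareLicensingProduct |
    Where-Object { $_.PartialProductKey -and $_.LicenseStatus -ne 1 } |
    Select-Object Name, ID, LicenseStatus
```

Because the script only calls UninstallProductKey on the filtered entries, the worst case of a wrong filter is "nothing happens", which is the failure mode you want on a production DC during a change freeze.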

Meydey
Dec 31, 2005


FISHMANPET posted:

Oh we had that, you can just re-add the KMS key and they should activate. Too late now but I think you can be a bit more surgical about what keys you're removing to keep from removing the KMS key in the first place, but yeah MS support just tells you to flatten the keys because they dgaf. Exact same thing happened to us with our air gapped systems.

Awesome, thanks. I will try a few nonprods tomorrow. The prod servers will be interesting as mgmt put a change blackout in place due to Corona.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams


Yeah we learned the hard way ours lost activation when they rebooted for patches over the weekend, and they're for processing credit card transactions for the parking system, and we're a campus that has events on the weekend...

Glad I wasn't on call that weekend!

capitalcomma
Sep 9, 2001

A grim bloody fable, with an unhappy bloody end.

Has anyone run into Office 2019 installs that get flagged by tools like Nessus as being out-of-date, even though Click-To-Run is showing the latest build number? Some of my machines are being reported as having unpatched DLLs in the install path, but Click-To-Run is showing everything is up-to-date.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams


I don't know how exactly Nessus does its scans or what its detection methods are, but the move to cumulative patching has broken a lot of things. We use Rapid7 Insight VM and have had false positives for older vulnerabilities because the client didn't have the specific KB for the Office vulnerability installed but it did have the latest cumulative update installed, which means it was actually patched. Rapid7 fixed their definitions and the vulnerability went away. So maybe Nessus is doing something like that? Does it give you specific advice on what you need to do to remediate the specific vulnerabilities it's finding?

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE


Aren't Office patches rolled out in groups of some kind as well? Perhaps Nessus is looking for a patch not available to you yet?

Dirt Road Junglist
Oct 8, 2010

There's a ghost in me
Who wants to say I'm sorry
Doesn't mean I'm sorry






I'm sorry to poo poo up the thread with non-content, but I loving hate Nessus. I keep getting screamed at by management for "old vulnerabilities", but they're basing that on the datestamp the vuln was reported, not the datestamp the vuln was detected on that specific host. Yeah, that .NET poo poo on a specific version was called out sometime in 2004, but the user in question installed a vulnerable old version of .NET three weeks ago, so no, no one is going to go to Business Insider and scream that our company has an unpatched vuln that's 16 years old.

Meydey
Dec 31, 2005


We proved to the Nessus developers that it is poo poo in regards to superseded patches. We use Bigfix to deploy, which drops relevance on older patches when a patch is superseded, ie Feb patch supersedes Jan. This went on for like 6 months with Spectre/Meltdown. Nessus was still calling out a Jan patch even though Feb roll-up would supersede it. So we were compliant on Bigfix reports but vuln on Nessus.
Their reasoning was that Nessus looks at the reg key vs installed KB. So even if a later KB was installed, if the prior patch reg fix wasn't applied then it was still vulnerable. Also we have Tanium in the mix because why the gently caress not.

Dirt Road Junglist
Oct 8, 2010

There's a ghost in me
Who wants to say I'm sorry
Doesn't mean I'm sorry






Meydey posted:

We proved to the Nessus developers that it is poo poo in regards to superseded patches. We use Bigfix to deploy, which drops relevance on older patches when a patch is superseded, ie Feb patch supersedes Jan. This went on for like 6 months with Spectre/Meltdown. Nessus was still calling out a Jan patch even though Feb roll-up would supersede it. So we were compliant on Bigfix reports but vuln on Nessus.
Their reasoning was that Nessus looks at the reg key vs installed KB. So even if a later KB was installed, if the prior patch reg fix wasn't applied then it was still vulnerable. Also we have Tanium in the mix because why the gently caress not.

...are we co-workers?

capitalcomma
Sep 9, 2001

A grim bloody fable, with an unhappy bloody end.

In this case, Nessus is flagging DLL versions in the Office install path. I have seen cases of what you're talking about, where Nessus just needs its supersedence info updated, but this isn't looking like one of those cases.

Nessus is telling me to install KB patches, but when you run them they say they're not needed, or not applicable to the installed software.

I'm honestly not sure what to think. On the one hand Office is telling me it's up-to-date, on the other, I'm seeing file versions that are being flagged as vulnerable on their own loving website.

gently caress click-to-run.
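When the scanner and Click-to-Run disagree, the useful thing to have in hand is the actual on-disk evidence: the build C2R says it is on versus the file versions of every DLL under the install path, since a file-version check is what the scanner is doing. The script below gathers exactly that for a ticket with Tenable or Microsoft. It is an added example, not from the thread; it assumes the standard C2R registry key with its `VersionToReport` and `InstallationPath` values and that the binaries live under `<InstallationPath>\root\Office16`, which is the 2016/2019 layout. Note that plenty of shared DLLs legitimately carry a version other than the main Office build, so a mismatch is a lead to investigate, not proof of a missing patch.

```powershell
# Added example (not from the thread): inventory Office Click-to-Run DLL versions
# against the build C2R reports, to give the scanner vendor concrete file data.
# Assumptions: default C2R Configuration key; Office16 subfolder layout.

$cfgKey   = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$c2r      = Get-ItemProperty -Path $cfgKey
$reported = $c2r.VersionToReport                      # e.g. 16.0.xxxxx.yyyyy
$root     = Join-Path $c2r.InstallationPath 'root\Office16'   # assumed layout

if (-not (Test-Path $root)) { throw "Expected install path not found: $root" }
Write-Host "Click-to-Run reports build $reported; scanning $root"

# Collect (relative path, file version, last write) for every DLL in the tree.
$dlls = Get-ChildItem -Path $root -Recurse -Filter *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            File     = $_.FullName.Substring($root.Length + 1)
            Version  = $_.VersionInfo.FileVersion
            Modified = $_.LastWriteTime
        }
    }

# A healthy install is dominated by one build; the histogram shows that at a glance.
Write-Host "`nDLL count per file version:"
$dlls | Group-Object Version | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Version'; e = { $_.Name } } |
    Format-Table -AutoSize

# Files whose version is not the reported build. Cross-reference the specific
# paths the scanner names against this list; that is the evidence for the ticket.
Write-Host "DLLs not on build ${reported}:"
$dlls | Where-Object { $_.Version -and $_.Version -ne $reported } |
    Sort-Object Version, File |
    Format-Table File, Version, Modified -AutoSize

# Optional: dump to CSV so the scanner finding and the inventory can be diffed.
$out = Join-Path $env:TEMP 'office-c2r-dll-inventory.csv'
$dlls | Export-Csv -Path $out -NoTypeInformation
Write-Host "Inventory written to $out"
```

If the DLL the scanner names is absent from the "not on build" list, the finding is a supersedence/definition problem on the scanner side; if it is present with an old version and an old Modified timestamp, the C2R update did not replace that file and an Office repair is the next step.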

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.


We're now using MS Teams due to the coronavirus pandemic. We're using the web-based version and not the installed version (that installer is all kinds of hosed up). Users are stating that when they hold meetings with multiple participants, they can each only see 1 other person at a time. They can choose which person they see by clicking on the participant name, but they get one and that's it.
Is it possible to get the whole Zoom style grid with all participants visible? Where everybody sees everybody else all at the same time?

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE


Not sure about on the web version but that definitely works on the client version, gently caress it works on the mobile version with at least 4 people.

What is your beef with the installer?

AlternateAccount
Apr 25, 2005
FYGM

MF_James posted:

What is your beef with the installer?

If you run it, it seems like most times you end up with Microsoft Teams on your computer.


sorry... sorry...

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.


MF_James posted:

Not sure about on the web version but that definitely works on the client version, gently caress it works on the mobile version with at least 4 people.

What is your beef with the installer?

MS has not made a per-machine installer, it's only per-user and doesn't really get installed (into AppData) until the user logs in. But...we have a software restriction policy that blocks this. Of course there are ways around this, but they tend to be somewhat cumbersome, or reduce the security posture of the machine. Then there's the issue of it installing for every user that logs into the machine and eating up roughly 300mb per installation. Not a big deal when it's one user, but we have machines that have a couple dozen users sign in over the course of a month. Again, neither of these are insurmountable problems but the web version has none of these issues so...

The Fool
Oct 16, 2003



There is a machine-wide installer, but it just bootstraps the user installer for any user that logs in to the machine.

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

https://docs.microsoft.com/en-us/mi.../msi-deployment

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams


They're so determined to make it live in userland that all that MSI does is install into the profile of everybody that logs on. Which may or may not get around that app restriction policy. But you said that and the space issue were surmountable, whereas "no grid in webview" may be insurmountable so you'll have to pick your poison.

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!

Hungry Computer
Nov 12, 2008




College Slice

Teams actually does have an option for a proper system install now, but it's intended for VDI environments. The downside is that it has no update functionality in this mode, so you have to push out a new .msi for every update. It also doesn't seem to save certain settings like dark mode.

code:
msiexec /i <path_to_msi>  ALLUSER=1 ALLUSERS=1

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.


Thanks. I'll check that out. This is really not critical; some users were just clamoring for it because they saw that Zoom has it. CEO stepped in, decided that it's not critical so it's a non-issue now. I'll still check out that link just in case this rears its head again (lol it will)

Toast Museum
Dec 3, 2005

30% Iron Chef


While we're on the subject of video conferencing apps, I've got a weird Webex issue. A few times a day, the Windows client will launch itself for no apparent reason. I'm not seeing anything in the event logs, nor does there appear to be a scheduled task launching it. Anyone else run into this?

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

I haven't heard of that and we've just deployed it to 300 users. Maybe re-install?

Toast Museum
Dec 3, 2005

30% Iron Chef


GreenNight posted:

I haven't heard of that and we've just deployed it to 300 users. Maybe re-install?

I'm not opposed to reinstalling if I stay stumped, but I'm hoping I can figure out what the gently caress first. I mean, the app isn't running when this happens, so something is starting it.

FRINGE
May 23, 2003
title stolen for lf posting


Mr. Clark2 posted:

We're now using MS Teams due to the coronavirus pandemic. We're using the web-based version and not the installed version (that installer is all kinds of hosed up). Users are stating that when they hold meetings with multiple participants, they can each only see 1 other person at a time. They can choose which person they see by clicking on the participant name, but they get one and that's it.
Is it possible to get the whole Zoom style grid with all participants visible? Where everybody sees everybody else all at the same time?
Most of the Office products do not have feature parity between the web and full versions. If you're going to depend on Teams for substantial business use, use the installed version.

Mr. Clark2 posted:

MS has not made a per-machine installer, it's only per-user and doesn't really get installed (into AppData) until the user logs in. But...we have a software restriction policy that blocks this. Of course there are ways around this, but they tend to be somewhat cumbersome, or reduce the security posture of the machine. Then there's the issue of it installing for every user that logs into the machine and eating up roughly 300mb per installation. Not a big deal when it's one user, but we have machines that have a couple dozen users sign in over the course of a month.
They should be able to install Teams locally and join from the machine they are sitting at without risking your internal machines?



FISHMANPET posted:

They're so determined to make it live in userland that all that MSI does is install into the profile of everybody that logs on. Which may or may not get around that app restriction policy. But you said that and the space issue were surmountable, whereas "no grid in webview" may be insurmountable so you'll have to pick your poison.
It's pretty deeply integrated with Sharepoint/Onedrive/Outlook. It's pretty User and Group dependent.

FRINGE fucked around with this message at 05:03 on Mar 28, 2020

Newf
Feb 14, 2006
I appreciate hacky sack on a much deeper level than you.

My school board is warning that our Windows devices will time out of service if they go 60 days without connecting to the network at school. Normally this isn't an issue, but we've all been barred from entering our schools with no particular end in sight.

Any quick and dirty VPN hacks to allow device 'check in'?

nielsm
Jun 1, 2009




Fallen Rib

You can't sit in the parking lot and reach wifi?


The Fool
Oct 16, 2003



Newf posted:

Any quick and dirty VPN hacks to allow device 'check in'?

um, just being connected to the VPN doesn't do it?
