SEKCobra
Feb 28, 2011


Bob Morales posted:

We have PC's that do not have Trusted Platform Module (TPM)

This means we either have to use a USB drive or PIN to boot BitLocker-enabled computers? Should we just stick with Symantec disk encryption at this point?

This is where you take a stand and tell management that devices without TPM will no longer be able to be supported. Considering what kind of devices exist at this point that don't have a TPM, they are probably shitboxes anyway.
I made TPM a specification for Drive Encryption early on and it never hurt me.


skipdogg
Nov 29, 2004
Resident SRT-4 Expert


LOL You're talking to Bob, that won't fly where he works.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



I don't think anything we've bought recently is missing TPM, but this is probably our biggest chunk of devices: Lenovo ThinkCentre M73, which, now that I think about it, is what we have bought recently because the training room PCs were just refreshed in the last 6 months or so.

Bob Morales
Aug 18, 2006





Awaiting the incoming package from Amazon with 120 of the cheapest 4GB USB drives they could find

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!

Daisy chain a bunch of powered USB hubs and Raid 0 those mofos

Caf
May 21, 2004

I'm King James! The Lion King!

Bob Morales posted:

We have PC's that do not have Trusted Platform Module (TPM)

This means we either have to use a USB drive or PIN to boot BitLocker-enabled computers? Should we just stick with Symantec disk encryption at this point?

I've never used Symantec disk encryption but if it will automatically unlock without a TPM then I would stick with that for these TPM-less devices until they can be replaced. Needing to either enter a PIN or remember to connect a USB disk every reboot would suck. Never mind needing to write your own process to archive the keys or stand up MBAM servers to handle it.

When we did our big Windows 7 upgrade over a decade ago we also included a BitLocker implementation but we had a couple offices which were unable to procure devices with TPMs. Those locations got to stick with EFS until we could get them the proper hardware.

Nitr0
Aug 17, 2005

IT'S FREE REAL ESTATE


Best PC inventory / patch management / software deployment / upgrade software out there these days? ~200 ish devices.

Will want to integrate it into some workflow software of some kind, self serving software installs, HelpDesk, that sort of thing.

Still sccm?

Nitr0 fucked around with this message at 09:52 on Apr 8, 2021

SEKCobra
Feb 28, 2011


Someone help me out here, I have two domains with a forest trust between them. For argument's sake, let's call them example.com and sample.net.
I also have three locations:

DC
Has a domain controller for example.com and sample.net

HQ
Also has DCs for both domains

Local
Only has a DC in example.com. Has no direct connection to any sample.net DCs.

My thinking is that I should be able to log into "example.com" computers at location "Local" by using an account from sample.net. I thought this would be handed over to a DC that has a trust connection.
But right now, I am just receiving event 5719 AKA domain not available. Do I have to give the example.com DC in "Local" access to a DC of sample.net?

i am a moron
Nov 12, 2020

Gettin' woke about vaccines

Do you have DHCP providing both search suffixes at each location, and do all the DCs have the ability to communicate with the other forest's DCs? I've always wound up adding each domain's name servers to all the DCs in both forests. I've also never maintained multiple forests, just established trusts for domain consolidation in M&As, so not sure what best practice is.

SEKCobra
Feb 28, 2011


I explicitly don't want the DC in "Local" to have direct communications with the other AD, unless it's a hard requirement.

i am a moron
Nov 12, 2020

Gettin' woke about vaccines

Pretty sure you'd need to be using conditional forwarding to ensure the DCs in sample.net will resolve example.net requests coming from Local.

Thanks Ants
May 21, 2004

#essereFerrari


Yeah domain trust just means you can access resources in other domains without needing an account in them, they won't solve client to domain controller communication issues.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert


https://blogs.msmvps.com/acefekay/2016/11/02/active-directory-trusts/

Almost everything you'll ever want to know about forest trusts. Scroll down to the section on Kerberos authentication Sequence between Domains in a Forest

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc787646(v=ws.10)?redirectedfrom=MSDN

I've always allowed access to the other forest via DNS and at a minimum to the PDCe of the other domain.

Bob Morales
Aug 18, 2006





Is there a way in Windows 10, to delay the actual locking of the screen when you start the screen saver, like you can on a Mac?

Screen saver comes on at 1 minute....but it's not locked until 5 minutes?

I tried powering the screen off at 1 minute but it triggers the lock screen.

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!

I think there's a legacy GPO for screensavers specifically but I've never tried using it

ptier
Jul 2, 2007

Back off man, I'm a scientist.


Pillbug

So, this may be more of a Microsoft 365 question, and if there is an appropriate thread for that, please kick me there, I didn't see anything in my searching:


Due to regulatory requirements, I have to disable accounts that have been inactive for 90 days. I am not going to split hairs on "what does that * mean * anyways?!". I agree. Especially when dealing with all the fields in AD that seem like they should be used for that and definitely * should not * be used for that. The local network version of the solution has worked fine since inception, it is:

code:
 Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 90.00:00:00 -SearchScope Subtree -SearchBase "OU=needful,dc=awesome,dc=local"
This works, as well as it can, it's giving me rough, which is all I need.

BUT, wrinkle time. Since March 2020 a large contingent has been working remotely. They are not VPNing in, because they just email and teams their day away and never hit the local DC. Then I start to google about how to programmatically get those logs or entries from Microsoft 365 Azure AD. I get a lot of:

"you have to get the report manually from O365"
there is a way to pull a list of last login to mailbox BUT it is also updated by lots of background processes

finally hit on a feature in the Graph API for signInActivity, BUT it's in BETA

Using the Graph scenario just to see what I can get, I was able to check my local list of inactive users against Azure AD sign-in activity. Which has worked well. The rub comes that whenever I roll in and try to run that process again, I get 403's on the API call. If I pull back to just email address and name, it works fine. I have to go in and grant permissions to the app registration in Azure (even though it is already granted) and then it will start working again. I am getting a new token each run of my script, AND I have other app registrations that don't use the beta Graph and it's fine. I guess this is one of those "Don't use beta in prod, and this is how we enforce it, or side effect" but, damnit, this is dumb. Usually any kind of regulation requires this, why the hell is there not just a "Do thing, get data on this specific thing that most orgs need to do." Also we really don't have people to put on this, so it's just frustrating.

If there is something else I can use or programmatically do for this, I would be forever in your debt.

wolrah
May 8, 2006
what?


Bob Morales posted:

Is there a way in Windows 10, to delay the actual locking of the screen when you start the screen saver, like you can on a Mac?

Screen saver comes on at 1 minute....but it's not locked until 5 minutes?

I tried powering the screen off at 1 minute but it triggers the lock screen.

According to https://winaero.com/screen-saver-pa...your%20Desktop. it's in the registry at

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod

If it doesn't exist it's supposed to be a DWORD containing the grace period in seconds.

Thanks Ants
May 21, 2004

#essereFerrari


ptier posted:

So, this may be more of a Microsoft 365 question, and if there is an appropriate thread for that, please kick me there, I didn't see anything in my searching:


Due to regulatory requirements, I have to disable accounts that have been inactive for 90 days. I am not going to split hairs on "what does that * mean * anyways?!". I agree. Especially when dealing with all the fields in AD that seem like they should be used for that and definitely * should not * be used for that. The local network version of the solution has worked fine since inception, it is:

code:
 Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 90.00:00:00 -SearchScope Subtree -SearchBase "OU=needful,dc=awesome,dc=local"
This works, as well as it can, it's giving me rough, which is all I need.

BUT, wrinkle time. Since March 2020 a large contingent has been working remotely. They are not VPNing in, because they just email and teams their day away and never hit the local DC. Then I start to google about how to programmatically get those logs or entries from Microsoft 365 Azure AD. I get a lot of:

"you have to get the report manually from O365"
there is a way to pull a list of last login to mailbox BUT it is also updated by lots of background processes

finally hit on a feature in the Graph API for signInActivity, BUT it's in BETA

Using the Graph scenario just to see what I can get, I was able to check my local list of inactive users against Azure AD sign-in activity. Which has worked well. The rub comes that whenever I roll in and try to run that process again, I get 403's on the API call. If I pull back to just email address and name, it works fine. I have to go in and grant permissions to the app registration in Azure (even though it is already granted) and then it will start working again. I am getting a new token each run of my script, AND I have other app registrations that don't use the beta Graph and it's fine. I guess this is one of those "Don't use beta in prod, and this is how we enforce it, or side effect" but, damnit, this is dumb. Usually any kind of regulation requires this, why the hell is there not just a "Do thing, get data on this specific thing that most orgs need to do." Also we really don't have people to put on this, so it's just frustrating.

If there is something else I can use or programmatically do for this, I would be forever in your debt.

This is a specific piece of documentation about your problem, and it references the Graph API call you are working with

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts

The Graph Explorer is a good place to mess around with this stuff as well

https://developer.microsoft.com/en-us/graph/graph-explorer

Thanks Ants fucked around with this message at 20:15 on Apr 9, 2021
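
The reconciliation step ptier describes (checking the on-prem Search-ADAccount inactive list against the Azure AD signInActivity data the linked document covers), as an added Python example that is not ptier's script or Microsoft's code: the on-prem results and the beta Graph `/users?$select=userPrincipalName,signInActivity` reply are constructed inline, and mapping the UPN prefix to the sAMAccountName is an assumption. An account is reported only when neither source has seen it inside the 90-day window, taking the newer of the interactive and non-interactive cloud sign-ins; a user with no signInActivity at all comes back with `None` so it can be reviewed rather than silently disabled.

```python
from datetime import datetime, timedelta, timezone

INACTIVE_AFTER = timedelta(days=90)

# Constructed sample of what Search-ADAccount -AccountInactive returned on-prem:
# sAMAccountName -> LastLogonDate (None = never logged on against the domain).
ONPREM_INACTIVE = {
    "alice": datetime(2020, 12, 1, tzinfo=timezone.utc),
    "bob": datetime(2020, 6, 15, tzinfo=timezone.utc),
    "carol": None,
}
# Constructed sample shaped like the beta Graph reply to
# GET /users?$select=userPrincipalName,signInActivity
GRAPH_USERS = {"value": [
    {"userPrincipalName": "alice@example.com",
     "signInActivity": {"lastSignInDateTime": "2021-01-05T08:12:00Z",
                        "lastNonInteractiveSignInDateTime": "2021-04-01T07:00:00Z"}},
    {"userPrincipalName": "bob@example.com",
     "signInActivity": {"lastSignInDateTime": "2020-07-02T10:00:00Z",
                        "lastNonInteractiveSignInDateTime": None}},
    {"userPrincipalName": "carol@example.com"},  # no signInActivity at all
]}
def parse_graph_time(value):
    # Graph timestamps end in 'Z'; fromisoformat (3.7+) wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def latest_cloud_sign_in(user):
    # Newest of interactive and non-interactive sign-in; None if neither is recorded.
    act = user.get("signInActivity") or {}
    stamps = [parse_graph_time(act.get(k)) for k in
              ("lastSignInDateTime", "lastNonInteractiveSignInDateTime")]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None

def reconcile(onprem, graph, now):
    """Accounts idle in BOTH sources for INACTIVE_AFTER; assumes UPN prefix == sAMAccountName."""
    cloud = {u["userPrincipalName"].split("@")[0].lower(): latest_cloud_sign_in(u)
             for u in graph["value"]}
    cutoff = now - INACTIVE_AFTER
    inactive = {}
    for sam, ad_last in onprem.items():
        seen = [t for t in (ad_last, cloud.get(sam.lower())) if t is not None]
        last_seen = max(seen) if seen else None  # None = never seen anywhere
        if last_seen is None or last_seen < cutoff:
            inactive[sam] = last_seen
    return inactive

def demo(now=datetime(2021, 4, 9, tzinfo=timezone.utc)):
    return reconcile(ONPREM_INACTIVE, GRAPH_USERS, now)
```

With the sample data, alice is dropped because her non-interactive cloud sign-in is recent even though the on-prem DC last saw her in December; bob and carol are the ones left to disable or review.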

Bob Morales
Aug 18, 2006





wolrah posted:

According to https://winaero.com/screen-saver-pa...your%20Desktop. it's in the registry at

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod

If it doesn't exist it's supposed to be a DWORD containing the grace period in seconds.

Thanks, I'll play around with that on Monday

Potato Salad
Oct 23, 2014

Nobody Cares




Bob Morales posted:

I don't think anything we've bought recently is missing TPM, but this is probably our biggest chunk of devices: Lenovo ThinkCentre M73, which, now that I think about it, is what we have bought recently because the training room PCs were just refreshed in the last 6 months or so.

do infineon or lenovo sell tpms for thinkcentres?

they're often like $5

Bob Morales
Aug 18, 2006





Could 2021-04 cumulative update take any loving longer to install


GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Yeah it's a big one. Got all my Exchange servers patched
