Wizard of the Deep
Sep 25, 2005


We use SpamTitan for our in-house Exchange server, and it works pretty well. Lots of filtering options and control, and the user interface isn't too terrible, either.


Wizard of the Deep
Sep 25, 2005


Yaos posted:

I just joined my computer to the domain here and have come across an issue where I can't remote control my computer with any account, but I am able to remote control other computers with the same accounts. The error is "the user has requested a type of logon (e.g., interactive or network) that has not been granted."

I'm not sure what's going on since this only affects my computer. I did not think you could specifically deny remote control to a certain computer. I've already left and joined the domain which did not fix it.

Edit: Something is just messed up on my computer, remote assistance does not work either. Guess it's time for a reinstall.

It's simple, but are you sure you have RDP/Remote Assistance enabled on your PC, with appropriate accounts/groups granted access?

Wizard of the Deep
Sep 25, 2005


Yaos posted:

It should be unless joining the domain changed it. I will have to check it out. Thanks.

Joining the domain shouldn't turn off RDP, but you will need to add domain accounts/groups to the "Can log in via RDP" group.

I've got the settings configured through a GPO now, so it's completely automated. Computer joins domain, RDP is forced on, and certain groups are automatically added.
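As an added example (not the poster's code), a PowerShell check of the usual causes of the "type of logon ... has not been granted" error on the target PC: RDP disabled, NLA, the local Remote Desktop Users group, and the "Allow log on through Remote Desktop Services" user right that the GPO is supposed to set. The group name CONTOSO\RDP-Users is a placeholder, and Get-LocalGroupMember assumes Windows 10 / Server 2016 or later.

```powershell
# Added diagnostic, run elevated on the computer you cannot RDP into.
$ExpectedGroup = 'CONTOSO\RDP-Users'   # assumption: the domain group your GPO adds

# 1. Is RDP enabled at all? fDenyTSConnections = 0 means connections are allowed.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
"RDP enabled            : $($ts.fDenyTSConnections -eq 0)"

# 2. Is Network Level Authentication required? Broken Kerberos on a freshly
#    joined machine fails here, before any user right is evaluated.
$rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
"NLA required           : $($rdpTcp.UserAuthentication -eq 1)"

# 3. Who is in the local Remote Desktop Users group (BUILTIN\Remote Desktop Users)?
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Select-Object -ExpandProperty Name
"Remote Desktop Users   : $($members -join ', ')"
"Expected group present : $($members -contains $ExpectedGroup)"

# 4. The user right behind the error text: SeRemoteInteractiveLogonRight, plus its
#    Deny counterpart, which wins if a GPO (or a leftover local policy) set it.
#    secedit writes SIDs, e.g. *S-1-5-32-555 is BUILTIN\Remote Desktop Users.
$cfg = Join-Path $env:TEMP 'secpol-userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content $cfg | Where-Object { $_ -match '^Se(Deny)?RemoteInteractiveLogonRight' }
Remove-Item $cfg -ErrorAction SilentlyContinue

# Compare against what the domain thinks should apply:
#   gpresult /h "$env:TEMP\gpresult.html"   (Computer Configuration > User Rights Assignment)
```

If SeDenyRemoteInteractiveLogonRight lists a group the account belongs to, that deny overrides membership in Remote Desktop Users, which would explain why the same accounts work on other machines.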

Wizard of the Deep
Sep 25, 2005


Without a better idea of the scope of your environment or your underlying CA choice, I'd start with these two links:

Everything you should know about certificates and PKI but are too afraid to ask

Microsoft's guidance for 2012r2 CAs

If you're doing a master/subordinate/consumer cert chain, and you've still got access to the master CA, maybe just make a new sub CA?

Due to divestiture, I had the opportunity to create new PKI infrastructure for a large enterprise (before the reduction in force sneaked up on us), and it wasn't technically challenging. There were just a LOT of details to work through. Getting it right the first time will take a lot of up-front investment in terms of understanding your product, your goals, and what realistic options you have to achieve them.

Also, make sure you have solid time infrastructure, and if you're doing an off-line root, triple-check your timezone settings before you start signing master and sub certs. It's not like Microsoft's default choice of setting 2012r2 to PST by default will bite you in the rear end or anything.

Wizard of the Deep fucked around with this message at 03:53 on Jun 7, 2019

Wizard of the Deep
Sep 25, 2005


Mr. Clark2 posted:

I'm still a newbie when it comes to certs but I've done some research based on what you posted and understand the process at a high level to be pretty much:

- Set up an internal server to be a CA and issue certificates
- Use our internal infrastructure (GPO etc.) to issue these certs to our domain joined machines
- Set up NPS so that it uses the issued cert to authenticate

That sound about right?

In addition to the heavy drinking, I want to clarify the second step. You'll have a GPO that tells your clients (either devices or users) to request certs from your PKI infrastructure, based on established and published templates. Then, the NPS can verify that the cert is valid (i.e., signed by a valid sub-CA) and not revoked. Once that's done, it can run whatever policies are appropriate for the client.
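As an added example (not from the thread), a PowerShell check to run on a domain-joined client after the autoenrollment GPO has applied: it finds the client-authentication cert issued by your sub-CA and builds the chain with an online revocation check, which is the same validation NPS performs before it evaluates its policies. The issuing CA name CONTOSO-SUB-CA-01 is a placeholder.

```powershell
# Added check: does this machine hold a usable client-auth cert from the internal sub-CA?
$IssuingCA     = 'CN=CONTOSO-SUB-CA-01'   # assumption: substring of the expected Issuer DN
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU

$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid) -and
    $_.Issuer -like "*$IssuingCA*"
}

if (-not $candidates) {
    Write-Warning "No client-auth cert from $IssuingCA. Check the autoenrollment GPO, then run: gpupdate /force; certutil -pulse"
    return
}

foreach ($cert in $candidates) {
    # Build the chain the way a relying party (NPS) does: check EKU, and check
    # revocation online via CRL/OCSP for every cert except the root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]::new($ClientAuthOid)) | Out-Null
    $valid = $chain.Build($cert)

    [pscustomobject]@{
        Subject   = $cert.Subject
        Issuer    = $cert.Issuer
        NotAfter  = $cert.NotAfter
        ChainOK   = $valid
        # Empty when ChainOK is true; otherwise e.g. RevocationStatusUnknown, OfflineRevocation
        Status    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        ChainPath = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
    }
}
```

A status of RevocationStatusUnknown or OfflineRevocation on the client usually means the CRL distribution point in the cert is not reachable, and NPS will reject the same cert for the same reason.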

Wizard of the Deep
Sep 25, 2005


NevergirlsOFFICIAL posted:

I'm running into an issue... And while troubleshooting, I ran into another issue. Here are both issues:

THE REAL ISSUE:
I have a RODC on my domain and a third party Windows server is supposed to perform LDAPS queries against it. This broke somehow a few days ago after the RODC froze and got a hard reboot. The issue is the other server is not trusting the cert presented by my RODC. The cert presented is signed by my internal CA. The third party says they shouldn't have to trust my internal CA. I have a wild card cert from godaddy on this RODC. but LDAPS is not presenting it. I understand that LDAPS just takes the first cert it sees and it sees the internal-CA one and uses that. The workaround in place is to use LDAP without the S which is working.

THE SECOND ISSUE:
Anyway.... To troubleshoot this, I restored a copy of the RODC from before this happened... Of course I put it off network and then turned it on. I can't sign in to it - no logon servers available.


Windows server 2012 bla bla bla. I'm really sad about having to post in this thread again, I was doing so well avoiding all work. And for the record I inherited this.

The real issue: Is the third-party server joined to your domain? I want to say AD offers the newest certificate, so reissuing the GoDaddy cert may resolve the issue? I don't have a way to verify that right now.

The second issue: holy poo poo do not do this. Burn that RODC to the ground, fix AD, and start from scratch. All sorts of wonky things happen when you restore DCs.

Wizard of the Deep
Sep 25, 2005


NevergirlsOFFICIAL posted:

Third party server is not on the domain. I attempted reinstalling the GoDaddy cert but possibly I didn't do it correctly.

I think it's not "the certificate most recently installed", but "the certificate issued most recently". I think. This is pulling from memories on an issue I wasn't directly involved in almost two years ago.
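As an added example (not the poster's code), a PowerShell probe that connects to the RODC on TCP 636 and reports the certificate it actually presents, alongside a listing of the server-auth certs in the DC's machine store that Schannel could choose from. The host name rodc01.corp.example.com is a placeholder.

```powershell
# Added check, part 1: run from any box that can reach the RODC on 636.
function Get-LdapsServerCertificate {
    param([string]$Server, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # The callback returns $true so an untrusted issuer does not abort the handshake;
        # we only want to see which cert is served, not validate it here.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Server)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject    = $remote.Subject
            Issuer     = $remote.Issuer
            NotBefore  = $remote.NotBefore
            NotAfter   = $remote.NotAfter
            Thumbprint = $remote.Thumbprint
            # Subject Alternative Name (2.5.29.17): must cover the name the third party connects to
            SANs       = ($remote.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                          ForEach-Object { $_.Format($false) })
        }
        $ssl.Dispose()
    } finally { $client.Close() }
}

Get-LdapsServerCertificate -Server 'rodc01.corp.example.com'   # assumption: placeholder name

# Part 2: run on the RODC itself. These are the certs Schannel can pick from in
# Local Computer\Personal: private key present plus Server Authentication EKU,
# newest issue date first. A cert placed in the NTDS service's own store
# (certlm.msc > Service Accounts > Active Directory Domain Services > Personal)
# takes precedence over this list and is the supported way to pin the LDAPS cert.
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
} | Sort-Object NotBefore -Descending |
    Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint
```

Compare the Thumbprint from part 1 with the list from part 2 to see which candidate the DC selected, and whether the GoDaddy cert is even eligible (key present, EKU, SAN matching the RODC's FQDN).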

Wizard of the Deep
Sep 25, 2005


As skipdogg said, GPOs will only show settings that have been configured/defined. In other words, settings you've changed.

Each GPO should handle one "thing". Have a GPO for creating common desktop shortcuts, or mapping drives, or setting everyone's wallpaper. Within that, you could do some item-level targeting, like users in Accounting get network drive X, while Human Resources has network drive Y. But they should be relatively focused. If there are a lot of settings that need to be changed, it may pay to break it out. For example, at my last role we handled a lot of security hardening through GPOs, to the point where we had three or four "Security" GPOs. GPOs also have a notes/description field that's freeform text. You should write general overview info in there.

The Group Policy management tool also has Group Policy Modeling (so you can project what computer and user policies will apply, based on AD OU and site information), and Resultant Set Of Policy (RSOP), which will reach out to the identified computer and user to see what's actually being applied. Modeling and RSOP can conflict in weird and confusing ways, mostly due to read rights as applied to GPOs. RSOP should line up with GPresults run from a client machine.

As much as I love PowerShell, I don't think it's a great method for managing GPOs right now, beyond making regular backups. You should absolutely use PowerShell for dealing with AD as a whole, though. Especially if you don't have some third-party tool to handle bulk changes and reporting.

Wizard of the Deep
Sep 25, 2005


All of that, and also remember you can build GPOs and test them by only linking them to test OUs, without having to deal with WMI filtering.

Wizard of the Deep
Sep 25, 2005


I mean, I can't remember any good reasons I've filtered by WMI off the top of my head.

Wizard of the Deep
Sep 25, 2005


wyoak posted:

Am I missing anything here?

Would multiple subordinate CAs make sense, now or in the future? Multiple subs allow for high availability, load distribution, and simplifying cert management if you have more than one domain that doesn't trust the other.

Wizard of the Deep
Sep 25, 2005


I don't think loopback processing will work in this situation, but it's the closest solution I can immediately think of. I think LBP only recursively applies user settings to computer objects.

Wizard of the Deep
Sep 25, 2005


kiwid posted:

Anyone have experience with cleaning up AD?

Our AD was created in Server 2000 and upgraded all these years leaving junk accounts, groups, OUs, etc. Also, we used to run our own exchange so I definitely remember editing random ADSIedit things.

I was thinking of maybe cleaning this up. Any tools out there to help with this?

Fire.

I'm only half-kidding. It may actually make more sense to start fresh, especially if/when you're making a big upgrade push.

Another easy target is users and computer objects that haven't authenticated in over a year. Those are good targets for disabling and moving to a morgue OU.
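As an added example (not the poster's code), a PowerShell pass over the "easy target": enabled users and computers with no authentication in the last year are tagged, disabled and moved to a morgue OU, with a dry run on by default. The morgue OU paths are placeholders; LastLogonDate is the replicated lastLogonTimestamp, which is only accurate to about two weeks, which is fine for a one-year cutoff.

```powershell
# Added cleanup script. Set $DryRun = $false only after reviewing the dry-run output.
Import-Module ActiveDirectory
$Cutoff     = (Get-Date).AddDays(-365)
$UserMorgue = 'OU=Users,OU=Morgue,DC=corp,DC=example,DC=com'      # assumption: placeholder OU
$CompMorgue = 'OU=Computers,OU=Morgue,DC=corp,DC=example,DC=com'  # assumption: placeholder OU
$DryRun     = $true

# Users: enabled, last logon older than the cutoff OR never logged on, and not created
# recently (a brand-new account has no logon yet but is not stale). Skip the morgue itself.
$staleUsers = Get-ADUser -Filter { Enabled -eq $true -and
        (LastLogonDate -lt $Cutoff -or LastLogonDate -notlike '*') } `
        -Properties LastLogonDate, WhenCreated |
    Where-Object { $_.WhenCreated -lt $Cutoff -and $_.DistinguishedName -notlike "*$UserMorgue" }

# Computers: same rule, but never touch domain controllers.
$staleComputers = Get-ADComputer -Filter { Enabled -eq $true -and
        (LastLogonDate -lt $Cutoff -or LastLogonDate -notlike '*') } `
        -Properties LastLogonDate, WhenCreated, OperatingSystem |
    Where-Object { $_.WhenCreated -lt $Cutoff -and
                   $_.DistinguishedName -notlike '*OU=Domain Controllers,*' -and
                   $_.DistinguishedName -notlike "*$CompMorgue" }

# Review before acting: service accounts with no interactive logon can look stale here.
@($staleUsers) + @($staleComputers) |
    Select-Object Name, ObjectClass, LastLogonDate, WhenCreated, DistinguishedName |
    Format-Table -AutoSize

foreach ($obj in @($staleUsers) + @($staleComputers)) {
    $target = if ($obj.ObjectClass -eq 'computer') { $CompMorgue } else { $UserMorgue }
    # Stamp the reason on the object so the morgue is auditable and reversible.
    Set-ADObject    -Identity $obj -Description "Disabled $(Get-Date -Format yyyy-MM-dd); last logon $($obj.LastLogonDate)" -WhatIf:$DryRun
    Disable-ADAccount -Identity $obj -WhatIf:$DryRun
    Move-ADObject   -Identity $obj -TargetPath $target -WhatIf:$DryRun
}
"$(@($staleUsers).Count) users and $(@($staleComputers).Count) computers flagged (dry run: $DryRun)"
```

Because the objects are disabled and moved rather than deleted, anything that turns out to still be in use can be re-enabled from the morgue OU.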

Wizard of the Deep
Sep 25, 2005


Sudden Loud Noise posted:

I have a hard time believing this. In my experience in places I've worked (both good and bad), and with tons of other customers, everyone has had a ton of technical debt, it's all a matter of how much is that debt hurting you at the moment?

Of course it's all relative as well. I've seen companies that have technical debt that is mostly productivity impacting as opposed to security impacting. Many places would say that company doesn't have any debt at all.

Hey. Right now in the Bay Area, there's a five-minute old startup. They only have ten minutes worth of technical debt.

Wizard of the Deep
Sep 25, 2005


Let's step back: What are you trying to accomplish with this power plan? And why do users feel the need to change it?

Or are you just seeing that you can change it, and are concerned folks are going to break things?

If you really need to lock in a particular plan, you'll probably have to lock down who can change power settings. That may need even more work if your users are all local admins. I'm not sure of the specifics on how you'd go about that, but that's where I'd start. If you really, really need to actually lock things down.

Wizard of the Deep
Sep 25, 2005


Yea, you should just be reviewing AD, and making people get new equipment.

If that's not politically feasible, Welsh is a language pack available in Windows 7.


Wizard of the Deep
Sep 25, 2005


snackcakes posted:

I've come across a problem in Azure that has been pretty hard for me to google.

I've got a WVD Hostpool and a Standard Load Balancer so my VMs can share a Public IP Address

Somehow I've broken it so that when I add new VMs to the hostpool they have no external internet access, until I add them to the Backend Pool of the Load Balancer

This is preventing the VMs from having the Windows Virtual Desktop Agent and Bootloader installed, which means they don't join the hostpool automatically. Azure considers the VM deployment a failure because of this

As a result I have to add the VM to the Load Balancer Backend Pool manually, and then manually install the agents and register it with the hostpool

Life is hell

Are you putting them behind a restrictive Network Security Group?

Are they being joined to a working subnet?

Are they being joined to the RIGHT subnet?
