Protocol7
Jul 26, 2012

Hi, it's me, (probably a loving moron) who runs a server infrastructure for a tiny company that's basically me, my boss, and a ragtag offshore team.

Unfortunately, someone decided to chown -R $user:$user /etc on one of my dev servers. I can thankfully just restore a backup from 4 days ago to fix the permissions, but what's a good way to prevent people from running commands like that again? Aside from smacking them upside the head...

BonoMan
Feb 20, 2002


You know that Black Mirror-style phishing attack that claims they have you watching porn or something and you gotta bitcoin them or they'll tell all your contacts?

I just got a new variant on that. It's a dynamic email - the contents are a tagged post in a Google Doc (your email is used as the tag) with the same style messaging. It managed to get around Google's own spam filter.

Just something to keep your users abreast on.

Guy Axlerod
Dec 29, 2008


BonoMan posted:

You know that Black Mirror-style phishing attack that claims they have you watching porn or something and you gotta bitcoin them or they'll tell all your contacts?


I was hoping this was a suggestion to help the previous poster with people abusing sudo. I have pictures of you jacking off, but as long as you don't do something stupid with sudo I will not release them.

BonoMan
Feb 20, 2002


Guy Axlerod posted:

I was hoping this was a suggestion to help the previous poster with people abusing sudo. I have pictures of you jacking off, but as long as you don't do something stupid with sudo I will not release them.

Well I mean it would probably do the trick for that too tbh

Tapedump
Aug 31, 2007


I just took over a sister site, and on every domain-joined PC that RDCs into another domain-joined workstation or the DC, it makes me enter creds twice.

I've done some quick reading, and the clues I got about GPO and reg entries don't seem to pan out, and a workstation that is not domain-joined can be remoted into normally.

So it's domain-based, but where is my best bet to start looking? I've checked GPEdit Comp-AdminTemplate-WindowsComponents\RDS\Host\Security and set "Always prompt for password upon connection" to Disabled.

Please help me find where to disable this behavior.

Honey Im Homme
Sep 3, 2009



Is the domain healthy? Start by running dcdiag and see if anything is borked

Collateral Damage
Jun 13, 2009



Protocol7 posted:

Hi, it's me, (probably a loving moron) who runs a server infrastructure for a tiny company that's basically me, my boss, and a ragtag offshore team.

Unfortunately, someone decided to chown -R $user:$user /etc on one of my dev servers. I can thankfully just restore a backup from 4 days ago to fix the permissions, but what's a good way to prevent people from running commands like that again? Aside from smacking them upside the head...
If they have root access there's not really anything you can do to stop them from doing destructive mistakes, you can only mitigate them through frequent backups, file versioning and/or configuration management.

Smacking them over the head is a good start though.
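
Collateral Damage's point is that root cannot be stopped, only caught and undone, and "file versioning" is the cheapest form of that for /etc. As an added example (not code from the thread or any poster), here is a small Python script that records the owner, group and mode of every path under a directory, reports drift, and re-applies the recorded values. The script name (permtrack.py), the manifest location and the throwaway tree built in demo() are illustrative assumptions; demo() never touches the real /etc.

```python
# Added example, not code from the thread: record and re-apply owner, group and
# mode for every path under a directory, so a stray "chown -R user:user /etc"
# can be spotted and reverted without restoring a days-old backup.
# Assumes a Linux/POSIX host; the script name (permtrack.py), manifest location
# and the throwaway tree built in demo() are illustrative choices.
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Entry = Tuple[int, int, int]  # (permission bits incl. suid/sgid/sticky, uid, gid)


def snapshot(root: str) -> Dict[str, Entry]:
    """Record mode/uid/gid of ROOT and everything below it (symlinks not followed)."""
    manifest: Dict[str, Entry] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in [""] + dirnames + filenames:
            path = os.path.join(dirpath, name) if name else dirpath
            st = os.lstat(path)
            manifest[path] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return manifest


def save_manifest(manifest: Dict[str, Entry], out_path: str) -> None:
    """One line per path: '<octal mode> <uid> <gid> <path>' (paths must not contain newlines)."""
    with open(out_path, "w") as fh:
        for path in sorted(manifest):
            mode, uid, gid = manifest[path]
            fh.write(f"{mode:04o} {uid} {gid} {path}\n")


def load_manifest(in_path: str) -> Dict[str, Entry]:
    manifest: Dict[str, Entry] = {}
    with open(in_path) as fh:
        for line in fh:
            mode, uid, gid, path = line.rstrip("\n").split(" ", 3)
            manifest[path] = (int(mode, 8), int(uid), int(gid))
    return manifest


def drift(manifest: Dict[str, Entry]) -> List[Tuple[str, Entry, Entry]]:
    """(path, expected, actual) for every path whose metadata changed.
    Paths that no longer exist are skipped: deletions are a backup problem, not a chown one."""
    changed = []
    for path, expected in sorted(manifest.items()):
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue
        actual = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
        if actual != expected:
            changed.append((path, expected, actual))
    return changed


def restore(manifest: Dict[str, Entry]) -> int:
    """Re-apply ownership, then mode, to every drifted path; returns the count.
    Ownership goes first because chown() on a file clears setuid/setgid bits.
    Changing to a different uid needs root; same-uid/gid calls do not."""
    fixed = 0
    for path, (mode, uid, gid), _ in drift(manifest):
        os.lchown(path, uid, gid)
        if not os.path.islink(path):  # symlink modes are not settable on Linux
            os.chmod(path, mode)
        fixed += 1
    return fixed


def demo() -> dict:
    """Round trip on a constructed throwaway tree (never the real /etc)."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = os.path.join(tmp, "etc")
        ssh = os.path.join(etc, "ssh")
        os.makedirs(ssh)
        hosts, key = os.path.join(etc, "hosts"), os.path.join(ssh, "ssh_host_ed25519_key")
        for path, text in ((hosts, "127.0.0.1 localhost\n"), (key, "placeholder, not a key\n")):
            with open(path, "w") as fh:
                fh.write(text)
        os.chmod(ssh, 0o755); os.chmod(hosts, 0o644); os.chmod(key, 0o600)
        mpath = os.path.join(tmp, "etc.perms")
        save_manifest(snapshot(etc), mpath)
        clean = len(drift(load_manifest(mpath)))
        os.chmod(key, 0o644); os.chmod(ssh, 0o777)   # simulate a careless recursive change
        drifted = [os.path.relpath(p, etc) for p, _, _ in drift(load_manifest(mpath))]
        fixed = restore(load_manifest(mpath))
        return {"entries": len(load_manifest(mpath)), "clean": clean, "drifted": drifted,
                "fixed": fixed, "after": len(drift(load_manifest(mpath))),
                "key_mode": stat.S_IMODE(os.lstat(key).st_mode)}


if __name__ == "__main__":
    import sys
    cmd, *args = sys.argv[1:] or ["demo"]
    if cmd == "snapshot":   # permtrack.py snapshot /etc /var/backups/etc.perms
        save_manifest(snapshot(args[0]), args[1])
    elif cmd == "check":    # permtrack.py check /var/backups/etc.perms
        for path, (m, u, g), (am, au, ag) in drift(load_manifest(args[0])):
            print(f"{path}: expected {m:04o} {u}:{g}, found {am:04o} {au}:{ag}")
    elif cmd == "restore":  # permtrack.py restore /var/backups/etc.perms (root if owners changed)
        print(f"restored {restore(load_manifest(args[0]))} path(s)")
    else:
        print(demo())
```

Take a snapshot after every deliberate change (or have configuration management emit one), run check from cron and alert on any output, and keep the manifest somewhere the same root mistake cannot reach, such as another host or the backup set. It complements backups rather than replacing them: deleted or overwritten files are out of scope, and it will not stop anyone with root from running the next chown -R.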

bolind
Jun 19, 2005




User complains about Linux desktop PC freezing, becoming unresponsive. I checked the service tag.

Said desktop turned nine years old this January...

Thanks Ants
May 21, 2004

We get that, companies assume that because they bought a Mac in 2015 that means it should still be capable of working on big Photoshop documents in 2021. Buy new hardware guys, it's time.

BonoMan
Feb 20, 2002


Thanks Ants posted:

We get that, companies assume that because they bought a Mac in 2015 that means it should still be capable of working on big Photoshop documents in 2021. Buy new hardware guys, it's time.

God I deal with this poo poo *every day*. And I'm a creative professional who does some IT so I try to get hardware updates whenever I can but goddamn it's hard. We just had a graphic designer start and it was just "what do we have laying around?" She's literally on a 2015 iMac. Looks gorgeous... runs slow as poo poo now though.

bolind
Jun 19, 2005




Recruit, hire, train and retain an employee: yeah we’ll blow six figgies.
Actually giving them a tool that makes them more productive: nah we can’t spend 2% of their salary on that.

Meanwhile, the hardware guys get labs and spectrum analyzers worth millions.

BonoMan
Feb 20, 2002


bolind posted:

Recruit, hire, train and retain an employee: yeah we’ll blow six figgies.
Actually giving them a tool that makes them more productive: nah we can’t spend 2% of their salary on that.

Meanwhile, the hardware guys get labs and spectrum analyzers worth millions.

Yeah this is what infuriates me. Like... hiring an employee is an investment. Please give them the right tools to succeed!

No idea why hardware purchases are like pulling teeth.

We do have some growth though. Our new financial manager is building budgets and we'll actually have real funds we can pull from and spend as we see fit without authorizing every single one. Imagine that! Like a real business!

Thanks Ants
May 21, 2004

2-3k every few years on hardware for an employee who churns out billable creative work is such a ridiculous ROI that you'd think putting the numbers in front of people would make them see the obvious value.

Internet Explorer
Jun 1, 2005


I am having a similar fight right now. Hardware lifecycle policies are so important to have in place. And not poo poo like "oh well these were leased so we'll need to return them" or any other one-off thing. It gets replaced every 3, 4, or 5 years and that's that. No other discussion. People seem to struggle with that concept, even in IT.

GreenNight
Feb 19, 2006

Laptops absolutely, but we have 10-year-old computers on a factory floor running Windows 10 and an SSD drive and they run fine since all they do is Excel and a 5250 client.

Internet Explorer
Jun 1, 2005


I'm not going to say I think a 10 year old computer is fine, but you can handle different needs with different hardware lifecycles. Factory floor computers might have a different lifecycle than laptops which might have a different lifecycle than servers.

Bob Morales
Aug 18, 2006


You guys want some deals on refurbished PCs?



3jobsago.jpg

Tapedump
Aug 31, 2007


Honey Im Homme posted:

Is the domain healthy? Start by running dcdiag and see if anything is borked
Thank you, I didn't know about that.

All passes except the below, which I'm not sure how to read, but I'm looking into UmRdpService:


Starting test: SysVolCheck
[SERVER1] An net use or LsaPolicy operation failed with error
1208, An extended error has occurred..
......................... SERVER1 failed test SysVolCheck

and


Starting test: SystemLog
An error event occurred. EventID: 0x00009007
Time Generated: 03/02/2021 17:47:36
Event String:
A fatal error occurred while creating an SSL server credential. The internal error state is 10013.
An error event occurred. EventID: 0xC0001B63
Time Generated: 03/02/2021 17:48:36
Event String:
A timeout (60000 milliseconds) was reached while waiting for a transaction response from the UmRdpService service.
......................... SERVER1 failed test SystemLog
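
The EventID values dcdiag prints are the raw 32-bit instance IDs, not the numbers Event Viewer shows; the Event Viewer ID is the low 16 bits (0x00009007 is event 36871, 0xC0001B63 is event 7011). As an added example (not code from the thread or any poster), here is a Python parser for the SystemLog section above that does the decoding and builds the matching Get-WinEvent filter. SAMPLE is the text from the post; the helper names and the exact PowerShell output format are illustrative choices.

```python
# Added example, not code from the thread: parse the "SystemLog" section of
# dcdiag output and turn each "EventID: 0x..." into the number Event Viewer
# actually shows (the low 16 bits), so the entries can be pulled from the
# System log. SAMPLE is the text from the post; helper names and the
# Get-WinEvent filter string are illustrative choices.
import re
from dataclasses import dataclass
from typing import List

SAMPLE = """\
Starting test: SystemLog
An error event occurred. EventID: 0x00009007
Time Generated: 03/02/2021 17:47:36
Event String:
A fatal error occurred while creating an SSL server credential. The internal error state is 10013.
An error event occurred. EventID: 0xC0001B63
Time Generated: 03/02/2021 17:48:36
Event String:
A timeout (60000 milliseconds) was reached while waiting for a transaction response from the UmRdpService service.
......................... SERVER1 failed test SystemLog
"""

HEADER = re.compile(r"^An? (\w+) event occurred\. EventID: 0x([0-9A-Fa-f]{1,8})$")
CLASSIC_SEVERITY = {0: "(none)", 1: "informational", 2: "warning", 3: "error"}


@dataclass
class DcdiagEvent:
    level: str           # dcdiag's own label on the line ("error", "warning")
    instance_id: int     # the full 32-bit value dcdiag prints
    event_id: int        # low 16 bits: the ID shown in Event Viewer
    time_generated: str
    message: str


def classic_severity(instance_id: int) -> str:
    """Top two bits of a classic (NT event log) instance ID encode severity:
    0xC000... = error, 0x8000... = warning, 0x4000... = informational.
    Newer providers leave them zero (as 0x00009007 above), so trust dcdiag's label."""
    return CLASSIC_SEVERITY[(instance_id >> 30) & 0b11]


def parse_systemlog(text: str) -> List[DcdiagEvent]:
    """Group the flat dcdiag lines into one record per event; multi-line
    Event Strings are joined with single spaces."""
    events: List[DcdiagEvent] = []
    current = None
    in_message = False
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            instance = int(m.group(2), 16)
            current = DcdiagEvent(m.group(1), instance, instance & 0xFFFF, "", "")
            events.append(current)
            in_message = False
        elif current is None:
            continue
        elif line.startswith("Time Generated:"):
            current.time_generated = line.split(":", 1)[1].strip()
        elif line == "Event String:":
            in_message = True
        elif line.startswith("....") or line.startswith("Starting test:"):
            current, in_message = None, False     # end of this test's output
        elif in_message and line:
            current.message = f"{current.message} {line}".strip()
    return events


def winevent_filter(events: List[DcdiagEvent], log: str = "System") -> str:
    """PowerShell one-liner that fetches the same events from the live log,
    using the decoded IDs rather than dcdiag's 32-bit values."""
    ids = sorted({e.event_id for e in events})
    return (f"Get-WinEvent -FilterHashtable @{{LogName='{log}'; "
            f"Id={','.join(str(i) for i in ids)}}} | Format-List TimeCreated,Id,ProviderName,Message")


if __name__ == "__main__":
    for e in parse_systemlog(SAMPLE):
        print(f"{e.time_generated}  {e.level:<7} instance=0x{e.instance_id:08X} "
              f"event_id={e.event_id} classic_severity={classic_severity(e.instance_id)}")
        print(f"    {e.message}")
    print(winevent_filter(parse_systemlog(SAMPLE)))
```

Run the printed Get-WinEvent line on SERVER1 to see the full records with provider names: 36871 is Schannel's credential-creation failure and 7011 is the Service Control Manager timeout, and UmRdpService is the Remote Desktop Services UserMode Port Redirector, so both entries sit in the RDP stack that the double-prompt symptom involves. dcdiag's SystemLog test only reports recent entries (the last hour), so these were current when the command ran.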

mllaneza
Apr 28, 2007


Thanks Ants posted:

2-3k every few years on hardware for an employee who churns out billable creative work is such a ridiculous ROI that you'd think putting the numbers in front of people would make them see the obvious value.

I've gotten pushback on "the new Creative Director needs $5k worth of software right now". My followup was "Then someone who isn't me can go down to Michaels and buy them a box of crayons." I don't think I've ever had a PO approved faster.

Gyshall
Feb 24, 2009

We're an all-macOS shop, about 40 employees. We're also a startup, and have been able to use mostly cloud native stuff using Okta and 2FA which has been great. Zero trust and all that crap, we're all remote and no central office.

However we have partners that are asking us to allow-list IP ranges of our users, which was OK when we were 3-4 people, but now is a burden and clearly not scalable. Some stuff I was looking at:

- Zscaler, which is $$$$ but doable
- Pritunl
- Tailscale
- Twingate

and a few others. Wanted to get the Gooncensus on how to approach this - we don't need deep packet inspection or anything like that, but my goal is to be able to have users toggle a connection (or just have it always-on) without degrading performance of their day to day activity.

I'd also like to be able to have something turnkey, or if I have to launch it into Azure or something that is OK too.

Bob Morales
Aug 18, 2006


God drat I hate IP whitelists.

Thanks Ants
May 21, 2004

OpenVPN Cloud with one of the nodes deployed in Azure behind a NAT gateway and all traffic routing out of that

Gyshall
Feb 24, 2009

Thanks Ants posted:

OpenVPN Cloud with one of the nodes deployed in Azure behind a NAT gateway and all traffic routing out of that

This is interesting. I see they support Okta/SAML as well, so this is a pretty neat solution.

stevewm
May 10, 2005


Bob Morales posted:

You guys want some deals on refurbished PCs?


3jobsago.jpg

Retail store IT here. This is exactly what we do.

No point in buying brand new machines just to run Chrome, RemoteApp and a bit of LibreOffice.

We will buy brand new for a new location if we get them cheap enough, but otherwise it's refurbs with SSDs. For our workloads, a 6 year old PC with an SSD performs identically to a brand new machine with an SSD.

Floor machines are generally replaced when they start having problems, not on any particular cycle.

Bob Morales
Aug 18, 2006

stevewm posted:

Retail store IT here. This is exactly what we do.

No point in buying brand new machines just to run Chrome, RemoteApp and a bit of LibreOffice.

We will buy brand new for a new location if we get them cheap enough, but otherwise it's refurbs with SSDs. For our workloads, a 6 year old PC with an SSD performs identically to a brand new machine with an SSD.

Floor machines are generally replaced when they start having problems, not on any particular cycle.

This was before there were SSDs (at least in $500 PCs)... and not saving much money. I could see using them for the factory floor too, where they are just going to get dirty etc.

They bought refurbished servers, too

codo27
Apr 21, 2008



Prob asked this here before, what are you guys using for tickets? Looking at Hubspot at the moment. It's just me and I only have maybe ~50 users so I don't need anything too elaborate.

I would love if I could set it up so I don't have to create the tickets and if an email was sent to a certain address (365) it would generate the ticket off of that

codo27 fucked around with this message at 17:00 on Mar 9, 2021

Thanks Ants
May 21, 2004

Freshdesk is good and doesn't have an SSO tax

Internet Explorer
Jun 1, 2005


Hello everyone! Just a quick note to help out the folks who browse by bookmarks. We've started a SH/SC feedback thread and would love it if you stopped by to say hi and let us know what you think.

https://forums.somethingawful.com/showthread.php?threadid=3961558

The Gunslinger
Jul 24, 2004

Not sure if this is the right spot but I'm trying to get a handle on helping my father's business out. His IT guy retired and he never invested any time or money into things. Right now it's a bunch of Dell client computers running Windows 10 Pro (6 of them) with one of them acting as a "server" with a storage spaces mirror on it. There's a Synology NAS that backs up the client PCs and it backs up to the cloud as well. The backup strategy is at least OK but I really dislike a client PC being a single point of failure for his entire business and want to make some other improvements for him.

I haven't worked in IT for a long time and we were mostly a BSD shop so I have little experience on the Windows side of things. AD seems like overkill for his business but I can't seem to find anything else that would fit the bill. My first idea was just setting up a proper server for SSO, centralized profiles and then using his NAS to serve files instead, I have no idea why it was offloaded to a client PC in the first place. I was just going to use SMB for this which would work fine but that doesn't solve the SSO issue. The clients don't roam much but enough that it would be nice. Then there's also the issue of migrating the existing local profiles to the server.

Any ideas or recommendations appreciated.

The Gunslinger fucked around with this message at 17:52 on Mar 10, 2021

Thanks Ants
May 21, 2004

Unless you've got a good reason why it won't work then however many licenses of MS365 Business Premium as there are users, with Azure AD logins on the PCs, user folders copied to their personal OneDrive space, and some Intune policies to keep some sort of consistency between the PCs in terms of naming, update rings, software installs etc. Files in SharePoint.

This assumes the types of files are suitable for SharePoint, the internet connection is acceptable, etc.

Thanatosian
Apr 16, 2013

If there's a budget, strongly recommend an MSP. If he's gotten by on this for this long, it probably wouldn't be too expensive, they'll help him figure out a good solution.

If you want to be your dad's new IT guy, my suggestion would be to just bite the bullet and invest a couple thousand in Windows licensing (a Windows Server license is $500, and an upgrade license from Home to Pro is $100) and maybe a new/refurbished small server to be a DC (I don't know whether or not you can use a SAN as a DC, but you probably shouldn't).

Edit: ignore me, do what Thanks Ants suggests.

mewse
May 2, 2006




Thanks Ants posted:

Unless you've got a good reason why it won't work then however many licenses of MS365 Business Premium as there are users, with Azure AD logins on the PCs, user folders copied to their personal OneDrive space, and some Intune policies to keep some sort of consistency between the PCs in terms of naming, update rings, software installs etc. Files in SharePoint.

This assumes the types of files are suitable for SharePoint, the internet connection is acceptable, etc.

Yeah a small company like that shouldn't have the maintenance hassle of on-site servers.

Internet Explorer
Jun 1, 2005


Thanks Ants posted:

Unless you've got a good reason why it won't work then however many licenses of MS365 Business Premium as there are users, with Azure AD logins on the PCs, user folders copied to their personal OneDrive space, and some Intune policies to keep some sort of consistency between the PCs in terms of naming, update rings, software installs etc. Files in SharePoint.

This assumes the types of files are suitable for SharePoint, the internet connection is acceptable, etc.

This is the correct answer. And hire a company to come in and do it.

The Gunslinger
Jul 24, 2004

Thanks Ants posted:

Unless you've got a good reason why it won't work then however many licenses of MS365 Business Premium as there are users, with Azure AD logins on the PCs, user folders copied to their personal OneDrive space, and some Intune policies to keep some sort of consistency between the PCs in terms of naming, update rings, software installs etc. Files in SharePoint.

This assumes the types of files are suitable for SharePoint, the internet connection is acceptable, etc.

Appreciate the responses guys, thank you. Unfortunately I'm not sure he could go the hosted route due to it being a rural area and the internet connection being an issue - they're working with Quickbooks files that are sometimes multiple gigabytes and other boring stuff like that. Downstream it can be OK, upstream is awful. I guess I should've said that right off the bat, my apologies.

He's going to retire in 5 years so I just have to make sure he gets there. My full time job affords me a lot of free time if necessary and I'm willing to help but I don't want to be certified in AD or something.

I guess I will look at talking to an MSP. Perhaps it was naive of me but I figured there would be some sort of small server solution to the issue that didn't dive into AD, SharePoint and CALs.

Thanks Ants
May 21, 2004

I would never normally recommend it, and I haven't used it so please do your research, but a Synology NAS claims to be able to be a directory server so that would give you a central store of user accounts and you can bind the Windows 10 Pro machines to that domain if you want people to log in using those credentials. That also sorts your file storage, and you can have a backup job copy files to a USB disk that gets taken offsite.

It's far from ideal but an improvement on what you have now.

Internet Explorer
Jun 1, 2005


The Gunslinger posted:

Appreciate the responses guys, thank you. Unfortunately I'm not sure he could go the hosted route due to it being a rural area and the internet connection being an issue - they're working with Quickbooks files that are sometimes multiple gigabytes and other boring stuff like that. Downstream it can be OK, upstream is awful. I guess I should've said that right off the bat, my apologies.

He's going to retire in 5 years so I just have to make sure he gets there. My full time job affords me a lot of free time if necessary and I'm willing to help but I don't want to be certified in AD or something.

I guess I will look at talking to an MSP. Perhaps it was naive of me but I figured there would be some sort of small server solution to the issue that didn't dive into AD, Sharepoint and CALs.

Everything is in the cloud now. No one really cares about "easy to use, cheap, on-prem" solutions.

The Gunslinger
Jul 24, 2004

Internet Explorer posted:

Everything is in the cloud now. No one really cares about "easy to use, cheap, on-prem" solutions.

Fair enough, I'm really out of touch I guess. It doesn't even need to be cheap, just needs to be on-site and I could manage his backup stuff. But yeah looking at Google it seems like everything is "get hosted".

quote:

I would never normally recommend it, and I haven't used it so please do your research, but a Synology NAS claims to be able to be a directory server so that would give you a central store of user accounts and you can bind the Windows 10 Pro machines to that domain if you want people to log in using those credentials. That also sorts your file storage, and you can have a backup job copy files to a USB disk that gets taken offsite.

It's far from ideal but an improvement on what you have now.

Thanks, I'll look at that too. I have a new PowerEdge that I could give him to use as a backup server as well.

No. 1 Juicy Boi
Jun 1, 2003

I've got a dumb question I'm probably overthinking:

We have an on-prem AD setup and use Azure AD Connect to sync it to our Office 365 tenancy (email is fully there, no Exchange). Now that everyone's working remotely, when users need to change their password, they connect to the VPN and then change it. But... most people forget to do that, of course. So they end up having a mismatch of passwords between their laptop and Office/VPN.

What's the smoothest way to idiot-proof that process, or is the answer "migrate fully to Azure AD"?

Wizard of the Deep
Sep 25, 2005


No. 1 Juicy Boi posted:

I've got a dumb question I'm probably overthinking:

We have an on-prem AD setup and use Azure AD Connect to sync it to our Office 365 tenancy (email is fully there, no Exchange). Now that everyone's working remotely, when users need to change their password, they connect to the VPN and then change it. But... most people forget to do that, of course. So they end up having a mismatch of passwords between their laptop and Office/VPN.

What's the smoothest way to idiot-proof that process, or is the answer "migrate fully to Azure AD"?

Make sure AAD Connect is configured to sync passwords back to on-prem, then enable Self-Service Password Reset in AAD. aka.ms/sspr and aka.ms/ssprsetup

No. 1 Juicy Boi
Jun 1, 2003

Wizard of the Deep posted:

Make sure AAD Connect is configured to sync passwords back to on-prem, then enable Self-Service Password Reset in AAD. aka.ms/sspr and aka.ms/ssprsetup

Would that change the laptop's login password though? Or would they still need to connect to the VPN to sync that part?
